From 01caaa3d3764f0be8bab18269858515c6abe193f Mon Sep 17 00:00:00 2001
From: Seena Fallah <seenafallah@gmail.com>
Date: Wed, 22 May 2024 14:29:42 +0200
Subject: [PATCH] rgw/auth: add is_root and is_root_of to identities

The is_root() function helps to make sure the identity is either
the root account of the account if there is any ccount linked to the user,
or is the user has full control permission.

The is_root_of() will check whether whether a given identity is the rgw_owner
and is also is_root().

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
---
 src/rgw/rgw_auth.cc                 | 20 ++++++++++++++++++++
 src/rgw/rgw_auth.h                  | 18 ++++++++++++++++++
 src/rgw/rgw_auth_filters.h          |  4 ++++
 src/test/rgw/test_rgw_iam_policy.cc |  5 +++++
 src/test/rgw/test_rgw_lua.cc        |  4 ++++
 5 files changed, 51 insertions(+)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index a0b494eb9c5..5ee582cb738 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -246,6 +246,13 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
       return match_owner(o, id, account);
     }
 
+    bool is_root() const override {
+      if (account)
+        return get_identity_type() == TYPE_ROOT;
+
+      return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+    }
+
     bool is_identity(const Principal& p) const override {
       if (p.is_wildcard()) {
         return true;
@@ -838,6 +845,11 @@ bool rgw::auth::RemoteApplier::is_owner_of(const rgw_owner& o) const
   return info.acct_user == *uid;
 }
 
+bool rgw::auth::RemoteApplier::is_root() const
+{
+  return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+}
+
 bool rgw::auth::RemoteApplier::is_identity(const Principal& p) const {
   // We also need to cover cases where rgw_keystone_implicit_tenants
   // was enabled.
@@ -1062,6 +1074,14 @@ bool rgw::auth::LocalApplier::is_owner_of(const rgw_owner& o) const
   return match_owner(o, user_info.user_id, account);
 }
 
+bool rgw::auth::LocalApplier::is_root() const
+{
+  if (account)
+    return get_identity_type() == TYPE_ROOT;
+
+  return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+}
+
 bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
   if (p.is_wildcard()) {
     return true;
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 22b0816bac9..9f8626b1f4d 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -56,6 +56,15 @@ public:
    * On internal error throws rgw::auth::Exception storing the reason. */
   virtual bool is_owner_of(const rgw_owner& o) const = 0;
 
+  /* Verify whether a given identity is the root user. */
+  virtual bool is_root() const = 0;
+
+  /* Verify whether a given identity is the root user and the owner of the
+   * rgw_owner specified in @o. */
+  virtual bool is_root_of(const rgw_owner& o) const {
+    return is_root() && is_owner_of(o);
+  }
+
   /* Return the permission mask that is used to narrow down the set of
    * operations allowed for a given identity. This method reflects the idea
    * of subuser tied to RGWUserInfo. On  error throws rgw::auth::Exception
@@ -477,6 +486,10 @@ public:
 
   bool is_owner_of(const rgw_owner& o) const override;
 
+  bool is_root() const override {
+    return false;
+  }
+
   uint32_t get_perm_mask() const override {
     return RGW_PERM_NONE;
   }
@@ -653,6 +666,7 @@ public:
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_owner& o) const override;
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override;
   bool is_identity(const Principal& p) const override;
 
   uint32_t get_perm_mask() const override { return info.perm_mask; }
@@ -718,6 +732,7 @@ public:
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_owner& o) const override;
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override;
   bool is_identity(const Principal& p) const override;
   uint32_t get_perm_mask() const override {
     if (this->perm_mask == RGW_PERM_INVALID) {
@@ -798,6 +813,9 @@ public:
     return false;
   }
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override {
+    return false;
+  }
   bool is_identity(const Principal& p) const override;
   uint32_t get_perm_mask() const override {
     return RGW_PERM_NONE; 
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index 7d264197c52..8c01efe6d38 100644
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -81,6 +81,10 @@ public:
     return get_decoratee().is_owner_of(o);
   }
 
+  bool is_root() const override {
+    return get_decoratee().is_root();
+  }
+
   bool is_anonymous() const override {
     return get_decoratee().is_anonymous();
   }
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 1d13c2aa013..763c5972ed6 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -168,6 +168,11 @@ public:
     return false;
   }
 
+  bool is_root() const override {
+    ceph_abort();
+    return false;
+  }
+
   virtual uint32_t get_perm_mask() const override {
     ceph_abort();
     return 0;
diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index a22584bb5ea..d5291f81154 100644
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -50,6 +50,10 @@ public:
     return false;
   }
 
+  bool is_root() const override {
+    return false;
+  }
+
   virtual uint32_t get_perm_mask() const override {
     return 0;
   }
-- 
2.39.5