From 06868b2a83aa6f22e96520019696008bc956a961 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 14 Mar 2024 15:25:02 -0400
Subject: [PATCH] rgw/pubsub: fix DeleteTopic permissions

non-account users now consult identity policies with verify_user_permission() when the topic doesn't exist
account users now consult topic policy when it does exist

Signed-off-by: Casey Bodley
(cherry picked from commit 4568b7a0c74404e0d21fcd221070530684de5066)
---
 src/rgw/rgw_rest_pubsub.cc | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/rgw/rgw_rest_pubsub.cc b/src/rgw/rgw_rest_pubsub.cc
index 891b015a7f4..60da1177059 100644
--- a/src/rgw/rgw_rest_pubsub.cc
+++ b/src/rgw/rgw_rest_pubsub.cc
@@ -920,17 +920,21 @@ class RGWPSDeleteTopicOp : public RGWOp {
   }
   int verify_permission(optional_yield y) override {
-    if (s->auth.identity->get_account()) {
+    if (topic) {
+      // consult topic policy for delete permission
+      if (!verify_topic_permission(this, s, *topic, topic_arn,
+                                   rgw::IAM::snsDeleteTopic)) {
+        return -ERR_AUTHORIZATION;
+      }
+    } else {
+      // if no topic policy exists, just check identity policies
+      // account users require an Allow, non-account users just check for Deny
+      const bool mandatory_policy = !!s->auth.identity->get_account();
       if (!verify_user_permission(this, s, topic_arn,
-                                  rgw::IAM::snsDeleteTopic)) {
+                                  rgw::IAM::snsDeleteTopic,
+                                  mandatory_policy)) {
         return -ERR_AUTHORIZATION;
       }
-      return 0;
-    }
-
-    if (topic && !verify_topic_permission(this, s, *topic, topic_arn,
-                                          rgw::IAM::snsDeleteTopic)) {
-      return -ERR_AUTHORIZATION;
     }
     return 0;
   }
-- 
2.39.5
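Review bot: The comment on the new else branch, `// if no topic policy exists, just check identity policies`, does not match the condition it documents: the branch is taken when `topic` itself is absent, while an existing topic that carries no policy still goes through verify_topic_permission in the `if (topic)` branch above. Suggest `// topic does not exist: only identity policies can be consulted` so the two authorization paths are described by what actually selects them. Because the account-user path no longer calls verify_user_permission at all when the topic exists, it is worth confirming (not visible in this hunk) that verify_topic_permission evaluates identity policies with the same mandatory-Allow rule for account users, otherwise the topic policy alone decides deletion for them; a one-line comment stating that assumption at the `if (topic)` branch would make the authorization model auditable from this function. As a point of style, `!!s->auth.identity->get_account()` reads more clearly as `static_cast<bool>(s->auth.identity->get_account())`. verify_permission is complete within the hunk, but the enclosing RGWPSDeleteTopicOp class continues outside it.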