From 0fb3ac33937b5873a6cd4c0baadebc1a07f9a218 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 1 Feb 2024 14:56:28 -0500
Subject: [PATCH] rgw/iam: add lots of actions needed for managed policies

in order to parse managed policies, we have to recognize all of the actions and wildcards they use

Signed-off-by: Casey Bodley
---
 src/rgw/rgw_iam_policy.cc | 84 +++++++++++++++++++++++++++++
 src/rgw/rgw_iam_policy.h | 28 +++++++++-
 src/test/rgw/test_rgw_iam_policy.cc | 45 +++++++++++++---
 3 files changed, 147 insertions(+), 10 deletions(-)

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 470a3e604d2de..1239de0433b5e 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -134,6 +134,9 @@ static const actpair actpairs[] = {
 { "s3:PutPublicAccessBlock", s3PutPublicAccessBlock },
 { "s3:PutReplicationConfiguration", s3PutReplicationConfiguration },
 { "s3:RestoreObject", s3RestoreObject },
+ { "s3:DescribeJob", s3DescribeJob },
+ { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
+ { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
 { "iam:PutUserPolicy", iamPutUserPolicy },
 { "iam:GetUserPolicy", iamGetUserPolicy },
 { "iam:DeleteUserPolicy", iamDeleteUserPolicy },
@@ -164,6 +167,10 @@ static const actpair actpairs[] = {
 { "iam:UpdateAccessKey", iamUpdateAccessKey},
 { "iam:DeleteAccessKey", iamDeleteAccessKey},
 { "iam:ListAccessKeys", iamListAccessKeys},
+ { "iam:GenerateCredentialReport", iamGenerateCredentialReport},
+ { "iam:GenerateServiceLastAccessedDetails", iamGenerateServiceLastAccessedDetails},
+ { "iam:SimulateCustomPolicy", iamSimulateCustomPolicy},
+ { "iam:SimulatePrincipalPolicy", iamSimulatePrincipalPolicy},
 { "sts:AssumeRole", stsAssumeRole},
 { "sts:AssumeRoleWithWebIdentity", stsAssumeRoleWithWebIdentity},
 { "sts:GetSessionToken", stsGetSessionToken},
@@ -173,6 +180,17 @@ static const actpair actpairs[] = {
 { "sns:Publish", snsPublish},
 { "sns:SetTopicAttributes", snsSetTopicAttributes},
 { "sns:CreateTopic", snsCreateTopic},
+ { "sns:ListTopics", snsListTopics},
+ { "organizations:DescribeAccount", organizationsDescribeAccount},
+ { "organizations:DescribeOrganization", organizationsDescribeOrganization},
+ { "organizations:DescribeOrganizationalUnit", organizationsDescribeOrganizationalUnit},
+ { "organizations:DescribePolicy", organizationsDescribePolicy},
+ { "organizations:ListChildren", organizationsListChildren},
+ { "organizations:ListParents", organizationsListParents},
+ { "organizations:ListPoliciesForTarget", organizationsListPoliciesForTarget},
+ { "organizations:ListRoots", organizationsListRoots},
+ { "organizations:ListPolicies", organizationsListPolicies},
+ { "organizations:ListTargetsForPolicy", organizationsListTargetsForPolicy},
 };
 
 struct PolicyParser;
@@ -606,6 +624,12 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
 if ((t->notaction & s3AllValue) == s3AllValue) {
 t->notaction[s3All] = 1;
 }
+ if ((t->action & s3objectlambdaAllValue) == s3objectlambdaAllValue) {
+ t->action[s3objectlambdaAll] = 1;
+ }
+ if ((t->notaction & s3objectlambdaAllValue) == s3objectlambdaAllValue) {
+ t->notaction[s3objectlambdaAll] = 1;
+ }
 if ((t->action & iamAllValue) == iamAllValue) {
 t->action[iamAll] = 1;
 }
@@ -624,6 +648,12 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
 if ((t->notaction & snsAllValue) == snsAllValue) {
 t->notaction[snsAll] = 1;
 }
+ if ((t->action & organizationsAllValue) == organizationsAllValue) {
+ t->action[organizationsAll] = 1;
+ }
+ if ((t->notaction & organizationsAllValue) == organizationsAllValue) {
+ t->notaction[organizationsAll] = 1;
+ }
 }
 }
 } else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) {
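Review bot: The two wildcard-folding blocks added to ParseState::do_string() (the s3objectlambda pair in the `@@ -606` hunk and the organizations pair in the `@@ -624` hunk) are the fifth and sixth copy of the same four-line shape, and nothing ties this list of copies to the list of `*All` sentinels in rgw_iam_policy.h, so the next service added to the enum can skip this step unnoticed and a `service:*` statement for it would never receive its wildcard bit. A table of (AllValue, All-bit) pairs walked in one loop keeps the rule in a single place and makes the omission visible as a missing row; the sketch below assumes the sts block that sits between the two hunks has the same shape as the s3, iam and sns blocks visible here. do_string() begins and ends outside these hunks.
```cpp
      // … unchanged: matching s against the actpairs table …
      // A service's wildcard bit is implied once every action of that
      // service is set. Keep this table in step with the <service>All
      // sentinels in rgw_iam_policy.h: adding a service means adding a row.
      struct ServiceWildcard { const Action_t& value; size_t bit; };
      const ServiceWildcard wildcards[] = {
        { s3AllValue, s3All },
        { s3objectlambdaAllValue, s3objectlambdaAll },
        { iamAllValue, iamAll },
        { stsAllValue, stsAll },
        { snsAllValue, snsAll },
        { organizationsAllValue, organizationsAll },
      };
      for (const auto& svc : wildcards) {
        if ((t->action & svc.value) == svc.value) {
          t->action[svc.bit] = 1;
        }
        if ((t->notaction & svc.value) == svc.value) {
          t->notaction[svc.bit] = 1;
        }
      }
```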
@@ -1415,6 +1445,15 @@ const char* action_bit_string(uint64_t action) {
 case s3BypassGovernanceRetention:
 return "s3:BypassGovernanceRetention";
 
+ case s3DescribeJob:
+ return "s3:DescribeJob";
+
+ case s3objectlambdaGetObject:
+ return "s3-object-lambda:GetObject";
+
+ case s3objectlambdaListBucket:
+ return "s3-object-lambda:ListBucket";
+
 case iamPutUserPolicy:
 return "iam:PutUserPolicy";
 
@@ -1505,6 +1544,18 @@ const char* action_bit_string(uint64_t action) {
 case iamListAccessKeys:
 return "iam:ListAccessKeys";
 
+ case iamGenerateCredentialReport:
+ return "iam:GenerateCredentialReport";
+
+ case iamGenerateServiceLastAccessedDetails:
+ return "iam:GenerateServiceLastAccessedDetails";
+
+ case iamSimulateCustomPolicy:
+ return "iam:SimulateCustomPolicy";
+
+ case iamSimulatePrincipalPolicy:
+ return "iam:SimulatePrincipalPolicy";
+
 case stsAssumeRole:
 return "sts:AssumeRole";
 
@@ -1531,6 +1582,39 @@ const char* action_bit_string(uint64_t action) {
 
 case snsCreateTopic:
 return "sns:CreateTopic";
+
+ case snsListTopics:
+ return "sns:ListTopics";
+
+ case organizationsDescribeAccount:
+ return "organizations:DescribeAccount";
+
+ case organizationsDescribeOrganization:
+ return "organizations:DescribeOrganization";
+
+ case organizationsDescribeOrganizationalUnit:
+ return "organizations:DescribeOrganizationalUnit";
+
+ case organizationsDescribePolicy:
+ return "organizations:DescribePolicy";
+
+ case organizationsListChildren:
+ return "organizations:ListChildren";
+
+ case organizationsListParents:
+ return "organizations:ListParents";
+
+ case organizationsListPoliciesForTarget:
+ return "organizations:ListPoliciesForTarget";
+
+ case organizationsListRoots:
+ return "organizations:ListRoots";
+
+ case organizationsListPolicies:
+ return "organizations:ListPolicies";
+
+ case organizationsListTargetsForPolicy:
+ return "organizations:ListTargetsForPolicy";
 }
 return "s3Invalid";
 }
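Review bot: action_bit_string() is the third hand-maintained copy of the action list after the enum in rgw_iam_policy.h and the `actpairs` table earlier in this file, and the 54 lines added across these three hunks only extend the switch. Every name added here is also added to `actpairs` with the identical string, so the function could instead scan that table for the row whose bit equals `action` and return its name, keeping `return "s3Invalid"` as the not-found result, and a new action would then need only its enum entry and its table row; the `actpair` member names are not visible in this diff, so I am not quoting the loop, and the linear scan only matters if this function sits on a hot path rather than in logging, which I cannot tell from here. The new sentinel bits `s3objectlambdaAll` and `organizationsAll` have no case in these hunks and so stringify as "s3Invalid"; if the existing `s3All`/`iamAll`/`snsAll` bits are handled somewhere outside the hunks, the new ones need the same treatment.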
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 5eac17d3a94d6..3b236f695b989 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -113,8 +113,13 @@ enum {
 s3DeleteBucketPublicAccessBlock,
 s3GetBucketEncryption,
 s3PutBucketEncryption,
+ s3DescribeJob,
 s3All,
 
+ s3objectlambdaGetObject,
+ s3objectlambdaListBucket,
+ s3objectlambdaAll,
+
 iamPutUserPolicy,
 iamGetUserPolicy,
 iamDeleteUserPolicy,
@@ -145,6 +150,10 @@ enum {
 iamUpdateAccessKey,
 iamDeleteAccessKey,
 iamListAccessKeys,
+ iamGenerateCredentialReport,
+ iamGenerateServiceLastAccessedDetails,
+ iamSimulateCustomPolicy,
+ iamSimulatePrincipalPolicy,
 iamAll,
 
 stsAssumeRole,
@@ -158,8 +167,21 @@ enum {
 snsPublish,
 snsSetTopicAttributes,
 snsCreateTopic,
+ snsListTopics,
 snsAll,
 
+ organizationsDescribeAccount,
+ organizationsDescribeOrganization,
+ organizationsDescribeOrganizationalUnit,
+ organizationsDescribePolicy,
+ organizationsListChildren,
+ organizationsListParents,
+ organizationsListPoliciesForTarget,
+ organizationsListRoots,
+ organizationsListPolicies,
+ organizationsListTargetsForPolicy,
+ organizationsAll,
+
 allCount
 };
 
@@ -181,9 +203,11 @@ constexpr std::bitset set_cont_bits(size_t start, size_t end)
 
 static const Action_t None(0);
 static const Action_t s3AllValue = set_cont_bits(0,s3All);
-static const Action_t iamAllValue = set_cont_bits(s3All+1,iamAll);
+static const Action_t s3objectlambdaAllValue = set_cont_bits(s3All+1,s3objectlambdaAll);
+static const Action_t iamAllValue = set_cont_bits(s3objectlambdaAll+1,iamAll);
 static const Action_t stsAllValue = set_cont_bits(iamAll+1,stsAll);
-static const Action_t snsAllValue = set_cont_bits(stsAll + 1, snsAll);
+static const Action_t snsAllValue = set_cont_bits(stsAll+1, snsAll);
+static const Action_t organizationsAllValue = set_cont_bits(snsAll+1,organizationsAll);
 static const Action_t allValue = set_cont_bits(0,allCount);
 
 namespace {
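Review bot: Inserting `s3objectlambdaGetObject`/`s3objectlambdaListBucket`/`s3objectlambdaAll` after `s3All` in the first hunk, and the four `iamGenerate*`/`iamSimulate*` entries before `iamAll` in the second, renumbers every iam, sts and sns bit, and `snsListTopics` plus the organizations block move `allCount`. That is harmless while an Action_t only ever lives in memory and is rebuilt from policy text by the parser, but if a bitset is ever stored or cached in binary form anywhere (nothing in this diff shows that either way) the shift silently remaps which permission each stored bit grants, so it is worth confirming before merge. The enum, the `set_cont_bits()` constants in the last hunk, ParseState::do_string() and action_bit_string() all rely on each service's actions forming a contiguous run terminated by its `*All` sentinel, and the header says nothing about that; I would add above the enum `// Actions are grouped by service; each group is a contiguous run ending in its <service>All wildcard bit. The *AllValue constants below and ParseState::do_string() depend on this order, so a new action goes inside its group, never at the end.` The enum's opening line is outside these hunks.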
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 1a308c0f68a02..b13e06c31358a 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -48,7 +48,7 @@ using rgw::IAM::Environment;
 using rgw::Partition;
 using rgw::IAM::Policy;
 using rgw::IAM::s3All;
-using rgw::IAM::s3All;
+using rgw::IAM::s3objectlambdaAll;
 using rgw::IAM::s3GetAccelerateConfiguration;
 using rgw::IAM::s3GetBucketAcl;
 using rgw::IAM::s3GetBucketOwnershipControls;
@@ -86,6 +86,27 @@ using rgw::IAM::s3PutBucketPolicy;
 using rgw::IAM::s3GetBucketObjectLockConfiguration;
 using rgw::IAM::s3GetObjectRetention;
 using rgw::IAM::s3GetObjectLegalHold;
+using rgw::IAM::s3DescribeJob;
+using rgw::IAM::s3objectlambdaGetObject;
+using rgw::IAM::s3objectlambdaListBucket;
+using rgw::IAM::iamGenerateCredentialReport;
+using rgw::IAM::iamGenerateServiceLastAccessedDetails;
+using rgw::IAM::iamGetUserPolicy;
+using rgw::IAM::iamGetRole;
+using rgw::IAM::iamGetRolePolicy;
+using rgw::IAM::iamGetOIDCProvider;
+using rgw::IAM::iamGetUser;
+using rgw::IAM::iamListUserPolicies;
+using rgw::IAM::iamListRoles;
+using rgw::IAM::iamListRolePolicies;
+using rgw::IAM::iamListOIDCProviders;
+using rgw::IAM::iamListRoleTags;
+using rgw::IAM::iamListUsers;
+using rgw::IAM::iamListAccessKeys;
+using rgw::IAM::iamSimulateCustomPolicy;
+using rgw::IAM::iamSimulatePrincipalPolicy;
+using rgw::IAM::snsGetTopicAttributes;
+using rgw::IAM::snsListTopics;
 using rgw::Service;
 using rgw::IAM::TokenID;
 using rgw::IAM::Version;
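Review bot: None of the 21 `using` declarations added in the `@@ -86` hunk is referenced by any other line of this patch, and 13 of them (`iamGetUserPolicy`, `iamGetRole`, `iamGetRolePolicy`, `iamGetOIDCProvider`, `iamGetUser`, `iamListUserPolicies`, `iamListRoles`, `iamListRolePolicies`, `iamListOIDCProviders`, `iamListRoleTags`, `iamListUsers`, `iamListAccessKeys`, `snsGetTopicAttributes`) name actions the patch does not touch at all. Presumably they are staged for a follow-up managed-policy test, but as committed they are dead declarations, and the new action names get no parse coverage here beyond the bit-range arithmetic in `iamconsts`. I would either drop them or land that test in the same commit: a Parse case whose `Action` array lists `s3:DescribeJob`, `s3-object-lambda:*`, the four new `iam:` actions, `sns:ListTopics` and `organizations:*`, asserting the expected bits and that the two wildcards fold into `s3objectlambdaAll` and `organizationsAll`, in the same way Parse5 expects the full iam range including `iamAll`.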
@@ -96,8 +117,17 @@ using rgw::IAM::iamDeleteRole;
 using rgw::IAM::iamAll;
 using rgw::IAM::stsAll;
 using rgw::IAM::snsAll;
+using rgw::IAM::organizationsAll;
 using rgw::IAM::allCount;
 
+using rgw::IAM::s3AllValue;
+using rgw::IAM::s3objectlambdaAllValue;
+using rgw::IAM::iamAllValue;
+using rgw::IAM::stsAllValue;
+using rgw::IAM::snsAllValue;
+using rgw::IAM::organizationsAllValue;
+using rgw::IAM::allValue;
+
 class FakeIdentity : public Identity {
 const Principal id;
 public:
@@ -592,7 +622,7 @@ TEST_F(PolicyTest, Parse5) {
 EXPECT_TRUE(p->statements[0].noprinc.empty());
 EXPECT_EQ(p->statements[0].effect, Effect::Allow);
 Action_t act;
- for (auto i = s3All+1; i <= iamAll; i++)
+ for (auto i = s3objectlambdaAll+1; i <= iamAll; i++)
 act[i] = 1;
 EXPECT_EQ(p->statements[0].action, act);
 EXPECT_EQ(p->statements[0].notaction, None);
@@ -642,7 +672,7 @@ TEST_F(PolicyTest, Parse6) {
 EXPECT_TRUE(p->statements[0].noprinc.empty());
 EXPECT_EQ(p->statements[0].effect, Effect::Allow);
 Action_t act;
- for (auto i = 0U; i <= snsAll; i++)
+ for (auto i = 0U; i <= organizationsAll; i++)
 act[i] = 1;
 EXPECT_EQ(p->statements[0].action, act);
 EXPECT_EQ(p->statements[0].notaction, None);
@@ -1301,14 +1331,13 @@ Action_t set_range_bits(std::uint64_t start, std::uint64_t end)
 return result;
 }
 
-using rgw::IAM::s3AllValue;
-using rgw::IAM::stsAllValue;
-using rgw::IAM::allValue;
-using rgw::IAM::iamAllValue;
 TEST(set_cont_bits, iamconsts) {
 EXPECT_EQ(s3AllValue, set_range_bits(0, s3All));
- EXPECT_EQ(iamAllValue, set_range_bits(s3All+1, iamAll));
+ EXPECT_EQ(s3objectlambdaAllValue, set_range_bits(s3All+1, s3objectlambdaAll));
+ EXPECT_EQ(iamAllValue, set_range_bits(s3objectlambdaAll+1, iamAll));
 EXPECT_EQ(stsAllValue, set_range_bits(iamAll+1, stsAll));
+ EXPECT_EQ(snsAllValue, set_range_bits(stsAll+1, snsAll));
+ EXPECT_EQ(organizationsAllValue, set_range_bits(snsAll+1, organizationsAll));
 EXPECT_EQ(allValue , set_range_bits(0, allCount));
 }
 
-- 
2.39.5