From 1f73dab66f4667b13df573a238f029901b3f52ba Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Mon, 30 Jun 2025 17:53:38 -0400 Subject: [PATCH] rgw: req_state::public_access_block is not optional a default-constructed PublicAccessBlockConfiguration (with all bool members set to false) makes for a perfectly good empty state Signed-off-by: Casey Bodley --- src/rgw/rgw_common.cc | 16 ++++++++-------- src/rgw/rgw_common.h | 7 ++++--- src/rgw/rgw_op.cc | 22 ++++++++++------------ 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 1fbe97026a1..0ceca56434b 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1379,8 +1379,9 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, // If RestrictPublicBuckets is enabled and the bucket policy allows public access, // deny the request if the requester is not in the bucket owner account - const bool restrict_public_buckets = s->public_access_block && s->public_access_block->RestrictPublicBuckets; - if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) { + if (s->public_access_block.RestrictPublicBuckets && + bucket_policy && rgw::IAM::is_public(*bucket_policy) && + !s->identity->is_owner_of(s->bucket_info.owner)) { ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl; return false; } @@ -1456,8 +1457,7 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm, ps->get_referer(), - ps->public_access_block && - ps->public_access_block->IgnorePublicAcls)) { + ps->public_access_block.IgnorePublicAcls)) { ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl; if (granted_by_acl) { *granted_by_acl = true; 
@@ -1546,8 +1546,9 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b // If RestrictPublicBuckets is enabled and the bucket policy allows public access, // deny the request if the requester is not in the bucket owner account - const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->RestrictPublicBuckets; - if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) { + if (ps->public_access_block.RestrictPublicBuckets && + bucket_policy && rgw::IAM::is_public(*bucket_policy) && + !ps->identity->is_owner_of(ps->bucket_info.owner)) { ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl; return false; } @@ -1633,8 +1634,7 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, if (ps->bucket_object_ownership != rgw::s3::ObjectOwnership::BucketOwnerEnforced && object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm, nullptr, /* http referrer */ - ps->public_access_block && - ps->public_access_block->IgnorePublicAcls)) { + ps->public_access_block.IgnorePublicAcls)) { ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl; if (granted_by_acl) { *granted_by_acl = true; diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 618b65e0086..7bbde0fd41b 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1404,7 +1404,8 @@ struct req_state : DoutPrefixProvider { rgw::IAM::Environment env; boost::optional iam_policy; - boost::optional public_access_block; + // PublicAccessBlock configuration that applies to this request + PublicAccessBlockConfiguration public_access_block; rgw::s3::ObjectOwnership bucket_object_ownership = rgw::s3::ObjectOwnership::ObjectWriter; std::vector iam_identity_policies; 
@@ -1723,7 +1724,7 @@ struct perm_state_base { rgw::s3::ObjectOwnership bucket_object_ownership; int perm_mask; bool defer_to_bucket_acls; - boost::optional public_access_block; + PublicAccessBlockConfiguration public_access_block; perm_state_base(CephContext *_cct, const rgw::IAM::Environment& _env, @@ -1732,7 +1733,7 @@ struct perm_state_base { rgw::s3::ObjectOwnership bucket_object_ownership, int _perm_mask, bool _defer_to_bucket_acls, - boost::optional _public_access_block = boost::none) : + PublicAccessBlockConfiguration _public_access_block = {}) : cct(_cct), env(_env), identity(_identity), diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 5760e876100..fa326a491bd 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -373,21 +373,21 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp, return ret; } -static boost::optional +static PublicAccessBlockConfiguration get_public_access_conf_from_attr(const map& attrs) { + PublicAccessBlockConfiguration configuration; if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS); aiter != attrs.end()) { bufferlist::const_iterator iter{&aiter->second}; - PublicAccessBlockConfiguration access_conf; try { - access_conf.decode(iter); - } catch (const buffer::error& e) { - return boost::none; + configuration.decode(iter); + } catch (const buffer::error&) { + // reset to default + configuration = PublicAccessBlockConfiguration{}; } - return access_conf; } - return boost::none; + return configuration; } static int read_bucket_policy(const DoutPrefixProvider *dpp, @@ -4175,7 +4175,7 @@ int RGWPutObj::init_processing(optional_yield y) { } /* copy_source */ // reject public canned acls - if (s->public_access_block && s->public_access_block->BlockPublicAcls && + if (s->public_access_block.BlockPublicAcls && (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")) { 
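Review bot: The `public_access_block` member of perm_state_base (rgw_common.h) has no comment, although the same member in req_state gained one in this commit. With the optional gone, an omitted constructor argument (`= {}` in the following hunk) yields a configuration with every setting off, which reads exactly like a bucket that has no block configured. Since the permission checks in rgw_common.cc now read the fields directly, a perm_state built without the bucket's settings would presumably be evaluated with no restrictions and nothing would flag it. I would document that on the member, e.g. `// PublicAccessBlock settings for the bucket; default-constructed means no restrictions apply`. The struct and its constructor continue outside both hunks, so whether any caller relies on the default cannot be checked from here.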
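Review bot: In get_public_access_conf_from_attr (rgw_op.cc), a `buffer::error` from `decode()` still ends in a configuration with all settings off, so an undecodable RGW_ATTR_PUBLIC_ACCESS value silently disables the bucket's public access block. The caller also can no longer tell that case from an absent attr. Resetting to a fresh object is sensible, since decode may have filled some fields before throwing, but the `// reset to default` comment should state the consequence, e.g. `// undecodable attr: fall back to no restrictions (fail-open)`. The function takes only `attrs`, so logging the failure would need a `DoutPrefixProvider` passed in or a log at the call site. Whether failing open is the intended policy is not visible in this hunk.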
@@ -6407,8 +6407,7 @@ void RGWPutACLs::execute(optional_yield y) *_dout << dendl; } - if (s->public_access_block && - s->public_access_block->BlockPublicAcls && + if (s->public_access_block.BlockPublicAcls && new_policy.is_public(this)) { op_ret = -EACCES; return; @@ -8855,8 +8854,7 @@ void RGWPutBucketPolicy::execute(optional_yield y) s->cct, &s->bucket_tenant, data.to_str(), s->cct->_conf.get_val("rgw_policy_reject_invalid_principals")); rgw::sal::Attrs attrs(s->bucket_attrs); - if (s->public_access_block && - s->public_access_block->BlockPublicPolicy && + if (s->public_access_block.BlockPublicPolicy && rgw::IAM::is_public(p)) { op_ret = -EACCES; return; -- 2.39.5
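Review bot: The BlockPublicAcls denial in RGWPutACLs::execute sets `op_ret = -EACCES` and returns without a log line, whereas the RestrictPublicBuckets denials in rgw_common.cc name the setting that blocked the request. The BlockPublicPolicy branch in RGWPutBucketPolicy::execute (the next hunk) has the same gap. An operator investigating the EACCES cannot tell a public access block from an ordinary permission failure. I would add, before the assignment, `ldpp_dout(this, 10) << __func__ << ": public acls are blocked by the BlockPublicAcls block public access setting" << dendl;` and a matching line for BlockPublicPolicy. Both functions start and end outside their hunks, so a log elsewhere in them is possible.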