From 24d295237ef8de8f156e307fe451975b2292bc93 Mon Sep 17 00:00:00 2001
From: xiangxiang
Date: Fri, 17 Aug 2018 17:59:06 +0800
Subject: [PATCH] rgw: policy: fix NotPricipal, NotResource does not take effect
Signed-off-by: xiangxiang
---
 src/rgw/rgw_iam_policy.cc | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 8641d110917..d45bc952dce 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1280,20 +1280,28 @@ ostream& operator <<(ostream& m, const Condition& c) {
 Effect Statement::eval(const Environment& e, boost::optional ida, uint64_t act, const ARN& res) const {
- if (ida && (!ida->is_identity(princ) || ida->is_identity(noprinc))) {
- return Effect::Pass;
+ if (ida) {
+ if (!princ.empty() && !ida->is_identity(princ)) {
+ return Effect::Pass;
+ } else if (!noprinc.empty() && ida->is_identity(noprinc)) {
+ return Effect::Pass;
+ }
 }
-
- if (!std::any_of(resource.begin(), resource.end(),
- [&res](const ARN& pattern) {
- return pattern.match(res);
- }) ||
- (std::any_of(notresource.begin(), notresource.end(),
- [&res](const ARN& pattern) {
- return pattern.match(res);
- }))) {
- return Effect::Pass;
+ if (!resource.empty()) {
+ if (!std::any_of(resource.begin(), resource.end(),
+ [&res](const ARN& pattern) {
+ return pattern.match(res);
+ })) {
+ return Effect::Pass;
+ }
+ } else if (!notresource.empty()) {
+ if (std::any_of(notresource.begin(), notresource.end(),
+ [&res](const ARN& pattern) {
+ return pattern.match(res);
+ })) {
+ return Effect::Pass;
+ }
 }
 if (!(action[act] == 1) || (notaction[act] == 1)) {
--
2.47.3
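Review bot: With the new `!resource.empty()` / `!notresource.empty()` guards, a statement whose `resource` and `notresource` are both empty no longer returns `Effect::Pass` here and falls through to the action check, so it applies to every ARN; the old `any_of` over an empty `resource` always passed. The same holds in the `if (ida)` block when `princ` and `noprinc` are both empty, which now matches any identity. Unless the policy parser (not visible in this hunk) rejects such statements, an `Allow` statement missing these elements fails open. An explicit guard ahead of the resource check, such as `if (resource.empty() && notresource.empty()) return Effect::Pass;`, would keep the previous fail-closed result, and the principal pair needs an equivalent decision. The body of `Statement::eval` continues past the end of the hunk.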