From 27b5b076fed2a3f981fac716c2b89531d02ce5e9 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Mon, 30 Jun 2025 17:50:26 -0400
Subject: [PATCH] rgw: PublicAccessBlockConfiguration as raw struct we really don't need encapsulation for this
Signed-off-by: Casey Bodley
---
 src/rgw/rgw_common.cc | 8 ++++----
 src/rgw/rgw_op.cc | 6 +++---
 src/rgw/rgw_public_access.cc | 8 ++++----
 src/rgw/rgw_public_access.h | 28 +++++-----------------------
 4 files changed, 16 insertions(+), 34 deletions(-)
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 418e4ef2aec..1fbe97026a1 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1379,7 +1379,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
 // deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = s->public_access_block && s->public_access_block->restrict_public_buckets();
+ const bool restrict_public_buckets = s->public_access_block && s->public_access_block->RestrictPublicBuckets;
 if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
 ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
 return false;
@@ -1457,7 +1457,7 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
 if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm, ps->get_referer(), ps->public_access_block &&
- ps->public_access_block->ignore_public_acls())) {
+ ps->public_access_block->IgnorePublicAcls)) {
 ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl;
 if (granted_by_acl) {
 *granted_by_acl = true;
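Review bot: The comment above `restrict_public_buckets` does not say what happens when no PublicAccessBlock is set: `s->public_access_block && ...` evaluates to false in that case, so the public-policy denial below it is skipped entirely. That fail-open default is worth stating at the enforcement site, e.g. `// No PublicAccessBlock configured: RestrictPublicBuckets is treated as off.` The same comment applies to the identical check in the @@ -1546 hunk (verify_object_permission). Both functions start and end outside their hunks.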
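Review bot: In the `verify_permission(...)` call the setting is passed as a bare trailing boolean built inline, while the RestrictPublicBuckets check earlier in this file gives it a named local first. Now that the fields are read directly and differ only by name (`IgnorePublicAcls` vs `BlockPublicAcls`), a named local makes it easier to see which setting gates the ACL grant: `const bool ignore_public_acls = ps->public_access_block && ps->public_access_block->IgnorePublicAcls;`, then pass `ignore_public_acls`. The same applies to the @@ -1634 hunk (verify_object_permission_no_policy). The enclosing functions begin and end outside both hunks.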
@@ -1546,7 +1546,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
 // deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->restrict_public_buckets();
+ const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->RestrictPublicBuckets;
 if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) {
 ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
 return false;
@@ -1634,7 +1634,7 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
 object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm, nullptr, /* http referrer */ ps->public_access_block &&
- ps->public_access_block->ignore_public_acls())) {
+ ps->public_access_block->IgnorePublicAcls)) {
 ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
 if (granted_by_acl) {
 *granted_by_acl = true;
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 8afe19e24f6..5760e876100 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -4175,7 +4175,7 @@ int RGWPutObj::init_processing(optional_yield y) {
 } /* copy_source */
 // reject public canned acls
- if (s->public_access_block && s->public_access_block->block_public_acls() &&
+ if (s->public_access_block && s->public_access_block->BlockPublicAcls &&
 (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")) {
@@ -6408,7 +6408,7 @@ void RGWPutACLs::execute(optional_yield y)
 }
 if (s->public_access_block &&
- s->public_access_block->block_public_acls() &&
+ s->public_access_block->BlockPublicAcls &&
 new_policy.is_public(this)) {
 op_ret = -EACCES;
 return;
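Review bot: The BlockPublicAcls check in `RGWPutObj::init_processing` only compares `s->canned_acl` against three canned names, so as far as these lines show, an ACL supplied on the request in any other form is not covered. If such grants are rejected elsewhere in the op, a comment here should point to that place. If they are not, the check likely needs to evaluate the resulting ACL, as `RGWPutACLs::execute` does with `new_policy.is_public(this)`. The body of the `if` and the rest of the function are outside the hunk, so this cannot be confirmed from the diff.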
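Review bot: The denial path `op_ret = -EACCES; return;` emits no log line, unlike the RestrictPublicBuckets denials in rgw_common.cc, which name the blocking setting through `ldpp_dout(dpp, 10)`. A rejected attempt to make a bucket or object public is something operators will want to find when triaging access problems. Consider adding `ldpp_dout(this, 10) << __func__ << ": public ACL rejected by BlockPublicAcls" << dendl;` before setting `op_ret`, assuming `this` is the log prefix provider, as its use in `new_policy.is_public(this)` suggests. The @@ -8856 hunk (`RGWPutBucketPolicy::execute`, BlockPublicPolicy) has the same silent return. Both functions continue outside their hunks.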
@@ -8856,7 +8856,7 @@ void RGWPutBucketPolicy::execute(optional_yield y)
 s->cct->_conf.get_val("rgw_policy_reject_invalid_principals"));
 rgw::sal::Attrs attrs(s->bucket_attrs);
 if (s->public_access_block &&
- s->public_access_block->block_public_policy() &&
+ s->public_access_block->BlockPublicPolicy &&
 rgw::IAM::is_public(p)) {
 op_ret = -EACCES;
 return;
diff --git a/src/rgw/rgw_public_access.cc b/src/rgw/rgw_public_access.cc
index 6d86ad3516e..77c372f149c 100644
--- a/src/rgw/rgw_public_access.cc
+++ b/src/rgw/rgw_public_access.cc
@@ -26,10 +26,10 @@ std::ostream& operator<< (std::ostream& os, const PublicAccessBlockConfiguration
 oldState.copyfmt(os);
 os << std::boolalpha
- << "BlockPublicAcls: " << access_conf.block_public_acls() << std::endl
- << "IgnorePublicAcls: " << access_conf.ignore_public_acls() << std::endl
- << "BlockPublicPolicy" << access_conf.block_public_policy() << std::endl
- << "RestrictPublicBuckets" << access_conf.restrict_public_buckets() << std::endl;
+ << "BlockPublicAcls: " << access_conf.BlockPublicAcls << std::endl
+ << "IgnorePublicAcls: " << access_conf.IgnorePublicAcls << std::endl
+ << "BlockPublicPolicy" << access_conf.BlockPublicPolicy << std::endl
+ << "RestrictPublicBuckets" << access_conf.RestrictPublicBuckets << std::endl;
 os.copyfmt(oldState);
 return os;
diff --git a/src/rgw/rgw_public_access.h b/src/rgw/rgw_public_access.h
index 4bae36e732d..dc282ef3ad8 100644
--- a/src/rgw/rgw_public_access.h
+++ b/src/rgw/rgw_public_access.h
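Review bot: The last two labels in `operator<<` still lack the `": "` separator that the first two have, so the output reads `BlockPublicPolicytrue` and `RestrictPublicBucketsfalse`. The commit rewrites exactly these lines and can fix this in passing: `<< "BlockPublicPolicy: " << access_conf.BlockPublicPolicy << std::endl` and `<< "RestrictPublicBuckets: " << access_conf.RestrictPublicBuckets << std::endl;`. Anyone searching logs for these settings with the `Name: value` pattern would otherwise miss two of the four. The function starts and ends outside the hunk.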
@@ -19,29 +19,11 @@ class XMLObj;
 namespace ceph { class Formatter; }
-class PublicAccessBlockConfiguration {
- bool BlockPublicAcls;
- bool IgnorePublicAcls;
- bool BlockPublicPolicy;
- bool RestrictPublicBuckets;
- public:
- PublicAccessBlockConfiguration():
- BlockPublicAcls(false), IgnorePublicAcls(false),
- BlockPublicPolicy(false), RestrictPublicBuckets(false)
- {}
-
- auto block_public_acls() const {
- return BlockPublicAcls;
- }
- auto ignore_public_acls() const {
- return IgnorePublicAcls;
- }
- auto block_public_policy() const {
- return BlockPublicPolicy;
- }
- auto restrict_public_buckets() const {
- return RestrictPublicBuckets;
- }
+struct PublicAccessBlockConfiguration {
+ bool BlockPublicAcls = false;
+ bool IgnorePublicAcls = false;
+ bool BlockPublicPolicy = false;
+ bool RestrictPublicBuckets = false;
 void encode(ceph::bufferlist& bl) const {
 ENCODE_START(1,1, bl);
--
2.39.5
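Review bot: With the accessors gone, the four flags that gate public-access enforcement are writable by any code holding a non-const `PublicAccessBlockConfiguration`, where before they were private to the class. How the request state holds the object is not visible in this diff. If it is not already const there, making it so keeps a stray assignment from affecting the enforcement sites in rgw_common.cc and rgw_op.cc. A short comment on the struct would also help, e.g. `// S3 PublicAccessBlock flags; all default to false, i.e. no restriction.` The struct body (`encode` onward) continues past the hunk.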