From 33af29c54ffb412ecf6b5eba5e66f5d3dfe4c09c Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Mon, 27 Jul 2020 16:58:30 +0200
Subject: [PATCH] rgw: policy: reuse eval_principal to evaluate the policy principal

Since the other edge case when no Principal or a NotPrincipal is supplied also must be accounted for, which is already done in eval_principal function. Also reraising the error as Effect::Pass in line with the previous output, though an Effect::Deny would also work here.

Fixes: https://tracker.ceph.com/issues/46078
Signed-off-by: Abhishek Lekshmanan
(cherry picked from commit 1843f2dca853f97c6c9b4196eaf27581705be0e2)
---
 src/rgw/rgw_iam_policy.cc | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index da0fa92b7010e..31936c40472f2 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -970,12 +970,9 @@ ostream& operator <<(ostream& m, const Condition& c) {
 Effect Statement::eval(const Environment& e,
 boost::optional ida,
 uint64_t act, const ARN& res) const {
- if (ida) {
- if (!princ.empty() && !ida->is_identity(princ)) {
- return Effect::Pass;
- } else if (!noprinc.empty() && ida->is_identity(noprinc)) {
- return Effect::Pass;
- }
+
+ if (eval_principal(e, ida) == Effect::Deny) {
+ return Effect::Pass;
 }

 if (!resource.empty()) {
--
2.39.5
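Review bot: The `== Effect::Deny` test in `Statement::eval` uses an Effect value as a "principal did not match" signal and then converts it to `Effect::Pass`, and nothing at the call site says why. The commit message's remark that `Effect::Deny` "would also work" looks risky: if callers treat a statement-level Deny as an explicit deny, returning it here would make every statement written for one principal deny all other identities, so the mapping should be pinned with a comment such as `// principal mismatch: statement does not apply (Pass), never an explicit Deny`. `eval_principal` is defined outside the hunk, so its handling of an unset `ida` (which the removed `if (ida)` guard skipped) cannot be checked here; a unit test for a statement with no Principal/NotPrincipal, with and without an identity, would lock the intended result in. The body of `Statement::eval` continues past the hunk.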