From 4b8cea086a44019486418d818687cc1502b1ed2d Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 7 Dec 2023 16:16:16 -0500
Subject: [PATCH] rgw/auth: Identity::get_aclowner() for resources it creates

Signed-off-by: Casey Bodley
---
 src/rgw/driver/rados/rgw_data_sync.cc | 4 +--
 src/rgw/rgw_auth.cc | 37 +++++++++++++++++++++++++++
 src/rgw/rgw_auth.h | 15 ++++++++++-
 src/rgw/rgw_auth_filters.h | 4 +++
 src/test/rgw/test_rgw_iam_policy.cc | 6 +++++
 src/test/rgw/test_rgw_lua.cc | 4 +++
 6 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc
index 0a7d21a727787..88ac7e8629d06 100644
--- a/src/rgw/driver/rados/rgw_data_sync.cc
+++ b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2645,8 +2645,8 @@ class RGWUserPermHandler {
 return ret;
 }
 
- info->identity = rgw::auth::transform_old_authinfo(sync_env->cct,
- uid,
+ info->identity = rgw::auth::transform_old_authinfo(sync_env->cct, uid,
+ info->user_info.display_name,
 RGW_PERM_FULL_CONTROL,
 false, /* system_request? */
 TYPE_RGW);
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index e01f58a7f2c72..91107c60c9954 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -26,6 +26,7 @@ namespace auth {
 std::unique_ptr
 transform_old_authinfo(CephContext* const cct,
 const rgw_user& auth_id,
+ const std::string& display_name,
 const int perm_mask,
 const bool is_admin,
 const uint32_t type)
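Review bot: The new `display_name` parameter is slotted into the middle of a five-argument positional list (`rgw_user`, `std::string`, `int`, `bool`, `uint32_t`) whose neighbouring types convert implicitly between each other, so a caller that misorders arguments can still compile; the single caller updated in rgw_data_sync.cc relies on the `/* system_request? */` style to keep the positions straight. A short contract comment at the definition would help the next caller, e.g. `// display_name: informational only; recorded as ACLOwner::display_name on resources this identity creates`. As far as this patch shows, the value is only stored by DummyIdentityApplier and returned from get_aclowner(), so the comment should be confirmed against the rest of the function, whose body continues outside the hunk.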
@@ -40,22 +41,32 @@ transform_old_authinfo(CephContext* const cct,
 * the identity info as this was the policy for doing that before the
 * new auth. */
 const rgw_user id;
+ const std::string display_name;
 const int perm_mask;
 const bool is_admin;
 const uint32_t type;
 public:
 DummyIdentityApplier(CephContext* const cct,
 const rgw_user& auth_id,
+ const std::string display_name,
 const int perm_mask,
 const bool is_admin,
 const uint32_t type)
 : cct(cct),
 id(auth_id),
+ display_name(display_name),
 perm_mask(perm_mask),
 is_admin(is_admin),
 type(type) {
 }
 
+ ACLOwner get_aclowner() const {
+ ACLOwner owner;
+ owner.id = id;
+ owner.display_name = display_name;
+ return owner;
+ }
+
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 return rgw_perms_from_aclspec_default_strategy(id, aclspec, dpp);
 }
@@ -112,6 +123,7 @@ transform_old_authinfo(CephContext* const cct,
 return std::unique_ptr(
 new DummyIdentityApplier(cct,
 auth_id,
+ display_name,
 perm_mask,
 is_admin,
 type));
@@ -122,6 +134,7 @@ transform_old_authinfo(const req_state* const s)
 {
 return transform_old_authinfo(s->cct,
 s->user->get_id(),
+ s->user->get_display_name(),
 s->perm_mask,
 /* System user has admin permissions by default - it's supposed to pass
 * through any security check. */
@@ -531,6 +544,14 @@ const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
 
 /* rgw::auth::RemoteAuthApplier */
+ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = info.acct_user;
+ owner.display_name = info.acct_name;
+ return owner;
+}
+
 uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
 uint32_t perm = 0;
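Review bot: `ACLOwner get_aclowner() const {` in DummyIdentityApplier is the only implementation in this patch without `override`, even though the sibling `get_perms_from_aclspec` right below it carries one; since Identity::get_aclowner() is declared pure virtual in the header hunk, this compiles today but will silently stop overriding if the base signature ever changes, and -Winconsistent-missing-override will warn. Write `ACLOwner get_aclowner() const override {`. Separately, the constructor takes `const std::string display_name` by value and then copies it into the `const std::string display_name` member; either take `const std::string&` to match transform_old_authinfo, or drop the parameter `const` and initialize with `display_name(std::move(display_name))` so the by-value parameter buys something.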
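Review bot: `owner.id = info.acct_user` returns the account as presented by the remote authenticator, not the user this applier actually loads; if RemoteApplier::load_acct_info (outside this hunk) rewrites the user for implicit tenants before creating or loading it, the owner recorded on new resources would lack the tenant the stored user carries, and later ownership checks against that user would not match. Please confirm that `info.acct_user` and the loaded user id are always identical, or derive the owner from the loaded user and note the invariant with a comment such as `// must agree with the user id load_acct_info() resolves, including implicit tenant`. As with the other appliers here, `display_name` should be treated as informational only.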
@@ -748,6 +769,14 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
 const std::string rgw::auth::LocalApplier::NO_SUBUSER;
 const std::string rgw::auth::LocalApplier::NO_ACCESS_KEY;
 
+ACLOwner rgw::auth::LocalApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = user_info.user_id;
+ owner.display_name = user_info.display_name;
+ return owner;
+}
+
 uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
 return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec, dpp);
@@ -831,6 +860,14 @@ void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
 entry.subuser = subuser;
 }
 
+ACLOwner rgw::auth::RoleApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = token_attrs.user_id;
+ owner.display_name = role.name;
+ return owner;
+}
+
 void rgw::auth::RoleApplier::to_str(std::ostream& out) const
 {
 out << "rgw::auth::RoleApplier(role name =" << role.name;
 for (auto& policy: role.role_policies) {
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 3745a539f94bf..aa81efe03dd42 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -36,6 +36,9 @@ public:
 
 virtual ~Identity() = default;
 
+ /* Return the ACLOwner for resources created by this identity. */
+ virtual ACLOwner get_aclowner() const = 0;
+
 /* Translate the ACL provided in @aclspec into concrete permission set that
 * can be used during the authorization phase (RGWOp::verify_permission).
 * On error throws rgw::auth::Exception storing the reason.
@@ -100,6 +103,7 @@ inline std::ostream& operator<<(std::ostream& out,
 std::unique_ptr
 transform_old_authinfo(CephContext* const cct,
 const rgw_user& auth_id,
+ const std::string& display_name,
 const int perm_mask,
 const bool is_admin,
 const uint32_t type);
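Review bot: RoleApplier::get_aclowner() pairs a user id (`token_attrs.user_id`) with a role name as the display name, which differs from LocalApplier and RemoteApplier in the same file where both fields describe the same principal; a reader of stored ACLs will see a role name next to a user id and may assume the role is the owner. If that is deliberate, a one-line comment would settle it: `// owner is the assumed-role session user; role.name is informational only and is never consulted for authorization`. It is also worth confirming that `token_attrs.user_id` is the same id RoleApplier's is_owner_of() (outside this hunk) compares against, since a mismatch there means the identity could not later act on resources it created.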
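Review bot: The doc comment on the new pure virtual `get_aclowner()` states what it returns but not the contract implementers must honour, and the implementations in this patch already diverge on what goes into `display_name`. Since the returned owner ends up persisted on buckets and objects and compared during later authorization, the comment should pin the security-relevant part, e.g. `/* Return the ACLOwner recorded on resources created by this identity. owner.id must be the principal that is_owner_of() recognizes; display_name is informational only and must not drive authorization. */`. Stating it here gives decorators and future appliers a single place to check against.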
@@ -444,6 +448,13 @@ public:
 
 void modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const override;
 
+ ACLOwner get_aclowner() const override {
+ ACLOwner owner;
+ owner.id = rgw_user{role_tenant, sub, "oidc"};
+ owner.display_name = user_name;
+ return owner;
+ }
+
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 return RGW_PERM_NONE;
 }
@@ -618,6 +629,7 @@ public:
 implicit_tenant_bit(implicit_tenant_bit) {
 }
 
+ ACLOwner get_aclowner() const override;
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
 bool is_admin_of(const rgw_user& uid) const override;
 bool is_owner_of(const rgw_user& uid) const override;
@@ -678,7 +690,7 @@ public:
 access_key_id(access_key_id) {
 }
 
-
+ ACLOwner get_aclowner() const override;
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
 bool is_admin_of(const rgw_user& uid) const override;
 bool is_owner_of(const rgw_user& uid) const override;
@@ -740,6 +752,7 @@ public:
 : role(role),
 token_attrs(token_attrs) {}
 
+ ACLOwner get_aclowner() const override;
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 return 0;
 }
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index 75b1c7aa1bdfc..d02772487e953 100644
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -65,6 +65,10 @@ public:
 : decoratee(std::forward(decoratee)) {
 }
 
+ ACLOwner get_aclowner() const override {
+ return get_decoratee().get_aclowner();
+ }
+
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
 }
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 32fd0d23a4564..d458742481c25 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
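Review bot: The WebIdentityApplier owner id is built from the bare literal `"oidc"` as the user namespace in `rgw_user{role_tenant, sub, "oidc"}`; if the same literal is repeated where this applier loads or creates its user (outside this hunk), the two can drift and created resources would then be owned by an id the identity never matches, so hoist it to a named constant shared by both sites, e.g. `static constexpr std::string_view oidc_ns = "oidc";`. Note also that this applier's `get_perms_from_aclspec` returns `RGW_PERM_NONE`, so any ACL grant to this owner id is never honoured through the aclspec path; that is presumably intended, with ownership handled by is_owner_of(), but a comment saying so would help. For consistency with LocalApplier and RoleApplier in the same header, which only declare `get_aclowner()` here and define it in rgw_auth.cc, consider moving this body out of line as well.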
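Review bot: DecoratedApplier forwards `get_aclowner()` straight to the decoratee, which is correct for pass-through filters, but any decorator in this file that substitutes a different account during load_acct_info() or is_owner_of() (outside this hunk) now inherits the inner identity's owner and needs its own override; otherwise resources created through such a filter are recorded as owned by the authenticating identity rather than the effective account, and the effective account may later be unable to act on them. Please check each DecoratedApplier subclass in this header and add `ACLOwner get_aclowner() const override;` wherever the effective user differs from the decoratee's. A comment on this forwarding method, e.g. `// subclasses that change the effective account must override this too`, would record the expectation.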
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -102,6 +102,12 @@ class FakeIdentity : public Identity {
 public:
 
 explicit FakeIdentity(Principal&& id) : id(std::move(id)) {}
+
+ ACLOwner get_aclowner() const override {
+ ceph_abort();
+ return {};
+ }
+
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 ceph_abort();
 return 0;
diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index 2adba8016e50e..0fe87a4cd47b0 100644
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -33,6 +33,10 @@ class FakeIdentity : public Identity {
 public:
 FakeIdentity() = default;
 
+ ACLOwner get_aclowner() const override {
+ return {};
+ }
+
 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
 return 0;
 };
-- 
2.39.5