From 5ba1b947bee13bf0001a1f988990859a76c2b04e Mon Sep 17 00:00:00 2001
From: Pritha Srivastava <prsrivas@redhat.com>
Date: Thu, 8 Jul 2021 21:24:10 +0530
Subject: [PATCH] rgw/sts: createbucket op should take into account session
 policies also while evaluating permissions.

Fixes: https://tracker.ceph.com/issues/51598

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 261eb60e0f3df202d0d13c719338690fbd6edb70)
---
 src/rgw/rgw_common.cc | 21 +++++++++++++++++----
 src/rgw/rgw_common.h  |  1 +
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index e7b62527a05ba..45ce6144f069f 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1077,15 +1077,28 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             perm_state_base * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op)
 {
-  auto usr_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
-  if (usr_policy_res == Effect::Deny) {
+  auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
+  if (identity_policy_res == Effect::Deny) {
+    return false;
+  }
+
+  if (! session_policies.empty()) {
+    auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, res);
+    if (session_policy_res == Effect::Deny) {
+      return false;
+    }
+    //Intersection of identity policies and session policies
+    if (identity_policy_res == Effect::Allow && session_policy_res == Effect::Allow) {
+      return true;
+    }
     return false;
   }
 
-  if (usr_policy_res == Effect::Allow) {
+  if (identity_policy_res == Effect::Allow) {
     return true;
   }
 
@@ -1122,7 +1135,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             const uint64_t op)
 {
   perm_state_from_req_state ps(s);
-  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, res, op);
+  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op);
 }
 
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, 
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 714810d199dc4..20bc5e4e49f38 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -2106,6 +2106,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             struct req_state * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op);
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
-- 
2.39.5