From 5f86459381ed9f3c5565d1b74fc064f11b55c275 Mon Sep 17 00:00:00 2001
From: Pritha Srivastava
Date: Sat, 18 Apr 2020 22:38:47 +0530
Subject: [PATCH] rgw: adding code for policy evaluation for ops like getbucketversioning, putbucketversioning etc

Signed-off-by: Pritha Srivastava
---
 src/rgw/rgw_common.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index a6df0e947e5cc..2e9b751177baf 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1263,11 +1263,22 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state *
 int verify_bucket_owner_or_policy(struct req_state* const s,
                                   const uint64_t op)
 {
+  auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env, boost::none, op, ARN(s->bucket));
+  if (usr_policy_res == Effect::Deny) {
+    return -EACCES;
+  }
+  auto e = eval_or_pass(s->iam_policy, s->env, *s->auth.identity, op, ARN(s->bucket));
+  if (e == Effect::Deny) {
+    return -EACCES;
+  }
   if (e == Effect::Allow ||
+      usr_policy_res == Effect::Allow || (e == Effect::Pass &&
+      usr_policy_res == Effect::Pass && s->auth.identity->is_owner_of(s->bucket_owner.get_id()))) {
     return 0;
   } else {
-- 
2.39.5
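Review bot: The precedence the new checks establish — an explicit Deny from either the user's IAM policies or the bucket policy is final, an Allow from either is sufficient, and bucket ownership only decides when both evaluate to Pass — is stated nowhere, so a reader has to reconstruct it from the two early returns plus the three-way condition; add a comment above `int verify_bucket_owner_or_policy` such as `// Deny from user or bucket policy wins; otherwise Allow from either, or owner access when both policies are silent (Pass).` The combined condition would also read more clearly with the Pass/Pass/owner clause kept on its own lines rather than split after `(e == Effect::Pass &&`. Note that `eval_user_policies` is passed `boost::none` for the identity while `eval_or_pass` receives `*s->auth.identity`; if that is the convention for identity-based policies elsewhere in the file it is fine, but it deserves a one-line comment, since a user policy carrying a principal condition would presumably evaluate differently. The function's else branch and closing brace lie outside the hunk.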