From 9507d38ea29c4d6ba92708d049f40039124a3515 Mon Sep 17 00:00:00 2001
From: Mark Houghton <mhoughton@microfocus.com>
Date: Wed, 28 Oct 2020 14:44:03 +0000
Subject: [PATCH] rgw: Check user permissions for governance retention bypass
 in multi-object delete.

fixes: https://tracker.ceph.com/issues/47586
Signed-off-by: Mark Houghton <mhoughton@microfocus.com>
(cherry picked from commit 4f1524199132cbf382877a35b040d691b12717d1)

Conflicts:
        src/rgw/rgw_op.cc:
          s->bucket_info vs s->bucket->get_info()
          s->bucket_info.bucket vs s->bucket->get_key()
---
 src/rgw/rgw_op.cc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 5c87c55829c77..78e35339c8a16 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6470,6 +6470,19 @@ void RGWGetHealthCheck::execute()
 int RGWDeleteMultiObj::verify_permission()
 {
   if (s->iam_policy || ! s->iam_user_policies.empty()) {
+    if (s->bucket_info.obj_lock_enabled() && bypass_governance_mode) {
+      auto r = eval_user_policies(s->iam_user_policies, s->env, boost::none,
+                                               rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket_info.bucket));
+      if (r == Effect::Deny) {
+        bypass_perm = false;
+      } else if (r == Effect::Pass && s->iam_policy) {
+        r = s->iam_policy->eval(s->env, *s->auth.identity, rgw::IAM::s3BypassGovernanceRetention,
+                                     ARN(s->bucket_info.bucket));
+        if (r == Effect::Deny) {
+          bypass_perm = false;
+        }
+      }
+    }
     auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env,
                                               boost::none,
                                               s->object.instance.empty() ?
-- 
2.39.5