From 9d0f9a7e9d7b2991fc1c76ca2a46a17df1945190 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 14 Mar 2024 15:23:12 -0400
Subject: [PATCH] rgw/pubsub: CreateTopic consults identity policies when topic doesn't exist

Signed-off-by: Casey Bodley
(cherry picked from commit 8896b227226fad92d280e72cd08210685dd445af)
---
 src/rgw/rgw_rest_pubsub.cc | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/rgw/rgw_rest_pubsub.cc b/src/rgw/rgw_rest_pubsub.cc
index e268a4fadba..891b015a7f4 100644
--- a/src/rgw/rgw_rest_pubsub.cc
+++ b/src/rgw/rgw_rest_pubsub.cc
@@ -329,9 +329,20 @@ class RGWPSCreateTopicOp : public RGWOp {
     return 0;
   }
 
-  if (topic && !verify_topic_permission(this, s, *topic, topic_arn,
-                                        rgw::IAM::snsCreateTopic)) {
-    return -ERR_AUTHORIZATION;
+  if (topic) {
+    // consult topic policy for overwrite permission
+    if (!verify_topic_permission(this, s, *topic, topic_arn,
+                                 rgw::IAM::snsCreateTopic)) {
+      return -ERR_AUTHORIZATION;
+    }
+  } else {
+    // if no topic policy exists, just check identity policies for denies
+    constexpr bool mandatory_policy = false;
+    if (!verify_user_permission(this, s, topic_arn,
+                                rgw::IAM::snsCreateTopic,
+                                mandatory_policy)) {
+      return -ERR_AUTHORIZATION;
+    }
   }
   return 0;
 }
-- 
2.39.5
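Review bot: The comment on the new `else` branch, `// if no topic policy exists, just check identity policies for denies`, understates what the call does: `verify_user_permission` with `mandatory_policy = false` presumably honours an explicit identity- or session-policy Allow as well as a Deny, and a principal with no identity policy attached at all is not rejected by this check, so the authorization outcome for the create-new-topic path is "allowed unless explicitly denied". I would say that in the comment so the next reader does not mistake it for a deny-only scan, e.g. `// no topic policy to consult: evaluate identity/session policies (Allow or Deny); mandatory_policy=false means an identity with no policy attached is not denied here — confirm against verify_user_permission`. The two branches also differ in what they evaluate — the `topic` branch delegates entirely to `verify_topic_permission`, so whether identity policies are still consulted on the overwrite path depends on that helper and is not visible in this hunk; a one-line comment stating that would save a lookup. The enclosing function starts outside the hunk.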