From a6ba14e279ae870df2499fdd87a08c622e0c2e14 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski <rzarzynski@mirantis.com>
Date: Sun, 17 Apr 2016 12:44:44 +0200
Subject: [PATCH] rgw: split account owner from identity used for
 authorization.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
---
 src/rgw/rgw_common.cc | 16 ++++----
 src/rgw/rgw_op.cc     | 92 +++++++++++++++++++++++++++----------------
 2 files changed, 66 insertions(+), 42 deletions(-)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index b14b26c6de48d..517b103bc8f4c 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -849,7 +849,7 @@ bool verify_requester_payer_permission(struct req_state *s)
   if (!s->bucket_info.requester_pays)
     return true;
 
-  if (s->bucket_info.owner == s->user->user_id)
+  if (s->auth_identity->is_owner_of(s->bucket_info.owner))
     return true;
 
   const char *request_payer = s->info.env->get("HTTP_X_AMZ_REQUEST_PAYER");
@@ -881,7 +881,7 @@ bool verify_bucket_permission(struct req_state * const s,
   if (!verify_requester_payer_permission(s))
     return false;
 
-  return bucket_acl->verify_permission(s->user->user_id, perm, perm);
+  return bucket_acl->verify_permission(*s->auth_identity, perm, perm);
 }
 
 bool verify_bucket_permission(struct req_state * const s, const int perm)
@@ -911,13 +911,14 @@ bool verify_object_permission(struct req_state * const s,
     return true;
   }
 
-  if (!object_acl)
+  if (!object_acl) {
     return false;
+  }
 
-  bool ret = object_acl->verify_permission(s->user->user_id, s->perm_mask,
-					  perm);
-  if (ret)
+  bool ret = object_acl->verify_permission(*s->auth_identity, s->perm_mask, perm);
+  if (ret) {
     return true;
+  }
 
   if (!s->cct->_conf->rgw_enforce_swift_acls)
     return ret;
@@ -935,8 +936,7 @@ bool verify_object_permission(struct req_state * const s,
     return false;
   /* we already verified the user mask above, so we pass swift_perm as the mask here,
      otherwise the mask might not cover the swift permissions bits */
-  return bucket_acl->verify_permission(s->user->user_id, swift_perm,
-				      swift_perm);
+  return bucket_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm);
 }
 
 bool verify_object_permission(struct req_state *s, int perm)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 082d128b816f1..5cee66ff35d60 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -273,16 +273,18 @@ static int read_policy(RGWRados *store, struct req_state *s,
     string no_object;
     rgw_obj no_obj(bucket, no_object);
     ret = get_policy_from_attr(s->cct, store, s->obj_ctx, bucket_info, bucket_attrs, &bucket_policy, no_obj);
-    if (ret < 0)
+    if (ret < 0) {
       return ret;
+    }
+
     rgw_user& owner = bucket_policy.get_owner().get_id();
     if (!s->system_request && owner.compare(s->user->user_id) != 0 &&
-        !bucket_policy.verify_permission(s->user->user_id, s->perm_mask,
-					RGW_PERM_READ))
+        !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
+                                         RGW_PERM_READ)) {
       ret = -EACCES;
-    else
+    } else {
       ret = -ENOENT;
-
+    }
   } else if (ret == -ENOENT) {
       ret = -ERR_NO_SUCH_BUCKET;
   }
@@ -432,11 +434,13 @@ int RGWGetObj::verify_permission()
 {
   obj = rgw_obj(s->bucket, s->object);
   store->set_atomic(s->obj_ctx, obj);
-  if (get_data)
+  if (get_data) {
     store->set_prefetch_data(s->obj_ctx, obj);
+  }
 
-  if (!verify_object_permission(s, RGW_PERM_READ))
+  if (!verify_object_permission(s, RGW_PERM_READ)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -1337,8 +1341,10 @@ int RGWListBuckets::verify_permission()
 
 int RGWGetUsage::verify_permission()
 {
-  if (!rgw_user_is_authenticated(*s->user))
+  if (s->auth_identity->is_anonymous()) {
     return -EACCES;
+  }
+
   return 0;
 }
 
@@ -1518,8 +1524,9 @@ void RGWStatAccount::execute()
 
 int RGWGetBucketVersioning::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -1537,8 +1544,9 @@ void RGWGetBucketVersioning::execute()
 
 int RGWSetBucketVersioning::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -1658,8 +1666,9 @@ void RGWDeleteBucketWebsite::execute()
 
 int RGWStatBucket::verify_permission()
 {
-  if (!verify_bucket_permission(s, RGW_PERM_READ))
+  if (!verify_bucket_permission(s, RGW_PERM_READ)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -1696,8 +1705,9 @@ void RGWStatBucket::execute()
 
 int RGWListBucket::verify_permission()
 {
-  if (!verify_bucket_permission(s, RGW_PERM_READ))
+  if (!verify_bucket_permission(s, RGW_PERM_READ)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -1767,24 +1777,27 @@ void RGWListBucket::execute()
 
 int RGWGetBucketLogging::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
 
 int RGWGetBucketLocation::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
 
 int RGWCreateBucket::verify_permission()
 {
-  if (!rgw_user_is_authenticated(*(s->user)))
+  if (s->auth_identity->is_anonymous()) {
     return -EACCES;
+  }
 
   if (s->user->user_id.tenant != s->bucket_tenant) {
     ldout(s->cct, 10)
@@ -2181,8 +2194,9 @@ void RGWCreateBucket::execute()
 
 int RGWDeleteBucket::verify_permission()
 {
-  if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+  if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -2262,8 +2276,9 @@ void RGWDeleteBucket::execute()
 
 int RGWPutObj::verify_permission()
 {
-  if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+  if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -2874,7 +2889,7 @@ int RGWPutMetadataAccount::init_processing()
 
 int RGWPutMetadataAccount::verify_permission()
 {
-  if (!rgw_user_is_authenticated(*(s->user))) {
+  if (s->auth_identity->is_anonymous()) {
     return -EACCES;
   }
 
@@ -3105,8 +3120,9 @@ int RGWDeleteObj::handle_slo_manifest(bufferlist& bl)
 
 int RGWDeleteObj::verify_permission()
 {
-  if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+  if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -3280,14 +3296,15 @@ int RGWCopyObj::verify_permission()
 
     /* check source object permissions */
     op_ret = read_policy(store, s, src_bucket_info, src_attrs, &src_policy,
-			 src_bucket, src_object);
-    if (op_ret < 0)
+                         src_bucket, src_object);
+    if (op_ret < 0) {
       return op_ret;
+    }
 
-    if (!s->system_request && /* system request overrides permission checks */
-        !src_policy.verify_permission(s->user->user_id, s->perm_mask,
-				      RGW_PERM_READ))
+    if (!s->system_request && /* admin request overrides permission checks */
+        !src_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) {
       return -EACCES;
+    }
   }
 
   RGWAccessControlPolicy dest_bucket_policy(s->cct);
@@ -3299,7 +3316,7 @@ int RGWCopyObj::verify_permission()
     dest_attrs = src_attrs;
   } else {
     op_ret = store->get_bucket_info(obj_ctx, dest_tenant_name, dest_bucket_name,
-				    dest_bucket_info, NULL, &dest_attrs);
+                                    dest_bucket_info, nullptr, &dest_attrs);
     if (op_ret < 0) {
       if (op_ret == -ENOENT) {
         op_ret = -ERR_NO_SUCH_BUCKET;
@@ -3317,18 +3334,21 @@ int RGWCopyObj::verify_permission()
 
   /* check dest bucket permissions */
   op_ret = read_policy(store, s, dest_bucket_info, dest_attrs,
-		       &dest_bucket_policy, dest_bucket, no_obj);
-  if (op_ret < 0)
+                       &dest_bucket_policy, dest_bucket, no_obj);
+  if (op_ret < 0) {
     return op_ret;
+  }
 
   if (!s->system_request && /* system request overrides permission checks */
-      !dest_bucket_policy.verify_permission(s->user->user_id, s->perm_mask,
-					    RGW_PERM_WRITE))
+      !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
+                                            RGW_PERM_WRITE)) {
     return -EACCES;
+  }
 
   op_ret = init_dest_policy();
-  if (op_ret < 0)
+  if (op_ret < 0) {
     return op_ret;
+  }
 
   return 0;
 }
@@ -3574,8 +3594,9 @@ void RGWPutACLs::execute()
 
 int RGWGetCORS::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -3595,8 +3616,9 @@ void RGWGetCORS::execute()
 
 int RGWPutCORS::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -3623,8 +3645,9 @@ void RGWPutCORS::execute()
 
 int RGWDeleteCORS::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
@@ -3748,8 +3771,9 @@ void RGWGetRequestPayment::execute()
 
 int RGWSetRequestPayment::verify_permission()
 {
-  if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
+  }
 
   return 0;
 }
-- 
2.39.5