From ab745eae2109b5429c1dea29d61ede6a7af7e0df Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Wed, 2 Oct 2019 11:57:36 +0200
Subject: [PATCH] rgw: move PublicAccessConfiguration to req_state
This allows for evaluation of more complex use cases where IgnorePublicACLs and the like are set which need to be evaluated for GET/HEAD requests as well
Signed-off-by: Abhishek Lekshmanan
---
 src/rgw/rgw_common.h | 2 ++
 src/rgw/rgw_op.cc | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index c8a02ed54a5..3a1cac9c141 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -37,6 +37,7 @@
 #include "cls/user/cls_user_types.h"
 #include "cls/rgw/cls_rgw_types.h"
 #include "include/rados/librados.hpp"
+#include "rgw_public_access.h"
 namespace ceph {
 class Formatter;
@@ -1696,6 +1697,7 @@ struct req_state : DoutPrefixProvider {
 rgw::IAM::Environment env;
 boost::optional iam_policy;
+ boost::optional bucket_access_conf;
 vector iam_user_policies;
 /* Is the request made by an user marked as a system one?
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index b993f099e0c..a284e2e8239 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -700,6 +700,10 @@ int rgw_build_bucket_policies(rgw::sal::RGWRadosStore* store, struct req_state*
 return -EINVAL;
 }
 }
+
+ if(s->bucket_exists) {
+ s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+ }
 }
 /* handle user ACL only for those APIs which support it */
@@ -3634,8 +3638,7 @@ int RGWPutObj::verify_permission()
 }
 }
- auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
- if (access_conf && access_conf->block_public_acls()) {
+ if (s->bucket_access_conf && s->bucket_access_conf->block_public_acls()) {
 if (s->canned_acl.compare("public-read") ||
 s->canned_acl.compare("public-read-write") ||
 s->canned_acl.compare("authenticated-read"))
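Review bot: The assignment added in rgw_build_bucket_policies is now the only place `s->bucket_access_conf` is filled, and the three rewritten checks (RGWPutObj::verify_permission, RGWPutACLs::execute, RGWPutBucketPolicy::execute) treat an empty optional as "no restriction" and fall through. Before this change each op decoded the configuration from `s->bucket_attrs` at check time, so it is worth confirming that no request path reaches those checks with `s->bucket_attrs` loaded or refreshed after this point; the hunk does not show that either way. I would document the contract at the assignment and on the new `req_state` member, for example `// filled once in rgw_build_bucket_policies(); empty means no public access configuration was found and callers apply no block`, and write `if (s->bucket_exists) {` with a space to match the other conditions in the patch. The function body starts and ends outside the hunk.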
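Review bot: The canned-ACL test that the rewritten guard in RGWPutObj::verify_permission leads into uses `std::string::compare`, which returns 0 on a match, so `s->canned_acl.compare("public-read") || ...` is true whenever the value differs from at least one of the three names, which is always. With BlockPublicAcls set, the branch is therefore taken for every request, including ones that carry a private or no canned ACL; what the branch then does is outside the hunk. The commit keeps these lines as context, but the intended test looks like `if (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")`. verify_permission continues past the end of the hunk.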
@@ -5536,8 +5539,9 @@ void RGWPutACLs::execute()
 *_dout << dendl;
 }
- if (auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
- access_conf && access_conf->block_public_acls() && new_policy.IsPublic()) {
+ if (s->bucket_access_conf &&
+ s->bucket_access_conf->block_public_acls() &&
+ new_policy.IsPublic()) {
 op_ret = -EACCES;
 return;
 }
@@ -7692,11 +7696,11 @@ void RGWPutBucketPolicy::execute()
 try {
 const Policy p(s->cct, s->bucket_tenant, data);
 auto attrs = s->bucket_attrs;
- if (auto access_conf = get_public_access_conf_from_attr(attrs);
- access_conf && access_conf->block_public_policy() && rgw::IAM::IsPublic(p))
- {
- op_ret = -EACCES;
- return;
+ if (s->bucket_access_conf &&
+ s->bucket_access_conf->block_public_policy() &&
+ rgw::IAM::IsPublic(p)) {
+ op_ret = -EACCES;
+ return;
 }
 op_ret = retry_raced_bucket_write(store->getRados(), s, [&p, this, &attrs] {
-- 2.39.5
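Review bot: The deny path in RGWPutACLs::execute sets `op_ret = -EACCES` and returns without a log line, and the same holds for the rewritten check in RGWPutBucketPolicy::execute. A rejection caused by the bucket's public access configuration is then indistinguishable in the logs from an ordinary permission failure. A debug line before each return, using whichever dout macro the function already uses, would let an operator tell the two apart, for example `ldpp_dout(this, 10) << "rejecting public ACL: bucket public access configuration blocks public ACLs" << dendl;`, with the policy variant worded for block_public_policy. Both function bodies start and end outside their hunks.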