From b824bed2a89c31898fbcf772bcbfd326937f7dab Mon Sep 17 00:00:00 2001
From: Casey Bodley <cbodley@redhat.com>
Date: Wed, 21 Feb 2024 15:55:09 -0500
Subject: [PATCH] rgw/auth: RoleApplier matches account principals

account principals of the form ``arn:aws:iam::123456789012:root``
or ``123456789012`` delegate authority to the account, which means that
it applies to all of the account's users and roles

Signed-off-by: Casey Bodley <cbodley@redhat.com>
---
 src/rgw/rgw_auth.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index f8673a771c86b..dd9337818c79e 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -976,6 +976,9 @@ void rgw::auth::RoleApplier::to_str(std::ostream& out) const {
 bool rgw::auth::RoleApplier::is_identity(const Principal& p) const {
   if (p.is_wildcard()) {
     return true;
+  } else if (p.is_account()) {
+    return match_account_or_tenant(role.account_id, role.tenant,
+                                   p.get_account());
   } else if (p.is_role()) {
     return p.get_id() == role.name // TODO: match path/name
         && p.get_account() == role.tenant;
-- 
2.39.5