From ff972d6956709ff8b5da5a34205af623d7af9542 Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Thu, 29 Aug 2019 20:06:59 +0200
Subject: [PATCH] rgw: initial implementation of a public policy tester
doesn't cover all the cases involving a nonprinc user yet
Signed-off-by: Abhishek Lekshmanan
---
src/rgw/rgw_iam_policy.cc | 33 ++++++++++++++++++++++++++++++++-
src/rgw/rgw_iam_policy.h | 2 ++
src/rgw/rgw_op.cc | 2 ++
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index fdfa480f3e4..c33db62149c 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1431,5 +1431,36 @@ ostream& operator <<(ostream& m, const Policy& p) {
 return m << " }";
 }
 
+static const Environment iam_all_env = {
+ {"aws:SourceIp","1.1.1.1"},
+ {"aws:UserId","anonymous"},
+ {"s3:x-amz-server-side-encryption-aws-kms-key-id","secret"}
+};
+
+struct IsPublicStatement
+{
+ bool operator() (const Statement &s) const {
+ if (s.effect == Effect::Allow) {
+ for (const auto& p : s.princ) {
+ if (p.is_wildcard()) {
+ if (s.eval_conditions(iam_all_env) == Effect::Allow)
+ return true;
+ }
+ }
+ // no princ should not contain fixed values
+ return std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) {
+ return !p.is_wildcard();
+ });
+ }
+ return false;
+ }
+};
+
+
+bool IsPublic(const Policy& p)
+{
+ return std::any_of(p.statements.begin(), p.statements.end(), IsPublicStatement());
 }
-}
+
+} // namespace IAM
+} // namespace rgw
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 21f8ead8e72..a667a0192ac 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -486,6 +486,8 @@ struct Policy {
 };
 
 std::ostream& operator <<(ostream& m, const Policy& p);
 
+bool IsPublic(const Policy& p);
+
 }
 }
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index c2f4a98d255..a9fafb77f2d 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
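Review bot: In IsPublicStatement::operator(), the fall-through `return std::all_of(s.noprinc.begin(), s.noprinc.end(), ...)` is reached for every Allow statement whose Principal list holds no wildcard, and std::all_of over an empty NotPrincipal list is true, so a statement that grants access only to named principals is reported as public. Over-reporting is the safe direction for a public-access indicator, but it makes the status meaningless for buckets whose policies are scoped to specific users; guard the branch on the list being non-empty, e.g. `return !s.noprinc.empty() && std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) { return !p.is_wildcard(); });`. That branch also never calls `s.eval_conditions(iam_all_env)`, so a NotPrincipal statement narrowed by a condition is still counted public, unlike the wildcard-Principal branch above it; applying the same condition check there keeps the two paths consistent. The fixed values in iam_all_env make the whole check a heuristic — the commit message says as much — and a comment above `iam_all_env` noting that condition keys absent from this environment are evaluated against a missing value would help the next reader; what eval_conditions returns for a missing key is decided outside this hunk.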
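Review bot: The new declaration `bool IsPublic(const Policy& p);` carries no comment, and the name promises more than the implementation delivers: the result is a heuristic obtained by evaluating each Allow statement's conditions against a fixed anonymous environment rather than a proof about the policy. Suggest `/// Heuristic: true if any Allow statement grants access to a wildcard principal (conditions evaluated against a fixed anonymous environment); false is not proof the policy is private.` above it so callers treat the value as an indicator, not an authorization decision.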
@@ -8085,4 +8085,6 @@ void RGWGetBucketPolicyStatus::execute()
 }
 );
 ldout(s->cct,20) << __func__ << "ACL public status=" << isPublic << dendl;
+ if (s->iam_policy)
+ isPublic |= rgw::IAM::IsPublic(*s->iam_policy);
 }
--
2.39.5
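Review bot: The only debug line in this path logs the ACL-derived status, and the combined value after `isPublic |= rgw::IAM::IsPublic(*s->iam_policy);` is never logged, so at debug level 20 an operator cannot tell whether the ACL or the bucket policy made the bucket public. Add a matching line after the new assignment, e.g. `ldout(s->cct,20) << __func__ << " policy public status=" << isPublic << dendl;`, so the two sources can be told apart when a public-bucket report is investigated. The body of RGWGetBucketPolicyStatus::execute() starts outside the hunk, so where isPublic is declared and consumed is not visible here.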