From 09c1bfe864d62ec97ec42afb5dd320cb279a1294 Mon Sep 17 00:00:00 2001
From: Pritha Srivastava <prsrivas@redhat.com>
Date: Mon, 5 Feb 2018 15:10:38 +0530
Subject: [PATCH] rgw: Correct permission evaluation to allow only admin users
 to work with Roles.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
---
 src/rgw/rgw_common.cc    |  3 ++-
 src/rgw/rgw_rest_role.cc | 29 ++++++++++-------------------
 src/rgw/rgw_rest_role.h  |  9 ++++-----
 3 files changed, 16 insertions(+), 25 deletions(-)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 955e9bac499..eadebfa9469 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1738,7 +1738,8 @@ bool RGWUserCaps::is_valid_cap_type(const string& tp)
                                     "bilog",
                                     "mdlog",
                                     "datalog",
-                                    "opstate" };
+                                    "opstate",
+                                    "roles"};
 
   for (unsigned int i = 0; i < sizeof(cap_type) / sizeof(char *); ++i) {
     if (tp.compare(cap_type[i]) == 0) {
diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc
index 40473fba67f..60b0efa0e13 100644
--- a/src/rgw/rgw_rest_role.cc
+++ b/src/rgw/rgw_rest_role.cc
@@ -26,30 +26,21 @@ void RGWRestRole::send_response()
   end_header(s);
 }
 
-int RGWRoleRead::verify_permission()
+int RGWRestRole::verify_permission()
 {
-  if (s->auth.identity->is_anonymous()) {
-    return -EACCES;
-  }
-
-  if (!verify_user_permission(s, RGW_PERM_READ)) {
-    return -EACCES;
-  }
-
-  return 0;
+  int ret = check_caps(s->user->caps);
+  ldout(s->cct, 0) << "INFO: verify_permissions ret" << ret << dendl;
+  return ret;
 }
 
-int RGWRoleWrite::verify_permission()
+int RGWRoleRead::check_caps(RGWUserCaps& caps)
 {
-  if (s->auth.identity->is_anonymous()) {
-    return -EACCES;
-  }
-
-  if (!verify_user_permission(s, RGW_PERM_WRITE)) {
-    return -EACCES;
-  }
+    return caps.check_cap("roles", RGW_CAP_READ);
+}
 
-  return 0;
+int RGWRoleWrite::check_caps(RGWUserCaps& caps)
+{
+    return caps.check_cap("roles", RGW_CAP_WRITE);
 }
 
 int RGWCreateRole::get_params()
diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h
index 7a99dbe45c6..42788b5c6a9 100644
--- a/src/rgw/rgw_rest_role.h
+++ b/src/rgw/rgw_rest_role.h
@@ -3,7 +3,7 @@
 #ifndef CEPH_RGW_REST_ROLE_H
 #define CEPH_RGW_REST_ROLE_H
 
-class RGWRestRole : public RGWOp {
+class RGWRestRole : public RGWRESTOp {
 protected:
   string role_name;
   string role_path;
@@ -13,21 +13,20 @@ protected:
   string path_prefix;
 
 public:
+  int verify_permission() override;
   void send_response() override;
 };
 
 class RGWRoleRead : public RGWRestRole {
 public:
   RGWRoleRead() = default;
-  int verify_permission() override;
-  uint32_t op_mask() override { return RGW_OP_TYPE_READ; }
+  int check_caps(RGWUserCaps& caps) override;
 };
 
 class RGWRoleWrite : public RGWRestRole {
 public:
   RGWRoleWrite() = default;
-  int verify_permission() override;
-  uint32_t op_mask() override { return RGW_OP_TYPE_WRITE; }
+  int check_caps(RGWUserCaps& caps) override;
 };
 
 class RGWCreateRole : public RGWRoleWrite {
-- 
2.47.3