From 3cecb8862dc941f75644689c9cae21df8075a740 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Knecht?=
Date: Tue, 12 Apr 2022 11:51:10 +0200
Subject: [PATCH] rgw: Avoid segfault when OPA authz is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
When `rgw_use_opa_authz=true`, radosgw would segfault on any request that didn't target a specific object or bucket, because `s->object` or `s->bucket` would be `nullptr` in that case, but that code path would try to dereference them anyway. This commit only adds the `object_name`, `subuser`, `user_info` and `bucket_info` JSON objects if the corresponding `s->X` object is defined, thereby avoiding segfaults in radosgw when Open Policy Agent authorization is enabled.
Fixes: https://tracker.ceph.com/issues/55286
Signed-off-by: Benoît Knecht
(cherry picked from commit ac71916cea04c8bac4baf58bcb9c63d8797f877e)
---
 src/rgw/rgw_opa.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc
index 4e5770300267f..2cbbbdbd52ccb 100644
--- a/src/rgw/rgw_opa.cc
+++ b/src/rgw/rgw_opa.cc
@@ -44,10 +44,18 @@ int rgw_opa_authorize(RGWOp *& op,
 jf.dump_string("decoded_uri", s->decoded_uri.c_str());
 jf.dump_string("params", s->info.request_params.c_str());
 jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
- jf.dump_string("object_name", s->object->get_name().c_str());
- jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
- jf.dump_object("user_info", s->user->get_info());
- jf.dump_object("bucket_info", s->bucket->get_info());
+ if (s->object) {
+ jf.dump_string("object_name", s->object->get_name().c_str());
+ }
+ if (s->auth.identity) {
+ jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
+ }
+ if (s->user) {
+ jf.dump_object("user_info", s->user->get_info());
+ }
+ if (s->bucket) {
+ jf.dump_object("bucket_info", s->bucket->get_info());
+ }
 jf.close_section();
 jf.close_section();
-- 
2.39.5
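Review bot: With the four new guards, `object_name`, `subuser`, `user_info` and `bucket_info` become optional keys in the input document sent to OPA, and nothing in the hunk tells policy authors that. A Rego expression that references a missing key is undefined, so a policy that negates such an expression or has no default-deny may decide differently for service-level requests than for bucket or object requests. I would add a comment above the first guard, e.g. `// Optional keys: omitted when the request has no object/bucket/user/identity; OPA policies must default to deny when they are absent.` The `if (s->auth.identity)` guard also deserves a second look: if a request can really reach this point without an identity, returning an error before querying OPA looks safer than sending a document with no subject, though whether that can happen is not visible here. The body of rgw_opa_authorize starts and ends outside the hunk.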