From 9fc16df7ed39890b3cfa10fd6f1798b691e8ea0a Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Tue, 24 Sep 2019 16:40:41 +0200
Subject: [PATCH] rgw: honor PublicAccessBlockConfiguration for put object

Signed-off-by: Abhishek Lekshmanan
---
 src/rgw/rgw_op.cc | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 42682a6c637..4a9560e98db 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -86,6 +86,7 @@ using rgw::IAM::Effect;
 using rgw::IAM::Policy;
 using rgw::IAM::Policy;
+using rgw::IAM::PublicAccessConfiguration;
 static string mp_ns = RGW_OBJ_NS_MULTIPART;
 static string shadow_ns = RGW_OBJ_NS_SHADOW;
@@ -294,6 +295,24 @@ static boost::optional get_iam_policy_from_attr(CephContext* cct,
 }
 }
+static boost::optional
+get_public_access_conf_from_attr(const map& attrs)
+{
+ if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
+ aiter != attrs.end())
+ {
+ bufferlist::const_iterator iter{&aiter->second};
+ PublicAccessConfiguration access_conf;
+ try {
+ access_conf.decode(iter);
+ } catch (const buffer::error& e) {
+ return boost::none;
+ }
+ return access_conf;
+ }
+ return boost::none;
+}
+
 vector get_iam_user_policy_from_attr(CephContext* cct,
 rgw::sal::RGWRadosStore* store,
 map& attrs,
@@ -3615,6 +3634,14 @@ int RGWPutObj::verify_permission()
 }
 }
+ auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+ if (access_conf && access_conf->block_public_acls()) {
+ if (s->canned_acl.compare("public-read") ||
+ s->canned_acl.compare("public-read-write") ||
+ s->canned_acl.compare("authenticated-read"))
+ return -EACCES;
+ }
+
 auto op_ret = get_params();
 if (op_ret < 0) {
 ldpp_dout(this, 20) << "get_params() returned ret=" << op_ret << dendl;
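Review bot: The `catch (const buffer::error& e)` branch in get_public_access_conf_from_attr returns `boost::none`, the same value it returns when RGW_ATTR_PUBLIC_ACCESS is absent, so a bucket whose stored configuration fails to decode is handled as if no public-access block were set. The caller this patch adds to RGWPutObj::verify_permission skips the check on `boost::none`, so the control fails open and nothing is logged. The helper should report a decode failure separately from absence so the caller can log it and deny the request; at minimum put a comment above the catch such as `// NOTE: decode failure is treated as "no configuration"; public ACL blocking is not enforced for this bucket`. The exception variable `e` is unused.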
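Review bot: The three `s->canned_acl.compare(...)` calls are used as booleans, but compare() returns 0 on a match and non-zero otherwise, so each term is true when the ACL differs from that literal and the `||` of three different literals is true for every value. As written, any PutObject on a bucket with block_public_acls() set returns -EACCES, including requests with no canned ACL or with `private`. Assuming canned_acl is a std::string, the condition should be `if (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")`. The check also looks only at the canned ACL; if explicit grant headers can make the object public they are not covered here, and that may have to be checked after get_params(). verify_permission() begins and ends outside the hunk.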