@@ -701,11 +701,10 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
701701 return false ;
702702 }
703703 } else if (w->kind == TokenKind::cond_key) {
704- auto & t = pp->policy .statements .back ();
705704 if (l > 0 && *s == ' $' ) {
706705 if (l >= 2 && *(s+1 ) == ' {' ) {
707706 if (l > 0 && *(s+l-1 ) == ' }' ) {
708- t. conditions .back ().isruntime = true ;
707+ t-> conditions .back ().isruntime = true ;
709708 } else {
710709 annotate (fmt::format (" Invalid interpolation `{}`." ,
711710 std::string_view{s, l}));
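Review bot: `t->conditions.back().isruntime = true;` dereferences `t` with no null check visible in this hunk, while the check added at the end of do_string guards with `if (t && ...)`, which implies the pointer that replaced the `statements.back()` reference can be null; the same unguarded dereference is on the `vals.emplace_back(s, l)` line in the next hunk. do_string starts and ends outside this hunk, so where `t` is declared and whether the cond_key path can be reached with no open statement is not visible here. If it can, the branch should fail like the neighbouring error paths, e.g. `if (!t) { annotate("Condition outside of a statement."); return false; }` (constructed message) before the first `t->`; if an open statement is already guaranteed on this path, a one-line comment at `t`'s declaration stating that invariant would make the asymmetric guarding deliberate.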
@@ -717,7 +716,7 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
717716 return false ;
718717 }
719718 }
720- t. conditions .back ().vals .emplace_back (s, l);
719+ t-> conditions .back ().vals .emplace_back (s, l);
721720
722721 // Principals
723722
@@ -756,6 +755,13 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
756755 return false ;
757756 }
758757
758+ // NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.
759+ // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
760+ if (t && t->effect == Effect::Allow && !t->noprinc .empty ()) {
761+ annotate (" Allow with NotPrincipal is not allowed." );
762+ return false ;
763+ }
764+
759765 return true ;
760766}
761767
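Review bot: The new `if (t && t->effect == Effect::Allow && !t->noprinc.empty())` runs at the end of every string value, so its verdict depends on the order of keys inside the statement: when the `NotPrincipal` value is parsed before `"Effect"` has been seen, `t->effect` still holds whatever Statement initialises it to, and if that default is Allow (not visible in this hunk) a valid Deny statement written as `{"NotPrincipal": ..., "Effect": "Deny"}` would be rejected. Running the check once when the statement object closes, or additionally requiring an "effect was set explicitly" flag, would make it independent of key order. Separately, policies already stored with Allow plus NotPrincipal were accepted before this commit and will now fail to re-parse; that is the intended tightening, but it deserves a sentence in the commit description so operators can explain the new parse error.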
@@ -1887,14 +1893,10 @@ struct IsPublicStatement
18871893 bool operator () (const Statement &s) const {
18881894 if (s.effect == Effect::Allow) {
18891895 for (const auto & p : s.princ ) {
1890- if (p.is_wildcard ()) {
1891- return s.eval_conditions (iam_all_env) == Effect::Allow;
1892- }
1896+ if (p.is_wildcard ()) {
1897+ return s.eval_conditions (iam_all_env) == Effect::Allow;
1898+ }
18931899 }
1894- // no princ should not contain fixed values
1895- return std::none_of (s.noprinc .begin (), s.noprinc .end (), [](const rgw::auth::Principal& p) {
1896- return p.is_wildcard ();
1897- });
18981900 }
18991901 return false ;
19001902 }
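Review bot: With the `noprinc` scan removed, an Allow statement whose `princ` list holds no wildcard now falls through to `return false` whatever `noprinc` contains, so a Statement carrying Allow plus NotPrincipal that reaches this predicate by any route other than the parser (which now rejects that combination) is reported as not public, the unsafe direction for a public-access check. The old code had the opposite problem, since `std::none_of` over an empty `noprinc` is vacuously true and marked every Allow statement with only fixed principals as public, so the drop of that line is an improvement, but the remaining coupling to the parser rule is implicit. Recording it with `// Allow with NotPrincipal is rejected in ParseState::do_string, so noprinc is not consulted here` after the loop, or keeping a defensive `if (!s.noprinc.empty()) return std::none_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) { return p.is_wildcard(); });` that only fires when `noprinc` is actually populated, would keep the check self-explanatory.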