rgw/iam: simplify match_policy() for colon-delimited use only

cbodley · cbodley · commit 4cd40c7f7153 · 2025-03-13T20:23:10.000-04:00
remove unused MATCH_POLICY_STRING

ARN::match() was the only caller for MATCH_POLICY_ARN, but it was used
to match the 'region' and 'account' components that were already parsed
out of the colon-separated ARN string. for that use, we don't need the
loop-over-colons behavior of match_policy() so can call match_wildcards()
directly

after doing the same for MATCH_POLICY_RESOURCE, we no longer have any
non-looping callers of match_policy() so can treat 'bool colonblocks' as
unconditionally true

Signed-off-by: Casey Bodley &lt;cbodley@redhat.com&gt;
diff --git a/src/rgw/rgw_arn.cc b/src/rgw/rgw_arn.cc
@@ -328,15 +328,15 @@ bool ARN::match(const ARN& candidate) const {
     return false;
   }
 
-  if (!match_policy(region, candidate.region, MATCH_POLICY_ARN)) {
+  if (!match_wildcards(region, candidate.region, MATCH_CASE_INSENSITIVE)) {
     return false;
   }
 
-  if (!match_policy(account, candidate.account, MATCH_POLICY_ARN)) {
+  if (!match_wildcards(account, candidate.account, MATCH_CASE_INSENSITIVE)) {
     return false;
   }
 
-  if (!match_policy(resource, candidate.resource, MATCH_POLICY_RESOURCE)) {
+  if (!match_wildcards(resource, candidate.resource, 0)) {
     return false;
   }
 
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
@@ -2188,25 +2188,21 @@ bool match_policy(const std::string& pattern, const std::string& input,
 {
   const uint32_t flag2 = flag & (MATCH_POLICY_ACTION|MATCH_POLICY_ARN) ?
       MATCH_CASE_INSENSITIVE : 0;
-  const bool colonblocks = !(flag & (MATCH_POLICY_RESOURCE |
-				     MATCH_POLICY_STRING));
 
-  const auto npos = std::string_view::npos;
   std::string_view::size_type last_pos_input = 0, last_pos_pattern = 0;
   while (true) {
-    auto cur_pos_input = colonblocks ? input.find(":", last_pos_input) : npos;
-    auto cur_pos_pattern =
-      colonblocks ? pattern.find(":", last_pos_pattern) : npos;
+    auto cur_pos_input = input.find(":", last_pos_input);
+    auto cur_pos_pattern = pattern.find(":", last_pos_pattern);
 
     auto substr_input = input.substr(last_pos_input, cur_pos_input);
     auto substr_pattern = pattern.substr(last_pos_pattern, cur_pos_pattern);
 
     if (!match_wildcards(substr_pattern, substr_input, flag2))
       return false;
 
-    if (cur_pos_pattern == npos)
-      return cur_pos_input == npos;
-    if (cur_pos_input == npos)
+    if (cur_pos_pattern == pattern.npos)
+      return cur_pos_input == input.npos;
+    if (cur_pos_input == input.npos)
       return false;
 
     last_pos_pattern = cur_pos_pattern + 1;
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -1909,9 +1909,7 @@ extern std::string calc_hash_sha256_restart_stream(ceph::crypto::SHA256** phash)
 extern int rgw_parse_op_type_list(const std::string& str, uint32_t *perm);
 
 static constexpr uint32_t MATCH_POLICY_ACTION = 0x01;
-static constexpr uint32_t MATCH_POLICY_RESOURCE = 0x02;
-static constexpr uint32_t MATCH_POLICY_ARN = 0x04;
-static constexpr uint32_t MATCH_POLICY_STRING = 0x08;
+static constexpr uint32_t MATCH_POLICY_ARN = 0x02;
 
 extern bool match_policy(const std::string& pattern, const std::string& input,
                          uint32_t flag);
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
@@ -1464,15 +1464,6 @@ TEST(MatchPolicy, Action)
   EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
 }
 
-TEST(MatchPolicy, Resource)
-{
-  constexpr auto flag = MATCH_POLICY_RESOURCE;
-  EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
-  EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
-  EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
-  EXPECT_TRUE(match_policy("a:*", "a:b:c", flag)); // can span segments
-}
-
 TEST(MatchPolicy, ARN)
 {
   constexpr auto flag = MATCH_POLICY_ARN;
@@ -1482,15 +1473,6 @@ TEST(MatchPolicy, ARN)
   EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
 }
 
-TEST(MatchPolicy, String)
-{
-  constexpr auto flag = MATCH_POLICY_STRING;
-  EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
-  EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
-  EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
-  EXPECT_TRUE(match_policy("a:*", "a:b:c", flag)); // can span segments
-}
-
 Action_t set_range_bits(std::uint64_t start, std::uint64_t end)
 {
   Action_t result;

Original file line number	Diff line number	Diff line change
`@@ -328,15 +328,15 @@ bool ARN::match(const ARN& candidate) const {`
`328`	`328`	`return false;`
`329`	`329`	`}`
`330`	`330`
`331`		`- if (!match_policy(region, candidate.region, MATCH_POLICY_ARN)) {`
	`331`	`+ if (!match_wildcards(region, candidate.region, MATCH_CASE_INSENSITIVE)) {`
`332`	`332`	`return false;`
`333`	`333`	`}`
`334`	`334`
`335`		`- if (!match_policy(account, candidate.account, MATCH_POLICY_ARN)) {`
	`335`	`+ if (!match_wildcards(account, candidate.account, MATCH_CASE_INSENSITIVE)) {`
`336`	`336`	`return false;`
`337`	`337`	`}`
`338`	`338`
`339`		`- if (!match_policy(resource, candidate.resource, MATCH_POLICY_RESOURCE)) {`
	`339`	`+ if (!match_wildcards(resource, candidate.resource, 0)) {`
`340`	`340`	`return false;`
`341`	`341`	`}`
`342`	`342`