Bug 1557883

| Field | Value |
|---|---|
| Summary | Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL) [rhel-7.5.z] |
| Product | Red Hat Enterprise Linux 7 |
| Component | pki-core |
| Version | 7.5 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Oneata Mircea Teodor <toneata> |
| Assignee | Fraser Tweedale <ftweedal> |
| QA Contact | Asha Akkiangady <aakkiang> |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| CC | ftweedal, gkapoor, mharmsen, msauton, rhcs-maint |
| Target Milestone | rc |
| Keywords | TestCaseProvided, ZStream |
| Hardware | All |
| OS | Linux |
| Fixed In Version | pki-core-10.5.1-10.el7 |
| Doc Type | Bug Fix |
| Clone Of | 1546708 |
| Bug Depends On | 1546708, 1560227 |
| Bug Blocks | 1560230 |
| Last Closed | 2018-06-26 16:47:58 UTC |

Doc Text:

The Certificate System server rejects saving invalid access control lists (ACL). As a consequence, when saving an ACL with an empty expression, the server rejected the update and the pkiconsole utility displayed a StringIndexOutOfBoundsException error. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed.

Description
Oneata Mircea Teodor
2018-03-19 07:34:23 UTC
Pushed to `DOGTAG_10_5_BRANCH`:

- c4904a4e39b2dd7ee6064ce04488aca36e19342d console: prohibit empty ACL expression
- 021ebec5d54a85d8de56478fb4762c4b15ee0a3a DirAclAuthz.updateACLs: re-throw ACL exception
- 682fcf270f6b49ff5a6e7133f022982445a74422 ACLEntry.java: return null on parse error
- 5e36d86d2c5ab2264768e64fe8029e428ce01b92 ACL.java: remove setDescription method
- 414a6a63d4833cfe0e575a682378fb9515ad59a6 ACL.java: retain all resourceACLs strings when merging
- fcacf3d579a2562b764e0caed2cab81d73aa053f ACL.java: Make constructor private and add sanity check
- 8748541f70e1c753589b37f76331a7cadc684253 ACL.java: Remove unused constructor
- 80577d3480c8f5aa917db86f962b8acf6f750c55 Move parseACL to ACL.java

add doc text

Test Env:
=======

```
rpm -qa pki-*
pki-server-10.5.1-11.el7.noarch
pki-core-debuginfo-10.5.1-10.el7.x86_64
pki-base-10.5.1-11.el7.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-javadoc-10.5.1-10.el7.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
pki-tools-10.5.1-11.el7.x86_64
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-symkey-10.5.1-10.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-kra-10.5.1-11.el7.noarch
```

Test case:
========

1. open pkiconsole
2. Go to ACL on left panel. Add a testACL.
3. Add resourcename=testACL, allowable rights=read,approve ACL entries add -- allow(read,approve) write description.
4. Click on "OK".
5.
System logs show:

```
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:00 IDT] [13] [3] updateACLs: failed to flushResourceACLs(): Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:00 IDT] [10] [3] ACLAdminServlet: Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:57 IDT] [13] [3] updateACLs: failed to flushResourceACLs(): Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:57 IDT] [10] [3] ACLAdminServlet: Failed to parse ACLs
```

So ACLs are not getting updated from console and it failed. Exception message is changed now.

Geetika, thanks for testing. Can you please explain exactly what you are putting in each ACL field?

- For the ACL entry, which rights are selected in the "Rights" list
- For the ACL entry, the exact contents of the "Syntax" text field
- For the ACL, the exact contents of the "Allowable rights" field
- For the ACL, the exact contents of the "Description" field.

Created attachment 1420762: ACL-console log
Hi Fraser, I have attached the screenshot. I think it should help.

Geetika, thanks for the screenshot. It seems that the ACL entry "Syntax" field was left empty. I cannot reproduce this with pki-console-10.5.1-5.el7pki.noarch. In fact, the patch is designed to disallow this; it should cause an "Incorrect syntax" error dialog after clicking "OK" in the ACL entry dialog, when the "Syntax" field has been left empty. See screenshot.

Are you running pki-console-10.5.1-5.el7pki.noarch on the *client* system? I have tried with this package and the behaviour is as expected (i.e. what I just described).

Created attachment 1421153: Screenshot of ACI with empty "Syntax" field resulting in "Incorrect syntax" warning
Thanks Fraser for looking into this. Yes, with pki-console-10.5.1-5.el7pki.noarch it works. I was trying with a different client (version was a little old) as it was HSM. Now I tried with a non-HSM instance and it worked.

Test case 1: Try to add ACL with allow first
------------

```
AAAAA:read,write:allow (read,write) group="Administrators":testing
```

Test case 2: Try to add ACL with deny first
------------

```
abbbb:read,write:deny (read,write) group="Administrators":dfsfsfsfs
```

Test case 3: Try to add ACL with empty syntax/incorrect syntax
-----------

syntax exception comes which is as expected.

Hi Geetika, The testing you've performed is sufficient. In fact, it was still useful to test with the old client to show that the StringIndexOutOfBoundsException is now avoided on the server side. And testing with the new client shows that the invalid data can no longer be sent to the server. So this is verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
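
The validation this bug calls for, shown as an added example that is not Dogtag's own code: a checker that rejects an ACL line with an empty expression by returning a reason, rather than letting index arithmetic throw. The field layout (`resource:allowableRights:entry:description`) is an assumption inferred from the test-case strings in this report, and the class and method names are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;

public class AclLineCheck {
    /** Returns null when the line is well formed, otherwise the reason it is rejected. */
    static String validate(String line) {
        // Assumed layout: resource:allowableRights:entry:description
        String[] f = line.split(":", 4);
        if (f.length != 4) return "expected 4 colon-separated fields";
        if (f[0].trim().isEmpty()) return "empty resource name";
        Set<String> allowable = rights(f[1]);
        if (allowable.isEmpty()) return "no allowable rights";

        String entry = f[2].trim();
        String rest;
        if (entry.startsWith("allow")) rest = entry.substring(5).trim();
        else if (entry.startsWith("deny")) rest = entry.substring(4).trim();
        else return "entry must start with allow or deny";

        // Check every index before using it, so bad input yields a message, not an exception.
        int close = rest.indexOf(')');
        if (!rest.startsWith("(") || close < 0) return "missing (rights) list";
        Set<String> used = rights(rest.substring(1, close));
        if (used.isEmpty()) return "empty rights list in entry";
        if (!allowable.containsAll(used)) return "entry uses a right that is not allowable";

        // The case from this bug: nothing after the rights list.
        if (rest.substring(close + 1).trim().isEmpty()) return "empty expression";
        return null;
    }

    /** Splits a comma-separated rights list, ignoring blanks. */
    static Set<String> rights(String csv) {
        Set<String> out = new LinkedHashSet<>();
        for (String r : csv.split(",")) if (!r.trim().isEmpty()) out.add(r.trim());
        return out;
    }

    public static void main(String[] args) {
        String[] samples = { // first two are the report's test-case strings; last two are constructed
            "AAAAA:read,write:allow (read,write) group=\"Administrators\":testing",
            "abbbb:read,write:deny (read,write) group=\"Administrators\":dfsfsfsfs",
            "testACL:read,approve:allow (read,approve):description",
            "testACL:read,approve:allow (read,modify) group=\"Administrators\":description"
        };
        for (String s : samples) {
            String why = validate(s);
            System.out.println((why == null ? "ACCEPT " : "REJECT ") + s + (why == null ? "" : "  <- " + why));
        }
    }
}
```

Running the same check on both the client and the server matches what the verification above relied on: an old client can still send the empty expression, so the server must reject it cleanly on its own.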