1546708 – Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL)

Bug 1546708 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL)

Summary: Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (R...

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:	(Show other bugs)
Version:	7.5
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Fraser Tweedale
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Keywords:	TestCaseProvided, ZStream
Depends On:
Blocks:	1557883 1560227 1560230
TreeView+	depends on / blocked

Reported:	2018-02-19 11:38 UTC by Geetika Kapoor
Modified:	2018-10-30 11:06 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	The pkiconsole utility no longer accepts ACLs with an empty expression The Certificate System server rejects saving invalid access control lists (ACL). As a consequence, when saving an ACL with an empty expression, the server rejected the update and the pkiconsole utility displayed an StringIndexOutOfBoundsException error. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed.
Story Points:	---
Clone Of:
Clones:	1557883 1560227 (view as bug list)
Environment:
Last Closed:	2018-10-30 11:05:22 UTC
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3195	None	None	None	2018-10-30 11:06 UTC

Description Geetika Kapoor 2018-02-19 11:38:32 UTC

Description of problem:

Adding ACL from console gives:
 ACLAdminServlet: java.lang.StringIndexOutOfBoundsException: String index out of range: -3


Version-Release number of selected component (if applicable):
10.5

How reproducible:

always 
Steps to Reproduce:
1. open pkiconsole
2. Goto ACL on left panel.Add a testACL.
3. Add resourcename=testACL, allowable rights=read,approve
ACL entried add -- allow(read,approve)
write description.
4. Click on "OK".
5. System logs shows  
 ACLAdminServlet: java.lang.StringIndexOutOfBoundsException: String index out of range: -3

Actual results:


Expected results:


Additional info:

Audit logs doesn't report anything.

0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=AUTH][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success][aclResource=certServer.acl.configuration][Op=modify] authorization success
0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role

Comment 2 Fraser Tweedale 2018-03-08 05:05:45 UTC

I think it is a combination of the fact that we can now separate ACL entries for a single resource into multiple ACLs (for readability / maintainability), and that the ACLAdminServlet and ACLPanel components use the NameValuePairs class
for transmitting ACLs, which cannot handle duplicate keys.

Comment 3 Fraser Tweedale 2018-03-09 09:14:18 UTC

Gerrit reviews:

- https://review.gerrithub.io/403280
- https://review.gerrithub.io/403281
- https://review.gerrithub.io/403282
- https://review.gerrithub.io/403283
- https://review.gerrithub.io/403284
- https://review.gerrithub.io/403285
- https://review.gerrithub.io/403286
- https://review.gerrithub.io/403287

Comment 4 Fraser Tweedale 2018-03-14 02:53:42 UTC

Fixed in master:

- 223e6980c3f3f7a075890897bbb74140cb95279a console: prohibit empty ACL expression                 
- f62f8931d3dfced0b41e56e0bd4dc67fb31e2810 DirAclAuthz.updateACLs: re-throw ACL exception         
- 476320b43da7781a3f2994d55c8b48ee9bf6de73 ACLEntry.java: return null on parse error              
- 8f0b4a2f140590d6ed0149d9990e4f95eb047ae8 ACL.java: remove setDescription method                 
- db05fc2c34b2f87e920d370cb5288ee0222f4023 ACL.java: retain all resourceACLs strings when merging 
- f4edd44009bc681577ea9209e092b65ca9985179 ACL.java: Make constructor private and add sanity check
- f5e399a6bc7672d308332902d044e29f7deb3557 ACL.java: Remove unused constructor                    
- 29092bd3a6c788164d3d37cdf40ac0811544accf Move parseACL to ACL.java

Comment 7 Fraser Tweedale 2018-04-10 04:57:49 UTC

add doc text

Comment 8 Matthew Harmsen 2018-04-25 00:28:58 UTC

Marking MODIFIED; inherited from 7.5.z

Comment 10 Matthew Harmsen 2018-06-26 02:09:57 UTC

QE Test Verification

https://bugzilla.redhat.com/show_bug.cgi?id=1557883#c14

Comment 11 Geetika Kapoor 2018-08-13 12:57:47 UTC

Test Env:

pki-core-10.5.9-5.el7

Bugzilla tested and works as expected.

Comment 13 errata-xmlrpc 2018-10-30 11:05:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195

Note You need to log in before you can comment on or make changes to this bug.