Bug 1546708 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Blocks: 1557883 1560227 1560230
Reported: 2018-02-19 11:38 UTC by Geetika Kapoor
Modified: 2020-10-04 21:42 UTC (History)
Doc Type: Bug Fix
Doc Text:
The *pkiconsole* utility no longer accepts ACLs with an empty expression

The Certificate System server rejects saving invalid access control lists (ACL). As a consequence, when saving an ACL with an empty expression, the server rejected the update and the *pkiconsole* utility displayed a *StringIndexOutOfBoundsException* error. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed.
Clone Of:
: 1557883 1560227 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:05:22 UTC



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 3075 | 0 | None | None | None | 2020-10-04 21:42:04 UTC
Red Hat Product Errata | RHBA-2018:3195 | 0 | None | None | None | 2018-10-30 11:06:40 UTC

Description Geetika Kapoor 2018-02-19 11:38:32 UTC
Description of problem:

Adding ACL from console gives:
 ACLAdminServlet: java.lang.StringIndexOutOfBoundsException: String index out of range: -3


Version-Release number of selected component (if applicable):
10.5

How reproducible:

always 
Steps to Reproduce:
1. open pkiconsole
2. Go to ACL on left panel. Add a testACL.
3. Add resourcename=testACL, allowable rights=read,approve
ACL entries add -- allow(read,approve)
write description.
4. Click on "OK".
5. System logs show
 ACLAdminServlet: java.lang.StringIndexOutOfBoundsException: String index out of range: -3

Actual results:


Expected results:


Additional info:

Audit logs don't report anything.

0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=AUTH][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Success][aclResource=certServer.acl.configuration][Op=modify] authorization success
0.http-bio-25443-exec-25 - [19/Feb/2018:06:37:51 EST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role

Comment 2 Fraser Tweedale 2018-03-08 05:05:45 UTC
I think it is a combination of the fact that we can now separate ACL entries for a single resource into multiple ACLs (for readability / maintainability), and that the ACLAdminServlet and ACLPanel components use the NameValuePairs class for transmitting ACLs, which cannot handle duplicate keys.

Comment 4 Fraser Tweedale 2018-03-14 02:53:42 UTC
Fixed in master:

- 223e6980c3f3f7a075890897bbb74140cb95279a console: prohibit empty ACL expression                 
- f62f8931d3dfced0b41e56e0bd4dc67fb31e2810 DirAclAuthz.updateACLs: re-throw ACL exception         
- 476320b43da7781a3f2994d55c8b48ee9bf6de73 ACLEntry.java: return null on parse error              
- 8f0b4a2f140590d6ed0149d9990e4f95eb047ae8 ACL.java: remove setDescription method                 
- db05fc2c34b2f87e920d370cb5288ee0222f4023 ACL.java: retain all resourceACLs strings when merging 
- f4edd44009bc681577ea9209e092b65ca9985179 ACL.java: Make constructor private and add sanity check
- f5e399a6bc7672d308332902d044e29f7deb3557 ACL.java: Remove unused constructor                    
- 29092bd3a6c788164d3d37cdf40ac0811544accf Move parseACL to ACL.java
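
The failure class behind this report, as an added illustration (not pki-core code and not taken from the commits listed above): a parser that assumes an expression always follows the rights list throws StringIndexOutOfBoundsException on an entry such as allow(read,approve), while a validating parser returns null so the caller can reject the ACL. The class name, method names and the simplified "allow|deny (rights) expression" grammar are assumptions.

```java
import java.util.Arrays;

// Added illustration. Class name, method names and the simplified entry
// grammar "allow|deny (rights) expression" are assumptions, not pki-core code.
public class AclEntryCheck {

    // Naive parser: trusts that an expression always follows ") ".
    static String naiveExpression(String entry) {
        int close = entry.indexOf(')');
        return entry.substring(close + 2); // throws if nothing follows ')'
    }

    // Validating parser: returns {type, rights, expression}, or null on any
    // parse error, so the caller can reject the ACL instead of crashing.
    static String[] parseEntry(String entry) {
        if (entry == null) return null;
        String s = entry.trim();
        String type = s.startsWith("allow") ? "allow"
                    : s.startsWith("deny") ? "deny" : null;
        if (type == null) return null;
        String rest = s.substring(type.length()).trim();
        int close = rest.indexOf(')');
        if (!rest.startsWith("(") || close < 0) return null;
        String rights = rest.substring(1, close).trim();
        String expr = rest.substring(close + 1).trim();
        if (rights.isEmpty() || expr.isEmpty()) return null; // empty expression
        return new String[] { type, rights, expr };
    }

    public static void main(String[] args) {
        // Constructed samples; the second is the entry from the reproduction steps.
        String[] samples = {
            "allow (read,approve) group=\"Administrators\"",
            "allow(read,approve)",
            "deny (modify)",
        };
        for (String s : samples) {
            String[] parsed = parseEntry(s);
            System.out.println(s + " -> "
                + (parsed == null ? "rejected" : Arrays.toString(parsed)));
            try {
                naiveExpression(s);
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("  naive parser threw: " + e.getMessage());
            }
        }
    }
}
```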

Comment 7 Fraser Tweedale 2018-04-10 04:57:49 UTC
add doc text

Comment 8 Matthew Harmsen 2018-04-25 00:28:58 UTC
Marking MODIFIED; inherited from 7.5.z

Comment 10 Matthew Harmsen 2018-06-26 02:09:57 UTC
QE Test Verification

https://bugzilla.redhat.com/show_bug.cgi?id=1557883#c14

Comment 11 Geetika Kapoor 2018-08-13 12:57:47 UTC
Test Env:

pki-core-10.5.9-5.el7

Bugzilla tested and works as expected.

Comment 13 errata-xmlrpc 2018-10-30 11:05:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195

