Bug 1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL) [rhel-7.5.z]
Summary: Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (R...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1546708 1560227
Blocks: 1560230
TreeView+ depends on / blocked
 
Reported: 2018-03-19 07:34 UTC by Oneata Mircea Teodor
Modified: 2018-06-26 16:48 UTC (History)
5 users (show)

Fixed In Version: pki-core-10.5.1-10.el7
Doc Type: Bug Fix
Doc Text:
The Certificate System server rejects saving invalid access control lists (ACL). As a consequence, when saving an ACL with an empty expression, the server rejected the update and the pkiconsole utility displayed an StringIndexOutOfBoundsException error. With this update, the utility rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed.
Clone Of: 1546708
: 1560230 (view as bug list)
Environment:
Last Closed: 2018-06-26 16:47:58 UTC
Target Upstream Version:


Attachments (Terms of Use)
ACL-console log (256.91 KB, image/png)
2018-04-12 09:22 UTC, Geetika Kapoor
no flags Details
Screenshot of ACI with empty "Syntax" field resulting in "Incorrect syntax" warning (49.94 KB, image/png)
2018-04-13 02:21 UTC, Fraser Tweedale
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 16:48:27 UTC

Description Oneata Mircea Teodor 2018-03-19 07:34:23 UTC
This bug has been copied from bug #1546708 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Fraser Tweedale 2018-03-21 01:29:47 UTC
Pushed to `DOGTAG_10_5_BRANCH`:

- c4904a4e39b2dd7ee6064ce04488aca36e19342d console: prohibit empty ACL expression                 
- 021ebec5d54a85d8de56478fb4762c4b15ee0a3a DirAclAuthz.updateACLs: re-throw ACL exception         
- 682fcf270f6b49ff5a6e7133f022982445a74422 ACLEntry.java: return null on parse error              
- 5e36d86d2c5ab2264768e64fe8029e428ce01b92 ACL.java: remove setDescription method                 
- 414a6a63d4833cfe0e575a682378fb9515ad59a6 ACL.java: retain all resourceACLs strings when merging 
- fcacf3d579a2562b764e0caed2cab81d73aa053f ACL.java: Make constructor private and add sanity check
- 8748541f70e1c753589b37f76331a7cadc684253 ACL.java: Remove unused constructor                    
- 80577d3480c8f5aa917db86f962b8acf6f750c55 Move parseACL to ACL.java

Comment 5 Fraser Tweedale 2018-04-10 04:57:40 UTC
add doc text

Comment 7 Geetika Kapoor 2018-04-11 13:21:54 UTC
Test Env:
=======

rpm -qa pki-*
pki-server-10.5.1-11.el7.noarch
pki-core-debuginfo-10.5.1-10.el7.x86_64
pki-base-10.5.1-11.el7.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-javadoc-10.5.1-10.el7.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
pki-tools-10.5.1-11.el7.x86_64
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-symkey-10.5.1-10.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-kra-10.5.1-11.el7.noarch


Test case:
========

1. open pkiconsole
2. Goto ACL on left panel.Add a testACL.
3. Add resourcename=testACL, allowable rights=read,approve
ACL entried add -- allow(read,approve)
write description.
4. Click on "OK".
5. System logs shows:

0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:00 IDT] [13] [3] updateACLs: failed to flushResourceACLs(): Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:00 IDT] [10] [3] ACLAdminServlet: Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:57 IDT] [13] [3] updateACLs: failed to flushResourceACLs(): Failed to parse ACLs
0.http-bio-20443-exec-3 - [11/Apr/2018:16:16:57 IDT] [10] [3] ACLAdminServlet: Failed to parse ACLs

So ACL's are not getting updated from console and it failed.Exception message is changed now.

Comment 9 Fraser Tweedale 2018-04-12 03:37:07 UTC
Geetika, thanks for testing. 
Can you please explain exactly what you are putting in each ACL field?

- For the ACL entry, which rights are selected in the "Rights" list
- For the ACL entry, the exact contexts of the "Syntax" text field
- For the ACL, the exact contents of the "Allowable rights" field
- For the ACL, the exact contents of the "Description" field.

Comment 10 Geetika Kapoor 2018-04-12 09:22:40 UTC
Created attachment 1420762 [details]
ACL-console log

Comment 11 Geetika Kapoor 2018-04-12 09:24:03 UTC
Hi Fraser, I have attached the screenshot.I think it should help.

Comment 12 Fraser Tweedale 2018-04-13 02:18:54 UTC
Geetika, thanks for the screenshot.

It seems that the ACL entry "Syntax" field was left empty.
I cannot reproduce this with pki-console-10.5.1-5.el7pki.noarch.
In fact, the patch is designed to disallow this; it should cause
and "Incorrect syntax" error dialog after clicking "OK" in the
ACL entry dialog, when then "Syntax" field has been left empty.

See screenshot.

Are you running pki-console-10.5.1-5.el7pki.noarch on the *client* system?
I have tried with this package and the behaviour is as expected (i.e.
what I just described).

Comment 13 Fraser Tweedale 2018-04-13 02:21:24 UTC
Created attachment 1421153 [details]
Screenshot of ACI with empty "Syntax" field resulting in "Incorrect syntax" warning

Comment 14 Geetika Kapoor 2018-04-13 11:00:20 UTC
Thanks Fraser for looking into this.
Yes with pki-console-10.5.1-5.el7pki.noarch it works.
I was trying with a different client(version was little old) as it was HSM.
Now i tried with a non HSM instance and it worked .


Test case 1: Try to add ACL with allow first
------------

AAAAA:read,write:allow (read,write) group="Administrators":testing


Test case 2: Try to add ACL with deny first
------------

abbbb:read,write:deny (read,write) group="Administrators":dfsfsfsfs


Test case 3: Try to add ACL with empty syntax/incorrect syntax
-----------
syntax exception comes which is as expected.

Comment 15 Fraser Tweedale 2018-04-13 23:45:54 UTC
Hi Geetika,

The testing you've performed is sufficient.  In fact, it was still
useful to test with the old client to show that the
StringIndexOutOfBoundsException is now avoided on the server side.
And testing with the new client shows that the invalid data can no longer
be sent to the server.

So this is verified.

Comment 17 errata-xmlrpc 2018-06-26 16:47:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979


Note You need to log in before you can comment on or make changes to this bug.