Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-23 Thread Fraser Tweedale
On Wed, Mar 23, 2016 at 12:55:24AM -0500, Endi Sukma Dewata wrote:
> On 3/22/2016 12:52 AM, Fraser Tweedale wrote:
> >>On 3/15/2016 8:14 PM, Fraser Tweedale wrote:
> >>>The attached patch makes a change to how ACLs are loaded from
> >>>database, to allow a single ACL to be specified across several
> 
> >>Should the ACL.rights be merged as well?
> 
> >Yes, it should; nice catch.  Updated patch attached.
> 
> ACK.
> 
Thanks; pushed to master (5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74)



Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-21 Thread Fraser Tweedale
On Mon, Mar 21, 2016 at 10:39:08PM -0500, Endi Sukma Dewata wrote:
> On 3/15/2016 8:14 PM, Fraser Tweedale wrote:
> >The attached patch makes a change to how ACLs are loaded from
> >database, to allow a single ACL to be specified across several
> >values.
> >
> >Thanks,
> >Fraser
> 
> Should the ACL.rights be merged as well?
> 
Yes, it should; nice catch.  Updated patch attached.

Thanks,
Fraser
From 5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 15 Mar 2016 18:22:02 +1100
Subject: [PATCH] Allow multiple ACLs of same name (union of rules)

Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.

If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/common/src/com/netscape/certsrv/acls/ACL.java| 15 +--
 .../cms/src/com/netscape/cms/authorization/AAclAuthz.java | 14 +-
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java 
b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 
292be4cddc1c864e2cff8494f047295cd142b40f..86720810ccbd5275aa905d9c5d3e3f00f5fb6444
 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -17,7 +17,10 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.acls;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Enumeration;
+import java.util.TreeSet;
 import java.util.Vector;
 
 /**
@@ -40,7 +43,7 @@ public class ACL implements IACL, java.io.Serializable {
 private static final long serialVersionUID = -1867465948611161868L;
 
 protected Vector entries = new Vector(); // ACL entries
-protected Vector rights = null; // possible rights entries
+protected TreeSet rights = null; // possible rights entries
 protected String resourceACLs = null; // exact resourceACLs string on ldap 
server
 protected String name = null; // resource name
 protected String description = null; // resource description
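Review bot: Changing the `rights` field from Vector to TreeSet changes the serialized form of a class that implements `java.io.Serializable`, while `serialVersionUID` just above keeps its old value. An ACL object written by an earlier build would then fail to deserialize on the field type. Whether ACL instances are ever persisted or sent between processes is not visible in this hunk, so that needs confirming. If they are, bump the UID, and either way a comment on the field such as `// type changed from Vector to TreeSet: serialized form is incompatible with earlier builds` records the break. The field is also `protected`, so any subclass outside this diff that uses it as a Vector needs checking.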
@@ -65,12 +68,12 @@ public class ACL implements IACL, java.io.Serializable {
  *Allow administrators to read and modify log
  *configuration"
  */
-public ACL(String name, Vector rights, String resourceACLs) {
+public ACL(String name, Collection rights, String resourceACLs) {
 setName(name);
 if (rights != null) {
-this.rights = rights;
+this.rights = new TreeSet<>(rights);
 } else {
-this.rights = new Vector();
+this.rights = new TreeSet<>();
 }
 this.resourceACLs = resourceACLs;
 
@@ -170,7 +173,7 @@ public class ACL implements IACL, java.io.Serializable {
  * @param right The right to be added for this ACL
  */
 public void addRight(String right) {
-rights.addElement(right);
+rights.add(right);
 }
 
 /**
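Review bot: `rights.add(right)` now throws NullPointerException for a null right, because a naturally ordered TreeSet rejects null where `Vector.addElement` accepted it. The same applies to `new TreeSet<>(rights)` in the constructor hunk above, which also copies the caller's collection instead of keeping a reference to it and stores the rights sorted rather than in insertion order. These values appear to originate from parsed directory data, so a malformed value could surface as an unchecked exception during ACL loading; that path is outside the diff and should be confirmed. The Javadoc should state the new contract, for example `@param right The right to be added for this ACL; must not be null, duplicates are ignored`, with a matching note on the constructor's `rights` parameter that it is copied.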
@@ -189,6 +192,6 @@ public class ACL implements IACL, java.io.Serializable {
  * @return enumeration of rights defined for this ACL
  */
 public Enumeration rights() {
-return rights.elements();
+return Collections.enumeration(rights);
 }
 }
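Review bot: `Collections.enumeration(rights)` returns an enumeration backed by the live, unsynchronized TreeSet, whereas `Vector.elements()` read from a synchronized collection. If one thread calls `addRight` (for example the ACL merge in AAclAuthz in this same patch) while another is enumerating rights during an authorization check, the reader can hit ConcurrentModificationException or see an inconsistent set. Whether loading and checking can overlap is not visible here, so please confirm. At minimum the Javadoc should say so, e.g. `The returned enumeration is backed by the live set and is not safe to use concurrently with addRight`.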
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 
089cca9bea9f7cfcdac65f6023060109eb6b8d10..b3e447cfca49951fe78f6b4896652921ffc43406
 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,19 @@ public abstract class AAclAuthz {
 ACL acl = (ACL) CMS.parseACL(resACLs);
 
 if (acl != null) {
-mACLs.put(acl.getName(), acl);
+ACL curACL = mACLs.get(acl.getName());
+if (curACL == null) {
+mACLs.put(acl.getName(), acl);
+} else {
+for (Enumeration entries = acl.entries() ;
+entries.hasMoreElements() ; ) {
+curACL.addEntry(entries.nextElement());
+}
+for (Enumeration rights = acl.rights() ;
+rights.hasMoreElements() ; ) {
+curACL.addRight(rights.nextElement());
+}
+}
 } else {
 log(ILogger.LL_FAILURE, "parseACL failed");
 }
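Review bot: The new merge branch only ever adds to `curACL`, so if this loading code runs a second time against the same `mACLs` map without the map being cleared, entries accumulate as duplicates and a rule that was removed from the directory stays in effect. With the old `mACLs.put` a reload replaced the ACL outright. The enclosing method starts and ends outside the hunk, so whether such a reload path exists is not visible; if it does, `mACLs` should be cleared before values are re-read. The merged object also keeps the first value's `resourceACLs` string and description, so anything that displays or writes back that string sees only part of the effective ACL. A comment above the else branch such as `// same name seen before: union entries and rights into the first ACL; its resourceACLs string is left unchanged` would make that explicit.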
-- 
2.5.5
