authorFraser Tweedale <ftweedal@redhat.com>2016-03-15 18:22:02 +1100
committerFraser Tweedale <ftweedal@redhat.com>2016-03-22 16:48:54 +1100
commit5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74 (patch)
tree62d38b81e5e5d938b8c5ebe4f21a2d62d57ef7b5
parent93421622ce1ba1bf97d45bca8f346a112c4cf246 (diff)
Allow multiple ACLs of same name (union of rules)
Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when ACLs are loaded, each one overwrites the previously loaded ACL of that name. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL. Part of: https://fedorahosted.org/pki/ticket/1625
-rw-r--r--base/common/src/com/netscape/certsrv/acls/ACL.java15
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java14
2 files changed, 22 insertions, 7 deletions
diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 292be4cdd..86720810c 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -17,7 +17,10 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.acls;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Enumeration;
+import java.util.TreeSet;
import java.util.Vector;
/**
@@ -40,7 +43,7 @@ public class ACL implements IACL, java.io.Serializable {
private static final long serialVersionUID = -1867465948611161868L;
protected Vector<ACLEntry> entries = new Vector<ACLEntry>(); // ACL entries
- protected Vector<String> rights = null; // possible rights entries
+ protected TreeSet<String> rights = null; // possible rights entries
protected String resourceACLs = null; // exact resourceACLs string on ldap server
protected String name = null; // resource name
protected String description = null; // resource description
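Review bot: Changing the declared type of the non-transient `rights` field from Vector to TreeSet changes the serialized form of a class that declares itself `java.io.Serializable` (hunk header) while `serialVersionUID` at the top of this hunk is left unchanged, so any previously serialized ACL instance would no longer deserialize; whether ACL objects are ever serialized is not visible here. If they are not, a short comment saying so would settle it; if they are, the UID should be bumped or a compatibility note added. The field also remains `protected`, so any subclass that touched it as a Vector must be updated, which the build will catch. A comment on the field such as `// rights are deduplicated and enumerated in natural (sorted) String order` would document the behaviour the new type introduces.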
@@ -65,12 +68,12 @@ public class ACL implements IACL, java.io.Serializable {
* Allow administrators to read and modify log
* configuration"
*/
- public ACL(String name, Vector<String> rights, String resourceACLs) {
+ public ACL(String name, Collection<String> rights, String resourceACLs) {
setName(name);
if (rights != null) {
- this.rights = rights;
+ this.rights = new TreeSet<>(rights);
} else {
- this.rights = new Vector<String>();
+ this.rights = new TreeSet<>();
}
this.resourceACLs = resourceACLs;
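Review bot: `new TreeSet<>(rights)` on the new side throws NullPointerException if the supplied collection contains a null element, and `rights.add(right)` in the addRight hunk below does the same for a null argument, whereas the Vector it replaces accepted nulls silently. Whether the ACL parser can hand this constructor a null right is not visible in the diff; if it can, reject it with a clearer message, e.g. `if (right == null) throw new IllegalArgumentException("right must not be null");` in addRight. The Javadoc above this constructor ends inside the hunk; if its `@param rights` still describes a Vector it should now say any Collection and mention that duplicates are dropped and insertion order is not preserved. The rest of the constructor continues outside the hunk.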
@@ -170,7 +173,7 @@ public class ACL implements IACL, java.io.Serializable {
* @param right The right to be added for this ACL
*/
public void addRight(String right) {
- rights.addElement(right);
+ rights.add(right);
}
/**
@@ -189,6 +192,6 @@ public class ACL implements IACL, java.io.Serializable {
* @return enumeration of rights defined for this ACL
*/
public Enumeration<String> rights() {
- return rights.elements();
+ return Collections.enumeration(rights);
}
}
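Review bot: `Collections.enumeration(rights)` wraps the live TreeSet's iterator, which is fail-fast, whereas `Vector.elements()` tolerated modification during enumeration; a caller that invokes addRight while enumerating (no synchronization is visible on this class) now gets a ConcurrentModificationException where it previously did not. If callers may do that, return a snapshot instead: `return Collections.enumeration(new TreeSet<>(rights));`. The `@return` Javadoc line above could also note that rights are enumerated in sorted order without duplicates.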
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 089cca9be..b3e447cfc 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,19 @@ public abstract class AAclAuthz {
ACL acl = (ACL) CMS.parseACL(resACLs);
if (acl != null) {
- mACLs.put(acl.getName(), acl);
+ ACL curACL = mACLs.get(acl.getName());
+ if (curACL == null) {
+ mACLs.put(acl.getName(), acl);
+ } else {
+ for (Enumeration<ACLEntry> entries = acl.entries() ;
+ entries.hasMoreElements() ; ) {
+ curACL.addEntry(entries.nextElement());
+ }
+ for (Enumeration<String> rights = acl.rights() ;
+ rights.hasMoreElements() ; ) {
+ curACL.addRight(rights.nextElement());
+ }
+ }
} else {
log(ILogger.LL_FAILURE, "parseACL failed");
}
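Review bot: When a second `resourceACLs` stanza with an existing name is merged into `curACL`, only its entries and rights are copied; `curACL`'s `resourceACLs` string and description, set from the first stanza by the ACL constructor, are left as they were, so anything that reads `getResourceACLs()` to display or re-persist the policy sees only a subset of the rules actually enforced. Merging also puts allow and deny entries from separately authored stanzas into one evaluation, so a deny rule in one stanza now applies to the resources and rights listed in the others; that is presumably the intent for the lightweight-CA ACLs, but it deserves a comment such as `// same-named stanzas form a union: entries and rights are merged into the first-loaded ACL, whose resourceACLs string is not updated`. Because `addEntry` appends to a Vector, this loading path is no longer idempotent: if the enclosing method can run more than once without clearing mACLs (it begins and ends outside the hunk, so I cannot tell), each reload duplicates entries and rules removed from the directory are never dropped. The `Enumeration` and `ACLEntry` types used by the new loops are not imported by this diff, so presumably AAclAuthz already imports them.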