From 5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 15 Mar 2016 18:22:02 +1100
Subject: [PATCH] Allow multiple ACLs of same name (union of rules)

Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when loading ACLs each load overwrites the previous. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 15 +++++++++------
 .../cms/src/com/netscape/cms/authorization/AAclAuthz.java | 14 +++++++++++++-
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 292be4cddc1c864e2cff8494f047295cd142b40f..86720810ccbd5275aa905d9c5d3e3f00f5fb6444 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -17,7 +17,10 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.acls;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Enumeration;
+import java.util.TreeSet;
 import java.util.Vector;
 
 /**
@@ -40,7 +43,7 @@ public class ACL implements IACL, java.io.Serializable {
     private static final long serialVersionUID = -1867465948611161868L;
 
     protected Vector entries = new Vector(); // ACL entries
-    protected Vector rights = null; // possible rights entries
+    protected TreeSet rights = null; // possible rights entries
     protected String resourceACLs = null; // exact resourceACLs string on ldap server
     protected String name = null; // resource name
     protected String description = null; // resource description
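Review bot: The serialized field `rights` changes type from Vector to TreeSet in this hunk while `serialVersionUID` stays at -1867465948611161868L, so an ACL instance serialized by the previous version can no longer be read back (Java serialization rejects a field whose declared type changed with an InvalidClassException); if ACL objects are ever serialized rather than rebuilt from resourceACLS strings, which this diff does not show, the UID needs bumping along with the field change. TreeSet also differs from Vector in two ways that the constructor hunk (`this.rights = new TreeSet<>(rights)`) and the addRight hunk (`rights.add(right)`) inherit: a null right is now rejected with a NullPointerException where Vector accepted it, and duplicates collapse while the order returned by rights() becomes sorted instead of insertion order. Both are reasonable for a set of right names, but the field comment should state the new contract, e.g. `protected TreeSet rights = null; // possible rights entries; sorted, duplicate-free, nulls rejected`, so callers of rights() and addRight() are not surprised.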
@@ -65,12 +68,12 @@ public class ACL implements IACL, java.io.Serializable {
      * Allow administrators to read and modify log
      * configuration"
      */
-    public ACL(String name, Vector rights, String resourceACLs) {
+    public ACL(String name, Collection rights, String resourceACLs) {
         setName(name);
         if (rights != null) {
-            this.rights = rights;
+            this.rights = new TreeSet<>(rights);
         } else {
-            this.rights = new Vector();
+            this.rights = new TreeSet<>();
         }
 
         this.resourceACLs = resourceACLs;
@@ -170,7 +173,7 @@ public class ACL implements IACL, java.io.Serializable {
      * @param right The right to be added for this ACL
      */
     public void addRight(String right) {
-        rights.addElement(right);
+        rights.add(right);
     }
 
     /**
@@ -189,6 +192,6 @@ public class ACL implements IACL, java.io.Serializable {
      * @return enumeration of rights defined for this ACL
      */
     public Enumeration rights() {
-        return rights.elements();
+        return Collections.enumeration(rights);
     }
 }
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 089cca9bea9f7cfcdac65f6023060109eb6b8d10..b3e447cfca49951fe78f6b4896652921ffc43406 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,19 @@ public abstract class AAclAuthz {
             ACL acl = (ACL) CMS.parseACL(resACLs);
 
             if (acl != null) {
-                mACLs.put(acl.getName(), acl);
+                ACL curACL = mACLs.get(acl.getName());
+                if (curACL == null) {
+                    mACLs.put(acl.getName(), acl);
+                } else {
+                    for (Enumeration entries = acl.entries() ;
+                            entries.hasMoreElements() ; ) {
+                        curACL.addEntry(entries.nextElement());
+                    }
+                    for (Enumeration rights = acl.rights() ;
+                            rights.hasMoreElements() ; ) {
+                        curACL.addRight(rights.nextElement());
+                    }
+                }
             } else {
                 log(ILogger.LL_FAILURE, "parseACL failed");
             }
-- 
2.5.5
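Review bot: `Collections.enumeration(rights)` in the rights() hunk wraps a fail-fast TreeSet iterator, whereas the old `rights.elements()` enumeration over a Vector tolerated concurrent modification, so a caller that invokes addRight() on the same ACL while enumerating its rights now gets a ConcurrentModificationException instead of continuing. The merge loop added in AAclAuthz is not affected, since it enumerates `acl` and writes to `curACL`, two distinct objects. If a live view is not required, returning a snapshot, `return Collections.enumeration(new ArrayList<>(rights));`, removes the hazard; otherwise a Javadoc line on rights() stating that the enumeration is fail-fast and must not be interleaved with addRight() on the same instance would document the new contract.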
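Review bot: When a second resourceACLS value with an already-loaded name is merged, only its entries and rights are copied into `curACL`; the first ACL's `resourceACLs` string (described in the ACL field hunk as the exact string on the LDAP server) and its description remain those of the first value, so anything that later displays, compares or writes back an ACL from that string will see only part of the effective rule set. Evaluation also becomes order-sensitive: the merged entry list is the concatenation in load order, so a deny rule and an allow rule for the same operation that come from different resourceACLS values are now evaluated in whatever order the directory returned them, which this hunk does not pin down. A comment at the merge branch stating why the union is safe regardless of entry order (or the order assumption it relies on), plus a log() call at an informational level naming the merged ACL, would make the union visible to whoever audits the loaded ACLs. The enclosing method begins and ends outside this hunk.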