[Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

Fraser Tweedale ftweedal at redhat.com
Wed Mar 16 01:14:08 UTC 2016


The attached patch makes a change to how ACLs are loaded from
the database, to allow a single ACL to be specified across several
values.

Thanks,
Fraser
-------------- next part --------------
From 1fd4824d8b46d995286e5bad689e903e5e954831 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 15 Mar 2016 18:22:02 +1100
Subject: [PATCH] Allow multiple ACLs of same name (union of rules)

Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.

If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rules to the
existing ACL.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../cms/src/com/netscape/cms/authorization/AAclAuthz.java      | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 089cca9bea9f7cfcdac65f6023060109eb6b8d10..400649cd53ca5801af6af216f8145d265c5d52f4 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,15 @@ public abstract class AAclAuthz {
         ACL acl = (ACL) CMS.parseACL(resACLs);
 
         if (acl != null) {
-            mACLs.put(acl.getName(), acl);
+            ACL curACL = mACLs.get(acl.getName());
+            if (curACL == null) {
+                mACLs.put(acl.getName(), acl);
+            } else {
+                Enumeration<ACLEntry> entries = acl.entries();
+                while (entries.hasMoreElements()) {
+                    curACL.addEntry(entries.nextElement());
+                }
+            }
         } else {
             log(ILogger.LL_FAILURE, "parseACL failed");
         }
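Review bot: In the new else branch, the entries of `acl` are appended to `curACL` unconditionally, with no duplicate check, no log line and no comment documenting the union behaviour. If the same resourceACLS value is loaded twice, or this loader runs again without `mACLs` being cleared, the same entries are added to the existing ACL again. The merge also changes authorization semantics: a value that reuses an existing name now extends that ACL instead of replacing it, so an unintended name collision is no longer visible in the result. Consider logging at the merge point (the ACL name and that entries were merged into it) and adding a short comment above `ACL curACL = mACLs.get(acl.getName());` stating that same-named ACLs are combined. Only what `acl.entries()` returns is carried over, so anything else held by the parsed `acl` object is discarded on merge; please confirm that is intended. Finally, the diffstat shows this as the only hunk, so `Enumeration` and `ACLEntry` must already be imported in AAclAuthz.java for this to compile.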
-- 
2.5.0


