authorChristina Fu <cfu@redhat.com>2016-05-17 17:57:11 -0700
committerChristina Fu <cfu@redhat.com>2016-05-18 10:18:48 -0700
commit5fe2ebbf66a5ebe0acc11ea7868db8a79b332ddb (patch)
treebda4b60c941995d9e65172c832e0aa323ea32e4b
parent81c1d8fdd2c6e6248190cdeafe3ce032c8876e95 (diff)
Ticket #1527 reopened: retrieved wrong ca connector config parameter
This ticket was reopened because the wrong CA connector config parameter was retrieved when a format is done within an enrollment. The following was attempted: op.enroll.userKey.ca.conn, while the following was intended: op.format.userKey.ca.conn. In addition, this patch also fixes the following issues: a. the reason param name was not conforming: "reason" instead of "revokeReason"; b. adding a default reason to the format TPS profiles; c. by default mappingResolver.formatProfileMappingResolver resolved to tokenKey, while enroll resolves to userKey -> now changed to userKey; d. if revocation failed during format, it was forgiving -> now changed so that the error is logged in the activity log, an exception is thrown, and the operation bails out.
-rw-r--r--base/tps/shared/conf/CS.cfg12
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java37
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java22
3 files changed, 62 insertions, 9 deletions
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 638787d22..90d1747dd 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -428,6 +428,7 @@ op.format.delegateIEtoken.issuerinfo.enable=true
op.format.delegateIEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.delegateIEtoken.loginRequest.enable=true
op.format.delegateIEtoken.revokeCert=false
+op.format.delegateIEtoken.revokeCert.reason=0
op.format.delegateIEtoken.tks.conn=tks1
op.format.delegateIEtoken.update.applet.directory=/usr/share/pki/tps/applets
op.format.delegateIEtoken.update.applet.emptyToken.enable=true
@@ -686,6 +687,7 @@ op.format.delegateISEtoken.issuerinfo.enable=true
op.format.delegateISEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.delegateISEtoken.loginRequest.enable=true
op.format.delegateISEtoken.revokeCert=false
+op.format.delegateISEtoken.revokeCert.reason=0
op.format.delegateISEtoken.tks.conn=tks1
op.format.delegateISEtoken.update.applet.directory=/usr/share/pki/tps/applets
op.format.delegateISEtoken.update.applet.emptyToken.enable=true
@@ -770,6 +772,7 @@ op.format.externalRegAddToToken.update.applet.requiredVersion=1.4.54de790f
op.format.externalRegAddToToken.update.symmetricKeys.enable=false
op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
op.format.externalRegAddToToken.revokeCert=false
+op.format.externalRegAddToToken.revokeCert.reason=0
op.enroll.allowUnknownToken=true
op.enroll.mappingResolver=enrollProfileMappingResolver
op.enroll.soKey.cuidMustMatchKDD=false
@@ -1392,6 +1395,7 @@ op.format.cleanToken.issuerinfo.enable=true
op.format.cleanToken.issuerinfo.value=
op.format.cleanToken.loginRequest.enable=true
op.format.cleanToken.revokeCert=true
+op.format.cleanToken.revokeCert.reason=0
op.format.cleanToken.tks.conn=tks1
op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
op.format.cleanToken.update.applet.emptyToken.enable=true
@@ -1413,6 +1417,7 @@ op.format.soCleanSOToken.issuerinfo.enable=true
op.format.soCleanSOToken.issuerinfo.value=
op.format.soCleanSOToken.loginRequest.enable=false
op.format.soCleanSOToken.revokeCert=true
+op.format.soCleanSOToken.revokeCert.reason=0
op.format.soCleanSOToken.tks.conn=tks1
op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
op.format.soCleanSOToken.update.applet.emptyToken.enable=true
@@ -1434,6 +1439,7 @@ op.format.soCleanUserToken.issuerinfo.enable=true
op.format.soCleanUserToken.issuerinfo.value=
op.format.soCleanUserToken.loginRequest.enable=false
op.format.soCleanUserToken.revokeCert=true
+op.format.soCleanUserToken.revokeCert.reason=0
op.format.soCleanUserToken.tks.conn=tks1
op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
op.format.soCleanUserToken.update.applet.emptyToken.enable=true
@@ -1455,6 +1461,7 @@ op.format.soKey.issuerinfo.enable=true
op.format.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.soKey.loginRequest.enable=true
op.format.soKey.revokeCert=true
+op.format.soKey.revokeCert.reason=0
op.format.soKey.tks.conn=tks1
op.format.soKey.update.applet.directory=[TPS_DIR]/applets
op.format.soKey.update.applet.emptyToken.enable=true
@@ -1476,6 +1483,7 @@ op.format.soUserKey.issuerinfo.enable=true
op.format.soUserKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.soUserKey.loginRequest.enable=false
op.format.soUserKey.revokeCert=true
+op.format.soUserKey.revokeCert.reason=0
op.format.soUserKey.tks.conn=tks1
op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
op.format.soUserKey.update.applet.emptyToken.enable=true
@@ -1497,6 +1505,7 @@ op.format.tokenKey.issuerinfo.enable=true
op.format.tokenKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.tokenKey.loginRequest.enable=true
op.format.tokenKey.revokeCert=true
+op.format.tokenKey.revokeCert.reason=0
op.format.tokenKey.tks.conn=tks1
op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
op.format.tokenKey.update.applet.emptyToken.enable=true
@@ -1518,6 +1527,7 @@ op.format.userKey.issuerinfo.enable=true
op.format.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
op.format.userKey.loginRequest.enable=true
op.format.userKey.revokeCert=true
+op.format.userKey.revokeCert.reason=0
op.format.userKey.tks.conn=tks1
op.format.userKey.update.applet.directory=[TPS_DIR]/applets
op.format.userKey.update.applet.emptyToken.enable=true
@@ -1768,7 +1778,7 @@ mappingResolver.formatProfileMappingResolver.mapping.6.filter.appletMinorVersion
mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenATR=
mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenCUID.end=
mappingResolver.formatProfileMappingResolver.mapping.6.filter.tokenCUID.start=
-mappingResolver.formatProfileMappingResolver.mapping.6.target.tokenType=tokenKey
+mappingResolver.formatProfileMappingResolver.mapping.6.target.tokenType=userKey
mappingResolver.formatProfileMappingResolver.mapping.order=0,1,2,3,4,5,6
mappingResolver.pinResetProfileMappingResolver.class_id=filterMappingResolverImpl
mappingResolver.pinResetProfileMappingResolver.mapping.0.filter.appletMajorVersion=
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index 0a68e6583..ace5f389f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
@@ -108,6 +108,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+ if (conn == null) {
+ throw new EBaseException("CARemoteRequestHandler: enrollCertificate() to connid: " + connid + ": HttpConnector conn null.");
+ }
CMS.debug("CARemoteRequestHandler: enrollCertificate(): sending request to CA");
String encodedPubKey = null;
try {
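Review bot: The `conn == null` guard added here is repeated verbatim in the hunks at -298, -395, -503 and -570 (retrieveCertificate, renewCertificate, revokeCertificate, unrevokeCertificate), differing only in the method name embedded in the message; a single private helper that performs the lookup and throws would keep the six call sites from drifting. The same applies to the `resp == null` guards in the hunks at -192, -403, -511 and -570. enrollCertificate's body starts and ends outside this hunk, so the helper below is written against the three lookup lines visible here.
```java
/** Resolves the CA connector for {@code connid}; throws instead of returning null so callers never NPE on send(). */
private HttpConnector getConnectorOrThrow(String caller, String connid) throws EBaseException {
    TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
    HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid);
    if (conn == null) {
        throw new EBaseException("CARemoteRequestHandler: " + caller + " to connid: " + connid + ": HttpConnector conn null.");
    }
    return conn;
}
// … unchanged: request construction and send …
```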
@@ -192,12 +195,14 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
CMS.debug("CARemoteRequestHandler: enrollCertificate(): sendMsg =" + sendMsg);
HttpResponse resp =
conn.send("enrollment", sendMsg);
+ if (resp == null) {
+ throw new EBaseException("CARemoteRequestHandler: enrollCertificate() to connid: " + connid + ": response null.");
+ }
String content = resp.getContent();
- CMS.debug("CARemoteRequestHandler: enrollCertificate(): got content = " + content);
-
if (content != null && !content.equals("")) {
+ CMS.debug("CARemoteRequestHandler: enrollCertificate(): got content = " + content);
XMLObject xmlResponse =
getXMLparser(content);
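Review bot: Moving the `got content` debug line inside `if (content != null && !content.equals(""))` means a CA that answers with a null or empty body now leaves no trace in the debug log at this point, where previously the (empty) content was still printed. The `else` side of that `if`, if one exists, is outside the hunk, so I cannot tell whether the empty case is logged there; if it is not, a one-liner such as `CMS.debug("CARemoteRequestHandler: enrollCertificate(): empty content from CA");` in an else branch would preserve the diagnostic. The same move is made in the revokeCertificate hunk at -511 and the unrevokeCertificate hunk at -570.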
@@ -298,12 +303,18 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+ if (conn == null) {
+ throw new EBaseException("CARemoteRequestHandler: retrieveCertificate() to connid: " + connid + ": HttpConnector conn null.");
+ }
CMS.debug("CARemoteRequestHandler: retrieveCertificate(): sending request to CA");
HttpResponse resp =
conn.send("getcert",
IRemoteRequest.GET_XML + "=" + true +
"&" + IRemoteRequest.CA_GET_CERT_B64CertOnly + "=" + true +
"&" + IRemoteRequest.CA_GET_CERT_SERIAL + "=" + serialno.toString());
+ if (resp == null) {
+ throw new EBaseException("CARemoteRequestHandler: retrieveCertificate() to connid: " + connid + ": response null.");
+ }
String content = resp.getContent();
if (content != null && !content.equals("")) {
@@ -395,6 +406,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+ if (conn == null) {
+ throw new EBaseException("CARemoteRequestHandler: renewCertificate() to connid: " + connid + ": HttpConnector conn null.");
+ }
CMS.debug("CARemoteRequestHandler: renewCertificate(): sending request to CA");
HttpResponse resp =
conn.send("renewal",
@@ -403,6 +417,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
"&" + IRemoteRequest.CA_RENEWAL_SerialNum + "=" + serialno.toString() +
"&" + IRemoteRequest.CA_ProfileId + "=" + profileId);
+ if (resp == null) {
+ throw new EBaseException("CARemoteRequestHandler: renewCertificate() to connid: " + connid + ": response null.");
+ }
String content = resp.getContent();
if (content != null && !content.equals("")) {
@@ -503,6 +520,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+ if (conn == null) {
+ throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": HttpConnector conn null.");
+ }
CMS.debug("CARemoteRequestHandler: revokeCertificate(): sending request to CA");
HttpResponse resp =
conn.send("revoke",
@@ -511,10 +531,13 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
"&" + IRemoteRequest.CA_REVOKE_ALL + "=(" +
IRemoteRequest.CA_REVOKE_SERIAL + "=" + serialno + ")&" +
IRemoteRequest.CA_REVOKE_COUNT + "=1");
+ if (resp == null) {
+ throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": response null.");
+ }
String content = resp.getContent();
- CMS.debug("CARemoteRequestHandler: revokeCertificate(): got content = " + content);
if (content != null && !content.equals("")) {
+ CMS.debug("CARemoteRequestHandler: revokeCertificate(): got content = " + content);
Hashtable<String, Object> response =
parseResponse(content);
@@ -570,14 +593,20 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+ if (conn == null) {
+ throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": HttpConnector conn null.");
+ }
CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): sending request to CA");
HttpResponse resp =
conn.send("unrevoke",
IRemoteRequest.CA_UNREVOKE_SERIAL + "=" + serialno);
+ if (resp == null) {
+ throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": response null.");
+ }
String content = resp.getContent();
- CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): got content = " + content);
if (content != null && !content.equals("")) {
+ CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): got content = " + content);
Hashtable<String, Object> response =
parseResponse(content);
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index bbc9fcb5e..5b471ca24 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -1376,7 +1376,7 @@ public class TPSProcessor {
".ca.conn";
CMS.debug(method + " finding config: " + config);
} else {
- config = "op." + currentTokenOperation + "." +
+ config = TPSEngine.OP_FORMAT_PREFIX + "." +
selectedTokenType +
".ca.conn";
CMS.debug(method + " finding config: " + config);
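Review bot: The new line hard-codes `TPSEngine.OP_FORMAT_PREFIX` in a branch that previously keyed off `currentTokenOperation`, and nothing at the site says why the running operation is deliberately ignored; a reader will be tempted to "fix" it back. A comment above the assignment would settle it: `// a format performed inside an enrollment must use the format profile's CA connector, not op.<currentTokenOperation> (ticket #1527)`. The enclosing method and its `if` branch start outside the hunk, so whether `currentTokenOperation` is still used elsewhere in it cannot be confirmed from here.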
@@ -1424,7 +1424,9 @@ public class TPSProcessor {
String logMsg;
IConfigStore configStore = CMS.getConfigStore();
- String configName = TPSEngine.OP_FORMAT_PREFIX + "." + selectedTokenType + ".revokeCert.revokeReason";
+ String configName = TPSEngine.OP_FORMAT_PREFIX + "." + selectedTokenType + ".revokeCert.reason";
+ CMS.debug(method + " finding config: " + configName);
+
RevocationReason revokeReason = RevocationReason.UNSPECIFIED;
try {
int revokeReasonInt = configStore.getInteger(configName);
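Review bot: Renaming the key from `revokeCert.revokeReason` to `revokeCert.reason` means an upgraded CS.cfg that still carries the old key (or neither, since the new defaults are only added to the shipped template) will miss on `configStore.getInteger(configName)` and take the exception path, which presumably keeps `RevocationReason.UNSPECIFIED`; the catch block is outside the hunk so I cannot see whether that fallback is logged. Since the shipped defaults are all `0` and UNSPECIFIED is the default, the effect is benign, but it deserves a note at the new line: `// key renamed from revokeCert.revokeReason; a missing or legacy key falls back to UNSPECIFIED in the catch below`. The enclosing method starts and ends outside the hunk.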
@@ -2137,7 +2139,19 @@ public class TPSProcessor {
revokeCertificates(tokenRecord.getId(), reason, caConnId);
} catch (TPSException te) {
// failed revocation; capture message and continue
- logMsg = te.getMessage();
+ String failMsg = "revoke certificates failure";
+ logMsg = failMsg + ":" + te.toString();
+ CMS.debug("TPSProcessor.format: " + logMsg);
+ tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
+ "failure");
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
+ } catch (Exception ee) {
+ String failMsg = "revoke certificates failure";
+ logMsg = failMsg + ":" + ee.toString();
+ CMS.debug("TPSProcessor.format: " + logMsg);
+ tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
+ "failure");
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
}
}
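Review bot: The comment kept on the context line above the first catch, `// failed revocation; capture message and continue`, is now wrong: both handlers write a failure to the activity log and throw, aborting the format. Replace it with `// failed revocation: record in the activity log and abort the format`. The two catch bodies are byte-identical; assuming TPSException extends Exception (multi-catch is not allowed for related types), a single `catch (Exception ee)` would cover both and halve the duplication. Note that `logMsg` embeds `ee.toString()`, which includes the exception class name, and that same string becomes the TPSException message — fine for the activity log, but worth confirming it is not surfaced verbatim to the token client. The enclosing method starts and ends outside the hunk.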
@@ -2160,7 +2174,7 @@ public class TPSProcessor {
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), failMsg,
"failure");
- throw new TPSException(logMsg);
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
}
logMsg = "format operation succeeded";
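Review bot: This failure path records `failMsg` in the activity log but throws with `logMsg`, whereas the new catch blocks in the hunk at -2137 record and throw the same string; if the two variables differ here (their assignments are outside the hunk), an operator correlating the activity-log entry with the returned error will see two different messages. Consider `throw new TPSException(failMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN);` or passing `logMsg` to `tdbActivity`, whichever carries the fuller text.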