authorChristina Fu <cfu@redhat.com>2015-04-10 11:26:25 -0700
committerChristina Fu <cfu@redhat.com>2015-04-14 16:45:17 -0700
commit711d3ca66b6702a33839c3a436550464fa49d0d8 (patch)
treeb9c037d045147eead5077e758608b66b84663fd3 /base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
parentbdd5cc759f5d1642986330a4c29ccfa131ab034f (diff)
Ticket#1028 phase2: TPS rewrite: provide externalReg functionality
This patch is the 2nd phase of the externalReg feature; it makes the following improvements: * added feature: recovery by keyid (vs. by cert) * fixed some auditing message errors * added some missing ldapStringAttributes needed for delegation to work properly * added missing externalReg required config parameters * made corrections to some externalReg related parameters to allow delegation to work properly * added handling of some error cases * made sure externalReg enrollment does not go half-way (once it fails, it bails out) tested: * enrollment of the three default TPS profiles (tokenTypes) * format of the tokens enrolled with the three default tps profiles * delegation enrollments * cuid match check next phase: * cert/key retention (allow preserving existing certs/keys on the token) note: * some of the activity log and cert status related issues that are not specifically related to externalReg will be addressed in other more relevant tickets.
Diffstat (limited to 'base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java40
1 files changed, 30 insertions, 10 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 500dad412..27d88c2f1 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -1546,7 +1546,7 @@ public class TPSProcessor {
* - parse the multi-valued attributes
* @returns ExternalRegAttrs
*/
- ExternalRegAttrs processExternalRegAttrs(/*IAuthToken authToken,*/String authId) throws EBaseException {
+ ExternalRegAttrs processExternalRegAttrs(/*IAuthToken authToken,*/String authId) throws NumberFormatException, EBaseException {
String method = "processExternalRegAttrs";
String configName;
String tVal;
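Review bot: Declaring the unchecked `NumberFormatException` in the new signature documents that a `new BigInteger(...)` parse can escape, but nothing forces the caller to handle it, and the Javadoc that ends just above with `@returns ExternalRegAttrs` still lists no `@throws` at all. Either add `* @throws EBaseException on a malformed certsToRecover entry` and `* @throws NumberFormatException if a serial number is not a decimal integer` to the Javadoc, or — preferably — catch the parse failure where it occurs and rethrow it as an EBaseException so callers see a single failure type. The method body continues beyond this hunk.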
@@ -1563,10 +1563,11 @@ public class TPSProcessor {
tVal = configStore.getString(configName,
"externalRegAddToToken");
CMS.debug(method + ": set default tokenType:" + tVal);
+ erAttrs.setTokenType(tVal);
} else {
CMS.debug(method + ": retrieved tokenType:" + vals[0]);
+ erAttrs.setTokenType(vals[0]);
}
- erAttrs.setTokenType(vals[0]);
CMS.debug(method + ": getting from authToken:"
+ erAttrs.ldapAttrNameTokenCUID);
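Review bot: The new `erAttrs.setTokenType(vals[0])` in the else branch still dereferences index 0, and the guard that chooses the branch lies above this hunk, so I can't see what it tests; if it is only `vals == null`, an attribute that is present but empty (`vals.length == 0`) now throws ArrayIndexOutOfBoundsException instead of falling back to the configured default. Suggest making the default branch cover that case, e.g. `if (vals == null || vals.length == 0 || vals[0].isEmpty())`. Since the value read here selects the TPS profile for the token, it should also be checked against the configured tokenTypes before use unless that is already done downstream.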
@@ -1584,19 +1585,27 @@ public class TPSProcessor {
+ erAttrs.ldapAttrNameCertsToRecover);
vals = authToken.getInStringArray(erAttrs.ldapAttrNameCertsToRecover);
if (vals != null) {
+ // if any cert is mis-configured, the whole thing will bail
for (String val : vals) {
CMS.debug(method + ": retrieved certsToRecover:" + val);
/*
* Each cert is represented as
- * (serial#, caID, keyID, drmID)
+ * (serial#, caID, keyID, kraID)
* e.g.
- * (1234, ca1, 81, drm1)
+ * (1234, ca1, 81, kra1)
* note: numbers above are in decimal
+ * note: if keyID is less than or equal to 0, then recovery will be done by cert
+ * otherwise recovery is done by keyID
+ * note: if it only contains the serial# and caID (missing keyID and kraID)
+ * then it is used for retaining certs already existing on token
*/
String[] items = val.split(",");
+ if (items.length !=2 && items.length !=4)
+ throw new EBaseException(method + ": certsToRecover format error");
ExternalRegCertToRecover erCert =
new ExternalRegCertToRecover();
- for (int i = 0; i < items.length; i++) {
+ int i = 0;
+ for (i = 0; i < items.length; i++) {
if (i == 0)
erCert.setSerial(new BigInteger(items[i]));
else if (i == 1)
@@ -1606,8 +1615,15 @@ public class TPSProcessor {
else if (i == 3)
erCert.setKraConn(items[i]);
}
+ /* TODO: for phase 3, retenable certs/keys
+ if (i<3) {
+ erCert.setIsRetainable(true);
+ }
+ */
erAttrs.addCertToRecover(erCert);
}
+ } else {
+ CMS.debug(method + ": certsToRecover attribute not found");
}
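Review bot: The new length check on `items` catches a wrong field count, but a malformed field still escapes as a bare NumberFormatException from `new BigInteger(items[i])` — the comment's own example `(1234, ca1, 81, kra1)` yields `"(1234"` and `" ca1"` after `split(",")`, because fields are not trimmed and the parentheses, if they are literal in the directory value, are not stripped. That exception names neither the entry nor the attribute, and the new `certsToRecover format error` message does not include the offending value either, so the caller's audit record says little about what was misconfigured. Suggest trimming each field and wrapping the serial parse so it is rethrown as an EBaseException that quotes the entry (assuming EBaseException has a cause-taking constructor in this tree; otherwise append the message). The `int i` hoisted out of the loop only serves the commented-out phase-3 TODO and could stay loop-scoped until that lands.
```java
String[] items = val.split(",");
if (items.length != 2 && items.length != 4)
    throw new EBaseException(method + ": certsToRecover format error: " + val);
ExternalRegCertToRecover erCert =
        new ExternalRegCertToRecover();
for (int i = 0; i < items.length; i++) {
    String item = items[i].trim();
    if (i == 0) {
        try {
            erCert.setSerial(new BigInteger(item));
        } catch (NumberFormatException e) {
            throw new EBaseException(method + ": certsToRecover: serial is not a decimal integer in: " + val, e);
        }
    }
    // … unchanged: i == 1, 2, 3 cases, using item instead of items[i] …
}
```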
/*
@@ -1790,7 +1806,7 @@ public class TPSProcessor {
ExternalRegAttrs erAttrs;
try {
erAttrs = processExternalRegAttrs(/*authToken,*/authId);
- } catch (EBaseException ee) {
+ } catch (Exception ee) {
auditMsg = "processExternalRegAttrs: " + ee.toString();
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), auditMsg,
"failure");
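Review bot: Widening the catch to `catch (Exception ee)` now also swallows unrelated RuntimeExceptions thrown inside processExternalRegAttrs (NullPointerException, ArrayIndexOutOfBoundsException) and records them in the activity log as a format failure, which makes a programming error look like an operator misconfiguration. Narrow it to what the callee actually declares: `} catch (EBaseException | NumberFormatException ee) {` (multi-catch needs Java 7+; use two catch blocks if the build targets earlier). The enclosing method and the remainder of this catch block are outside the hunk.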
@@ -2932,7 +2948,6 @@ public class TPSProcessor {
* then the returned value will be:
* John.Doe,e=JohnDoe@EXAMPLE.org,o=Example Org
*
- * TODO: It could be made more efficient
*/
protected String mapPattern(LinkedHashMap<String, String> map, String inPattern) throws TPSException {
@@ -2946,6 +2961,11 @@ public class TPSProcessor {
final char delim = '$';
String pattern = inPattern;
+ /*
+ * Outer (while) loop searches for next token (in the format of $xxx$) to be mapped
+ * when a pattern is found
+ * inner (for) loop goes through all mappable params that the token maps to
+ */
while (true) {
String patternToMap = null;
int firstPos = 0;
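Review bot: The added comment explains the loop nesting but not the one thing a reader of `while (true)` needs — what ends it — nor how a substituted value that itself contains the `$` delimiter is treated, which matters because the Javadoc example shows mapped values such as an e-mail address being spliced into a DN-like string. Whether the rebuilt pattern is rescanned from the start after each substitution is not visible in this hunk, so I can't tell if re-expansion is possible. Suggest extending the comment with `* Terminates when no further $xxx$ token is found. NOTE(review): confirm that substituted values are not rescanned, so a value containing '$' cannot be expanded again.` mapPattern continues well beyond this hunk.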
@@ -2966,7 +2986,7 @@ public class TPSProcessor {
patternToMap = pattern.substring(firstPos + 1, nextPos);
- CMS.debug("TPSProcessor.mapPattern: patternTo map: " + patternToMap);
+ //CMS.debug("TPSProcessor.mapPattern: patternTo map: " + patternToMap);
String piece1 = "";
if (firstPos >= 1)
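Review bot: Commenting out the `CMS.debug` call instead of deleting it leaves dead code that will drift from the variables it references; if the aim was to cut log volume, delete the line (it is recoverable from history), and if the value is still occasionally useful, keep it and gate it on a finer log level rather than a comment toggle. The same choice applies to the other mapPattern debug calls this commit comments out, so one decision for all of them is cleaner. mapPattern starts before this hunk and continues after it.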
@@ -2980,12 +3000,12 @@ public class TPSProcessor {
String key = entry.getKey();
String value = entry.getValue();
- CMS.debug("TPSProcessor.mapPattern: Exposed: key: " + key + " Param: " + value);
+ //CMS.debug("TPSProcessor.mapPattern: Exposed: key: " + key + " Param: " + value);
if (key.equalsIgnoreCase(patternToMap)) {
CMS.debug("TPSProcessor.mapPattern: found match: key: " + key + " mapped to: " + value);
patternMapped = value;
- CMS.debug("TPSProcessor.mapPattern: pattern mapped: " + patternMapped);
+ //CMS.debug("TPSProcessor.mapPattern: pattern mapped: " + patternMapped);
break;
}