author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-10-10 15:56:03 -0700 |
---|---|---|
committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-10-10 17:37:04 -0700 |
commit | 68574756d5afa1c14cd6cc316298aa8f721e7244 (patch) | |
tree | 422fae9b9d8c0e2f86c93ffd7e4ec212c943d193 /base/tps/src | |
parent | 1e39ab6823390e736bfa1044c8d63306a1fce226 (diff) | |
Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
We just found out the code doesn't account for the case where the user's active token IS the
token currently being worked on.
Diffstat (limited to 'base/tps/src')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 24 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java | 35 |
2 files changed, 50 insertions, 9 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index e9190d09a..729e81e07 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -25,6 +25,8 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
+import netscape.security.x509.RevocationReason;
+
 import org.dogtagpki.server.tps.cms.CARemoteRequestHandler;
 import org.dogtagpki.server.tps.cms.CARevokeCertResponse;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
@@ -41,8 +43,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
 import com.netscape.certsrv.tps.token.TokenStatus;
 
-import netscape.security.x509.RevocationReason;
-
 /*
  * TPSTokendb class offers a collection of tokendb management convenience routines
  */
@@ -171,6 +171,26 @@ public class TPSTokendb {
         }
     }
 
+    public void tdbHasOtherActiveToken(String userid,String cuid)
+            throws Exception {
+        if (userid == null || cuid == null)
+            throw new Exception("TPSTokendb.tdbhasOtherActiveToken: uerid null, or cuid is null");
+
+        ArrayList<TokenRecord> tokens =
+                tdbFindTokenRecordsByUID(userid);
+        boolean foundActive = false;
+        for (TokenRecord tokenRecord:tokens) {
+            if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)) {
+
+                if(!tokenRecord.getId().equalsIgnoreCase(cuid))
+                    foundActive = true;
+            }
+        }
+        if (!foundActive) {
+            throw new Exception("TPSTokendb.tdbhasActiveToken: active token not found");
+        }
+    }
+
     public void tdbAddTokenEntry(TokenRecord tokenRecord, TokenStatus status)
             throws Exception {
         tokenRecord.setTokenStatus(status);
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index db9a230cb..c5015cc8c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
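Review bot: `tdbHasOtherActiveToken` reports the expected "no other active token" outcome by throwing the same bare `Exception` it throws for a null `userid`/`cuid`, and presumably the same type a failing `tdbFindTokenRecordsByUID` would surface, so a caller can only handle it with a catch-all — and the caller added in TPSEnrollProcessor does exactly that, mapping every exception to "no other active token", which is the fail-open direction for a check whose purpose is to deny enrollment. Return the answer and reserve exceptions for real failures: `public boolean tdbHasOtherActiveToken(String userid, String cuid) throws Exception`, drop the trailing `if (!foundActive) { throw ... }` in favor of `return foundActive;`, and keep the null-argument throw. The two messages also need fixing: "uerid" is a typo, and the second names `tdbhasActiveToken` rather than this method, which points whoever reads the log at the wrong routine. Writing the status test as `TokenStatus.ACTIVE.equals(tokenRecord.getTokenStatus())` additionally avoids an NPE on a record without a status, which today would be swallowed by that same catch-all.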
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,6 +15,11 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
 
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -54,6 +59,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -61,12 +68,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 public class TPSEnrollProcessor extends TPSProcessor {
 
     public TPSEnrollProcessor(TPSSession session) {
@@ -335,7 +336,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
         boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg);
 
         if (allowMultiTokens == false) {
-            boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
+            boolean alreadyHasActiveToken = checkUserAlreadyHasOtherActiveToken(userid,cuid);
 
             if (alreadyHasActiveToken == true) {
                 //We don't allow the user to have more than one active token, nip it in the bud right now
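Review bot: The changed call in the `-335` hunk quietly widens the policy — a user whose currently-ACTIVE token is the one in hand is now allowed through — but nothing at the call site says so, and the next reader will see the untouched comment "We don't allow the user to have more than one active token" and wonder why the token's own record does not trip it. Add a line above the call: `// The token in hand may itself be ACTIVE for this user; only a *different* active token blocks enrollment.` Note also that the result depends on `cuid` being the CUID of the token being processed and non-null here; the enclosing method, and where `cuid` is assigned, lie outside this hunk, so I could not confirm that.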
@@ -1050,6 +1051,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
             CMS.debug(method + ": There are multiple token entries for user " + userid);
 
+            //We already know the current token is not active
             if( checkUserAlreadyHasActiveToken(userid) == false) {
                 isRecover = true;
                 continue; // TODO: or break?
@@ -3709,6 +3711,25 @@ public class TPSEnrollProcessor extends TPSProcessor {
         return result;
     }
 
+    private boolean checkUserAlreadyHasOtherActiveToken(String userid,String cuid) {
+        boolean result = false;
+        String method = "TPSEnrollProcessor.checkUserAlreadyHasOtherActiveToken: ";
+
+        TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+        try {
+            tps.tdb.tdbHasOtherActiveToken(userid,cuid);
+            result = true;
+
+        } catch (Exception e) {
+            result = false;
+        }
+
+        CMS.debug(method + " user: " + userid + " has an active token already: not cuid: " + cuid + " : " + result);
+
+
+        return result;
+    }
+
     private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
         boolean allow = true; |
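Review bot: The comment added in the `-1050` hunk asserts a precondition ("the current token is not active") that nothing in the hunk establishes, and the code beneath it still calls the old `checkUserAlreadyHasActiveToken(userid)` rather than the cuid-aware variant introduced elsewhere in this commit; if the precondition holds the two are equivalent, and if it ever stops holding they diverge silently. Either make the comment say where the guarantee comes from, e.g. `// The in-hand token's status was checked above and is not ACTIVE, so any active record here belongs to another token`, or call the new `checkUserAlreadyHasOtherActiveToken(userid, cuid)` so both sites enforce the same rule. The enclosing method begins and ends outside this hunk, so I could not verify the claim myself.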
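Review bot: In the `-3709` hunk, `catch (Exception e) { result = false; }` discards `e` and turns every failure — a null `userid`/`cuid`, a tokendb lookup error, an NPE on a record with no status — into "no other active token", so a tokendb outage silently disables the single-active-token policy instead of denying enrollment, and leaves no log to explain why. The sound shape is for the tokendb helper to return a boolean and throw only on genuine failure, with this catch as the deny path (the TPSTokendb hunk currently throws for the not-found case too, so that change has to land with this one). The debug text "has an active token already: not cuid:" is also hard to parse; "has another active token (excluding cuid " + cuid + "): " + result reads unambiguously.
```java
        TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
        try {
            // Requires tdbHasOtherActiveToken to answer with a boolean and to throw
            // only on real failures (null args, tokendb lookup error).
            result = tps.tdb.tdbHasOtherActiveToken(userid, cuid);
        } catch (Exception e) {
            // Fail closed: a policy question we cannot answer must not be read as
            // "no other active token", or a tokendb failure becomes a bypass.
            CMS.debug(method + " tokendb lookup failed for user " + userid + ", denying: " + e);
            result = true;
        }
        // … unchanged: debug line and return …
```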