author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-10-18 18:58:21 -0700 |
committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-10-21 11:15:59 -0700 |
commit | 8c15e8d60a4004cb63ebb0bf2bed73be919d54ee (patch) | |
tree | 29ce61c7a33a12284fe75866625acca755ec8987 /base/tps/src | |
parent | 3c4f9c7eb1aa9a71c0f5a943314d355d2fdeebb4 (diff) | |
PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=<YES> or <NO> policy for a given token.
Ticket #2510.
Diffstat (limited to 'base/tps/src')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 9d0625a31..fe3f80151 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -21,6 +21,7 @@ import java.io.IOException;
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.TPSTokenPolicy;
 import org.dogtagpki.server.tps.channel.SecureChannel;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
@@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
         }
-        TokenStatus status = tokenRecord.getTokenStatus();
-
-        CMS.debug(method + ": Token status: " + status);
-
-        if (!status.equals(TokenStatus.ACTIVE)) {
-            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
-                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
-
-        }
+        TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
         session.setTokenRecord(tokenRecord);
@@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor {
         checkAndAuthenticateUser(appletInfo, tokenType);
+        TokenStatus status = tokenRecord.getTokenStatus();
+
+        CMS.debug(method + ": Token status: " + status);
+
+        if (!status.equals(TokenStatus.ACTIVE)) {
+            logMsg = method + "Can not reset the pin of a non active token.";
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
+        boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId());
+
+        CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed: " + pinResetAllowed);
+        logMsg = method + " PinReset Policy forbids pin reset operation.";
+        if (pinResetAllowed == false) {
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
         checkAndUpgradeApplet(appletInfo);
         appletInfo = getAppletInfo(); |
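Review bot: The policy guard near the end of the hunk is written `if (pinResetAllowed == false)`; comparing a boolean against a literal is a style nit, and `if (!pinResetAllowed) {` reads the same way as the `!status.equals(TokenStatus.ACTIVE)` guard a few lines above it. The audit text for the non-active token is built as `method + "Can not reset..."` with no separator, unlike the other three messages in this hunk, so the audit record will read with the method name fused to the sentence; `logMsg = method + " Can not reset the pin of a non active token.";` matches the rest. The policy `logMsg` is assigned before its `if`, so on the allowed path the variable is left holding a failure string for any later code that reuses it; moving that assignment inside the `if` keeps it scoped to the refusal branch. Both refusals reuse `TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU`, whose name suggests a MAC/secure-channel failure, so the client-visible reason does not distinguish a policy or status refusal from a channel error; if TPSStatus has a more specific value it would be a better fit here. The enclosing method, including the declarations of `logMsg` and `userid`, begins and ends outside this hunk.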