Fixed illegal token state transition via TEMP_LOST.

The TokenService.setTokenStatus() has been modified to restore
the temporarily lost token back into either uninitialized or
active state based on whether the token has certificates.

The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use
only tokenID attribute to search for token certificates more
accurately. It also has been simplified to return the certificate
records collection object directly.

Some constructors were added to the TPSException to allow chaining
the exception cause.

https://fedorahosted.org/pki/ticket/1808

4 files changed, 42 insertions, 23 deletions

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index 5a53ff7a5..15e85fb32 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -299,29 +299,23 @@ public class TPSTokendb {
     /*
      * tdbGetCertificatesByCUID finds and returns certificate records belong to a token cuid
      * @param cuid the cuid of the token
-     * @return ArrayList of the cert records
+     * @return Collection of the cert records
      */
-    public ArrayList<TPSCertRecord> tdbGetCertRecordsByCUID(String cuid)
+    public Collection<TPSCertRecord> tdbGetCertRecordsByCUID(String cuid)
             throws TPSException {
+
         if (cuid == null)
             throw new TPSException("TPSTokendb.tdbGetCertificatesByCUID: cuid null");
 
-        ArrayList<TPSCertRecord> certRecords = new ArrayList<TPSCertRecord>();
-        String filter = cuid;
-        Iterator<TPSCertRecord> records;
+        Map<String, String> attributes = new HashMap<String, String>();
+        attributes.put("tokenID",  cuid);
+
         try {
-             records = tps.certDatabase.findRecords(filter).iterator();
+             return tps.certDatabase.findRecords(null, attributes);
         } catch (Exception e) {
             CMS.debug("TPSTokendb.tdbGetCertificatesByCUID:" + e);
-            throw new TPSException(e.getMessage());
+            throw new TPSException(e);
         }
-
-        while (records.hasNext()) {
-            TPSCertRecord certRecord = records.next();
-            certRecords.add(certRecord);
-        }
-
-        return certRecords;
     }
 
     public ArrayList<TPSCertRecord> tdbGetCertRecordsByCert(String serial, String issuer)
@@ -493,7 +487,7 @@ public class TPSTokendb {
             throw new TPSException(method + ": cuid null");
         String logMsg;
         IConfigStore configStore = CMS.getConfigStore();
-        ArrayList<TPSCertRecord> certRecords = tps.getTokendb().tdbGetCertRecordsByCUID(cuid);
+        Collection<TPSCertRecord> certRecords = tps.getTokendb().tdbGetCertRecordsByCUID(cuid);
         if (tokenReason != null) {
             if (!tokenReason.equalsIgnoreCase("onHold") &&
                     !tokenReason.equalsIgnoreCase("destroyed") &&
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 46421068f..07f7fa0d0 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -6,6 +6,7 @@ import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.LinkedHashMap;
@@ -1404,7 +1405,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
          * Get certs from the tokendb for this token to find out about
          * renewal possibility
          */
-        ArrayList<TPSCertRecord> allCerts = tps.tdb.tdbGetCertRecordsByCUID(tokenRecord.getId());
+        Collection<TPSCertRecord> allCerts = tps.tdb.tdbGetCertRecordsByCUID(tokenRecord.getId());
 
         certsInfo.setNumCertsToEnroll(keyTypeNum);
 
@@ -1767,7 +1768,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
                     actualCertIndex++;
                 }
 
-                ArrayList<TPSCertRecord> certs = tps.tdb.tdbGetCertRecordsByCUID(toBeRecovered.getId());
+                Collection<TPSCertRecord> certs = tps.tdb.tdbGetCertRecordsByCUID(toBeRecovered.getId());
 
                 String serialToRecover = null;
                 TPSCertRecord certToRecover = null;
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 05742842f..53af08a05 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -23,8 +23,8 @@ import java.math.BigInteger;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -1473,7 +1473,7 @@ public class TPSProcessor {
             throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_REVOKE_CERTIFICATES_FAILED);
         }
         //find all certs belonging to the token
-        ArrayList<TPSCertRecord> certRecords = tps.tdb.tdbGetCertRecordsByCUID(cuid);
+        Collection<TPSCertRecord> certRecords = tps.tdb.tdbGetCertRecordsByCUID(cuid);
 
         CMS.debug(method + ": found " + certRecords.size() + " certs");
 
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
index b3608aef2..226f039f4 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
@@ -39,6 +39,7 @@ import javax.ws.rs.core.UriInfo;
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
+import org.dogtagpki.server.tps.dbs.TPSCertRecord;
 import org.dogtagpki.server.tps.dbs.TokenDatabase;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
 import org.dogtagpki.server.tps.engine.TPSEngine;
@@ -139,18 +140,37 @@ public class TokenService extends PKIService implements TokenResource {
             tokenRecord.setStatus("uninitialized");
             tokenRecord.setReason(null);
             break;
+
         case ACTIVE:
             String origStatus = tokenRecord.getStatus();
             String origReason = tokenRecord.getReason();
+
             if (origStatus.equalsIgnoreCase("lost") &&
                     origReason.equalsIgnoreCase("onHold")) {
-                //unrevoke certs
-                tps.tdb.unRevokeCertsByCUID(tokenRecord.getId(), ipAddress, remoteUser);
+
+                Collection<TPSCertRecord> certRecords = tps.tdb.tdbGetCertRecordsByCUID(tokenRecord.getId());
+                if (certRecords.isEmpty()) { // token was uninitialized
+                    // restore to uninitialized state
+                    tokenRecord.setStatus("uninitialized");
+                    tokenRecord.setReason(null);
+
+                } else { // token was active
+                    // unrevoke certs
+                    tps.tdb.unRevokeCertsByCUID(tokenRecord.getId(), ipAddress, remoteUser);
+
+                    // restore to active state
+                    tokenRecord.setStatus("active");
+                    tokenRecord.setReason(null);
+                }
+
+            } else {
+                // switch to active state
+                tokenRecord.setStatus("active");
+                tokenRecord.setReason(null);
             }
 
-            tokenRecord.setStatus("active");
-            tokenRecord.setReason(null);
             break;
+
         case PERM_LOST:
         case TEMP_LOST_PERM_LOST:
             tokenRecord.setStatus("lost");
@@ -159,6 +179,7 @@ public class TokenService extends PKIService implements TokenResource {
             //revoke certs
             tps.tdb.revokeCertsByCUID(tokenRecord.getId(), "keyCompromise", ipAddress, remoteUser);
             break;
+
         case DAMAGED:
             tokenRecord.setStatus("lost");
             tokenRecord.setReason("destroyed");
@@ -167,6 +188,7 @@ public class TokenService extends PKIService implements TokenResource {
             tps.tdb.revokeCertsByCUID(tokenRecord.getId(), "destroyed", ipAddress, remoteUser);
 
             break;
+
         case TEMP_LOST:
             tokenRecord.setStatus("lost");
             tokenRecord.setReason("onHold");
@@ -174,6 +196,7 @@ public class TokenService extends PKIService implements TokenResource {
             // put certs onHold
             tps.tdb.revokeCertsByCUID(tokenRecord.getId(), "onHold", ipAddress, remoteUser);
             break;
+
         case TERMINATED:
             String reason = "terminated";
             String origStatus2 = tokenRecord.getStatus();
@@ -189,6 +212,7 @@ public class TokenService extends PKIService implements TokenResource {
             //revoke certs
             tps.tdb.revokeCertsByCUID(tokenRecord.getId(), reason, ipAddress, remoteUser) ;
             break;
+
         default:
             throw new PKIException("Unsupported token state: " + tokenState);
         }