authorJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-10-10 15:56:03 -0700
committerJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-10-10 17:37:04 -0700
commit68574756d5afa1c14cd6cc316298aa8f721e7244 (patch)
tree422fae9b9d8c0e2f86c93ffd7e4ec212c943d193 /base/tps
parent1e39ab6823390e736bfa1044c8d63306a1fce226 (diff)
Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
We just found out the code doesn't account for the case where the user's active token IS the token currently being worked on.
Diffstat (limited to 'base/tps')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java24
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java35
2 files changed, 50 insertions, 9 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index e9190d09a..729e81e07 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -25,6 +25,8 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
+import netscape.security.x509.RevocationReason;
+
import org.dogtagpki.server.tps.cms.CARemoteRequestHandler;
import org.dogtagpki.server.tps.cms.CARevokeCertResponse;
import org.dogtagpki.server.tps.dbs.ActivityDatabase;
@@ -41,8 +43,6 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
import com.netscape.certsrv.tps.token.TokenStatus;
-import netscape.security.x509.RevocationReason;
-
/*
* TPSTokendb class offers a collection of tokendb management convenience routines
*/
@@ -171,6 +171,26 @@ public class TPSTokendb {
}
}
+ public void tdbHasOtherActiveToken(String userid,String cuid)
+ throws Exception {
+ if (userid == null || cuid == null)
+ throw new Exception("TPSTokendb.tdbhasOtherActiveToken: uerid null, or cuid is null");
+
+ ArrayList<TokenRecord> tokens =
+ tdbFindTokenRecordsByUID(userid);
+ boolean foundActive = false;
+ for (TokenRecord tokenRecord:tokens) {
+ if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)) {
+
+ if(!tokenRecord.getId().equalsIgnoreCase(cuid))
+ foundActive = true;
+ }
+ }
+ if (!foundActive) {
+ throw new Exception("TPSTokendb.tdbhasActiveToken: active token not found");
+ }
+ }
+
public void tdbAddTokenEntry(TokenRecord tokenRecord, TokenStatus status)
throws Exception {
tokenRecord.setTokenStatus(status);
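Review bot: The new tdbHasOtherActiveToken signals "no other active token" by throwing, and its only caller, checkUserAlreadyHasOtherActiveToken in the TPSEnrollProcessor.java hunk, turns any Exception into `result = false`; so a failure inside tdbFindTokenRecordsByUID (presumably possible, given the throws clause) is indistinguishable from a clean lookup, and the single-active-token restriction is skipped rather than enforced — the policy check fails open. Returning a boolean for the policy answer and leaving exceptions for genuine lookup errors keeps the two cases apart, and the caller can then treat a thrown exception as a failed check rather than as permission. The messages also misspell the method and the parameter (`tdbhasOtherActiveToken`, `uerid`, and `tdbhasActiveToken` for the not-found case); with the rewrite below only the argument check still needs one. The loop can also return on the first match instead of scanning every record.
```java
    public boolean tdbHasOtherActiveToken(String userid, String cuid)
            throws Exception {
        if (userid == null || cuid == null)
            throw new Exception("TPSTokendb.tdbHasOtherActiveToken: userid is null, or cuid is null");

        // Lookup failures propagate to the caller instead of reading as "no other active token".
        ArrayList<TokenRecord> tokens = tdbFindTokenRecordsByUID(userid);
        for (TokenRecord tokenRecord : tokens) {
            if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)
                    && !tokenRecord.getId().equalsIgnoreCase(cuid)) {
                return true;
            }
        }
        return false;
    }
```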
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index db9a230cb..c5015cc8c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,6 +15,11 @@ import java.util.Map;
import java.util.Random;
import java.util.zip.DataFormatException;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -54,6 +59,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -61,12 +68,6 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.cmsutil.util.Utils;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
public class TPSEnrollProcessor extends TPSProcessor {
public TPSEnrollProcessor(TPSSession session) {
@@ -335,7 +336,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg);
if (allowMultiTokens == false) {
- boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
+ boolean alreadyHasActiveToken = checkUserAlreadyHasOtherActiveToken(userid,cuid);
if (alreadyHasActiveToken == true) {
//We don't allow the user to have more than one active token, nip it in the bud right now
@@ -1050,6 +1051,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug(method + ": There are multiple token entries for user "
+ userid);
+ //We already know the current token is not active
if( checkUserAlreadyHasActiveToken(userid) == false) {
isRecover = true;
continue; // TODO: or break?
@@ -3709,6 +3711,25 @@ public class TPSEnrollProcessor extends TPSProcessor {
return result;
}
+ private boolean checkUserAlreadyHasOtherActiveToken(String userid,String cuid) {
+ boolean result = false;
+ String method = "TPSEnrollProcessor.checkUserAlreadyHasOtherActiveToken: ";
+
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ try {
+ tps.tdb.tdbHasOtherActiveToken(userid,cuid);
+ result = true;
+
+ } catch (Exception e) {
+ result = false;
+ }
+
+ CMS.debug(method + " user: " + userid + " has an active token already: not cuid: " + cuid + " : " + result);
+
+
+ return result;
+ }
+
private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
boolean allow = true;