authorJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-06-24 11:02:35 -0700
committerJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-06-30 14:44:50 -0700
commite326cd2f06bd651cdd87646eea94622e18cec28d (patch)
treeebcfdfebd26f7098d67dccae9ceccaff5e95d2f5 /base/tps
parent63a58cf51ef2982e8a35eff1f98dd42453e5681e (diff)
Add ability to disallow TPS to enroll a single user on multiple tokens.
This patch installs a check during the early portion of the enrollment process that consults a configurable policy on whether a user should be allowed to have more than one active token. This check takes place only for brand new tokens not seen before. The check prevents the enrollment from proceeding and exits before the system has a chance to add this new token to the TPS tokendb. The behavior is configurable for the external reg and non external reg scenarios as follows: tokendb.nonExternalReg.allowMultiActiveTokensUser=false tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
Diffstat (limited to 'base/tps')
-rw-r--r--base/tps/shared/conf/CS.cfg3
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java3
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java100
3 files changed, 80 insertions, 26 deletions
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 4f2b3919c..a8499a2b3 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -2169,6 +2169,9 @@ tokendb.ssl=false
tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus
tokendb.userBaseDN=[TOKENDB_ROOT]
tokendb.userDeleteTemplate=userDelete.template
+tokendb.nonExternalReg.allowMultiActiveTokensUser=false
+tokendb.externalReg.allowMultiActiveTokensUser=false
+
tps._000=########################################
tps._001=# For verifying system certificates
tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
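Review bot: The externalReg key installed here, `tokendb.externalReg.allowMultiActiveTokensUser`, does not match the key named in the commit description (`tokendb.enroll.externalReg.allowMultiActiveTokensUser`); the one in this hunk is what TPSEnrollProcessor composes from `CFG_TOKENDB`, `CFG_EXTERNAL_REG` and `CFG_ALLOW_MULTI_TOKENS_USER`, so the description is the one that should be corrected before an operator copies it. Since these two keys decide whether an enrollment is refused, a comment line above them would help, e.g. `# false: refuse to enroll a brand-new token for a user who already holds an active token`.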
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index a5fbc3b7d..93edfde4e 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -91,6 +91,7 @@ public class TPSEngine {
public static final String CFG_ERROR_PREFIX = "logging.error";
public static final String CFG_DEBUG_PREFIX = "logging.debug";
public static final String CFG_SELFTEST_PREFIX = "selftests.container.logger";
+ public static final String CFG_TOKENDB = "tokendb";
public static final String CFG_TOKENDB_ALLOWED_TRANSITIONS = "tokendb.allowedTransitions";
public static final String CFG_OPERATIONS_ALLOWED_TRANSITIONS = "tps.operations.allowedTransitions";
@@ -153,6 +154,7 @@ public class TPSEngine {
public static final String CFG_EXTERNAL_REG = "externalReg";
public static final String CFG_ER_DELEGATION = "delegation";
+ public static final String CFG_NON_EXTERNAL_REG = "nonExternalReg";
/* misc values */
@@ -192,6 +194,7 @@ public class TPSEngine {
public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP;
public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP;
public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP;
+ public static final String CFG_ALLOW_MULTI_TOKENS_USER = "allowMultiActiveTokensUser";
public void init() {
//ToDo
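Review bot: `CFG_ALLOW_MULTI_TOKENS_USER` is only ever used as the last segment of a composed key, but nothing at its declaration says so, and it sits among the `ENROLL_MODE_*` constants rather than with the other `tokendb` configuration names added in the first hunk. A one-line comment such as `// used as tokendb.<externalReg|nonExternalReg>.allowMultiActiveTokensUser` next to it, and moving it beside `CFG_TOKENDB`, would make the key discoverable from TPSEngine alone. `CFG_TOKENDB = "tokendb"` also duplicates the prefix already spelled out in `CFG_TOKENDB_ALLOWED_TRANSITIONS`; deriving that constant from `CFG_TOKENDB` is optional but would keep the two from drifting.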
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 6240ea69c..9d4254695 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -14,6 +14,11 @@ import java.util.Map;
import java.util.Random;
import java.util.zip.DataFormatException;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -53,6 +58,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -60,12 +67,6 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.cmsutil.util.Utils;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
public class TPSEnrollProcessor extends TPSProcessor {
public TPSEnrollProcessor(TPSSession session) {
@@ -329,6 +330,24 @@ public class TPSEnrollProcessor extends TPSProcessor {
if (!isExternalReg)
checkAndAuthenticateUser(appletInfo, getSelectedTokenType());
+ //Do this here after all authentication has taken place, so we have a (userid)
+
+ boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg);
+
+ if (isTokenPresent == false && allowMultiTokens == false) {
+ boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
+
+ if (alreadyHasActiveToken == true) {
+ //We don't allow the user to have more than one active token, nip it in the bud right now
+ //If this token is brand new and not known to the system
+
+ throw new TPSException(method
+ + " User already has an active token when trying to enroll this new token!",
+ TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
+ }
+
+ }
+
if (do_force_format) {
//We will skip the auth step inside of format
format(true);
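Review bot: The new guard only applies to brand-new tokens (`isTokenPresent == false`), while the hunks at `@@ -1030` and `@@ -1070` remove the existing active-token checks for known tokens unconditionally, so with `allowMultiActiveTokensUser=false` a user who already holds an active token can still proceed with recovery on a second, previously-seen token; if that is intended the description should say so, otherwise those paths should also consult `checkAllowMultiActiveTokensUser(isExternalReg)`. `userid` is presumably populated for both the externalReg and non-externalReg paths by this point, as the comment above claims, but the enclosing method starts and ends outside the hunk, so that cannot be confirmed here. Stylistically, `if (!isTokenPresent && !allowMultiTokens)` and `if (alreadyHasActiveToken)` are the idiomatic forms of the two comparisons against `false`/`true`.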
@@ -1030,22 +1049,9 @@ public class TPSEnrollProcessor extends TPSProcessor {
} else {
CMS.debug(method + ": There are multiple token entries for user "
+ userid);
- try {
- // this is assuming that the user can only have one single active token
- // TODO: for future, maybe should allow multiple active tokens
- tps.tdb.tdbHasActiveToken(userid);
- } catch (Exception e1) {
- /*
- * user has no active token, need to find a token to recover from
- * there are no other active tokens for this user
- */
isRecover = true;
continue; // TODO: or break?
- }
- logMsg = method + ": user already has an active token";
- CMS.debug(logMsg);
- throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
}
} else if (tokenRecord.getTokenStatus() == TokenStatus.ACTIVE) {
@@ -1070,17 +1076,10 @@ public class TPSEnrollProcessor extends TPSProcessor {
throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UNUSABLE_TOKEN_KEYCOMPROMISE);
} else if (tokenRecord.getTokenStatus() == TokenStatus.SUSPENDED) {
- try {
- tps.tdb.tdbHasActiveToken(userid);
- logMsg = "user already has an active token";
- CMS.debug(method + ": " + logMsg);
- throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
- } catch (Exception e2) {
logMsg = "User needs to contact administrator to report lost token (it should be put on Hold).";
CMS.debug(method + ": " + logMsg);
break;
- }
} else if (tokenRecord.getTokenStatus() == TokenStatus.DAMAGED) {
logMsg = "This destroyed lost case should not be executed because the token is so damaged. It should not get here";
@@ -3559,6 +3558,55 @@ public class TPSEnrollProcessor extends TPSProcessor {
audit(auditMessage);
}
+ private boolean checkUserAlreadyHasActiveToken(String userid) {
+
+ String method = "TPSEnrollProcessor.checkUserAlreadyHasActiveToken: ";
+ boolean result = false;
+
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ try {
+ tps.tdb.tdbHasActiveToken(userid);
+ result = true;
+
+ } catch (Exception e) {
+ result = false;
+ }
+
+ CMS.debug(method + " user: " + userid + " has a token already: " + result);
+
+ return result;
+ }
+
+ private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
+ boolean allow = true;
+
+ String method = "TPSEnrollProcessor.checkAllowMultiActiveTokensUser: ";
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String scheme = null;
+
+ if (isExternalReg == true) {
+ scheme = TPSEngine.CFG_EXTERNAL_REG;
+ } else {
+ scheme = TPSEngine.CFG_NON_EXTERNAL_REG;
+ }
+
+ String allowMultiConfig = TPSEngine.CFG_TOKENDB + "." + scheme + "."
+ + TPSEngine.CFG_ALLOW_MULTI_TOKENS_USER;
+
+ CMS.debug(method + " trying config: " + allowMultiConfig);
+
+ try {
+ allow = configStore.getBoolean(allowMultiConfig, false);
+ } catch (EBaseException e) {
+ allow = false;
+ }
+
+ CMS.debug(method + "returning allow: " + allow);
+
+ return allow;
+ }
+
public static void main(String[] args) {
}
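Review bot: `checkUserAlreadyHasActiveToken` catches `Exception` and maps every failure of `tps.tdb.tdbHasActiveToken(userid)` to `false`, so a token-DB lookup error — not only the "user has no active token" outcome the removed code's comment relied on — lets enrollment proceed and silently disables the policy. If `tdbHasActiveToken` signals "no active token" with a specific exception type, catch only that and let other failures propagate; otherwise at least record the cause, e.g. `CMS.debug(method + " tdbHasActiveToken threw: " + e);` inside the catch, so an outage is visible in the log. In `checkAllowMultiActiveTokensUser` the `EBaseException` fallback to `false` is the safe direction and deserves a comment such as `// unreadable config: do not allow multiple active tokens`. `if (isExternalReg == true)` reads better as `if (isExternalReg)`, and the final debug line is missing a space after `method`.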