diff options
-rw-r--r-- | base/tps/shared/conf/CS.cfg | 3 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java | 3 | ||||
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java | 100 |
3 files changed, 80 insertions, 26 deletions
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg index 4f2b3919c..a8499a2b3 100644 --- a/base/tps/shared/conf/CS.cfg +++ b/base/tps/shared/conf/CS.cfg @@ -2169,6 +2169,9 @@ tokendb.ssl=false tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus tokendb.userBaseDN=[TOKENDB_ROOT] tokendb.userDeleteTemplate=userDelete.template +tokendb.nonExternalReg.allowMultiActiveTokensUser=false +tokendb.externalReg.allowMultiActiveTokensUser=false + tps._000=######################################## tps._001=# For verifying system certificates tps._002=# tps.cert.list=sslserver,subsystem,audit_signing diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java index a5fbc3b7d..93edfde4e 100644 --- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -91,6 +91,7 @@ public class TPSEngine { public static final String CFG_ERROR_PREFIX = "logging.error"; public static final String CFG_DEBUG_PREFIX = "logging.debug"; public static final String CFG_SELFTEST_PREFIX = "selftests.container.logger"; + public static final String CFG_TOKENDB = "tokendb"; public static final String CFG_TOKENDB_ALLOWED_TRANSITIONS = "tokendb.allowedTransitions"; public static final String CFG_OPERATIONS_ALLOWED_TRANSITIONS = "tps.operations.allowedTransitions"; @@ -153,6 +154,7 @@ public class TPSEngine { public static final String CFG_EXTERNAL_REG = "externalReg"; public static final String CFG_ER_DELEGATION = "delegation"; + public static final String CFG_NON_EXTERNAL_REG = "nonExternalReg"; /* misc values */ @@ -192,6 +194,7 @@ public class TPSEngine { public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP; public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP; public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP; + public static final String CFG_ALLOW_MULTI_TOKENS_USER = "allowMultiActiveTokensUser"; public void init() { //ToDo diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index 6240ea69c..9d4254695 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java @@ -14,6 +14,11 @@ import java.util.Map; import java.util.Random; import java.util.zip.DataFormatException; +import netscape.security.provider.RSAPublicKey; +//import org.mozilla.jss.pkcs11.PK11ECPublicKey; +import netscape.security.util.BigInt; +import netscape.security.x509.X509CertImpl; + import org.dogtagpki.server.tps.TPSSession; import org.dogtagpki.server.tps.TPSSubsystem; import org.dogtagpki.server.tps.TPSTokenPolicy; @@ -53,6 +58,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey; import org.mozilla.jss.pkcs11.PK11RSAPublicKey; import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; +import sun.security.pkcs11.wrapper.PKCS11Constants; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; @@ -60,12 +67,6 @@ import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.tps.token.TokenStatus; import com.netscape.cmsutil.util.Utils; -import netscape.security.provider.RSAPublicKey; -//import org.mozilla.jss.pkcs11.PK11ECPublicKey; -import netscape.security.util.BigInt; -import netscape.security.x509.X509CertImpl; -import sun.security.pkcs11.wrapper.PKCS11Constants; - public class TPSEnrollProcessor extends TPSProcessor { public TPSEnrollProcessor(TPSSession session) { @@ -329,6 +330,24 @@ public class TPSEnrollProcessor extends TPSProcessor { if (!isExternalReg) checkAndAuthenticateUser(appletInfo, getSelectedTokenType()); + //Do this here after all authentication has taken place, so we have a (userid) + + boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg); + + if (isTokenPresent == false && allowMultiTokens == false) { + boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid); + + if (alreadyHasActiveToken == true) { + //We don't allow the user to have more than one active token, nip it in the bud right now + //If this token is brand new and not known to the system + + throw new TPSException(method + + " User already has an active token when trying to enroll this new token!", + TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN); + } + + } + if (do_force_format) { //We will skip the auth step inside of format format(true); @@ -1030,22 +1049,9 @@ public class TPSEnrollProcessor extends TPSProcessor { } else { CMS.debug(method + ": There are multiple token entries for user " + userid); - try { - // this is assuming that the user can only have one single active token - // TODO: for future, maybe should allow multiple active tokens - tps.tdb.tdbHasActiveToken(userid); - } catch (Exception e1) { - /* - * user has no active token, need to find a token to recover from - * there are no other active tokens for this user - */ isRecover = true; continue; // TODO: or break? - } - logMsg = method + ": user already has an active token"; - CMS.debug(logMsg); - throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN); } } else if (tokenRecord.getTokenStatus() == TokenStatus.ACTIVE) { @@ -1070,17 +1076,10 @@ public class TPSEnrollProcessor extends TPSProcessor { throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UNUSABLE_TOKEN_KEYCOMPROMISE); } else if (tokenRecord.getTokenStatus() == TokenStatus.SUSPENDED) { - try { - tps.tdb.tdbHasActiveToken(userid); - logMsg = "user already has an active token"; - CMS.debug(method + ": " + logMsg); - throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN); - } catch (Exception e2) { logMsg = "User needs to contact administrator to report lost token (it should be put on Hold)."; CMS.debug(method + ": " + logMsg); break; - } } else if (tokenRecord.getTokenStatus() == TokenStatus.DAMAGED) { logMsg = "This destroyed lost case should not be executed because the token is so damaged. It should not get here"; @@ -3559,6 +3558,55 @@ public class TPSEnrollProcessor extends TPSProcessor { audit(auditMessage); } + private boolean checkUserAlreadyHasActiveToken(String userid) { + + String method = "TPSEnrollProcessor.checkUserAlreadyHasActiveToken: "; + boolean result = false; + + TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); + try { + tps.tdb.tdbHasActiveToken(userid); + result = true; + + } catch (Exception e) { + result = false; + } + + CMS.debug(method + " user: " + userid + " has a token already: " + result); + + return result; + } + + private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) { + boolean allow = true; + + String method = "TPSEnrollProcessor.checkAllowMultiActiveTokensUser: "; + IConfigStore configStore = CMS.getConfigStore(); + + String scheme = null; + + if (isExternalReg == true) { + scheme = TPSEngine.CFG_EXTERNAL_REG; + } else { + scheme = TPSEngine.CFG_NON_EXTERNAL_REG; + } + + String allowMultiConfig = TPSEngine.CFG_TOKENDB + "." + scheme + "." + + TPSEngine.CFG_ALLOW_MULTI_TOKENS_USER; + + CMS.debug(method + " trying config: " + allowMultiConfig); + + try { + allow = configStore.getBoolean(allowMultiConfig, false); + } catch (EBaseException e) { + allow = false; + } + + CMS.debug(method + "returning allow: " + allow); + + return allow; + } + public static void main(String[] args) { } |