From e9ab0ec12bc7e22857850a6a183df825154971d4 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Thu, 30 Aug 2012 17:23:11 -0700 Subject: Bug 844800 - TPS should provide the ability to not allow tokens marked as 'Terminated' to be formatted and reused. --- base/tps/src/engine/RA.cpp | 103 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) (limited to 'base/tps/src/engine') diff --git a/base/tps/src/engine/RA.cpp b/base/tps/src/engine/RA.cpp index 862b9e105..f8c64f306 100644 --- a/base/tps/src/engine/RA.cpp +++ b/base/tps/src/engine/RA.cpp @@ -178,6 +178,8 @@ const char *RA::CFG_AUDIT_PREFIX = "logging.audit"; const char *RA::CFG_ERROR_PREFIX = "logging.error"; const char *RA::CFG_DEBUG_PREFIX = "logging.debug"; const char *RA::CFG_SELFTEST_PREFIX = "selftests.container.logger"; +const char *RA::CFG_TOKENDB_ALLOWED_TRANSITIONS = "tokendb.allowedTransitions"; +const char *RA::CFG_OPERATIONS_ALLOWED_TRANSITIONS = "tps.operations.allowedTransitions"; const char *RA::CFG_AUTHS_ENABLE="auth.enable"; @@ -195,6 +197,20 @@ typedef Authentication* (*makeauthentication)(); extern void BuildHostPortLists(char *host, char *port, char **hostList, char **portList, int len); +static char *transitionList = NULL; + +#define MAX_TOKEN_UI_STATE 6 + +enum token_ui_states { + TOKEN_UNINITIALIZED = 0, + TOKEN_DAMAGED =1, + TOKEN_PERM_LOST=2, + TOKEN_TEMP_LOST=3, + TOKEN_FOUND =4, + TOKEN_TEMP_LOST_PERM_LOST =5, + TOKEN_TERMINATED = 6 +}; + #ifdef XP_WIN32 #define TPS_PUBLIC __declspec(dllexport) #else /* !XP_WIN32 */ @@ -2821,6 +2837,47 @@ TPS_PUBLIC char *RA::ra_get_cert_tokenType(LDAPMessage *entry) { return get_cert_tokenType(entry); } +TPS_PUBLIC int RA::ra_get_token_status(char *cuid) { + + int rc = -1; + LDAPMessage *entry; + char *status = NULL; + char *reason = NULL; + + int status_int = -1; + //Let's say -1 is unknown; + + if ((rc = find_tus_db_entry(cuid, 0, &entry)) != LDAP_SUCCESS) { + goto loser; + } + + status = ra_get_token_status(entry); + + if (status == NULL) { + goto loser; + } + + reason = ra_get_token_reason(entry); + + status_int = get_token_state(status, reason); + + +loser: + if (entry != NULL) { + ldap_msgfree(entry); + } + + if (status != NULL) { + free(status); + } + + if (reason != NULL) { + free(reason); + } + + return status_int; +} + TPS_PUBLIC char *RA::ra_get_token_status(LDAPMessage *entry) { return get_token_status(entry); } @@ -3622,3 +3679,49 @@ loser: return newKey; } + +bool RA::transition_allowed(int oldState, int newState) +{ + /* parse the allowed transitions string and look for old:new */ + + // See if we need to read in the thing. + + transitionList = (char *) m_cfg->GetConfigAsString(RA::CFG_OPERATIONS_ALLOWED_TRANSITIONS, NULL); + + if (transitionList == NULL) { + transitionList = (char *) m_cfg->GetConfigAsString(RA::CFG_TOKENDB_ALLOWED_TRANSITIONS, NULL); + } + + if (transitionList == NULL) return true; + + char search[128]; + + PR_snprintf(search, 128, "%d:%d", oldState, newState); + return match_comma_list(search, transitionList); + +} + +int RA::get_token_state(char *state, char *reason) +{ + int ret = 0; + if (strcmp(state, STATE_UNINITIALIZED) == 0) { + ret = TOKEN_UNINITIALIZED; + } else if (strcasecmp(state, STATE_ACTIVE) == 0) { + ret = TOKEN_FOUND; + } else if (strcasecmp(state, STATE_LOST) == 0) { + if (strcasecmp(reason, "keyCompromise") == 0) { + /* perm lost or temp -> perm lost */ + ret = TOKEN_PERM_LOST; + } else if (strcasecmp(reason, "destroyed") == 0) { + ret = TOKEN_DAMAGED; + } else if (strcasecmp(reason, "onHold") == 0) { + ret = TOKEN_TEMP_LOST; + } + } else if (strcasecmp(state, "terminated") == 0) { + ret = TOKEN_TERMINATED; + } else { + /* state is disabled or otherwise : what to do here? */ + ret = TOKEN_PERM_LOST; + } + return ret; +} -- cgit