From 68574756d5afa1c14cd6cc316298aa8f721e7244 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 10 Oct 2016 15:56:03 -0700
Subject: Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664

We just found out the code doesn't account for if the user has an active token which IS the token currently being worked on.
---
 .../src/org/dogtagpki/server/tps/TPSTokendb.java | 24 +++++++++++++--
 .../server/tps/processor/TPSEnrollProcessor.java | 35 +++++++++++++++++-----
 2 files changed, 50 insertions(+), 9 deletions(-)

(limited to 'base/tps')

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index e9190d09a..729e81e07 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -25,6 +25,8 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
+import netscape.security.x509.RevocationReason;
+
 import org.dogtagpki.server.tps.cms.CARemoteRequestHandler;
 import org.dogtagpki.server.tps.cms.CARevokeCertResponse;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
@@ -41,8 +43,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
 import com.netscape.certsrv.tps.token.TokenStatus;
 
-import netscape.security.x509.RevocationReason;
-
 /*
  * TPSTokendb class offers a collection of tokendb management convenience routines
  */
@@ -171,6 +171,26 @@ public class TPSTokendb {
         }
     }
 
+    public void tdbHasOtherActiveToken(String userid,String cuid)
+            throws Exception {
+        if (userid == null || cuid == null)
+            throw new Exception("TPSTokendb.tdbhasOtherActiveToken: uerid null, or cuid is null");
+
+        ArrayList tokens =
+                tdbFindTokenRecordsByUID(userid);
+        boolean foundActive = false;
+        for (TokenRecord tokenRecord:tokens) {
+            if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)) {
+
+                if(!tokenRecord.getId().equalsIgnoreCase(cuid))
+                    foundActive = true;
+            }
+        }
+        if (!foundActive) {
+            throw new Exception("TPSTokendb.tdbhasActiveToken: active token not found");
+        }
+    }
+
     public void tdbAddTokenEntry(TokenRecord tokenRecord, TokenStatus status)
             throws Exception {
         tokenRecord.setTokenStatus(status);
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index db9a230cb..c5015cc8c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,6 +15,11 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
 
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -54,6 +59,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
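Review bot: tdbHasOtherActiveToken signals the negative answer ("no other active token") and any failure of tdbFindTokenRecordsByUID through the same `Exception`, so a caller cannot tell a clean "no" from a lookup error, and both messages are misleading ("uerid", and "tdbhasActiveToken" inside a method named tdbHasOtherActiveToken). Returning a boolean and letting lookup failures propagate keeps the multi-token policy from being satisfied by an error; the loop can also return as soon as another active token is seen. The null-argument rejection can stay an exception, since that is a programming error rather than a policy answer. Whether tdbFindTokenRecordsByUID can return null is not visible in this hunk.
```java
public boolean tdbHasOtherActiveToken(String userid, String cuid)
        throws Exception {
    if (userid == null || cuid == null)
        throw new Exception("TPSTokendb.tdbHasOtherActiveToken: userid is null, or cuid is null");

    // A lookup failure propagates to the caller instead of being folded into the policy answer.
    ArrayList tokens = tdbFindTokenRecordsByUID(userid);
    for (TokenRecord tokenRecord : tokens) {
        if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)
                && !tokenRecord.getId().equalsIgnoreCase(cuid)) {
            return true;
        }
    }
    return false;
}
```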
@@ -61,12 +68,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 public class TPSEnrollProcessor extends TPSProcessor {
 
     public TPSEnrollProcessor(TPSSession session) {
@@ -335,7 +336,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
         boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg);
 
         if (allowMultiTokens == false) {
-            boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
+            boolean alreadyHasActiveToken = checkUserAlreadyHasOtherActiveToken(userid,cuid);
 
             if (alreadyHasActiveToken == true) {
                 //We don't allow the user to have more than one active token, nip it in the bud right now
@@ -1050,6 +1051,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
                 CMS.debug(method + ": There are multiple token entries for user " + userid);
 
+                //We already know the current token is not active
                 if( checkUserAlreadyHasActiveToken(userid) == false) {
                     isRecover = true;
                     continue; // TODO: or break?
@@ -3709,6 +3711,25 @@ public class TPSEnrollProcessor extends TPSProcessor {
         return result;
     }
 
+    private boolean checkUserAlreadyHasOtherActiveToken(String userid,String cuid) {
+        boolean result = false;
+        String method = "TPSEnrollProcessor.checkUserAlreadyHasOtherActiveToken: ";
+
+        TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+        try {
+            tps.tdb.tdbHasOtherActiveToken(userid,cuid);
+            result = true;
+
+        } catch (Exception e) {
+            result = false;
+        }
+
+        CMS.debug(method + " user: " + userid + " has an active token already: not cuid: " + cuid + " : " + result);
+
+
+        return result;
+    }
+
     private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
         boolean allow = true;
--
cgit
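Review bot: checkUserAlreadyHasOtherActiveToken's `catch (Exception e)` turns every failure of tdbHasOtherActiveToken — a token-database lookup error as much as the null-argument rejection — into `result = false`, which the `allowMultiTokens == false` branch earlier in this patch appears to take as permission to continue, so the single-active-token restriction fails open whenever the database cannot be consulted, and the exception is dropped without a trace. At minimum the catch should record the cause, `CMS.debug(method + " unable to determine active tokens for user " + userid + ": " + e);`, and if the tokendb method is changed to return a boolean, this wrapper should return that value and let a lookup failure propagate so the enrollment is refused rather than allowed. The comment added before `checkUserAlreadyHasActiveToken(userid)` in the recovery hunk asserts that the current token is not active; it would help to state where that status was established (presumably earlier in the same method — confirm), since that is what justifies keeping the older check there.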