Add ability to disallow TPS to enroll a single user on multiple tokens. This patch will install a check during the early portion of the enrollment process that consults a configurable policy on whether or not a user should be allowed to have more than one active token. This check will take place only for brand new tokens not seen before. The check will prevent the enrollment from proceeding and will exit before the system has a chance to add this new token to the TPS tokendb. The behavior will be configurable for the external reg and non-external reg scenarios as follows: op.enroll.nonExternalReg.allowMultiActiveTokensUser=false op.enroll.externalReg.allowMultiActiveTokensUser=false
From f37a31bd9e59e6d93b9c9ea270a427d723a6d423 Mon Sep 17 00:00:00 2001 From: Jack Magne <jma...@dhcp-16-206.sjc.redhat.com> Date: Fri, 24 Jun 2016 11:02:35 -0700 Subject: [PATCH] Add ability to disallow TPS to enroll a single user on multiple tokens.
This patch will install a check during the early portion of the enrollment process check a configurable policy whether or not a user should be allowed to have more that one active token. This check will take place only for brand new tokens not seen before. The check will prevent the enrollment to proceed and will exit before the system has a chance to add this new token to the TPS tokendb. The behavior will be configurable for the the external reg and not external reg scenarios as follows: op.enroll.nonExternalReg.allowMultiActiveTokensUser=false op.enroll.externalReg.allowMultiActiveTokensUser=false
---
 base/tps/shared/conf/CS.cfg | 2 +
 .../org/dogtagpki/server/tps/engine/TPSEngine.java | 2 +
 .../server/tps/processor/TPSEnrollProcessor.java | 80 ++++++++++++++++++++--
 3 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index f552a54..0fbffc2 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -773,6 +773,8 @@ op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
 op.format.externalRegAddToToken.revokeCert=false
 op.format.externalRegAddToToken.revokeCert.reason=0
 op.enroll.allowUnknownToken=true
+op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
+op.enroll.externalReg.allowMultiActiveTokensUser=false
 op.enroll.mappingResolver=enrollProfileMappingResolver
 op.enroll.soKey.cuidMustMatchKDD=false
 op.enroll.soKey.enableBoundedGPKeyVersion=true
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index a5fbc3b..a34be7c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -153,6 +153,7 @@ public class TPSEngine {
 public static final String CFG_EXTERNAL_REG = "externalReg";
 public static final String CFG_ER_DELEGATION = "delegation";
+ public static final String CFG_NON_EXTERNAL_REG = "nonExternalReg";
 /* misc values */
@@ -192,6 +193,7 @@ public class TPSEngine {
 public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP;
 public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP;
 public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP;
+ public static final String CFG_ALLOW_MULTI_TOKENS_USER = "allowMultiActiveTokensUser";
 public void init() { //ToDo
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 6240ea6..3b8cdf3 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -14,6 +14,11 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -53,6 +58,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -60,12 +67,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 public class TPSEnrollProcessor extends TPSProcessor {
 public TPSEnrollProcessor(TPSSession session) {
@@ -329,6 +330,24 @@ public class TPSEnrollProcessor extends TPSProcessor {
 if (!isExternalReg) checkAndAuthenticateUser(appletInfo, getSelectedTokenType());
+ //Do this here after all authentication has taken place, so we have a (userid)
+
+ boolean allowMultiCerts = checkAllowMultiActiveTokensUser(isExternalReg);
+
+ if (isTokenPresent == false && allowMultiCerts == false) {
+ boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
+
+ if (alreadyHasActiveToken == true) {
+ //We don't allow the user to have more than one active token, nip it in the bud right now
+ //If this token is brand new and not known to the system
+
+ throw new TPSException(method +
+ " User already has an active token when trying to enroll this new token!",
+ TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
+ }
+
+ }
+
 if (do_force_format) {
 //We will skip the auth step inside of format
 format(true);
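Review bot: The new guard hands `userid` straight to `checkUserAlreadyHasActiveToken(userid)` without checking it is set, and in the external-reg branch (where `checkAndAuthenticateUser` is skipped) nothing in the hunk shows where it comes from; because the helper treats any exception from the lookup as "no active token", a null or empty userid would presumably pass the policy rather than stop the enrollment. Fail closed before the lookup, e.g. `if (userid == null || userid.isEmpty()) throw new TPSException(method + " no userid available for the active-token policy check", TPSStatus.<status chosen for this failure>);`. The boolean comparisons are also unidiomatic and the local is misnamed: `if (!isTokenPresent && !allowMultiTokens) {` and `if (alreadyHasActiveToken) {` read better, with `allowMultiTokens` replacing `allowMultiCerts` since the policy is about tokens, not certificates. If the caller does not already audit the thrown TPSException, a policy denial for an authenticated user is an event operators will want in the audit log. The enclosing method starts and ends outside the hunk.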
@@ -3559,6 +3578,55 @@ public class TPSEnrollProcessor extends TPSProcessor {
 audit(auditMessage);
 }
+ private boolean checkUserAlreadyHasActiveToken(String userid) {
+
+ String method = "TPSEnrollProcessor.checkUserAlreadyHasActiveToken: ";
+ boolean result = false;
+
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ try {
+ tps.tdb.tdbHasActiveToken(userid);
+ result = true;
+
+ } catch (Exception e) {
+ result = false;
+ }
+
+ CMS.debug(method + " user: " + userid + " has a token already: " + result);
+
+ return result;
+ }
+
+ private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
+ boolean allow = true;
+
+ String method = "TPSEnrollProcessor.checkAllowMultiActiveTokensUser: ";
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String scheme = null;
+
+ if (isExternalReg == true) {
+ scheme = TPSEngine.CFG_EXTERNAL_REG;
+ } else {
+ scheme = TPSEngine.CFG_NON_EXTERNAL_REG;
+ }
+
+ String allowMultiConfig = "op." + TPSEngine.ENROLL_OP + "." + scheme + "." +
+ TPSEngine.CFG_ALLOW_MULTI_TOKENS_USER;
+
+ CMS.debug(method + " trying config: " + allowMultiConfig);
+
+ try {
+ allow = configStore.getBoolean(allowMultiConfig, false);
+ } catch (EBaseException e) {
+ allow = false;
+ }
+
+ CMS.debug(method + "returning allow: " + allow);
+
+ return allow;
+ }
+
 public static void main(String[] args) {
 }
-- 
2.5.0
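Review bot: `checkUserAlreadyHasActiveToken` cannot tell "user has no active token" from "the lookup failed": its `catch (Exception e)` returns `false` for any exception, so a tokendb/LDAP error (or a null userid) opens the policy exactly when the system cannot answer, and `e` is dropped from the debug line. Unless `tdbHasActiveToken` signals the no-token case with a distinct exception type (not visible here), make that answer explicit — have the lookup return a boolean, or catch only the not-found type — and let everything else propagate as a TPSException so a backend failure denies rather than permits, logging it on the way: `CMS.debug(method + " lookup failed for user: " + userid + ": " + e);`. In `checkAllowMultiActiveTokensUser` the initial `allow = true` is dead since every path reassigns it, and `getBoolean(allowMultiConfig, false)` means a deployment whose CS.cfg lacks the new keys starts rejecting second tokens if that default applies when the key is absent — worth a comment next to the constants or a line in the commit message. `if (isExternalReg == true)` should read `if (isExternalReg)`.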