[Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-24 Thread John Magne

Add ability to disallow TPS to enroll a single user on multiple tokens.

This patch will install a check during the early portion of the enrollment
process to check a configurable policy on whether or not a user should be allowed
to have more than one active token.

This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment from proceeding and will exit before the system
has a chance to add this new token to the TPS tokendb.

The behavior will be configurable for the external reg and non external reg scenarios
as follows:

op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
op.enroll.externalReg.allowMultiActiveTokensUser=false
From f37a31bd9e59e6d93b9c9ea270a427d723a6d423 Mon Sep 17 00:00:00 2001
From: Jack Magne 
Date: Fri, 24 Jun 2016 11:02:35 -0700
Subject: [PATCH] Add ability to disallow TPS to enroll a single user on
 multiple tokens.

This patch will install a check during the early portion of the enrollment
process to check a configurable policy on whether or not a user should be allowed
to have more than one active token.

This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment from proceeding and will exit before the system
has a chance to add this new token to the TPS tokendb.

The behavior will be configurable for the external reg and non external reg scenarios
as follows:

op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
op.enroll.externalReg.allowMultiActiveTokensUser=false
---
 base/tps/shared/conf/CS.cfg|  2 +
 .../org/dogtagpki/server/tps/engine/TPSEngine.java |  2 +
 .../server/tps/processor/TPSEnrollProcessor.java   | 80 --
 3 files changed, 78 insertions(+), 6 deletions(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index f552a54..0fbffc2 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -773,6 +773,8 @@ op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
 op.format.externalRegAddToToken.revokeCert=false
 op.format.externalRegAddToToken.revokeCert.reason=0
 op.enroll.allowUnknownToken=true
+op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
+op.enroll.externalReg.allowMultiActiveTokensUser=false
 op.enroll.mappingResolver=enrollProfileMappingResolver
 op.enroll.soKey.cuidMustMatchKDD=false
 op.enroll.soKey.enableBoundedGPKeyVersion=true
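Review bot: both new keys default to `false`, so an upgraded deployment that today lets a user hold several active tokens will start refusing every new token for such users the moment this CS.cfg ships; confirm that changing behaviour on upgrade is intended, and document the two keys, since nothing in this hunk explains them. Naming is also worth a second look: the keys live under `op.enroll.*` but they govern a tokendb lookup, so a `tokendb.`-prefixed name would group them with what they actually check.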
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index a5fbc3b..a34be7c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -153,6 +153,7 @@ public class TPSEngine {
 
 public static final String CFG_EXTERNAL_REG = "externalReg";
 public static final String CFG_ER_DELEGATION = "delegation";
+public static final String CFG_NON_EXTERNAL_REG = "nonExternalReg";
 
 /* misc values */
 
@@ -192,6 +193,7 @@ public class TPSEngine {
 public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP;
 public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP;
 public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP;
+public static final String CFG_ALLOW_MULTI_TOKENS_USER = "allowMultiActiveTokensUser";
 
 public void init() {
 //ToDo
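Review bot: `CFG_ALLOW_MULTI_TOKENS_USER` is dropped among the `ENROLL_MODE_*` constants instead of next to the `CFG_*` group extended two hunks earlier (`CFG_EXTERNAL_REG`, `CFG_ER_DELEGATION`, `CFG_NON_EXTERNAL_REG`); move it there, and consider naming the constant after its value (`CFG_ALLOW_MULTI_ACTIVE_TOKENS_USER`) so a grep for either the key or the constant finds the other.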
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 6240ea6..3b8cdf3 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -14,6 +14,11 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
 
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
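Review bot: this hunk only relocates imports, and it carries the dead `//import org.mozilla.jss.pkcs11.PK11ECPublicKey;` along with them; delete the commented-out import rather than moving it, and keep import reshuffling out of a functional patch (or in its own commit) so the policy change can be reviewed on its own.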
@@ -53,6 +58,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
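Review bot: `sun.security.pkcs11.wrapper.PKCS11Constants` is a JDK-internal (`sun.*`) package with no compatibility guarantee, and this hunk only moves the import rather than introducing it; since the line is being touched anyway, it is a good moment to note the dependency on JDK internals and check whether a JSS or public JDK equivalent covers the constants used.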
@@ -60,12 +67,6 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 public
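Review bot: this hunk is only the removal side of the import relocation, and the posting ends mid-hunk at `public`; the functional change to TPSEnrollProcessor.java that the diffstat counts (78 insertions, most of them in this file) does not appear here, so the new policy check itself cannot be reviewed from this message. Please repost the full patch or link to it.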

Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-27 Thread Christina Fu

Just a few minor ones.

* configuration parameters referencing token existence in tokendb should
use names beginning with "tokendb", e.g.

tokendb.allowMultiActiveTokensPerUser.externalReg=false
tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false

* boolean allowMultiCerts -- I think the name is misleading. How about
alowMultiTokens

* existing calls to tps.tdb.tdbHasActiveToken() need to be decided, e.g.

  1. TPSEnrollProcessor.java: search for tdbHasActiveToken (first
  occurrence), you will find that it is called with a "TODO:" comment. I
  believe that whole try/catch with the tps.tdb.tdbHasActiveToken(userid)
  call can be removed since you already call that earlier in your patch.
  2. TPSEnrollProcessor.java: the 2nd occurrence is when the
  enrolling token is suspended. You need to look into what it is doing at
  that point and whether that check can also be eliminated.


thanks,
Christina

On 06/24/2016 11:08 AM, John Magne wrote:

> Add ability to disallow TPS to enroll a single user on multiple tokens.
>
> This patch will install a check during the early portion of the enrollment
> process to check a configurable policy on whether or not a user should be allowed
> to have more than one active token.
>
> This check will take place only for brand new tokens not seen before.
> The check will prevent the enrollment from proceeding and will exit before the system
> has a chance to add this new token to the TPS tokendb.
>
> The behavior will be configurable for the external reg and non external reg scenarios
> as follows:
>
> op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
> op.enroll.externalReg.allowMultiActiveTokensUser=false


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-30 Thread John Magne

Addressed cfu's concerns and pushed to master for cond ACK.

commit e326cd2f06bd651cdd87646eea94622e18cec28d

Closing ticket #1664

- Original Message -
> From: "Christina Fu" 
> To: pki-devel@redhat.com
> Sent: Monday, June 27, 2016 2:25:33 PM
> Subject: Re: [Pki-devel] [pki-devel] [PATCH] 
> 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch
> 
> Just a few minor ones.
> 
> * configuration parameters referencing token existence in tokendb should use
> names beginning with "tokendb", e.g.

Done: Changed the names of the params as suggested.

> tokendb.allowMultiActiveTokensPerUser.externalReg=false
> tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false
> 
> * boolean allowMultiCerts -- I think the name is misleading. how about
> alowMultiTokens
> 
> * existing calls to tps.tdb.tdbHasActiveToken() need to be decided:
> e.g.

In both of these blocks of code I simply removed the action taken if the user has
an active token, since they can no longer get there.
The alternate case has been left untouched.

The second occurrence is not likely to even happen since the transitions allowed
will not usually permit going from SUSPENDED to ACTIVE anyway. Case retained as
a fallback.


> 1. TPSEnrollProcessor.java search for tdbHasActiveToken (first occurrence) ,
> you will find that it is called with "TODO:" comment. I believe that whole
> try/catch with the tps.tdb.tdbHasActiveToken(userid); call can be removed
> since you already call that earlier in your patch
> 2. TPSEnrollProcessor.java, the 2nd occurrence is when the enrolling token is
> suspended. You need to look into what it is doing at the point and whether
> that check can also be eliminated.
> 
> thanks,
> Christina
> 
> On 06/24/2016 11:08 AM, John Magne wrote:
> 
> 
> 
> Add ability to disallow TPS to enroll a single user on multiple tokens.
> 
> This patch will install a check during the early portion of the
> enrollment
> process to check a configurable policy on whether or not a user should be
> allowed
> to have more than one active token.
> 
> This check will take place only for brand new tokens not seen before.
> The check will prevent the enrollment from proceeding and will exit before the
> system
> has a chance to add this new token to the TPS tokendb.
> 
> The behavior will be configurable for the external reg and non
> external reg scenarios
> as follows:
> 
> op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
> op.enroll.externalReg.allowMultiActiveTokensUser=false
> 

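The policy the thread settles on (refuse a never-seen token when the user already holds an active one, decided per externalReg / nonExternalReg mode, and decided before the token is written to the tokendb) is small enough to show end to end. The following is an added example written for this page, not code from the patch or from Dogtag PKI: `TokenDb` and `ConfigStore` are stand-ins for the real TPS tokendb and CS.cfg access, `isKnownToken` and `PolicyException` are assumed names, `tdbHasActiveToken` is borrowed from the thread, and the key names are the final `tokendb.allowMultiActiveTokensPerUser.*` form Christina proposed. All tokens, users and CUIDs are constructed sample data.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example (not Dogtag code): enrollment-time multi-active-token policy check. */
public class MultiTokenPolicyExample {

    /** Stand-in for the TPS tokendb (assumption): which CUIDs exist, who holds an active token. */
    static class TokenDb {
        private final Set<String> knownCuids = new HashSet<>();
        private final Map<String, Integer> activeTokensPerUser = new HashMap<>();

        void addActiveToken(String cuid, String userid) {
            knownCuids.add(cuid);
            activeTokensPerUser.merge(userid, 1, Integer::sum);
        }

        boolean isKnownToken(String cuid) {           // assumed helper name
            return knownCuids.contains(cuid);
        }

        boolean tdbHasActiveToken(String userid) {    // name taken from the thread
            return activeTokensPerUser.getOrDefault(userid, 0) > 0;
        }
    }

    /** Stand-in for CS.cfg lookups (assumption); a missing key falls back to the caller's default. */
    static class ConfigStore {
        private final Map<String, String> props = new HashMap<>();

        void put(String key, String value) { props.put(key, value); }

        boolean getBoolean(String key, boolean dflt) {
            String v = props.get(key);
            return v == null ? dflt : Boolean.parseBoolean(v.trim());
        }
    }

    static class PolicyException extends Exception {
        PolicyException(String msg) { super(msg); }
    }

    static final String CFG_PREFIX = "tokendb.allowMultiActiveTokensPerUser.";

    /**
     * Runs before the new token is added to the tokendb. Returns normally when the
     * enrollment may proceed and throws when the configured policy denies it.
     * Only brand-new tokens are checked; a CUID already in the tokendb is a
     * re-enrollment and is left to the existing token state transitions.
     * A missing key is treated as "false" (deny), the same default the patch ships.
     */
    static void checkMultiActiveTokenPolicy(ConfigStore cfg, TokenDb tdb, String cuid,
                                            String userid, boolean externalReg)
            throws PolicyException {
        if (tdb.isKnownToken(cuid)) {
            return;
        }
        String key = CFG_PREFIX + (externalReg ? "externalReg" : "nonExternalReg");
        boolean allowMultiTokens = cfg.getBoolean(key, false);
        if (!allowMultiTokens && tdb.tdbHasActiveToken(userid)) {
            throw new PolicyException("user " + userid
                    + " already has an active token and " + key + "=false");
        }
    }

    public static void main(String[] args) throws Exception {
        ConfigStore cfg = new ConfigStore();
        cfg.put("tokendb.allowMultiActiveTokensPerUser.externalReg", "false");
        cfg.put("tokendb.allowMultiActiveTokensPerUser.nonExternalReg", "false");

        TokenDb tdb = new TokenDb();
        tdb.addActiveToken("CUID-AAAA0001", "alice");   // constructed sample data

        // 1. alice presents a second, never-seen token: denied before any tokendb write.
        try {
            checkMultiActiveTokenPolicy(cfg, tdb, "CUID-AAAA0002", "alice", false);
            System.out.println("unexpected: enrollment allowed");
        } catch (PolicyException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // 2. alice re-presents the token already in the tokendb: the check is skipped.
        checkMultiActiveTokenPolicy(cfg, tdb, "CUID-AAAA0001", "alice", false);
        System.out.println("known token: check skipped");

        // 3. bob has no active token: a new token is allowed.
        checkMultiActiveTokenPolicy(cfg, tdb, "CUID-BBBB0001", "bob", false);
        System.out.println("bob: enrollment allowed");

        // 4. Policy relaxed for externalReg only: alice may take a second token in that mode.
        cfg.put("tokendb.allowMultiActiveTokensPerUser.externalReg", "true");
        checkMultiActiveTokenPolicy(cfg, tdb, "CUID-AAAA0002", "alice", true);
        System.out.println("externalReg relaxed: enrollment allowed");
    }
}
```

The ordering is the point Christina and John converge on: because the check runs before `addActiveToken` would be called for the new CUID, a denied enrollment leaves no record in the tokendb, and the later `tdbHasActiveToken` call sites in the processor become unreachable for the denied case, which is why they could be reduced in the final patch.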