The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way, searching for tokens with
a specific status can be done correctly with a simple LDAP filter such
as (tokenStatus=<status>).

https://fedorahosted.org/pki/ticket/2296

--
Endi S. Dewata
>From 0b56804d0c4a1c63e6aba639bec1c4ecc147b849 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Mon, 2 May 2016 18:00:05 +0200
Subject: [PATCH] Fixed token status search filter.

The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way, searching for tokens with
a specific status can be done correctly with a simple LDAP filter such
as (tokenStatus=<status>).

https://fedorahosted.org/pki/ticket/2296
---
 .../src/org/dogtagpki/server/tps/TPSTokendb.java   | 10 +--
 .../org/dogtagpki/server/tps/dbs/TokenRecord.java  | 29 ++-------
 .../server/tps/processor/TPSEnrollProcessor.java   | 76 +++++++++++-----------
 .../server/tps/processor/TPSProcessor.java         |  2 +-
 .../dogtagpki/server/tps/rest/TokenService.java    | 49 ++++++--------
 5 files changed, 67 insertions(+), 99 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index 4a4aa89d3d61637b948599d481d1091db2c05ab6..523ac2f56888402511e7893dd5cf3c788bc300ee 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -161,7 +161,7 @@ public class TPSTokendb {
                 tdbFindTokenRecordsByUID(userid);
         boolean foundActive = false;
         for (TokenRecord tokenRecord:tokens) {
-            if (tokenRecord.getStatus().equals("active")) {
+            if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)) {
                 foundActive = true;
             }
         }
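Review bot: `tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)` dereferences the result of `getTokenStatus()`, which after this patch is whatever `TokenStatus.valueOf(status)` yields for the stored string. TokenStatus is not shown here, but if that lookup can return null for a missing or unrecognised value, the loop throws a NullPointerException instead of treating the record as not active. The other call sites touched by this patch compare with `==`, so `if (tokenRecord.getTokenStatus() == TokenStatus.ACTIVE) {` would be null-safe and consistent with them. The enclosing method starts before this hunk and its tail is outside it.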
@@ -170,9 +170,9 @@ public class TPSTokendb {
         }
     }
 
-    public void tdbAddTokenEntry(TokenRecord tokenRecord, String status)
+    public void tdbAddTokenEntry(TokenRecord tokenRecord, TokenStatus status)
             throws Exception {
-        tokenRecord.setStatus(status);
+        tokenRecord.setTokenStatus(status);
 
         tps.tokenDatabase.addRecord(tokenRecord.getId(), tokenRecord);
     }
@@ -186,11 +186,11 @@ public class TPSTokendb {
         } catch (Exception e) {
             CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry not found; Adding");
             // add and exit
-            tdbAddTokenEntry(tokenRecord, "ready");
+            tdbAddTokenEntry(tokenRecord, TokenStatus.READY);
             return;
         }
         // token found; modify
-        CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry found; Modifying with status: "+ tokenRecord.getStatus());
+        CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry found; Modifying with status: " + tokenRecord.getTokenStatus());
         // don't change the create time of an existing token record; put it back
         tokenRecord.setCreateTimestamp(existingTokenRecord.getCreateTimestamp());
         tps.tokenDatabase.updateRecord(id, tokenRecord);
diff --git a/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java b/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
index e8b0c5d9f949be11cf4d62086930af2bda4e3930..05761e1db553895d956f7c630200d6bfa042c609 100644
--- a/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
+++ b/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
@@ -241,31 +241,10 @@ public class TokenRecord extends DBRecord {
 
     public TokenStatus getTokenStatus() {
         String status = getStatus();
-
-        if ("ready".equals(status)) {
-            return TokenStatus.READY;
-
-        } else if ("active".equals(status)) {
-            return TokenStatus.ACTIVE;
-
-        } else if ("lost".equals(status)) {
-            String reason = getReason();
-
-            if ("keyCompromise".equals(reason)) {
-                return TokenStatus.PERM_LOST;
-
-            } else if ("destroyed".equals(reason)) {
-                return TokenStatus.DAMAGED;
-
-            } else if ("onHold".equals(reason)) {
-                return TokenStatus.SUSPENDED;
-            }
-
-        } else if ("terminated".equals(status)) {
-            return TokenStatus.TERMINATED;
-        }
-
-        return TokenStatus.PERM_LOST;
+        return TokenStatus.valueOf(status);
     }
 
+    public void setTokenStatus(TokenStatus status) {
+        setStatus(status.toString());
+    }
 }
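Review bot: `getTokenStatus()` now hands the raw attribute straight to `TokenStatus.valueOf(status)`, so entries written before this change, which hold the old values `ready`, `active`, `lost` and `terminated`, no longer map to a status, and nothing in this patch migrates them. Depending on how `valueOf` treats an unknown name (not visible here), callers get null or an exception where the removed code fell back to `TokenStatus.PERM_LOST`. Enrollment and state-change decisions branch on this value, so an unreadable status should fail closed in one documented place: either keep a translation of the legacy status/reason pairs here or ship an upgrade step for existing entries. At minimum, add a comment such as `// status holds TokenStatus.toString(); pre-upgrade values ("ready", "active", "lost", "terminated") are not recognised here`. `setTokenStatus` also calls `status.toString()` without a null check.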
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 4e8c8abfb95af5344a9a8303e8b5f34625286007..25e016b6400f3667cfc6eb22b04666a4f5af05c6 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -319,7 +319,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
             }
         } else {
             CMS.debug(method + " token does not exist");
-            tokenRecord.setStatus("ready");
+            tokenRecord.setTokenStatus(TokenStatus.READY);
 
             checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX);
         }
@@ -368,7 +368,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
         if (!isTokenPresent) {
             try {
-                tps.tdb.tdbAddTokenEntry(tokenRecord, "ready");
+                tps.tdb.tdbAddTokenEntry(tokenRecord, TokenStatus.READY);
             } catch (Exception e) {
                 String failMsg = "add token failure";
                 logMsg = failMsg + ":" + e.toString();
@@ -537,7 +537,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
         channel.setLifeycleState((byte) 0x0f);
 
         try {
-            tokenRecord.setStatus("active");
+            tokenRecord.setTokenStatus(TokenStatus.ACTIVE);
             tps.tdb.tdbUpdateTokenEntry(tokenRecord);
         } catch (Exception e) {
             String failMsg = "update token failure";
@@ -1024,14 +1024,15 @@ public class TPSEnrollProcessor extends TPSProcessor {
         for (TokenRecord tokenRecord : tokenRecords) {
             CMS.debug(method + " token id:"
                     + tokenRecord.getId() + "; status="
-                    + tokenRecord.getStatus());
+                    + tokenRecord.getTokenStatus());
 
             //Is this the same token (current token)?
             if (tokenRecord.getId().equals(aInfo.getCUIDhexStringPlain())) {
                 //same token
                 logMsg = "found current token entry";
                 CMS.debug(method + ":" + logMsg);
-                if (tokenRecord.getStatus().equals("ready")) {
+
+                if (tokenRecord.getTokenStatus() == TokenStatus.READY) {
                     // this is the current token
                     if (tokenRecords.size() == 1) {
                         // the current token is the only token owned by the user
@@ -1058,7 +1059,8 @@ public class TPSEnrollProcessor extends TPSProcessor {
                         CMS.debug(logMsg);
                         throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
                     }
-                } else if (tokenRecord.getStatus().equals("active")) {
+
+                } else if (tokenRecord.getTokenStatus() == TokenStatus.ACTIVE) {
                     // current token is already active; renew if allowed
                     if (tokenPolicy.isAllowdTokenRenew(aInfo.getCUIDhexStringPlain())) {
                         return processRenewal(certsInfo, channel, aInfo, tokenRecord);
@@ -1067,53 +1069,49 @@ public class TPSEnrollProcessor extends TPSProcessor {
                         CMS.debug(method + ":" + logMsg);
                     }
                     break;
-                } else if (tokenRecord.getStatus().equals("terminated")) {
+
+                } else if (tokenRecord.getTokenStatus() == TokenStatus.TERMINATED) {
                     logMsg = "terminated token cuid="
                             + aInfo.getCUIDhexStringPlain() + " cannot be reused";
                     CMS.debug(method + ":" + logMsg);
                     throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
-                } else if (tokenRecord.getStatus().equals("lost")) {
-                    String reasonStr = tokenRecord.getReason();
-                    if (reasonStr.equals("keyCompromise")) {
-                        logMsg = "This token cannot be reused because it has been reported lost";
-                        CMS.debug(method + ": "
-                                + logMsg);
-                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UNUSABLE_TOKEN_KEYCOMPROMISE);
-                    } else if (reasonStr.equals("onHold")) {
-                        try {
-                            tps.tdb.tdbHasActiveToken(userid);
-                            logMsg = "user already has an active token";
-                            CMS.debug(method + ": "
-                                    + logMsg);
-                            throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
-                        } catch (Exception e2) {
-                            logMsg = "User needs to contact administrator to report lost token (it should be put on Hold).";
-                            CMS.debug(method + ": "
-                                    + logMsg);
-                            break;
-                        }
-                    } else if (reasonStr.equals("destroyed")) {
-                        logMsg = "This destroyed lost case should not be executed because the token is so damaged. It should not get here";
-                        CMS.debug(method + ": "
-                                + logMsg);
-                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_TOKEN_DISABLED);
-                    } else {
-                        logMsg = "No such lost reason: " + reasonStr + " for this cuid: "
-                                + aInfo.getCUIDhexStringPlain();
-                        CMS.debug(method + ":" + logMsg);
-                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_NO_SUCH_LOST_REASON);
+
+                } else if (tokenRecord.getTokenStatus() == TokenStatus.PERM_LOST) {
+                    logMsg = "This token cannot be reused because it has been reported lost";
+                    CMS.debug(method + ": " + logMsg);
+                    throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UNUSABLE_TOKEN_KEYCOMPROMISE);
+
+                } else if (tokenRecord.getTokenStatus() == TokenStatus.SUSPENDED) {
+                    try {
+                        tps.tdb.tdbHasActiveToken(userid);
+                        logMsg = "user already has an active token";
+                        CMS.debug(method + ": " + logMsg);
+                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
+
+                    } catch (Exception e2) {
+                        logMsg = "User needs to contact administrator to report lost token (it should be put on Hold).";
+                        CMS.debug(method + ": " + logMsg);
+                        break;
                     }
 
+                } else if (tokenRecord.getTokenStatus() == TokenStatus.DAMAGED) {
+                    logMsg = "This destroyed lost case should not be executed because the token is so damaged. It should not get here";
+                    CMS.debug(method + ": "
+                            + logMsg);
+                    throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_TOKEN_DISABLED);
+
                 } else {
                     logMsg = "No such token status for this cuid=" + aInfo.getCUIDhexStringPlain();
                     CMS.debug(method + ":" + logMsg);
                     throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_NO_SUCH_TOKEN_STATE);
                 }
+
             } else { //cuid != current token
                 logMsg = "found token entry different from current token";
                 CMS.debug(method + ":" + logMsg);
-                if (tokenRecord.getStatus().equals("lost")) {
-                    //lostostToken keeps track of the latest token that's lost
+                TokenStatus st = tokenRecord.getTokenStatus();
+                if (st == TokenStatus.PERM_LOST || st == TokenStatus.SUSPENDED || st == TokenStatus.DAMAGED) {
+                    //lostToken keeps track of the latest token that's lost
                     //last one in the look should be the latest
                     lostToken = tokenRecord;
                     logMsg = "found a lost token: cuid = " + tokenRecord.getId();
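Review bot: In the `TokenStatus.SUSPENDED` branch the `TPSException` carrying `STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN` is thrown inside the `try` whose only handler is `catch (Exception e2)`. Assuming TPSException derives from Exception, it is caught at once, the "contact administrator" message is logged and the loop just breaks. The refusal therefore never reaches the caller, and both outcomes of `tdbHasActiveToken(userid)` end the same way. This is carried over unchanged from the removed `onHold` branch; if the refusal is intended, add `} catch (TPSException e) { throw e;` ahead of the generic handler, or move the throw below the try. The enclosing method begins and ends outside this hunk.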
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 0a0b10d46b292905546d1038c64432a85f6b9371..023f75479b3a36b1e30fff2d04613384a40fb901 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -2151,7 +2151,7 @@ public class TPSProcessor {
         }
 
         // Update Token DB
-        tokenRecord.setStatus("ready");
+        tokenRecord.setTokenStatus(TokenStatus.READY);
         try {
             tps.tdb.tdbUpdateTokenEntry(tokenRecord);
         } catch (Exception e) {
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
index 441518e8b90cbee6ca85f7ee58d040058e421523..fd897ccfbd437dc2221961fdce62cde045cfefc9 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
@@ -83,17 +83,16 @@ public class TokenService extends PKIService implements TokenResource {
                     throws Exception {
         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
 
-        String oldStatus = tokenRecord.getStatus();
+        TokenStatus oldStatus = tokenRecord.getTokenStatus();
         String oldReason = tokenRecord.getReason();
-        String newStatus = String.valueOf(tokenState);
+        TokenStatus newStatus = tokenState;
         String newReason = null;
 
         auditModParams.put("UserID", tokenRecord.getUserID());
 
         switch (tokenState.getValue()) {
         case TokenStatus.TOKEN_READY:
-            tokenRecord.setStatus("ready");
-            newStatus = "ready";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason(null);
             break;
 
@@ -103,15 +102,13 @@ public class TokenService extends PKIService implements TokenResource {
                 tps.tdb.unRevokeCertsByCUID(tokenRecord.getId(), ipAddress, remoteUser);
             }
 
-            tokenRecord.setStatus("active");
-            newStatus = "active";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason(null);
             break;
 
         case TokenStatus.TOKEN_PERM_LOST:
         case TokenStatus.TOKEN_TEMP_LOST_PERM_LOST:
-            tokenRecord.setStatus("lost");
-            newStatus = "lost";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason("keyCompromise");
             newReason = "keyCompromise";
 
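Review bot: The shared `TOKEN_PERM_LOST` / `TOKEN_TEMP_LOST_PERM_LOST` case now persists `tokenState` itself. The removed code stored both states identically as `lost` with reason `keyCompromise`, so, assuming the second state has its own name, they now end up as different stored values. The enrollment checks in TPSEnrollProcessor changed by this same patch test only `PERM_LOST`, `SUSPENDED` and `DAMAGED`. A token recorded under the second state would fall through to the "No such token status" error when it is the current token, and would not be counted as lost when it is another token of the same user. If the two are meant to stay equivalent, store `tokenRecord.setTokenStatus(TokenStatus.PERM_LOST);` here; otherwise the enrollment branches need a case for it. The switch starts above this hunk and continues below it.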
@@ -120,8 +117,7 @@ public class TokenService extends PKIService implements TokenResource {
             break;
 
         case TokenStatus.TOKEN_DAMAGED:
-            tokenRecord.setStatus("lost");
-            newStatus = "lost";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason("destroyed");
             newReason = "destroyed";
 
@@ -130,8 +126,7 @@ public class TokenService extends PKIService implements TokenResource {
             break;
 
         case TokenStatus.TOKEN_SUSPENDED:
-            tokenRecord.setStatus("lost");
-            newStatus = "lost";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason("onHold");
             newReason = "onHold";
 
@@ -141,15 +136,11 @@ public class TokenService extends PKIService implements TokenResource {
 
         case TokenStatus.TOKEN_TERMINATED:
             String reason = "terminated";
-            String origStatus2 = tokenRecord.getStatus();
-            String origReason2 = tokenRecord.getReason();
-            // temp token looks at "onHold"
-            if (origStatus2.equalsIgnoreCase("lost") &&
-                    origReason2.equalsIgnoreCase("onHold")) {
-                reason = "onHold";
+            // keep original reason for suspension
+            if (oldStatus == TokenStatus.SUSPENDED) {
+                reason = oldReason;
             }
-            tokenRecord.setStatus("terminated");
-            newStatus = "terminated";
+            tokenRecord.setTokenStatus(tokenState);
             tokenRecord.setReason(reason);
             newReason = reason;
 
@@ -378,8 +369,8 @@ public class TokenService extends PKIService implements TokenResource {
             }
 
             // new tokens are ready when created
-            tokenRecord.setStatus("ready");
-            auditModParams.put("Status", "ready");
+            tokenRecord.setTokenStatus(TokenStatus.READY);
+            auditModParams.put("Status", TokenStatus.READY.toString());
 
             database.addRecord(tokenID, tokenRecord);
             subsystem.tdb.tdbActivity(ActivityDatabase.OP_ADD, tokenRecord,
@@ -617,9 +608,9 @@ public class TokenService extends PKIService implements TokenResource {
 
         TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
         // for auditing
-        String oldStatus = null;
+        TokenStatus oldStatus = null;
         String oldReason = null;
-        String newStatus = null;
+        TokenStatus newStatus = null;
         String newReason = null;
 
         TokenRecord tokenRecord = null;
@@ -631,9 +622,9 @@ public class TokenService extends PKIService implements TokenResource {
             TokenStatus currentTokenStatus = tokenRecord.getTokenStatus();
             CMS.debug("TokenService.changeTokenStatus(): current status: " + currentTokenStatus);
 
-            oldStatus = tokenRecord.getStatus();
+            oldStatus = tokenRecord.getTokenStatus();
             oldReason = tokenRecord.getReason();
-            newStatus = String.valueOf(tokenStatus);
+            newStatus = tokenStatus;
 
             if (currentTokenStatus == tokenStatus) {
                 CMS.debug("TokenService.changeTokenStatus(): no status change, no activity log generated");
@@ -789,16 +780,16 @@ public class TokenService extends PKIService implements TokenResource {
     /*
      *
      */
-    public void auditTokenStateChange(String status, String oldState, String newState, String oldReason,
+    public void auditTokenStateChange(String status, TokenStatus oldState, TokenStatus newState, String oldReason,
             String newReason, Map<String, String> params, String info) {
 
         String msg = CMS.getLogMessage(
                 "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8",
                 servletRequest.getUserPrincipal().getName(),
                 status,
-                oldState,
+                oldState.toString(),
                 oldReason,
-                newState,
+                newState.toString(),
                 newReason,
                 auditor.getParamString(null, params),
                 info);
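Review bot: `oldState.toString()` and `newState.toString()` make the audit call itself throw when either argument is null, and the `changeTokenStatus` hunk above initialises `oldStatus` and `newStatus` to null "for auditing" before the record is loaded. The call sites are not in this patch view, but if a failure audit is emitted before those variables are assigned, the NullPointerException would replace the audit record and mask the original error. The String parameters accepted null before; keeping that takes one line each, `oldState == null ? null : oldState.toString(),` and likewise for `newState`. The method's closing lines are outside the hunk.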
-- 
2.5.5
