PIN_RESET policy is not giving expected results when set on a token.
    
    Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given 
token.
Minor logging improvements added as well for this error condition.
    
    Ticket #2510.


From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep 17 00:00:00 2001
From: Jack Magne <jma...@dhcp-16-206.sjc.redhat.com>
Date: Tue, 18 Oct 2016 18:58:21 -0700
Subject: [PATCH] PIN_RESET policy is not giving expected results when set on a
 token.

Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token.

Ticket #2510.
---
 .../server/tps/processor/TPSPinResetProcessor.java | 34 ++++++++++++++++------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 9d0625a..fe3f801 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -21,6 +21,7 @@ import java.io.IOException;
 
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.TPSTokenPolicy;
 import org.dogtagpki.server.tps.channel.SecureChannel;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
@@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
         }
 
-        TokenStatus status = tokenRecord.getTokenStatus();
-
-        CMS.debug(method + ": Token status: " + status);
-
-        if (!status.equals(TokenStatus.ACTIVE)) {
-            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
-                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
-
-        }
+        TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
 
         session.setTokenRecord(tokenRecord);
 
@@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         checkAndAuthenticateUser(appletInfo, tokenType);
 
+        TokenStatus status = tokenRecord.getTokenStatus();
+
+        CMS.debug(method + ": Token status: " + status);
+
+        if (!status.equals(TokenStatus.ACTIVE)) {
+            logMsg = method + "Can not reset the pin of a non active token.";
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
+        boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId());
+
+        CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed:  " + pinResetAllowed);
+        logMsg = method + " PinReset Policy forbids pin reset operation.";
+        if (pinResetAllowed == false) {
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
         checkAndUpgradeApplet(appletInfo);
         appletInfo = getAppletInfo();
 
-- 
2.5.0

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Reply via email to