#1664 [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens.
Closed: Fixed None Opened 8 years ago by dsirrine.

It is currently possible to attempt to enroll multiple tokens to a single user
causing an additional entry in the TPS token database.

Steps to reproduce:

    1) Create tpsclient file:

    ~~~
    cat > token_enroll.txt << EOF
    op=var_set name=ra_host value=<TPS_HOST_URL>
    op=var_set name=ra_port value=7888
    op=var_set name=ra_uri value=/nk_service
    op=token_set cuid=00000000000000200000 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
    op=token_set auth_key=404142434445464748494a4b4c4d4e4f
    op=token_set mac_key=404142434445464748494a4b4c4d4e4f
    op=token_set kek_key=404142434445464748494a4b4c4d4e4f
    op=ra_enroll uid=tuser pwd=test new_pin=Secret123 num_threads=1
    op=exit
    EOF
    ~~~

    2) Enroll token using tpsclient

    # tpsclient < token_enroll.txt

    3) Modify token cuid in token_enroll.txt from:

    cuid=00000000000000200000

    to

    cuid=00000000000000200001

    4) Enroll token using tpsclient

    # tpsclient < token_enroll.txt

Actual Results:

    - tpsclient enroll fails with:
       ~~~
       Result> Error - Operation 'ra_enroll' Failure (9787 msec)
       ~~~
    - TPS token database has an additional uninitialized token entry for user

Expected Results:

    - tpsclient enroll fails
    - NO additional uninitialized token entry for user

Per CS/DS meeting of 11/02/2015:

Closed as WONT FIX for RHCS 8.x version of product.

Per PKI Bug Council of 06/23/2016: 10.3.4

Checkin:

commit e326cd2f06bd651cdd87646eea94622e18cec28d
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Fri Jun 24 11:02:35 2016 -0700

Add ability to disallow TPS to enroll a single user on multiple tokens.

This patch will install a check during the early portion of the enrollment
process that checks a configurable policy on whether or not a user should be allowed
to have more than one active token.

This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment from proceeding and will exit before the system
has a chance to add this new token to the TPS tokendb.

The behavior will be configurable for the external reg and non-external reg scenarios
as follows:

tokendb.nonExternalReg.allowMultiActiveTokensUser=false
tokendb.enroll.externalReg.allowMultiActiveTokensUser=false

Closing:

Per CS/DS Meeting of 10/03/2016:

  • single user can no longer enroll using single token
  • Regression
  • Blocker

commit 1efc001db20afc34b7353f6d2b114593eb761b90
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Wed Oct 5 18:16:35 2016 -0700

Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664

This bug was previously not completely fixed where we left a loophole to allow a user to
end up with 2 active tokens. This fix closes that loophole.

Also:

Fix for: Unable to read an encrypted email using renewed tokens. #2483

This fix provides for a new optional renewal based token policy, that
allows the user to retain or recover old encryption certs for that profile,
that get overwritten by the renewal process.

An example is:

RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES

The default is YES; you have to explicitly set it to NO to turn it off.

The second part of the policy is new.

When this is set to "YES", the system will make sure the old enc cert
will remain on the token. If it's missing or "NO", no such attempt will be made.

Last minute addition to really fix the issue.

commit 68574756d5afa1c14cd6cc316298aa8f721e7244
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Mon Oct 10 15:56:03 2016 -0700

Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664

We just found out the code doesn't account for the case where the user has an active token which IS the
token currently being worked on.
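The gate described in the three commit messages above (reject a second active token for a user before anything is written to the tokendb, keyed on the two `allowMultiActiveTokensUser` settings, and ignore the user's active record when it is the very token being worked on) can be modelled outside of TPS. The following is an added illustration written for this page, not Dogtag's code: the in-memory `tokendb` dict, `TokenRecord`, `EnrollmentRejected`, `enroll` and `reproduce_bug_scenario` are all assumed names, and the only things taken from the page are the two config keys and the CUIDs and user from the reproduction steps.

```python
"""Model of the TPS "one active token per user" enrollment gate.

Added illustration, not Dogtag code. The in-memory tokendb, TokenRecord,
EnrollmentRejected, enroll() and reproduce_bug_scenario() are assumptions;
the two config keys are the ones named in the commit message on this page.
"""
from dataclasses import dataclass

CFG_NON_EXTERNAL = "tokendb.nonExternalReg.allowMultiActiveTokensUser"
CFG_EXTERNAL = "tokendb.enroll.externalReg.allowMultiActiveTokensUser"


@dataclass
class TokenRecord:
    """One row of the (assumed, in-memory) TPS tokendb."""
    cuid: str
    user_id: str
    status: str  # "active" or "uninitialized" for this illustration


class EnrollmentRejected(Exception):
    """Raised by the policy gate; nothing has been written to the tokendb."""


def multi_active_allowed(config, external_reg):
    """Read the policy for the external-reg or non-external-reg path.

    Both keys default to false (one active token per user) when absent."""
    key = CFG_EXTERNAL if external_reg else CFG_NON_EXTERNAL
    return config.get(key, "false").strip().lower() == "true"


def other_active_tokens(tokendb, user_id, cuid):
    """Active tokens of this user other than the one being worked on.

    Excluding `cuid` is the point of the 10 Oct 2016 follow-up: a user whose
    only active token is the current one must not be blocked by it."""
    return [t for t in tokendb.values()
            if t.user_id == user_id and t.status == "active" and t.cuid != cuid]


def enroll(tokendb, config, cuid, user_id, external_reg=False):
    """Simulated enrollment: run the policy gate before any tokendb write."""
    if not multi_active_allowed(config, external_reg):
        others = other_active_tokens(tokendb, user_id, cuid)
        if others:
            raise EnrollmentRejected(
                f"user {user_id} already has active token(s) "
                f"{[t.cuid for t in others]}; refusing to enroll {cuid}")
    # Only now is the record created, so a rejected attempt leaves no
    # uninitialized entry behind (the expected result in the bug report).
    tokendb[cuid] = TokenRecord(cuid=cuid, user_id=user_id, status="active")
    return tokendb[cuid]


def reproduce_bug_scenario(allow_multiple):
    """Replay the report's steps with the policy on or off.

    Returns (sorted CUIDs now in the tokendb, whether the second CUID was
    rejected). Constructed input: the CUIDs and user from the report."""
    tokendb = {}
    config = {CFG_NON_EXTERNAL: "true" if allow_multiple else "false"}
    enroll(tokendb, config, "00000000000000200000", "tuser")
    rejected = False
    try:
        enroll(tokendb, config, "00000000000000200001", "tuser")
    except EnrollmentRejected:
        rejected = True
    # Re-working the first token must not trip the gate on its own record.
    enroll(tokendb, config, "00000000000000200000", "tuser")
    return sorted(tokendb), rejected


if __name__ == "__main__":
    print(reproduce_bug_scenario(allow_multiple=False))
    print(reproduce_bug_scenario(allow_multiple=True))
```

With the policy left at its default the second CUID is refused and the tokendb still holds only the first entry, which is the expected result in the report; flipping the key to `true` restores the old behaviour of two entries for `tuser`. The ordering in `enroll` is what matters: the check has to run before the record is created, otherwise the failed attempt would still leave the uninitialized entry the report complains about.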

Metadata Update from @dsirrine:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.7

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2223

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

