Enrollment of a temporarily lost token is successful, with transition 3:4 #1852

Closed
pki-bot opened this issue Oct 3, 2020 · 9 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #1290. Originally filed by mharmsen (@mharmsen) on 2015-03-02 19:52:24:


Enrollment of a temporarily lost token is successful, with transition 3:4

How reproducible:

always

Steps to Reproduce:

1. Edit tps CS.cfg to have tps.operations.allowedTransitions=0:0,0:4,4:0,3:4
2. restart the server
3. Enroll an uninitialized/formatted token
4. From TPS UI change the state of the token to temp lost
5. Enroll the temp lost token with the same token using tpsclient

Actual results:

Enrollment is successful

Expected results:

Enrollment should fail

pki-bot added this to the 10.3.1 milestone Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2015-03-03 03:51:22

I just tried this out on my own system, which consists of the freshly checked in scp02 work, but it should not be a factor. I did this:

  1. Enrolled a token with tpsclient.
  2. Went into the UI and set the status to temp lost.
  3. Went back to tpsclient and retried the enrollment.
  4. It failed with the following message:

TPSSession.process: Message processing failed: Operation for CUID 40906145C76224192D2B Disabled, illegal transition attempted TEMP_LOST to ACTIVE

pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-03-10 00:43:16

Per CS/DS Meeting of 03/09/2015: 10.2.3


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-04-28 20:51:54

Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: (Tech Preview Feature)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-06-08 20:53:41

Per CS/DS meeting of 06/08/2015: 10.2.6


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-06-30 20:41:40

Per Dogtag 10.2.6 TRIAGE meeting of 06/30/2015: 10.3


pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2016-04-29 22:32:42

The 3:4 transition was removed from the default tokendb.allowedTransitions in ticket 1808. However, if the user adds the transition manually into tokendb.allowedTransitions, the UI might allow that transition to happen. Since this is an illegal transition, the TPS probably should specifically reject the 3:4 transition if it's added to tokendb.allowedTransitions.


pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2016-04-29 22:53:53

The default list should be updated to include all supported transitions. Unwanted transitions can be removed from the list, but new transitions cannot be added to the list if they are not part of the default supported transitions.

The list should be validated in TPS selftest, so if the list contains illegal/unsupported transitions the TPS should not start.
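
The self-test validation proposed in the comment above, sketched as an added example (not part of the original thread and not Dogtag's own code): it reads the two property names mentioned in this issue and reports any transition outside a supported set. The `SUPPORTED` set and all function names are assumptions constructed for illustration.

```python
# Added example. SUPPORTED is constructed for illustration, not Dogtag's list.
KEYS = ("tps.operations.allowedTransitions", "tokendb.allowedTransitions")
SUPPORTED = {(0, 0), (0, 4), (4, 0), (4, 3)}


def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def parse_transitions(value):
    """Turn '0:0,0:4' into [(0, 0), (0, 4)]; raise ValueError if malformed."""
    pairs = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        src, sep, dst = item.partition(":")
        if not sep or not src.isdecimal() or not dst.isdecimal():
            raise ValueError(f"malformed transition {item!r}")
        pairs.append((int(src), int(dst)))
    return pairs


def check_transitions(cfg_text, supported=SUPPORTED):
    """Return a list of problems; an empty list means start-up may proceed."""
    problems = []
    cfg = parse_cfg(cfg_text)
    for key in (k for k in KEYS if k in cfg):
        try:
            pairs = parse_transitions(cfg[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        problems += [f"{key}: unsupported transition {s}:{d}"
                     for s, d in pairs if (s, d) not in supported]
    return problems


# Constructed sample: the CS.cfg line from the reproduction steps.
SAMPLE = "tps.operations.allowedTransitions=0:0,0:4,4:0,3:4\n"

if __name__ == "__main__":
    for problem in check_transitions(SAMPLE):
        print("self-test failure:", problem)
```

A caller would refuse to start the subsystem whenever `check_transitions` returns a non-empty list, so a manually added 3:4 entry is rejected at start-up rather than at enrollment time.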


pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2016-05-06 01:39:53

Fixed in master:


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-02-27 13:58:14

Metadata Update from @mharmsen:

  • Issue assigned to edewata
  • Issue set to the milestone: 10.3.1
