[BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. #2223

Closed
pki-bot opened this issue Oct 3, 2020 · 8 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #1664. Originally filed by dsirrine (@dsirrine) on 2015-10-22 00:42:02:


It is currently possible to attempt to enroll multiple tokens to a single user
causing an additional entry in the TPS token database.

Steps to reproduce:

1) Create tpsclient file:

~~~
cat > token_enroll.txt << EOF
op=var_set name=ra_host value=<TPS_HOST_URL>
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000200000 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=tuser pwd=test new_pin=Secret123 num_threads=1
op=exit
EOF
~~~

2) Enroll token using tpsclient:

~~~
# tpsclient < token_enroll.txt
~~~

3) Modify token cuid in token_enroll.txt from:

~~~
cuid=00000000000000200000
~~~

to

~~~
cuid=00000000000000200001
~~~

4) Enroll token using tpsclient:

~~~
# tpsclient < token_enroll.txt
~~~

Actual Results:

- tpsclient enroll fails with:

  ~~~
  Result> Error - Operation 'ra_enroll' Failure (9787 msec)
  ~~~

- TPS token database has an additional uninitialized token entry for the user

Expected Results:

- tpsclient enroll fails
- NO additional uninitialized token entry for the user
@pki-bot pki-bot added this to the 10.3.7 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-10-22 00:45:10

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1181667 (Red Hat Certificate System)


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-11-03 00:32:58

Per CS/DS meeting of 11/02/2015:

Closed as WONT FIX for RHCS 8.x version of product.


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-06-24 00:26:13

Per PKI Bug Council of 06/23/2016: 10.3.4


pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2016-06-30 23:46:10

Checkin:

commit e326cd2
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Fri Jun 24 11:02:35 2016 -0700

Add ability to disallow TPS to enroll a single user on multiple tokens.

This patch will install a check during the early portion of the enrollment
process that checks a configurable policy on whether or not a user should be allowed
to have more than one active token.

This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment to proceed and will exit before the system
has a chance to add this new token to the TPS tokendb.

The behavior will be configurable for the external reg and not external reg scenarios
as follows:

~~~
tokendb.nonExternalReg.allowMultiActiveTokensUser=false
tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
~~~

Closing:


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-10-04 03:12:42

Per CS/DS Meeting of 10/03/2016:

  • single user can no longer enroll using single token
  • Regression
  • Blocker


pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2016-10-08 02:58:49

commit 1efc001db20afc34b7353f6d2b114593eb761b90
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Wed Oct 5 18:16:35 2016 -0700

Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. 1664

This bug was previously not completely fixed where we left a loophole to allow a user to
end up with 2 active tokens. This fix closes that loophole.

Also:

Fix for: Unable to read an encrypted email using renewed tokens. 2483

This fix provides for a new optional renewal based token policy, that
allows the user to retain or recover old encryption certs for that profile,
that get overwritten by the renewal process.

An example is:

~~~
RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
~~~

The default is YES; you have to explicitly set it to NO to turn it off.

The second part of the policy is new.

When this is set to "YES", the system will make sure the old enc cert
will remain on the token. If it's missing or "NO", no such attempt will be made.


pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2016-10-11 02:38:01

Last minute addition to really fix the issue.

commit 6857475
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Mon Oct 10 15:56:03 2016 -0700

Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. 1664

We just found out the code doesn't account for if the user has an active token which IS the
token currently being worked on.
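As an added illustration, and not Dogtag PKI's own code, here is a small Python model of the enrollment-time policy that the three commits above describe: the two configuration keys are the ones named in commit e326cd2, the token cuids and the `tuser` identity replay the reproduction steps from the report, and the class and function names (`TokenDB`, `check_multi_active_policy`, `enroll`, `reproduce_report`) are assumptions made for this example. It shows the three behaviours the thread converges on: a second brand-new token for a user who already holds an active one is refused before anything is written to the token database, the token currently being worked on is not counted against its own owner (the loophole closed by commit 6857475), and setting the relevant `allowMultiActiveTokensUser` key to true disables the check.

```python
# Added example, not Dogtag PKI code: a model of the TPS "one active token per user"
# enrollment check. Token records and configuration values below are constructed.
from dataclasses import dataclass, field

ACTIVE = "active"
UNINITIALIZED = "uninitialized"

# Configuration keys quoted from commit e326cd2; values are constructed (deny by default).
CONFIG_DENY = {
    "tokendb.nonExternalReg.allowMultiActiveTokensUser": False,
    "tokendb.enroll.externalReg.allowMultiActiveTokensUser": False,
}


@dataclass
class TokenRecord:
    cuid: str
    user_id: str
    status: str = UNINITIALIZED


@dataclass
class TokenDB:
    """Hypothetical stand-in for the TPS tokendb, keyed by cuid."""
    records: dict = field(default_factory=dict)

    def add(self, rec):
        self.records[rec.cuid] = rec

    def get(self, cuid):
        return self.records.get(cuid)

    def active_tokens(self, user_id):
        return [r for r in self.records.values()
                if r.user_id == user_id and r.status == ACTIVE]


def multi_active_allowed(config, external_reg):
    """Pick the external-reg or non-external-reg policy key; missing key means deny."""
    key = ("tokendb.enroll.externalReg.allowMultiActiveTokensUser" if external_reg
           else "tokendb.nonExternalReg.allowMultiActiveTokensUser")
    return bool(config.get(key, False))


def check_multi_active_policy(db, config, cuid, user_id, external_reg=False):
    """Return (allowed, reason). Runs before anything is written to the token db."""
    if multi_active_allowed(config, external_reg):
        return True, "policy allows multiple active tokens"
    # The token being worked on must not count against its own owner (commit 6857475).
    others = [r.cuid for r in db.active_tokens(user_id) if r.cuid != cuid]
    if others:
        return False, "user %s already has active token(s): %s" % (user_id, ", ".join(others))
    return True, "no other active token for user"


def enroll(db, config, cuid, user_id, external_reg=False):
    """Model of the enrollment path: policy check first, db write only if it passes."""
    allowed, reason = check_multi_active_policy(db, config, cuid, user_id, external_reg)
    if not allowed:
        return False, reason  # exit before the tokendb gains an uninitialized entry
    rec = db.get(cuid)
    if rec is None:
        rec = TokenRecord(cuid, user_id)  # brand-new token, first seen now
        db.add(rec)
    rec.user_id = user_id
    rec.status = ACTIVE  # enrollment succeeded in this model
    return True, reason


def reproduce_report(config=CONFIG_DENY):
    """Replay the report's steps against the model; returns (db, first, second, again)."""
    db = TokenDB()
    first = enroll(db, config, "00000000000000200000", "tuser")   # step 2
    second = enroll(db, config, "00000000000000200001", "tuser")  # step 4, must be refused
    again = enroll(db, config, "00000000000000200000", "tuser")   # same token again, must pass
    return db, first, second, again


if __name__ == "__main__":
    db, first, second, again = reproduce_report()
    for name, (ok, why) in (("first", first), ("second", second), ("again", again)):
        print(name, "ok" if ok else "refused", "-", why)
    print("token entries:", sorted(db.records))
```

Running the block replays the report: the first enrollment succeeds, the second is refused with no entry created for cuid `00000000000000200001`, and re-enrolling the original token is still allowed because it is excluded from its owner's count. Passing a config with the non-external-reg key set to `True` makes the second enrollment succeed and leaves two entries in the model database.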


pki-bot commented Oct 3, 2020

Comment from dsirrine (@dsirrine) at 2017-02-27 14:10:21

Metadata Update from @dsirrine:

  • Issue assigned to jmagne
  • Issue set to the milestone: 10.3.7
