Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch
Addressed cfu's concerns and pushed to master for cond ACK.
commit e326cd2f06bd651cdd87646eea94622e18cec28d
Closing tiecket #1664
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Monday, June 27, 2016 2:25:33 PM
Subject: Re: [Pki-devel] [pki-devel] [PATCH]
0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch
Just a few minor ones.
* configuration parameters referencing token existence in tokendb should use
names begin with "tokendb". e.g.
Done: Changed the names of the params as suggested.
tokendb.allowMultiActiveTokensPerUser.externalReg=false
tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false
* boolean allowMultiCerts -- I think the name is misleading. how about
alowMultiTokens
* existing calls to tps.tdb.tdbHasActiveToken() need to be decided:
e.g.
Both of these blocks of code I simply removed the action taken if the user has an active
token,
since they can no longer get there.
The alternate case has been left untouched.
The second occurrence is not likely to even happen since the transitions allowed
will not usually allow to go from SUSPENDED to ACTIVE anyway. Case retained as
a fallback.
1. TPSEnrollProcessor.java search for tdbHasActiveToken (first
occurrence) ,
you will find that it is called with "TODO:" comment. I believe that whole
try/catch with the tps.tdb.tdbHasActiveToken(userid); call can be removed
since you already call that earlier in your patch
2. TPSEnrollProcessor.java, the 2nd occurrence is when the enrolling token is
suspended. You need to look into what it is doing at the point and whether
that check can also be eliminated.
thanks,
Christina
On 06/24/2016 11:08 AM, John Magne wrote:
Add ability to disallow TPS to enroll a single user on multiple tokens.
This patch will install a check during the early portion of the
enrollment
process check a configurable policy whether or not a user should be
allowed
to have more that one active token.
This check will take place only for brand new tokens not seen before.
The check will prevent the enrollment to proceed and will exit before the
system
has a chance to add this new token to the TPS tokendb.
The behavior will be configurable for the the external reg and not
external reg scenarios
as follows:
op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
op.enroll.externalReg.allowMultiActiveTokensUser=false
_______________________________________________
Pki-devel mailing list Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel