From a5184f5a5b47da2ed5a71b9321173dcc69c31884 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 23 Feb 2021 10:17:56 -0500
Subject: [PATCH] Final changes that adds in the additional setting for the
 renewal period threshold.  This value indicates that if the end validity has
 been reached for the current issued attestation certificate, then don't
 generate one.  However if we are within the number of days set by the
 threshold, then generate the certificate before it expires.  The default is 1
 year from the end validity.

---
 ...stractAttestationCertificateAuthority.java | 28 ++++--
 .../portal/model/PolicyPageModel.java         | 61 +++++++++++--
 .../controllers/PolicyPageController.java     | 85 +++++++++++++++++--
 .../src/main/webapp/WEB-INF/jsp/policy.jsp    | 28 ++++--
 .../hirs/data/persist/SupplyChainPolicy.java  | 28 +++++-
 5 files changed, 204 insertions(+), 26 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index a99a1951..e49ba51e 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -1685,21 +1685,34 @@ public abstract class AbstractAttestationCertificateAuthority
                                             final Set<PlatformCredential> platformCredentials,
                                             final Device device) {
         IssuedAttestationCertificate issuedAc;
-        boolean validDate = false;
+        boolean generateCertificate = true;
         SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
+        Date currentDate = new Date();
+        int days;
         try {
             // save issued certificate
             IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
                     derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
 
-            if (scp != null && !scp.isIssueAttestationCertificate()) {
+            if (scp != null) {
                 issuedAc = IssuedAttestationCertificate.select(certificateManager)
                         .byDeviceId(device.getId()).getCertificate();
-                if (issuedAc != null) {
-                    validDate = issuedAc.isValidOn(attCert.getBeginValidity());
+
+                generateCertificate = scp.isIssueAttestationCertificate();
+                if (issuedAc != null && scp.isGenerateOnExpiration()) {
+                    if (issuedAc.getEndValidity().after(currentDate)) {
+                        // so the issued AC is expired
+                        // however are we within the threshold
+                        days = daysBetween(currentDate, issuedAc.getEndValidity());
+                        if (days < Integer.parseInt(scp.getReissueThreshold())) {
+                            generateCertificate = true;
+                        } else {
+                            generateCertificate = false;
+                        }
+                    }
                 }
             }
-            if (!validDate) {
+            if (generateCertificate) {
                 attCert.setDevice(device);
                 certificateManager.save(attCert);
             }
@@ -1710,4 +1723,9 @@ public abstract class AbstractAttestationCertificateAuthority
                             + e.getMessage(), e);
         }
     }
+
+    @SuppressWarnings("magicnumber")
+    private int daysBetween(final Date date1, final Date date2) {
+        return (int) ((date2.getTime() - date1.getTime()) / (1000 * 60 * 60 * 24));
+    }
 }
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java
index af702b82..498dff5a 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java
@@ -24,10 +24,13 @@ public class PolicyPageModel {
     private String ecValidate;
     private String fmValidate;
     private String attestationCertificateIssued;
-    private String generationExpiration;
+    private String generationExpirationOn;
     private String numOfValidDays;
+    private String reissueThreshold;
     private String ignoreIma;
     private String ignoretBoot;
+    private String expirationValue;
+    private String thresholdValue;
 
     /**
      * Constructor. Sets fields from policy.
@@ -42,8 +45,11 @@ public class PolicyPageModel {
         this.issueAttestationCertificate = policy.isIssueAttestationCertificate();
         this.generateOnExpiration = policy.isGenerateOnExpiration();
         this.numOfValidDays = policy.getValidityDays();
+        this.reissueThreshold = policy.getReissueThreshold();
         this.enableIgnoreIma = policy.isIgnoreImaEnabled();
         this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
+        this.expirationValue = policy.getValidityDays();
+        this.thresholdValue = policy.getReissueThreshold();
     }
 
     /**
@@ -172,8 +178,8 @@ public class PolicyPageModel {
      *
      * @return the model string representation of this field.
      */
-    public String getGenerationExpiration() {
-        return generationExpiration;
+    public String getGenerationExpirationOn() {
+        return generationExpirationOn;
     }
 
     /**
@@ -185,6 +191,15 @@ public class PolicyPageModel {
         return numOfValidDays;
     }
 
+    /**
+     * Gets the number of selected threshold days.
+     *
+     * @return the number of the days for reissue
+     */
+    public String getReissueThreshold() {
+        return reissueThreshold;
+    }
+
     /**
      * Gets the Ignore IMA validation value.
      *
@@ -326,11 +341,11 @@ public class PolicyPageModel {
     /**
      * Sets the generation expiration state.
      *
-     * @param generationExpiration "checked" if generating expiration is on.
+     * @param generationExpirationOn "checked" if generating expiration is on.
      */
-    public void setGenerationExpiration(
-            final String generationExpiration) {
-        this.generationExpiration = generationExpiration;
+    public void setGenerationExpirationOn(
+            final String generationExpirationOn) {
+        this.generationExpirationOn = generationExpirationOn;
     }
 
     /**
@@ -351,6 +366,38 @@ public class PolicyPageModel {
         this.ignoretBoot = ignoretBoot;
     }
 
+    /**
+     * Getter for the expiration value.
+     * @return the value
+     */
+    public String getExpirationValue() {
+        return expirationValue;
+    }
+
+    /**
+     * Setter for the expiration value.
+     * @param expirationValue string value
+     */
+    public void setExpirationValue(final String expirationValue) {
+        this.expirationValue = expirationValue;
+    }
+
+    /**
+     * Getter for the expiration value.
+     * @return the thresholdValue
+     */
+    public String getThresholdValue() {
+        return thresholdValue;
+    }
+
+    /**
+     * Setter for the expiration value.
+     * @param thresholdValue string value
+     */
+    public void setThresholdValue(final String thresholdValue) {
+        this.thresholdValue = thresholdValue;
+    }
+
     @Override
     public String toString() {
         return "PolicyPageModel{"
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java
index 1cf91c0f..a7edcc72 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java
@@ -264,10 +264,15 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         String numOfDays;
-        LOGGER.error("We got this value -> {}", ppModel.getGenerationExpiration());
-        boolean generateCertificateEnabled
-                = ppModel.getGenerationExpiration()
-                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+
+        boolean generateCertificateEnabled = false;
+        // because this is just one option, there is not 'unchecked' value, so it is either
+        // 'checked' or null
+        if (ppModel.getGenerationExpirationOn() != null) {
+            generateCertificateEnabled
+                    = ppModel.getGenerationExpirationOn()
+                    .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+        }
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -282,7 +287,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
                 }
 
                 if (generateCertificateEnabled) {
-                    numOfDays = ppModel.getNumOfValidDays();
+                    numOfDays = ppModel.getExpirationValue();
                     if (numOfDays == null) {
                         numOfDays = SupplyChainPolicy.TEN_YEARS;
                     }
@@ -309,6 +314,76 @@ public class PolicyPageController extends PageController<NoPageParams> {
         return redirectToSelf(new NoPageParams(), model, attr);
     }
 
+    /**
+     * Updates the state of the policy setting that indicates that the generation
+     * will occur in a set time frame from the end validity date and redirects
+     * back to the original page.
+     *
+     * @param ppModel The data posted by the form mapped into an object.
+     * @param attr RedirectAttributes used to forward data back to the original page.
+     * @return View containing the url and parameters
+     * @throws URISyntaxException if malformed URI
+     */
+    @RequestMapping(value = "update-threshold", method = RequestMethod.POST)
+    public RedirectView updateThresholdVal(@ModelAttribute final PolicyPageModel ppModel,
+                                          final RedirectAttributes attr)
+            throws URISyntaxException {
+
+        // set the data received to be populated back into the form
+        Map<String, Object> model = new HashMap<>();
+        PageMessages messages = new PageMessages();
+        String successMessage;
+        String threshold;
+
+        boolean generateCertificateEnabled = false;
+        // because this is just one option, there is not 'unchecked' value, so it is either
+        // 'checked' or null
+        if (ppModel.getGenerationExpirationOn() != null) {
+            generateCertificateEnabled
+                    = ppModel.getGenerationExpirationOn()
+                    .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+        }
+
+        try {
+            SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
+            boolean issuedAttestationOptionEnabled
+                    = policy.isIssueAttestationCertificate();
+
+            if (issuedAttestationOptionEnabled) {
+                if (generateCertificateEnabled) {
+                    successMessage = "Attestation Certificate generation threshold time enabled.";
+                } else {
+                    successMessage = "Attestation Certificate generation threshold time disabled.";
+                }
+
+                if (generateCertificateEnabled) {
+                    threshold = ppModel.getThresholdValue();
+                    if (threshold == null) {
+                        threshold = SupplyChainPolicy.YEAR;
+                    }
+                } else {
+                    threshold = ppModel.getReissueThreshold();
+                }
+
+                policy.setReissueThreshold(threshold);
+            } else {
+                generateCertificateEnabled = false;
+                successMessage = "Attestation Certificate generation is disabled, "
+                        + "can not set time expiration";
+            }
+
+            policy.setGenerateOnExpiration(generateCertificateEnabled);
+            savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
+        } catch (PolicyManagerException e) {
+            handlePolicyManagerUpdateError(model, messages, e,
+                    "Error changing ACA Attestation Certificate generation policy",
+                    "Error updating policy. \n" + e.getMessage());
+        }
+
+        // return the redirect
+        return redirectToSelf(new NoPageParams(), model, attr);
+    }
+
     /**
      * Updates the Endorsement Credential Validation policy setting and
      * redirects back to the original page.
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
index 49a1a564..e5f82942 100644
--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
@@ -107,7 +107,7 @@
             <%-- Generate Attestation Certificate--%>
             <div class="aca-input-box">
                 <form:form method="POST" modelAttribute="initialData" action="policy/update-issue-attestation">
-                    <li>Generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
+                    <li>Conditionally generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
                         <my:editor id="issuedCertificatePolicyEditor" label="Edit Settings">
                             <div class="radio">
                                 <label><input id="aicTop" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? '' : 'checked'} value="unchecked"/> Never generate an Attestation Certificate</label>
@@ -117,23 +117,35 @@
                             </div>
                         </my:editor>
                 </form:form>
-                <form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
                         <ul>
-                            <li> Set generate on expire time frame: ${initialData.generationExpiration ? 'Enabled' : 'Disabled'}
+                <form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
+                            <li>Attestation Certificate Validity: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
                                 <my:editor id="issuedCertificatePolicyExpirationEditor" label="Edit Settings">
                                     <div class="radio">
                                         <label>
-                                            <input id="aicBot" type="checkbox" name="generationExpiration" ${initialData.generationExpiration ? 'checked' : ''} value="checked"/>
-                                                Only Generate when current Attestation Certificate expires<br />
-                                                ** Validity period for the Attestation Certificate
-                                            <input id="validLen" type="text" name="numOfValidDays" value="3651" size="6" maxlength="6" enabled />
+                                            <input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
+                                                Attestation Certificate validity time frame (Default 3651 days)<br />
+                                                Select time frame in days: <input id="expirationValue" type="text" name="expirationValue" value="${initialData.expirationValue}" />
                                         </label>
                                     </div>
                                 </my:editor>
                             </li>
+                </form:form>
+                <form:form method="POST" modelAttribute="initialData" action="policy/update-threshold">
+                            <li>Attestation Renewal time: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
+                                <my:editor id="issuedCertificatePolicyGenerateEditor" label="Edit Settings">
+                                    <div class="radio">
+                                        <label>
+                                            <input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
+                                                Renew Attestation Certificate before expiration time frame (Default 365 days)<br />
+                                                Select time frame in days: <input id="thresholdValue" type="text" name="thresholdValue" value="${initialData.thresholdValue}" />
+                                        </label>
+                                    </div>
+                                </my:editor>
+                            </li>
+                </form:form>
                         </ul>
                     </li>
-                </form:form>
             </div>
         </ul>
     </jsp:body>
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java
index acf09f28..12e75b1a 100644
--- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java
@@ -18,7 +18,11 @@ public class SupplyChainPolicy extends Policy {
     /**
      * Number of days in 10 years.
      */
-    public static final String TEN_YEARS = "3650";
+    public static final String TEN_YEARS = "3651";
+    /**
+     * Number of days in 1 year.
+     */
+    public static final String YEAR = "365";
 
     @Column(nullable = false)
     private boolean enableEcValidation = false;
@@ -47,6 +51,9 @@ public class SupplyChainPolicy extends Policy {
     @Column(nullable = false)
     private String validityDays = TEN_YEARS;
 
+    @Column(nullable = false)
+    private String reissueThreshold = YEAR;
+
     @Column(nullable = false)
     private boolean generateOnExpiration = false;
 
@@ -291,6 +298,25 @@ public class SupplyChainPolicy extends Policy {
     public void setValidityDays(final String validityDays) {
         this.validityDays = validityDays;
     }
+
+    /**
+     * Getter for the number of days before the expiration to reissue
+     * a certificate.
+     * @return number of days
+     */
+    public String getReissueThreshold() {
+        return reissueThreshold;
+    }
+
+    /**
+     * Setter for the number of days before the expiration to reissue
+     * a certificate.
+     * @param reissueThreshold validity.
+     */
+    public void setReissueThreshold(final String reissueThreshold) {
+        this.reissueThreshold = reissueThreshold;
+    }
+
     /**
      * Getter for the state of when to generate a certificate.
      * @return true or false