Do not unarchive existing RIM bundle during provision, search for unarchived bundle with later creation date. Delete RIM files with /delete endpoint, do not archive.

Author: chubtub

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java

@@ -1,5 +1,6 @@
 package hirs.attestationca.persist.provision;
 
+import com.fasterxml.jackson.databind.ser.Serializers;
 import com.google.protobuf.ByteString;
 import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
 import hirs.attestationca.persist.entity.manager.CertificateRepository;
@@ -375,11 +376,20 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
                                         support.getHexDecHash().length() - NUM_OF_VARIABLES)));
                         support.setDeviceName(dv.getNw().getHostname());
                         this.referenceManifestRepository.save(support);
-                    } else {
-                        log.info("Client provided Support RIM already loaded in database.");
+                    } else if (support.isArchived()) {
+                        List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+                        for (ReferenceManifest rim : rims) {
+                            if (rim.isSupport() &&
+                                    rim.getTagId().equals(support.getTagId()) &&
+                                    rim.getCreateTime().after(support.getCreateTime())) {
+                                support.setDeviceName(null);
+                                support = (SupportReferenceManifest) rim;
+                                support.setDeviceName(dv.getNw().getHostname());
+                            }
+                        }
                         if (support.isArchived()) {
-                            support.restore();
-                            support.resetCreateTime();
+                            throw new Exception("Unable to locate an unarchived support RIM.");
+                        } else {
                             this.referenceManifestRepository.save(support);
                         }
                     }
@@ -408,21 +418,25 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
                                 swidFile.toByteArray());
                         dbBaseRim.setDeviceName(dv.getNw().getHostname());
                         this.referenceManifestRepository.save(dbBaseRim);
-                    } else {
-                        log.info("Client provided Base RIM already loaded in database.");
-                        /**
-                         * Leaving this as is for now, however can there be a condition
-                         * in which the provisioner sends swidtags without support rims?
-                         */
+                    } else if (dbBaseRim.isArchived()) {
+                        List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+                        for (ReferenceManifest rim : rims) {
+                            if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
+                                    rim.getCreateTime().after(dbBaseRim.getCreateTime())) {
+                                dbBaseRim.setDeviceName(null);
+                                dbBaseRim = (BaseReferenceManifest) rim;
+                                dbBaseRim.setDeviceName(dv.getNw().getHostname());
+                            }
+                        }
                         if (dbBaseRim.isArchived()) {
-                            dbBaseRim.restore();
-                            dbBaseRim.resetCreateTime();
-                            this.referenceManifestRepository.save(dbBaseRim);
+                            throw new Exception("Unable to locate an unarchived base RIM.");
                         }
                     }
                     tagId = dbBaseRim.getTagId();
                 } catch (UnmarshalException e) {
                     log.error(e);
+                } catch (Exception ex) {
+                    log.error(String.format("Failed to load base rim: %s", ex.getMessage()));
                 }
             }
         } else {

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java

@@ -66,7 +66,10 @@ public static AppraisalStatus validateFirmware(
         // In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash
         List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName);
         for (ReferenceManifest deviceRim : deviceRims) {
-            if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() && !deviceRim.isSwidPatch()) {
+            if (deviceRim instanceof BaseReferenceManifest &&
+                    !deviceRim.isSwidSupplemental() &&
+                    !deviceRim.isSwidPatch() &&
+                    !deviceRim.isArchived()) {
                 baseReferenceManifest = (BaseReferenceManifest) deviceRim;
             }
 

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java

@@ -239,9 +239,7 @@ public RedirectView delete(@RequestParam final String id,
                 messages.addError(notFoundMessage);
                 log.warn(notFoundMessage);
             } else {
-                // if support rim, update associated events
-                referenceManifest.archive();
-                referenceManifestRepository.save(referenceManifest);
+                referenceManifestRepository.delete(referenceManifest);
                 String deleteCompletedMessage = "RIM successfully deleted";
                 messages.addInfo(deleteCompletedMessage);
                 log.info(deleteCompletedMessage);