@Override public Pair<Boolean, ActionOnFailedAuthentication> authenticate(String username, String password, Long domainId, Map<String, Object[]> requestParameters) { if (s_logger.isDebugEnabled()) { s_logger.debug("Retrieving user: " + username); } if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { s_logger.debug("Username or Password cannot be empty"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } UserAccount user = _userAccountDao.getUserAccount(username, domainId); if (user == null) { s_logger.debug("Unable to find user with " + username + " in domain " + domainId); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } if (!user.getPassword().equals(password)) { s_logger.debug("Password does not match"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT); } return new Pair<Boolean, ActionOnFailedAuthentication>(true, null); }
final String timezone = userAcct.getTimezone(); float offsetInHrs = 0f; if (timezone != null) { final Account account = accountMgr.getAccount(userAcct.getAccountId()); session.setAttribute("userid", userAcct.getId()); final UserVO user = (UserVO)accountMgr.getActiveUser(userAcct.getId()); if (user.getUuid() != null) { session.setAttribute("user_UUID", user.getUuid()); session.setAttribute("username", userAcct.getUsername()); session.setAttribute("firstname", userAcct.getFirstname()); session.setAttribute("lastname", userAcct.getLastname()); session.setAttribute("accountobj", account); session.setAttribute("account", account.getAccountName()); session.setAttribute("registrationtoken", userAcct.getRegistrationToken()); session.setAttribute("registered", Boolean.toString(userAcct.isRegistered()));
@Override public void logoutUser(long userId) { UserAccount userAcct = _userAccountDao.findById(userId); if (userAcct != null) { ActionEventUtils.onActionEvent(userId, userAcct.getAccountId(), userAcct.getDomainId(), EventTypes.EVENT_USER_LOGOUT, "user has logged out"); } // else log some kind of error event? This likely means the user doesn't exist, or has been deleted... }
/** * If it fails to authenticate the user, the method gets the value from configuration * Saml2FailedLoginRedirectUrl; if the user configured an error URL then it redirects to that * URL, otherwise it throws the ServerApiException */ protected void whenFailToAuthenticateThrowExceptionOrRedirectToUrl(final Map<String, Object[]> params, final String responseType, final HttpServletResponse resp, Issuer issuer, UserAccount userAccount) throws IOException { if (userAccount == null || userAccount.getExternalEntity() == null || !samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue())) { String saml2RedirectUrl = saml2FailedLoginRedirectUrl.value(); if (StringUtils.isBlank(saml2RedirectUrl)) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator", params, responseType)); } else { resp.sendRedirect(saml2RedirectUrl); } } }
if (user.getId() == User.UID_SYSTEM) { s_logger.error("Failed to authenticate user: " + username + " in domain " + domainId); return null; if (BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(user.getUsername())) { s_logger.error("Won't authenticate user: " + username + " in domain " + domainId); return null; final Account account = getAccount(user.getAccountId()); final DomainVO domain = (DomainVO) _domainMgr.getDomain(account.getDomainId()); ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " + loginIpAddress);
if (currentUserAccount == null || currentUserAccount.getSource() != User.Source.SAML2) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Only authenticated saml users can request this API", final Domain domain = _domainDao.findByUuid(domainUuid); final UserAccount nextUserAccount = _accountService.getUserAccountById(user.getId()); if (nextUserAccount != null && !nextUserAccount.getAccountState().equals(Account.State.enabled.toString())) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "The requested user account is locked and cannot be switched to, please contact your administrator.", || !nextUserAccount.getAccountState().equals(Account.State.enabled.toString()) || !nextUserAccount.getUsername().equals(currentUserAccount.getUsername()) || !nextUserAccount.getExternalEntity().equals(currentUserAccount.getExternalEntity()) || (nextUserAccount.getDomainId() != domain.getId()) || (nextUserAccount.getSource() != User.Source.SAML2)) { throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "User account is not allowed to switch to the requested account", if (_apiServer.verifyUser(nextUserAccount.getId())) { final LoginCmdResponse loginResponse = (LoginCmdResponse) _apiServer.loginUser(session, nextUserAccount.getUsername(), nextUserAccount.getUsername() + nextUserAccount.getSource().toString(), nextUserAccount.getDomainId(), null, remoteAddress, params); SAMLUtils.setupSamlUserCookies(loginResponse, resp); resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value()); List<UserAccountVO> switchableAccounts = _userAccountDao.getAllUsersByNameAndEntity(currentUserAccount.getUsername(), currentUserAccount.getExternalEntity()); if (switchableAccounts != null && switchableAccounts.size() > 0 && currentUserId != User.UID_SYSTEM) { List<SamlUserAccountResponse> accountResponses = new ArrayList<SamlUserAccountResponse>();
User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN; for (UserAuthenticator authenticator : _userAuthenticators) { if (userSource != User.Source.UNKNOWN) { if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) { if (s_logger.isInfoEnabled()) { s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)"); if (!isInternalAccount(userAccount.getId())) { updateLoginAttempts(userAccount.getId(), 0, false); if (userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())) { if (!isInternalAccount(userAccount.getId())) { int attemptsMade = userAccount.getLoginAttempts() + 1; if (updateIncorrectLoginCount) { if (attemptsMade < _allowedLoginAttempts) { updateLoginAttempts(userAccount.getId(), attemptsMade, false); s_logger.warn("Login attempt failed. You have " + (_allowedLoginAttempts - attemptsMade) + " attempt(s) remaining"); } else { updateLoginAttempts(userAccount.getId(), _allowedLoginAttempts, true); s_logger.warn("User " + userAccount.getUsername() + " has been disabled due to multiple failed login attempts." + " Please contact admin."); s_logger.info("User " + userAccount.getUsername() + " is disabled/locked");
if (apiServer.verifyUser(userAccount.getId())) { LoginCmdResponse loginResponse = (LoginCmdResponse) apiServer.loginUser(session, userAccount.getUsername(), userAccount.getUsername() + userAccount.getSource().toString(), userAccount.getDomainId(), null, remoteAddress, params); SAMLUtils.setupSamlUserCookies(loginResponse, resp); resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
private void disableUserInCloudStack(UserAccount user) { if (user != null) { _accountManager.disableUser(user.getId()); } }
private String getSignInURL(UserAccount accountValues){ List<NameValuePair> params = new LinkedList<NameValuePair>(); params.add(new BasicNameValuePair("client_id", accountValues.getClient_id() )); params.add(new BasicNameValuePair("client_secret",accountValues.getClient_secret() )); params.add(new BasicNameValuePair("grant_type", "password")); params.add(new BasicNameValuePair("username", accountValues.getEmail() )); params.add(new BasicNameValuePair("password", accountValues.getPassword() )); String paramString = URLEncodedUtils.format(params, "utf-8"); return this.baseUrl+"?"+paramString; }
@Override public Pair<Boolean, ActionOnFailedAuthentication> authenticate(String username, String password, Long domainId, Map<String, Object[]> requestParameters) { if (s_logger.isDebugEnabled()) { s_logger.debug("Trying SAML2 auth for user: " + username); } if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { s_logger.debug("Username or Password cannot be empty"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } final UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId); if (userAccount == null || userAccount.getSource() != User.Source.SAML2) { s_logger.debug("Unable to find user with " + username + " in domain " + domainId + ", or user source is not SAML2"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } else { User user = _userDao.getUser(userAccount.getId()); if (user != null && user.getSource() == User.Source.SAML2 && user.getExternalEntity() != null) { return new Pair<Boolean, ActionOnFailedAuthentication>(true, null); } } // Deny all by default return new Pair<Boolean, ActionOnFailedAuthentication>(false, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT); }
@Override public AccountResponse createUserAccountResponse(ResponseView view, UserAccount user) { return ApiDBUtils.newAccountResponse(view, ApiDBUtils.findAccountViewById(user.getAccountId())); }
if (userAccount != null && User.Source.SAML2 == userAccount.getSource()) { throw new CloudAuthenticationException("User is not allowed CloudStack login");
logAndDisable(userAccount, "attempt to log on using disabled ldap user " + userAccount.getUsername(), false); } else if(mappedGroups.size() > 1) { logAndDisable(userAccount, "user '" + username + "' is mapped to more then one account in domain and will be disabled.", false); } else { if(userAccount.getAccountId() != mapping.getAccountId()) { _accountManager.moveUser(userAccount.getId(),userAccount.getDomainId(),mapping.getAccountId());
private void removeUserInCloudStack(UserAccount user) { if (user != null) { _accountManager.disableUser(user.getId()); } }
@Override public Map<String, String> getKeys(GetUserKeysCmd cmd) { final long userId = cmd.getID(); User user = getActiveUser(userId); if (user == null) { throw new InvalidParameterValueException("Unable to find user by id"); } final ControlledEntity account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user. checkAccess(CallContext.current().getCallingUser(), account); Map<String, String> keys = new HashMap<String, String>(); keys.put("apikey", user.getApiKey()); keys.put("secretkey", user.getSecretKey()); return keys; }
@Override public Pair<Boolean, ActionOnFailedAuthentication> authenticate(String username, String password, Long domainId, Map<String, Object[]> requestParameters) { if (s_logger.isDebugEnabled()) { s_logger.debug("Retrieving user: " + username); } if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { s_logger.debug("Username or Password cannot be empty"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } UserAccount user = _userAccountDao.getUserAccount(username, domainId); if (user == null) { s_logger.debug("Unable to find user with " + username + " in domain " + domainId); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } if (!user.getPassword().equals(encode(password))) { s_logger.debug("Password does not match"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT); } return new Pair<Boolean, ActionOnFailedAuthentication>(true, null); }
@Override public UserAccountJoinVO newUserView(UserAccount usr) { SearchCriteria<UserAccountJoinVO> sc = vrIdSearch.create(); sc.setParameters("id", usr.getId()); List<UserAccountJoinVO> users = searchIncludingRemoved(sc, null, null, false); assert users != null && users.size() == 1 : "No user found for user id " + usr.getId(); return users.get(0); }
@Override public void execute() { // Check permissions UserAccount userAccount = _accountService.getUserAccountById(getId()); if (userAccount == null) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR , "Unable to find a user account with the given ID"); } Domain domain = _domainService.getDomain(userAccount.getDomainId()); Account account = _accountService.getAccount(userAccount.getAccountId()); _accountService.checkAccess(CallContext.current().getCallingAccount(), domain); _accountService.checkAccess(CallContext.current().getCallingAccount(), SecurityChecker.AccessType.OperateEntry, true, account); CallContext.current().setEventDetails("UserId: " + getId()); SuccessResponse response = new SuccessResponse(); Boolean status = false; if (_samlAuthManager.authorizeUser(getId(), getEntityId(), getEnable())) { status = true; } response.setResponseName(getCommandName()); response.setSuccess(status); setResponseObject(response); } }