@Override
  public void execute() {
    // Check permissions
    UserAccount userAccount = _accountService.getUserAccountById(getId());
    if (userAccount == null) {
      throw new ServerApiException(
          ApiErrorCode.ACCOUNT_ERROR, "Unable to find a user account with the given ID");
    }
    Domain domain = _domainService.getDomain(userAccount.getDomainId());
    Account account = _accountService.getAccount(userAccount.getAccountId());
    _accountService.checkAccess(CallContext.current().getCallingAccount(), domain);
    _accountService.checkAccess(
        CallContext.current().getCallingAccount(),
        SecurityChecker.AccessType.OperateEntry,
        true,
        account);

    CallContext.current().setEventDetails("UserId: " + getId());
    SuccessResponse response = new SuccessResponse();
    Boolean status = false;

    if (_samlAuthManager.authorizeUser(getId(), getEntityId(), getEnable())) {
      status = true;
    }
    response.setResponseName(getCommandName());
    response.setSuccess(status);
    setResponseObject(response);
  }
  @Override
  public Pair<Boolean, ActionOnFailedAuthentication> authenticate(
      String username, String password, Long domainId, Map<String, Object[]> requestParameters) {
    if (s_logger.isDebugEnabled()) {
      s_logger.debug("Trying SAML2 auth for user: "******"Username or Password cannot be empty");
      return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
    }

    final UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
    if (userAccount == null || userAccount.getSource() != User.Source.SAML2) {
      s_logger.debug(
          "Unable to find user with "
              + username
              + " in domain "
              + domainId
              + ", or user source is not SAML2");
      return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
    } else {
      User user = _userDao.getUser(userAccount.getId());
      if (user != null
          && user.getSource() == User.Source.SAML2
          && user.getExternalEntity() != null) {
        return new Pair<Boolean, ActionOnFailedAuthentication>(true, null);
      }
    }
    // Deny all by default
    return new Pair<Boolean, ActionOnFailedAuthentication>(
        false, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
  }
Example #3
0
  @Override
  public void loginUser(
      HttpSession session,
      String username,
      String password,
      Long domainId,
      String domainPath,
      String loginIpAddress,
      Map<String, Object[]> requestParameters)
      throws CloudAuthenticationException {
    // We will always use domainId first. If that does not exist, we will use domain name. If THAT
    // doesn't exist
    // we will default to ROOT
    if (domainId == null) {
      if (domainPath == null || domainPath.trim().length() == 0) {
        domainId = Domain.ROOT_DOMAIN;
      } else {
        Domain domainObj = _domainMgr.findDomainByPath(domainPath);
        if (domainObj != null) {
          domainId = domainObj.getId();
        } else { // if an unknown path is passed in, fail the login call
          throw new CloudAuthenticationException(
              "Unable to find the domain from the path " + domainPath);
        }
      }
    }

    UserAccount userAcct =
        _accountMgr.authenticateUser(
            username, password, domainId, loginIpAddress, requestParameters);
    if (userAcct != null) {
      String timezone = userAcct.getTimezone();
      float offsetInHrs = 0f;
      if (timezone != null) {
        TimeZone t = TimeZone.getTimeZone(timezone);
        s_logger.info("Current user logged in under " + timezone + " timezone");

        java.util.Date date = new java.util.Date();
        long longDate = date.getTime();
        float offsetInMs = (t.getOffset(longDate));
        offsetInHrs = offsetInMs / (1000 * 60 * 60);
        s_logger.info("Timezone offset from UTC is: " + offsetInHrs);
      }

      Account account = _accountMgr.getAccount(userAcct.getAccountId());

      // set the userId and account object for everyone
      session.setAttribute("userid", userAcct.getId());
      UserVO user = (UserVO) _accountMgr.getActiveUser(userAcct.getId());
      if (user.getUuid() != null) {
        session.setAttribute("user_UUID", user.getUuid());
      }

      session.setAttribute("username", userAcct.getUsername());
      session.setAttribute("firstname", userAcct.getFirstname());
      session.setAttribute("lastname", userAcct.getLastname());
      session.setAttribute("accountobj", account);
      session.setAttribute("account", account.getAccountName());

      session.setAttribute("domainid", account.getDomainId());
      DomainVO domain = (DomainVO) _domainMgr.getDomain(account.getDomainId());
      if (domain.getUuid() != null) {
        session.setAttribute("domain_UUID", domain.getUuid());
      }

      session.setAttribute("type", Short.valueOf(account.getType()).toString());
      session.setAttribute("registrationtoken", userAcct.getRegistrationToken());
      session.setAttribute("registered", new Boolean(userAcct.isRegistered()).toString());

      if (timezone != null) {
        session.setAttribute("timezone", timezone);
        session.setAttribute("timezoneoffset", Float.valueOf(offsetInHrs).toString());
      }

      // (bug 5483) generate a session key that the user must submit on every request to prevent
      // CSRF, add that
      // to the login response so that session-based authenticators know to send the key back
      SecureRandom sesssionKeyRandom = new SecureRandom();
      byte sessionKeyBytes[] = new byte[20];
      sesssionKeyRandom.nextBytes(sessionKeyBytes);
      String sessionKey = Base64.encodeBase64String(sessionKeyBytes);
      session.setAttribute("sessionkey", sessionKey);

      return;
    }
    throw new CloudAuthenticationException(
        "Failed to authenticate user "
            + username
            + " in domain "
            + domainId
            + "; please provide valid credentials");
  }
 private void createCloudstackUserAccount(LdapUser user, String accountName, Domain domain) {
   Account account = _accountService.getActiveAccountByName(accountName, domain.getId());
   if (account == null) {
     s_logger.debug(
         "No account exists with name: "
             + accountName
             + " creating the account and an user with name: "
             + user.getUsername()
             + " in the account");
     _accountService.createUserAccount(
         user.getUsername(),
         generatePassword(),
         user.getFirstname(),
         user.getLastname(),
         user.getEmail(),
         timezone,
         accountName,
         accountType,
         domain.getId(),
         domain.getNetworkDomain(),
         details,
         UUID.randomUUID().toString(),
         UUID.randomUUID().toString(),
         User.Source.LDAP);
   } else {
     //            check if the user exists. if yes, call update
     UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId());
     if (csuser == null) {
       s_logger.debug(
           "No user exists with name: "
               + user.getUsername()
               + " creating a user in the account: "
               + accountName);
       _accountService.createUser(
           user.getUsername(),
           generatePassword(),
           user.getFirstname(),
           user.getLastname(),
           user.getEmail(),
           timezone,
           accountName,
           domain.getId(),
           UUID.randomUUID().toString(),
           User.Source.LDAP);
     } else {
       s_logger.debug(
           "account with name: "
               + accountName
               + " exist and user with name: "
               + user.getUsername()
               + " exists in the account. Updating the account.");
       _accountService.updateUser(
           csuser.getId(),
           user.getFirstname(),
           user.getLastname(),
           user.getEmail(),
           null,
           null,
           null,
           null,
           null);
     }
   }
 }