@Override
public void execute() {
// Check permissions
UserAccount userAccount = _accountService.getUserAccountById(getId());
if (userAccount == null) {
throw new ServerApiException(
ApiErrorCode.ACCOUNT_ERROR, "Unable to find a user account with the given ID");
}
Domain domain = _domainService.getDomain(userAccount.getDomainId());
Account account = _accountService.getAccount(userAccount.getAccountId());
_accountService.checkAccess(CallContext.current().getCallingAccount(), domain);
_accountService.checkAccess(
CallContext.current().getCallingAccount(),
SecurityChecker.AccessType.OperateEntry,
true,
account);
CallContext.current().setEventDetails("UserId: " + getId());
SuccessResponse response = new SuccessResponse();
Boolean status = false;
if (_samlAuthManager.authorizeUser(getId(), getEntityId(), getEnable())) {
status = true;
}
response.setResponseName(getCommandName());
response.setSuccess(status);
setResponseObject(response);
}
@Override
public Pair<Boolean, ActionOnFailedAuthentication> authenticate(
String username, String password, Long domainId, Map<String, Object[]> requestParameters) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Trying SAML2 auth for user: "******"Username or Password cannot be empty");
return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
}
final UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
if (userAccount == null || userAccount.getSource() != User.Source.SAML2) {
s_logger.debug(
"Unable to find user with "
+ username
+ " in domain "
+ domainId
+ ", or user source is not SAML2");
return new Pair<Boolean, ActionOnFailedAuthentication>(false, null);
} else {
User user = _userDao.getUser(userAccount.getId());
if (user != null
&& user.getSource() == User.Source.SAML2
&& user.getExternalEntity() != null) {
return new Pair<Boolean, ActionOnFailedAuthentication>(true, null);
}
}
// Deny all by default
return new Pair<Boolean, ActionOnFailedAuthentication>(
false, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
}
@Override
public void loginUser(
HttpSession session,
String username,
String password,
Long domainId,
String domainPath,
String loginIpAddress,
Map<String, Object[]> requestParameters)
throws CloudAuthenticationException {
// We will always use domainId first. If that does not exist, we will use domain name. If THAT
// doesn't exist
// we will default to ROOT
if (domainId == null) {
if (domainPath == null || domainPath.trim().length() == 0) {
domainId = Domain.ROOT_DOMAIN;
} else {
Domain domainObj = _domainMgr.findDomainByPath(domainPath);
if (domainObj != null) {
domainId = domainObj.getId();
} else { // if an unknown path is passed in, fail the login call
throw new CloudAuthenticationException(
"Unable to find the domain from the path " + domainPath);
}
}
}
UserAccount userAcct =
_accountMgr.authenticateUser(
username, password, domainId, loginIpAddress, requestParameters);
if (userAcct != null) {
String timezone = userAcct.getTimezone();
float offsetInHrs = 0f;
if (timezone != null) {
TimeZone t = TimeZone.getTimeZone(timezone);
s_logger.info("Current user logged in under " + timezone + " timezone");
java.util.Date date = new java.util.Date();
long longDate = date.getTime();
float offsetInMs = (t.getOffset(longDate));
offsetInHrs = offsetInMs / (1000 * 60 * 60);
s_logger.info("Timezone offset from UTC is: " + offsetInHrs);
}
Account account = _accountMgr.getAccount(userAcct.getAccountId());
// set the userId and account object for everyone
session.setAttribute("userid", userAcct.getId());
UserVO user = (UserVO) _accountMgr.getActiveUser(userAcct.getId());
if (user.getUuid() != null) {
session.setAttribute("user_UUID", user.getUuid());
}
session.setAttribute("username", userAcct.getUsername());
session.setAttribute("firstname", userAcct.getFirstname());
session.setAttribute("lastname", userAcct.getLastname());
session.setAttribute("accountobj", account);
session.setAttribute("account", account.getAccountName());
session.setAttribute("domainid", account.getDomainId());
DomainVO domain = (DomainVO) _domainMgr.getDomain(account.getDomainId());
if (domain.getUuid() != null) {
session.setAttribute("domain_UUID", domain.getUuid());
}
session.setAttribute("type", Short.valueOf(account.getType()).toString());
session.setAttribute("registrationtoken", userAcct.getRegistrationToken());
session.setAttribute("registered", new Boolean(userAcct.isRegistered()).toString());
if (timezone != null) {
session.setAttribute("timezone", timezone);
session.setAttribute("timezoneoffset", Float.valueOf(offsetInHrs).toString());
}
// (bug 5483) generate a session key that the user must submit on every request to prevent
// CSRF, add that
// to the login response so that session-based authenticators know to send the key back
SecureRandom sesssionKeyRandom = new SecureRandom();
byte sessionKeyBytes[] = new byte[20];
sesssionKeyRandom.nextBytes(sessionKeyBytes);
String sessionKey = Base64.encodeBase64String(sessionKeyBytes);
session.setAttribute("sessionkey", sessionKey);
return;
}
throw new CloudAuthenticationException(
"Failed to authenticate user "
+ username
+ " in domain "
+ domainId
+ "; please provide valid credentials");
}
private void createCloudstackUserAccount(LdapUser user, String accountName, Domain domain) {
Account account = _accountService.getActiveAccountByName(accountName, domain.getId());
if (account == null) {
s_logger.debug(
"No account exists with name: "
+ accountName
+ " creating the account and an user with name: "
+ user.getUsername()
+ " in the account");
_accountService.createUserAccount(
user.getUsername(),
generatePassword(),
user.getFirstname(),
user.getLastname(),
user.getEmail(),
timezone,
accountName,
accountType,
domain.getId(),
domain.getNetworkDomain(),
details,
UUID.randomUUID().toString(),
UUID.randomUUID().toString(),
User.Source.LDAP);
} else {
// check if the user exists. if yes, call update
UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId());
if (csuser == null) {
s_logger.debug(
"No user exists with name: "
+ user.getUsername()
+ " creating a user in the account: "
+ accountName);
_accountService.createUser(
user.getUsername(),
generatePassword(),
user.getFirstname(),
user.getLastname(),
user.getEmail(),
timezone,
accountName,
domain.getId(),
UUID.randomUUID().toString(),
User.Source.LDAP);
} else {
s_logger.debug(
"account with name: "
+ accountName
+ " exist and user with name: "
+ user.getUsername()
+ " exists in the account. Updating the account.");
_accountService.updateUser(
csuser.getId(),
user.getFirstname(),
user.getLastname(),
user.getEmail(),
null,
null,
null,
null,
null);
}
}
}