Search in sources :

Example 11 with CloudAuthenticationException

use of com.cloud.exception.CloudAuthenticationException in project cloudstack by apache.

the class ListAndSwitchSAMLAccountCmd method authenticate.

@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, InetAddress remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    if (session == null || session.isNew()) {
        throw new ServerApiException(ApiErrorCode.UNAUTHORIZED, _apiServer.getSerializedApiError(ApiErrorCode.UNAUTHORIZED.getHttpCode(), "Only authenticated saml users can request this API", params, responseType));
    }
    if (!HttpUtils.validateSessionKey(session, params, req.getCookies(), ApiConstants.SESSIONKEY)) {
        throw new ServerApiException(ApiErrorCode.UNAUTHORIZED, _apiServer.getSerializedApiError(ApiErrorCode.UNAUTHORIZED.getHttpCode(), "Unauthorized session, please re-login", params, responseType));
    }
    final long currentUserId = (Long) session.getAttribute("userid");
    final UserAccount currentUserAccount = _accountService.getUserAccountById(currentUserId);
    if (currentUserAccount == null || currentUserAccount.getSource() != User.Source.SAML2) {
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Only authenticated saml users can request this API", params, responseType));
    }
    String userUuid = null;
    String domainUuid = null;
    if (params.containsKey(ApiConstants.USER_ID)) {
        userUuid = ((String[]) params.get(ApiConstants.USER_ID))[0];
    }
    if (params.containsKey(ApiConstants.DOMAIN_ID)) {
        domainUuid = ((String[]) params.get(ApiConstants.DOMAIN_ID))[0];
    }
    if (userUuid != null && domainUuid != null) {
        final User user = _userDao.findByUuid(userUuid);
        final Domain domain = _domainDao.findByUuid(domainUuid);
        final UserAccount nextUserAccount = _accountService.getUserAccountById(user.getId());
        if (nextUserAccount != null && !nextUserAccount.getAccountState().equals(Account.State.enabled.toString())) {
            throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "The requested user account is locked and cannot be switched to, please contact your administrator.", params, responseType));
        }
        if (nextUserAccount == null || !nextUserAccount.getAccountState().equals(Account.State.enabled.toString()) || !nextUserAccount.getUsername().equals(currentUserAccount.getUsername()) || !nextUserAccount.getExternalEntity().equals(currentUserAccount.getExternalEntity()) || (nextUserAccount.getDomainId() != domain.getId()) || (nextUserAccount.getSource() != User.Source.SAML2)) {
            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "User account is not allowed to switch to the requested account", params, responseType));
        }
        try {
            if (_apiServer.verifyUser(nextUserAccount.getId())) {
                final LoginCmdResponse loginResponse = (LoginCmdResponse) _apiServer.loginUser(session, nextUserAccount.getUsername(), nextUserAccount.getUsername() + nextUserAccount.getSource().toString(), nextUserAccount.getDomainId(), null, remoteAddress, params);
                SAMLUtils.setupSamlUserCookies(loginResponse, resp);
                resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
                return ApiResponseSerializer.toSerializedString(loginResponse, responseType);
            }
        } catch (CloudAuthenticationException | IOException exception) {
            s_logger.debug("Failed to switch to request SAML user account due to: " + exception.getMessage());
        }
    } else {
        List<UserAccountVO> switchableAccounts = _userAccountDao.getAllUsersByNameAndEntity(currentUserAccount.getUsername(), currentUserAccount.getExternalEntity());
        if (switchableAccounts != null && switchableAccounts.size() > 0 && currentUserId != User.UID_SYSTEM) {
            List<SamlUserAccountResponse> accountResponses = new ArrayList<SamlUserAccountResponse>();
            for (UserAccountVO userAccount : switchableAccounts) {
                User user = _userDao.getUser(userAccount.getId());
                Domain domain = _domainService.getDomain(userAccount.getDomainId());
                SamlUserAccountResponse accountResponse = new SamlUserAccountResponse();
                accountResponse.setUserId(user.getUuid());
                accountResponse.setUserName(user.getUsername());
                accountResponse.setDomainId(domain.getUuid());
                accountResponse.setDomainName(domain.getName());
                accountResponse.setAccountName(userAccount.getAccountName());
                accountResponse.setIdpId(user.getExternalEntity());
                accountResponses.add(accountResponse);
            }
            ListResponse<SamlUserAccountResponse> response = new ListResponse<SamlUserAccountResponse>();
            response.setResponses(accountResponses);
            response.setResponseName(getCommandName());
            return ApiResponseSerializer.toSerializedString(response, responseType);
        }
    }
    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Unable to switch to requested SAML account. Please make sure your user/account is enabled. Please contact your administrator.", params, responseType));
}
Also used : User(com.cloud.user.User) ListResponse(org.apache.cloudstack.api.response.ListResponse) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException) SamlUserAccountResponse(org.apache.cloudstack.api.response.SamlUserAccountResponse) ArrayList(java.util.ArrayList) IOException(java.io.IOException) UserAccountVO(com.cloud.user.UserAccountVO) ServerApiException(org.apache.cloudstack.api.ServerApiException) Domain(com.cloud.domain.Domain) UserAccount(com.cloud.user.UserAccount) LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse)

Example 12 with CloudAuthenticationException

use of com.cloud.exception.CloudAuthenticationException in project cloudstack by apache.

the class CallContext method register.

public static CallContext register(long callingUserId, long callingAccountId, String contextId) throws CloudAuthenticationException {
    Account account = s_entityMgr.findById(Account.class, callingAccountId);
    if (account == null) {
        throw new CloudAuthenticationException("The account is no longer current.").add(Account.class, Long.toString(callingAccountId));
    }
    User user = s_entityMgr.findById(User.class, callingUserId);
    if (user == null) {
        throw new CloudAuthenticationException("The user is no longer current.").add(User.class, Long.toString(callingUserId));
    }
    return register(user, account, contextId);
}
Also used : Account(com.cloud.user.Account) User(com.cloud.user.User) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException)

Example 13 with CloudAuthenticationException

use of com.cloud.exception.CloudAuthenticationException in project cloudstack by apache.

the class LogContext method register.

public static LogContext register(String callingUserUuid, String callingAccountUuid) {
    Account account = s_entityMgr.findByUuid(Account.class, callingAccountUuid);
    if (account == null) {
        throw new CloudAuthenticationException("The account is no longer current.").add(Account.class, callingAccountUuid);
    }
    User user = s_entityMgr.findByUuid(User.class, callingUserUuid);
    if (user == null) {
        throw new CloudAuthenticationException("The user is no longer current.").add(User.class, callingUserUuid);
    }
    return register(user, account);
}
Also used : Account(com.cloud.user.Account) User(com.cloud.user.User) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException)

Example 14 with CloudAuthenticationException

use of com.cloud.exception.CloudAuthenticationException in project cloudstack by apache.

the class LogContext method register.

public static LogContext register(long callingUserId, long callingAccountId, String contextId) throws CloudAuthenticationException {
    Account account = s_entityMgr.findById(Account.class, callingAccountId);
    if (account == null) {
        throw new CloudAuthenticationException("The account is no longer current.").add(Account.class, Long.toString(callingAccountId));
    }
    User user = s_entityMgr.findById(User.class, callingUserId);
    if (user == null) {
        throw new CloudAuthenticationException("The user is no longer current.").add(User.class, Long.toString(callingUserId));
    }
    return register(user, account, contextId);
}
Also used : Account(com.cloud.user.Account) User(com.cloud.user.User) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException)

Aggregations

CloudAuthenticationException (com.cloud.exception.CloudAuthenticationException)14 Account (com.cloud.user.Account)10 User (com.cloud.user.User)7 Domain (com.cloud.domain.Domain)4 DomainVO (com.cloud.domain.DomainVO)4 UserAccount (com.cloud.user.UserAccount)4 TemplateFilter (com.cloud.template.VirtualMachineTemplate.TemplateFilter)3 Filter (com.cloud.utils.db.Filter)3 ArrayList (java.util.ArrayList)3 ServerApiException (org.apache.cloudstack.api.ServerApiException)3 InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)2 PermissionDeniedException (com.cloud.exception.PermissionDeniedException)2 UserAccountVO (com.cloud.user.UserAccountVO)2 IOException (java.io.IOException)2 HashSet (java.util.HashSet)2 List (java.util.List)2 LoginCmdResponse (org.apache.cloudstack.api.response.LoginCmdResponse)2 DataCenterJoinVO (com.cloud.api.query.vo.DataCenterJoinVO)1 DiskOfferingJoinVO (com.cloud.api.query.vo.DiskOfferingJoinVO)1 ServiceOfferingJoinVO (com.cloud.api.query.vo.ServiceOfferingJoinVO)1