Example 11 with CloudAuthenticationException
use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.
the class AccountManagerImpl method getUserAccount.
private UserAccount getUserAccount(final String username, final String password, final Long domainId, final Map<String, Object[]> requestParameters) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Attempting to log in user: " + username + " in domain " + domainId);
}
UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
boolean authenticated = false;
final HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = new HashSet<>();
final User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
for (final UserAuthenticator authenticator : _userAuthenticators) {
if (userSource != User.Source.UNKNOWN) {
if (!authenticator.getName().equalsIgnoreCase(userSource.name())) {
continue;
}
}
final Pair<Boolean, ActionOnFailedAuthentication> result = authenticator.authenticate(username, password, domainId, requestParameters);
if (result.first()) {
authenticated = true;
break;
} else if (result.second() != null) {
actionsOnFailedAuthenticaion.add(result.second());
}
}
final boolean updateIncorrectLoginCount = actionsOnFailedAuthenticaion.contains(ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
if (authenticated) {
final Domain domain = _domainMgr.getDomain(domainId);
String domainName = null;
if (domain != null) {
domainName = domain.getName();
}
userAccount = _userAccountDao.getUserAccount(username, domainId);
if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
if (s_logger.isInfoEnabled()) {
s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)");
}
throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the " + "administrator.");
}
// Whenever the user is able to log in successfully, reset the login attempts to zero
if (!isInternalAccount(userAccount.getId())) {
updateLoginAttempts(userAccount.getId(), 0, false);
}
return userAccount;
} else {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Unable to authenticate user with username " + username + " in domain " + domainId);
}
if (userAccount == null) {
s_logger.warn("Unable to find an user with username " + username + " in domain " + domainId);
return null;
}
if (userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())) {
if (!isInternalAccount(userAccount.getId())) {
// Internal accounts are not disabled
final int attemptsMade = userAccount.getLoginAttempts() + 1;
if (updateIncorrectLoginCount) {
if (attemptsMade < _allowedLoginAttempts) {
updateLoginAttempts(userAccount.getId(), attemptsMade, false);
s_logger.warn("Login attempt failed. You have " + (_allowedLoginAttempts - attemptsMade) + " attempt(s) remaining");
} else {
updateLoginAttempts(userAccount.getId(), _allowedLoginAttempts, true);
s_logger.warn("User " + userAccount.getUsername() + " has been disabled due to multiple failed login attempts." + " Please contact admin.");
}
}
}
} else {
s_logger.info("User " + userAccount.getUsername() + " is disabled/locked");
}
return null;
}
}
Also used :
User(com.cloud.legacymodel.user.User)
CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException)
UserAuthenticator(com.cloud.server.auth.UserAuthenticator)
ActionOnFailedAuthentication(com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication)
Domain(com.cloud.legacymodel.domain.Domain)
UserAccount(com.cloud.legacymodel.user.UserAccount)
HashSet(java.util.HashSet)
Example 12 with CloudAuthenticationException
use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method searchForDiskOfferingsInternal.
private Pair<List<DiskOfferingJoinVO>, Integer> searchForDiskOfferingsInternal(final ListDiskOfferingsCmd cmd) {
// Note
// The list method for offerings is being modified in accordance with
// discussion with Will/Kevin
// For now, we will be listing the following based on the usertype
// 1. For root, we will list all offerings
// 2. For domainAdmin and regular users, we will list everything in
// their domains+parent domains ... all the way
// till
// root
Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
isAscending = isAscending == null ? true : isAscending;
final Filter searchFilter = new Filter(DiskOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
final SearchCriteria<DiskOfferingJoinVO> sc = _diskOfferingJoinDao.createSearchCriteria();
sc.addAnd("type", Op.EQ, DiskOfferingVO.Type.Disk);
final Account account = CallContext.current().getCallingAccount();
final Object name = cmd.getDiskOfferingName();
final Object id = cmd.getId();
final Object keyword = cmd.getKeyword();
final Long domainId = cmd.getDomainId();
final Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId());
final Boolean isRecursive = cmd.isRecursive();
// associated with this domain
if (domainId != null) {
if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
// check if the user's domain == do's domain || user's domain is
// a child of so's domain for non-root users
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
if (!isRootAdmin) {
sc.addAnd("displayOffering", SearchCriteria.Op.EQ, 1);
}
return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
} else {
throw new PermissionDeniedException("The account:" + account.getAccountName() + " does not fall in the same domain hierarchy as the disk offering");
}
}
final List<Long> domainIds;
// and everything above till root
if (_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
if (isRecursive) {
// domain + all sub-domains
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list disk offerings with isrecursive=true");
}
final DomainVO domainRecord = _domainDao.findById(account.getDomainId());
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
} else {
// domain + all ancestors
// find all domain Id up to root domain for this account
domainIds = new ArrayList<>();
DomainVO domainRecord = _domainDao.findById(account.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for account:" + account.getAccountName());
throw new CloudAuthenticationException("Could not find the domainId for account:" + account.getAccountName());
}
domainIds.add(domainRecord.getId());
while (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
domainIds.add(domainRecord.getId());
}
final SearchCriteria<DiskOfferingJoinVO> spc = _diskOfferingJoinDao.createSearchCriteria();
spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
// include public offering as where
spc.addOr("domainId", SearchCriteria.Op.NULL);
sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
// non-root users should not see system offering at all
sc.addAnd("systemUse", SearchCriteria.Op.EQ, false);
}
}
if (keyword != null) {
final SearchCriteria<DiskOfferingJoinVO> ssc = _diskOfferingJoinDao.createSearchCriteria();
ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("name", SearchCriteria.Op.SC, ssc);
}
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
}
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
}
return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
}
Also used :
Account(com.cloud.legacymodel.user.Account)
CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException)
DiskOfferingJoinVO(com.cloud.api.query.vo.DiskOfferingJoinVO)
DomainVO(com.cloud.domain.DomainVO)
Filter(com.cloud.utils.db.Filter)
TemplateFilter(com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Example 13 with CloudAuthenticationException
use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.
the class QueryManagerImpl method searchForServiceOfferingsInternal.
private Pair<List<ServiceOfferingJoinVO>, Integer> searchForServiceOfferingsInternal(final ListServiceOfferingsCmd cmd) {
// Note
// The filteredOfferings method for offerings is being modified in accordance with
// discussion with Will/Kevin
// For now, we will be listing the following based on the usertype
// 1. For root, we will filteredOfferings all offerings
// 2. For domainAdmin and regular users, we will filteredOfferings everything in
// their domains+parent domains ... all the way
// till
// root
Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
isAscending = isAscending == null ? true : isAscending;
final Filter searchFilter = new Filter(ServiceOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
final Account caller = CallContext.current().getCallingAccount();
final Object name = cmd.getServiceOfferingName();
final Object id = cmd.getId();
final Object keyword = cmd.getKeyword();
final Long vmId = cmd.getVirtualMachineId();
final Long domainId = cmd.getDomainId();
final Boolean isSystem = cmd.getIsSystem();
final String vmTypeStr = cmd.getSystemVmType();
final ServiceOfferingVO currentVmOffering;
final Boolean isRecursive = cmd.isRecursive();
final SearchCriteria<ServiceOfferingJoinVO> sc = _srvOfferingJoinDao.createSearchCriteria();
if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) {
throw new InvalidParameterValueException("Only ROOT admins can access system's offering");
}
// domain
if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
// child of so's domain
if (!isPermissible(caller.getDomainId(), domainId)) {
throw new PermissionDeniedException("The account:" + caller.getAccountName() + " does not fall in the same domain hierarchy as the service offering");
}
}
if (vmId != null) {
final VMInstanceVO vmInstance = _vmInstanceDao.findById(vmId);
if (vmInstance == null || vmInstance.getRemoved() != null) {
final InvalidParameterValueException ex = new InvalidParameterValueException("unable to find a virtual machine with specified id");
ex.addProxyObject(vmId.toString(), "vmId");
throw ex;
}
_accountMgr.checkAccess(caller, null, true, vmInstance);
currentVmOffering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, currentVmOffering.getId());
// 1. Only return offerings with the same storage type
sc.addAnd("useLocalStorage", SearchCriteria.Op.EQ, currentVmOffering.getUseLocalStorage());
// 2.In case vm is running return only offerings greater than equal to current offering compute.
if (vmInstance.getState() == VirtualMachine.State.Running) {
sc.addAnd("cpu", Op.GTEQ, currentVmOffering.getCpu());
sc.addAnd("ramSize", Op.GTEQ, currentVmOffering.getRamSize());
}
}
// boolean includePublicOfferings = false;
if (_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// For non-root users.
if (isSystem) {
throw new InvalidParameterValueException("Only root admins can access system's offering");
}
if (isRecursive) {
// domain + all sub-domains
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list service offerings with isrecursive=true");
}
final DomainVO domainRecord = _domainDao.findById(caller.getDomainId());
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
} else {
// domain + all ancestors
// find all domain Id up to root domain for this account
final List<Long> domainIds = new ArrayList<>();
DomainVO domainRecord;
if (vmId != null) {
final UserVmVO vmInstance = _userVmDao.findById(vmId);
domainRecord = _domainDao.findById(vmInstance.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for vmId:" + vmId);
throw new CloudAuthenticationException("Could not find the domainId for vmId:" + vmId);
}
} else {
domainRecord = _domainDao.findById(caller.getDomainId());
if (domainRecord == null) {
s_logger.error("Could not find the domainId for account:" + caller.getAccountName());
throw new CloudAuthenticationException("Could not find the domainId for account:" + caller.getAccountName());
}
}
domainIds.add(domainRecord.getId());
while (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
domainIds.add(domainRecord.getId());
}
final SearchCriteria<ServiceOfferingJoinVO> spc = _srvOfferingJoinDao.createSearchCriteria();
spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
// include public offering as well
spc.addOr("domainId", SearchCriteria.Op.NULL);
sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
}
} else {
// for root users
if (caller.getDomainId() != 1 && isSystem) {
// NON ROOT admin
throw new InvalidParameterValueException("Non ROOT admins cannot access system's offering");
}
if (domainId != null) {
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
}
}
if (keyword != null) {
final SearchCriteria<ServiceOfferingJoinVO> ssc = _srvOfferingJoinDao.createSearchCriteria();
ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
sc.addAnd("name", SearchCriteria.Op.SC, ssc);
}
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
}
if (isSystem != null) {
// note that for non-root users, isSystem is always false when
// control comes to here
sc.addAnd("systemUse", SearchCriteria.Op.EQ, isSystem);
}
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
}
if (vmTypeStr != null) {
sc.addAnd("vmType", SearchCriteria.Op.EQ, vmTypeStr);
}
final Pair<List<ServiceOfferingJoinVO>, Integer> result = _srvOfferingJoinDao.searchAndCount(sc, searchFilter);
return result;
}
Also used :
Account(com.cloud.legacymodel.user.Account)
UserVmVO(com.cloud.vm.UserVmVO)
ServiceOfferingJoinVO(com.cloud.api.query.vo.ServiceOfferingJoinVO)
CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException)
ArrayList(java.util.ArrayList)
VMInstanceVO(com.cloud.vm.VMInstanceVO)
ServiceOfferingVO(com.cloud.service.ServiceOfferingVO)
DomainVO(com.cloud.domain.DomainVO)
Filter(com.cloud.utils.db.Filter)
TemplateFilter(com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
ArrayList(java.util.ArrayList)
List(java.util.List)
Aggregations
CloudAuthenticationException (com.cloud.legacymodel.exceptions.CloudAuthenticationException)13
Account (com.cloud.legacymodel.user.Account)11
User (com.cloud.legacymodel.user.User)7
DomainVO (com.cloud.domain.DomainVO)5
TemplateFilter (com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter)3
UserAccount (com.cloud.legacymodel.user.UserAccount)3
Filter (com.cloud.utils.db.Filter)3
Domain (com.cloud.legacymodel.domain.Domain)2
InvalidParameterValueException (com.cloud.legacymodel.exceptions.InvalidParameterValueException)2
PermissionDeniedException (com.cloud.legacymodel.exceptions.PermissionDeniedException)2
ArrayList (java.util.ArrayList)2
HashSet (java.util.HashSet)2
List (java.util.List)2
ServerApiException (com.cloud.api.ServerApiException)1
DataCenterJoinVO (com.cloud.api.query.vo.DataCenterJoinVO)1
DiskOfferingJoinVO (com.cloud.api.query.vo.DiskOfferingJoinVO)1
ServiceOfferingJoinVO (com.cloud.api.query.vo.ServiceOfferingJoinVO)1
UserAuthenticator (com.cloud.server.auth.UserAuthenticator)1
ActionOnFailedAuthentication (com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication)1
ServiceOfferingVO (com.cloud.service.ServiceOfferingVO)1
