
Example 11 with CloudAuthenticationException

use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.

the class AccountManagerImpl method getUserAccount.

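/**
 * Authenticates a user through the configured authenticators and returns the matching account.
 *
 * <p>When the account is already known and has a concrete source, only the authenticator whose
 * name matches that source is consulted; otherwise every authenticator is tried in order until
 * one succeeds. On failure the stored failed-login counter is advanced only if at least one
 * authenticator asked for {@code INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT}, and internal accounts
 * are never counted or locked out.
 *
 * @param username          login name supplied by the caller (untrusted)
 * @param password          credential supplied by the caller; never logged here
 * @param domainId          domain the login is scoped to
 * @param requestParameters raw request parameters, passed through to the authenticators
 * @return the authenticated account, or {@code null} when authentication fails or no account
 *         can be found for the username and domain
 * @throws CloudAuthenticationException if the credentials are valid but the user or the
 *         owning account is not in the enabled state
 */
private UserAccount getUserAccount(final String username, final String password, final Long domainId, final Map<String, Object[]> requestParameters) {
    // The username comes straight from the login request. Neutralise line breaks before it is
    // written to the log so a crafted value cannot forge additional log entries.
    final String loggedUsername = username == null ? null : username.replaceAll("[\\r\\n]", "_");
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Attempting to log in user: " + loggedUsername + " in domain " + domainId);
    }
    UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
    boolean authenticated = false;
    final HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthentication = new HashSet<>();
    final User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
    for (final UserAuthenticator authenticator : _userAuthenticators) {
        // A known source pins the login to its own authenticator, so a user cannot be
        // authenticated by a different (possibly weaker) backend.
        if (userSource != User.Source.UNKNOWN && !authenticator.getName().equalsIgnoreCase(userSource.name())) {
            continue;
        }
        final Pair<Boolean, ActionOnFailedAuthentication> result = authenticator.authenticate(username, password, domainId, requestParameters);
        if (result.first()) {
            authenticated = true;
            break;
        } else if (result.second() != null) {
            actionsOnFailedAuthentication.add(result.second());
        }
    }
    final boolean updateIncorrectLoginCount = actionsOnFailedAuthentication.contains(ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
    if (authenticated) {
        final Domain domain = _domainMgr.getDomain(domainId);
        String domainName = null;
        if (domain != null) {
            domainName = domain.getName();
        }
        // Re-read the account after authentication; the state checks below must run against
        // the current record.
        userAccount = _userAccountDao.getUserAccount(username, domainId);
        if (userAccount == null) {
            // Fail closed: an authenticator accepted the credentials but there is no account
            // record to check state on. Treat it like a failed login instead of dereferencing
            // null.
            s_logger.warn("Unable to find an user with username " + loggedUsername + " in domain " + domainId);
            return null;
        }
        if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
            if (s_logger.isInfoEnabled()) {
                s_logger.info("User " + loggedUsername + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)");
            }
            // The disabled/locked state is only disclosed after the credentials were verified.
            throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the " + "administrator.");
        }
        // Whenever the user is able to log in successfully, reset the login attempts to zero
        if (!isInternalAccount(userAccount.getId())) {
            updateLoginAttempts(userAccount.getId(), 0, false);
        }
        return userAccount;
    } else {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Unable to authenticate user with username " + loggedUsername + " in domain " + domainId);
        }
        if (userAccount == null) {
            s_logger.warn("Unable to find an user with username " + loggedUsername + " in domain " + domainId);
            return null;
        }
        if (userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())) {
            if (!isInternalAccount(userAccount.getId())) {
                // Internal accounts are not disabled
                // NOTE(review): the counter is read, incremented and written back without any
                // visible locking; confirm concurrent failed logins cannot under-count.
                final int attemptsMade = userAccount.getLoginAttempts() + 1;
                if (updateIncorrectLoginCount) {
                    if (attemptsMade < _allowedLoginAttempts) {
                        updateLoginAttempts(userAccount.getId(), attemptsMade, false);
                        s_logger.warn("Login attempt failed. You have " + (_allowedLoginAttempts - attemptsMade) + " attempt(s) remaining");
                    } else {
                        // presumably the final argument requests the lock-out; verify against updateLoginAttempts
                        updateLoginAttempts(userAccount.getId(), _allowedLoginAttempts, true);
                        s_logger.warn("User " + userAccount.getUsername() + " has been disabled due to multiple failed login attempts." + " Please contact admin.");
                    }
                }
            }
        } else {
            s_logger.info("User " + userAccount.getUsername() + " is disabled/locked");
        }
        return null;
    }
}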
Also used : User(com.cloud.legacymodel.user.User) CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException) UserAuthenticator(com.cloud.server.auth.UserAuthenticator) ActionOnFailedAuthentication(com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication) Domain(com.cloud.legacymodel.domain.Domain) UserAccount(com.cloud.legacymodel.user.UserAccount) HashSet(java.util.HashSet)

Example 12 with CloudAuthenticationException

use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.

the class QueryManagerImpl method searchForDiskOfferingsInternal.

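/**
 * Builds and runs the disk-offering search for the calling account.
 *
 * <p>Visibility rules applied here:
 * <ol>
 *   <li>When a domain id is given, the caller must be a root admin or pass
 *       {@code isPermissible} for that domain; the search is then restricted to that domain.</li>
 *   <li>Normal users, domain admins and resource domain admins otherwise see offerings of their
 *       own domain plus either all sub-domains ({@code isrecursive=true}, admins only) or all
 *       ancestor domains and public offerings.</li>
 * </ol>
 *
 * @param cmd the list command carrying the filters and paging values
 * @return the matching offerings together with the total count
 * @throws PermissionDeniedException if the requested domain is outside the caller's hierarchy
 * @throws InvalidParameterValueException if a normal user asks for a recursive listing
 * @throws CloudAuthenticationException if the caller's domain record cannot be found
 */
private Pair<List<DiskOfferingJoinVO>, Integer> searchForDiskOfferingsInternal(final ListDiskOfferingsCmd cmd) {
    // Boolean.parseBoolean never yields null, so the default has to be decided on the raw
    // configuration string: a missing "sortkey.algorithm" means ascending.
    final String sortKeyAlgorithm = _configDao.getValue("sortkey.algorithm");
    final Boolean isAscending = sortKeyAlgorithm == null ? Boolean.TRUE : Boolean.valueOf(sortKeyAlgorithm);
    final Filter searchFilter = new Filter(DiskOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
    final SearchCriteria<DiskOfferingJoinVO> sc = _diskOfferingJoinDao.createSearchCriteria();
    sc.addAnd("type", Op.EQ, DiskOfferingVO.Type.Disk);
    final Account account = CallContext.current().getCallingAccount();
    final Object name = cmd.getDiskOfferingName();
    final Object id = cmd.getId();
    final Object keyword = cmd.getKeyword();
    final Long domainId = cmd.getDomainId();
    final Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId());
    // A missing isrecursive flag is treated as "not recursive" instead of failing on unboxing.
    final boolean recursive = Boolean.TRUE.equals(cmd.isRecursive());
    // An explicit domain id restricts the listing to offerings associated with this domain
    if (domainId != null) {
        // Root admins may name any domain; everyone else must pass the hierarchy check.
        if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
            sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
            if (!isRootAdmin) {
                sc.addAnd("displayOffering", SearchCriteria.Op.EQ, 1);
            }
            // NOTE(review): this early return skips the keyword/id/name filters and the
            // systemUse=false restriction applied further down; confirm that is intended.
            return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
        } else {
            throw new PermissionDeniedException("The account:" + account.getAccountName() + " does not fall in the same domain hierarchy as the disk offering");
        }
    }
    // Non-root callers: limit results to their own domain hierarchy
    if (_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
        DomainVO domainRecord = _domainDao.findById(account.getDomainId());
        if (recursive) {
            // domain + all sub-domains
            if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list disk offerings with isrecursive=true");
            }
            if (domainRecord == null) {
                // Same handling as the ancestor branch: without a domain record no scope
                // can be built, so refuse instead of dereferencing null.
                s_logger.error("Could not find the domainId for account:" + account.getAccountName());
                throw new CloudAuthenticationException("Could not find the domainId for account:" + account.getAccountName());
            }
            sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
        } else {
            // domain + all ancestors
            // find all domain Id up to root domain for this account
            final List<Long> domainIds = new ArrayList<>();
            if (domainRecord == null) {
                s_logger.error("Could not find the domainId for account:" + account.getAccountName());
                throw new CloudAuthenticationException("Could not find the domainId for account:" + account.getAccountName());
            }
            domainIds.add(domainRecord.getId());
            while (domainRecord.getParent() != null) {
                final DomainVO parentRecord = _domainDao.findById(domainRecord.getParent());
                if (parentRecord == null) {
                    // A dangling parent reference ends the walk; the caller simply sees
                    // fewer ancestor offerings rather than triggering a NullPointerException.
                    s_logger.warn("Could not find parent domain " + domainRecord.getParent() + " for account:" + account.getAccountName());
                    break;
                }
                domainRecord = parentRecord;
                domainIds.add(domainRecord.getId());
            }
            final SearchCriteria<DiskOfferingJoinVO> spc = _diskOfferingJoinDao.createSearchCriteria();
            spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
            // include public offerings (no domain) as well
            spc.addOr("domainId", SearchCriteria.Op.NULL);
            sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
            // non-root users should not see system offering at all
            sc.addAnd("systemUse", SearchCriteria.Op.EQ, false);
        }
    }
    if (keyword != null) {
        // NOTE(review): '%' and '_' inside the caller-supplied keyword are not escaped, so
        // they act as LIKE wildcards; presumably the value is bound as a parameter by
        // SearchCriteria - confirm.
        final SearchCriteria<DiskOfferingJoinVO> ssc = _diskOfferingJoinDao.createSearchCriteria();
        ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        sc.addAnd("name", SearchCriteria.Op.SC, ssc);
    }
    if (id != null) {
        sc.addAnd("id", SearchCriteria.Op.EQ, id);
    }
    if (name != null) {
        sc.addAnd("name", SearchCriteria.Op.EQ, name);
    }
    return _diskOfferingJoinDao.searchAndCount(sc, searchFilter);
}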
Also used : Account(com.cloud.legacymodel.user.Account) CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException) DiskOfferingJoinVO(com.cloud.api.query.vo.DiskOfferingJoinVO) DomainVO(com.cloud.domain.DomainVO) Filter(com.cloud.utils.db.Filter) TemplateFilter(com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter) InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException) PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)

Example 13 with CloudAuthenticationException

use of com.cloud.legacymodel.exceptions.CloudAuthenticationException in project cosmic by MissionCriticalCloud.

the class QueryManagerImpl method searchForServiceOfferingsInternal.

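/**
 * Builds and runs the service-offering search for the calling account.
 *
 * <p>Visibility rules applied here:
 * <ol>
 *   <li>Only root admins may ask for system offerings.</li>
 *   <li>A non-root caller that names a domain must pass {@code isPermissible} for it.</li>
 *   <li>When a VM id is given, the caller must have access to that VM and the result is
 *       narrowed to offerings the VM could be changed to.</li>
 *   <li>Normal users, domain admins and resource domain admins see their own domain plus either
 *       all sub-domains ({@code isrecursive=true}, admins only) or all ancestor domains and
 *       public offerings.</li>
 * </ol>
 *
 * @param cmd the list command carrying the filters and paging values
 * @return the matching offerings together with the total count
 * @throws InvalidParameterValueException if a non-root caller asks for system offerings, a
 *         normal user asks for a recursive listing, or the VM id cannot be resolved
 * @throws PermissionDeniedException if the requested domain is outside the caller's hierarchy
 * @throws CloudAuthenticationException if the domain record needed for scoping is missing
 */
private Pair<List<ServiceOfferingJoinVO>, Integer> searchForServiceOfferingsInternal(final ListServiceOfferingsCmd cmd) {
    // Boolean.parseBoolean never yields null, so the default has to be decided on the raw
    // configuration string: a missing "sortkey.algorithm" means ascending.
    final String sortKeyAlgorithm = _configDao.getValue("sortkey.algorithm");
    final Boolean isAscending = sortKeyAlgorithm == null ? Boolean.TRUE : Boolean.valueOf(sortKeyAlgorithm);
    final Filter searchFilter = new Filter(ServiceOfferingJoinVO.class, "sortKey", isAscending, cmd.getStartIndex(), cmd.getPageSizeVal());
    final Account caller = CallContext.current().getCallingAccount();
    final Object name = cmd.getServiceOfferingName();
    final Object id = cmd.getId();
    final Object keyword = cmd.getKeyword();
    final Long vmId = cmd.getVirtualMachineId();
    final Long domainId = cmd.getDomainId();
    final Boolean isSystem = cmd.getIsSystem();
    // isSystem is treated as nullable further down, so never auto-unbox it in a condition;
    // a missing flag counts as "not requesting system offerings".
    final boolean systemRequested = Boolean.TRUE.equals(isSystem);
    final String vmTypeStr = cmd.getSystemVmType();
    final ServiceOfferingVO currentVmOffering;
    final boolean recursive = Boolean.TRUE.equals(cmd.isRecursive());
    final SearchCriteria<ServiceOfferingJoinVO> sc = _srvOfferingJoinDao.createSearchCriteria();
    if (!_accountMgr.isRootAdmin(caller.getId()) && systemRequested) {
        throw new InvalidParameterValueException("Only ROOT admins can access system's offering");
    }
    // A non-root caller may only name a domain inside its own hierarchy
    if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
        if (!isPermissible(caller.getDomainId(), domainId)) {
            throw new PermissionDeniedException("The account:" + caller.getAccountName() + " does not fall in the same domain hierarchy as the service offering");
        }
    }
    if (vmId != null) {
        final VMInstanceVO vmInstance = _vmInstanceDao.findById(vmId);
        if (vmInstance == null || vmInstance.getRemoved() != null) {
            final InvalidParameterValueException ex = new InvalidParameterValueException("unable to find a virtual machine with specified id");
            ex.addProxyObject(vmId.toString(), "vmId");
            throw ex;
        }
        // Authorisation on the VM happens before any of its attributes shape the query.
        _accountMgr.checkAccess(caller, null, true, vmInstance);
        // NOTE(review): the lookup result is dereferenced without a null check; confirm
        // findByIdIncludingRemoved cannot return null for an existing VM.
        currentVmOffering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
        sc.addAnd("id", SearchCriteria.Op.NEQ, currentVmOffering.getId());
        // 1. Only return offerings with the same storage type
        sc.addAnd("useLocalStorage", SearchCriteria.Op.EQ, currentVmOffering.getUseLocalStorage());
        // 2.In case vm is running return only offerings greater than equal to current offering compute.
        if (vmInstance.getState() == VirtualMachine.State.Running) {
            sc.addAnd("cpu", Op.GTEQ, currentVmOffering.getCpu());
            sc.addAnd("ramSize", Op.GTEQ, currentVmOffering.getRamSize());
        }
    }
    if (_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
        // For non-root users.
        if (systemRequested) {
            throw new InvalidParameterValueException("Only root admins can access system's offering");
        }
        if (recursive) {
            // domain + all sub-domains
            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list service offerings with isrecursive=true");
            }
            final DomainVO domainRecord = _domainDao.findById(caller.getDomainId());
            if (domainRecord == null) {
                // Same handling as the ancestor branch: without a domain record no scope
                // can be built, so refuse instead of dereferencing null.
                s_logger.error("Could not find the domainId for account:" + caller.getAccountName());
                throw new CloudAuthenticationException("Could not find the domainId for account:" + caller.getAccountName());
            }
            sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domainRecord.getPath() + "%");
        } else {
            // domain + all ancestors
            // find all domain Id up to root domain for this account
            final List<Long> domainIds = new ArrayList<>();
            DomainVO domainRecord;
            if (vmId != null) {
                final UserVmVO vmInstance = _userVmDao.findById(vmId);
                if (vmInstance == null) {
                    // The id resolved as a VM instance above but not as a user VM; reject it
                    // the same way as an unknown id instead of dereferencing null.
                    final InvalidParameterValueException ex = new InvalidParameterValueException("unable to find a virtual machine with specified id");
                    ex.addProxyObject(vmId.toString(), "vmId");
                    throw ex;
                }
                domainRecord = _domainDao.findById(vmInstance.getDomainId());
                if (domainRecord == null) {
                    s_logger.error("Could not find the domainId for vmId:" + vmId);
                    throw new CloudAuthenticationException("Could not find the domainId for vmId:" + vmId);
                }
            } else {
                domainRecord = _domainDao.findById(caller.getDomainId());
                if (domainRecord == null) {
                    s_logger.error("Could not find the domainId for account:" + caller.getAccountName());
                    throw new CloudAuthenticationException("Could not find the domainId for account:" + caller.getAccountName());
                }
            }
            domainIds.add(domainRecord.getId());
            while (domainRecord.getParent() != null) {
                final DomainVO parentRecord = _domainDao.findById(domainRecord.getParent());
                if (parentRecord == null) {
                    // A dangling parent reference ends the walk; the caller simply sees
                    // fewer ancestor offerings rather than triggering a NullPointerException.
                    s_logger.warn("Could not find parent domain " + domainRecord.getParent() + " for account:" + caller.getAccountName());
                    break;
                }
                domainRecord = parentRecord;
                domainIds.add(domainRecord.getId());
            }
            final SearchCriteria<ServiceOfferingJoinVO> spc = _srvOfferingJoinDao.createSearchCriteria();
            spc.addOr("domainId", SearchCriteria.Op.IN, domainIds.toArray());
            // include public offering as well
            spc.addOr("domainId", SearchCriteria.Op.NULL);
            sc.addAnd("domainId", SearchCriteria.Op.SC, spc);
        }
    } else {
        // for root users
        // NOTE(review): this branch is reached by every account type not matched above, and
        // the root domain is identified by the literal id 1; confirm both assumptions hold.
        if (caller.getDomainId() != 1 && systemRequested) {
            // NON ROOT admin
            throw new InvalidParameterValueException("Non ROOT admins cannot access system's offering");
        }
        if (domainId != null) {
            sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
        }
    }
    if (keyword != null) {
        // NOTE(review): '%' and '_' inside the caller-supplied keyword are not escaped, so
        // they act as LIKE wildcards; presumably the value is bound as a parameter by
        // SearchCriteria - confirm.
        final SearchCriteria<ServiceOfferingJoinVO> ssc = _srvOfferingJoinDao.createSearchCriteria();
        ssc.addOr("displayText", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
        sc.addAnd("name", SearchCriteria.Op.SC, ssc);
    }
    if (id != null) {
        sc.addAnd("id", SearchCriteria.Op.EQ, id);
    }
    if (isSystem != null) {
        // note that for non-root users, isSystem is always false when
        // control comes to here
        sc.addAnd("systemUse", SearchCriteria.Op.EQ, isSystem);
    }
    if (name != null) {
        sc.addAnd("name", SearchCriteria.Op.EQ, name);
    }
    if (vmTypeStr != null) {
        sc.addAnd("vmType", SearchCriteria.Op.EQ, vmTypeStr);
    }
    final Pair<List<ServiceOfferingJoinVO>, Integer> result = _srvOfferingJoinDao.searchAndCount(sc, searchFilter);
    return result;
}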
Also used : Account(com.cloud.legacymodel.user.Account) UserVmVO(com.cloud.vm.UserVmVO) ServiceOfferingJoinVO(com.cloud.api.query.vo.ServiceOfferingJoinVO) CloudAuthenticationException(com.cloud.legacymodel.exceptions.CloudAuthenticationException) ArrayList(java.util.ArrayList) VMInstanceVO(com.cloud.vm.VMInstanceVO) ServiceOfferingVO(com.cloud.service.ServiceOfferingVO) DomainVO(com.cloud.domain.DomainVO) Filter(com.cloud.utils.db.Filter) TemplateFilter(com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter) InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException) PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException) ArrayList(java.util.ArrayList) List(java.util.List)

Aggregations

CloudAuthenticationException (com.cloud.legacymodel.exceptions.CloudAuthenticationException)13 Account (com.cloud.legacymodel.user.Account)11 User (com.cloud.legacymodel.user.User)7 DomainVO (com.cloud.domain.DomainVO)5 TemplateFilter (com.cloud.legacymodel.storage.VirtualMachineTemplate.TemplateFilter)3 UserAccount (com.cloud.legacymodel.user.UserAccount)3 Filter (com.cloud.utils.db.Filter)3 Domain (com.cloud.legacymodel.domain.Domain)2 InvalidParameterValueException (com.cloud.legacymodel.exceptions.InvalidParameterValueException)2 PermissionDeniedException (com.cloud.legacymodel.exceptions.PermissionDeniedException)2 ArrayList (java.util.ArrayList)2 HashSet (java.util.HashSet)2 List (java.util.List)2 ServerApiException (com.cloud.api.ServerApiException)1 DataCenterJoinVO (com.cloud.api.query.vo.DataCenterJoinVO)1 DiskOfferingJoinVO (com.cloud.api.query.vo.DiskOfferingJoinVO)1 ServiceOfferingJoinVO (com.cloud.api.query.vo.ServiceOfferingJoinVO)1 UserAuthenticator (com.cloud.server.auth.UserAuthenticator)1 ActionOnFailedAuthentication (com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication)1 ServiceOfferingVO (com.cloud.service.ServiceOfferingVO)1