
Example 6 with UserAuthenticator

use of com.cloud.server.auth.UserAuthenticator in project cosmic by MissionCriticalCloud.

the class AccountManagerImpl method getUserAccount.

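/**
 * Tries to authenticate {@code username} in {@code domainId} with the configured authenticators.
 *
 * <p>When the stored account has a known {@link User.Source}, only the authenticator whose name
 * matches that source is consulted; otherwise every authenticator is tried in order until one
 * succeeds. On success the failed-login counter is reset for non-internal accounts. On failure the
 * counter is advanced only if at least one authenticator asked for
 * {@code INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT} and the account is not internal.
 *
 * @param username          login name supplied by the caller
 * @param password          credential handed unchanged to each authenticator
 * @param domainId          domain the user is looked up in
 * @param requestParameters extra request parameters forwarded to the authenticators
 * @return the authenticated account, or {@code null} when authentication fails or no local
 *         account record exists
 * @throws CloudAuthenticationException if the credentials are valid but the user or the owning
 *         account is not in the enabled state
 */
private UserAccount getUserAccount(final String username, final String password, final Long domainId, final Map<String, Object[]> requestParameters) {
    // NOTE(review): username is caller-supplied and is concatenated into several log lines below;
    // if it can carry CR/LF it should be neutralised before logging - confirm where it is validated.
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Attempting to log in user: " + username + " in domain " + domainId);
    }
    UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
    boolean authenticated = false;
    final HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthentication = new HashSet<>();
    final User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
    for (final UserAuthenticator authenticator : _userAuthenticators) {
        // A known source pins the user to the authenticator of the same name.
        if (userSource != User.Source.UNKNOWN) {
            if (!authenticator.getName().equalsIgnoreCase(userSource.name())) {
                continue;
            }
        }
        final Pair<Boolean, ActionOnFailedAuthentication> result = authenticator.authenticate(username, password, domainId, requestParameters);
        if (result.first()) {
            authenticated = true;
            break;
        } else if (result.second() != null) {
            actionsOnFailedAuthentication.add(result.second());
        }
    }
    final boolean updateIncorrectLoginCount = actionsOnFailedAuthentication.contains(ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
    if (authenticated) {
        final Domain domain = _domainMgr.getDomain(domainId);
        String domainName = null;
        if (domain != null) {
            domainName = domain.getName();
        }
        userAccount = _userAccountDao.getUserAccount(username, domainId);
        if (userAccount == null) {
            // An authenticator accepted the credentials but there is no local record to check state
            // on (none existed at the first lookup, or it disappeared since). Treat this as a failed
            // login instead of dereferencing null below.
            s_logger.warn("User " + username + " in domain " + domainId + " was authenticated but has no account record");
            return null;
        }
        // Valid credentials are not enough: both the user and the owning account must be enabled.
        if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
            if (s_logger.isInfoEnabled()) {
                s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)");
            }
            throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the " + "administrator.");
        }
        // Whenever the user is able to log in successfully, reset the login attempts to zero
        if (!isInternalAccount(userAccount.getId())) {
            updateLoginAttempts(userAccount.getId(), 0, false);
        }
        return userAccount;
    } else {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Unable to authenticate user with username " + username + " in domain " + domainId);
        }
        if (userAccount == null) {
            s_logger.warn("Unable to find an user with username " + username + " in domain " + domainId);
            return null;
        }
        if (userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())) {
            if (!isInternalAccount(userAccount.getId())) {
                // Internal accounts are not disabled
                final int attemptsMade = userAccount.getLoginAttempts() + 1;
                if (updateIncorrectLoginCount) {
                    if (attemptsMade < _allowedLoginAttempts) {
                        updateLoginAttempts(userAccount.getId(), attemptsMade, false);
                        s_logger.warn("Login attempt failed. You have " + (_allowedLoginAttempts - attemptsMade) + " attempt(s) remaining");
                    } else {
                        // Limit reached: the counter is pinned at the maximum and the last argument
                        // is true, which per the log message below disables the user.
                        updateLoginAttempts(userAccount.getId(), _allowedLoginAttempts, true);
                        s_logger.warn("User " + userAccount.getUsername() + " has been disabled due to multiple failed login attempts." + " Please contact admin.");
                    }
                }
            }
        } else {
            s_logger.info("User " + userAccount.getUsername() + " is disabled/locked");
        }
        return null;
    }
}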
Also used : CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException) UserAuthenticator(com.cloud.server.auth.UserAuthenticator) ActionOnFailedAuthentication(com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication) Domain(com.cloud.domain.Domain) HashSet(java.util.HashSet)

Example 7 with UserAuthenticator

use of com.cloud.server.auth.UserAuthenticator in project cosmic by MissionCriticalCloud.

the class AccountManagerImpl method createUser.

/**
 * Persists a new user for {@code accountId} with an encoded form of {@code password}.
 *
 * <p>The password encoders are asked in list order and the first non-null encoding is stored, so
 * the order of {@code _userPasswordEncoders} decides which scheme protects new credentials. The
 * clear-text password is not part of the debug log line.
 *
 * @param userUUID identifier to use for the user; a random UUID is generated when {@code null}
 * @return the persisted user
 * @throws CloudRuntimeException if no encoder produced an encoding
 */
protected UserVO createUser(final long accountId, final String userName, final String password, final String firstName, final String lastName, final String email, final String timezone, String userUUID, final User.Source source) {
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
    }

    String storedCredential = null;
    for (final UserAuthenticator encoder : _userPasswordEncoders) {
        final String candidate = encoder.encode(password);
        if (candidate == null) {
            // This encoder declined; fall through to the next one.
            continue;
        }
        storedCredential = candidate;
        break;
    }
    if (storedCredential == null) {
        throw new CloudRuntimeException("Failed to encode password");
    }

    final String uuid = (userUUID != null) ? userUUID : UUID.randomUUID().toString();
    final UserVO created = _userDao.persist(new UserVO(accountId, userName, storedCredential, firstName, lastName, email, timezone, uuid, source));
    // Record the new user's UUID on the current call context.
    CallContext.current().putContextParameter(User.class, created.getUuid());
    return created;
}
Also used : VpnUserVO(com.cloud.network.VpnUserVO) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) UserAuthenticator(com.cloud.server.auth.UserAuthenticator)

Example 8 with UserAuthenticator

use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.

the class AccountManagerImplTest method validateCurrentPasswordTestUserAuthenticatedWithProvidedCurrentPasswordViaFirstAuthenticator.

/**
 * When the first encoder authenticates the current password, validateCurrentPassword must return
 * without consulting the second encoder.
 */
@Test
public void validateCurrentPasswordTestUserAuthenticatedWithProvidedCurrentPasswordViaFirstAuthenticator() {
    final long domainId = 14L;
    final String username = "username";
    final String currentPassword = "currentPassword";

    // Account and user lookups performed by the method under test.
    AccountVO accountVoMock = Mockito.mock(AccountVO.class);
    Mockito.doReturn(domainId).when(accountVoMock).getDomainId();
    Mockito.doReturn(accountVoMock).when(_accountDao).findById(accountMockId);
    Mockito.doReturn(username).when(userVoMock).getUsername();

    // Two encoders in order; only the first one is stubbed, and it reports success.
    UserAuthenticator authenticatorMock1 = Mockito.mock(UserAuthenticator.class);
    UserAuthenticator authenticatorMock2 = Mockito.mock(UserAuthenticator.class);
    accountManagerImpl._userPasswordEncoders = new ArrayList<>();
    accountManagerImpl._userPasswordEncoders.add(authenticatorMock1);
    accountManagerImpl._userPasswordEncoders.add(authenticatorMock2);
    Pair<Boolean, ActionOnFailedAuthentication> authenticationResult =
            new Pair<>(true, ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
    Mockito.doReturn(authenticationResult).when(authenticatorMock1).authenticate(username, currentPassword, domainId, null);

    accountManagerImpl.validateCurrentPassword(userVoMock, currentPassword);

    // Exactly one call on the first encoder, none on the second.
    Mockito.verify(authenticatorMock1).authenticate(username, currentPassword, domainId, null);
    Mockito.verify(authenticatorMock2, Mockito.never()).authenticate(username, currentPassword, domainId, null);
}
Also used : UserAuthenticator(com.cloud.server.auth.UserAuthenticator) ActionOnFailedAuthentication(com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication) ProjectAccountVO(com.cloud.projects.ProjectAccountVO) Pair(com.cloud.utils.Pair) Test(org.junit.Test)

Example 9 with UserAuthenticator

use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.

the class AccountManagerImplTest method configureUserMockAuthenticators.

/**
 * Installs two mock password encoders on the manager under test and returns the encoding the
 * first one produces for {@code newPassword}.
 *
 * <p>The second encoder is stubbed leniently, so a test does not fail when it is never called.
 */
private String configureUserMockAuthenticators(String newPassword) {
    final String firstEncoderOutput = "passwordEncodedByAuthenticator1";

    UserAuthenticator firstEncoder = Mockito.mock(UserAuthenticator.class);
    Mockito.doReturn(firstEncoderOutput).when(firstEncoder).encode(newPassword);

    UserAuthenticator secondEncoder = Mockito.mock(UserAuthenticator.class);
    Mockito.lenient().doReturn("passwordEncodedByAuthenticator2").when(secondEncoder).encode(newPassword);

    // Order matters: the first encoder is registered ahead of the second.
    accountManagerImpl._userPasswordEncoders = new ArrayList<>();
    accountManagerImpl._userPasswordEncoders.add(firstEncoder);
    accountManagerImpl._userPasswordEncoders.add(secondEncoder);
    return firstEncoderOutput;
}
Also used : UserAuthenticator(com.cloud.server.auth.UserAuthenticator)

Example 10 with UserAuthenticator

use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.

the class AccountManagerImpl method validateCurrentPassword.

/**
 * Re-authenticates {@code user} with {@code currentPassword} before a password change.
 *
 * <p>Each entry of {@code _userPasswordEncoders} is asked in order; a {@code null} result is
 * skipped and the first positive result ends the check. If none accepts the password an
 * {@link InvalidParameterValueException} is thrown.
 *
 * <p>NOTE(review): the {@link ActionOnFailedAuthentication} half of each result is never read
 * here, so a wrong current password on this path does not appear to feed the failed-login
 * counter - confirm whether the caller rate-limits or locks out repeated failures.
 * NOTE(review): the account returned by {@code findById} is dereferenced without a null check.
 */
protected void validateCurrentPassword(UserVO user, String currentPassword) {
    AccountVO owningAccount = _accountDao.findById(user.getAccountId());
    for (UserAuthenticator candidate : _userPasswordEncoders) {
        Pair<Boolean, ActionOnFailedAuthentication> outcome = candidate.authenticate(user.getUsername(), currentPassword, owningAccount.getDomainId(), null);
        if (outcome == null) {
            s_logger.trace(String.format("Authenticator [%s] is returning null for the authenticate mehtod.", candidate.getClass()));
            continue;
        }
        if (BooleanUtils.toBoolean(outcome.first())) {
            s_logger.debug(String.format("User [id=%s] re-authenticated [authenticator=%s] during password update.", user.getUuid(), candidate.getName()));
            // First match is sufficient; remaining encoders are not consulted.
            return;
        }
    }
    // No encoder accepted the supplied current password.
    throw new InvalidParameterValueException("Current password is incorrect.");
}
Also used : InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) UserAuthenticator(com.cloud.server.auth.UserAuthenticator) ActionOnFailedAuthentication(com.cloud.server.auth.UserAuthenticator.ActionOnFailedAuthentication)
