use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.
the class AccountManagerImpl method getUserAccount.
private UserAccount getUserAccount(String username, String password, Long domainId, Map<String, Object[]> requestParameters) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Attempting to log in user: " + username + " in domain " + domainId);
}
UserAccount userAccount = _userAccountDao.getUserAccount(username, domainId);
boolean authenticated = false;
HashSet<ActionOnFailedAuthentication> actionsOnFailedAuthenticaion = new HashSet<ActionOnFailedAuthentication>();
User.Source userSource = userAccount != null ? userAccount.getSource() : User.Source.UNKNOWN;
for (UserAuthenticator authenticator : _userAuthenticators) {
if (userSource != User.Source.UNKNOWN) {
if (!authenticator.getName().equalsIgnoreCase(userSource.name())) {
continue;
}
}
Pair<Boolean, ActionOnFailedAuthentication> result = authenticator.authenticate(username, password, domainId, requestParameters);
if (result.first()) {
authenticated = true;
break;
} else if (result.second() != null) {
actionsOnFailedAuthenticaion.add(result.second());
}
}
boolean updateIncorrectLoginCount = actionsOnFailedAuthenticaion.contains(ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
if (authenticated) {
Domain domain = _domainMgr.getDomain(domainId);
String domainName = null;
if (domain != null) {
domainName = domain.getName();
}
userAccount = _userAccountDao.getUserAccount(username, domainId);
if (!userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString()) || !userAccount.getAccountState().equalsIgnoreCase(Account.State.enabled.toString())) {
if (s_logger.isInfoEnabled()) {
s_logger.info("User " + username + " in domain " + domainName + " is disabled/locked (or account is disabled/locked)");
}
throw new CloudAuthenticationException("User " + username + " (or their account) in domain " + domainName + " is disabled/locked. Please contact the administrator.");
}
// Whenever the user is able to log in successfully, reset the login attempts to zero
if (!isInternalAccount(userAccount.getId())) {
updateLoginAttempts(userAccount.getId(), 0, false);
}
return userAccount;
} else {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Unable to authenticate user with username " + username + " in domain " + domainId);
}
if (userAccount == null) {
s_logger.warn("Unable to find an user with username " + username + " in domain " + domainId);
return null;
}
if (userAccount.getState().equalsIgnoreCase(Account.State.enabled.toString())) {
if (!isInternalAccount(userAccount.getId())) {
// Internal accounts are not disabled
int attemptsMade = userAccount.getLoginAttempts() + 1;
if (updateIncorrectLoginCount) {
if (attemptsMade < _allowedLoginAttempts) {
updateLoginAttempts(userAccount.getId(), attemptsMade, false);
s_logger.warn("Login attempt failed. You have " + (_allowedLoginAttempts - attemptsMade) + " attempt(s) remaining");
} else {
updateLoginAttempts(userAccount.getId(), _allowedLoginAttempts, true);
s_logger.warn("User " + userAccount.getUsername() + " has been disabled due to multiple failed login attempts." + " Please contact admin.");
}
}
}
} else {
s_logger.info("User " + userAccount.getUsername() + " is disabled/locked");
}
return null;
}
}
use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.
the class AccountManagerImpl method validateUserPasswordAndUpdateIfNeeded.
/**
* Updates the password in the user POJO if needed. If no password is provided, then the password is not updated.
* The following validations are executed if 'password' is not null. Admins (root admins or domain admins) can execute password updates without entering the current password.
* <ul>
* <li> If 'password' is blank, we throw an {@link InvalidParameterValueException};
* <li> If 'current password' is not provided and user is not an Admin, we throw an {@link InvalidParameterValueException};
* <li> If a normal user is calling this method, we use {@link #validateCurrentPassword(UserVO, String)} to check if the provided old password matches the database one;
* </ul>
*
* If all checks pass, we encode the given password with the most preferable password mechanism given in {@link #_userPasswordEncoders}.
*/
protected void validateUserPasswordAndUpdateIfNeeded(String newPassword, UserVO user, String currentPassword) {
if (newPassword == null) {
s_logger.trace("No new password to update for user: " + user.getUuid());
return;
}
if (StringUtils.isBlank(newPassword)) {
throw new InvalidParameterValueException("Password cannot be empty or blank.");
}
Account callingAccount = getCurrentCallingAccount();
boolean isRootAdminExecutingPasswordUpdate = callingAccount.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(callingAccount.getId());
boolean isDomainAdmin = isDomainAdmin(callingAccount.getId());
boolean isAdmin = isDomainAdmin || isRootAdminExecutingPasswordUpdate;
if (isAdmin) {
s_logger.trace(String.format("Admin account [uuid=%s] executing password update for user [%s] ", callingAccount.getUuid(), user.getUuid()));
}
if (!isAdmin && StringUtils.isBlank(currentPassword)) {
throw new InvalidParameterValueException("To set a new password the current password must be provided.");
}
if (CollectionUtils.isEmpty(_userPasswordEncoders)) {
throw new CloudRuntimeException("No user authenticators configured!");
}
if (!isAdmin) {
validateCurrentPassword(user, currentPassword);
}
UserAuthenticator userAuthenticator = _userPasswordEncoders.get(0);
String newPasswordEncoded = userAuthenticator.encode(newPassword);
user.setPassword(newPasswordEncoded);
}
use of com.cloud.server.auth.UserAuthenticator in project cloudstack by apache.
the class AccountManagerImpl method createUser.
protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, User.Source source) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
}
String encodedPassword = null;
for (UserAuthenticator authenticator : _userPasswordEncoders) {
encodedPassword = authenticator.encode(password);
if (encodedPassword != null) {
break;
}
}
if (encodedPassword == null) {
throw new CloudRuntimeException("Failed to encode password");
}
if (userUUID == null) {
userUUID = UUID.randomUUID().toString();
}
UserVO user = _userDao.persist(new UserVO(accountId, userName, encodedPassword, firstName, lastName, email, timezone, userUUID, source));
CallContext.current().putContextParameter(User.class, user.getUuid());
return user;
}
Aggregations