Repository: cloudstack Updated Branches: refs/heads/4.5 b0f3bea18 -> d5b61312b
CLOUDSTACK-9369: Restrict default login to ldap/native users - Restricts default login auth handler to ldap and native-cloudstack users - Refactors and create re-usable method to find domain by id/path Signed-off-by: Rohit Yadav <[email protected]> (cherry picked from commit 6a90c7cd580da1059adb190d48bf1ae26c6f058f) Signed-off-by: Rohit Yadav <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/419893a2 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/419893a2 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/419893a2 Branch: refs/heads/4.5 Commit: 419893a2fce15eaad0428bafe74bd01d3ed0c689 Parents: b0f3bea Author: Rohit Yadav <[email protected]> Authored: Wed Apr 27 00:02:11 2016 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed Apr 27 00:22:36 2016 +0530 ---------------------------------------------------------------------- api/src/com/cloud/user/DomainService.java | 10 ++++++++++ server/src/com/cloud/api/ApiServer.java | 16 +++++----------- .../auth/DefaultLoginAPIAuthenticatorCmd.java | 13 +++++++++++++ .../src/com/cloud/user/DomainManagerImpl.java | 20 ++++++++++++++++++++ .../com/cloud/user/MockDomainManagerImpl.java | 5 +++++ 5 files changed, 53 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/419893a2/api/src/com/cloud/user/DomainService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/DomainService.java b/api/src/com/cloud/user/DomainService.java
index 4c1f93d..3ccfcbc 100644
--- a/api/src/com/cloud/user/DomainService.java
+++ b/api/src/com/cloud/user/DomainService.java
@@ -56,4 +56,14 @@ public interface DomainService {
 */
 Domain findDomainByPath(String domainPath);
 
+ /**
+ * finds the domain by either id or provided path
+ *
+ * @param id the domain id
+ * @param domainPath the domain path use to lookup a domain
+ *
+ * @return domainId the long value of the domain ID, or null if no domain id exists with provided id/path
+ */
+ Domain findDomainByIdOrPath(Long id, String domainPath);
+
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/419893a2/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 2ab1f7c..7fa4648 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
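Review bot: The `@return` tag on the new `findDomainByIdOrPath` Javadoc describes a long `domainId`, but the method returns a `Domain`; it should read `@return the matching Domain, or null when neither the id nor the path resolves to a domain`. The Javadoc also leaves out the precedence that the DomainManagerImpl implementation in this commit applies — a non-null `id` wins and `domainPath` is then ignored, and a null id with a blank path resolves to the ROOT domain — which callers of an interface method need stated, for example `When id is non-null it is used and domainPath is ignored; when both are absent the ROOT domain is returned.` The phrase `use to lookup a domain` should read `used to look up a domain`.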
@@ -999,17 +999,11 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 final Map<String, Object[]> requestParameters) throws CloudAuthenticationException {
 // We will always use domainId first. If that does not exist, we will use domain name. If THAT doesn't exist
 // we will default to ROOT
- if (domainId == null) {
- if (domainPath == null || domainPath.trim().length() == 0) {
- domainId = Domain.ROOT_DOMAIN;
- } else {
- final Domain domainObj = _domainMgr.findDomainByPath(domainPath);
- if (domainObj != null) {
- domainId = domainObj.getId();
- } else { // if an unknown path is passed in, fail the login call
- throw new CloudAuthenticationException("Unable to find the domain from the path " + domainPath);
- }
- }
+ final Domain userDomain = _domainMgr.findDomainByIdOrPath(domainId, domainPath);
+ if (userDomain == null || userDomain.getId() < 1L) {
+ throw new CloudAuthenticationException("Unable to find the domain from the path " + domainPath);
+ } else {
+ domainId = userDomain.getId();
 }
 
 final UserAccount userAcct = _accountMgr.authenticateUser(username, password, domainId, loginIpAddress, requestParameters);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/419893a2/server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java b/server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
index ae633a3..0c38c4f 100644
--- a/server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
+++ b/server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
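Review bot: The rejection message `"Unable to find the domain from the path " + domainPath` is now also raised when the lookup was by `domainId` and `domainPath` is null, so a caller that supplied only an id is told the domain was not found `from the path null`; the message should name both inputs, e.g. `"Unable to find the domain for id " + domainId + " or path " + domainPath`. The same message with the same gap is added in DefaultLoginAPIAuthenticatorCmd. The `userDomain.getId() < 1L` guard carries no comment saying which ids it is meant to reject; if it is a defensive check against an invalid persisted id, a one-line comment should say so, and the `else` after the `throw` can be dropped so `domainId = userDomain.getId();` follows the `if` directly. The enclosing method starts and ends outside the hunk.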
@@ -16,6 +16,9 @@
 // under the License.
 package com.cloud.api.auth;
+import com.cloud.domain.Domain;
+import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import org.apache.cloudstack.api.ApiServerService;
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.exception.CloudAuthenticationException;
@@ -155,6 +158,16 @@ public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthe
 if (username != null) {
 final String pwd = ((password == null) ? null : password[0]);
 try {
+ final Domain userDomain = _domainService.findDomainByIdOrPath(domainId, domain);
+ if (userDomain != null) {
+ domainId = userDomain.getId();
+ } else {
+ throw new CloudAuthenticationException("Unable to find the domain from the path " + domain);
+ }
+ final UserAccount userAccount = _accountService.getActiveUserAccount(username[0], domainId);
+ if (userAccount == null || !(User.Source.UNKNOWN.equals(userAccount.getSource()) || User.Source.LDAP.equals(userAccount.getSource()))) {
+ throw new CloudAuthenticationException("User is not allowed CloudStack login");
+ }
 return ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, username[0], pwd, domainId, domain, remoteAddress, params), responseType);
 } catch (final CloudAuthenticationException ex) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/419893a2/server/src/com/cloud/user/DomainManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/DomainManagerImpl.java b/server/src/com/cloud/user/DomainManagerImpl.java
index fbbe0c2..aa54412 100644
--- a/server/src/com/cloud/user/DomainManagerImpl.java
+++ b/server/src/com/cloud/user/DomainManagerImpl.java
@@ -24,6 +24,7 @@ import java.util.UUID;
 
 import javax.ejb.Local;
 import javax.inject.Inject;
+import com.google.common.base.Strings;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
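Review bot: The new pre-check throws `"User is not allowed CloudStack login"` both when `getActiveUserAccount` returns null (no such active user in that domain) and when the user exists with a source other than UNKNOWN or LDAP, so an unknown username receives a different response from a wrong password and a client can tell valid usernames from invalid ones before any credential is checked. Prefer letting the null case fall through to `_apiServer.loginUser`, whose `authenticateUser` call presumably reports the generic failure, and keep the explicit rejection for the source check only: `if (userAccount != null && !(User.Source.UNKNOWN.equals(userAccount.getSource()) || User.Source.LDAP.equals(userAccount.getSource()))) {`. Nothing in the code says why UNKNOWN is accepted; a one-line comment such as `// Source.UNKNOWN is the native CloudStack user source (see commit message); other sources must log in through their own authenticator` would make the allow-list readable. The enclosing method starts and ends outside the hunk.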
@@ -221,6 +222,25 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager, Dom
 }
 
 @Override
+ public Domain findDomainByIdOrPath(final Long id, final String domainPath) {
+ Long domainId = id;
+ if (domainId == null) {
+ if (Strings.isNullOrEmpty(domainPath) || domainPath.trim().isEmpty()) {
+ domainId = Domain.ROOT_DOMAIN;
+ } else {
+ final Domain domainVO = findDomainByPath(domainPath);
+ if (domainVO != null) {
+ domainId = domainVO.getId();
+ }
+ }
+ }
+ if (domainId != null) {
+ return _domainDao.findById(domainId);
+ }
+ return null;
+ }
+
+ @Override
 public Set<Long> getDomainParentIds(long domainId) {
 return _domainDao.getDomainParentIds(domainId);
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/419893a2/server/test/com/cloud/user/MockDomainManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockDomainManagerImpl.java b/server/test/com/cloud/user/MockDomainManagerImpl.java
index 7dddefb..f44ab08 100644
--- a/server/test/com/cloud/user/MockDomainManagerImpl.java
+++ b/server/test/com/cloud/user/MockDomainManagerImpl.java
@@ -94,6 +94,11 @@ public class MockDomainManagerImpl extends ManagerBase implements DomainManager,
 }
 
 @Override
+ public DomainVO findDomainByIdOrPath(Long id, String domainPath) {
+ return null;
+ }
+
+ @Override
 public Set<Long> getDomainParentIds(long domainId) {
 // TODO Auto-generated method stub
 return null;
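Review bot: `findDomainByIdOrPath` ignores `domainPath` whenever `id` is non-null, returns null for a non-null id that does not exist, and maps a null id with a blank path to ROOT, yet none of this is stated and the interface Javadoc added in this commit describes the return as a long. A short comment above the method — `// id takes precedence: domainPath is only consulted when id is null, and a null id with a blank path means the ROOT domain` — would make the contract visible to the two login callers that now depend on it. `Strings.isNullOrEmpty(domainPath) || domainPath.trim().isEmpty()` can be reduced to `domainPath == null || domainPath.trim().isEmpty()`, which already covers the empty string and removes the need for the Guava import added in this commit, which as far as the diff shows is used only here.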
