server/src/main/java/com/cloud/api/auth/ValidateUserTwoFactorAuthenticationCodeCmd.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.api.auth;

 import com.cloud.api.ApiServlet;
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.exception.CloudTwoFactorAuthenticationException;
 import com.cloud.user.AccountManager;
 import com.cloud.user.UserAccount;
 import com.cloud.user.UserAccountVO;
 import com.cloud.utils.exception.CSExceptionErrorCode;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ApiServerService;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.auth.APIAuthenticationType;
 import org.apache.cloudstack.api.auth.APIAuthenticator;
 import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
 import org.apache.cloudstack.api.response.SuccessResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;

 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.net.InetAddress;
 import java.util.List;
 import java.util.Map;

 @APICommand(name = ValidateUserTwoFactorAuthenticationCodeCmd.APINAME, description = "Checks the 2FA code for the user.", requestHasSensitiveInfo = false,
         authorized = {RoleType.Admin, RoleType.DomainAdmin, RoleType.ResourceAdmin, RoleType.User},
         responseObject = SuccessResponse.class, entityType = {}, since = "4.18.0")
 public class ValidateUserTwoFactorAuthenticationCodeCmd extends BaseCmd implements APIAuthenticator {

     public static final String APINAME = "validateUserTwoFactorAuthenticationCode";
     public static final Logger s_logger = Logger.getLogger(ValidateUserTwoFactorAuthenticationCodeCmd.class.getName());

     @Inject
     private AccountManager accountManager;

     @Inject
     ApiServerService _apiServer;

     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////

     @Parameter(name = ApiConstants.CODE_FOR_2FA, type = CommandType.STRING, description = "two factor authentication code", required = true)
     private String codeFor2fa;

     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////

     public String getCodeFor2fa() {
         return codeFor2fa;
     }

     @Override
     public void execute() throws ServerApiException {
         throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "This is an authentication api, cannot be used directly");
     }

     @Override
     public String getCommandName() {
         return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
     }

     @Override
     public long getEntityOwnerId() {
         return CallContext.current().getCallingAccount().getId();
     }

     @Override
     public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, HttpServletRequest req, HttpServletResponse resp) throws ServerApiException {
         String codeFor2FA = null;
         if (params.containsKey(ApiConstants.CODE_FOR_2FA)) {
             codeFor2FA = ((String[])params.get(ApiConstants.CODE_FOR_2FA))[0];
         }
         if (StringUtils.isEmpty(codeFor2FA)) {
             throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, "Code for two factor authentication is required");
         }

         final long currentUserId = (Long) session.getAttribute("userid");
         final UserAccount currentUserAccount = _accountService.getUserAccountById(currentUserId);
         boolean setupPhase = false;
         Map<String, String> userDetails = currentUserAccount.getDetails();
         if (userDetails.containsKey(UserDetailVO.Setup2FADetail) && userDetails.get(UserDetailVO.Setup2FADetail).equals(UserAccountVO.Setup2FAstatus.ENABLED.name())) {
             setupPhase = true;
         }

         String serializedResponse = null;
         try {
             accountManager.verifyUsingTwoFactorAuthenticationCode(codeFor2FA, currentUserAccount.getDomainId(), currentUserId);
             SuccessResponse response = new SuccessResponse(getCommandName());
             setResponseObject(response);
             return ApiResponseSerializer.toSerializedString(response, responseType);
         } catch (final CloudTwoFactorAuthenticationException ex) {
             if (!setupPhase) {
                 ApiServlet.invalidateHttpSession(session, "fall through to API key,");
             }
             String msg = String.format("%s", ex.getMessage() != null ?
                     ex.getMessage() :
                     "failed to authenticate user, check if two factor authentication code is correct");
             auditTrailSb.append(" " + ApiErrorCode.UNAUTHORIZED2FA + " " + msg);
             serializedResponse = _apiServer.getSerializedApiError(ApiErrorCode.UNAUTHORIZED2FA.getHttpCode(), msg, params, responseType);
             if (s_logger.isTraceEnabled()) {
                 s_logger.trace(msg);
             }
         }
         ServerApiException exception = new ServerApiException(ApiErrorCode.UNAUTHORIZED2FA, serializedResponse);
         exception.setCSErrorCode(CSExceptionErrorCode.getCSErrCode(CloudTwoFactorAuthenticationException.class.getName()));
         throw exception;
     }

     @Override
     public APIAuthenticationType getAPIType() {
         return APIAuthenticationType.LOGIN_2FA_API;
     }

     @Override
     public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators) {
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.api.auth;

	import com.cloud.api.ApiServlet;
	import com.cloud.api.response.ApiResponseSerializer;
	import com.cloud.exception.CloudTwoFactorAuthenticationException;
	import com.cloud.user.AccountManager;
	import com.cloud.user.UserAccount;
	import com.cloud.user.UserAccountVO;
	import com.cloud.utils.exception.CSExceptionErrorCode;
	import org.apache.cloudstack.acl.RoleType;
	import org.apache.cloudstack.api.APICommand;
	import org.apache.cloudstack.api.ApiConstants;
	import org.apache.cloudstack.api.ApiErrorCode;
	import org.apache.cloudstack.api.ApiServerService;
	import org.apache.cloudstack.api.BaseCmd;
	import org.apache.cloudstack.api.Parameter;
	import org.apache.cloudstack.api.ServerApiException;
	import org.apache.cloudstack.api.auth.APIAuthenticationType;
	import org.apache.cloudstack.api.auth.APIAuthenticator;
	import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
	import org.apache.cloudstack.api.response.SuccessResponse;
	import org.apache.cloudstack.context.CallContext;
	import org.apache.cloudstack.resourcedetail.UserDetailVO;
	import org.apache.commons.lang3.StringUtils;
	import org.apache.log4j.Logger;

	import javax.inject.Inject;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;
	import javax.servlet.http.HttpSession;
	import java.net.InetAddress;
	import java.util.List;
	import java.util.Map;

	@APICommand(name = ValidateUserTwoFactorAuthenticationCodeCmd.APINAME, description = "Checks the 2FA code for the user.", requestHasSensitiveInfo = false,
	authorized = {RoleType.Admin, RoleType.DomainAdmin, RoleType.ResourceAdmin, RoleType.User},
	responseObject = SuccessResponse.class, entityType = {}, since = "4.18.0")
	public class ValidateUserTwoFactorAuthenticationCodeCmd extends BaseCmd implements APIAuthenticator {

	public static final String APINAME = "validateUserTwoFactorAuthenticationCode";
	public static final Logger s_logger = Logger.getLogger(ValidateUserTwoFactorAuthenticationCodeCmd.class.getName());

	@Inject
	private AccountManager accountManager;

	@Inject
	ApiServerService _apiServer;

	/////////////////////////////////////////////////////
	//////////////// API parameters /////////////////////
	/////////////////////////////////////////////////////

	@Parameter(name = ApiConstants.CODE_FOR_2FA, type = CommandType.STRING, description = "two factor authentication code", required = true)
	private String codeFor2fa;

	/////////////////////////////////////////////////////
	/////////////////// Accessors ///////////////////////
	/////////////////////////////////////////////////////

	public String getCodeFor2fa() {
	return codeFor2fa;
	}

	@Override
	public void execute() throws ServerApiException {
	throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "This is an authentication api, cannot be used directly");
	}

	@Override
	public String getCommandName() {
	return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
	}

	@Override
	public long getEntityOwnerId() {
	return CallContext.current().getCallingAccount().getId();
	}

	@Override
	public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, HttpServletRequest req, HttpServletResponse resp) throws ServerApiException {
	String codeFor2FA = null;
	if (params.containsKey(ApiConstants.CODE_FOR_2FA)) {
	codeFor2FA = ((String[])params.get(ApiConstants.CODE_FOR_2FA))[0];
	}
	if (StringUtils.isEmpty(codeFor2FA)) {
	throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, "Code for two factor authentication is required");
	}

	final long currentUserId = (Long) session.getAttribute("userid");
	final UserAccount currentUserAccount = _accountService.getUserAccountById(currentUserId);
	boolean setupPhase = false;
	Map<String, String> userDetails = currentUserAccount.getDetails();
	if (userDetails.containsKey(UserDetailVO.Setup2FADetail) && userDetails.get(UserDetailVO.Setup2FADetail).equals(UserAccountVO.Setup2FAstatus.ENABLED.name())) {
	setupPhase = true;
	}

	String serializedResponse = null;
	try {
	accountManager.verifyUsingTwoFactorAuthenticationCode(codeFor2FA, currentUserAccount.getDomainId(), currentUserId);
	SuccessResponse response = new SuccessResponse(getCommandName());
	setResponseObject(response);
	return ApiResponseSerializer.toSerializedString(response, responseType);
	} catch (final CloudTwoFactorAuthenticationException ex) {
	if (!setupPhase) {
	ApiServlet.invalidateHttpSession(session, "fall through to API key,");
	}
	String msg = String.format("%s", ex.getMessage() != null ?
	ex.getMessage() :
	"failed to authenticate user, check if two factor authentication code is correct");
	auditTrailSb.append(" " + ApiErrorCode.UNAUTHORIZED2FA + " " + msg);
	serializedResponse = _apiServer.getSerializedApiError(ApiErrorCode.UNAUTHORIZED2FA.getHttpCode(), msg, params, responseType);
	if (s_logger.isTraceEnabled()) {
	s_logger.trace(msg);
	}
	}
	ServerApiException exception = new ServerApiException(ApiErrorCode.UNAUTHORIZED2FA, serializedResponse);
	exception.setCSErrorCode(CSExceptionErrorCode.getCSErrCode(CloudTwoFactorAuthenticationException.class.getName()));
	throw exception;
	}

	@Override
	public APIAuthenticationType getAPIType() {
	return APIAuthenticationType.LOGIN_2FA_API;
	}

	@Override
	public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators) {
	}
	}