69
69
import com.eucalyptus.auth.Groups;
70
70
import com.eucalyptus.auth.UserInfo;
71
71
import com.eucalyptus.auth.Users;
72
import com.eucalyptus.auth.crypto.Crypto;
72
73
import com.eucalyptus.auth.principal.User;
73
74
import com.eucalyptus.bootstrap.HttpServerBootstrapper;
74
75
import com.eucalyptus.component.Component;
131
132
private static Properties props = new Properties();
132
133
private static long session_timeout_ms = 1000 * 60 * 60 * 24 * 14L; /* 2 weeks (TODO: put into config?) */
133
134
private static long pass_expiration_ms = 1000 * 60 * 60 * 24 * 365L; /* 1 year (TODO: put into config?) */
135
private static long recovery_expiration_ms = 1000 * 60 * 30; // 30 minutes (TODO: put into config?)
135
137
/* parameters to be read from config file */
136
138
private static String thanks_for_signup;
287
289
SessionInfo session = verifySession (sessionId);
288
290
UserInfoWeb requestingUser = verifyUser (session, session.getUserId(), true);
289
291
if ( !requestingUser.isAdministrator().booleanValue()) {
292
user.setAdministrator(false); // in case someone is trying to be sneaky
290
293
throw new SerializableException("Administrative privileges required");
337
341
LOG.error ("Confirmation code for user '" + user.getUserName()
338
342
+ "' and address " + user.getEmail()
339
343
+ " is " + user.getConfirmationCode());
341
return "Internal problem (failed to notify " + user.getEmail() + " by email)";
343
return "Notified '" + user.getUserName() + "' by email, thank you.";
346
347
public String recoverPassword ( UserInfoWeb web_user )
350
351
throw new SerializableException("Invalid RPC arguments");
355
/* try login first */
356
db_user = EucalyptusManagement.getWebUser(web_user.getUserName());
357
} catch (Exception e) {
359
db_user = EucalyptusManagement.getWebUserByEmail(web_user.getEmail());
355
if (web_user.getPassword()==null) { // someone is initiating password recovery
357
UserInfoWeb db_user = EucalyptusManagement.getWebUser(web_user.getUserName());
358
if (db_user.getEmail().equalsIgnoreCase(web_user.getEmail())) {
359
long expires = System.currentTimeMillis() + recovery_expiration_ms;
360
db_user.setConfirmationCode(String.format("%015d", expires) + Crypto.generateSessionToken( db_user.getUserName() ) );
361
EucalyptusManagement.commitWebUser(db_user);
362
notifyUserRecovery(db_user);
364
} catch (Exception e) { } // pretend all is well regardless of the outcome
365
response = "Please, check your email for further instructions.";
367
} else { // someone is trying to change the password
368
String code = web_user.getConfirmationCode();
370
throw new SerializableException("Insufficient parameters");
374
db_user = EucalyptusManagement.getWebUserByCode(code);
375
long expires = Long.parseLong(code.substring(0, 15));
376
long now = System.currentTimeMillis();
378
throw new SerializableException("Recovery attempt expired");
380
db_user.setConfirmationCode("-unset-"); // so the code cannot be reused
381
db_user.setPassword (web_user.getPassword());
382
db_user.setPasswordExpires( new Long(now + pass_expiration_ms) );
383
EucalyptusManagement.commitWebUser(db_user);
384
} catch (Exception e) {
385
throw new SerializableException("Incorrect code");
388
response = "Your password has been reset.";
361
db_user.setPassword (web_user.getPassword());
362
EucalyptusManagement.commitWebUser(db_user);
363
return notifyUserRecovery(db_user);
366
393
/* ensure the sessionId is (still) valid */
503
530
if (action.equals("recover") ||
504
531
action.equals("confirm")) {
505
532
UserInfoWeb user = EucalyptusManagement.getWebUserByCode(param);
533
String response = "OK";
508
535
if (action.equals("confirm")) {
509
536
if ( user != null ) {
510
537
user.setConfirmed(true);
538
user.setConfirmationCode("-unset-"); // so the code cannot be reused
513
539
EucalyptusManagement.commitWebUser(user);
515
541
response = "Your account is now active.";
518
user.setPassword (user.getPassword());
519
long now = System.currentTimeMillis();
520
user.setPasswordExpires( new Long(now + pass_expiration_ms) );
521
EucalyptusManagement.commitWebUser(user);
543
} else if (action.equals("recover")) { // this is just a way to verify that the code is valid (TODO: remove?)
545
throw new SerializableException("Invalid code");
523
547
response = "Your password has been reset.";
702
726
&& ! callerRecord.getUserName().equals(userName)) {
703
727
throw new SerializableException ("Operation restricted to owner and administrator");
706
// set expiration for admin setting password for the first time
707
if (oldRecord.isAdministrator() && oldRecord.getEmail().equalsIgnoreCase(UserInfo.BOGUS_ENTRY)) {
708
long now = System.currentTimeMillis();
709
oldRecord.setPasswordExpires( new Long(now + pass_expiration_ms) );
712
/* TODO: Any checks? */
730
// only an admin should be able to change this settings
731
if (callerRecord.isAdministrator()) {
733
// set password and expiration for admin when logging in for the first time
734
if (oldRecord.getEmail().equalsIgnoreCase(UserInfo.BOGUS_ENTRY)) {
735
long now = System.currentTimeMillis();
736
oldRecord.setPasswordExpires( new Long(now + pass_expiration_ms) );
737
oldRecord.setPassword (newRecord.getPassword());
740
// admin can reset pwd of another user, but
741
// to reset his own password he has to use
742
// "change password" functionality
743
if(!callerRecord.getUserName().equals(userName))
744
oldRecord.setPassword (newRecord.getPassword());
746
if(oldRecord.isAdministrator() != newRecord.isAdministrator())
747
oldRecord.setAdministrator(newRecord.isAdministrator());
748
if(oldRecord.isEnabled() != newRecord.isEnabled())
749
oldRecord.setEnabled(newRecord.isEnabled( ));
750
// once confirmed, cannot be unconfirmed; also, confirmation implies approval and enablement
751
if (!oldRecord.isConfirmed() && newRecord.isConfirmed()) {
752
oldRecord.setConfirmed(true);
753
oldRecord.setEnabled(true);
754
oldRecord.setApproved(true);
713
758
oldRecord.setRealName (newRecord.getRealName());
714
759
oldRecord.setEmail (newRecord.getEmail());
715
oldRecord.setPassword (newRecord.getPassword());
716
760
oldRecord.setTelephoneNumber (newRecord.getTelephoneNumber());
717
761
oldRecord.setAffiliation (newRecord.getAffiliation());
718
762
oldRecord.setProjectDescription (newRecord.getProjectDescription());
719
763
oldRecord.setProjectPIName (newRecord.getProjectPIName());
720
oldRecord.setAdministrator(newRecord.isAdministrator());
721
oldRecord.setEnabled(newRecord.isEnabled( ));
723
// once confirmed, cannot be unconfirmed; also, confirmation implies approval and enablement
724
if (!oldRecord.isConfirmed() && newRecord.isConfirmed()) {
725
oldRecord.setConfirmed(true);
726
oldRecord.setEnabled(true);
727
oldRecord.setApproved(true);
730
765
EucalyptusManagement.commitWebUser( oldRecord );
732
767
return "Account of user '" + userName + "' was updated";