~graziano.obertelli/eucalyptus/lp683800

« back to all changes in this revision

Viewing changes to clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java

Committer: root
Date: 2010-12-17 23:31:56 UTC
mfrom: (1195.1.179 2.0.0)
Revision ID: root@gibson-20101217233156-hhj1nft2op2ty067

version bump, security fixes LP: #675372

files modified:
VERSION

clc/.project

clc/modules/bootstrap/eucalyptus-bootstrap.h

clc/modules/www/conf/eucalyptus-web-default.properties

clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/client/EucalyptusWebInterface.java

clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/client/UserInfoWeb.java

clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusManagement.java

clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java

eucalyptus.spec

net/vnetwork.c

Show diffs side-by-side

added added

removed removed

clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java

import com.eucalyptus.auth.Groups;

import com.eucalyptus.auth.UserInfo;

import com.eucalyptus.auth.Users;

import com.eucalyptus.auth.crypto.Crypto;

import com.eucalyptus.auth.principal.User;

import com.eucalyptus.bootstrap.HttpServerBootstrapper;

import com.eucalyptus.component.Component;

131

132

private static Properties props = new Properties();

132

133

private static long session_timeout_ms = 1000 * 60 * 60 * 24 * 14L; /* 2 weeks (TODO: put into config?) */

133

134

private static long pass_expiration_ms = 1000 * 60 * 60 * 24 * 365L; /* 1 year (TODO: put into config?) */

135

private static long recovery_expiration_ms = 1000 * 60 * 30; // 30 minutes (TODO: put into config?)

134

136

135

137

/* parameters to be read from config file */

136

138

private static String thanks_for_signup;

287

289

SessionInfo session = verifySession (sessionId);

288

290

UserInfoWeb requestingUser = verifyUser (session, session.getUserId(), true);

289

291

if ( !requestingUser.isAdministrator().booleanValue()) {

292

user.setAdministrator(false); // in case someone is trying to be sneaky

290

293

throw new SerializableException("Administrative privileges required");

291

294

} else {

292

295

admin = true;

296

299

/* add the user */

297

300

long now = System.currentTimeMillis();

298

301

user.setPasswordExpires( new Long(now + pass_expiration_ms) );

302

user.setConfirmationCode( Crypto.generateSessionToken( user.getUserName() ) );

299

303

EucalyptusManagement.addWebUser(user);

300

304

301

305

String response;

316

320

return response;

317

321

}

318

322

319

private String notifyUserRecovery(UserInfoWeb user)

323

private void notifyUserRecovery(UserInfoWeb user)

320

324

{

321

325

try {

322

326

String http_eucalyptus = ServletUtils.getRequestUrl(getThreadLocalRequest());

337

341

LOG.error ("Confirmation code for user '" + user.getUserName()

338

342

+ "' and address " + user.getEmail()

339

343

+ " is " + user.getConfirmationCode());

340

341

return "Internal problem (failed to notify " + user.getEmail() + " by email)";

342

344

}

343

return "Notified '" + user.getUserName() + "' by email, thank you.";

344

345

}

345

346

347

public String recoverPassword ( UserInfoWeb web_user )

350

351

throw new SerializableException("Invalid RPC arguments");

351

352

}

352

353

UserInfoWeb db_user;

354

try {

355

/* try login first */

356

db_user = EucalyptusManagement.getWebUser(web_user.getUserName());

357

} catch (Exception e) {

358

/* try email then */

359

db_user = EucalyptusManagement.getWebUserByEmail(web_user.getEmail());

354

String response;

355

if (web_user.getPassword()==null) { // someone is initiating password recovery

356

try {

357

UserInfoWeb db_user = EucalyptusManagement.getWebUser(web_user.getUserName());

358

if (db_user.getEmail().equalsIgnoreCase(web_user.getEmail())) {

359

long expires = System.currentTimeMillis() + recovery_expiration_ms;

360

db_user.setConfirmationCode(String.format("%015d", expires) + Crypto.generateSessionToken( db_user.getUserName() ) );

361

EucalyptusManagement.commitWebUser(db_user);

362

notifyUserRecovery(db_user);

363

}

364

} catch (Exception e) { } // pretend all is well regardless of the outcome

365

response = "Please, check your email for further instructions.";

366

367

} else { // someone is trying to change the password

368

String code = web_user.getConfirmationCode();

369

if (code==null) {

370

throw new SerializableException("Insufficient parameters");

371

}

372

UserInfoWeb db_user;

373

try {

374

db_user = EucalyptusManagement.getWebUserByCode(code);

375

long expires = Long.parseLong(code.substring(0, 15));

376

long now = System.currentTimeMillis();

377

if (now > expires) {

378

throw new SerializableException("Recovery attempt expired");

379

}

380

db_user.setConfirmationCode("-unset-"); // so the code cannot be reused

381

db_user.setPassword (web_user.getPassword());

382

db_user.setPasswordExpires( new Long(now + pass_expiration_ms) );

383

EucalyptusManagement.commitWebUser(db_user);

384

} catch (Exception e) {

385

throw new SerializableException("Incorrect code");

386

}

387

388

response = "Your password has been reset.";

360

389

}

361

db_user.setPassword (web_user.getPassword());

362

EucalyptusManagement.commitWebUser(db_user);

363

return notifyUserRecovery(db_user);

390

return response;

364

391

}

365

392

366

393

/* ensure the sessionId is (still) valid */

503

530

if (action.equals("recover") ||

504

531

action.equals("confirm")) {

505

532

UserInfoWeb user = EucalyptusManagement.getWebUserByCode(param);

506

String response;

533

String response = "OK";

507

534

508

535

if (action.equals("confirm")) {

509

536

if ( user != null ) {

510

537

user.setConfirmed(true);

511

}

512

if (user != null) {

538

user.setConfirmationCode("-unset-"); // so the code cannot be reused

513

539

EucalyptusManagement.commitWebUser(user);

514

540

}

515

541

response = "Your account is now active.";

516

} else {

517

if (user != null) {

518

user.setPassword (user.getPassword());

519

long now = System.currentTimeMillis();

520

user.setPasswordExpires( new Long(now + pass_expiration_ms) );

521

EucalyptusManagement.commitWebUser(user);

542

543

} else if (action.equals("recover")) { // this is just a way to verify that the code is valid (TODO: remove?)

544

if (user == null) {

545

throw new SerializableException("Invalid code");

522

546

}

523

547

response = "Your password has been reset.";

524

548

}

702

726

&& ! callerRecord.getUserName().equals(userName)) {

703

727

throw new SerializableException ("Operation restricted to owner and administrator");

704

728

}

705

706

// set expiration for admin setting password for the first time

707

if (oldRecord.isAdministrator() && oldRecord.getEmail().equalsIgnoreCase(UserInfo.BOGUS_ENTRY)) {

708

long now = System.currentTimeMillis();

709

oldRecord.setPasswordExpires( new Long(now + pass_expiration_ms) );

710

}

711

712

/* TODO: Any checks? */

729

730

// only an admin should be able to change this settings

731

if (callerRecord.isAdministrator()) {

732

733

// set password and expiration for admin when logging in for the first time

734

if (oldRecord.getEmail().equalsIgnoreCase(UserInfo.BOGUS_ENTRY)) {

735

long now = System.currentTimeMillis();

736

oldRecord.setPasswordExpires( new Long(now + pass_expiration_ms) );

737

oldRecord.setPassword (newRecord.getPassword());

738

}

739

740

// admin can reset pwd of another user, but

741

// to reset his own password he has to use

742

// "change password" functionality

743

if(!callerRecord.getUserName().equals(userName))

744

oldRecord.setPassword (newRecord.getPassword());

745

746

if(oldRecord.isAdministrator() != newRecord.isAdministrator())

747

oldRecord.setAdministrator(newRecord.isAdministrator());

748

if(oldRecord.isEnabled() != newRecord.isEnabled())

749

oldRecord.setEnabled(newRecord.isEnabled( ));

750

// once confirmed, cannot be unconfirmed; also, confirmation implies approval and enablement

751

if (!oldRecord.isConfirmed() && newRecord.isConfirmed()) {

752

oldRecord.setConfirmed(true);

753

oldRecord.setEnabled(true);

754

oldRecord.setApproved(true);

755

}

756

}

757

713

758

oldRecord.setRealName (newRecord.getRealName());

714

759

oldRecord.setEmail (newRecord.getEmail());

715

oldRecord.setPassword (newRecord.getPassword());

716

760

oldRecord.setTelephoneNumber (newRecord.getTelephoneNumber());

717

761

oldRecord.setAffiliation (newRecord.getAffiliation());

718

762

oldRecord.setProjectDescription (newRecord.getProjectDescription());

719

763

oldRecord.setProjectPIName (newRecord.getProjectPIName());

720

oldRecord.setAdministrator(newRecord.isAdministrator());

721

oldRecord.setEnabled(newRecord.isEnabled( ));

722

723

// once confirmed, cannot be unconfirmed; also, confirmation implies approval and enablement

724

if (!oldRecord.isConfirmed() && newRecord.isConfirmed()) {

725

oldRecord.setConfirmed(true);

726

oldRecord.setEnabled(true);

727

oldRecord.setApproved(true);

728

}

729

764

730

765

EucalyptusManagement.commitWebUser( oldRecord );

731

766

732

767

return "Account of user '" + userName + "' was updated";

Older »