From 52584d93dc785452cc87013103bd2b09372763b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernardo=20De=20Marco=20Gon=C3=A7alves?= Date: Wed, 4 Dec 2024 07:17:27 -0300 Subject: [PATCH] Prevent password updates for SAML and LDAP users (#9999) --- .../com/cloud/user/AccountManagerImpl.java | 8 +++++ .../cloud/user/AccountManagerImplTest.java | 30 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index 412a5b58282..c21d8b830dd 100644 --- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java +++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java @@ -1459,6 +1459,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M * * @@ -1473,6 +1475,12 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("Password cannot be empty or blank."); } + User.Source userSource = user.getSource(); + if (userSource == User.Source.SAML2 || userSource == User.Source.SAML2DISABLED || userSource == User.Source.LDAP) { + s_logger.warn(String.format("Unable to update the password for user [%d], as its source is [%s].", user.getId(), user.getSource().toString())); + throw new InvalidParameterValueException("CloudStack does not support updating passwords for SAML or LDAP users. Please contact your cloud administrator for assistance."); + } + passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(newPassword, user.getUsername(), getAccount(user.getAccountId()).getDomainId()); Account callingAccount = getCurrentCallingAccount(); diff --git a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java index 3ecb4f2f1cf..a98d187b5a9 100644 --- a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java +++ b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java @@ -745,6 +745,36 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase { accountManagerImpl.validateUserPasswordAndUpdateIfNeeded(newPassword, userVoMock, currentPassword); } + @Test(expected = InvalidParameterValueException.class) + public void validateUserPasswordAndUpdateIfNeededTestSaml2UserShouldNotBeAllowedToUpdateTheirPassword() { + String newPassword = "newPassword"; + String currentPassword = "theCurrentPassword"; + + Mockito.when(userVoMock.getSource()).thenReturn(User.Source.SAML2); + + accountManagerImpl.validateUserPasswordAndUpdateIfNeeded(newPassword, userVoMock, currentPassword); + } + + @Test(expected = InvalidParameterValueException.class) + public void validateUserPasswordAndUpdateIfNeededTestSaml2DisabledUserShouldNotBeAllowedToUpdateTheirPassword() { + String newPassword = "newPassword"; + String currentPassword = "theCurrentPassword"; + + Mockito.when(userVoMock.getSource()).thenReturn(User.Source.SAML2DISABLED); + + accountManagerImpl.validateUserPasswordAndUpdateIfNeeded(newPassword, userVoMock, currentPassword); + } + + @Test(expected = InvalidParameterValueException.class) + public void validateUserPasswordAndUpdateIfNeededTestLdapUserShouldNotBeAllowedToUpdateTheirPassword() { + String newPassword = "newPassword"; + String currentPassword = "theCurrentPassword"; + + Mockito.when(userVoMock.getSource()).thenReturn(User.Source.LDAP); + + accountManagerImpl.validateUserPasswordAndUpdateIfNeeded(newPassword, userVoMock, currentPassword); + } + private String configureUserMockAuthenticators(String newPassword) { accountManagerImpl._userPasswordEncoders = new ArrayList<>(); UserAuthenticator authenticatorMock1 = Mockito.mock(UserAuthenticator.class);