From 6d242176363c2799a2829784387093dfe2fd2a78 Mon Sep 17 00:00:00 2001
From: Fabricio Duarte
Date: Mon, 21 Aug 2023 10:48:33 -0300
Subject: [PATCH] server: Allow admins to disable the 2FA of users in subdomains (#7870)
---
 .../java/com/cloud/user/AccountManagerImpl.java | 7 ++-----
 .../java/com/cloud/user/AccountManagerImplTest.java | 13 ++++++-------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index c20e2fc2abf..99896dc9827 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -3327,7 +3327,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 protected UserTwoFactorAuthenticationSetupResponse disableTwoFactorAuthentication(Long userId, Account caller, Account owner) {
 UserVO userVO = null;
 if (userId != null) {
- userVO = validateUser(userId, caller.getDomainId());
+ userVO = validateUser(userId);
 owner = _accountService.getActiveAccountById(userVO.getAccountId());
 } else {
 userId = CallContext.current().getCallingUserId();
@@ -3349,16 +3349,13 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 return response;
 }
- private UserVO validateUser(Long userId, Long domainId) {
+ private UserVO validateUser(Long userId) {
 UserVO user = null;
 if (userId != null) {
 user = _userDao.findById(userId);
 if (user == null) {
 throw new InvalidParameterValueException("Invalid user ID provided");
 }
- if (_accountDao.findById(user.getAccountId()).getDomainId() != domainId) {
- throw new InvalidParameterValueException("User doesn't belong to the specified account or domain");
- }
 }
 return user;
 }
diff --git a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
index c79b5069c2d..2f3a68e20af 100644
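Review bot: In the first AccountManagerImpl hunk, `owner` is reassigned from `_accountService.getActiveAccountById(userVO.getAccountId())` with no null check, and after this commit that value is the only thing the later access check has to decide whether the caller may clear the target user's 2FA. The check itself (`checkAccess(caller, null, true, owner)`, as the updated test verifies) sits further down in disableTwoFactorAuthentication, outside this hunk. If the lookup can return null for a disabled or removed account, which its name suggests but the patch does not show, the access check would run against a null owner. A guard right after the assignment would close that: `if (owner == null) { throw new InvalidParameterValueException("Unable to find an active account for the given user"); }`. A comment above the validateUser call, `// validateUser() only checks existence; authorization is enforced by checkAccess() below`, would also keep a later refactor from dropping the one remaining check.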
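Review bot: After the second AccountManagerImpl hunk, validateUser only confirms that the user row exists, but its name and missing documentation still read as if it vets the caller's right to act on that user. I would add a Javadoc that says so, for example `/** Looks up the user by ID and rejects unknown IDs. Performs no domain or ownership check; callers must run checkAccess() against the owning account. */`. The inner `if (userId != null)` is redundant for the one call site visible in this patch, which already tests it, so the method can fall through to `return null` only for callers not shown here. Note also that an unknown ID is rejected here before any access check runs, so the response presumably differs between a nonexistent user and one the caller may not manage; confirm that distinction is acceptable for this API.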
--- a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
+++ b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
@@ -875,19 +875,17 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
 @Test
 public void testDisableUserTwoFactorAuthentication() {
 Long userId = 1L;
+ Long accountId = 2L;
 UserVO userVO = Mockito.mock(UserVO.class);
 Account caller = Mockito.mock(Account.class);
+ Account owner = Mockito.mock(Account.class);
- AccountVO accountMock = Mockito.mock(AccountVO.class);
 Mockito.doNothing().when(accountManagerImpl).checkAccess(nullable(Account.class), Mockito.isNull(), nullable(Boolean.class), nullable(Account.class));
- Mockito.when(caller.getDomainId()).thenReturn(1L);
 Mockito.when(userDaoMock.findById(userId)).thenReturn(userVO);
- Mockito.when(userVO.getAccountId()).thenReturn(1L);
- Mockito.when(_accountDao.findById(1L)).thenReturn(accountMock);
- Mockito.when(accountMock.getDomainId()).thenReturn(1L);
- Mockito.when(_accountService.getActiveAccountById(1L)).thenReturn(caller);
+ Mockito.when(userVO.getAccountId()).thenReturn(accountId);
+ Mockito.when(_accountService.getActiveAccountById(accountId)).thenReturn(owner);
 userVoMock.setKeyFor2fa("EUJEAEDVOURFZTE6OGWVTJZMI54QGMIL");
 userVoMock.setUser2faProvider("totp");
@@ -895,8 +893,9 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
 Mockito.when(userDaoMock.createForUpdate()).thenReturn(userVoMock);
- UserTwoFactorAuthenticationSetupResponse response = accountManagerImpl.disableTwoFactorAuthentication(userId, caller, caller);
+ UserTwoFactorAuthenticationSetupResponse response = accountManagerImpl.disableTwoFactorAuthentication(userId, caller, owner);
+ Mockito.verify(accountManagerImpl).checkAccess(caller, null, true, owner);
 Assert.assertNull(response.getSecretCode());
 Assert.assertNull(userVoMock.getKeyFor2fa());
 Assert.assertNull(userVoMock.getUser2faProvider());
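Review bot: The updated test stubs checkAccess with `doNothing()`, so the denial path is never exercised, even though it carries the whole authorization decision now that the domain comparison in validateUser is gone. The added `Mockito.verify(accountManagerImpl).checkAccess(caller, null, true, owner)` in the second hunk proves the call is made with the looked-up owner, but not that a refusal stops the 2FA reset. A companion test in which checkAccess throws would pin that a caller without rights over the owner cannot clear another user's 2FA. The sketch below assumes checkAccess signals denial with PermissionDeniedException, which this patch does not show.

```java
@Test(expected = PermissionDeniedException.class)
public void testDisableUserTwoFactorAuthenticationDeniedWhenCallerLacksAccessToOwner() {
    Long userId = 1L;
    Long accountId = 2L;
    UserVO userVO = Mockito.mock(UserVO.class);
    Account caller = Mockito.mock(Account.class);
    Account owner = Mockito.mock(Account.class);

    Mockito.when(userDaoMock.findById(userId)).thenReturn(userVO);
    Mockito.when(userVO.getAccountId()).thenReturn(accountId);
    Mockito.when(_accountService.getActiveAccountById(accountId)).thenReturn(owner);
    // The access check is the only gate left, so make it refuse.
    Mockito.doThrow(PermissionDeniedException.class).when(accountManagerImpl)
            .checkAccess(nullable(Account.class), Mockito.isNull(), nullable(Boolean.class), nullable(Account.class));

    accountManagerImpl.disableTwoFactorAuthentication(userId, caller, owner);
}
```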