<feature>[ldap]: refactor LDAP login logic and add two-factor authentication support

1. Extract common method findAccountThirdPartyAccountSourceRefByName
   - Extract the logic of finding third-party account source reference from login method into a standalone method
   - Unify account lookup logic in both login and collectUserInfoIntoContext methods

2. Add two-factor authentication support
   - getRequiredAdditionalAuthFeature method now returns a list containing both basicLoginControl and twoFactor
   - Support two-factor authentication for LDAP login

Resolves: ZSV-11833

Change-Id: I7578626465676e6569686a786271786b64667179

Author: Chen, Taiyue

plugin/ldap/src/main/java/org/zstack/ldap/LdapManager.java

@@ -2,6 +2,7 @@
 
 import org.zstack.core.Platform;
 import org.zstack.header.errorcode.ErrorableValue;
+import org.zstack.identity.imports.entity.AccountThirdPartyAccountSourceRefVO;
 import org.zstack.ldap.driver.LdapUtil;
 import org.zstack.ldap.entity.LdapServerVO;
 
@@ -10,7 +11,7 @@
  */
 public interface LdapManager {
     boolean isValid(String uid, String password);
-
+    ErrorableValue<AccountThirdPartyAccountSourceRefVO> findAccountThirdPartyAccountSourceRefByName(String ldapLoginName, String ldapLoginPassword);
     ErrorableValue<String> findCurrentLdapServerUuid();
     ErrorableValue<LdapServerVO> findCurrentLdapServer();
 

plugin/ldap/src/main/java/org/zstack/ldap/LdapManagerImpl.java

@@ -15,6 +15,7 @@
 import org.zstack.header.core.ReturnValueCompletion;
 import org.zstack.header.errorcode.ErrorCode;
 import org.zstack.header.errorcode.ErrorableValue;
+import org.zstack.header.errorcode.OperationFailureException;
 import org.zstack.header.identity.*;
 import org.zstack.header.identity.login.*;
 import org.zstack.header.message.APIMessage;
@@ -407,44 +408,49 @@ public LoginType getLoginType() {
         return loginType;
     }
 
-    @Override
-    public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionInfo> completion) {
+    public ErrorableValue<AccountThirdPartyAccountSourceRefVO> findAccountThirdPartyAccountSourceRefByName(String ldapLoginName, String ldapLoginPassword) {
         final ErrorableValue<LdapServerVO> currentLdapServer = findCurrentLdapServer();
         if (!currentLdapServer.isSuccess()) {
-            logger.debug("failed to login by LDAP: failed to find current LdapServer: " + currentLdapServer.error.getDetails());
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
-                    "Login validation failed in LDAP"));
-            return;
+            return ErrorableValue.ofErrorCode(currentLdapServer.error);
         }
         final LdapServerVO ldap = currentLdapServer.result;
 
-        String ldapLoginName = loginContext.getUsername();
-        if (!isValid(ldapLoginName, loginContext.getPassword())) {
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
-                    "Login validation failed in LDAP"));
-            return;
-        }
-
         String dn = createDriver().getFullUserDn(ldap, ldap.getUsernameProperty(), ldapLoginName);
         AccountThirdPartyAccountSourceRefVO vo = Q.New(AccountThirdPartyAccountSourceRefVO.class)
                 .eq(AccountThirdPartyAccountSourceRefVO_.credentials, dn)
                 .eq(AccountThirdPartyAccountSourceRefVO_.accountSourceUuid, ldap.getUuid())
                 .find();
 
         if (vo == null) {
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
+            return ErrorableValue.ofErrorCode(err(IdentityErrors.AUTHENTICATION_ERROR,
                     "The ldapUid does not have a binding account."));
+        }
+        return ErrorableValue.of(vo);
+    }
+
+    @Override
+    public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionInfo> completion) {
+        if (!isValid(loginContext.getUsername(), loginContext.getPassword())) {
+            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
+                    "Login validation failed in LDAP"));
             return;
         }
 
+        final ErrorableValue<AccountThirdPartyAccountSourceRefVO> accountThirdPartyAccountSourceRef = findAccountThirdPartyAccountSourceRefByName(loginContext.getUsername(), loginContext.getPassword());
+
+        if  (!accountThirdPartyAccountSourceRef.isSuccess()) {
+            completion.fail(accountThirdPartyAccountSourceRef.error);
+            return;
+        }
+        String accountUuid = accountThirdPartyAccountSourceRef.result.getAccountUuid();
         final AccountState state = Q.New(AccountVO.class)
-                .eq(AccountVO_.uuid, vo.getAccountUuid())
+                .eq(AccountVO_.uuid, accountUuid)
                 .select(AccountVO_.state)
                 .findValue();
 
         if (state == null || state == AccountState.Staled) {
             completion.fail(operr(
-                    "Account[uuid:%s] Not Found!!!", vo.getAccountUuid()));
+                    "Account[uuid:%s] Not Found!!!", accountUuid));
             return;
         }
         if (state == AccountState.Disabled) {
@@ -453,7 +459,7 @@ public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionI
         }
 
         LoginSessionInfo info = new LoginSessionInfo();
-        info.setAccountUuid(vo.getAccountUuid());
+        info.setAccountUuid(accountUuid);
         completion.success(info);
     }
 
@@ -468,21 +474,39 @@ public boolean authenticate(String username, String password) {
 
     @Override
     public String getAccountIdByName(String username) {
-        final ErrorableValue<LdapServerVO> property = findCurrentLdapServer();
-        if (property.isSuccess()) {
-            final String fullUserDn = createDriver().getFullUserDn(property.result, username);
-            return "".equals(fullUserDn) ? null : fullUserDn;
+        final ErrorableValue<LdapServerVO> currentLdapServer = findCurrentLdapServer();
+        if (!currentLdapServer.isSuccess()) {
+            return null;
+        }
+        final LdapServerVO ldap = currentLdapServer.result;
+
+        String dn = createDriver().getFullUserDn(ldap, ldap.getUsernameProperty(), username);
+        if (dn == null || dn.isEmpty()) {
+            return null;
         }
-        return null;
+
+        String accountUuid = Q.New(AccountThirdPartyAccountSourceRefVO.class)
+                .select(AccountThirdPartyAccountSourceRefVO_.accountUuid)
+                .eq(AccountThirdPartyAccountSourceRefVO_.credentials, dn)
+                .eq(AccountThirdPartyAccountSourceRefVO_.accountSourceUuid, ldap.getUuid())
+                .findValue();
+        return accountUuid;
     }
 
     @Override
     public void collectUserInfoIntoContext(LoginContext loginContext) {
-        loginContext.setAccountUuid(getAccountIdByName(loginContext.getUsername()));
+        ErrorableValue<AccountThirdPartyAccountSourceRefVO> accountThirdPartyAccountSourceRef = findAccountThirdPartyAccountSourceRefByName(loginContext.getUsername(), loginContext.getPassword());
+        if (!accountThirdPartyAccountSourceRef.isSuccess()) {
+            throw new OperationFailureException(accountThirdPartyAccountSourceRef.error);
+        }
+        if (accountThirdPartyAccountSourceRef.result == null) {
+            return;
+        }
+        loginContext.setAccountUuid(accountThirdPartyAccountSourceRef.result.getAccountUuid());
     }
 
     @Override
     public List<AdditionalAuthFeature> getRequiredAdditionalAuthFeature() {
-        return Collections.singletonList(LoginAuthConstant.basicLoginControl);
+        return Arrays.asList(LoginAuthConstant.basicLoginControl, LoginAuthConstant.twoFactor);
     }
 }

sdk/src/main/java/org/zstack/sdk/GetTwoFactorAuthenticationSecretAction.java

@@ -37,6 +37,9 @@ public Result throwExceptionIfError() {
     @Param(required = false, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String verifyCode;
 
+    @Param(required = true, validValues = {"account","ldap"}, nonempty = true, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String type;
+
     @Param(required = false)
     public java.util.List systemTags;
 

sdk/src/main/java/org/zstack/sdk/ResetTwoFactorAuthenticationSecretAction.java

@@ -37,6 +37,9 @@ public Result throwExceptionIfError() {
     @Param(required = false, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String verifyCode;
 
+    @Param(required = true, validValues = {"account","ldap"}, nonempty = true, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String type;
+
     @Param(required = false)
     public java.util.List systemTags;