Merge pull request #8633 from kaltura/Orion-15.3.0-PLAT-9942

PLAT-9942:Add 2FA support to AdminUser->updatePassword and user->upd…

alpha/lib/model/UserLoginDataPeer.php

@@ -17,6 +17,8 @@ class UserLoginDataPeer extends BaseUserLoginDataPeer implements IRelatedObjectP
 {
 	const KALTURAS_CMS_PASSWORD_RESET = 51;
 	const LAST_LOGIN_TIME_UPDATE_INTERVAL = 600; // 10 Minutes
+	const OTP_MISSING = 'otp is missing';
+	const OTP_INVALID = 'otp is invalid';
 
 	public static function generateNewPassword()
 	{
@@ -82,7 +84,7 @@ private static function emailResetPassword($partner_id, $cms_email, $user_name,
 		);
 	}
 
-	public static function updateLoginData($oldLoginEmail, $oldPassword, $newLoginEmail = null, $newPassword = null, $newFirstName = null, $newLastName = null)
+	public static function updateLoginData($oldLoginEmail, $oldPassword, $newLoginEmail = null, $newPassword = null, $newFirstName = null, $newLastName = null, $otp = null)
 	{
 		// if email is null, no need to do any DB queries
 		if (!$oldLoginEmail) {
@@ -120,7 +122,7 @@ public static function updateLoginData($oldLoginEmail, $oldPassword, $newLoginEm
 		}
 
 		self::checkPasswordValidation ( $newPassword, $loginData );
-				 
+		self::validate2FA($loginData, $otp);
 		// update password if requested
 		if ($newPassword && $newPassword != $oldPassword) {
 			$password = $loginData->resetPassword($newPassword, $oldPassword);
@@ -153,7 +155,25 @@ public static function updateLoginData($oldLoginEmail, $oldPassword, $newLoginEm
 
 		return $loginData;
 	}
-
+
+	protected static function validate2FA($loginData, $otp)
+	{
+
+		$dbUser =  kuserPeer::getAdminUser($loginData->getConfigPartnerId(), $loginData);
+		if ($dbUser && $loginData->isTwoFactorAuthenticationRequired($dbUser))
+		{
+			if(!$otp)
+			{
+				throw new kUserException (self::OTP_MISSING, kUserException::MISSING_OTP);
+			}
+			$result = authenticationUtils::verify2FACode($loginData, $otp);
+			if (!$result)
+			{
+				throw new kUserException (self::OTP_INVALID, kUserException::INVALID_OTP);
+			}
+		}
+	}
+
 	public static function checkPasswordValidation($newPassword, $loginData) {
 		// check that new password structure is valid
 		if ($newPassword && 

api_v3/lib/KalturaBaseUserService.php

@@ -40,15 +40,18 @@ public function initService($serviceId, $serviceName, $actionName)
 	 * @param string $newPassword
 	 * @param string $newFirstName Optional, provide only when you want to update the first name
 	 * @param string $newLastName Optional, provide only when you want to update the last name
+	 * @param string $otp the user's one-time password
 	 *
 	 * @throws KalturaErrors::INVALID_FIELD_VALUE
 	 * @throws KalturaErrors::LOGIN_DATA_NOT_FOUND
 	 * @throws KalturaErrors::WRONG_OLD_PASSWORD
 	 * @throws KalturaErrors::PASSWORD_STRUCTURE_INVALID
 	 * @throws KalturaErrors::PASSWORD_ALREADY_USED
 	 * @throws KalturaErrors::LOGIN_ID_ALREADY_USED
+	 * @throws KalturaErrors::INVALID_OTP
+	 * @throws KalturaErrors::MISSING_OTP
 	 */
-	protected function updateLoginDataImpl( $email , $password , $newEmail = "" , $newPassword = "", $newFirstName = null, $newLastName = null)
+	protected function updateLoginDataImpl( $email , $password , $newEmail = "" , $newPassword = "", $newFirstName = null, $newLastName = null, $otp = null)
 	{
 		KalturaResponseCacher::disableCache();
 
@@ -61,7 +64,7 @@ protected function updateLoginDataImpl( $email , $password , $newEmail = "" , $n
 		}
 
 		try {
-			UserLoginDataPeer::updateLoginData ( $email , $password, $newEmail, $newPassword, $newFirstName, $newLastName);
+			UserLoginDataPeer::updateLoginData ( $email , $password, $newEmail, $newPassword, $newFirstName, $newLastName, $otp);
 		}
 		catch (kUserException $e) {
 			$code = $e->getCode();
@@ -90,6 +93,14 @@ protected function updateLoginDataImpl( $email , $password , $newEmail = "" , $n
 			else if ($code == kUserException::LOGIN_ID_ALREADY_USED) {
 				throw new KalturaAPIException(KalturaErrors::LOGIN_ID_ALREADY_USED);
 			}
+			else if ($code === kUserException::INVALID_OTP)
+			{
+				throw new KalturaAPIException(KalturaErrors::INVALID_OTP);
+			}
+			else if ($code === kUserException::MISSING_OTP)
+			{
+				throw new KalturaAPIException(KalturaErrors::MISSING_OTP);
+			}
 			throw $e;			
 		}
 	}

api_v3/services/AdminUserService.php

@@ -60,6 +60,7 @@ private function throwTranslatedException(KalturaAPIException $e)
 	 * @param string $password
 	 * @param string $newEmail Optional, provide only when you want to update the email
 	 * @param string $newPassword
+	 * @param string $otp the user's one-time password
 	 * @return KalturaAdminUser
 	 * @ksIgnored
 	 *
@@ -70,14 +71,16 @@ private function throwTranslatedException(KalturaAPIException $e)
 	 * @throws KalturaErrors::PASSWORD_ALREADY_USED
 	 * @throws KalturaErrors::INVALID_FIELD_VALUE
 	 * @throws KalturaErrors::LOGIN_ID_ALREADY_USED
+	 * @throws KalturaErrors::INVALID_OTP
+	 * @throws KalturaErrors::MISSING_OTP
 	 * 
 	 * @deprecated
 	 */
-	public function updatePasswordAction( $email , $password , $newEmail = "" , $newPassword = "" )
+	public function updatePasswordAction( $email , $password , $newEmail = "" , $newPassword = "", $otp = null)
 	{
 		try
 		{
-			parent::updateLoginDataImpl($email, $password, $newEmail, $newPassword);
+			parent::updateLoginDataImpl($email, $password, $newEmail, $newPassword, null, null, $otp);
 
 			// copy required parameters to a KalturaAdminUser object for backward compatibility
 			$adminUser = new KalturaAdminUser();

api_v3/services/UserService.php

@@ -330,6 +330,7 @@ public function loginByLoginIdAction($loginId, $password, $partnerId = null, $ex
 	 * @param string $newPassword Optional, The user's new password
 	 * @param string $newFirstName Optional, The user's new first name
 	 * @param string $newLastName Optional, The user's new last name
+	 * @param string $otp the user's one-time password
 	 * @ksIgnored
 	 *
 	 * @throws KalturaErrors::INVALID_FIELD_VALUE
@@ -338,10 +339,12 @@ public function loginByLoginIdAction($loginId, $password, $partnerId = null, $ex
 	 * @throws KalturaErrors::PASSWORD_STRUCTURE_INVALID
 	 * @throws KalturaErrors::PASSWORD_ALREADY_USED
 	 * @throws KalturaErrors::LOGIN_ID_ALREADY_USED
+	 * @throws KalturaErrors::INVALID_OTP
+	 * @throws KalturaErrors::MISSING_OTP
 	 */
-	public function updateLoginDataAction( $oldLoginId , $password , $newLoginId = "" , $newPassword = "", $newFirstName = null, $newLastName = null)
+	public function updateLoginDataAction( $oldLoginId , $password , $newLoginId = "" , $newPassword = "", $newFirstName = null, $newLastName = null, $otp = null)
 	{	
-		return parent::updateLoginDataImpl($oldLoginId , $password , $newLoginId, $newPassword, $newFirstName, $newLastName);
+		return parent::updateLoginDataImpl($oldLoginId , $password , $newLoginId, $newPassword, $newFirstName, $newLastName, $otp);
 	}
 
 	/**