Fix NPE during reset password (#12585)

Author: sureshanaparti

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java

@@ -177,12 +177,8 @@ private String doOauthAuthentication(HttpSession session, Long domainId, String
 
     protected Long getDomainIdFromParams(Map<String, Object[]> params, StringBuilder auditTrailSb, String responseType) {
         String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
-
-        if (domainIdArr == null) {
-            domainIdArr = (String[])params.get(ApiConstants.DOMAIN__ID);
-        }
         Long domainId = null;
-        if ((domainIdArr != null) && (domainIdArr.length > 0)) {
+        if (domainIdArr != null && domainIdArr.length > 0) {
             try {
                 //check if UUID is passed in for domain
                 domainId = _apiServer.fetchDomainId(domainIdArr[0]);

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java

@@ -158,11 +158,17 @@ public String authenticate(final String command, final Map<String, Object[]> par
                 String domainPath = null;
 
                 if (params.containsKey(ApiConstants.IDP_ID)) {
-                    idpId = ((String[])params.get(ApiConstants.IDP_ID))[0];
+                    String[] idpIds = (String[])params.get(ApiConstants.IDP_ID);
+                    if (idpIds != null && idpIds.length > 0) {
+                        idpId = idpIds[0];
+                    }
                 }
 
                 if (params.containsKey(ApiConstants.DOMAIN)) {
-                    domainPath = ((String[])params.get(ApiConstants.DOMAIN))[0];
+                    String[] domainPaths = (String[])params.get(ApiConstants.DOMAIN);
+                    if (domainPaths != null && domainPaths.length > 0) {
+                        domainPath = domainPaths[0];
+                    }
                 }
 
                 if (domainPath != null && !domainPath.isEmpty()) {

server/src/main/java/com/cloud/api/ApiServlet.java

@@ -34,6 +34,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import com.cloud.api.auth.DefaultForgotPasswordAPIAuthenticatorCmd;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ApiServerService;
@@ -164,7 +165,6 @@ private void checkSingleQueryParameterValue(Map<String, String[]> params) {
                 LOGGER.warn(message);
             }
         });
-
     }
 
     void processRequestInContext(final HttpServletRequest req, final HttpServletResponse resp) {
@@ -226,7 +226,6 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
             }
 
             if (command != null && !command.equals(ValidateUserTwoFactorAuthenticationCodeCmd.APINAME)) {
-
                 APIAuthenticator apiAuthenticator = authManager.getAPIAuthenticator(command);
                 if (apiAuthenticator != null) {
                     auditTrailSb.append("command=");
@@ -262,7 +261,9 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                     } catch (ServerApiException e) {
                         httpResponseCode = e.getErrorCode().getHttpCode();
                         responseString = e.getMessage();
-                        LOGGER.debug("Authentication failure: " + e.getMessage());
+                        if (!DefaultForgotPasswordAPIAuthenticatorCmd.APINAME.equalsIgnoreCase(command) || StringUtils.isNotBlank(username)) {
+                            LOGGER.debug("Authentication failure: {}", e.getMessage());
+                        }
                     }
 
                     if (apiAuthenticator.getAPIType() == APIAuthenticationType.LOGOUT_API) {
@@ -330,7 +331,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                     }
                 }
 
-                if (! requestChecksoutAsSane(resp, auditTrailSb, responseType, params, session, command, userId, account, accountObj))
+                if (!requestChecksoutAsSane(resp, auditTrailSb, responseType, params, session, command, userId, account, accountObj))
                     return;
             } else {
                 CallContext.register(accountMgr.getSystemUser(), accountMgr.getSystemAccount());
@@ -360,7 +361,6 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                         apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED, "unable to verify user credentials and/or request signature", params,
                                 responseType);
                 HttpUtils.writeHttpResponse(resp, serializedResponse, HttpServletResponse.SC_UNAUTHORIZED, responseType, ApiServer.JSONcontentType.value());
-
             }
         } catch (final ServerApiException se) {
             final String serializedResponseText = apiServer.getSerializedApiError(se, params, responseType);
@@ -550,6 +550,9 @@ public static void invalidateHttpSession(HttpSession session, String msg) {
             if (LOGGER.isTraceEnabled()) {
                 LOGGER.trace(msg);
             }
+            if (session == null) {
+                return;
+            }
             session.invalidate();
         } catch (final IllegalStateException ise) {
             if (LOGGER.isTraceEnabled()) {

server/src/main/java/com/cloud/api/auth/DefaultForgotPasswordAPIAuthenticatorCmd.java

@@ -44,13 +44,13 @@
 import java.util.List;
 import java.util.Map;
 
-@APICommand(name = "forgotPassword",
+@APICommand(name = DefaultForgotPasswordAPIAuthenticatorCmd.APINAME,
         description = "Sends an email to the user with a token to reset the password using resetPassword command.",
         since = "4.20.0.0",
         requestHasSensitiveInfo = true,
         responseObject = SuccessResponse.class)
 public class DefaultForgotPasswordAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
-
+    public static final String APINAME = "forgotPassword";
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -108,10 +108,12 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
                 if (userDomain != null) {
                     domainId = userDomain.getId();
                 } else {
+                    logger.debug("Unable to find the domain from the path {}", domain);
                     throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Unable to find the domain from the path %s", domain));
                 }
                 final UserAccount userAccount = _accountService.getActiveUserAccount(username[0], domainId);
                 if (userAccount != null && List.of(User.Source.SAML2, User.Source.OAUTH2, User.Source.LDAP).contains(userAccount.getSource())) {
+                    logger.debug("Forgot Password is not allowed for the user {} from source {}", username[0], userAccount.getSource());
                     throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Forgot Password is not allowed for this user");
                 }
                 boolean success = _apiServer.forgotPassword(userAccount, userDomain);

server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java

@@ -47,7 +47,6 @@
 @APICommand(name = "login", description = "Logs a user into the CloudStack. A successful login attempt will generate a JSESSIONID cookie value that can be passed in subsequent Query command calls until the \"logout\" command has been issued or the session has expired.", requestHasSensitiveInfo = true, responseObject = LoginCmdResponse.class, entityType = {})
 public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
 
-
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
@@ -107,17 +106,13 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
         if (HTTPMethod.valueOf(req.getMethod()) != HTTPMethod.POST) {
             throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "Please use HTTP POST to authenticate using this API");
         }
+
         // FIXME: ported from ApiServlet, refactor and cleanup
         final String[] username = (String[])params.get(ApiConstants.USERNAME);
         final String[] password = (String[])params.get(ApiConstants.PASSWORD);
-        String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
-
-        if (domainIdArr == null) {
-            domainIdArr = (String[])params.get(ApiConstants.DOMAIN__ID);
-        }
-        final String[] domainName = (String[])params.get(ApiConstants.DOMAIN);
+        final String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
         Long domainId = null;
-        if ((domainIdArr != null) && (domainIdArr.length > 0)) {
+        if (domainIdArr != null && domainIdArr.length > 0) {
             try {
                 //check if UUID is passed in for domain
                 domainId = _apiServer.fetchDomainId(domainIdArr[0]);
@@ -135,6 +130,7 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
         }
 
         String domain = null;
+        final String[] domainName = (String[])params.get(ApiConstants.DOMAIN);
         domain = getDomainName(auditTrailSb, domainName, domain);
 
         String serializedResponse = null;

server/src/main/java/com/cloud/api/auth/DefaultResetPasswordAPIAuthenticatorCmd.java

@@ -53,7 +53,6 @@
         responseObject = SuccessResponse.class)
 public class DefaultResetPasswordAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
 
-
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////