From 1acdeb9663632c6ee6adae1ef7d32c9f8dee528d Mon Sep 17 00:00:00 2001
From: yossipapi
Date: Sun, 22 Sep 2024 17:28:14 +0300
Subject: [PATCH 1/2] PLAT-24956+PLAT-24957: Add support for configuring support access mode + block login when support access not allowed

---
 .../lib/webservices/APIErrors.class.php | 2 +
 alpha/lib/model/Partner.php | 74 ++++++++++++-------
 api_v3/lib/types/partner/KalturaPartner.php | 12 ++-
 .../services/SystemPartnerService.php | 6 +-
 4 files changed, 66 insertions(+), 28 deletions(-)

diff --git a/alpha/apps/kaltura/lib/webservices/APIErrors.class.php b/alpha/apps/kaltura/lib/webservices/APIErrors.class.php
index 31321ee9ddf..9cb60b24f01 100644
--- a/alpha/apps/kaltura/lib/webservices/APIErrors.class.php
+++ b/alpha/apps/kaltura/lib/webservices/APIErrors.class.php
@@ -276,6 +276,8 @@ public static function getMessage($errorString)
 const PARTNER_ACCESS_FORBIDDEN = "PARTNER_ACCESS_FORBIDDEN;ACCESSING_PID,ACCESSED_PID;Partner [@ACCESSING_PID@] cannot access partner [@ACCESSED_PID@]";
+ const PARTNER_LOGIN_FORBIDDEN = "PARTNER_LOGIN_FORBIDDEN;ACCESSING_PID,ACCESSED_PID;Partner [@ACCESSED_PID@] did not allow partner [@ACCESSING_PID@] to access his account ";
+
 const ACCESS_FORBIDDEN_FROM_UNKNOWN_IP = "ACCESS_FORBIDDEN_FROM_UNKNOWN_IP;IP;Access forbidden from unknown ip [@IP@]";
 const INVALID_BATCHJOB_ID = "INVALID_BATCHJOB_ID;JOB_ID;[@JOB_ID@]" ;
diff --git a/alpha/lib/model/Partner.php b/alpha/lib/model/Partner.php
index 6965952a08b..ee111519d38 100644
--- a/alpha/lib/model/Partner.php
+++ b/alpha/lib/model/Partner.php
@@ -128,6 +128,10 @@ class Partner extends BasePartner
 const CUSTOM_DATE_MAX_METADATA_INDEX_LENGTH = 'max_metadata_index_length';
 const CUSTOM_ANALYTICS_DOMAIN = 'custom_analytics_domain';
+
+ const SUPPORT_ACCESS_ALLOWED_UNTIL = 'custom_support_access_allowed_until';
+
+ const SUPPORT_ACCESS_MODE = 'custom_support_access_mode';
 public function save(PropelPDO $con = null)
 {
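Review bot: The new PARTNER_LOGIN_FORBIDDEN message text ends with a trailing space and says "his account" for a partner account, and that string is what API clients receive verbatim; `Partner [@ACCESSED_PID@] did not allow partner [@ACCESSING_PID@] to access its account` reads cleanly and drops the stray whitespace. The placeholder list (ACCESSING_PID, ACCESSED_PID) matches the existing PARTNER_ACCESS_FORBIDDEN constant directly above it, so callers can pass the same argument order for both errors.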
@@ -2315,32 +2319,6 @@ public function getSharedStorageProfileId()
 return $partnerDedicatedStorage ? $partnerDedicatedStorage->getId() : null;
 }
-
-// public function getSharedStorageProfileId()
-// {
-// $sharedStorageId = null;
-// $allSharedStorageIds = kDataCenterMgr::getSharedStorageProfileIds();
-//
-// $sharedIncludePartnerIds = kConf::get('shared_include_partner_ids', 'cloud_storage', array());
-// if (in_array($this->getId(), $sharedIncludePartnerIds) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedIncludePartnerIds))
-// {
-// $sharedStorageId = reset($allSharedStorageIds);
-// }
-//
-// $sharedPartnerPackages = kConf::get('shared_partner_package_types', 'cloud_storage', array());
-// if (in_array($this->getPartnerPackage(), $sharedPartnerPackages) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedPartnerPackages))
-// {
-// $sharedStorageId = reset($allSharedStorageIds);
-// }
-//
-// $sharedExcludePartnerIds = kConf::get('shared_exclude_partner_ids', 'cloud_storage', array());
-// if (in_array($this->getId(), $sharedExcludePartnerIds) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedExcludePartnerIds))
-// {
-// $sharedStorageId = null;
-// }
-//
-// return $sharedStorageId;
-// }
 public function setSharedStorageProfileId($v)
 {
@@ -2454,4 +2432,48 @@ public function setAllowedEmailDomainsForAdmins($v)
 {
 return $this->putInCustomData(self::ALLOWED_EMAIL_DOMAINS_FOR_ADMINS, $v);
 }
+
+ public function getSupportAccessAllowedUntil()
+ {
+ return $this->getFromCustomData(self::SUPPORT_ACCESS_ALLOWED_UNTIL);
+ }
+
+ public function setSupportAccessAllowedUntil($v)
+ {
+ return $this->putInCustomData(self::SUPPORT_ACCESS_ALLOWED_UNTIL, $v);
+ }
+
+ public function getSupportAccessMode()
+ {
+ return $this->getFromCustomData(self::SUPPORT_ACCESS_MODE, null, SupportAccessMode::ALLWAYS_ALLOWED);
+ }
+
+ public function setSupportAccessMode($v)
+ {
+ return $this->putInCustomData(self::SUPPORT_ACCESS_MODE, $v);
+ }
+
+ public function isSupportAccessAllowed()
+ {
+ $shouldEnforceSupportAccess = kConf::get('enforce_support_access', kConfMapNames::SECURITY, true);
+ if(!$shouldEnforceSupportAccess || $this->getSupportAccessMode() == SupportAccessMode::ALLWAYS_ALLOWED)
+ {
+ return true;
+ }
+
+ $allowedUntil = $this->getSupportAccessAllowedUntil();
+ $allowedUntil = $allowedUntil ? $allowedUntil : (time() - 3600);
+ return (time() < $allowedUntil);
+ }
+
+ public function getSupportAccessMaxKsExpiry()
+ {
+ $shouldEnforceSupportAccess = kConf::get('enforce_support_access', kConfMapNames::SECURITY, true);
+ if(!$shouldEnforceSupportAccess || $this->getSupportAccessMode() == SupportAccessMode::ALLWAYS_ALLOWED)
+ {
+ return dateUtils::DAY;
+ }
+
+ return $this->getSupportAccessAllowedUntil() - time();
+ }
 }
diff --git a/api_v3/lib/types/partner/KalturaPartner.php b/api_v3/lib/types/partner/KalturaPartner.php
index 1e94e598034..653e1609c14 100644
--- a/api_v3/lib/types/partner/KalturaPartner.php
+++ b/api_v3/lib/types/partner/KalturaPartner.php
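Review bot: `getSupportAccessMaxKsExpiry()` returns `getSupportAccessAllowedUntil() - time()` unclamped, so a partner with no window set yields a negative expiry and a partner with a window far in the future yields a support KS that outlives the one-day lifetime the caller previously hard-coded; `isSupportAccessAllowed()` likewise never looks at a NEVER_ALLOWED mode, so a partner that opted out stays reachable for as long as an earlier `supportAccessAllowedUntil` is still in the future, unless something outside this hunk clears it. I would let NEVER_ALLOWED short-circuit to false and bound the expiry to `min(dateUtils::DAY, remaining)` with a floor of 0, as below, assuming core `SupportAccessMode` defines the same `NEVER_ALLOWED` case that `KalturaSupportAccessMode` exposes (that enum's hunk is garbled on this page). The `?:` fallback to `time() - 3600` is just a roundabout `return false` and can go. The enclosing class starts outside the hunk; its closing brace is the hunk's last context line.

```php
	public function isSupportAccessAllowed()
	{
		// … unchanged: enforce_support_access / ALLWAYS_ALLOWED early return …

		// an explicit opt-out wins over any leftover time-boxed grant
		if($this->getSupportAccessMode() == SupportAccessMode::NEVER_ALLOWED)
		{
			return false;
		}

		$allowedUntil = (int)$this->getSupportAccessAllowedUntil();
		return $allowedUntil > 0 && time() < $allowedUntil;
	}

	public function getSupportAccessMaxKsExpiry()
	{
		// … unchanged: enforce_support_access / ALLWAYS_ALLOWED early return of dateUtils::DAY …

		if(!$this->isSupportAccessAllowed())
		{
			return 0;
		}

		// never issue a support KS longer than the one-day cap the caller used before
		$remaining = (int)$this->getSupportAccessAllowedUntil() - time();
		return min(dateUtils::DAY, max(0, $remaining));
	}
```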
@@ -507,6 +507,16 @@ class KalturaPartner extends KalturaObject implements IFilterable
 */
 public $allowedEmailDomainsForAdmins;
+ /**
+ * @var time
+ */
+ public $supportAccessAllowedUntil;
+
+ /**
+ * @var KalturaSupportAccessMode
+ */
+ public $supportAccessMode;
+
 private static $map_between_objects = array ( 'id' , 'name', 'website' => 'url1' , 'notificationUrl' => 'url2' , 'appearInSearch' , 'createdAt' , 'adminName' , 'adminEmail' , 'useTwoFactorAuthentication', 'useSso', 'blockDirectLogin',
@@ -520,7 +530,7 @@ class KalturaPartner extends KalturaObject implements IFilterable
 'extendedFreeTrail', 'extendedFreeTrailEndsWarning', 'eightyPercentWarning', 'usageLimitWarning', 'lastFreeTrialNotificationDay','monitorUsage', 'additionalParams', 'passwordStructureValidations', 'passReplaceFreq', 'maxLoginAttempts', 'loginBlockPeriod', 'numPrevPassToKeep', 'twoFactorAuthenticationMode', 'isSelfServe', 'allowedDomains', 'excludedAdminRoleName', 'eventPlatformAllowedTemplates', 'verticalClassificationId' => 'verticalClasiffication', 'allowDefaultPasswordRestrictions', 'recycleBinRetentionPeriod',
- 'customAnalyticsDomain','allowedEmailDomainsForAdmins'
+ 'customAnalyticsDomain','allowedEmailDomainsForAdmins', 'supportAccessAllowedUntil', 'supportAccessMode'
 );
 public function getMapBetweenObjects ( )
diff --git a/plugins/admin_console/system_partner/services/SystemPartnerService.php b/plugins/admin_console/system_partner/services/SystemPartnerService.php
index 71b637b3a69..ad26ff8db33 100644
--- a/plugins/admin_console/system_partner/services/SystemPartnerService.php
+++ b/plugins/admin_console/system_partner/services/SystemPartnerService.php
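Review bot: The two new public properties in the first hunk carry only a `@var` type, so a reader of this API object cannot tell that `supportAccessAllowedUntil` is a deadline or that `supportAccessMode` is meant to be controlled by the account owner — that meaning lives in the model and the validators, not here. I would add a one-line description above each `@var`: `* Unix time until which admin-console (support) access to this partner is permitted; only settable from an admin session` and `* Whether support access is always allowed, never allowed, or otherwise time-boxed by supportAccessAllowedUntil`. Whether these fields should also carry the same read-only/permission annotations as the neighbouring admin-only properties I cannot tell from this hunk; the class continues outside it.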
@@ -210,6 +210,10 @@ public function getAdminSessionAction($pId, $userId = null)
 $userId = $dbPartner->getAdminUserId();
 }
+ if(!$dbPartner->isSupportAccessAllowed()) {
+ throw new KalturaAPIException(KalturaErrors::PARTNER_LOGIN_FORBIDDEN, kCurrentContext::getCurrentPartnerId(), $pId);
+ }
+
 $kuser = kuserPeer::getKuserByPartnerAndUid($pId, $userId);
 if (!$kuser) {
 throw new KalturaAPIException(KalturaErrors::INVALID_USER_ID, $userId);
@@ -219,7 +223,7 @@ public function getAdminSessionAction($pId, $userId = null)
 }
 $ks = "";
- kSessionUtils::createKSessionNoValidations($dbPartner->getId(), $userId, $ks, 86400, 2, "", '*,' . ks::PRIVILEGE_DISABLE_ENTITLEMENT);
+ kSessionUtils::createKSessionNoValidations($dbPartner->getId(), $userId, $ks, $dbPartner->getSupportAccessMaxKsExpiry(), 2, "", '*,' . ks::PRIVILEGE_DISABLE_ENTITLEMENT);
 return $ks;
 }

From 79d62d2c815f6a4f2c446cbf3eb98573f0278b7c Mon Sep 17 00:00:00 2001
From: yossipapi
Date: Tue, 24 Sep 2024 16:30:41 +0300
Subject: [PATCH 2/2] PLAT-24956: Enforce who can update support access fields + add missing classes

---
 alpha/lib/enums/SupportAccessMode.php | 18 +++++++
 api_v3/lib/KalturaErrors.php | 4 ++
 .../types/enums/KalturaSupportAccessMode.php | 9 ++++
 api_v3/lib/types/partner/KalturaPartner.php | 53 +++++++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 alpha/lib/enums/SupportAccessMode.php
 create mode 100644 api_v3/lib/types/enums/KalturaSupportAccessMode.php

diff --git a/alpha/lib/enums/SupportAccessMode.php b/alpha/lib/enums/SupportAccessMode.php
new file mode 100644
index 00000000000..3b665b6c87d
--- /dev/null
+++ b/alpha/lib/enums/SupportAccessMode.php
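Review bot: In the second hunk the KS lifetime handed to `createKSessionNoValidations` is whatever `getSupportAccessMaxKsExpiry()` returns, with no bound at the call site, so a zero or negative value reaches the session builder and a large `supportAccessAllowedUntil` produces a support KS far longer than the 86400 seconds this line used to enforce. I would clamp it here regardless of what the model does: `$expiry = min(86400, $dbPartner->getSupportAccessMaxKsExpiry());` and then `if($expiry <= 0) throw new KalturaAPIException(KalturaErrors::PARTNER_LOGIN_FORBIDDEN, kCurrentContext::getCurrentPartnerId(), $pId);` before passing `$expiry` to the call. Note also that, as far as these hunks show, a partner revoking access afterwards does not invalidate a KS already issued, so this expiry bound is the only thing limiting that window. `getAdminSessionAction` begins before the first hunk.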
@@ -0,0 +1,18 @@
+toObject($partner); }
+ /* (non-PHPdoc)
+ * @see KalturaObject::validateForInsert()
+ */
+ public function validateForInsert($propertiesToSkip = array())
+ {
+ if(isset($this->supportAccessMode) && !$this->isApiDoneByAccountOwner())
+ {
+ throw new KalturaAPIException(KalturaErrors::CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER);
+ }
+
+ if(isset($this->supportAccessAllowedUntil) && !kCurrentContext::$is_admin_session)
+ {
+ throw new KalturaAPIException(KalturaErrors::PROPERTY_VALIDATION_ADMIN_PROPERTY, 'supportAccessAllowedUntil');
+ }
+
+ if(isset($this->supportAccessAllowedUntil) && isset($this->supportAccessMode) == KalturaSupportAccessMode::NEVER_ALLOWED)
+ {
+ throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
+ }
+
+ return parent::validateForInsert($propertiesToSkip);
+ }
+
+ /* (non-PHPdoc)
+ * @see KalturaObject::validateForUpdate()
+ */
+ public function validateForUpdate($sourceObject, $propertiesToSkip = array())
+ {
+ if(isset($this->supportAccessMode) && $this->supportAccessMode != $sourceObject->getSupportAccessMode()
+ && !$this->isApiDoneByAccountOwner())
+ {
+ throw new KalturaAPIException(KalturaErrors::CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER);
+ }
+
+ if(isset($this->supportAccessAllowedUntil) && $this->supportAccessAllowedUntil != $sourceObject->getSupportAccessAllowedUntil()
+ && !kCurrentContext::$is_admin_session)
+ {
+ throw new KalturaAPIException(KalturaErrors::PROPERTY_VALIDATION_ADMIN_PROPERTY, 'supportAccessAllowedUntil');
+ }
+
+ if(isset($this->supportAccessAllowedUntil) && $sourceObject->getSupportAccessAllowedUntil() == KalturaSupportAccessMode::NEVER_ALLOWED)
+ {
+ throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
+ }
+
+ return parent::validateForUpdate($sourceObject, $propertiesToSkip);
+ }
+
+ private function isApiDoneByAccountOwner()
+ {
+ return kCurrentContext::getCurrentKsKuserId() != $sourceObject->getAccountOwnerKuserId();
+ }
+
 public function 
toObject($dbObject = null, $propsToSkip = array()) { if (!$dbObject)
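Review bot: `isApiDoneByAccountOwner()` reads `$sourceObject`, which is not defined in that method (it is only a parameter of `validateForUpdate`), and compares with `!=`, so it answers true exactly when the caller is not the owner — the inverse of its name — and on a real call it would fail on the null method call first; every owner check in `validateForInsert` and `validateForUpdate` is therefore wrong in both directions. Two further comparisons are off: `isset($this->supportAccessMode) == KalturaSupportAccessMode::NEVER_ALLOWED` compares a bool with the enum, and the update path compares `$sourceObject->getSupportAccessAllowedUntil()` (a timestamp) against NEVER_ALLOWED instead of the mode. I would pass the partner into the helper, compare with `==`, and test the mode that will be in effect after the update, as below; on insert there is no partner yet, so passing `null` there fails closed until a better basis is chosen. The hunk header for this file is lost on this page and the new-file hunk before it is garbled, so I am reading the `@@ -0,0 +1,18 @@` residue as the start of this KalturaPartner.php hunk, which ends at the `toObject` context on this line.

```php
		// validateForInsert: … unchanged: owner / admin-session checks …
		if(isset($this->supportAccessAllowedUntil) && $this->supportAccessMode == KalturaSupportAccessMode::NEVER_ALLOWED)
		{
			throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
		}
		// … unchanged: parent::validateForInsert …

	public function validateForUpdate($sourceObject, $propertiesToSkip = array())
	{
		if(isset($this->supportAccessMode) && $this->supportAccessMode != $sourceObject->getSupportAccessMode()
			&& !$this->isApiDoneByAccountOwner($sourceObject))
		{
			throw new KalturaAPIException(KalturaErrors::CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER);
		}

		// … unchanged: admin-session check for supportAccessAllowedUntil …

		// the mode that will be in effect after this update, not the stored timestamp
		$effectiveMode = isset($this->supportAccessMode) ? $this->supportAccessMode : $sourceObject->getSupportAccessMode();
		if(isset($this->supportAccessAllowedUntil) && $effectiveMode == KalturaSupportAccessMode::NEVER_ALLOWED)
		{
			throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
		}

		return parent::validateForUpdate($sourceObject, $propertiesToSkip);
	}

	// true only when the KS user is the given partner's account owner; null partner fails closed
	private function isApiDoneByAccountOwner($partner)
	{
		return $partner && kCurrentContext::getCurrentKsKuserId() == $partner->getAccountOwnerKuserId();
	}
```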