PLAT-24956+PLAT-24957: Add support for configuring support access mode + block login when support access not allowed

alpha/apps/kaltura/lib/webservices/APIErrors.class.php

@@ -276,6 +276,8 @@ public static function getMessage($errorString)
 
 	const PARTNER_ACCESS_FORBIDDEN = "PARTNER_ACCESS_FORBIDDEN;ACCESSING_PID,ACCESSED_PID;Partner [@ACCESSING_PID@] cannot access partner [@ACCESSED_PID@]";
 
+	const PARTNER_LOGIN_FORBIDDEN = "PARTNER_LOGIN_FORBIDDEN;ACCESSING_PID,ACCESSED_PID;Partner [@ACCESSED_PID@] did not allow partner [@ACCESSING_PID@] to access his account ";
+
 	const ACCESS_FORBIDDEN_FROM_UNKNOWN_IP = "ACCESS_FORBIDDEN_FROM_UNKNOWN_IP;IP;Access forbidden from unknown ip [@IP@]";
 
 	const INVALID_BATCHJOB_ID = "INVALID_BATCHJOB_ID;JOB_ID;[@JOB_ID@]" ;

alpha/lib/enums/SupportAccessMode.php

@@ -0,0 +1,18 @@
+<?php
+/**
+ * @package Core
+ * @subpackage model.enum
+ */
+interface SupportAccessMode extends BaseEnum
+{
+	//Access to manage the account is always allowed
+	const ALLWAYS_ALLOWED = 0;
+
+	//Access will be blocked unless security team opens overrides this in case of security/production incidents
+	const NEVER_ALLOWED = 1;
+
+	//Access to manage the account will be opened and the time frame of it will controlled by the account admins
+	const USER_CONTROLLED = 2;
+
+
+}

alpha/lib/model/Partner.php

@@ -128,6 +128,10 @@ class Partner extends BasePartner
 	const CUSTOM_DATE_MAX_METADATA_INDEX_LENGTH = 'max_metadata_index_length';
 
 	const CUSTOM_ANALYTICS_DOMAIN = 'custom_analytics_domain';
+
+	const SUPPORT_ACCESS_ALLOWED_UNTIL = 'custom_support_access_allowed_until';
+
+	const SUPPORT_ACCESS_MODE = 'custom_support_access_mode';
 
 	public function save(PropelPDO $con = null)
 	{
@@ -2315,32 +2319,6 @@ public function getSharedStorageProfileId()
 
 		return $partnerDedicatedStorage ? $partnerDedicatedStorage->getId() : null;
 	}
-
-//	public function getSharedStorageProfileId()
-//	{
-//		$sharedStorageId = null;
-//		$allSharedStorageIds = kDataCenterMgr::getSharedStorageProfileIds();
-//
-//		$sharedIncludePartnerIds = kConf::get('shared_include_partner_ids', 'cloud_storage', array());
-//		if (in_array($this->getId(), $sharedIncludePartnerIds) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedIncludePartnerIds))
-//		{
-//			$sharedStorageId = reset($allSharedStorageIds);
-//		}
-//
-//		$sharedPartnerPackages = kConf::get('shared_partner_package_types', 'cloud_storage', array());
-//		if (in_array($this->getPartnerPackage(), $sharedPartnerPackages) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedPartnerPackages))
-//		{
-//			$sharedStorageId = reset($allSharedStorageIds);
-//		}
-//
-//		$sharedExcludePartnerIds = kConf::get('shared_exclude_partner_ids', 'cloud_storage', array());
-//		if (in_array($this->getId(), $sharedExcludePartnerIds) || in_array(self::ALL_PARTNERS_WILD_CHAR, $sharedExcludePartnerIds))
-//		{
-//			$sharedStorageId = null;
-//		}
-//
-//		return $sharedStorageId;
-//	}
 
 	public function setSharedStorageProfileId($v)
 	{
@@ -2454,4 +2432,48 @@ public function setAllowedEmailDomainsForAdmins($v)
 	{
 		return $this->putInCustomData(self::ALLOWED_EMAIL_DOMAINS_FOR_ADMINS, $v);
 	}
+
+	public function getSupportAccessAllowedUntil()
+	{
+		return $this->getFromCustomData(self::SUPPORT_ACCESS_ALLOWED_UNTIL);
+	}
+
+	public function setSupportAccessAllowedUntil($v)
+	{
+		return $this->putInCustomData(self::SUPPORT_ACCESS_ALLOWED_UNTIL, $v);
+	}
+
+	public function getSupportAccessMode()
+	{
+		return $this->getFromCustomData(self::SUPPORT_ACCESS_MODE, null, SupportAccessMode::ALLWAYS_ALLOWED);
+	}
+
+	public function setSupportAccessMode($v)
+	{
+		return $this->putInCustomData(self::SUPPORT_ACCESS_MODE, $v);
+	}
+
+	public function isSupportAccessAllowed()
+	{
+		$shouldEnforceSupportAccess = kConf::get('enforce_support_access', kConfMapNames::SECURITY, true);
+		if(!$shouldEnforceSupportAccess || $this->getSupportAccessMode() == SupportAccessMode::ALLWAYS_ALLOWED)
+		{
+			return true;
+		}
+
+		$allowedUntil = $this->getSupportAccessAllowedUntil();
+		$allowedUntil = $allowedUntil ? $allowedUntil : (time() - 3600);
+		return (time() < $allowedUntil);
+	}
+
+	public function getSupportAccessMaxKsExpiry()
+	{
+		$shouldEnforceSupportAccess = kConf::get('enforce_support_access', kConfMapNames::SECURITY, true);
+		if(!$shouldEnforceSupportAccess || $this->getSupportAccessMode() == SupportAccessMode::ALLWAYS_ALLOWED)
+		{
+			return dateUtils::DAY;
+		}
+
+		return $this->getSupportAccessAllowedUntil() - time();
+	}
 }

api_v3/lib/KalturaErrors.php

@@ -523,6 +523,10 @@ class KalturaErrors extends APIErrors
 	const PROPERTY_IS_NOT_DEFINED = "PROPERTY_IS_NOT_DEFINED;PROP,TYPE;The property \"@PROP@\" is not defined on type \"@TYPE@\"";
 
 	const GROUPS_CANNOT_CO_EXIST = "GROUPS_CANNOT_CO_EXIST;userId,group,blockedCoExist;Cannot add user [@userId@] to group [@group@], User is already member of a group with coexistence enforcement [@blockedCoExist@]";
+
+	const CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER = "CAN_ONLY_BE_CHANGED_BY_ACCOUNT_OWNER;;Support access mode can only be updated by the account owner";
+
+	const SUPPORT_ACCESS_CANNOT_BE_ENABLED = "SUPPORT_ACCESS_CANNOT_BE_ENABLED;;Support access cannot be enabled, please contact you account admin to change support access mode to be set to user_controlled";
 
 	/*
 	 * syndication service

api_v3/lib/types/enums/KalturaSupportAccessMode.php

@@ -0,0 +1,9 @@
+<?php
+/**
+ * @package api
+ * @subpackage enum
+ */
+class KalturaSupportAccessMode extends KalturaEnum implements SupportAccessMode
+{
+
+}

api_v3/lib/types/partner/KalturaPartner.php

@@ -507,6 +507,16 @@ class KalturaPartner extends KalturaObject implements IFilterable
 	 */
 	public $allowedEmailDomainsForAdmins;
 
+	/**
+	 * @var time
+	 */
+	public $supportAccessAllowedUntil;
+
+	/**
+	 * @var KalturaSupportAccessMode
+	 */
+	public $supportAccessMode;
+
 	private static $map_between_objects = array
 	(
 		'id' , 'name', 'website' => 'url1' , 'notificationUrl' => 'url2' , 'appearInSearch' , 'createdAt' , 'adminName' , 'adminEmail' , 'useTwoFactorAuthentication', 'useSso', 'blockDirectLogin',
@@ -520,7 +530,7 @@ class KalturaPartner extends KalturaObject implements IFilterable
 		'extendedFreeTrail', 'extendedFreeTrailEndsWarning', 'eightyPercentWarning', 'usageLimitWarning', 'lastFreeTrialNotificationDay','monitorUsage', 'additionalParams',
 		'passwordStructureValidations', 'passReplaceFreq', 'maxLoginAttempts', 'loginBlockPeriod', 'numPrevPassToKeep', 'twoFactorAuthenticationMode', 'isSelfServe', 'allowedDomains',
 		'excludedAdminRoleName', 'eventPlatformAllowedTemplates', 'verticalClassificationId' => 'verticalClasiffication', 'allowDefaultPasswordRestrictions', 'recycleBinRetentionPeriod',
-		'customAnalyticsDomain','allowedEmailDomainsForAdmins'
+		'customAnalyticsDomain','allowedEmailDomainsForAdmins', 'supportAccessAllowedUntil', 'supportAccessMode'
 	);
 
 	public function getMapBetweenObjects ( )
@@ -615,6 +625,59 @@ public function toPartner()
 		return $this->toObject($partner);
 	}
 
+	/* (non-PHPdoc)
+	 * @see KalturaObject::validateForInsert()
+	 */
+	public function validateForInsert($propertiesToSkip = array())
+	{
+		if(isset($this->supportAccessMode) && !$this->isApiDoneByAccountOwner())
+		{
+			throw new KalturaAPIException(KalturaErrors::CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER);
+		}
+
+		if(isset($this->supportAccessAllowedUntil) && !kCurrentContext::$is_admin_session)
+		{
+			throw new KalturaAPIException(KalturaErrors::PROPERTY_VALIDATION_ADMIN_PROPERTY, 'supportAccessAllowedUntil');
+		}
+
+		if(isset($this->supportAccessAllowedUntil) && isset($this->supportAccessMode) == KalturaSupportAccessMode::NEVER_ALLOWED)
+		{
+			throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
+		}
+
+		return parent::validateForInsert($propertiesToSkip);
+	}
+
+	/* (non-PHPdoc)
+	 * @see KalturaObject::validateForUpdate()
+	 */
+	public function validateForUpdate($sourceObject, $propertiesToSkip = array())
+	{
+		if(isset($this->supportAccessMode) && $this->supportAccessMode != $sourceObject->getSupportAccessMode()
+			&& !$this->isApiDoneByAccountOwner())
+		{
+			throw new KalturaAPIException(KalturaErrors::CAN_ONLY_BE_UPDATED_BY_ACCOUNT_OWNER);
+		}
+
+		if(isset($this->supportAccessAllowedUntil) && $this->supportAccessAllowedUntil != $sourceObject->getSupportAccessAllowedUntil()
+			&& !kCurrentContext::$is_admin_session)
+		{
+			throw new KalturaAPIException(KalturaErrors::PROPERTY_VALIDATION_ADMIN_PROPERTY, 'supportAccessAllowedUntil');
+		}
+
+		if(isset($this->supportAccessAllowedUntil) && $sourceObject->getSupportAccessAllowedUntil() == KalturaSupportAccessMode::NEVER_ALLOWED)
+		{
+			throw new KalturaAPIException(KalturaErrors::SUPPORT_ACCESS_CANNOT_BE_ENABLED);
+		}
+
+		return parent::validateForUpdate($sourceObject, $propertiesToSkip);
+	}
+
+	private function isApiDoneByAccountOwner()
+	{
+		return kCurrentContext::getCurrentKsKuserId() !=  $sourceObject->getAccountOwnerKuserId();
+	}
+
 	public function toObject($dbObject = null, $propsToSkip = array())
 	{
 		if (!$dbObject)

plugins/admin_console/system_partner/services/SystemPartnerService.php

@@ -210,6 +210,10 @@ public function getAdminSessionAction($pId, $userId = null)
 			$userId = $dbPartner->getAdminUserId();
 		}
 
+		if(!$dbPartner->isSupportAccessAllowed()) {
+			throw new KalturaAPIException(KalturaErrors::PARTNER_LOGIN_FORBIDDEN, kCurrentContext::getCurrentPartnerId(), $pId);
+		}
+
 		$kuser = kuserPeer::getKuserByPartnerAndUid($pId, $userId);
 		if (!$kuser) {
 			throw new KalturaAPIException(KalturaErrors::INVALID_USER_ID, $userId);
@@ -219,7 +223,7 @@ public function getAdminSessionAction($pId, $userId = null)
 		}
 
 		$ks = "";
-		kSessionUtils::createKSessionNoValidations($dbPartner->getId(), $userId, $ks, 86400, 2, "", '*,' . ks::PRIVILEGE_DISABLE_ENTITLEMENT);
+		kSessionUtils::createKSessionNoValidations($dbPartner->getId(), $userId, $ks, $dbPartner->getSupportAccessMaxKsExpiry(), 2, "", '*,' . ks::PRIVILEGE_DISABLE_ENTITLEMENT);
 		return $ks;
 	}