MatheMatrix · ZStack-Robot · Apr 11, 2026 · Apr 11, 2026 · coderabbitai · Apr 11, 2026
diff --git a/plugin/ldap/src/main/java/org/zstack/ldap/LdapManager.java b/plugin/ldap/src/main/java/org/zstack/ldap/LdapManager.java
@@ -2,6 +2,7 @@
 
 import org.zstack.core.Platform;
 import org.zstack.header.errorcode.ErrorableValue;
+import org.zstack.identity.imports.entity.AccountThirdPartyAccountSourceRefVO;
 import org.zstack.ldap.driver.LdapUtil;
 import org.zstack.ldap.entity.LdapServerVO;
 
@@ -10,7 +11,7 @@
  */
 public interface LdapManager {
     boolean isValid(String uid, String password);
-
+    ErrorableValue<AccountThirdPartyAccountSourceRefVO> findAccountThirdPartyAccountSourceRefByName(String ldapLoginName, String ldapLoginPassword);
     ErrorableValue<String> findCurrentLdapServerUuid();
     ErrorableValue<LdapServerVO> findCurrentLdapServer();
 

diff --git a/plugin/ldap/src/main/java/org/zstack/ldap/LdapManagerImpl.java b/plugin/ldap/src/main/java/org/zstack/ldap/LdapManagerImpl.java
@@ -407,44 +407,49 @@ public LoginType getLoginType() {
         return loginType;
     }
 
-    @Override
-    public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionInfo> completion) {
+    public ErrorableValue<AccountThirdPartyAccountSourceRefVO> findAccountThirdPartyAccountSourceRefByName(String ldapLoginName, String ldapLoginPassword) {
         final ErrorableValue<LdapServerVO> currentLdapServer = findCurrentLdapServer();
         if (!currentLdapServer.isSuccess()) {
-            logger.debug("failed to login by LDAP: failed to find current LdapServer: " + currentLdapServer.error.getDetails());
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
-                    "Login validation failed in LDAP"));
-            return;
+            return ErrorableValue.ofErrorCode(currentLdapServer.error);
         }
         final LdapServerVO ldap = currentLdapServer.result;
 
-        String ldapLoginName = loginContext.getUsername();
-        if (!isValid(ldapLoginName, loginContext.getPassword())) {
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
-                    "Login validation failed in LDAP"));
-            return;
-        }
-
         String dn = createDriver().getFullUserDn(ldap, ldap.getUsernameProperty(), ldapLoginName);
         AccountThirdPartyAccountSourceRefVO vo = Q.New(AccountThirdPartyAccountSourceRefVO.class)
                 .eq(AccountThirdPartyAccountSourceRefVO_.credentials, dn)
                 .eq(AccountThirdPartyAccountSourceRefVO_.accountSourceUuid, ldap.getUuid())
                 .find();
 
         if (vo == null) {
-            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
+            return ErrorableValue.ofErrorCode(err(IdentityErrors.AUTHENTICATION_ERROR,
                     "The ldapUid does not have a binding account."));
+        }
+        return ErrorableValue.of(vo);
+    }
+
+    @Override
+    public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionInfo> completion) {
+        final ErrorableValue<AccountThirdPartyAccountSourceRefVO> accountThirdPartyAccountSourceRef = findAccountThirdPartyAccountSourceRefByName(loginContext.getUsername(), loginContext.getPassword());
+
+        if  (!accountThirdPartyAccountSourceRef.isSuccess()) {
+            completion.fail(accountThirdPartyAccountSourceRef.error);
             return;
         }
 
+        if (!isValid(loginContext.getUsername(), loginContext.getPassword())) {
+            completion.fail(err(IdentityErrors.AUTHENTICATION_ERROR,
+                    "Login validation failed in LDAP"));
+            return;
+        }
+        String accountUuid = accountThirdPartyAccountSourceRef.result.getAccountUuid();
         final AccountState state = Q.New(AccountVO.class)
-                .eq(AccountVO_.uuid, vo.getAccountUuid())
+                .eq(AccountVO_.uuid, accountUuid)
                 .select(AccountVO_.state)
                 .findValue();
 
         if (state == null || state == AccountState.Staled) {
             completion.fail(operr(
-                    "Account[uuid:%s] Not Found!!!", vo.getAccountUuid()));
+                    "Account[uuid:%s] Not Found!!!", accountUuid));
             return;
         }
         if (state == AccountState.Disabled) {
@@ -453,7 +458,7 @@ public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionI
         }
 
         LoginSessionInfo info = new LoginSessionInfo();
-        info.setAccountUuid(vo.getAccountUuid());
+        info.setAccountUuid(accountUuid);
         completion.success(info);
     }
 
@@ -468,21 +473,36 @@ public boolean authenticate(String username, String password) {
 
     @Override
     public String getAccountIdByName(String username) {
-        final ErrorableValue<LdapServerVO> property = findCurrentLdapServer();
-        if (property.isSuccess()) {
-            final String fullUserDn = createDriver().getFullUserDn(property.result, username);
-            return "".equals(fullUserDn) ? null : fullUserDn;
+        final ErrorableValue<LdapServerVO> currentLdapServer = findCurrentLdapServer();
+        if (!currentLdapServer.isSuccess()) {
+            return null;
+        }
+        final LdapServerVO ldap = currentLdapServer.result;
+
+        String dn = createDriver().getFullUserDn(ldap, ldap.getUsernameProperty(), username);
+        if (dn == null || dn.isEmpty()) {
+            return null;
         }
-        return null;
+
+        String accountUuid = Q.New(AccountThirdPartyAccountSourceRefVO.class)
+                .select(AccountThirdPartyAccountSourceRefVO_.accountUuid)
+                .eq(AccountThirdPartyAccountSourceRefVO_.credentials, dn)
+                .eq(AccountThirdPartyAccountSourceRefVO_.accountSourceUuid, ldap.getUuid())
+                .findValue();
+        return accountUuid;
     }
 
     @Override
     public void collectUserInfoIntoContext(LoginContext loginContext) {
-        loginContext.setAccountUuid(getAccountIdByName(loginContext.getUsername()));
+        ErrorableValue<AccountThirdPartyAccountSourceRefVO> accountThirdPartyAccountSourceRef = findAccountThirdPartyAccountSourceRefByName(loginContext.getUsername(), loginContext.getPassword());
+        if (!accountThirdPartyAccountSourceRef.isSuccess()) {
+            return;
+        }
+        loginContext.setAccountUuid(accountThirdPartyAccountSourceRef.result.getAccountUuid());
     }
 
     @Override
     public List<AdditionalAuthFeature> getRequiredAdditionalAuthFeature() {
-        return Collections.singletonList(LoginAuthConstant.basicLoginControl);
+        return Arrays.asList(LoginAuthConstant.basicLoginControl, LoginAuthConstant.twoFactor);
     }
 }
diff --git a/sdk/src/main/java/org/zstack/sdk/GetTwoFactorAuthenticationSecretAction.java b/sdk/src/main/java/org/zstack/sdk/GetTwoFactorAuthenticationSecretAction.java
@@ -37,6 +37,9 @@ public Result throwExceptionIfError() {
     @Param(required = false, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String verifyCode;
 
+    @Param(required = true, validValues = {"account","ldap"}, nonempty = true, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String type = "account";
+
     @Param(required = false)
     public java.util.List systemTags;
 

diff --git a/sdk/src/main/java/org/zstack/sdk/ResetTwoFactorAuthenticationSecretAction.java b/sdk/src/main/java/org/zstack/sdk/ResetTwoFactorAuthenticationSecretAction.java
@@ -37,6 +37,9 @@ public Result throwExceptionIfError() {
     @Param(required = false, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String verifyCode;
 
+    @Param(required = true, validValues = {"account","ldap"}, nonempty = true, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String type = "account";
+
     @Param(required = false)
     public java.util.List systemTags;
 

diff --git a/test/src/test/resources/springConfigXml/Kvm.xml b/test/src/test/resources/springConfigXml/Kvm.xml
@@ -206,7 +206,7 @@
             <zstack:extension interface="org.zstack.header.vm.VmInstanceMigrateExtensionPoint"/>
         </zstack:plugin>
     </bean>
-    <bean id="HypervisorMetadataCollector" class="org.zstack.kvm.hypervisor.HypervisorMetadataCollectorForTest">
+    <bean id="HypervisorMetadataCollector" class="org.zstack.kvm.hypervisor.HypervisorMetadataCollectorSimulator">
     </bean>
 
     <bean id="KvmHypervisorZQLExtension" class="org.zstack.kvm.hypervisor.KvmHypervisorZQLExtension">

diff --git a/test/src/test/resources/springConfigXml/license.xml b/test/src/test/resources/springConfigXml/license.xml
diff --git a/...r/HypervisorMetadataCollectorForTest.java → ...HypervisorMetadataCollectorSimulator.java b/...r/HypervisorMetadataCollectorForTest.java → ...HypervisorMetadataCollectorSimulator.java
@@ -13,7 +13,7 @@
  * 
  * Created by Wenhao.Zhang on 23/03/01
  */
-public class HypervisorMetadataCollectorForTest extends HypervisorMetadataCollectorImpl {
+public class HypervisorMetadataCollectorSimulator extends HypervisorMetadataCollectorImpl {
     public static final String QEMU_VERSION_FOR_TEST = "4.2.0-632.g6a6222b.el7";
     private Function<Path, List<HypervisorMetadataDefinition>> folderScannerSimulator;
     private Function<HypervisorMetadataDefinition, String> collectMetadataSimulator;
@@ -41,11 +41,11 @@ protected List<HypervisorMetadataDefinition> scanFolder(Path rootPath) throws IO
     }
 
     public List<HypervisorMetadataDefinition> scanFolderForDefault(Path rootPath) {
-        HypervisorMetadataDefinitionForTest d1 = new HypervisorMetadataDefinitionForTest();
+        HypervisorMetadataDefinitionSimulator d1 = new HypervisorMetadataDefinitionSimulator();
         d1.setArchitecture(CpuArchitecture.x86_64.name());
         d1.setOsReleaseSimpleVersion("c76");
 
-        HypervisorMetadataDefinitionForTest d2 = new HypervisorMetadataDefinitionForTest();
+        HypervisorMetadataDefinitionSimulator d2 = new HypervisorMetadataDefinitionSimulator();
         d2.setArchitecture(CpuArchitecture.x86_64.name());
         d2.setOsReleaseSimpleVersion("c79");
 
@@ -74,7 +74,7 @@ public String collectMetadataForDefault(HypervisorMetadataDefinition definition)
                 QEMU_VERSION_FOR_TEST, osReleaseVersion[0], osReleaseVersion[1], osReleaseVersion[2]);
     }
 
-    public static class HypervisorMetadataDefinitionForTest extends HypervisorMetadataDefinition {
+    public static class HypervisorMetadataDefinitionSimulator extends HypervisorMetadataDefinition {
         @Override
         public boolean isValid() {
             return true;

diff --git a/...ib/identity/ldap/LdapDriverForTest.groovy → .../identity/ldap/LdapDriverSimulator.groovy b/...ib/identity/ldap/LdapDriverForTest.groovy → .../identity/ldap/LdapDriverSimulator.groovy
@@ -13,7 +13,7 @@ import org.zstack.ldap.entity.LdapServerVO_
 import java.util.function.Function
 import java.util.function.Supplier
 
-class LdapDriverForTest extends LdapUtil {
+class LdapDriverSimulator extends LdapUtil {
     public Supplier<List<LdapVirtualEndpointSpec>> findAllEndpointsFunction
     public Function<LdapServerVO, LdapVirtualEndpointSpec> findEndpointByLdapVOFunction
 

diff --git a/testlib/src/main/java/org/zstack/testlib/identity/ldap/LdapVirtualEndpointSpec.groovy b/testlib/src/main/java/org/zstack/testlib/identity/ldap/LdapVirtualEndpointSpec.groovy
@@ -60,7 +60,7 @@ class LdapVirtualEndpointSpec extends Spec {
         endpointUuid = uuid
 
         envSpec.mockFactory(LdapUtil.class) {
-            def driver = new LdapDriverForTest()
+            def driver = new LdapDriverSimulator()
             driver.findAllEndpointsFunction = { findAllEndpoints() }
             driver.findEndpointByLdapVOFunction = { LdapServerVO ldap -> findEndpointByLdapVO(ldap) }
             return driver

diff --git a/...ack/testlib/vops/VOpsClientForTest.groovy → ...k/testlib/vops/VOpsClientSimulator.groovy b/...ack/testlib/vops/VOpsClientForTest.groovy → ...k/testlib/vops/VOpsClientSimulator.groovy
@@ -13,10 +13,10 @@ import java.util.function.Function
 
 import static org.zstack.externalservice.vops.VOpsCommands.*;
 
-class VOpsClientForTest extends VOpsClient {
+class VOpsClientSimulator extends VOpsClient {
     public final VOpsVirtualEndpointSpec parent
 
-    VOpsClientForTest(VOpsVirtualEndpointSpec parent) {
+    VOpsClientSimulator(VOpsVirtualEndpointSpec parent) {
         this.parent = parent
     }
 
@@ -75,9 +75,9 @@ class VOpsClientForTest extends VOpsClient {
     }
 
     static class HttpForTest<T> extends RestHttp<T> {
-        final VOpsClientForTest client
+        final VOpsClientSimulator client
 
-        HttpForTest(Class<T> returnClass, VOpsClientForTest client) {
+        HttpForTest(Class<T> returnClass, VOpsClientSimulator client) {
             super(returnClass)
             this.client = client
             this.errorCodeBuilder = { Exception e, http2 -> client.errorFacade.throwableToOperationError(e) }

diff --git a/testlib/src/main/java/org/zstack/testlib/vops/VOpsVirtualEndpointSpec.groovy b/testlib/src/main/java/org/zstack/testlib/vops/VOpsVirtualEndpointSpec.groovy
@@ -25,7 +25,7 @@ class VOpsVirtualEndpointSpec extends Spec {
 
     @Override
     SpecID create(String uuid, String sessionId) {
-        mockFactory(VOpsClient.class, { return new VOpsClientForTest(this) })
+        mockFactory(VOpsClient.class, { return new VOpsClientSimulator(this) })
         return id(endpointName, endpointUuid = uuid)
     }
 
@@ -34,15 +34,15 @@ class VOpsVirtualEndpointSpec extends Spec {
         Test.functionForMockTestObjectFactory.remove(VOpsClient.class)
     }
 
-    public List<PostHandlerPair<VOpsClientForTest.HttpForTest, Object>> postHandlers = []
+    public List<PostHandlerPair<VOpsClientSimulator.HttpForTest, Object>> postHandlers = []
 
     /**
      * @return a function to remove this handler
      */
     BooleanSupplier registerPostHttpHandler(
-            Predicate<VOpsClientForTest.HttpForTest> predicate,
-            BiFunction<VOpsClientForTest.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
-        def pair = new PostHandlerPair<VOpsClientForTest.HttpForTest, Object>(
+            Predicate<VOpsClientSimulator.HttpForTest> predicate,
+            BiFunction<VOpsClientSimulator.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
+        def pair = new PostHandlerPair<VOpsClientSimulator.HttpForTest, Object>(
                 Objects.requireNonNull(predicate),
                 Objects.requireNonNull(handler))
 
@@ -55,7 +55,7 @@ class VOpsVirtualEndpointSpec extends Spec {
      */
     BooleanSupplier registerPostHttpHandler(
             String path,
-            BiFunction<VOpsClientForTest.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
+            BiFunction<VOpsClientSimulator.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
         return registerPostHttpHandler({ it.path == path || it.pathWithoutIpAndPort == path }, handler)
     }
 
@@ -65,7 +65,7 @@ class VOpsVirtualEndpointSpec extends Spec {
     BooleanSupplier registerPostHttpHandler(
             String path,
             HttpMethod method,
-            BiFunction<VOpsClientForTest.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
+            BiFunction<VOpsClientSimulator.HttpForTest, ErrorableValue<Object>, ErrorableValue<Object>> handler) {
         return registerPostHttpHandler(
             {
                 (it.path == path || it.pathWithoutIpAndPort == path) && it.method == method