From c7dbbdbbe203e054cbcc320304e1c3d3b0c71e5c Mon Sep 17 00:00:00 2001 From: "lin.ma" Date: Mon, 22 Sep 2025 15:07:12 +0800 Subject: [PATCH] [identity]: not allowed `thirdParty`, `OAuth2` local login Resolves: ZSTAC-76390 Change-Id: I62646e64637a67777a667768686373626f696d72 --- conf/springConfigXml/AccountManager.xml | 1 + .../zstack/identity/AccountManagerImpl.java | 23 ++++++++++++++++++- .../identity/BeforeLoginInAccountPoint.java | 7 ++++++ 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 identity/src/main/java/org/zstack/identity/BeforeLoginInAccountPoint.java diff --git a/conf/springConfigXml/AccountManager.xml b/conf/springConfigXml/AccountManager.xml index 79df4f3c2f..c154bcc5c5 100755 --- a/conf/springConfigXml/AccountManager.xml +++ b/conf/springConfigXml/AccountManager.xml @@ -50,6 +50,7 @@ + diff --git a/identity/src/main/java/org/zstack/identity/AccountManagerImpl.java b/identity/src/main/java/org/zstack/identity/AccountManagerImpl.java index c00a6e11dd..41d119c0fe 100755 --- a/identity/src/main/java/org/zstack/identity/AccountManagerImpl.java +++ b/identity/src/main/java/org/zstack/identity/AccountManagerImpl.java @@ -63,7 +63,8 @@ import static org.zstack.header.identity.AccountConstant.ACCOUNT_REST_AUTHENTICATION_TYPE; public class AccountManagerImpl extends AbstractService implements AccountManager, SoftDeleteEntityExtensionPoint, - HardDeleteEntityExtensionPoint, ApiMessageInterceptor, RestAuthenticationBackend, PrepareDbInitialValueExtensionPoint { + HardDeleteEntityExtensionPoint, ApiMessageInterceptor, RestAuthenticationBackend, PrepareDbInitialValueExtensionPoint, + BeforeLoginInAccountPoint { private static final CLogger logger = Utils.getLogger(AccountManagerImpl.class); @Autowired 
@@ -527,6 +528,10 @@ private void handle(APILogInByUserMsg msg) { private void handle(APILogInByAccountMsg msg) { APILogInReply reply = new APILogInReply(); + pluginRgty.getExtensionList(BeforeLoginInAccountPoint.class).forEach(point->{ + point.beforeLogin(msg); + }); + LogInMsg logInMsg = new LogInMsg(); logInMsg.setVerifyCode(msg.getVerifyCode()); logInMsg.setCaptchaUuid(msg.getCaptchaUuid()); @@ -1790,4 +1795,20 @@ public SessionInventory doAuth(RestAuthenticationParams params) { session.setUuid(params.authKey); return session; } + + @Override + public void beforeLogin(APISessionMessage sessionMessage) { + String name = sessionMessage.getUsername(); + AccountType thirdPartyType = AccountType.ThirdParty; + + AccountVO account = Q.New(AccountVO.class).eq(AccountVO_.name, name).find(); + + if (account == null) { + return; + } + + if (account.getType() == thirdPartyType) { + throw new CloudRuntimeException(String.format("Account [name=%s] [type=%s] cannot local login", name, thirdPartyType)); + } + } } diff --git a/identity/src/main/java/org/zstack/identity/BeforeLoginInAccountPoint.java b/identity/src/main/java/org/zstack/identity/BeforeLoginInAccountPoint.java new file mode 100644 index 0000000000..33895b3f35 --- /dev/null +++ b/identity/src/main/java/org/zstack/identity/BeforeLoginInAccountPoint.java @@ -0,0 +1,7 @@ +package org.zstack.identity; + +import org.zstack.header.identity.APISessionMessage; + +public interface BeforeLoginInAccountPoint { + void beforeLogin(APISessionMessage sessionMessage); +}
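Review bot: The extension loop at the top of `handle(APILogInByAccountMsg)` runs before the verify code and captcha UUID are handed to `LogInMsg`, so whatever the extensions do (here, a database lookup by account name) is presumably reachable before any captcha check. Consider invoking the hook after that validation, so the lookup is not exposed to callers who have not passed the captcha. Only this handler calls the hook; `handle(APILogInByUserMsg)`, named in the hunk header, and any other login entry point are outside the diff, so confirm they cannot create a local session for a third-party account. The handler continues past the hunk, so how an exception thrown from an extension is turned into a reply is not visible here. As a style point the lambda needs no block: `.forEach(point -> point.beforeLogin(msg));`.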
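Review bot: The exception thrown in `beforeLogin` tells an unauthenticated caller that the name exists and belongs to a third-party account, while an unknown name returns silently, so the response reveals which account names exist. Prefer the same generic failure the caller gets for bad credentials and keep the detail server-side, e.g. `logger.warn(String.format("local login rejected for third-party account[name:%s]", name));`. `CloudRuntimeException` reads as an internal fault rather than a policy denial, so if the project has an API-level operation error, that is the better carrier. The commit subject also names `OAuth2`, but only `AccountType.ThirdParty` is compared; either OAuth2 accounts carry that type, which deserves a comment, or a second comparison is missing. The lookup is by `name` alone and independent of how the real login path resolves the account, so check that both match names the same way (case, uniqueness).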
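Review bot: `BeforeLoginInAccountPoint` has no Javadoc, and the contract an implementer needs is only discoverable by reading `AccountManagerImpl`: the hook runs on unauthenticated input and rejects the login by throwing. A short interface comment would cover it, for example `/** Called before a local account login is processed; throw to reject the login. The message is unauthenticated input. */`.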