server: Allow admins to disable the 2FA of users in subdomains (#7870)

Author: winterhazel

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -3327,7 +3327,7 @@ protected UserTwoFactorAuthenticationSetupResponse enableTwoFactorAuthentication
     protected UserTwoFactorAuthenticationSetupResponse disableTwoFactorAuthentication(Long userId, Account caller, Account owner) {
         UserVO userVO = null;
         if (userId != null) {
-            userVO = validateUser(userId, caller.getDomainId());
+            userVO = validateUser(userId);
             owner = _accountService.getActiveAccountById(userVO.getAccountId());
         } else {
             userId = CallContext.current().getCallingUserId();
@@ -3349,16 +3349,13 @@ protected UserTwoFactorAuthenticationSetupResponse disableTwoFactorAuthenticatio
         return response;
     }
 
-    private UserVO validateUser(Long userId, Long domainId) {
+    private UserVO validateUser(Long userId) {
         UserVO user = null;
         if (userId != null) {
             user = _userDao.findById(userId);
             if (user == null) {
                 throw new InvalidParameterValueException("Invalid user ID provided");
             }
-            if (_accountDao.findById(user.getAccountId()).getDomainId() != domainId) {
-                throw new InvalidParameterValueException("User doesn't belong to the specified account or domain");
-            }
         }
         return user;
     }

server/src/test/java/com/cloud/user/AccountManagerImplTest.java

@@ -875,28 +875,27 @@ public void testEnableUserTwoFactorAuthentication() {
     @Test
     public void testDisableUserTwoFactorAuthentication() {
         Long userId = 1L;
+        Long accountId = 2L;
 
         UserVO userVO = Mockito.mock(UserVO.class);
         Account caller = Mockito.mock(Account.class);
+        Account owner = Mockito.mock(Account.class);
 
-        AccountVO accountMock = Mockito.mock(AccountVO.class);
         Mockito.doNothing().when(accountManagerImpl).checkAccess(nullable(Account.class), Mockito.isNull(), nullable(Boolean.class), nullable(Account.class));
 
-        Mockito.when(caller.getDomainId()).thenReturn(1L);
         Mockito.when(userDaoMock.findById(userId)).thenReturn(userVO);
-        Mockito.when(userVO.getAccountId()).thenReturn(1L);
-        Mockito.when(_accountDao.findById(1L)).thenReturn(accountMock);
-        Mockito.when(accountMock.getDomainId()).thenReturn(1L);
-        Mockito.when(_accountService.getActiveAccountById(1L)).thenReturn(caller);
+        Mockito.when(userVO.getAccountId()).thenReturn(accountId);
+        Mockito.when(_accountService.getActiveAccountById(accountId)).thenReturn(owner);
 
         userVoMock.setKeyFor2fa("EUJEAEDVOURFZTE6OGWVTJZMI54QGMIL");
         userVoMock.setUser2faProvider("totp");
         userVoMock.setUser2faEnabled(true);
 
         Mockito.when(userDaoMock.createForUpdate()).thenReturn(userVoMock);
 
-        UserTwoFactorAuthenticationSetupResponse response = accountManagerImpl.disableTwoFactorAuthentication(userId, caller, caller);
+        UserTwoFactorAuthenticationSetupResponse response = accountManagerImpl.disableTwoFactorAuthentication(userId, caller, owner);
 
+        Mockito.verify(accountManagerImpl).checkAccess(caller, null, true, owner);
         Assert.assertNull(response.getSecretCode());
         Assert.assertNull(userVoMock.getKeyFor2fa());
         Assert.assertNull(userVoMock.getUser2faProvider());