GUACAMOLE-284: Reverse structure of restriction enforcement such that the default action is to deny access.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/c87ec1bf Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/c87ec1bf Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/c87ec1bf Branch: refs/heads/master Commit: c87ec1bf5d6545cb8f4ed631257f4ba9667bdceb Parents: 0eef629 Author: Michael Jumper <[email protected]> Authored: Sun Jun 4 14:04:56 2017 -0700 Committer: Michael Jumper <[email protected]> Committed: Sun Jun 4 22:21:19 2017 -0700 ---------------------------------------------------------------------- .../jdbc/JDBCAuthenticationProviderService.java | 71 ++++++++++---------- 1 file changed, 37 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/c87ec1bf/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java index a5cc164..37ff3bc 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java @@ -88,52 +88,55 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider // Retrieve user account for already-authenticated user ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser); - if (user == null) { + if (user != null) { - // Do not invalidate the authentication result of users who were - // authenticated via our own connection sharing links - if (authenticatedUser instanceof SharedAuthenticatedUser) - return null; + // User data only exists for purposes of retrieval if the account + // is not disabled + UserModel userModel = user.getModel(); + if (!userModel.isDisabled()) { - // Simply return no data if a database user account is not required - if (!environment.isUserRequired()) - return null; + // Apply account restrictions if this extension authenticated + // the user OR if an account from this extension is explicitly + // required + if (authenticatedUser instanceof ModeledAuthenticatedUser + || environment.isUserRequired()) { - // Otherwise, invalidate the authentication result, as database user - // accounts are absolutely required - throw new GuacamoleInvalidCredentialsException("Invalid login", - CredentialsInfo.USERNAME_PASSWORD); + // Verify user account is still valid as of today + if (!user.isAccountValid()) + throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID"); - } + // Verify user account is allowed to be used at the current time + if (!user.isAccountAccessible()) + throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE"); - // Apply account restrictions if this extension authenticated the user - // OR if an account from this extension is explicitly required - UserModel userModel = user.getModel(); - if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) { + // Update password if password is expired + if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user)) + userService.resetExpiredPassword(user, authenticatedUser.getCredentials()); - // If user is disabled, pretend user does not exist - if (userModel.isDisabled()) - throw new GuacamoleInvalidCredentialsException("Invalid login", - CredentialsInfo.USERNAME_PASSWORD); + } - // Verify user account is still valid as of today - if (!user.isAccountValid()) - throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID"); + // Link to user context + ModeledUserContext context = userContextProvider.get(); + context.init(user.getCurrentUser()); + return context; - // Verify user account is allowed to be used at the current time - if (!user.isAccountAccessible()) - throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE"); + } } - // Update password if password is expired - if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user)) - userService.resetExpiredPassword(user, authenticatedUser.getCredentials()); + // Do not invalidate the authentication result of users who were + // authenticated via our own connection sharing links + if (authenticatedUser instanceof SharedAuthenticatedUser) + return null; - // Link to user context - ModeledUserContext context = userContextProvider.get(); - context.init(user.getCurrentUser()); - return context; + // Simply return no data if a database user account is not required + if (!environment.isUserRequired()) + return null; + + // Otherwise, invalidate the authentication result, as database user + // accounts are absolutely required + throw new GuacamoleInvalidCredentialsException("Invalid login", + CredentialsInfo.USERNAME_PASSWORD); }
