GUACAMOLE-284: Add convenience methods for determining whether a user account is disabled/expired.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/f4fce6a0 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/f4fce6a0 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/f4fce6a0 Branch: refs/heads/master Commit: f4fce6a07a94a6a4f8919df5bffe171e82aa3081 Parents: c87ec1b Author: Michael Jumper <mjum...@apache.org> Authored: Sun Jun 4 14:08:49 2017 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Sun Jun 4 22:21:19 2017 -0700 ---------------------------------------------------------------------- .../jdbc/JDBCAuthenticationProviderService.java | 48 ++++++++------------ .../guacamole/auth/jdbc/user/ModeledUser.java | 24 ++++++++++ 2 files changed, 44 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f4fce6a0/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java ----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 37ff3bc..b753ff8 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -28,7 +28,6 @@ import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
-import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -88,40 +87,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider // Retrieve user account for already-authenticated user ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser); - if (user != null) { + if (user != null && !user.isDisabled()) { - // User data only exists for purposes of retrieval if the account - // is not disabled - UserModel userModel = user.getModel(); - if (!userModel.isDisabled()) { + // Apply account restrictions if this extension authenticated + // the user OR if an account from this extension is explicitly + // required + if (authenticatedUser instanceof ModeledAuthenticatedUser + || environment.isUserRequired()) { - // Apply account restrictions if this extension authenticated - // the user OR if an account from this extension is explicitly - // required - if (authenticatedUser instanceof ModeledAuthenticatedUser - || environment.isUserRequired()) { + // Verify user account is still valid as of today + if (!user.isAccountValid()) + throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID"); - // Verify user account is still valid as of today - if (!user.isAccountValid()) - throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID"); + // Verify user account is allowed to be used at the current time + if (!user.isAccountAccessible()) + throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE"); - // Verify user account is allowed to be used at the current time - if (!user.isAccountAccessible()) - throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE"); - - // Update password if password is expired - if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user)) - userService.resetExpiredPassword(user, authenticatedUser.getCredentials()); - - } - - // Link to user context - ModeledUserContext context = userContextProvider.get(); - context.init(user.getCurrentUser()); - return context; + // Update password if password is expired + if 
(user.isExpired() || passwordPolicyService.isPasswordExpired(user)) + userService.resetExpiredPassword(user, authenticatedUser.getCredentials()); } + // Link to user context + ModeledUserContext context = userContextProvider.get(); + context.init(user.getCurrentUser()); + return context; + } // Do not invalidate the authentication result of users who were http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f4fce6a0/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java index 418ffad..745fe5f 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java 
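Review bot: The merged condition `if (user != null && !user.isDisabled())` drops the comment that explained why a disabled account is handled exactly like a missing one, so the call site no longer says that a disabled user must never receive a `ModeledUserContext`. I would restore that above the condition, e.g. `// Disabled accounts are treated as nonexistent: no user context is created for them`. The same comment should note that the disabled check is unconditional, whereas the validity, access-window and expired-password checks run only when this extension authenticated the user or `environment.isUserRequired()` is true. What happens to a disabled user after this block is decided by code below the hunk, which is not visible here.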
@@ -766,4 +766,28 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
 return isActive(getAccessWindowStart(), getAccessWindowEnd());
 }
 
+ /**
+ * Returns whether the user has been disabled. Disabled users are not
+ * allowed to login. Although their account data exists, all login attempts
+ * will fail as if the account does not exist.
+ *
+ * @return
+ * true if the account is disabled, false otherwise.
+ */
+ public boolean isDisabled() {
+ return getModel().isDisabled();
+ }
+
+ /**
+ * Returns whether the user's password has expired. If a user's password is
+ * expired, it must be immediately changed upon login. A user account with
+ * an expired password cannot be used until the password has been changed.
+ *
+ * @return
+ * true if the user's password has expired, false otherwise.
+ */
+ public boolean isExpired() {
+ return getModel().isExpired();
+ }
+
 }
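Review bot: The new `isExpired()` is easy to misread as account expiry, because it sits next to `isAccountValid()` and `isAccountAccessible()` and the commit title speaks of an expired account, while its Javadoc says it reports an expired password. The Javadoc should state that the method returns only the expired flag held by the model, and that any policy-based expiry is checked separately by the caller through `passwordPolicyService.isPasswordExpired(user)`. A line such as `* This reflects only the expired flag stored on the user model, not account validity.` would make that clear. The class body starts outside this hunk, so I cannot tell whether a similarly named accessor already exists on `ModeledUser`.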