Repository: guacamole-client Updated Branches: refs/heads/master 4f27a03ad -> d35d67fee
GUACAMOLE-529: Apply database-specific account restrictions depending on context. Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/6dde0e77 Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/6dde0e77 Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/6dde0e77 Branch: refs/heads/master Commit: 6dde0e778a9ef70f405b88584d7e4c10431cbad5 Parents: 4f27a03 Author: Michael Jumper <mjum...@apache.org> Authored: Sun Apr 1 23:19:40 2018 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Sun Apr 1 23:29:19 2018 -0700 ---------------------------------------------------------------------- .../jdbc/JDBCAuthenticationProviderService.java | 49 +++++++++++--------- 1 file changed, 28 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/6dde0e77/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java ----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 284a5aa..68e2a47 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -85,15 +85,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
 AuthenticatedUser authenticatedUser) throws GuacamoleException {
 
+ // Always allow but provide no data for users authenticated via our own
+ // connection sharing links
+ if (authenticatedUser instanceof SharedAuthenticatedUser)
+ return null;
+
+ // Set semantic flags based on context
+ boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
+ boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());
+
 // Retrieve user account for already-authenticated user
 ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
 if (user != null && !user.isDisabled()) {
 
- // Account restrictions specific to this extension apply if this
- // extension authenticated the user OR if an account from this
- // extension is explicitly required
- if (authenticatedUser instanceof ModeledAuthenticatedUser
- || environment.isUserRequired()) {
+ // Enforce applicable account restrictions
+ if (databaseRestrictionsApplicable) {
 
 // Verify user account is still valid as of today
 if (!user.isAccountValid())
@@ -103,32 +109,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 if (!user.isAccountAccessible())
 throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
 
- // Update password if password is expired
+ }
+
+ // Update password if password is expired AND the password was
+ // actually involved in the authentication process
+ if (databaseCredentialsUsed) {
 if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
 userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
-
 }
 
- // Link to user context
+ // Return all data associated with the authenticated user
 ModeledUserContext context = userContextProvider.get();
 context.init(user.getCurrentUser());
 return context;
 
 }
 
- // Do not invalidate the authentication result of users who were
- // authenticated via our own connection sharing links
- if (authenticatedUser instanceof SharedAuthenticatedUser)
- return null;
-
- // Simply return no data if a database user account is not required
- if (!environment.isUserRequired())
- return null;
-
- // Otherwise, invalidate the authentication result, as database user
- // accounts are absolutely required
- throw new GuacamoleInvalidCredentialsException("Invalid login",
- CredentialsInfo.USERNAME_PASSWORD);
+ // Veto authentication result only if database-specific account
+ // restrictions apply in this situation
+ if (databaseRestrictionsApplicable)
+ throw new GuacamoleInvalidCredentialsException("Invalid login",
+ CredentialsInfo.USERNAME_PASSWORD);
+
+ // There is no data to be returned for the user, either because they do
+ // not exist or because restrictions prevent their data from being
+ // retrieved, but no restrictions apply which should prevent the user
+ // from authenticating entirely
+ return null;
 
 }
 
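Review bot: The veto at the end of the hunk, `if (databaseRestrictionsApplicable) throw new GuacamoleInvalidCredentialsException("Invalid login", ...)`, now rejects both a disabled database account and a missing account while `isUserRequired()` is set, but records nothing server-side, so an operator cannot tell these policy rejections apart from an ordinary bad-password attempt. The opaque client-facing message is right (it avoids account enumeration), but a debug-level line immediately before the throw, on the class's SLF4J logger if it has one (its fields are not in the hunk), such as `logger.debug("Rejecting \"{}\": no usable database account and database restrictions apply.", authenticatedUser.getIdentifier());`, would make the rejection attributable in logs and detection tooling. Folding the `user.isExpired()` check into the `databaseCredentialsUsed` branch also means an expired database account that authenticated through another provider with `isUserRequired()` set now receives a user context with no reset at all; if that is the intended reading of "restrictions", the new comment above that branch should state it explicitly. getUserContext begins in the previous hunk.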