safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-284: Move enforcement of account restrictions into AuthenticationProviderService.

Browse Source
This commit is contained in:
Michael Jumper
2017-06-04 13:42:28 -07:00
parent 45ee895044
commit 0eef629a9d
2 changed files with 21 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
View File

@@ -21,9 +21,11 @@ package org.apache.guacamole.auth.jdbc;
import com.google.inject.Inject;
import com.google.inject.Provider;
import org.apache.guacamole.GuacamoleClientException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.jdbc.security.PasswordPolicyService;
import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
import org.apache.guacamole.auth.jdbc.user.UserModel;
@@ -104,13 +106,24 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
}
// Veto authentication result if account is required but unavailable
// due to account restrictions
// Apply account restrictions if this extension authenticated the user
// OR if an account from this extension is explicitly required
UserModel userModel = user.getModel();
if (environment.isUserRequired()
&& (userModel.isDisabled() || !user.isAccountValid() || !user.isAccountAccessible())) {
if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
// If user is disabled, pretend user does not exist
if (userModel.isDisabled())
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
}
// Update password if password is expired

19
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
View File

@@ -312,9 +312,10 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
/**
* Retrieves the user corresponding to the given credentials from the
* database. If the user account is expired, and the credentials contain
* the necessary additional parameters to reset the user's password, the
* password is reset.
* database. Note that this function will not enforce any additional
* account restrictions, including explicitly disabled accounts,
* scheduling, and password expiration. It is the responsibility of the
* caller to enforce such restrictions, if desired.
*
* @param authenticationProvider
* The AuthenticationProvider on behalf of which the user is being
@@ -342,10 +343,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
if (userModel == null)
return null;
// If user is disabled, pretend user does not exist
if (userModel.isDisabled())
return null;
// Verify provided password is correct
byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());
if (!Arrays.equals(hash, userModel.getPasswordHash()))
@@ -355,14 +352,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
ModeledUser user = getObjectInstance(null, userModel);
user.setCurrentUser(new ModeledAuthenticatedUser(authenticationProvider, user, credentials));
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
// Return now-authenticated user
return user.getCurrentUser();