From 10aea5d0a39f9a73f85921bebc3060190df068eb Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Wed, 27 May 2015 13:08:26 -0700
Subject: [PATCH] GUAC-1176: Add password expiration attribute.
---
 .../guacamole/auth/jdbc/user/ModeledUser.java | 19 ++++++++++--
 .../guacamole/auth/jdbc/user/UserModel.java | 31 +++++++++++++++++++
 .../src/main/resources/translations/en.json | 1 +
 .../schema/001-create-schema.sql | 1 +
 .../schema/upgrade/upgrade-pre-0.9.7.sql | 6 ++++
 .../guacamole/auth/jdbc/user/UserMapper.xml | 19 ++++++++----
 .../schema/001-create-schema.sql | 1 +
 .../schema/upgrade/upgrade-pre-0.9.7.sql | 6 ++++
 .../guacamole/auth/jdbc/user/UserMapper.xml | 19 ++++++++----
 9 files changed, 88 insertions(+), 15 deletions(-)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
index 0f234c494..d35b9c07b 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
@@ -58,12 +58,19 @@ public class ModeledUser extends ModeledDirectoryObject implements Us
 */
 public static final String DISABLED_ATTRIBUTE_NAME = "disabled";
+ /**
+ * The name of the attribute which controls whether a user's password is
+ * expired and must be reset upon login.
+ */
+ public static final String EXPIRED_ATTRIBUTE_NAME = "expired";
+
 /**
 * All attributes related to restricting user accounts, within a logical
 * form.
 */
 public static final Form ACCOUNT_RESTRICTIONS = new Form("restrictions", "Account Restrictions", Arrays.asList(
- new Field(DISABLED_ATTRIBUTE_NAME, "Disabled", "true")
+ new Field(DISABLED_ATTRIBUTE_NAME, "Disabled", "true"),
+ new Field(EXPIRED_ATTRIBUTE_NAME, "Password expired", "true")
 ));
 /**
@@ -214,7 +221,10 @@ public class ModeledUser extends ModeledDirectoryObject implements Us
 Map attributes = new HashMap();
 // Set disabled attribute
- attributes.put("disabled", getModel().isDisabled() ? "true" : null);
+ attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null);
+
+ // Set password expired attribute
+ attributes.put(EXPIRED_ATTRIBUTE_NAME, getModel().isExpired() ? "true" : null);
 return attributes;
 }
@@ -223,7 +233,10 @@ public class ModeledUser extends ModeledDirectoryObject implements Us
 public void setAttributes(Map attributes) {
 // Translate disabled attribute
- getModel().setDisabled("true".equals(attributes.get("disabled")));
+ getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME)));
+
+ // Translate password expired attribute
+ getModel().setExpired("true".equals(attributes.get(EXPIRED_ATTRIBUTE_NAME)));
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserModel.java
index 1f84ab566..5057b2f5c 100644
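Review bot: `setAttributes` in the third hunk stores `expired` straight from the caller-supplied attribute map, but none of the nine files in this patch reads `isExpired()` on the authentication path, so the flag is writable through the attribute API yet not enforced anywhere visible here; the new UserModel Javadoc in the next file says an account with an expired password "cannot be used until the password has been changed", which the code does not yet guarantee. If enforcement is intended for a follow-up commit, a comment above the new translation such as `// NOTE(review): this only persists the flag; it is not enforced at login by this class` would keep the two in step. Note also that, like the existing `disabled` handling, a map lacking the key resets the flag to false, so a partial attribute update would silently un-expire a password; presumably callers always send the full form, but worth confirming. The UPDATE statements in both UserMapper.xml files write `expired` verbatim from the model, so clearing it after a successful password change must be done explicitly by the caller. Both `getAttributes` and `setAttributes` start outside their hunks.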
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserModel.java
@@ -48,6 +48,13 @@ public class UserModel extends ObjectModel {
 */
 private boolean disabled;
+ /**
+ * Whether the user's password is expired. If a user's password is expired,
+ * it must be changed immediately upon login, and the account cannot be
+ * used until this occurs.
+ */
+ private boolean expired;
+
 /**
 * Creates a new, empty user.
 */
@@ -127,4 +134,28 @@ public class UserModel extends ObjectModel {
 this.disabled = disabled;
 }
+ /**
+ * Returns whether the user's password has expired. If a user's password is
+ * expired, it must be immediately changed upon login. A user account with
+ * an expired password cannot be used until the password has been changed.
+ *
+ * @return
+ * true if the user's password has expired, false otherwise.
+ */
+ public boolean isExpired() {
+ return expired;
+ }
+
+ /**
+ * Sets whether the user's password is expired. If a user's password is
+ * expired, it must be immediately changed upon login. A user account with
+ * an expired password cannot be used until the password has been changed.
+ *
+ * @param expired
+ * true to expire the user's password, false otherwise.
+ */
+ public void setExpired(boolean expired) {
+ this.expired = expired;
+ }
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json
index 920ded08f..adeadf508 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json
@@ -2,6 +2,7 @@
 "USER_ATTRIBUTES" : {
 "FIELD_HEADER_DISABLED" : "Login disabled:",
+ "FIELD_HEADER_EXPIRED" : "Password expired:",
 "SECTION_HEADER_RESTRICTIONS" : "Account Restrictions"
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql
index e9545adae..d3cd2ce0d 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql
@@ -77,6 +77,7 @@ CREATE TABLE `guacamole_user` (
 `password_hash` binary(32) NOT NULL,
 `password_salt` binary(32),
 `disabled` boolean NOT NULL DEFAULT 0,
+ `expired` boolean NOT NULL DEFAULT 0,
 PRIMARY KEY (`user_id`),
 UNIQUE KEY `username` (`username`)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.7.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.7.sql
index 8bc41ec26..761d9be41 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.7.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.7.sql
@@ -26,3 +26,9 @@ ALTER TABLE guacamole_user ADD COLUMN disabled BOOLEAN NOT NULL DEFAULT 0;
+--
+-- Add per-user password expiration flag
+--
+
+ALTER TABLE guacamole_user ADD COLUMN expired BOOLEAN NOT NULL DEFAULT 0;
+
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
index de4b311cd..31a8fe407 100644
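Review bot: The new `ALTER TABLE guacamole_user ADD COLUMN expired BOOLEAN NOT NULL DEFAULT 0;` in the MySQL upgrade hunk is appended to the existing `upgrade-pre-0.9.7.sql` rather than placed in a new script, so a database on which that file has already been run for the `disabled` column will fail on the earlier statement before reaching the new one, and neither statement is guarded for re-execution. If 0.9.7 is still unreleased at this point the script may simply be run once at release time, but that should be stated; the PostgreSQL `upgrade-pre-0.9.7.sql` later in the patch has the same shape. A short header comment such as `-- This script is not idempotent: run it exactly once against a pre-0.9.7 schema` above the new block would make the intent explicit to administrators.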
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
@@ -33,6 +33,7 @@
+
@@ -59,7 +60,8 @@
 username,
 password_hash,
 password_salt,
- disabled
+ disabled,
+ expired
 FROM guacamole_user
 WHERE username IN
@@ -135,7 +141,8 @@
 UPDATE guacamole_user SET password_hash = #{object.passwordHash,jdbcType=BINARY},
 password_salt = #{object.passwordSalt,jdbcType=BINARY},
- disabled = #{object.disabled,jdbcType=BOOLEAN}
+ disabled = #{object.disabled,jdbcType=BOOLEAN},
+ expired = #{object.expired,jdbcType=BOOLEAN}
 WHERE user_id = #{object.objectID,jdbcType=VARCHAR}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql
index d228b5844..7f14986be 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql
@@ -118,6 +118,7 @@ CREATE TABLE guacamole_user (
 password_hash bytea NOT NULL,
 password_salt bytea,
 disabled boolean NOT NULL DEFAULT FALSE,
+ expired boolean NOT NULL DEFAULT FALSE,
 PRIMARY KEY (user_id),
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.7.sql b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.7.sql
index ba8649629..0853e90c8 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.7.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.7.sql
@@ -26,3 +26,9 @@ ALTER TABLE guacamole_user ADD COLUMN disabled boolean NOT NULL DEFAULT FALSE;
+--
+-- Add per-user password expiration flag
+--
+
+ALTER TABLE guacamole_user ADD COLUMN expired boolean NOT NULL DEFAULT FALSE;
+
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
index 6b2438229..d78b30abb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
@@ -33,6 +33,7 @@
+
@@ -59,7 +60,8 @@
 username,
 password_hash,
 password_salt,
- disabled
+ disabled,
+ expired
 FROM guacamole_user
 WHERE username IN
@@ -135,7 +141,8 @@
 UPDATE guacamole_user SET password_hash = #{object.passwordHash,jdbcType=BINARY},
 password_salt = #{object.passwordSalt,jdbcType=BINARY},
- disabled = #{object.disabled,jdbcType=BOOLEAN}
+ disabled = #{object.disabled,jdbcType=BOOLEAN},
+ expired = #{object.expired,jdbcType=BOOLEAN}
 WHERE user_id = #{object.objectID,jdbcType=VARCHAR}