GUAC-1176: Add password expiration attribute.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java

@@ -58,12 +58,19 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
      */
     public static final String DISABLED_ATTRIBUTE_NAME = "disabled";
 
+    /**
+     * The name of the attribute which controls whether a user's password is
+     * expired and must be reset upon login.
+     */
+    public static final String EXPIRED_ATTRIBUTE_NAME = "expired";
+
     /**
      * All attributes related to restricting user accounts, within a logical
      * form.
      */
     public static final Form ACCOUNT_RESTRICTIONS = new Form("restrictions", "Account Restrictions", Arrays.asList(
-        new Field(DISABLED_ATTRIBUTE_NAME, "Disabled", "true")
+        new Field(DISABLED_ATTRIBUTE_NAME, "Disabled", "true"),
+        new Field(EXPIRED_ATTRIBUTE_NAME, "Password expired", "true")
     ));
 
     /**
@@ -214,7 +221,10 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
         Map<String, String> attributes = new HashMap<String, String>();
 
         // Set disabled attribute
-        attributes.put("disabled", getModel().isDisabled() ? "true" : null);
+        attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null);
+
+        // Set password expired attribute
+        attributes.put(EXPIRED_ATTRIBUTE_NAME, getModel().isExpired() ? "true" : null);
 
         return attributes;
     }
@@ -223,7 +233,10 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
     public void setAttributes(Map<String, String> attributes) {
 
         // Translate disabled attribute
-        getModel().setDisabled("true".equals(attributes.get("disabled")));
+        getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME)));
+
+        // Translate password expired attribute
+        getModel().setExpired("true".equals(attributes.get(EXPIRED_ATTRIBUTE_NAME)));
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserModel.java

@@ -48,6 +48,13 @@ public class UserModel extends ObjectModel {
      */
     private boolean disabled;
 
+    /**
+     * Whether the user's password is expired. If a user's password is expired,
+     * it must be changed immediately upon login, and the account cannot be
+     * used until this occurs.
+     */
+    private boolean expired;
+
     /**
      * Creates a new, empty user.
      */
@@ -127,4 +134,28 @@ public class UserModel extends ObjectModel {
         this.disabled = disabled;
     }
 
+    /**
+     * Returns whether the user's password has expired. If a user's password is
+     * expired, it must be immediately changed upon login. A user account with
+     * an expired password cannot be used until the password has been changed.
+     *
+     * @return
+     *     true if the user's password has expired, false otherwise.
+     */
+    public boolean isExpired() {
+        return expired;
+    }
+
+    /**
+     * Sets whether the user's password is expired. If a user's password is
+     * expired, it must be immediately changed upon login. A user account with
+     * an expired password cannot be used until the password has been changed.
+     *
+     * @param expired
+     *     true to expire the user's password, false otherwise.
+     */
+    public void setExpired(boolean expired) {
+        this.expired = expired;
+    }
+
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json

@@ -2,6 +2,7 @@
     "USER_ATTRIBUTES" : {
 
         "FIELD_HEADER_DISABLED" : "Login disabled:",
+        "FIELD_HEADER_EXPIRED"  : "Password expired:",
 
         "SECTION_HEADER_RESTRICTIONS" : "Account Restrictions"
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql

@@ -77,6 +77,7 @@ CREATE TABLE `guacamole_user` (
   `password_hash` binary(32)   NOT NULL,
   `password_salt` binary(32),
   `disabled`      boolean      NOT NULL DEFAULT 0,
+  `expired`       boolean      NOT NULL DEFAULT 0,
 
   PRIMARY KEY (`user_id`),
   UNIQUE KEY `username` (`username`)

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.7.sql

@@ -26,3 +26,9 @@
 
 ALTER TABLE guacamole_user ADD COLUMN disabled BOOLEAN NOT NULL DEFAULT 0;
 
+--
+-- Add per-user password expiration flag
+--
+
+ALTER TABLE guacamole_user ADD COLUMN expired BOOLEAN NOT NULL DEFAULT 0;
+

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml

@@ -33,6 +33,7 @@
         <result column="password_hash" property="passwordHash" jdbcType="BINARY"/>
         <result column="password_salt" property="passwordSalt" jdbcType="BINARY"/>
         <result column="disabled"      property="disabled"     jdbcType="BOOLEAN"/>
+        <result column="expired"       property="expired"      jdbcType="BOOLEAN"/>
     </resultMap>
 
     <!-- Select all usernames -->
@@ -59,7 +60,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         WHERE username IN
             <foreach collection="identifiers" item="identifier"
@@ -77,7 +79,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         JOIN guacamole_user_permission ON affected_user_id = guacamole_user.user_id
         WHERE username IN
@@ -98,7 +101,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         WHERE
             username = #{username,jdbcType=VARCHAR}
@@ -119,13 +123,15 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         )
         VALUES (
             #{object.identifier,jdbcType=VARCHAR},
             #{object.passwordHash,jdbcType=BINARY},
             #{object.passwordSalt,jdbcType=BINARY},
-            #{object.disabled,jdbcType=BOOLEAN}
+            #{object.disabled,jdbcType=BOOLEAN},
+            #{object.expired,jdbcType=BOOLEAN}
         )
 
     </insert>
@@ -135,7 +141,8 @@
         UPDATE guacamole_user
         SET password_hash = #{object.passwordHash,jdbcType=BINARY},
             password_salt = #{object.passwordSalt,jdbcType=BINARY},
-            disabled = #{object.disabled,jdbcType=BOOLEAN}
+            disabled = #{object.disabled,jdbcType=BOOLEAN},
+            expired = #{object.expired,jdbcType=BOOLEAN}
         WHERE user_id = #{object.objectID,jdbcType=VARCHAR}
     </update>
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql

@@ -118,6 +118,7 @@ CREATE TABLE guacamole_user (
   password_hash bytea        NOT NULL,
   password_salt bytea,
   disabled      boolean      NOT NULL DEFAULT FALSE,
+  expired       boolean      NOT NULL DEFAULT FALSE,
 
   PRIMARY KEY (user_id),
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.7.sql

@@ -26,3 +26,9 @@
 
 ALTER TABLE guacamole_user ADD COLUMN disabled boolean NOT NULL DEFAULT FALSE;
 
+--
+-- Add per-user password expiration flag
+--
+
+ALTER TABLE guacamole_user ADD COLUMN expired boolean NOT NULL DEFAULT FALSE;
+

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml

@@ -33,6 +33,7 @@
         <result column="password_hash" property="passwordHash" jdbcType="BINARY"/>
         <result column="password_salt" property="passwordSalt" jdbcType="BINARY"/>
         <result column="disabled"      property="disabled"     jdbcType="BOOLEAN"/>
+        <result column="expired"       property="expired"      jdbcType="BOOLEAN"/>
     </resultMap>
 
     <!-- Select all usernames -->
@@ -59,7 +60,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         WHERE username IN
             <foreach collection="identifiers" item="identifier"
@@ -77,7 +79,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         JOIN guacamole_user_permission ON affected_user_id = guacamole_user.user_id
         WHERE username IN
@@ -98,7 +101,8 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         FROM guacamole_user
         WHERE
             username = #{username,jdbcType=VARCHAR}
@@ -119,13 +123,15 @@
             username,
             password_hash,
             password_salt,
-            disabled
+            disabled,
+            expired
         )
         VALUES (
             #{object.identifier,jdbcType=VARCHAR},
             #{object.passwordHash,jdbcType=BINARY},
             #{object.passwordSalt,jdbcType=BINARY},
-            #{object.disabled,jdbcType=BOOLEAN}
+            #{object.disabled,jdbcType=BOOLEAN},
+            #{object.expired,jdbcType=BOOLEAN}
         )
 
     </insert>
@@ -135,7 +141,8 @@
         UPDATE guacamole_user
         SET password_hash = #{object.passwordHash,jdbcType=BINARY},
             password_salt = #{object.passwordSalt,jdbcType=BINARY},
-            disabled = #{object.disabled,jdbcType=BOOLEAN}
+            disabled = #{object.disabled,jdbcType=BOOLEAN},
+            expired = #{object.expired,jdbcType=BOOLEAN}
         WHERE user_id = #{object.objectID,jdbcType=VARCHAR}
     </update>