GUAC-586: Load multiple AuthenticationProviders.

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/GuacamoleSession.java

@@ -22,6 +22,8 @@
 
 package org.glyptodon.guacamole.net.basic;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import org.glyptodon.guacamole.GuacamoleException;
@@ -51,9 +53,10 @@ public class GuacamoleSession {
     private AuthenticatedUser authenticatedUser;
     
     /**
-     * The user context associated with this session.
+     * All UserContexts associated with this session. Each
+     * AuthenticationProvider may provide its own UserContext.
      */
-    private UserContext userContext;
+    private List<UserContext> userContexts;
 
     /**
      * All currently-active tunnels, indexed by tunnel UUID.
@@ -66,7 +69,8 @@ public class GuacamoleSession {
     private long lastAccessedTime;
     
     /**
-     * Creates a new Guacamole session associated with the given user context.
+     * Creates a new Guacamole session associated with the given
+     * AuthenticatedUser and UserContexts.
      *
      * @param environment
      *     The environment of the Guacamole server associated with this new
@@ -75,18 +79,19 @@ public class GuacamoleSession {
      * @param authenticatedUser
      *     The authenticated user to associate this session with.
      *
-     * @param userContext
+     * @param userContexts
-     *     The user context to associate this session with.
+     *     The List of UserContexts to associate with this session.
      *
      * @throws GuacamoleException
      *     If an error prevents the session from being created.
      */
     public GuacamoleSession(Environment environment,
-            AuthenticatedUser authenticatedUser, UserContext userContext)
+            AuthenticatedUser authenticatedUser,
+            List<UserContext> userContexts)
             throws GuacamoleException {
         this.lastAccessedTime = System.currentTimeMillis();
         this.authenticatedUser = authenticatedUser;
-        this.userContext = userContext;
+        this.userContexts = userContexts;
     }
 
     /**
@@ -116,18 +121,56 @@ public class GuacamoleSession {
      * @return The UserContext associated with this session.
      */
     public UserContext getUserContext() {
-        return userContext;
+
+        // Warn of deprecation
+        logger.debug(
+            "\n****************************************************************"
+          + "\n"
+          + "\n       !!!!  PLEASE DO NOT USE getUserContext() !!!!"
+          + "\n"
+          + "\n getUserContext() has been replaced by getUserContexts(), which"
+          + "\n properly handles multiple authentication providers. All use of"
+          + "\n the old getUserContext() must be removed before GUAC-586 can"
+          + "\n be considered complete."
+          + "\n"
+          + "\n****************************************************************"
+        );
+
+        // Return the UserContext associated with the AuthenticationProvider
+        // that authenticated the current user.
+        String authProviderIdentifier = authenticatedUser.getAuthenticationProvider().getIdentifier();
+        for (UserContext userContext : userContexts) {
+            if (userContext.getAuthenticationProvider().getIdentifier().equals(authProviderIdentifier))
+                return userContext;
+        }
+
+        // If not found, return null
+        return null;
+
     }
 
     /**
-     * Replaces the user context associated with this session with the given
+     * Returns a list of all UserContexts associated with this session. Each
-     * user context.
+     * AuthenticationProvider currently loaded by Guacamole may provide its own
+     * UserContext for any successfully-authenticated user.
      *
-     * @param userContext
+     * @return
-     *     The user context to associate with this session.
+     *     An unmodifiable list of all UserContexts associated with this
+     *     session.
      */
-    public void setUserContext(UserContext userContext) {
+    public List<UserContext> getUserContexts() {
-        this.userContext = userContext;
+        return Collections.unmodifiableList(userContexts);
+    }
+
+    /**
+     * Replaces all UserContexts associated with this session with the given
+     * List of UserContexts.
+     *
+     * @param userContexts
+     *     The List of UserContexts to associate with this session.
+     */
+    public void setUserContexts(List<UserContext> userContexts) {
+        this.userContexts = userContexts;
     }
     
     /**

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/TunnelRequestService.java

@@ -244,13 +244,13 @@ public class TunnelRequestService {
                     // Connection identifiers
                     case CONNECTION:
                         logger.info("User \"{}\" disconnected from connection \"{}\". Duration: {} milliseconds",
-                                session.getUserContext().self().getIdentifier(), id, duration);
+                                session.getAuthenticatedUser().getIdentifier(), id, duration);
                         break;
 
                     // Connection group identifiers
                     case CONNECTION_GROUP:
                         logger.info("User \"{}\" disconnected from connection group \"{}\". Duration: {} milliseconds",
-                                session.getUserContext().self().getIdentifier(), id, duration);
+                                session.getAuthenticatedUser().getIdentifier(), id, duration);
                         break;
 
                     // Type is guaranteed to be one of the above

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/extension/ExtensionModule.java

@@ -22,6 +22,7 @@
 
 package org.glyptodon.guacamole.net.basic.extension;
 
+import com.google.inject.Provides;
 import com.google.inject.servlet.ServletModule;
 import java.io.File;
 import java.io.FileFilter;
@@ -91,10 +92,10 @@ public class ExtensionModule extends ServletModule {
     private final Environment environment;
 
     /**
-     * The currently-bound authentication provider, if any. At the moment, we
+     * All currently-bound authentication providers, if any.
-     * only support one authentication provider loaded at any one time.
      */
-    private Class<? extends AuthenticationProvider> boundAuthenticationProvider = null;
+    private final List<AuthenticationProvider> boundAuthenticationProviders =
+            new ArrayList<AuthenticationProvider>();
 
     /**
      * Service for adding and retrieving language resources.
@@ -179,40 +180,24 @@ public class ExtensionModule extends ServletModule {
     /**
      * Binds the given AuthenticationProvider class such that any service
      * requiring access to the AuthenticationProvider can obtain it via
-     * injection.
+     * injection, along with any other bound AuthenticationProviders.
      *
      * @param authenticationProvider
      *     The AuthenticationProvider class to bind.
      */
     private void bindAuthenticationProvider(Class<? extends AuthenticationProvider> authenticationProvider) {
 
-        // Choose auth provider for binding if not already chosen
-        if (boundAuthenticationProvider == null)
-            boundAuthenticationProvider = authenticationProvider;
-
-        // If an auth provider is already chosen, skip and warn
-        else {
-            logger.debug("Ignoring AuthenticationProvider \"{}\".", authenticationProvider);
-            logger.warn("Only one authentication extension may be used at a time. Please "
-                      + "make sure that only one authentication extension is present "
-                      + "within the GUACAMOLE_HOME/" + EXTENSIONS_DIRECTORY + " "
-                      + "directory, and that you are not also specifying the deprecated "
-                      + "\"auth-provider\" property within guacamole.properties.");
-            return;
-        }
-
         // Bind authentication provider
-        logger.debug("Binding AuthenticationProvider \"{}\".", authenticationProvider);
+        logger.debug("[{}] Binding AuthenticationProvider \"{}\".",
-        bind(AuthenticationProvider.class).toInstance(new AuthenticationProviderFacade(authenticationProvider));
+                boundAuthenticationProviders.size(), authenticationProvider.getName());
+        boundAuthenticationProviders.add(new AuthenticationProviderFacade(authenticationProvider));
 
     }
 
     /**
      * Binds each of the the given AuthenticationProvider classes such that any
      * service requiring access to the AuthenticationProvider can obtain it via
-     * injection. Note that, as multiple simultaneous authentication providers
+     * injection.
-     * are not currently supported, attempting to bind more than one
-     * authentication provider will result in warnings being logged.
      *
      * @param authProviders
      *     The AuthenticationProvider classes to bind.
@@ -225,6 +210,18 @@ public class ExtensionModule extends ServletModule {
 
     }
 
+    /**
+     * Returns a list of all currently-bound AuthenticationProvider instances.
+     *
+     * @return
+     *     A List of all currently-bound AuthenticationProvider. The List is
+     *     not modifiable.
+     */
+    @Provides
+    public List<AuthenticationProvider> getAuthenticationProviders() {
+        return Collections.unmodifiableList(boundAuthenticationProviders);
+    }
+
     /**
      * Serves each of the given resources as a language resource. Language
      * resources are served from within the "/translations" directory as JSON
@@ -415,11 +412,8 @@ public class ExtensionModule extends ServletModule {
         // Load all extensions
         loadExtensions(javaScriptResources, cssResources);
 
-        // Bind basic auth if nothing else chosen/provided
+        // Always bind basic auth last
-        if (boundAuthenticationProvider == null) {
+        bindAuthenticationProvider(BasicFileAuthenticationProvider.class);
-            logger.info("Using default, \"basic\", XML-driven authentication.");
-            bindAuthenticationProvider(BasicFileAuthenticationProvider.class);
-        }
 
         // Dynamically generate app.js and app.css from extensions
         serve("/app.js").with(new ResourceServlet(new SequenceResource(javaScriptResources)));

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/ObjectRetrievalService.java

@@ -22,6 +22,7 @@
 
 package org.glyptodon.guacamole.net.basic.rest;
 
+import java.util.List;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleResourceNotFoundException;
 import org.glyptodon.guacamole.net.auth.Connection;
@@ -29,6 +30,7 @@ import org.glyptodon.guacamole.net.auth.ConnectionGroup;
 import org.glyptodon.guacamole.net.auth.Directory;
 import org.glyptodon.guacamole.net.auth.User;
 import org.glyptodon.guacamole.net.auth.UserContext;
+import org.glyptodon.guacamole.net.basic.GuacamoleSession;
 import org.glyptodon.guacamole.net.basic.rest.connectiongroup.APIConnectionGroup;
 
 /**
@@ -39,6 +41,39 @@ import org.glyptodon.guacamole.net.basic.rest.connectiongroup.APIConnectionGroup
  */
 public class ObjectRetrievalService {
 
+    /**
+     * Retrieves a single UserContext from the given GuacamoleSession, which
+     * may contain multiple UserContexts.
+     *
+     * @param session
+     *     The GuacamoleSession to retrieve the UserContext from.
+     *
+     * @param id
+     *     The numeric ID of the UserContext to retrieve. This ID is the index
+     *     of the UserContext within the overall list of UserContexts
+     *     associated with the user's session.
+     *
+     * @return
+     *     The user having the given identifier.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while retrieving the user, or if the
+     *     user does not exist.
+     */
+    public UserContext retrieveUserContext(GuacamoleSession session,
+            int id) throws GuacamoleException {
+
+        // Get list of UserContexts
+        List<UserContext> userContexts = session.getUserContexts();
+
+        // Verify context exists
+        if (id < 0 || id >= userContexts.size())
+            throw new GuacamoleResourceNotFoundException("No such user context: \"" + id + "\"");
+
+        return userContexts.get(id);
+
+    }
+
     /**
      * Retrieves a single user from the given user context.
      *

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/auth/AuthenticationService.java

@@ -23,6 +23,7 @@
 package org.glyptodon.guacamole.net.basic.rest.auth;
 
 import com.google.inject.Inject;
+import java.util.List;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleUnauthorizedException;
 import org.glyptodon.guacamole.net.auth.UserContext;
@@ -77,5 +78,24 @@ public class AuthenticationService {
     public UserContext getUserContext(String authToken)  throws GuacamoleException {
         return getGuacamoleSession(authToken).getUserContext();
     }
-    
+
+    /**
+     * Returns all UserContexts associated with a given auth token, if the auth
+     * token represents a currently logged in user. Throws an unauthorized
+     * error otherwise.
+     *
+     * @param authToken
+     *     The auth token to check against the map of logged in users.
+     *
+     * @return
+     *     A List of all UserContexts associated with the provided auth token.
+     *
+     * @throws GuacamoleException
+     *     If the auth token does not correspond to any logged in user.
+     */
+    public List<UserContext> getUserContexts(String authToken)
+            throws GuacamoleException {
+        return getGuacamoleSession(authToken).getUserContexts();
+    }
+
 }

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/auth/TokenRESTService.java

@@ -24,6 +24,8 @@ package org.glyptodon.guacamole.net.basic.rest.auth;
 
 import com.google.inject.Inject;
 import java.io.UnsupportedEncodingException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.DELETE;
@@ -68,10 +70,11 @@ public class TokenRESTService {
     private Environment environment;
     
     /**
-     * The authentication provider used to authenticate this user.
+     * All configured authentication providers which can be used to
+     * authenticate users or retrieve data associated with authenticated users.
      */
     @Inject
-    private AuthenticationProvider authProvider;
+    private List<AuthenticationProvider> authProviders;
     
     /**
      * The map of auth tokens to sessions for the REST endpoints.
@@ -224,23 +227,31 @@ public class TokenRESTService {
         credentials.setRequest(request);
         credentials.setSession(request.getSession(true));
 
-        AuthenticatedUser authenticatedUser;
+        AuthenticatedUser authenticatedUser = null;
         try {
 
             // Re-authenticate user if session exists
-            if (existingSession != null)
+            if (existingSession != null) {
-                authenticatedUser = authProvider.updateAuthenticatedUser(existingSession.getAuthenticatedUser(), credentials);
+                authenticatedUser = existingSession.getAuthenticatedUser();
+                authenticatedUser = authenticatedUser.getAuthenticationProvider().updateAuthenticatedUser(authenticatedUser, credentials);
+            }
 
-            /// Otherwise, authenticate as a new user
+            // Otherwise, attempt authentication as a new user against each
+            // AuthenticationProvider, in deterministic order
             else {
+                for (AuthenticationProvider authProvider : authProviders) {
 
-                authenticatedUser = authProvider.authenticateUser(credentials);
+                    // Attempt authentication
+                    authenticatedUser = authProvider.authenticateUser(credentials);
 
-                // Log successful authentication
+                    // Stop after successful authentication
-                if (authenticatedUser != null && logger.isInfoEnabled())
+                    if (authenticatedUser != null && logger.isInfoEnabled()) {
-                    logger.info("User \"{}\" successfully authenticated from {}.",
+                        logger.info("User \"{}\" successfully authenticated from {}.",
-                            authenticatedUser.getIdentifier(), getLoggableAddress(request));
+                                authenticatedUser.getIdentifier(), getLoggableAddress(request));
+                        break;
+                    }
 
+                }
             }
 
             // Request standard username/password if no user was produced
@@ -266,30 +277,35 @@ public class TokenRESTService {
             throw e;
         }
 
-        // Generate or update user context
+        // Get UserContexts from each available AuthenticationProvider
-        UserContext userContext;
+        List<UserContext> userContexts = new ArrayList<UserContext>(authProviders.size());
-        if (existingSession != null)
+        for (AuthenticationProvider authProvider : authProviders) {
-            userContext = authProvider.updateUserContext(existingSession.getUserContext(), authenticatedUser);
-        else
-            userContext = authProvider.getUserContext(authenticatedUser);
 
-        // STUB: Request standard username/password if no user context was produced
+            // Generate or update user context
-        if (userContext == null)
+            UserContext userContext;
-            throw new GuacamoleInvalidCredentialsException("Permission Denied.",
+            if (existingSession != null)
-                    CredentialsInfo.USERNAME_PASSWORD);
+                userContext = authProvider.updateUserContext(existingSession.getUserContext(), authenticatedUser);
+            else
+                userContext = authProvider.getUserContext(authenticatedUser);
+
+            // Add to available data, if successful
+            if (userContext != null)
+                userContexts.add(userContext);
+
+        }
 
         // Update existing session, if it exists
         String authToken;
         if (existingSession != null) {
             authToken = token;
             existingSession.setAuthenticatedUser(authenticatedUser);
-            existingSession.setUserContext(userContext);
+            existingSession.setUserContexts(userContexts);
         }
 
         // If no existing session, generate a new token/session pair
         else {
             authToken = authTokenGenerator.getToken();
-            tokenSessionMap.put(authToken, new GuacamoleSession(environment, authenticatedUser, userContext));
+            tokenSessionMap.put(authToken, new GuacamoleSession(environment, authenticatedUser, userContexts));
         }
         
         logger.debug("Login was successful for user \"{}\".", authenticatedUser.getIdentifier());

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java

@@ -41,7 +41,6 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleResourceNotFoundException;
-import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
 import org.glyptodon.guacamole.net.auth.Credentials;
 import org.glyptodon.guacamole.net.auth.Directory;
 import org.glyptodon.guacamole.net.auth.User;
@@ -122,12 +121,6 @@ public class UserRESTService {
     @Inject
     private ObjectRetrievalService retrievalService;
     
-    /**
-     * The authentication provider used to authenticating a user.
-     */
-    @Inject
-    private AuthenticationProvider authProvider;
-    
     /**
      * Gets a list of users in the system, filtering the returned list by the
      * given permission, if specified.
@@ -340,7 +333,7 @@ public class UserRESTService {
         
         // Verify that the old password was correct
         try {
-            if (authProvider.authenticateUser(credentials) == null) {
+            if (userContext.getAuthenticationProvider().authenticateUser(credentials) == null) {
                 throw new APIException(APIError.Type.PERMISSION_DENIED,
                         "Permission denied.");
             }