From 3790d76fc9485f5229632d4583976a593679abd3 Mon Sep 17 00:00:00 2001
From: James Muehlner
Date: Fri, 5 Aug 2022 18:30:22 +0000
Subject: [PATCH] GUACAMOLE-1656: Force refresh the user context on updateUserContext to ensure that any modified user attributes are picked up.
---
 .../JDBCAuthenticationProviderService.java | 45 ++++++++++++++++---
 .../guacamole/auth/jdbc/user/UserService.java | 12 +++--
 .../vault/ksm/GuacamoleExceptionSupplier.java | 1 +
 .../controllers/manageUserController.js | 2 -
 4 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index d2576ec2b..e276b2766 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -89,9 +89,31 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 }
- @Override
- public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
- AuthenticatedUser authenticatedUser) throws GuacamoleException {
+ /**
+ * Gets a user context for the given authentication provider and user. If
+ * forceRefresh is set to true, the user record will be re-fetched even if
+ * it has already been loaded from the database. If not, the existing
+ * user will be used.
+ *
+ * @param authenticationProvider
+ * The authentication provider to use when loading or refreshing the user.
+ *
+ * @param authenticatedUser
+ * The user for which the user context is being fetched.
+ *
+ * @param forceRefresh
+ * A flag that, when set to true, will force the authenticated user to
+ * refreshed from the database. If false, an existing DB user will be
+ * reused.
+ *
+ * @return
+ * The fetched user context.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while fetching or refreshing the user context.
+ */
+ private ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
+ AuthenticatedUser authenticatedUser, boolean forceRefresh) throws GuacamoleException {
 // Always allow but provide no data for users authenticated via our own
 // connection sharing links
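Review bot: The Javadoc added for the private `getUserContext(..., boolean forceRefresh)` overload drops a word in the `forceRefresh` description ("will force the authenticated user to refreshed"), and its `@return` says only "The fetched user context." The context comment right under the signature says sharing-link users are allowed "but provide no data", so there appears to be a no-data return path that the `@return` does not mention; the return statement itself is outside the hunk, so this should be confirmed against the full method. Suggested wording: `will force the authenticated user to be refreshed from the database` and an `@return` that names what is returned for connection-sharing users. The method body continues past the end of the hunk.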
@@ -102,8 +124,9 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
 boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());
- // Retrieve user account for already-authenticated user
- ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
+ // Retrieve user account for already-authenticated user, forcing a refresh if requested
+ ModeledUser user = userService.retrieveUser(
+ authenticationProvider, authenticatedUser, forceRefresh);
 ModeledUserContext context = userContextProvider.get();
 if (user != null && !user.isDisabled()) {
@@ -159,13 +182,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 }
+ @Override
+ public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
+ AuthenticatedUser authenticatedUser) throws GuacamoleException {
+
+ // Do not force refresh unless updateUserContext is explicitly called
+ return getUserContext(authenticationProvider, authenticatedUser, false);
+ }
+
 @Override
 public UserContext updateUserContext(AuthenticationProvider authenticationProvider, UserContext context, AuthenticatedUser authenticatedUser, Credentials credentials) throws GuacamoleException {
- // No need to update the context
- return context;
+ // Force-refresh the user context
+ return getUserContext(authenticationProvider, authenticatedUser, true);
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index c43aa1b01..3d23e64b0 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
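Review bot: In the `@@ -102,8 +124,9 @@` hunk, the new comment on the `retrieveUser(...)` call says only that a refresh is forced "if requested", but the `user != null && !user.isDisabled()` test two lines below is only as current as this fetch. I would state that dependency in the comment, e.g. `// Re-read the account when forceRefresh is set so the disabled check below sees the current database state rather than a previously loaded record`. Whether the three-argument `retrieveUser` also replaces the record held by `authenticatedUser` is decided in UserService.java, whose change is not legible on this page, so that should be confirmed there. The `if` block opened on the last context line continues outside the hunk.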
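Review bot: In the `@@ -159,13 +182,21 @@` hunk, `updateUserContext` now ignores its `context` and `credentials` parameters and can propagate any `GuacamoleException` raised by the refreshing `getUserContext`, where it previously returned `context` unconditionally. That looks intended, since an account changed or disabled after login would then stop being served its old context, but the one-line comment `// Force-refresh the user context` does not tell a caller or a later maintainer. I would expand it to `// Rebuild the context from a freshly fetched user record so that attribute changes and a disabled flag set after login take effect; the passed-in context is intentionally discarded`. Each call now presumably costs at least one database lookup, so it is worth confirming how often the web application invokes `updateUserContext` during a session.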
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -404,6 +404,11 @@ public class UserService extends ModeledDirectoryObjectService { * If an error occurs while attemping to calculate the return value. */ public abstract T get() throws GuacamoleException; + } \ No newline at end of file diff --git a/guacamole/src/main/frontend/src/app/manage/controllers/manageUserController.js b/guacamole/src/main/frontend/src/app/manage/controllers/manageUserController.js index 94e3d8944..f7ead136a 100644 --- a/guacamole/src/main/frontend/src/app/manage/controllers/manageUserController.js +++ b/guacamole/src/main/frontend/src/app/manage/controllers/manageUserController.js @@ -501,6 +501,4 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto return userService.deleteUser($scope.dataSource, $scope.user); }; - console.log($scope); - }]);