GUACAMOLE-1656: Force refresh the user context on updateUserContext to ensure that any modified user attributes are picked up.

2025-09-06 21:27:40 +00:00 · 2022-08-05 18:30:22 +00:00
parent e882a08486
commit 3790d76fc9
4 changed files with 48 additions and 12 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -89,9 +89,31 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider

    }

-    @Override
-    public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
-            AuthenticatedUser authenticatedUser) throws GuacamoleException {
+    /**
+     * Gets a user context for the given authentication provider and user. If
+     * forceRefresh is set to true, the user record will be re-fetched even if
+     * it has already been loaded from the database. If not, the existing
+     * user will be used.
+     *
+     * @param authenticationProvider
+     *     The authentication provider to use when loading or refreshing the user.
+     *
+     * @param authenticatedUser
+     *     The user for which the user context is being fetched.
+     *
+     * @param forceRefresh
+     *     A flag that, when set to true, will force the authenticated user to
+     *     refreshed from the database. If false, an existing DB user will be
+     *     reused.
+     *
+     * @return
+     *     The fetched user context.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while fetching or refreshing the user context.
+     */
+    private ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
+            AuthenticatedUser authenticatedUser, boolean forceRefresh) throws GuacamoleException {

        // Always allow but provide no data for users authenticated via our own
        // connection sharing links
@@ -102,8 +124,9 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
        boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
        boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());

-        // Retrieve user account for already-authenticated user
-        ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
+        // Retrieve user account for already-authenticated user, forcing a refresh if requested
+        ModeledUser user = userService.retrieveUser(
+                authenticationProvider, authenticatedUser, forceRefresh);
        ModeledUserContext context = userContextProvider.get();
        if (user != null && !user.isDisabled()) {

@@ -159,13 +182,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider

    }

+    @Override
+    public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
+            AuthenticatedUser authenticatedUser) throws GuacamoleException {
+
+        // Do not force refresh unless updateUserContext is explicitly called
+        return getUserContext(authenticationProvider, authenticatedUser, false);
+    }
+
    @Override
    public UserContext updateUserContext(AuthenticationProvider authenticationProvider,
            UserContext context, AuthenticatedUser authenticatedUser,
            Credentials credentials) throws GuacamoleException {

-        // No need to update the context
-        return context;
+        // Force-refresh the user context
+        return getUserContext(authenticationProvider, authenticatedUser, true);

    }

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -404,6 +404,11 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
     * @param authenticatedUser
     *     The AuthenticatedUser to retrieve the corresponding ModeledUser of.
     *
+     * @param forceRefresh
+     *     Whether the user should be force-refreshed: i.e. re-queried from the
+     *     database. If false, and the user has already been queried, it will
+     *     be returned as-is.
+     *
     * @return
     *     The ModeledUser which corresponds to the given AuthenticatedUser, or
     *     null if no such user exists.
@@ -413,10 +418,11 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
     *     AuthenticatedUser cannot be created.
     */
    public ModeledUser retrieveUser(AuthenticationProvider authenticationProvider,
-            AuthenticatedUser authenticatedUser) throws GuacamoleException {
+            AuthenticatedUser authenticatedUser, boolean forceRefresh) throws GuacamoleException {

-        // If we already queried this user, return that rather than querying again
-        if (authenticatedUser instanceof ModeledAuthenticatedUser)
+        // If refresh is not being forced, and we already queried this user,
+        // return that rather than querying again
+        if (!forceRefresh && (authenticatedUser instanceof ModeledAuthenticatedUser))
            return ((ModeledAuthenticatedUser) authenticatedUser).getUser();

        // Retrieve corresponding user model, if such a user exists