GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to password reset.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java

@@ -25,6 +25,7 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
+import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -98,6 +99,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         }
 
+        // Update password if password is expired
+        UserModel userModel = user.getModel();
+        if (userModel.isExpired())
+            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
         // Link to user context
         ModeledUserContext context = userContextProvider.get();
         context.init(user.getCurrentUser());

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java

@@ -319,40 +319,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
         if (!user.isAccountAccessible())
             throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
 
-        // Update password if password is expired
-        if (userModel.isExpired()) {
-
-            // Pull new password from HTTP request
-            HttpServletRequest request = credentials.getRequest();
-            String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
-            String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
-
-            // Require new password if account is expired
-            if (newPassword == null || confirmNewPassword == null) {
-                logger.info("The password of user \"{}\" has expired and must be reset.", username);
-                throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
-            }
-
-            // New password must be different from old password
-            if (newPassword.equals(credentials.getPassword()))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
-
-            // New password must not be blank
-            if (newPassword.isEmpty())
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
-
-            // Confirm that the password was entered correctly twice
-            if (!newPassword.equals(confirmNewPassword))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
-
-            // Change password and reset expiration flag
-            userModel.setExpired(false);
-            user.setPassword(newPassword);
-            userMapper.update(userModel);
-            logger.info("Expired password of user \"{}\" has been reset.", username);
-
-        }
-
         // Return now-authenticated user
         return user.getCurrentUser();
 
@@ -398,4 +364,60 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 
     }
 
+    /**
+     * Resets the password of the given user to the new password specified via
+     * the "new-password" and "confirm-new-password" parameters from the
+     * provided credentials. If these parameters are missing or invalid,
+     * additional credentials will be requested.
+     *
+     * @param user
+     *     The user whose password should be reset.
+     *
+     * @param credentials
+     *     The credentials from which the parameters required for password
+     *     reset should be retrieved.
+     *
+     * @throws GuacamoleException
+     *     If the password reset parameters within the given credentials are
+     *     invalid or missing.
+     */
+    public void resetExpiredPassword(ModeledUser user, Credentials credentials)
+            throws GuacamoleException {
+
+        UserModel userModel = user.getModel();
+
+        // Get username
+        String username = user.getIdentifier();
+
+        // Pull new password from HTTP request
+        HttpServletRequest request = credentials.getRequest();
+        String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
+        String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
+
+        // Require new password if account is expired
+        if (newPassword == null || confirmNewPassword == null) {
+            logger.info("The password of user \"{}\" has expired and must be reset.", username);
+            throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
+        }
+
+        // New password must be different from old password
+        if (newPassword.equals(credentials.getPassword()))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
+
+        // New password must not be blank
+        if (newPassword.isEmpty())
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
+
+        // Confirm that the password was entered correctly twice
+        if (!newPassword.equals(confirmNewPassword))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
+
+        // Change password and reset expiration flag
+        userModel.setExpired(false);
+        user.setPassword(newPassword);
+        userMapper.update(userModel);
+        logger.info("Expired password of user \"{}\" has been reset.", username);
+
+    }
+
 }