GUAC-1103: Allow unsalted passwords from external systems.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java

@@ -30,11 +30,16 @@ public interface PasswordEncryptionService {
 
     /**
      * Creates a password hash based on the provided username, password, and
-     * salt.
+     * salt. If the provided salt is null, only the password itself is hashed.
      *
-     * @param password The password to hash.
+     * @param password
-     * @param salt The salt to use when hashing the password.
+     *     The password to hash.
-     * @return The generated password hash.
+     *
+     * @param salt
+     *     The salt to use when hashing the password, if any.
+     *
+     * @return
+     *     The generated password hash.
      */
     public byte[] createPasswordHash(String password, byte[] salt);
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java

@@ -38,26 +38,26 @@ public class SHA256PasswordEncryptionService implements PasswordEncryptionServic
 
         try {
 
-            // Build salted password
+            // Build salted password, if a salt was provided
             StringBuilder builder = new StringBuilder();
             builder.append(password);
-            builder.append(DatatypeConverter.printHexBinary(salt));
 
-            // Hash UTF-8 bytes of salted password
+            if (salt != null)
+                builder.append(DatatypeConverter.printHexBinary(salt));
+
+            // Hash UTF-8 bytes of possibly-salted password
             MessageDigest md = MessageDigest.getInstance("SHA-256");
             md.update(builder.toString().getBytes("UTF-8"));
             return md.digest();
 
         }
 
-        // Should not happen
+        // Throw hard errors if standard pieces of Java are missing
-        catch (UnsupportedEncodingException ex) {
+        catch (UnsupportedEncodingException e) {
-            throw new RuntimeException(ex);
+            throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
         }
-
+        catch (NoSuchAlgorithmException e) {
-        // Should not happen
+            throw new UnsupportedOperationException("Unexpected lack of SHA-256 support.", e);
-        catch (NoSuchAlgorithmException ex) {
-            throw new RuntimeException(ex);
         }
 
     }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/001-create-schema.sql

@@ -65,7 +65,9 @@ CREATE TABLE `guacamole_connection` (
 
 --
 -- Table of users. Each user has a unique username and a hashed password
--- with corresponding salt.
+-- with corresponding salt. Although the authentication system will always set
+-- salted passwords, other systems may set unsalted passwords by simply not
+-- providing the salt.
 --
 
 CREATE TABLE `guacamole_user` (
@@ -73,7 +75,7 @@ CREATE TABLE `guacamole_user` (
   `user_id`       int(11)      NOT NULL AUTO_INCREMENT,
   `username`      varchar(128) NOT NULL,
   `password_hash` binary(32)   NOT NULL,
-  `password_salt` binary(32)   NOT NULL,
+  `password_salt` binary(32),
 
   PRIMARY KEY (`user_id`),
   UNIQUE KEY `username` (`username`)

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/001-create-schema.sql

@@ -106,7 +106,9 @@ CREATE INDEX ON guacamole_connection(parent_id);
 
 --
 -- Table of users. Each user has a unique username and a hashed password
--- with corresponding salt.
+-- with corresponding salt. Although the authentication system will always set
+-- salted passwords, other systems may set unsalted passwords by simply not
+-- providing the salt.
 --
 
 CREATE TABLE guacamole_user (
@@ -114,7 +116,7 @@ CREATE TABLE guacamole_user (
   user_id       serial       NOT NULL,
   username      varchar(128) NOT NULL,
   password_hash bytea        NOT NULL,
-  password_salt bytea        NOT NULL,
+  password_salt bytea,
 
   PRIMARY KEY (user_id),