GUACAMOLE-529: Apply database-specific account restrictions depending on context.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java

@@ -85,15 +85,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
     public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
             AuthenticatedUser authenticatedUser) throws GuacamoleException {
 
+        // Always allow but provide no data for users authenticated via our own
+        // connection sharing links
+        if (authenticatedUser instanceof SharedAuthenticatedUser)
+            return null;
+
+        // Set semantic flags based on context
+        boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
+        boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());
+
         // Retrieve user account for already-authenticated user
         ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
         if (user != null && !user.isDisabled()) {
 
-            // Account restrictions specific to this extension apply if this
+            // Enforce applicable account restrictions
-            // extension authenticated the user OR if an account from this
+            if (databaseRestrictionsApplicable) {
-            // extension is explicitly required
-            if (authenticatedUser instanceof ModeledAuthenticatedUser
-                    || environment.isUserRequired()) {
 
                 // Verify user account is still valid as of today
                 if (!user.isAccountValid())
@@ -103,32 +109,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
                 if (!user.isAccountAccessible())
                     throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
 
-                // Update password if password is expired
-                if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
-                    userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
-
             }
 
-            // Link to user context
+            // Update password if password is expired AND the password was
+            // actually involved in the authentication process
+            if (databaseCredentialsUsed) {
+                if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
+                    userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+            }
+
+            // Return all data associated with the authenticated user
             ModeledUserContext context = userContextProvider.get();
             context.init(user.getCurrentUser());
             return context;
 
         }
 
-        // Do not invalidate the authentication result of users who were
+        // Veto authentication result only if database-specific account
-        // authenticated via our own connection sharing links
+        // restrictions apply in this situation
-        if (authenticatedUser instanceof SharedAuthenticatedUser)
+        if (databaseRestrictionsApplicable)
-            return null;
+            throw new GuacamoleInvalidCredentialsException("Invalid login",
+                    CredentialsInfo.USERNAME_PASSWORD);
 
-        // Simply return no data if a database user account is not required
+        // There is no data to be returned for the user, either because they do
-        if (!environment.isUserRequired())
+        // not exist or because restrictions prevent their data from being
-            return null;
+        // retrieved, but no restrictions apply which should prevent the user
-
+        // from authenticating entirely
-        // Otherwise, invalidate the authentication result, as database user
+        return null;
-        // accounts are absolutely required
-        throw new GuacamoleInvalidCredentialsException("Invalid login",
-                CredentialsInfo.USERNAME_PASSWORD);
 
     }