safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-529: Apply database-specific account restrictions depending on context.

Browse Source
This commit is contained in:
Michael Jumper
2018-04-01 23:19:40 -07:00
parent 4f27a03adf
commit 6dde0e778a
1 changed files with 29 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
View File

@@ -85,15 +85,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
AuthenticatedUser authenticatedUser) throws GuacamoleException {
// Always allow but provide no data for users authenticated via our own
// connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// Set semantic flags based on context
boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
if (user != null && !user.isDisabled()) {
// Account restrictions specific to this extension apply if this
// extension authenticated the user OR if an account from this
// extension is explicitly required
if (authenticatedUser instanceof ModeledAuthenticatedUser
|| environment.isUserRequired()) {
// Enforce applicable account restrictions
if (databaseRestrictionsApplicable) {
// Verify user account is still valid as of today
if (!user.isAccountValid())
@@ -103,33 +109,34 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
// Update password if password is expired
if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
}
// Link to user context
// Update password if password is expired AND the password was
// actually involved in the authentication process
if (databaseCredentialsUsed) {
if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
}
// Return all data associated with the authenticated user
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
}
// Do not invalidate the authentication result of users who were
// authenticated via our own connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// Simply return no data if a database user account is not required
if (!environment.isUserRequired())
return null;
// Otherwise, invalidate the authentication result, as database user
// accounts are absolutely required
// Veto authentication result only if database-specific account
// restrictions apply in this situation
if (databaseRestrictionsApplicable)
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
// There is no data to be returned for the user, either because they do
// not exist or because restrictions prevent their data from being
// retrieved, but no restrictions apply which should prevent the user
// from authenticating entirely
return null;
}
@Override