diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index dd39f245b..284a5aaae 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -21,12 +21,13 @@ package org.apache.guacamole.auth.jdbc;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.security.PasswordPolicyService;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
-import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -86,33 +87,48 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
 // Retrieve user account for already-authenticated user
 ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
- if (user == null) {
+ if (user != null && !user.isDisabled()) {
 
- // Do not invalidate the authentication result of users who were
- // authenticated via our own connection sharing links
- if (authenticatedUser instanceof SharedAuthenticatedUser)
- return null;
+ // Account restrictions specific to this extension apply if this
+ // extension authenticated the user OR if an account from this
+ // extension is explicitly required
+ if (authenticatedUser instanceof ModeledAuthenticatedUser
+ || environment.isUserRequired()) {
 
- // Simply return no data if a database user account is not required
- if (!environment.isUserRequired())
- return null;
+ // Verify user account is still valid as of today
+ if (!user.isAccountValid())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
 
- // Otherwise, invalidate the authentication result, as database user
- // accounts are absolutely required
- throw new GuacamoleInvalidCredentialsException("Invalid login",
- CredentialsInfo.USERNAME_PASSWORD);
+ // Verify user account is allowed to be used at the current time
+ if (!user.isAccountAccessible())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
+
+ // Update password if password is expired
+ if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
+ userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
+ }
+
+ // Link to user context
+ ModeledUserContext context = userContextProvider.get();
+ context.init(user.getCurrentUser());
+ return context;
 
 }
 
- // Update password if password is expired
- UserModel userModel = user.getModel();
- if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
- userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+ // Do not invalidate the authentication result of users who were
+ // authenticated via our own connection sharing links
+ if (authenticatedUser instanceof SharedAuthenticatedUser)
+ return null;
 
- // Link to user context
- ModeledUserContext context = userContextProvider.get();
- context.init(user.getCurrentUser());
- return context;
+ // Simply return no data if a database user account is not required
+ if (!environment.isUserRequired())
+ return null;
+
+ // Otherwise, invalidate the authentication result, as database user
+ // accounts are absolutely required
+ throw new GuacamoleInvalidCredentialsException("Invalid login",
+ CredentialsInfo.USERNAME_PASSWORD);
 
 }
 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
index 418ffad81..0ed115ff4 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
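Review bot: In the new `environment.isUserRequired()` branch, a user authenticated by some other extension (anything that is not a `ModeledAuthenticatedUser`) now reaches `userService.resetExpiredPassword(user, authenticatedUser.getCredentials())` with credentials that the other extension validated rather than ones checked against the database password; whether `resetExpiredPassword()` itself verifies the stored database password before accepting a replacement is not visible in this hunk and should be confirmed, because otherwise an expired database password could be rotated on the strength of a different backend's authentication alone. The `if (user != null && !user.isDisabled())` test also deserves a line explaining why disabled accounts are deliberately routed through the same path as missing ones, e.g. `// A disabled account is treated exactly as if it did not exist: no data when not required, otherwise invalid credentials`, since the two `GuacamoleClientException` keys thrown below tell the client that an account exists whereas disabled accounts stay indistinguishable from absent ones. The enclosing method's signature and Javadoc lie before this hunk.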
@@ -766,4 +766,30 @@ public class ModeledUser extends ModeledDirectoryObject implements Us
 return isActive(getAccessWindowStart(), getAccessWindowEnd());
 }
 
+ /**
+ * Returns whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
+ *
+ * @return
+ * true if this user account has been disabled, false otherwise.
+ */
+ public boolean isDisabled() {
+ return getModel().isDisabled();
+ }
+
+ /**
+ * Returns whether this user's password has expired. If a user's password
+ * is expired, it must be immediately changed upon login. A user account
+ * with an expired password cannot be used until the password has been
+ * changed.
+ *
+ * @return
+ * true if this user's password has expired, false otherwise.
+ */
+ public boolean isExpired() {
+ return getModel().isExpired();
+ }
+
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
index 2376caed9..afaeb5521 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
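Review bot: `isExpired()` is placed directly after `isAccountValid()` and `isAccountAccessible()`, which describe the account's validity window, yet it reports password expiry, so the name alone misleads and only the Javadoc's first sentence corrects it; a name that follows the two neighbours, `isPasswordExpired()`, would be clearer, or failing that the Javadoc should state what the flag is not. In either case the `isExpired()` Javadoc should say that the value is only the flag stored on the underlying model, because the provider hunk of this commit ORs it with a separate `passwordPolicyService.isPasswordExpired(user)` check and a reader of this method alone would otherwise assume it covers both. `isDisabled()` could likewise note that, as the provider hunk shows, a disabled account is handled as if it did not exist rather than producing a distinct error.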
@@ -194,48 +194,51 @@ public class UserModel extends ObjectModel {
 }
 
 /**
- * Returns whether the user has been disabled. Disabled users are not
- * allowed to login. Although their account data exists, all login attempts
- * will fail as if the account does not exist.
+ * Returns whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
 *
 * @return
- * true if the account is disabled, false otherwise.
+ * true if this user account is disabled, false otherwise.
 */
 public boolean isDisabled() {
 return disabled;
 }
 
 /**
- * Sets whether the user is disabled. Disabled users are not allowed to
- * login. Although their account data exists, all login attempts will fail
- * as if the account does not exist.
+ * Sets whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
 *
 * @param disabled
- * true if the account should be disabled, false otherwise.
+ * true if this user account should be disabled, false otherwise.
 */
 public void setDisabled(boolean disabled) {
 this.disabled = disabled;
 }
 
 /**
- * Returns whether the user's password has expired. If a user's password is
- * expired, it must be immediately changed upon login. A user account with
- * an expired password cannot be used until the password has been changed.
+ * Returns whether this user's password has expired. If a user's password
+ * is expired, it must be immediately changed upon login. A user account
+ * with an expired password cannot be used until the password has been
+ * changed.
 *
 * @return
- * true if the user's password has expired, false otherwise.
+ * true if this user's password has expired, false otherwise.
 */
 public boolean isExpired() {
 return expired;
 }
 
 /**
- * Sets whether the user's password is expired. If a user's password is
+ * Sets whether this user's password is expired. If a user's password is
 * expired, it must be immediately changed upon login. A user account with
 * an expired password cannot be used until the password has been changed.
 *
 * @param expired
- * true to expire the user's password, false otherwise.
+ * true if this user's password has expired, false otherwise.
 */
 public void setExpired(boolean expired) {
 this.expired = expired;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 7935f864d..3dc025fcd 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -312,9 +312,10 @@ public class UserService extends ModeledDirectoryObjectService