safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-284: Merge database account restrictions when users required.

Browse Source
This commit is contained in:
James Muehlner
2017-06-06 20:06:28 -07:00
parent eb087ae290 862e2c398a
commit 728d9b937c
4 changed files with 84 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
View File

@@ -21,12 +21,13 @@ package org.apache.guacamole.auth.jdbc;
import com.google.inject.Inject;
import com.google.inject.Provider;
import org.apache.guacamole.GuacamoleClientException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.jdbc.security.PasswordPolicyService;
import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
import org.apache.guacamole.auth.jdbc.user.UserModel;
import org.apache.guacamole.auth.jdbc.user.UserService;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -86,33 +87,48 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
if (user == null) {
if (user != null && !user.isDisabled()) {
// Do not invalidate the authentication result of users who were
// authenticated via our own connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// Account restrictions specific to this extension apply if this
// extension authenticated the user OR if an account from this
// extension is explicitly required
if (authenticatedUser instanceof ModeledAuthenticatedUser
|| environment.isUserRequired()) {
// Simply return no data if a database user account is not required
if (!environment.isUserRequired())
return null;
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Otherwise, invalidate the authentication result, as database user
// accounts are absolutely required
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
// Update password if password is expired
if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
}
// Link to user context
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
}
// Update password if password is expired
UserModel userModel = user.getModel();
if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
// Do not invalidate the authentication result of users who were
// authenticated via our own connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// Link to user context
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
// Simply return no data if a database user account is not required
if (!environment.isUserRequired())
return null;
// Otherwise, invalidate the authentication result, as database user
// accounts are absolutely required
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
}

26
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
View File

@@ -766,4 +766,30 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
return isActive(getAccessWindowStart(), getAccessWindowEnd());
}
/**
* Returns whether this user account has been disabled. The credentials of
* disabled user accounts are treated as invalid, effectively disabling
* that user's access to data for which they would otherwise have
* permission.
*
* @return
* true if this user account has been disabled, false otherwise.
*/
public boolean isDisabled() {
return getModel().isDisabled();
}
/**
* Returns whether this user's password has expired. If a user's password
* is expired, it must be immediately changed upon login. A user account
* with an expired password cannot be used until the password has been
* changed.
*
* @return
* true if this user's password has expired, false otherwise.
*/
public boolean isExpired() {
return getModel().isExpired();
}
}

31
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
View File

@@ -194,48 +194,51 @@ public class UserModel extends ObjectModel {
}
/**
* Returns whether the user has been disabled. Disabled users are not
* allowed to login. Although their account data exists, all login attempts
* will fail as if the account does not exist.
* Returns whether this user account has been disabled. The credentials of
* disabled user accounts are treated as invalid, effectively disabling
* that user's access to data for which they would otherwise have
* permission.
*
* @return
* true if the account is disabled, false otherwise.
* true if this user account is disabled, false otherwise.
*/
public boolean isDisabled() {
return disabled;
}
/**
* Sets whether the user is disabled. Disabled users are not allowed to
* login. Although their account data exists, all login attempts will fail
* as if the account does not exist.
* Sets whether this user account has been disabled. The credentials of
* disabled user accounts are treated as invalid, effectively disabling
* that user's access to data for which they would otherwise have
* permission.
*
* @param disabled
* true if the account should be disabled, false otherwise.
* true if this user account should be disabled, false otherwise.
*/
public void setDisabled(boolean disabled) {
this.disabled = disabled;
}
/**
* Returns whether the user's password has expired. If a user's password is
* expired, it must be immediately changed upon login. A user account with
* an expired password cannot be used until the password has been changed.
* Returns whether this user's password has expired. If a user's password
* is expired, it must be immediately changed upon login. A user account
* with an expired password cannot be used until the password has been
* changed.
*
* @return
* true if the user's password has expired, false otherwise.
* true if this user's password has expired, false otherwise.
*/
public boolean isExpired() {
return expired;
}
/**
* Sets whether the user's password is expired. If a user's password is
* Sets whether this user's password is expired. If a user's password is
* expired, it must be immediately changed upon login. A user account with
* an expired password cannot be used until the password has been changed.
*
* @param expired
* true to expire the user's password, false otherwise.
* true if this user's password has expired, false otherwise.
*/
public void setExpired(boolean expired) {
this.expired = expired;

19
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
View File

@@ -312,9 +312,10 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
/**
* Retrieves the user corresponding to the given credentials from the
* database. If the user account is expired, and the credentials contain
* the necessary additional parameters to reset the user's password, the
* password is reset.
* database. Note that this function will not enforce any additional
* account restrictions, including explicitly disabled accounts,
* scheduling, and password expiration. It is the responsibility of the
* caller to enforce such restrictions, if desired.
*
* @param authenticationProvider
* The AuthenticationProvider on behalf of which the user is being
@@ -342,10 +343,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
if (userModel == null)
return null;
// If user is disabled, pretend user does not exist
if (userModel.isDisabled())
return null;
// Verify provided password is correct
byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());
if (!Arrays.equals(hash, userModel.getPasswordHash()))
@@ -355,14 +352,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
ModeledUser user = getObjectInstance(null, userModel);
user.setCurrentUser(new ModeledAuthenticatedUser(authenticationProvider, user, credentials));
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
// Return now-authenticated user
return user.getCurrentUser();