GUACAMOLE-284: Merge database account restrictions when users required.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java

@@ -21,12 +21,13 @@ package org.apache.guacamole.auth.jdbc;
 
 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.security.PasswordPolicyService;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
-import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -86,33 +87,48 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         // Retrieve user account for already-authenticated user
         ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
-        if (user == null) {
+        if (user != null && !user.isDisabled()) {
 
-            // Do not invalidate the authentication result of users who were
+            // Account restrictions specific to this extension apply if this
-            // authenticated via our own connection sharing links
+            // extension authenticated the user OR if an account from this
-            if (authenticatedUser instanceof SharedAuthenticatedUser)
+            // extension is explicitly required
-                return null;
+            if (authenticatedUser instanceof ModeledAuthenticatedUser
+                    || environment.isUserRequired()) {
 
-            // Simply return no data if a database user account is not required
+                // Verify user account is still valid as of today
-            if (!environment.isUserRequired())
+                if (!user.isAccountValid())
-                return null;
+                    throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
 
-            // Otherwise, invalidate the authentication result, as database user
+                // Verify user account is allowed to be used at the current time
-            // accounts are absolutely required
+                if (!user.isAccountAccessible())
-            throw new GuacamoleInvalidCredentialsException("Invalid login",
+                    throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-                    CredentialsInfo.USERNAME_PASSWORD);
+
+                // Update password if password is expired
+                if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
+                    userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
+            }
+
+            // Link to user context
+            ModeledUserContext context = userContextProvider.get();
+            context.init(user.getCurrentUser());
+            return context;
 
         }
 
-        // Update password if password is expired
+        // Do not invalidate the authentication result of users who were
-        UserModel userModel = user.getModel();
+        // authenticated via our own connection sharing links
-        if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
+        if (authenticatedUser instanceof SharedAuthenticatedUser)
-            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+            return null;
 
-        // Link to user context
+        // Simply return no data if a database user account is not required
-        ModeledUserContext context = userContextProvider.get();
+        if (!environment.isUserRequired())
-        context.init(user.getCurrentUser());
+            return null;
-        return context;
+
+        // Otherwise, invalidate the authentication result, as database user
+        // accounts are absolutely required
+        throw new GuacamoleInvalidCredentialsException("Invalid login",
+                CredentialsInfo.USERNAME_PASSWORD);
 
     }
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java

@@ -766,4 +766,30 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
         return isActive(getAccessWindowStart(), getAccessWindowEnd());
     }
 
+    /**
+     * Returns whether this user account has been disabled. The credentials of
+     * disabled user accounts are treated as invalid, effectively disabling
+     * that user's access to data for which they would otherwise have
+     * permission.
+     *
+     * @return
+     *     true if this user account has been disabled, false otherwise.
+     */
+    public boolean isDisabled() {
+        return getModel().isDisabled();
+    }
+
+    /**
+     * Returns whether this user's password has expired. If a user's password
+     * is expired, it must be immediately changed upon login. A user account
+     * with an expired password cannot be used until the password has been
+     * changed.
+     *
+     * @return
+     *     true if this user's password has expired, false otherwise.
+     */
+    public boolean isExpired() {
+        return getModel().isExpired();
+    }
+
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java

@@ -194,48 +194,51 @@ public class UserModel extends ObjectModel {
     }
 
     /**
-     * Returns whether the user has been disabled. Disabled users are not
+     * Returns whether this user account has been disabled. The credentials of
-     * allowed to login. Although their account data exists, all login attempts
+     * disabled user accounts are treated as invalid, effectively disabling
-     * will fail as if the account does not exist.
+     * that user's access to data for which they would otherwise have
+     * permission.
      *
      * @return
-     *     true if the account is disabled, false otherwise.
+     *     true if this user account is disabled, false otherwise.
      */
     public boolean isDisabled() {
         return disabled;
     }
 
     /**
-     * Sets whether the user is disabled. Disabled users are not allowed to
+     * Sets whether this user account has been disabled. The credentials of
-     * login. Although their account data exists, all login attempts will fail
+     * disabled user accounts are treated as invalid, effectively disabling
-     * as if the account does not exist.
+     * that user's access to data for which they would otherwise have
+     * permission.
      *
      * @param disabled
-     *     true if the account should be disabled, false otherwise.
+     *     true if this user account should be disabled, false otherwise.
      */
     public void setDisabled(boolean disabled) {
         this.disabled = disabled;
     }
 
     /**
-     * Returns whether the user's password has expired. If a user's password is
+     * Returns whether this user's password has expired. If a user's password
-     * expired, it must be immediately changed upon login. A user account with
+     * is expired, it must be immediately changed upon login. A user account
-     * an expired password cannot be used until the password has been changed.
+     * with an expired password cannot be used until the password has been
+     * changed.
      *
      * @return
-     *     true if the user's password has expired, false otherwise.
+     *     true if this user's password has expired, false otherwise.
      */
     public boolean isExpired() {
         return expired;
     }
 
     /**
-     * Sets whether the user's password is expired. If a user's password is
+     * Sets whether this user's password is expired. If a user's password is
      * expired, it must be immediately changed upon login. A user account with
      * an expired password cannot be used until the password has been changed.
      *
      * @param expired
-     *     true to expire the user's password, false otherwise.
+     *     true if this user's password has expired, false otherwise.
      */
     public void setExpired(boolean expired) {
         this.expired = expired;

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java

@@ -312,9 +312,10 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 
     /**
      * Retrieves the user corresponding to the given credentials from the
-     * database. If the user account is expired, and the credentials contain
+     * database. Note that this function will not enforce any additional
-     * the necessary additional parameters to reset the user's password, the
+     * account restrictions, including explicitly disabled accounts,
-     * password is reset.
+     * scheduling, and password expiration. It is the responsibility of the
+     * caller to enforce such restrictions, if desired.
      *
      * @param authenticationProvider
      *     The AuthenticationProvider on behalf of which the user is being
@@ -342,10 +343,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
         if (userModel == null)
             return null;
 
-        // If user is disabled, pretend user does not exist
-        if (userModel.isDisabled())
-            return null;
-
         // Verify provided password is correct
         byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());
         if (!Arrays.equals(hash, userModel.getPasswordHash()))
@@ -355,14 +352,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
         ModeledUser user = getObjectInstance(null, userModel);
         user.setCurrentUser(new ModeledAuthenticatedUser(authenticationProvider, user, credentials));
 
-        // Verify user account is still valid as of today
-        if (!user.isAccountValid())
-            throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
-
-        // Verify user account is allowed to be used at the current time
-        if (!user.isAccountAccessible())
-            throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-
         // Return now-authenticated user
         return user.getCurrentUser();