GUACAMOLE-36: Record and maintain password history.

2025-10-31 00:53:21 +00:00 · 2016-08-22 22:06:44 -07:00
parent ae695ef17b
commit a943077d40
7 changed files with 111 additions and 2 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLPasswordPolicy.java
@@ -71,6 +71,19 @@ public class MySQLPasswordPolicy implements PasswordPolicy {

    };

+    /**
+     * The property which specifies the number of previous passwords remembered
+     * for each user. If set to zero, the default, then this restriction does
+     * not apply.
+     */
+    private static final IntegerGuacamoleProperty HISTORY_SIZE =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "mysql-user-password-history-size"; }
+
+    };
+
    /**
     * The property which specifies whether all user passwords must have at
     * least one lowercase character and one uppercase character. By default,
@@ -155,6 +168,11 @@ public class MySQLPasswordPolicy implements PasswordPolicy {
        return environment.getProperty(MAX_AGE, 0);
    }

+    @Override
+    public int getHistorySize() throws GuacamoleException {
+        return environment.getProperty(HISTORY_SIZE, 0);
+    }
+
    @Override
    public boolean isMultipleCaseRequired() throws GuacamoleException {
        return environment.getProperty(REQUIRE_MULTIPLE_CASE, false);
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
@@ -63,7 +63,19 @@
            #{record.passwordHash,jdbcType=BINARY},
            #{record.passwordSalt,jdbcType=BINARY},
            #{record.passwordDate,jdbcType=TIMESTAMP}
-        )
+        );
+
+        DELETE FROM guacamole_user_password_history
+        WHERE password_history_id <= (
+            SELECT password_history_id
+            FROM (
+                SELECT password_history_id
+                FROM guacamole_user_password_history
+                WHERE user_id = #{record.userID,jdbcType=INTEGER}
+                ORDER BY password_date DESC
+                LIMIT 1 OFFSET #{maxHistorySize}
+            ) old_password_record
+        );

    </insert>