From ad697c4fc5d09a21cda0a939b43b8b26ad3850b3 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Thu, 28 Jul 2016 21:42:55 -0700
Subject: [PATCH] GUACAMOLE-5: Establish distinction between the AuthenticationProvider storing a user's data and the AuthenticationProvider which authenticated the user.
---
 .../jdbc/AuthenticationProviderService.java | 8 ++-
 .../jdbc/InjectedAuthenticationProvider.java | 2 +-
 .../JDBCAuthenticationProviderService.java | 4 +-
 .../SharedAuthenticationProviderService.java | 1 +
 .../auth/jdbc/user/AuthenticatedUser.java | 61 +++++++++++++++++--
 .../guacamole/auth/jdbc/user/UserContext.java | 2 +-
 .../guacamole/auth/jdbc/user/UserService.java | 10 ++-
 7 files changed, 75 insertions(+), 13 deletions(-)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
index a821bfa2d..625006bbc 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
@@ -63,6 +63,10 @@ public interface AuthenticationProviderService {
 * user. A new placeholder account will be created for any user that does
 * not already exist within the database.
 *
+ * @param authenticationProvider
+ * The AuthenticationProvider on behalf of which the UserContext is
+ * being produced.
+ *
+ * @param authenticatedUser
 * The credentials to use to produce the UserContext.
 *
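Review bot: The added `@param authenticationProvider` text ("on behalf of which the UserContext is being produced") does not say which role this provider plays, and the rest of the commit depends on exactly that distinction. Judging from `getModelAuthenticationProvider()` added elsewhere in this patch, it appears to be the provider that stores the user's data, which may differ from the one that authenticated them. I would state that here, for example `The AuthenticationProvider whose stored data backs the UserContext; not necessarily the provider that authenticated the user.` The neighbouring `@param authenticatedUser` still reads "The credentials to use", although the argument is an already-authenticated user. The Javadoc block starts and ends outside this hunk.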
@@ -74,7 +78,7 @@ public interface AuthenticationProviderService {
 * If an error occurs during authentication, or if the given
 * credentials are invalid or expired.
 */
- public UserContext getUserContext(AuthenticatedUser authenticatedUser)
- throws GuacamoleException;
+ public UserContext getUserContext(AuthenticationProvider authenticationProvider,
+ AuthenticatedUser authenticatedUser) throws GuacamoleException;
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/InjectedAuthenticationProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/InjectedAuthenticationProvider.java
index cc25e4ac5..e33dcf346 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/InjectedAuthenticationProvider.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/InjectedAuthenticationProvider.java
@@ -90,7 +90,7 @@ public abstract class InjectedAuthenticationProvider implements AuthenticationPr
 @Override
 public UserContext getUserContext(AuthenticatedUser authenticatedUser)
 throws GuacamoleException {
- return authProviderService.getUserContext(authenticatedUser);
+ return authProviderService.getUserContext(this, authenticatedUser);
 }
 @Override
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 07b7382bb..e5743f4a5 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -67,11 +67,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 }
 @Override
- public org.apache.guacamole.net.auth.UserContext getUserContext(
+ public UserContext getUserContext(AuthenticationProvider authenticationProvider,
 AuthenticatedUser authenticatedUser) throws GuacamoleException {
 // Retrieve user account for already-authenticated user
- ModeledUser user = userService.retrieveUser(authenticatedUser);
+ ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
 if (user == null)
 return null;
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/SharedAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/SharedAuthenticationProviderService.java
index 1ca667abb..cd4e6c2aa 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/SharedAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/SharedAuthenticationProviderService.java
@@ -67,6 +67,7 @@ public class SharedAuthenticationProviderService implements AuthenticationProvid
 @Override
 public org.apache.guacamole.net.auth.UserContext getUserContext(
+ AuthenticationProvider authenticationProvider,
 AuthenticatedUser authenticatedUser) throws GuacamoleException {
 // Produce sharing-specific user context if this is the user of a shared connection
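Review bot: In JDBCAuthenticationProviderService, `userService.retrieveUser(authenticationProvider, authenticatedUser)` can now be reached for a user that a different extension authenticated, yet the comment above it still only says "already-authenticated user". `retrieveUser` is not visible in this hunk, so this is a question rather than a finding: if the database account is matched on the username alone, this path trusts whatever identity any installed provider asserts, and account restrictions kept in the database (disabled or expired accounts) would need to be enforced here too. I would record the assumption next to the call, for example `// authenticatedUser may come from another extension; only the stored account is looked up here` (wording to be confirmed against retrieveUser). The method body continues past the end of the hunk.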
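Review bot: In SharedAuthenticationProviderService, the new `authenticationProvider` parameter looks unused: the diffstat lists a single added line for this file, and that line is the parameter itself. If ignoring it is intentional, a short comment such as `// authenticationProvider is not used by the sharing implementation` would stop a later reader from assuming it influences the returned context. This signature also keeps the fully-qualified `org.apache.guacamole.net.auth.UserContext` return type, while JDBCAuthenticationProviderService switched to the short name in the same commit. The method body continues outside the hunk.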
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticatedUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticatedUser.java
index d58c2e316..377606bad 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticatedUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticatedUser.java
@@ -33,10 +33,17 @@ import org.apache.guacamole.net.auth.Credentials;
 public class AuthenticatedUser extends RemoteAuthenticatedUser {
 /**
- * The user that authenticated.
+ * The ModeledUser object which is backed by the data associated with this
+ * user in the database.
 */
 private final ModeledUser user;
+ /**
+ * The AuthenticationProvider that is associated with this user's
+ * corresponding ModeledUser.
+ */
+ private final AuthenticationProvider modelAuthenticationProvider;
+
 /**
 * The connections which have been committed for use by this user in the
 * context of a balancing connection group. Balancing connection groups
@@ -48,15 +55,42 @@ public class AuthenticatedUser extends RemoteAuthenticatedUser {
 private final Set preferredConnections =
 Collections.newSetFromMap(new ConcurrentHashMap());
+ /**
+ * Creates a copy of the given AuthenticatedUser which is associated with
+ * the data stored in the provided ModeledUser. The AuthenticatedUser need
+ * not have come from the same AuthenticationProvider which produced the
+ * given ModeledUser.
+ *
+ * @param authenticatedUser
+ * An existing AuthenticatedUser representing the user that
+ * authenticated.
+ *
+ * @param modelAuthenticationProvider
+ * The AuthenticationProvider that is associated with the given user's
+ * corresponding ModeledUser.
+ *
+ * @param user
+ * A ModeledUser object which is backed by the data associated with
+ * this user in the database.
+ */
+ public AuthenticatedUser(org.apache.guacamole.net.auth.AuthenticatedUser authenticatedUser,
+ AuthenticationProvider modelAuthenticationProvider, ModeledUser user) {
+ super(authenticatedUser.getAuthenticationProvider(), authenticatedUser.getCredentials());
+ this.modelAuthenticationProvider = modelAuthenticationProvider;
+ this.user = user;
+ }
+
 /**
 * Creates a new AuthenticatedUser associating the given user with their
 * corresponding credentials.
 *
 * @param authenticationProvider
- * The AuthenticationProvider that has authenticated the given user.
+ * The AuthenticationProvider that has authenticated the given user
+ * and which produced the given ModeledUser.
 *
 * @param user
- * The user this object should represent.
+ * A ModeledUser object which is backed by the data associated with
+ * this user in the database.
 *
 * @param credentials
 * The credentials given by the user when they authenticated.
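Review bot: The new copy constructor stores `modelAuthenticationProvider` without a null check and dereferences `authenticatedUser` inside the `super(...)` call, while its Javadoc does not say whether null is permitted. Because `UserContext.getAuthenticationProvider()` is changed in this same commit to return `getModelAuthenticationProvider()`, a null passed here would only surface later, far from its cause. I would either document all three arguments as non-null or fail fast after the `super(...)` call, for example `if (modelAuthenticationProvider == null) throw new IllegalArgumentException("modelAuthenticationProvider must not be null");`.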
@@ -64,19 +98,36 @@ public class AuthenticatedUser extends RemoteAuthenticatedUser {
 public AuthenticatedUser(AuthenticationProvider authenticationProvider,
 ModeledUser user, Credentials credentials) {
 super(authenticationProvider, credentials);
+ this.modelAuthenticationProvider = authenticationProvider;
 this.user = user;
 }
 /**
- * Returns the user that authenticated.
+ * Returns a ModeledUser object which is backed by the data associated with
+ * this user within the database.
 *
 * @return
- * The user that authenticated.
+ * A ModeledUser object which is backed by the data associated with
+ * this user in the database.
 */
 public ModeledUser getUser() {
 return user;
 }
+ /**
+ * Returns the AuthenticationProvider which produced the ModeledUser
+ * retrievable via getUser(). This is not necessarily the same as the
+ * AuthenticationProvider which authenticated that user, which can be
+ * retrieved with getAuthenticationProvider().
+ *
+ * @return
+ * The AuthenticationProvider which produced the ModeledUser
+ * retrievable via getUser().
+ */
+ public AuthenticationProvider getModelAuthenticationProvider() {
+ return modelAuthenticationProvider;
+ }
+
 /**
 * Returns whether the connection having the given identifier has been
 * marked as preferred for this user's current Guacamole session. A
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserContext.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserContext.java
index a3c646fa0..a6a1f76e6 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserContext.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserContext.java
@@ -121,7 +121,7 @@ public class UserContext extends RestrictedObject
 @Override
 public AuthenticationProvider getAuthenticationProvider() {
- return getCurrentUser().getAuthenticationProvider();
+ return getCurrentUser().getModelAuthenticationProvider();
 }
 @Override
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 3d5a9e5e1..3727f39fe 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -353,6 +353,10 @@ public class UserService extends ModeledDirectoryObjectService
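Review bot: In UserContext.java, `getAuthenticationProvider()` now reports the provider that owns the stored data instead of the one that authenticated the user, and nothing at the return statement says so. Any caller that used this method to learn how a user logged in, such as audit logging or per-provider policy, would silently get a different answer after this change; whether such callers exist is not visible in the patch. I would add `// Owner of this context's data; the authenticating provider is getCurrentUser().getAuthenticationProvider()` above the return. This note covers the UserContext.java hunk only; the UserService.java hunk that follows is cut off here and was not reviewed.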