safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-284: Reverse structure of restriction enforcement such that the default action is to deny access.

Browse Source
This commit is contained in:
Michael Jumper
2017-06-04 14:04:56 -07:00
parent 0eef629a9d
commit c87ec1bf5d
1 changed files with 41 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
View File

@@ -88,52 +88,55 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
if (user == null) {
if (user != null) {
// Do not invalidate the authentication result of users who were
// authenticated via our own connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// User data only exists for purposes of retrieval if the account
// is not disabled
UserModel userModel = user.getModel();
if (!userModel.isDisabled()) {
// Simply return no data if a database user account is not required
if (!environment.isUserRequired())
return null;
// Apply account restrictions if this extension authenticated
// the user OR if an account from this extension is explicitly
// required
if (authenticatedUser instanceof ModeledAuthenticatedUser
|| environment.isUserRequired()) {
// Otherwise, invalidate the authentication result, as database user
// accounts are absolutely required
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
// Update password if password is expired
if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
}
// Link to user context
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
}
}
// Apply account restrictions if this extension authenticated the user
// OR if an account from this extension is explicitly required
UserModel userModel = user.getModel();
if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
// Do not invalidate the authentication result of users who were
// authenticated via our own connection sharing links
if (authenticatedUser instanceof SharedAuthenticatedUser)
return null;
// If user is disabled, pretend user does not exist
if (userModel.isDisabled())
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
// Simply return no data if a database user account is not required
if (!environment.isUserRequired())
return null;
// Verify user account is still valid as of today
if (!user.isAccountValid())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
// Verify user account is allowed to be used at the current time
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
}
// Update password if password is expired
if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
// Link to user context
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
// Otherwise, invalidate the authentication result, as database user
// accounts are absolutely required
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
}