GUACAMOLE-284: Reverse structure of restriction enforcement such that the default action is to deny access.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java

@@ -88,7 +88,41 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         // Retrieve user account for already-authenticated user
         ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
-        if (user == null) {
+        if (user != null) {
+
+            // User data only exists for purposes of retrieval if the account
+            // is not disabled
+            UserModel userModel = user.getModel();
+            if (!userModel.isDisabled()) {
+
+                // Apply account restrictions if this extension authenticated
+                // the user OR if an account from this extension is explicitly
+                // required
+                if (authenticatedUser instanceof ModeledAuthenticatedUser
+                        || environment.isUserRequired()) {
+
+                    // Verify user account is still valid as of today
+                    if (!user.isAccountValid())
+                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+
+                    // Verify user account is allowed to be used at the current time
+                    if (!user.isAccountAccessible())
+                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
+
+                    // Update password if password is expired
+                    if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
+                        userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
+                }
+
+                // Link to user context
+                ModeledUserContext context = userContextProvider.get();
+                context.init(user.getCurrentUser());
+                return context;
+
+            }
+
+        }
 
         // Do not invalidate the authentication result of users who were
         // authenticated via our own connection sharing links
@@ -106,37 +140,6 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
     }
 
-        // Apply account restrictions if this extension authenticated the user
-        // OR if an account from this extension is explicitly required
-        UserModel userModel = user.getModel();
-        if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
-
-            // If user is disabled, pretend user does not exist
-            if (userModel.isDisabled())
-                throw new GuacamoleInvalidCredentialsException("Invalid login",
-                        CredentialsInfo.USERNAME_PASSWORD);
-
-            // Verify user account is still valid as of today
-            if (!user.isAccountValid())
-                throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
-
-            // Verify user account is allowed to be used at the current time
-            if (!user.isAccountAccessible())
-                throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-
-        }
-
-        // Update password if password is expired
-        if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
-            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
-
-        // Link to user context
-        ModeledUserContext context = userContextProvider.get();
-        context.init(user.getCurrentUser());
-        return context;
-
-    }
-
     @Override
     public UserContext updateUserContext(AuthenticationProvider authenticationProvider,
             UserContext context, AuthenticatedUser authenticatedUser,