GUACAMOLE-284: Add convenience methods for determining whether a user account is disabled/expired.

2025-09-06 21:27:40 +00:00 · 2017-06-04 14:08:49 -07:00
parent c87ec1bf5d
commit f4fce6a07a
2 changed files with 44 additions and 28 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -28,7 +28,6 @@ import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
 import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -88,40 +87,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
        // Retrieve user account for already-authenticated user
        ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
-        if (user != null) {
+        if (user != null && !user.isDisabled()) {
-            // User data only exists for purposes of retrieval if the account
+            // Apply account restrictions if this extension authenticated
-            // is not disabled
+            // the user OR if an account from this extension is explicitly
-            UserModel userModel = user.getModel();
+            // required
-            if (!userModel.isDisabled()) {
+            if (authenticatedUser instanceof ModeledAuthenticatedUser
                    || environment.isUserRequired()) {
-                // Apply account restrictions if this extension authenticated
+                // Verify user account is still valid as of today
-                // the user OR if an account from this extension is explicitly
+                if (!user.isAccountValid())
-                // required
+                    throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
                if (authenticatedUser instanceof ModeledAuthenticatedUser
                        || environment.isUserRequired()) {
-                    // Verify user account is still valid as of today
+                // Verify user account is allowed to be used at the current time
-                    if (!user.isAccountValid())
+                if (!user.isAccountAccessible())
-                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+                    throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-                    // Verify user account is allowed to be used at the current time
+                // Update password if password is expired
-                    if (!user.isAccountAccessible())
+                if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
-                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
+                    userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
                    // Update password if password is expired
                    if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
                        userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
                }
                // Link to user context
                ModeledUserContext context = userContextProvider.get();
                context.init(user.getCurrentUser());
                return context;
            }
            // Link to user context
            ModeledUserContext context = userContextProvider.get();
            context.init(user.getCurrentUser());
            return context;
        }
        // Do not invalidate the authentication result of users who were
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -766,4 +766,28 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
        return isActive(getAccessWindowStart(), getAccessWindowEnd());
    }
    /**
     * Returns whether the user has been disabled. Disabled users are not
     * allowed to login. Although their account data exists, all login attempts
     * will fail as if the account does not exist.
     *
     * @return
     *     true if the account is disabled, false otherwise.
     */
    public boolean isDisabled() {
        return getModel().isDisabled();
    }
    /**
     * Returns whether the user's password has expired. If a user's password is
     * expired, it must be immediately changed upon login. A user account with
     * an expired password cannot be used until the password has been changed.
     *
     * @return
     *     true if the user's password has expired, false otherwise.
     */
    public boolean isExpired() {
        return getModel().isExpired();
    }
 }