From jmuehl...@apache.org
Subject [1/2] incubator-guacamole-client git commit: GUACAMOLE-70: Allow access to be restricted to strictly the users in the database.
Date Sun, 13 Nov 2016 01:43:08 GMT
Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master d455dbaae -> 0227ccd96


GUACAMOLE-70: Allow access to be restricted to strictly the users in the database.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/5c800b1d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/5c800b1d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/5c800b1d

Branch: refs/heads/master
Commit: 5c800b1d896cbfa91b44a13a16852c70b6bbbe24
Parents: 9240dd8
Author: Michael Jumper <mjumper@apache.org>
Authored: Wed Aug 3 15:16:12 2016 -0700
Committer: Michael Jumper <mjumper@apache.org>
Committed: Fri Nov 11 17:34:29 2016 -0800

----------------------------------------------------------------------
 .../jdbc/AuthenticationProviderService.java     |  5 ++--
 .../jdbc/JDBCAuthenticationProviderService.java | 26 ++++++++++++++++++--
 .../guacamole/auth/jdbc/JDBCEnvironment.java    | 14 +++++++++++
 .../guacamole/auth/mysql/MySQLEnvironment.java  | 14 +++++++++++
 .../auth/mysql/MySQLGuacamoleProperties.java    | 12 +++++++++
 .../auth/postgresql/PostgreSQLEnvironment.java  | 14 +++++++++++
 .../PostgreSQLGuacamoleProperties.java          | 13 ++++++++++
 7 files changed, 93 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
index 915c417..3989102 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
@@ -60,8 +60,7 @@ public interface AuthenticationProviderService  {
 
     /**
      * Returning a new UserContext instance for the given already-authenticated
-     * user. A new placeholder account will be created for any user that does
-     * not already exist within the database.
+     * user.
      *
      * @param authenticationProvider
      *     The AuthenticationProvider on behalf of which the UserContext is
@@ -72,7 +71,7 @@ public interface AuthenticationProviderService  {
      *
      * @return
      *     A new UserContext instance for the user identified by the given
-     *     credentials.
+     *     credentials, or null if no such user exists within the database.
      *
      * @throws GuacamoleException
      *     If an error occurs during authentication, or if the given
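Review bot: The revised `@return` text says null is returned when no such user exists, but the implementation changed in this same commit (JDBCAuthenticationProviderService) throws GuacamoleInvalidCredentialsException for that case whenever a database account is required. The interface contract should name both outcomes, for example by extending the `@throws` description with `or if no such user exists within the database and database user accounts are required`. The `@throws` block continues past the end of this hunk, so it may need rewording rather than a plain append.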

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 20e2f09..8f98c74 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.jdbc;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
 import org.apache.guacamole.auth.jdbc.user.UserService;
@@ -42,6 +43,12 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsExce
 public class JDBCAuthenticationProviderService implements AuthenticationProviderService 
{
 
     /**
+     * The environment of the Guacamole server.
+     */
+    @Inject
+    private JDBCEnvironment environment;
+
+    /**
      * Service for accessing users.
      */
     @Inject
@@ -73,8 +80,23 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         // Retrieve user account for already-authenticated user
         ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
-        if (user == null)
-            return null;
+        if (user == null) {
+
+            // Do not invalidate the authentication result of users who were
+            // authenticated via our own connection sharing links
+            if (authenticatedUser instanceof SharedAuthenticatedUser)
+                return null;
+
+            // Simply return no data if a database user account is not required
+            if (!environment.isUserRequired())
+                return null;
+
+            // Otherwise, invalidate the authentication result, as database user
+            // accounts are absolutely required
+            throw new GuacamoleInvalidCredentialsException("Invalid login",
+                    CredentialsInfo.USERNAME_PASSWORD);
+
+        }
 
         // Link to user context
         ModeledUserContext context = userContextProvider.get();
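Review bot: The rejection branch throws `GuacamoleInvalidCredentialsException("Invalid login", ...)` without leaving any server-side trace, so an operator cannot distinguish a user who passed the upstream provider but lacks a database account from an ordinary failed password. Keeping the client-facing message generic is right, but a log line just before the throw would make these denials auditable, e.g. `logger.info("Denying \"{}\": authenticated by another provider but no database account exists.", authenticatedUser.getIdentifier());`. This assumes the class has or gains an SLF4J logger, which is not visible in the hunk. The comment on the `SharedAuthenticatedUser` check should also state plainly that share-link sessions are intentionally outside the `isUserRequired()` restriction, since that is the one path that still admits a user with no database account when the setting is on. The enclosing method starts and ends outside the hunk.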

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
index f14bc25..7d014c4 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java
@@ -42,6 +42,20 @@ public abstract class JDBCEnvironment extends LocalEnvironment {
     }
 
     /**
+     * Returns whether a database user account is required for authentication to
+     * succeed, even if another authentication provider has already
+     * authenticated the user.
+     *
+     * @return
+     *     true if database user accounts are required for absolutely all
+     *     authentication attempts, false otherwise.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while retrieving the property.
+     */
+    public abstract boolean isUserRequired() throws GuacamoleException;
+
+    /**
      * Returns the maximum number of concurrent connections to allow overall.
      * As this limit applies globally (independent of which connection is in
      * use or which user is using it), this setting cannot be overridden at the
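Review bot: The Javadoc promises that database accounts are required for "absolutely all authentication attempts", yet the caller in JDBCAuthenticationProviderService returns before consulting this method when the user is a `SharedAuthenticatedUser`. Document the exemption here so administrators relying on the setting are not misled, for example by adding `Users authenticated via connection sharing links are exempt from this requirement.` to the description. Because the method is abstract, any JDBCEnvironment subclass outside this commit would also need an implementation; only the MySQL and PostgreSQL ones are visible on this page.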

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
index 208bf44..27710de 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java
@@ -49,6 +49,12 @@ public class MySQLEnvironment extends JDBCEnvironment {
     private static final int DEFAULT_PORT = 3306;
 
     /**
+     * Whether a database user account is required by default for authentication
+     * to succeed.
+     */
+    private static final boolean DEFAULT_USER_REQUIRED = false;
+
+    /**
      * The default value for the maximum number of connections to be
      * allowed to the Guacamole server overall.
      */
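Review bot: `DEFAULT_USER_REQUIRED = false` makes the restriction opt-in, so a deployment that stacks this extension behind another authentication provider keeps admitting externally authenticated users with no database account unless `mysql-user-required` is set explicitly. The constant's Javadoc should spell that out, e.g. `Defaults to false; set mysql-user-required to true to restrict access to users present in the database.` The same constant and the same `isUserRequired()` body are repeated in PostgreSQLEnvironment further down; holding the default once in JDBCEnvironment would keep the two back ends from drifting apart on a security-relevant setting.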
@@ -168,6 +174,14 @@ public class MySQLEnvironment extends JDBCEnvironment {
     }
 
     @Override
+    public boolean isUserRequired() throws GuacamoleException {
+        return getProperty(
+            MySQLGuacamoleProperties.MYSQL_USER_REQUIRED,
+            DEFAULT_USER_REQUIRED
+        );
+    }
+
+    @Override
     public int getAbsoluteMaxConnections() throws GuacamoleException {
         return getProperty(MySQLGuacamoleProperties.MYSQL_ABSOLUTE_MAX_CONNECTIONS,
             DEFAULT_ABSOLUTE_MAX_CONNECTIONS

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
index 19da1c1..7397f7a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java
@@ -91,6 +91,18 @@ public class MySQLGuacamoleProperties {
     };
 
     /**
+     * Whether a user account within the database is required for authentication
+     * to succeed, even if the user has been authenticated via another
+     * authentication provider.
+     */
+    public static final BooleanGuacamoleProperty MYSQL_USER_REQUIRED = new BooleanGuacamoleProperty()
{
+
+        @Override
+        public String getName() { return "mysql-user-required"; }
+
+    };
+
+    /**
      * Whether or not multiple users accessing the same connection at the same 
      * time should be disallowed.
      */

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
index b50fd79..fe4207a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java
@@ -48,6 +48,12 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
     private static final int DEFAULT_PORT = 5432;
 
     /**
+     * Whether a database user account is required by default for authentication
+     * to succeed.
+     */
+    private static final boolean DEFAULT_USER_REQUIRED = false;
+
+    /**
      * The default value for the maximum number of connections to be
      * allowed to the Guacamole server overall.
      */
@@ -167,6 +173,14 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
     }
 
     @Override
+    public boolean isUserRequired() throws GuacamoleException {
+        return getProperty(
+            PostgreSQLGuacamoleProperties.POSTGRESQL_USER_REQUIRED,
+            DEFAULT_USER_REQUIRED
+        );
+    }
+
+    @Override
     public int getAbsoluteMaxConnections() throws GuacamoleException {
         return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_ABSOLUTE_MAX_CONNECTIONS,
             DEFAULT_ABSOLUTE_MAX_CONNECTIONS

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
index 16b8b8d..e5b516c 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java
@@ -96,6 +96,19 @@ public class PostgreSQLGuacamoleProperties {
     };
 
     /**
+     * Whether a user account within the database is required for authentication
+     * to succeed, even if the user has been authenticated via another
+     * authentication provider.
+     */
+    public static final BooleanGuacamoleProperty
+            POSTGRESQL_USER_REQUIRED = new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "postgresql-user-required"; }
+
+    };
+
+    /**
      * Whether or not multiple users accessing the same connection at the same
      * time should be disallowed.
      */

