From: jmuehlner@apache.org
To: commits@guacamole.incubator.apache.org
Date: Sun, 13 Nov 2016 01:43:08 -0000
Message-Id: <8b43febd38dc4e00900cabae4975b24b@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [1/2] incubator-guacamole-client git commit: GUACAMOLE-70: Allow access to be restricted to strictly the users in the database.
archived-at: Sun, 13 Nov 2016 01:43:13 -0000

Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master d455dbaae -> 0227ccd96

GUACAMOLE-70: Allow access to be restricted to strictly the users in the database.

Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/5c800b1d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/5c800b1d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/5c800b1d

Branch: refs/heads/master
Commit: 5c800b1d896cbfa91b44a13a16852c70b6bbbe24
Parents: 9240dd8
Author: Michael Jumper
Authored: Wed Aug 3 15:16:12 2016 -0700
Committer: Michael Jumper
Committed: Fri Nov 11 17:34:29 2016 -0800

----------------------------------------------------------------------
 .../jdbc/AuthenticationProviderService.java     |  5 ++--
 .../jdbc/JDBCAuthenticationProviderService.java | 26 ++++++++++++++++++--
 .../guacamole/auth/jdbc/JDBCEnvironment.java    | 14 +++++++++++
 .../guacamole/auth/mysql/MySQLEnvironment.java  | 14 +++++++++++
 .../auth/mysql/MySQLGuacamoleProperties.java    | 12 +++++++++
 .../auth/postgresql/PostgreSQLEnvironment.java  | 14 +++++++++++
 .../PostgreSQLGuacamoleProperties.java          | 13 ++++++++++
 7 files changed, 93 insertions(+), 5 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java
---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java index 915c417..3989102 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/AuthenticationProviderService.java @@ -60,8 +60,7 @@ public interface AuthenticationProviderService { /** * Returning a new UserContext instance for the given already-authenticated - * user. A new placeholder account will be created for any user that does - * not already exist within the database. + * user. * * @param authenticationProvider * The AuthenticationProvider on behalf of which the UserContext is @@ -72,7 +71,7 @@ public interface AuthenticationProviderService { * * @return * A new UserContext instance for the user identified by the given - * credentials. + * credentials, or null if no such user exists within the database. * * @throws GuacamoleException * If an error occurs during authentication, or if the given http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java ---------------------------------------------------------------------- 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java index 20e2f09..8f98c74 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java @@ -22,6 +22,7 @@ package org.apache.guacamole.auth.jdbc; import com.google.inject.Inject; import com.google.inject.Provider; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser; import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.auth.jdbc.user.ModeledUserContext; import org.apache.guacamole.auth.jdbc.user.UserService; @@ -42,6 +43,12 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsExce public class JDBCAuthenticationProviderService implements AuthenticationProviderService { /** + * The environment of the Guacamole server. + */ + @Inject + private JDBCEnvironment environment; + + /** * Service for accessing users. */ @Inject 
@@ -73,8 +80,23 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider // Retrieve user account for already-authenticated user ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser); - if (user == null) - return null; + if (user == null) { + + // Do not invalidate the authentication result of users who were + // authenticated via our own connection sharing links + if (authenticatedUser instanceof SharedAuthenticatedUser) + return null; + + // Simply return no data if a database user account is not required + if (!environment.isUserRequired()) + return null; + + // Otherwise, invalidate the authentication result, as database user + // accounts are absolutely required + throw new GuacamoleInvalidCredentialsException("Invalid login", + CredentialsInfo.USERNAME_PASSWORD); + + } // Link to user context ModeledUserContext context = userContextProvider.get(); http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java index f14bc25..7d014c4 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java 
@@ -42,6 +42,20 @@ public abstract class JDBCEnvironment extends LocalEnvironment { } /** + * Returns whether a database user account is required for authentication to + * succeed, even if another authentication provider has already + * authenticated the user. + * + * @return + * true if database user accounts are required for absolutely all + * authentication attempts, false otherwise. + * + * @throws GuacamoleException + * If an error occurs while retrieving the property. + */ + public abstract boolean isUserRequired() throws GuacamoleException; + + /** * Returns the maximum number of concurrent connections to allow overall. * As this limit applies globally (independent of which connection is in * use or which user is using it), this setting cannot be overridden at the http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java index 208bf44..27710de 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLEnvironment.java 
@@ -49,6 +49,12 @@ public class MySQLEnvironment extends JDBCEnvironment { private static final int DEFAULT_PORT = 3306; /** + * Whether a database user account is required by default for authentication + * to succeed. + */ + private static final boolean DEFAULT_USER_REQUIRED = false; + + /** * The default value for the maximum number of connections to be * allowed to the Guacamole server overall. */ @@ -168,6 +174,14 @@ public class MySQLEnvironment extends JDBCEnvironment { } @Override + public boolean isUserRequired() throws GuacamoleException { + return getProperty( + MySQLGuacamoleProperties.MYSQL_USER_REQUIRED, + DEFAULT_USER_REQUIRED + ); + } + + @Override public int getAbsoluteMaxConnections() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_ABSOLUTE_MAX_CONNECTIONS, DEFAULT_ABSOLUTE_MAX_CONNECTIONS http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java index 19da1c1..7397f7a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLGuacamoleProperties.java 
@@ -91,6 +91,18 @@ public class MySQLGuacamoleProperties { }; /** + * Whether a user account within the database is required for authentication + * to succeed, even if the user has been authenticated via another + * authentication provider. + */ + public static final BooleanGuacamoleProperty MYSQL_USER_REQUIRED = new BooleanGuacamoleProperty() { + + @Override + public String getName() { return "mysql-user-required"; } + + }; + + /** * Whether or not multiple users accessing the same connection at the same * time should be disallowed. */ http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java index b50fd79..fe4207a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLEnvironment.java @@ -48,6 +48,12 @@ public class PostgreSQLEnvironment extends JDBCEnvironment { private static final int DEFAULT_PORT = 5432; /** + * Whether a database user account is required by default for authentication + * to succeed. + */ + private static final boolean DEFAULT_USER_REQUIRED = false; + + /** * The default value for the maximum number of connections to be * allowed to the Guacamole server overall. */ 
@@ -167,6 +173,14 @@ public class PostgreSQLEnvironment extends JDBCEnvironment { } @Override + public boolean isUserRequired() throws GuacamoleException { + return getProperty( + PostgreSQLGuacamoleProperties.POSTGRESQL_USER_REQUIRED, + DEFAULT_USER_REQUIRED + ); + } + + @Override public int getAbsoluteMaxConnections() throws GuacamoleException { return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_ABSOLUTE_MAX_CONNECTIONS, DEFAULT_ABSOLUTE_MAX_CONNECTIONS http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/5c800b1d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java index 16b8b8d..e5b516c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/PostgreSQLGuacamoleProperties.java 
@@ -96,6 +96,19 @@ public class PostgreSQLGuacamoleProperties { }; /** + * Whether a user account within the database is required for authentication + * to succeed, even if the user has been authenticated via another + * authentication provider. + */ + public static final BooleanGuacamoleProperty + POSTGRESQL_USER_REQUIRED = new BooleanGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-user-required"; } + + }; + + /** * Whether or not multiple users accessing the same connection at the same * time should be disallowed. */
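Review bot: in the AuthenticationProviderService.java hunk, the `@return` Javadoc now documents the null case ("or null if no such user exists within the database"), but the `@throws GuacamoleException` clause directly below it is not updated for the new failure mode introduced in JDBCAuthenticationProviderService: when `isUserRequired()` is true and no database account exists, `getUserContext` throws `GuacamoleInvalidCredentialsException` rather than returning null. Suggest adding a sentence to the `@throws` clause so implementers and callers of the interface know that an unknown user can invalidate the whole authentication result, not just yield no data.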
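Review bot: in the JDBCAuthenticationProviderService.java hunk, the `if (user == null)` block exempts `SharedAuthenticatedUser` before `environment.isUserRequired()` is consulted, so the "user required" setting never applies to sessions created through connection sharing links; that is clearly deliberate (the comment says so), but it is a policy exception that should be stated in the `isUserRequired()` and property Javadoc rather than only in an inline comment here. The generic "Invalid login" message with `CredentialsInfo.USERNAME_PASSWORD` is the right choice for the rejection path, since it does not disclose whether the database knows the account.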
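Review bot: in the JDBCEnvironment.java hunk, the `@return` text for `isUserRequired()` says accounts are required "for absolutely all authentication attempts", which overstates what the caller enforces: JDBCAuthenticationProviderService returns null for `SharedAuthenticatedUser` without checking this flag. Suggest wording along the lines of "all authentication attempts other than those originating from connection sharing links" so the contract matches the behaviour.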
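Review bot: in the MySQLEnvironment.java and PostgreSQLEnvironment.java hunks, `private static final boolean DEFAULT_USER_REQUIRED = false;` and the `isUserRequired()` override are duplicated verbatim in both subclasses; the default could be a single protected constant on JDBCEnvironment so the two backends cannot drift apart on this security-relevant setting. Defaulting to false keeps existing deployments working unchanged, which is appropriate, but the Javadoc for `mysql-user-required` and `postgresql-user-required` in the properties hunks should state that default so administrators know the stricter behaviour is opt-in.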