Posted to commits@guacamole.apache.org by jm...@apache.org on 2016/12/06 04:44:23 UTC

[1/2] incubator-guacamole-client git commit: GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to

Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master 32e5c3e68 -> 18565d171


GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to password reset.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/4a1ffbfd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/4a1ffbfd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/4a1ffbfd

Branch: refs/heads/master
Commit: 4a1ffbfdccd0d42e44a164bdbd89176fe1a098ef
Parents: 32e5c3e
Author: Michael Jumper <mj...@apache.org>
Authored: Sat Dec 3 13:39:42 2016 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Mon Dec 5 20:13:59 2016 -0800

----------------------------------------------------------------------
 .../jdbc/JDBCAuthenticationProviderService.java |  6 ++
 .../guacamole/auth/jdbc/user/UserService.java   | 90 ++++++++++++--------
 2 files changed, 62 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 8f98c74..a0d422a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -25,6 +25,7 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
+import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -98,6 +99,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         }
 
+        // Update password if password is expired
+        UserModel userModel = user.getModel();
+        if (userModel.isExpired())
+            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
         // Link to user context
         ModeledUserContext context = userContextProvider.get();
         context.init(user.getCurrentUser());
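Review bot: The call `userService.resetExpiredPassword(user, authenticatedUser.getCredentials())` is gated only on `userModel.isExpired()`, and nothing visible in this hunk ties it to the user having proven knowledge of the current database password. The enclosing method starts and ends outside the hunk, so it is not possible to tell from here whether it can be reached for a user authenticated by a different provider. If it can, an expired flag on the matching database account would let the stored password be replaced without the old one ever being checked. Consider also requiring that this provider performed the authentication, for example by comparing `authenticatedUser.getAuthenticationProvider()` with this provider before the reset, and state that assumption in the comment above the check.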

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 16f25b5..c83d6cb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -319,40 +319,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
         if (!user.isAccountAccessible())
             throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
 
-        // Update password if password is expired
-        if (userModel.isExpired()) {
-
-            // Pull new password from HTTP request
-            HttpServletRequest request = credentials.getRequest();
-            String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
-            String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
-
-            // Require new password if account is expired
-            if (newPassword == null || confirmNewPassword == null) {
-                logger.info("The password of user \"{}\" has expired and must be reset.", username);
-                throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
-            }
-
-            // New password must be different from old password
-            if (newPassword.equals(credentials.getPassword()))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
-
-            // New password must not be blank
-            if (newPassword.isEmpty())
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
-
-            // Confirm that the password was entered correctly twice
-            if (!newPassword.equals(confirmNewPassword))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
-
-            // Change password and reset expiration flag
-            userModel.setExpired(false);
-            user.setPassword(newPassword);
-            userMapper.update(userModel);
-            logger.info("Expired password of user \"{}\" has been reset.", username);
-
-        }
-
         // Return now-authenticated user
         return user.getCurrentUser();
 
@@ -398,4 +364,60 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 
     }
 
+    /**
+     * Resets the password of the given user to the new password specified via
+     * the "new-password" and "confirm-new-password" parameters from the
+     * provided credentials. If these parameters are missing or invalid,
+     * additional credentials will be requested.
+     *
+     * @param user
+     *     The user whose password should be reset.
+     *
+     * @param credentials
+     *     The credentials from which the parameters required for password
+     *     reset should be retrieved.
+     *
+     * @throws GuacamoleException
+     *     If the password reset parameters within the given credentials are
+     *     invalid or missing.
+     */
+    public void resetExpiredPassword(ModeledUser user, Credentials credentials)
+            throws GuacamoleException {
+
+        UserModel userModel = user.getModel();
+
+        // Get username
+        String username = user.getIdentifier();
+
+        // Pull new password from HTTP request
+        HttpServletRequest request = credentials.getRequest();
+        String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
+        String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
+
+        // Require new password if account is expired
+        if (newPassword == null || confirmNewPassword == null) {
+            logger.info("The password of user \"{}\" has expired and must be reset.", username);
+            throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
+        }
+
+        // New password must be different from old password
+        if (newPassword.equals(credentials.getPassword()))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
+
+        // New password must not be blank
+        if (newPassword.isEmpty())
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
+
+        // Confirm that the password was entered correctly twice
+        if (!newPassword.equals(confirmNewPassword))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
+
+        // Change password and reset expiration flag
+        userModel.setExpired(false);
+        user.setPassword(newPassword);
+        userMapper.update(userModel);
+        logger.info("Expired password of user \"{}\" has been reset.", username);
+
+    }
+
 }
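Review bot: `resetExpiredPassword` is public but never checks the expiry flag itself, so its safety rests on every caller testing `userModel.isExpired()` first. A guard such as `if (!userModel.isExpired()) return;` right after `user.getModel()` would keep the password change tied to the expired state. `credentials.getRequest()` is also dereferenced without a null check, so credentials not backed by an HTTP request would surface as a NullPointerException rather than the `LOGIN.INFO_PASSWORD_EXPIRED` prompt; treating a null request like missing parameters avoids that. The Javadoc could also state that the caller must already have verified the user's current password, since this method only compares the new password with `credentials.getPassword()`.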


[2/2] incubator-guacamole-client git commit: GUACAMOLE-136: Merge password reset flow fix for 2FA.

Posted by jm...@apache.org.
GUACAMOLE-136: Merge password reset flow fix for 2FA.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/18565d17
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/18565d17
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/18565d17

Branch: refs/heads/master
Commit: 18565d171e26d700b126f56bbf73950c57638096
Parents: 32e5c3e 4a1ffbf
Author: James Muehlner <ja...@guac-dev.org>
Authored: Mon Dec 5 20:43:39 2016 -0800
Committer: James Muehlner <ja...@guac-dev.org>
Committed: Mon Dec 5 20:43:39 2016 -0800

----------------------------------------------------------------------
 .../jdbc/JDBCAuthenticationProviderService.java |  6 ++
 .../guacamole/auth/jdbc/user/UserService.java   | 90 ++++++++++++--------
 2 files changed, 62 insertions(+), 34 deletions(-)
----------------------------------------------------------------------