GUACAMOLE-2013: There is a typo in the Russian translation in the Guacamole interface "секуны", it needs to be fixed to "секунды".

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java

@@ -84,6 +84,10 @@ public MySQLAuthenticationProviderModule(MySQLEnvironment environment)
         myBatisProperties.setProperty("mybatis.pooled.pingEnabled", "true");
         myBatisProperties.setProperty("mybatis.pooled.pingQuery", "SELECT 1");
 
+        // Set whether public key retrieval from the server is allowed
+        driverProperties.setProperty("allowPublicKeyRetrieval",
+            environment.getMYSQLAllowPublicKeyRetrieval() ? "true" : "false");
+
         // Use UTF-8 in database
         driverProperties.setProperty("characterEncoding", "UTF-8");
 
@@ -121,10 +125,22 @@ public MySQLAuthenticationProviderModule(MySQLEnvironment environment)
         if (clientPassword != null)
             driverProperties.setProperty("clientCertificateKeyStorePassword",
                     clientPassword);
-        
+
         // Get the MySQL-compatible driver to use.
         mysqlDriver = environment.getMySQLDriver();
 
+        // Set the path to the server public key, if any
+        // Note that the property name casing is slightly different for MySQL
+        // and MariaDB drivers. See
+        // https://dev.mysql.com/doc/connector-j/en/connector-j-connp-props-security.html#cj-conn-prop_serverRSAPublicKeyFile
+        // and https://mariadb.com/kb/en/about-mariadb-connector-j/#infrequently-used-parameters
+        String publicKeyFile = environment.getMYSQLServerRSAPublicKeyFile();
+        if (publicKeyFile != null)
+            driverProperties.setProperty(
+                mysqlDriver == MySQLDriver.MYSQL
+                    ? "serverRSAPublicKeyFile" : "serverRsaPublicKeyFile",
+                publicKeyFile);
+
         // If timezone is present, set it.
         TimeZone serverTz = environment.getServerTimeZone();
         if (serverTz != null)

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java

@@ -443,4 +443,35 @@ public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException
         );
     }
 
+    /**
+     * Returns the absolute path to the public key for the server being connected to,
+     * if any, or null if the configuration property is unset.
+     *
+     * @return
+     *     The absolute path to the public key for the server being connected to.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs retrieving the configuration value.
+     */
+    public String getMYSQLServerRSAPublicKeyFile() throws GuacamoleException {
+        return getProperty(MySQLGuacamoleProperties.MYSQL_SERVER_RSA_PUBLIC_KEY_FILE);
+    }
+
+    /**
+     * Returns true if the database server public key should be automatically
+     * retrieved from the MySQL server, or false otherwise.
+     *
+     * @return
+     *     Whether the database server public key should be automatically
+     *     retrieved from the MySQL server.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs retrieving the configuration value.
+     */
+    public boolean getMYSQLAllowPublicKeyRetrieval() throws GuacamoleException {
+        return getProperty(
+                MySQLGuacamoleProperties.MYSQL_ALLOW_PUBLIC_KEY_RETRIEVAL,
+                false);
+    }
+
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java

@@ -302,5 +302,28 @@ private MySQLGuacamoleProperties() {}
         public String getName() { return "mysql-batch-size"; }
 
     };
-
+
+    /**
+     * The absolute path to the public key for the server being connected to, if any.
+     */
+    public static final StringGuacamoleProperty MYSQL_SERVER_RSA_PUBLIC_KEY_FILE =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "mysql-server-rsa-public-key-file"; }
+
+    };
+
+    /**
+     * Whether or not the server public key should be automatically retreived from
+     * the MySQL server.
+     */
+    public static final BooleanGuacamoleProperty MYSQL_ALLOW_PUBLIC_KEY_RETRIEVAL =
+            new BooleanGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "mysql-allow-public-key-retrieval"; }
+
+    };
+
 }

extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/Restrictable.java

@@ -27,6 +27,65 @@
  */
 public interface Restrictable extends Attributes {
 
+    /**
+     * The name of the attribute that contains the absolute date and time after
+     * which this restrictable object may be used. If this attribute is present
+     * access to to this object will be denied at any time prior to the parsed
+     * value of this attribute, regardless of what other restrictions may be
+     * present to allow access to the object at certain days/times of the week
+     * or from certain hosts.
+     */
+    public static final String RESTRICT_TIME_AFTER_ATTRIBUTE_NAME = "guac-restrict-time-after";
+
+    /**
+     * The name of the attribute that contains a list of weekdays and times (UTC)
+     * that this restrictable object can be used. The presence of values within
+     * this attribute will automatically restrict use of the object at any times
+     * that are not specified.
+     */
+    public static final String RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME = "guac-restrict-time-allowed";
+
+    /**
+     * The name of the attribute that contains the absolute date and time before
+     * which use of this restrictable object may be used. If this attribute is
+     * present use of the object will be denied at any time after the parsed
+     * value of this attribute, regardless of the presence of other restrictions
+     * that may allow access at certain days/times of the week or from certain
+     * hosts.
+     */
+    public static final String RESTRICT_TIME_BEFORE_ATTRIBUTE_NAME = "guac-restrict-time-before";
+
+    /**
+     * The name of the attribute that contains a list of weekdays and times (UTC)
+     * that this restrictable object cannot be used. Denied times will always take
+     * precedence over allowed times. The presence of this attribute without
+     * guac-restrict-time-allowed will deny access only during the times listed
+     * in this attribute, allowing access at all other times. The presence of
+     * this attribute along with the guac-restrict-time-allowed attribute will
+     * deny access at any times that overlap with the allowed times.
+     */
+    public static final String RESTRICT_TIME_DENIED_ATTRIBUTE_NAME = "guac-restrict-time-denied";
+
+    /**
+     * The name of the attribute that contains a list of hosts from which this
+     * restrictable object may be used. The presence of this attribute will
+     * restrict use to only users accessing Guacamole from the list of hosts
+     * contained in the attribute, subject to further restriction by the
+     * guac-restrict-hosts-denied attribute.
+     */
+    public static final String RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME = "guac-restrict-hosts-allowed";
+
+    /**
+     * The name of the attribute that contains a list of hosts from which this
+     * restrictable object may not be used. The presence of this attribute,
+     * absent the guac-restrict-hosts-allowed attribute, will allow use from
+     * all hosts except the ones listed in this attribute. The presence of this
+     * attribute coupled with the guac-restrict-hosts-allowed attribute will
+     * block access from any IPs in this list, overriding any that may be
+     * allowed.
+     */
+    public static final String RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME = "guac-restrict-hosts-denied";
+
     /**
      * Return the restriction state for this restrictable object at the
      * current date and time. By default returns an implicit denial.

extensions/guacamole-auth-restrict/src/main/java/org/apache/guacamole/auth/restrict/RestrictionVerificationService.java

@@ -23,14 +23,14 @@
 import inet.ipaddr.HostNameException;
 import inet.ipaddr.IPAddress;
 import java.net.UnknownHostException;
+import java.text.ParseException;
 import java.util.Collection;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.restrict.connection.RestrictedConnection;
-import org.apache.guacamole.auth.restrict.user.RestrictedUser;
-import org.apache.guacamole.auth.restrict.usergroup.RestrictedUserGroup;
+import org.apache.guacamole.auth.restrict.form.DateTimeRestrictionField;
 import org.apache.guacamole.calendar.DailyRestriction;
 import org.apache.guacamole.calendar.RestrictionType;
 import org.apache.guacamole.calendar.TimeRestrictionParser;
@@ -54,6 +54,67 @@ public class RestrictionVerificationService {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(RestrictionVerificationService.class);
 
+    /**
+     * Given the provided strings of an absolute date after which an action is
+     * valid and before which an action is valid, parse the strings into Date
+     * objects and determine if the current date and time falls within the
+     * provided window, returning the appropriate restriction type.
+     * 
+     * @param afterTimeString
+     *     The string that has the date and time value after which the activity
+     *     is allowed.
+     * 
+     * @param beforeTimeString
+     *     The string that has the date and time value before which the activity
+     *     is allowed.
+     * 
+     * @return 
+     *     The RestrictionType that represents the allowed or denied state of
+     *     the activity.
+     */
+    private static RestrictionType allowedByDateTimeRestrictions(
+            String afterTimeString, String beforeTimeString) {
+
+        // Set a default restriction.
+        RestrictionType dateTimeRestriction = RestrictionType.IMPLICIT_ALLOW;
+
+        // Check the after string and make sure that now is after that date.
+        if (afterTimeString != null && !afterTimeString.isEmpty()) {
+            Date now = new Date();
+            try {
+                Date afterTime = DateTimeRestrictionField.parse(afterTimeString);
+                if (now.before(afterTime))
+                    return RestrictionType.EXPLICIT_DENY;
+            }
+            catch (ParseException e) {
+                LOGGER.warn("Failed to parse date and time string: {}:", e.getMessage());
+                LOGGER.debug("Parse exception while parsing date and time string.", e);
+                return RestrictionType.IMPLICIT_DENY;
+            }
+            dateTimeRestriction = RestrictionType.EXPLICIT_ALLOW;
+        }
+
+        // Check the before string and make sure that now is prior to that date.
+        if (beforeTimeString != null && !beforeTimeString.isEmpty()) {
+            Date now = new Date();
+            try {
+                Date beforeTime = DateTimeRestrictionField.parse(beforeTimeString);
+                if (now.after(beforeTime))
+                    return RestrictionType.EXPLICIT_DENY;
+            }
+            catch (ParseException e) {
+                LOGGER.warn("Failed to parse date and time string: {}:", e.getMessage());
+                LOGGER.debug("Parse exception while parsing date and time string.", e);
+                return RestrictionType.IMPLICIT_DENY;
+            }
+            dateTimeRestriction = RestrictionType.EXPLICIT_ALLOW;
+
+        }
+
+        // Return the determined RestrictionType for the given date/time strings.
+        return dateTimeRestriction;
+    }
+
     /**
      * Parse out the provided strings of allowed and denied times, verifying
      * whether or not a login or connection should be allowed at the current
@@ -251,8 +312,8 @@ public static void verifyHostRestrictions(UserContext context,
         Map<String, String> userAttributes = currentUser.getAttributes();
 
         // Verify host-based restrictions specific to the user
-        String allowedHostString = userAttributes.get(RestrictedUser.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
-        String deniedHostString = userAttributes.get(RestrictedUser.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
+        String allowedHostString = userAttributes.get(Restrictable.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
+        String deniedHostString = userAttributes.get(Restrictable.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
         RestrictionType hostRestrictionResult = allowedByHostRestrictions(allowedHostString, deniedHostString, remoteAddress);
 
         switch (hostRestrictionResult) {
@@ -284,8 +345,8 @@ public static void verifyHostRestrictions(UserContext context,
             Map<String, String> grpAttributes = userGroup.getAttributes();
 
             // Pull host-based restrictions for this group and verify
-            String grpAllowedHostString = grpAttributes.get(RestrictedUserGroup.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
-            String grpDeniedHostString = grpAttributes.get(RestrictedUserGroup.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
+            String grpAllowedHostString = grpAttributes.get(Restrictable.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
+            String grpDeniedHostString = grpAttributes.get(Restrictable.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
             RestrictionType grpRestrictionResult = allowedByHostRestrictions(grpAllowedHostString, grpDeniedHostString, remoteAddress);
 
             // Any explicit denials are thrown immediately
@@ -344,8 +405,8 @@ public static void verifyHostRestrictions(Restrictable restrictable,
             String remoteAddress) throws GuacamoleException {
 
         // Verify time-based restrictions specific to this connection.
-        String allowedHostsString = restrictable.getAttributes().get(RestrictedConnection.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
-        String deniedHostsString = restrictable.getAttributes().get(RestrictedConnection.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
+        String allowedHostsString = restrictable.getAttributes().get(Restrictable.RESTRICT_HOSTS_ALLOWED_ATTRIBUTE_NAME);
+        String deniedHostsString = restrictable.getAttributes().get(Restrictable.RESTRICT_HOSTS_DENIED_ATTRIBUTE_NAME);
         RestrictionType hostRestrictionResult = allowedByHostRestrictions(allowedHostsString, deniedHostsString, remoteAddress);
 
         // If the host is not allowed
@@ -393,8 +454,8 @@ public static void verifyTimeRestrictions(UserContext context,
         Map<String, String> userAttributes = currentUser.getAttributes();
 
         // Verify time-based restrictions specific to the user
-        String allowedTimeString = userAttributes.get(RestrictedUser.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
-        String deniedTimeString = userAttributes.get(RestrictedUser.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
+        String allowedTimeString = userAttributes.get(Restrictable.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
+        String deniedTimeString = userAttributes.get(Restrictable.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
         RestrictionType timeRestrictionResult = allowedByTimeRestrictions(allowedTimeString, deniedTimeString);
 
         // Check the time restriction for explicit results.
@@ -426,8 +487,8 @@ public static void verifyTimeRestrictions(UserContext context,
             Map<String, String> grpAttributes = userGroup.getAttributes();
 
             // Pull time-based restrictions for this group and verify
-            String grpAllowedTimeString = grpAttributes.get(RestrictedUserGroup.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
-            String grpDeniedTimeString = grpAttributes.get(RestrictedUserGroup.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
+            String grpAllowedTimeString = grpAttributes.get(Restrictable.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
+            String grpDeniedTimeString = grpAttributes.get(Restrictable.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
             RestrictionType grpRestrictionResult = allowedByTimeRestrictions(grpAllowedTimeString, grpDeniedTimeString);
 
             // An explicit deny results in immediate denial of the login.
@@ -463,6 +524,18 @@ public static void verifyTimeRestrictions(UserContext context,
 
     }
 
+    public static void verifyDateTimeRestrictions(Restrictable restrictable) throws GuacamoleException {
+
+        String afterTimeString = restrictable.getAttributes().get(Restrictable.RESTRICT_TIME_AFTER_ATTRIBUTE_NAME);
+        String beforeTimeString = restrictable.getAttributes().get(Restrictable.RESTRICT_TIME_BEFORE_ATTRIBUTE_NAME);
+        RestrictionType dateRestriction = allowedByDateTimeRestrictions(afterTimeString, beforeTimeString);
+        if (!dateRestriction.isAllowed())
+            throw new TranslatableGuacamoleSecurityException(
+                    "Use of this connection or connection group is not allowed at this time.",
+                    "RESTRICT.ERROR_CONNECTION_NOT_ALLOWED_NOW"
+            );
+    }
+
     /**
      * Verify the time restrictions for the given Connection object, throwing
      * an exception if the connection should not be allowed, or silently
@@ -478,8 +551,8 @@ public static void verifyTimeRestrictions(UserContext context,
     public static void verifyTimeRestrictions(Restrictable restrictable) throws GuacamoleException {
 
         // Verify time-based restrictions specific to this connection.
-        String allowedTimeString = restrictable.getAttributes().get(RestrictedConnection.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
-        String deniedTimeString = restrictable.getAttributes().get(RestrictedConnection.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
+        String allowedTimeString = restrictable.getAttributes().get(Restrictable.RESTRICT_TIME_ALLOWED_ATTRIBUTE_NAME);
+        String deniedTimeString = restrictable.getAttributes().get(Restrictable.RESTRICT_TIME_DENIED_ATTRIBUTE_NAME);
         RestrictionType timeRestriction = allowedByTimeRestrictions(allowedTimeString, deniedTimeString);
         if (!timeRestriction.isAllowed())
             throw new TranslatableGuacamoleSecurityException(
@@ -536,6 +609,7 @@ public static void verifyLoginRestrictions(UserContext context,
      */
     public static void verifyConnectionRestrictions(Restrictable restrictable,
             String remoteAddress) throws GuacamoleException {
+        verifyDateTimeRestrictions(restrictable);
         verifyTimeRestrictions(restrictable);
         verifyHostRestrictions(restrictable, remoteAddress);
     }