Merge pull request #2683 from stianst/KEYCLOAK-2861-master

KEYCLOAK-2861 Test AttackDetectionResource
This commit is contained in:
Stian Thorgersen 2016-04-20 19:36:11 +02:00
commit 0cffa5740d
3 changed files with 146 additions and 0 deletions

View file

@ -0,0 +1,49 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.admin.client.resource;
import org.jboss.resteasy.annotations.cache.NoCache;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import java.util.Map;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public interface AttackDetectionResource {
@GET
@Path("brute-force/usernames/{username}")
@NoCache
@Produces(MediaType.APPLICATION_JSON)
Map<String, Object> bruteForceUserStatus(@PathParam("username") String username);
@Path("brute-force/usernames/{username}")
@DELETE
void clearBruteForceForUser(@PathParam("username") String username);
@Path("brute-force/usernames")
@DELETE
void clearAllBruteForce();
}

View file

@ -154,4 +154,7 @@ public interface RealmResource {
@Consumes(MediaType.APPLICATION_JSON)
AuthenticationManagementResource flows();
@Path("attack-detection")
AttackDetectionResource attackDetection();
}

View file

@ -0,0 +1,94 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.admin;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.junit.Test;
import org.keycloak.admin.client.resource.AttackDetectionResource;
import org.keycloak.common.util.Time;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserBuilder;
import java.util.Map;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public class AttackDetectionResourceTest extends AbstractAdminTest {
@ArquillianResource
private OAuthClient oauthClient;
@Override
public void configureTestRealm(RealmRepresentation testRealm) {
testRealm.setBruteForceProtected(true);
testRealm.setFailureFactor(2);
testRealm.getUsers().add(UserBuilder.create().username("test-user2").password("password").build());
}
@Test
public void test() {
AttackDetectionResource detection = adminClient.realm("test").attackDetection();
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
oauthClient.doLogin("test-user@localhost", "invalid");
oauthClient.doLogin("test-user@localhost", "invalid");
oauthClient.doLogin("test-user@localhost", "invalid");
oauthClient.doLogin("test-user2", "invalid");
oauthClient.doLogin("test-user2", "invalid");
oauthClient.doLogin("nosuchuser", "invalid");
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 3, true, true);
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
assertBruteForce(detection.bruteForceUserStatus("nosuchuser"), 0, false, false);
detection.clearBruteForceForUser("test-user@localhost");
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
detection.clearAllBruteForce();
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 0, false, false);
}
private void assertBruteForce(Map<String, Object> status, Integer expectedNumFailures, Boolean expectedFailure, Boolean expectedDisabled) {
assertEquals(4, status.size());
assertEquals(expectedNumFailures, status.get("numFailures"));
assertEquals(expectedDisabled, status.get("disabled"));
if (expectedFailure) {
assertEquals("127.0.0.1", status.get("lastIPFailure"));
Long lastFailure = (Long) status.get("lastFailure");
assertTrue(lastFailure < (System.currentTimeMillis() + 1) && lastFailure > (System.currentTimeMillis() - 10000));
} else {
assertEquals("n/a", status.get("lastIPFailure"));
assertEquals("0", status.get("lastFailure").toString());
}
}
}