Merge pull request #2683 from stianst/KEYCLOAK-2861-master
KEYCLOAK-2861 Test AttackDetectionResource
This commit is contained in:
commit
0cffa5740d
3 changed files with 146 additions and 0 deletions
|
@ -0,0 +1,49 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.admin.client.resource;
|
||||
|
||||
import org.jboss.resteasy.annotations.cache.NoCache;
|
||||
|
||||
import javax.ws.rs.DELETE;
|
||||
import javax.ws.rs.GET;
|
||||
import javax.ws.rs.Path;
|
||||
import javax.ws.rs.PathParam;
|
||||
import javax.ws.rs.Produces;
|
||||
import javax.ws.rs.core.MediaType;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public interface AttackDetectionResource {
|
||||
|
||||
@GET
|
||||
@Path("brute-force/usernames/{username}")
|
||||
@NoCache
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
Map<String, Object> bruteForceUserStatus(@PathParam("username") String username);
|
||||
|
||||
@Path("brute-force/usernames/{username}")
|
||||
@DELETE
|
||||
void clearBruteForceForUser(@PathParam("username") String username);
|
||||
|
||||
@Path("brute-force/usernames")
|
||||
@DELETE
|
||||
void clearAllBruteForce();
|
||||
|
||||
}
|
|
@ -154,4 +154,7 @@ public interface RealmResource {
|
|||
@Consumes(MediaType.APPLICATION_JSON)
|
||||
AuthenticationManagementResource flows();
|
||||
|
||||
@Path("attack-detection")
|
||||
AttackDetectionResource attackDetection();
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.admin;
|
||||
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.jboss.arquillian.test.api.ArquillianResource;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.AttackDetectionResource;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.testsuite.pages.LoginPage;
|
||||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.UserBuilder;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public class AttackDetectionResourceTest extends AbstractAdminTest {
|
||||
|
||||
@ArquillianResource
|
||||
private OAuthClient oauthClient;
|
||||
|
||||
@Override
|
||||
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||
testRealm.setBruteForceProtected(true);
|
||||
testRealm.setFailureFactor(2);
|
||||
|
||||
testRealm.getUsers().add(UserBuilder.create().username("test-user2").password("password").build());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void test() {
|
||||
AttackDetectionResource detection = adminClient.realm("test").attackDetection();
|
||||
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||
|
||||
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||
|
||||
oauthClient.doLogin("test-user2", "invalid");
|
||||
oauthClient.doLogin("test-user2", "invalid");
|
||||
oauthClient.doLogin("nosuchuser", "invalid");
|
||||
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 3, true, true);
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
|
||||
assertBruteForce(detection.bruteForceUserStatus("nosuchuser"), 0, false, false);
|
||||
|
||||
detection.clearBruteForceForUser("test-user@localhost");
|
||||
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
|
||||
|
||||
detection.clearAllBruteForce();
|
||||
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 0, false, false);
|
||||
}
|
||||
|
||||
private void assertBruteForce(Map<String, Object> status, Integer expectedNumFailures, Boolean expectedFailure, Boolean expectedDisabled) {
|
||||
assertEquals(4, status.size());
|
||||
assertEquals(expectedNumFailures, status.get("numFailures"));
|
||||
assertEquals(expectedDisabled, status.get("disabled"));
|
||||
if (expectedFailure) {
|
||||
assertEquals("127.0.0.1", status.get("lastIPFailure"));
|
||||
Long lastFailure = (Long) status.get("lastFailure");
|
||||
assertTrue(lastFailure < (System.currentTimeMillis() + 1) && lastFailure > (System.currentTimeMillis() - 10000));
|
||||
} else {
|
||||
assertEquals("n/a", status.get("lastIPFailure"));
|
||||
assertEquals("0", status.get("lastFailure").toString());
|
||||
}
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in a new issue