[KEYCLOAK-12253] Fix conditional authenticators are evaluated even if they are disabled (#6553)

2019-11-28 09:30:31 +01:00 · 2019-11-28 09:30:31 +01:00 · 129c689855
commit 129c689855
parent 27b410e772
2 changed files with 32 additions and 0 deletions
--- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java
+++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java
@ -352,6 +352,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow {
        List<AuthenticationExecutionModel> modelList = processor.getRealm().getAuthenticationExecutions(model.getFlowId());
        List<AuthenticationExecutionModel> conditionalAuthenticatorList = modelList.stream()
                .filter(this::isConditionalAuthenticator)
+                .filter(s -> s.isEnabled())
                .collect(Collectors.toList());
        return conditionalAuthenticatorList.isEmpty() || conditionalAuthenticatorList.stream().anyMatch(m-> conditionalNotMatched(m, modelList));
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserFlowTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserFlowTest.java
@ -363,6 +363,37 @@ public class BrowserFlowTest extends AbstractTestRealmKeycloakTest {
        );
    }

+    // A conditional flow with disabled conditional authenticator should automatically be disabled
+    @Test
+    public void testFlowDisabledWhenConditionalAuthenticatorIsDisabled() {
+        try {
+            configureBrowserFlowWithConditionalSubFlowHavingDisabledConditionalAuthenticator("browser - disabled conditional authenticator");
+            // Flow is conditional but it is missing a conditional authentication executor
+            // The whole flow is disabled
+            Assert.assertFalse(needsPassword("user-with-two-configured-otp"));
+        } finally {
+            revertFlows("browser - disabled conditional authenticator");
+        }
+    }
+
+    private void configureBrowserFlowWithConditionalSubFlowHavingDisabledConditionalAuthenticator(String newFlowAlias) {
+        testingClient.server("test").run(session -> FlowUtil.inCurrentRealm(session).copyBrowserFlow(newFlowAlias));
+        testingClient.server("test").run(session -> FlowUtil.inCurrentRealm(session)
+                .selectFlow(newFlowAlias)
+                .inForms(forms -> forms
+                        .clear()
+                        .addAuthenticatorExecution(Requirement.REQUIRED, UsernameFormFactory.PROVIDER_ID)
+                        .addSubFlowExecution(Requirement.CONDITIONAL, subFlow -> {
+                            // Add authenticators to this flow: 1 conditional authenticator and a basic authenticator executions
+                            subFlow.addAuthenticatorExecution(Requirement.DISABLED, ConditionalUserConfiguredAuthenticatorFactory.PROVIDER_ID);
+
+                            // Update the browser forms only with a UsernameForm
+                            subFlow.addAuthenticatorExecution(Requirement.REQUIRED, PasswordFormFactory.PROVIDER_ID);
+                        }))
+                .defineAsBrowserFlow()
+        );
+    }
+
    // Configure a conditional authenticator in a non-conditional sub-flow
    // In such case, the flow is evaluated and the conditional authenticator is considered as disabled
    @Test