KEYCLOAK-55 Lost credential logic
This commit is contained in:
parent
083dc1721b
commit
27d1a2d547
11 changed files with 346 additions and 55 deletions
|
@ -24,7 +24,6 @@ package org.keycloak.services.email;
|
|||
import java.net.URI;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
|
||||
|
@ -39,7 +38,6 @@ import javax.ws.rs.core.UriBuilder;
|
|||
import javax.ws.rs.core.UriInfo;
|
||||
|
||||
import org.jboss.resteasy.logging.Logger;
|
||||
import org.keycloak.services.managers.AccessCodeEntry;
|
||||
import org.keycloak.services.models.RealmModel;
|
||||
import org.keycloak.services.models.UserModel;
|
||||
import org.keycloak.services.resources.AccountService;
|
||||
|
@ -101,4 +99,25 @@ public class EmailSender {
|
|||
}
|
||||
}
|
||||
|
||||
public void sendPasswordReset(UserModel user, RealmModel realm, String code, UriInfo uriInfo) {
|
||||
UriBuilder builder = Urls.accountBase(uriInfo.getBaseUri()).path(AccountService.class, "passwordPage");
|
||||
for (Entry<String, List<String>> e : uriInfo.getQueryParameters().entrySet()) {
|
||||
builder.queryParam(e.getKey(), e.getValue().toArray());
|
||||
}
|
||||
builder.queryParam("code", code);
|
||||
|
||||
URI uri = builder.build(realm.getId());
|
||||
|
||||
StringBuilder sb = new StringBuilder();
|
||||
sb.append(uri.toString());
|
||||
sb.append("\n");
|
||||
sb.append("Expires in " + TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction()));
|
||||
|
||||
try {
|
||||
send(user.getEmail(), "Reset password link", sb.toString());
|
||||
} catch (Exception e) {
|
||||
log.warn("Failed to send reset password link", e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -212,6 +212,7 @@ public class RealmManager {
|
|||
public UserModel createUser(RealmModel newRealm, UserRepresentation userRep) {
|
||||
UserModel user = newRealm.addUser(userRep.getUsername());
|
||||
user.setStatus(UserModel.Status.valueOf(userRep.getStatus()));
|
||||
user.setEmail(userRep.getEmail());
|
||||
if (userRep.getAttributes() != null) {
|
||||
for (Map.Entry<String, String> entry : userRep.getAttributes().entrySet()) {
|
||||
user.setAttribute(entry.getKey(), entry.getValue());
|
||||
|
|
|
@ -39,8 +39,10 @@ import org.jboss.resteasy.jose.jws.JWSInput;
|
|||
import org.jboss.resteasy.jose.jws.crypto.RSAProvider;
|
||||
import org.jboss.resteasy.spi.HttpRequest;
|
||||
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||
import org.keycloak.services.email.EmailSender;
|
||||
import org.keycloak.services.managers.AccessCodeEntry;
|
||||
import org.keycloak.services.managers.AuthenticationManager;
|
||||
import org.keycloak.services.managers.ResourceAdminManager;
|
||||
import org.keycloak.services.managers.TokenManager;
|
||||
import org.keycloak.services.messages.Messages;
|
||||
import org.keycloak.services.models.RealmModel;
|
||||
|
@ -49,6 +51,7 @@ import org.keycloak.services.models.UserModel;
|
|||
import org.keycloak.services.models.UserModel.RequiredAction;
|
||||
import org.keycloak.services.resources.flows.Flows;
|
||||
import org.keycloak.services.resources.flows.FormFlows;
|
||||
import org.keycloak.services.resources.flows.OAuthFlows;
|
||||
import org.keycloak.services.validation.Validation;
|
||||
import org.picketlink.idm.credential.util.TimeBasedOTP;
|
||||
|
||||
|
@ -253,15 +256,19 @@ public class AccountService {
|
|||
|
||||
String error = null;
|
||||
|
||||
if (Validation.isEmpty(password)) {
|
||||
error = Messages.MISSING_PASSWORD;
|
||||
} else if (Validation.isEmpty(passwordNew)) {
|
||||
if (Validation.isEmpty(passwordNew)) {
|
||||
error = Messages.MISSING_PASSWORD;
|
||||
} else if (!passwordNew.equals(passwordConfirm)) {
|
||||
error = Messages.INVALID_PASSWORD_CONFIRM;
|
||||
}
|
||||
|
||||
if (user.getRequiredActions() == null || !user.getRequiredActions().contains(RequiredAction.RESET_PASSWORD)) {
|
||||
if (Validation.isEmpty(password)) {
|
||||
error = Messages.MISSING_PASSWORD;
|
||||
} else if (!realm.validatePassword(user, password)) {
|
||||
error = Messages.INVALID_PASSWORD_EXISTING;
|
||||
}
|
||||
}
|
||||
|
||||
if (error != null) {
|
||||
return forms.setError(error).forwardToPassword();
|
||||
|
@ -273,12 +280,13 @@ public class AccountService {
|
|||
|
||||
realm.updateCredential(user, credentials);
|
||||
|
||||
Response response = redirectOauth();
|
||||
if (response != null) {
|
||||
return response;
|
||||
} else {
|
||||
return Flows.forms(realm, request, uriInfo).setUser(user).forwardToPassword();
|
||||
}
|
||||
user.removeRequiredAction(RequiredAction.RESET_PASSWORD);
|
||||
user.setStatus(UserModel.Status.ENABLED);
|
||||
|
||||
authManager.expireIdentityCookie(realm, uriInfo);
|
||||
new ResourceAdminManager().singleLogOut(realm, user.getLoginName());
|
||||
|
||||
return Flows.forms(realm, request, uriInfo).forwardToLogin();
|
||||
} else {
|
||||
return Response.status(Status.FORBIDDEN).build();
|
||||
}
|
||||
|
@ -320,7 +328,7 @@ public class AccountService {
|
|||
@Path("password")
|
||||
@GET
|
||||
public Response passwordPage() {
|
||||
UserModel user = getUserFromAuthManager();
|
||||
UserModel user = getUser(RequiredAction.RESET_PASSWORD);
|
||||
if (user != null) {
|
||||
return Flows.forms(realm, request, uriInfo).setUser(user).forwardToPassword();
|
||||
} else {
|
||||
|
@ -328,4 +336,40 @@ public class AccountService {
|
|||
}
|
||||
}
|
||||
|
||||
@Path("password-reset")
|
||||
@GET
|
||||
public Response resetPassword(@QueryParam("username") final String username,
|
||||
@QueryParam("client_id") final String clientId, @QueryParam("scope") final String scopeParam,
|
||||
@QueryParam("state") final String state, @QueryParam("redirect_uri") final String redirect) {
|
||||
|
||||
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
|
||||
|
||||
if (!realm.isEnabled()) {
|
||||
return oauth.forwardToSecurityFailure("Realm not enabled.");
|
||||
}
|
||||
UserModel client = realm.getUser(clientId);
|
||||
if (client == null) {
|
||||
return oauth.forwardToSecurityFailure("Unknown login requester.");
|
||||
}
|
||||
if (!client.isEnabled()) {
|
||||
return oauth.forwardToSecurityFailure("Login requester not enabled.");
|
||||
}
|
||||
|
||||
// String username = formData.getFirst("username");
|
||||
UserModel user = realm.getUser(username);
|
||||
user.addRequiredAction(RequiredAction.RESET_PASSWORD);
|
||||
user.setStatus(UserModel.Status.ACTIONS_REQUIRED);
|
||||
|
||||
AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user);
|
||||
accessCode.setExpiration(System.currentTimeMillis() / 1000 + realm.getAccessCodeLifespanUserAction());
|
||||
|
||||
if (user.getEmail() == null) {
|
||||
return oauth.forwardToSecurityFailure("Email address not set, contact admin");
|
||||
}
|
||||
|
||||
new EmailSender().sendPasswordReset(user, realm, accessCode.getCode(), uriInfo);
|
||||
// TODO Add info message
|
||||
return Flows.forms(realm, request, uriInfo).forwardToLogin();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -21,10 +21,13 @@
|
|||
*/
|
||||
package org.keycloak.testsuite;
|
||||
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.jboss.arquillian.junit.Arquillian;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.keycloak.testsuite.pages.ChangePasswordPage;
|
||||
import org.keycloak.testsuite.pages.UpdateProfilePage;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
|
@ -32,44 +35,52 @@ import org.junit.runner.RunWith;
|
|||
@RunWith(Arquillian.class)
|
||||
public class AccountTest extends AbstractDroneTest {
|
||||
|
||||
@Page
|
||||
protected ChangePasswordPage changePasswordPage;
|
||||
|
||||
@Page
|
||||
protected UpdateProfilePage profilePage;
|
||||
|
||||
@Test
|
||||
public void changePassword() {
|
||||
// registerUser("changePassword", "password");
|
||||
//
|
||||
// browser.open(authServerUrl + "/rest/realms/demo/account/password");
|
||||
// browser.waitForPageToLoad(DEFAULT_WAIT);
|
||||
//
|
||||
// Assert.assertTrue(browser.isTextPresent("Change Password"));
|
||||
//
|
||||
// browser.type("id=password", "password");
|
||||
// browser.type("id=password-new", "newpassword");
|
||||
// browser.type("id=password-confirm", "newpassword");
|
||||
// browser.click("css=input[type=\"submit\"]");
|
||||
// browser.waitForPageToLoad(DEFAULT_WAIT);
|
||||
//
|
||||
// logout();
|
||||
//
|
||||
// login("changePassword", "password", "Invalid username or password");
|
||||
// login("changePassword", "newpassword");
|
||||
appPage.open();
|
||||
loginPage.register();
|
||||
registerPage.register("name", "email", "changePassword", "password", "password");
|
||||
|
||||
changePasswordPage.open();
|
||||
changePasswordPage.changePassword("password", "new-password", "new-password");
|
||||
|
||||
appPage.open();
|
||||
|
||||
Assert.assertTrue(loginPage.isCurrent());
|
||||
|
||||
loginPage.login("changePassword", "password");
|
||||
|
||||
Assert.assertEquals("Invalid username or password", loginPage.getError());
|
||||
|
||||
loginPage.login("changePassword", "new-password");
|
||||
|
||||
Assert.assertTrue(appPage.isCurrent());
|
||||
Assert.assertEquals("changePassword", appPage.getUser());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void changeProfile() {
|
||||
// registerUser("changeProfile", "password");
|
||||
//
|
||||
// browser.open(authServerUrl + "/rest/realms/demo/account");
|
||||
// browser.waitForPageToLoad(DEFAULT_WAIT);
|
||||
//
|
||||
// browser.type("id=firstName", "Newfirst");
|
||||
// browser.type("id=lastName", "Newlast");
|
||||
// browser.type("id=email", "new@email.com");
|
||||
//
|
||||
// browser.click("css=input[type=\"submit\"]");
|
||||
// browser.waitForPageToLoad(DEFAULT_WAIT);
|
||||
//
|
||||
// Assert.assertEquals("Newfirst", browser.getValue("id=firstName"));
|
||||
// Assert.assertEquals("Newlast", browser.getValue("id=lastName"));
|
||||
// Assert.assertEquals("new@email.com", browser.getValue("id=email"));
|
||||
appPage.open();
|
||||
loginPage.register();
|
||||
registerPage.register("first last", "old@email.com", "changeProfile", "password", "password");
|
||||
|
||||
profilePage.open();
|
||||
|
||||
Assert.assertEquals("first", profilePage.getFirstName());
|
||||
Assert.assertEquals("last", profilePage.getLastName());
|
||||
Assert.assertEquals("old@email.com", profilePage.getEmail());
|
||||
|
||||
profilePage.updateProfile("New first", "New last", "new@email.com");
|
||||
|
||||
Assert.assertEquals("New first", profilePage.getFirstName());
|
||||
Assert.assertEquals("New last", profilePage.getLastName());
|
||||
Assert.assertEquals("new@email.com", profilePage.getEmail());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,109 @@
|
|||
/*
|
||||
* JBoss, Home of Professional Open Source.
|
||||
* Copyright 2012, Red Hat, Inc., and individual contributors
|
||||
* as indicated by the @author tags. See the copyright.txt file in the
|
||||
* distribution for a full listing of individual contributors.
|
||||
*
|
||||
* This is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU Lesser General Public License as
|
||||
* published by the Free Software Foundation; either version 2.1 of
|
||||
* the License, or (at your option) any later version.
|
||||
*
|
||||
* This software is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this software; if not, write to the Free
|
||||
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
||||
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
|
||||
*/
|
||||
package org.keycloak.testsuite;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.mail.MessagingException;
|
||||
import javax.mail.internet.MimeMessage;
|
||||
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.jboss.arquillian.junit.Arquillian;
|
||||
import org.jboss.shrinkwrap.api.ShrinkWrap;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.After;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.keycloak.testsuite.pages.ChangePasswordPage;
|
||||
|
||||
import com.icegreen.greenmail.util.GreenMail;
|
||||
import com.icegreen.greenmail.util.ServerSetup;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
@RunWith(Arquillian.class)
|
||||
public class ResetPasswordTest extends AbstractDroneTest {
|
||||
|
||||
@Deployment(name = "properties", testable = false, order = 1)
|
||||
public static WebArchive propertiesDeployment() {
|
||||
return ShrinkWrap.create(WebArchive.class, "properties.war").addClass(SystemPropertiesSetter.class)
|
||||
.addAsWebInfResource("web-properties-email-verfication.xml", "web.xml");
|
||||
}
|
||||
|
||||
private GreenMail greenMail;
|
||||
|
||||
@Page
|
||||
protected ChangePasswordPage changePasswordPage;
|
||||
|
||||
@Before
|
||||
public void before() {
|
||||
ServerSetup setup = new ServerSetup(3025, "localhost", "smtp");
|
||||
|
||||
greenMail = new GreenMail(setup);
|
||||
greenMail.start();
|
||||
}
|
||||
|
||||
@After
|
||||
public void after() {
|
||||
if (greenMail != null) {
|
||||
greenMail.stop();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resetPassword() throws IOException, MessagingException {
|
||||
appPage.open();
|
||||
|
||||
Assert.assertTrue(loginPage.isCurrent());
|
||||
|
||||
String url = browser.getCurrentUrl();
|
||||
url = url.replace("tokens/login", "account/password-reset");
|
||||
url = url + "&username=bburke@redhat.com";
|
||||
|
||||
browser.navigate().to(url);
|
||||
|
||||
MimeMessage message = greenMail.getReceivedMessages()[0];
|
||||
|
||||
String body = (String) message.getContent();
|
||||
String changePasswordUrl = body.split("\n")[0];
|
||||
|
||||
browser.navigate().to(changePasswordUrl.trim());
|
||||
|
||||
changePasswordPage.changePassword("new-password", "new-password");
|
||||
|
||||
Assert.assertTrue(loginPage.isCurrent());
|
||||
|
||||
loginPage.login("bburke@redhat.com", "password");
|
||||
Assert.assertTrue(loginPage.isCurrent());
|
||||
Assert.assertEquals("Invalid username or password", loginPage.getError());
|
||||
|
||||
loginPage.login("bburke@redhat.com", "new-password");
|
||||
|
||||
Assert.assertTrue(appPage.isCurrent());
|
||||
Assert.assertEquals("bburke@redhat.com", appPage.getUser());
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,51 @@
|
|||
package org.keycloak.testsuite.pages;
|
||||
|
||||
import org.jboss.arquillian.drone.api.annotation.Drone;
|
||||
import org.keycloak.testsuite.Constants;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
import org.openqa.selenium.WebElement;
|
||||
import org.openqa.selenium.support.FindBy;
|
||||
|
||||
public class ChangePasswordPage {
|
||||
|
||||
private static String PATH = Constants.AUTH_SERVER_ROOT + "/rest/realms/demo/account/password";
|
||||
|
||||
@Drone
|
||||
private WebDriver browser;
|
||||
|
||||
@FindBy(id = "password")
|
||||
private WebElement passwordInput;
|
||||
|
||||
@FindBy(id = "password-new")
|
||||
private WebElement newPasswordInput;
|
||||
|
||||
@FindBy(id = "password-confirm")
|
||||
private WebElement passwordConfirmInput;
|
||||
|
||||
@FindBy(css = "input[type=\"submit\"]")
|
||||
private WebElement submitButton;
|
||||
|
||||
public void changePassword(String newPassword, String passwordConfirm) {
|
||||
newPasswordInput.sendKeys(newPassword);
|
||||
passwordConfirmInput.sendKeys(passwordConfirm);
|
||||
|
||||
submitButton.click();
|
||||
}
|
||||
|
||||
public void changePassword(String password, String newPassword, String passwordConfirm) {
|
||||
passwordInput.sendKeys(password);
|
||||
newPasswordInput.sendKeys(newPassword);
|
||||
passwordConfirmInput.sendKeys(passwordConfirm);
|
||||
|
||||
submitButton.click();
|
||||
}
|
||||
|
||||
public boolean isCurrent() {
|
||||
return browser.getPageSource().contains("Change Password");
|
||||
}
|
||||
|
||||
public void open() {
|
||||
browser.navigate().to(PATH);
|
||||
}
|
||||
|
||||
}
|
|
@ -26,7 +26,10 @@ public class LoginPage {
|
|||
private WebElement loginErrorMessage;
|
||||
|
||||
public void login(String username, String password) {
|
||||
usernameInput.clear();
|
||||
usernameInput.sendKeys(username);
|
||||
|
||||
passwordInput.clear();
|
||||
passwordInput.sendKeys(password);
|
||||
|
||||
submitButton.click();
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
package org.keycloak.testsuite.pages;
|
||||
|
||||
import org.jboss.arquillian.drone.api.annotation.Drone;
|
||||
import org.keycloak.testsuite.Constants;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
import org.openqa.selenium.WebElement;
|
||||
import org.openqa.selenium.support.FindBy;
|
||||
|
||||
public class UpdateProfilePage {
|
||||
|
||||
private static String PATH = Constants.AUTH_SERVER_ROOT + "/rest/realms/demo/account";
|
||||
|
||||
@Drone
|
||||
private WebDriver browser;
|
||||
|
||||
@FindBy(id = "firstName")
|
||||
private WebElement firstNameInput;
|
||||
|
||||
@FindBy(id = "lastName")
|
||||
private WebElement lastNameInput;
|
||||
|
||||
@FindBy(id = "email")
|
||||
private WebElement emailInput;
|
||||
|
||||
@FindBy(css = "input[type=\"submit\"]")
|
||||
private WebElement submitButton;
|
||||
|
||||
public void updateProfile(String firstName, String lastName, String email) {
|
||||
firstNameInput.clear();
|
||||
firstNameInput.sendKeys(firstName);
|
||||
lastNameInput.clear();
|
||||
lastNameInput.sendKeys(lastName);
|
||||
emailInput.clear();
|
||||
emailInput.sendKeys(email);
|
||||
|
||||
submitButton.click();
|
||||
}
|
||||
|
||||
public String getFirstName() {
|
||||
return firstNameInput.getAttribute("value");
|
||||
}
|
||||
|
||||
public String getLastName() {
|
||||
return lastNameInput.getAttribute("value");
|
||||
}
|
||||
|
||||
public String getEmail() {
|
||||
return emailInput.getAttribute("value");
|
||||
}
|
||||
|
||||
public boolean isCurrent() {
|
||||
return browser.getPageSource().contains("Edit Account");
|
||||
}
|
||||
|
||||
public void open() {
|
||||
browser.navigate().to(PATH);
|
||||
}
|
||||
|
||||
}
|
|
@ -18,9 +18,7 @@
|
|||
{
|
||||
"username" : "bburke@redhat.com",
|
||||
"status": "ENABLED",
|
||||
"attributes" : {
|
||||
"email" : "bburke@redhat.com"
|
||||
},
|
||||
"email" : "bburke@redhat.com",
|
||||
"credentials" : [
|
||||
{ "type" : "password",
|
||||
"value" : "password" }
|
||||
|
|
|
@ -17,9 +17,7 @@
|
|||
{
|
||||
"username" : "bburke@redhat.com",
|
||||
"status": "ENABLED",
|
||||
"attributes" : {
|
||||
"email" : "bburke@redhat.com"
|
||||
},
|
||||
"email" : "bburke@redhat.com",
|
||||
"credentials" : [
|
||||
{ "type" : "password",
|
||||
"value" : "password" }
|
||||
|
|
|
@ -17,9 +17,7 @@
|
|||
{
|
||||
"username" : "bburke@redhat.com",
|
||||
"status": "ENABLED",
|
||||
"attributes" : {
|
||||
"email" : "bburke@redhat.com"
|
||||
},
|
||||
"email" : "bburke@redhat.com",
|
||||
"credentials" : [
|
||||
{ "type" : "password",
|
||||
"value" : "password" }
|
||||
|
|
Loading…
Reference in a new issue