From 29b8c2c924418ae13d2fc61b1d3b4111b66796b1 Mon Sep 17 00:00:00 2001
From: Stian Thorgersen
Date: Wed, 14 Jan 2015 10:10:36 +0100
Subject: [PATCH] KEYCLOAK-949 Disabled user with wrong credentials receive wrong error message
---
 .../managers/AuthenticationManager.java | 11 ++--
 .../keycloak/testsuite/forms/LoginTest.java | 56 +++++++++++++++++++
 2 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 4856c02c75..36f2d0c187 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -414,10 +414,6 @@ public class AuthenticationManager {
 return AuthenticationStatus.INVALID_USER;
 }
- if (!user.isEnabled()) {
- return AuthenticationStatus.ACCOUNT_DISABLED;
- }
-
 Set types = new HashSet();
 for (RequiredCredentialModel credential : realm.getRequiredCredentials()) {
@@ -453,6 +449,10 @@ public class AuthenticationManager {
 return AuthenticationStatus.INVALID_CREDENTIALS;
 }
+ if (!user.isEnabled()) {
+ return AuthenticationStatus.ACCOUNT_DISABLED;
+ }
+
 if (user.isTotp() && totp == null) {
 return AuthenticationStatus.MISSING_TOTP;
 }
@@ -471,6 +471,9 @@ public class AuthenticationManager {
 if (!session.users().validCredentials(realm, user, UserCredentialModel.secret(secret))) {
 return AuthenticationStatus.INVALID_CREDENTIALS;
 }
+ if (!user.isEnabled()) {
+ return AuthenticationStatus.ACCOUNT_DISABLED;
+ }
 if (!user.getRequiredActions().isEmpty()) {
 return AuthenticationStatus.ACTIONS_REQUIRED;
 } else {
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
index 0bb825f1f6..3741c30c4a 100755
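Review bot: In the second hunk the new disabled-account check sits between the password check and the TOTP handling, so for a user with `isTotp()` set, a caller who presents only the correct password and no `totp` now receives ACCOUNT_DISABLED instead of MISSING_TOTP; that confirms the password is valid for an account the caller has not fully authenticated to, which is the same class of state disclosure this commit closes for the password-only case. Moving `if (!user.isEnabled()) { return AuthenticationStatus.ACCOUNT_DISABLED; }` below the TOTP verification (the part of it after the `MISSING_TOTP` return lies outside the hunk) would keep "disabled" visible only to a caller holding every required factor. The test added for this change covers a password-only user, so the TOTP ordering is not pinned by a test either. The enclosing method starts and ends outside the hunk.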
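Review bot: The `if (!user.isEnabled())` block added in the third hunk, after the `validCredentials(realm, user, UserCredentialModel.secret(secret))` check, carries no explanation of why it must follow credential validation rather than precede it; the ordering is the whole point of the commit (a caller without a valid secret must not learn that the account is disabled) and an innocent early-return refactor would silently reintroduce the leak. A short comment on the new lines, such as `// Deliberately after credential validation: account state must not be disclosed to a caller without a valid credential (KEYCLOAK-949)`, would protect the ordering; the same note belongs on the identical block in the second hunk. The enclosing method starts and ends outside the hunk.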
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
@@ -118,6 +118,62 @@ public class LoginTest {
 events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials").detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).assertEvent();
 }
+ @Test
+ public void loginInvalidPasswordDisabledUser() {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(false);
+ }
+ });
+
+ try {
+ loginPage.open();
+ loginPage.login("login-test", "invalid");
+
+ loginPage.assertCurrent();
+
+ Assert.assertEquals("Invalid username or password.", loginPage.getError());
+
+ events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials").detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).assertEvent();
+ } finally {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(true);
+ }
+ });
+ }
+ }
+
+ @Test
+ public void loginDisabledUser() {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(false);
+ }
+ });
+
+ try {
+ loginPage.open();
+ loginPage.login("login-test", "password");
+
+ loginPage.assertCurrent();
+
+ Assert.assertEquals("Account is disabled, contact admin", loginPage.getError());
+
+ events.expectLogin().user(userId).session((String) null).error("user_disabled").detail(Details.USERNAME, "login-test").removeDetail(Details.CODE_ID).assertEvent();
+ } finally {
+ keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
+ @Override
+ public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
+ session.users().getUserByUsername("login-test", appRealm).setEnabled(true);
+ }
+ });
+ }
+ }
+
 @Test
 public void loginInvalidUsername() {
 loginPage.open();
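Review bot: The enable/disable setup is written out four times (one `keycloakRule.configure(...)` anonymous class per `try` and per `finally` in each new test), and both tests only exercise a password-only user, so the new ordering in AuthenticationManager between the disabled check and `MISSING_TOTP` — a disabled user with TOTP configured who submits a correct password and no code — has no test pinning it. A small `setUserEnabled(boolean)` helper would reduce each test to the scenario it actually asserts and leaves room for that third case; the `finally` restore is the right pattern and should stay. The hunk's trailing context is the start of `loginInvalidUsername`, whose body continues outside the hunk.
```java
private void setUserEnabled(final boolean enabled) {
    keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
        @Override
        public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
            session.users().getUserByUsername("login-test", appRealm).setEnabled(enabled);
        }
    });
}

@Test
public void loginDisabledUser() {
    setUserEnabled(false);
    try {
        // … unchanged: open login page, submit "password", assert error text and user_disabled event …
    } finally {
        setUserEnabled(true);
    }
}
```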