Merge pull request #962 from mposolda/master

KEYCLOAK-1036 Don't allow registration through identity brokering in cas...
This commit is contained in:
Marek Posolda 2015-02-10 17:05:53 +01:00
commit 35628174b0
5 changed files with 63 additions and 7 deletions

View file

@ -35,7 +35,9 @@ public interface Errors {
String NOT_ALLOWED = "not_allowed"; String NOT_ALLOWED = "not_allowed";
String IDENTITY_PROVIDER_NOT_FOUND = "identity_provider_not_found"; String IDENTITY_PROVIDER_NOT_FOUND = "identity_provider_not_found";
String SOCIAL_ID_IN_USE = "social_id_in_use"; String FEDERATED_IDENTITY_EMAIL_EXISTS = "federated_identity_email_exists";
String FEDERATED_IDENTITY_USERNAME_EXISTS = "federated_identity_username_exists";
String FEDERATED_IDENTITY_DISABLED_REGISTRATION = "federated_identity_disabled_registration";
String SSL_REQUIRED = "ssl_required"; String SSL_REQUIRED = "ssl_required";
String USER_SESSION_NOT_FOUND = "user_session_not_found"; String USER_SESSION_NOT_FOUND = "user_session_not_found";

View file

@ -55,6 +55,7 @@ emailExists=Email already exists
federatedIdentityEmailExists=User with email already exists. Please login to account management to link the account. federatedIdentityEmailExists=User with email already exists. Please login to account management to link the account.
federatedIdentityUsernameExists=User with username already exists. Please login to account management to link the account. federatedIdentityUsernameExists=User with username already exists. Please login to account management to link the account.
federatedIdentityDisabledRegistration=Registration of new users is not allowed. Please ask admin to register you and login to account management to link the account.
loginTitle=Log in to loginTitle=Log in to
loginOauthTitle=Temporary access. loginOauthTitle=Temporary access.

View file

@ -340,15 +340,28 @@ public class AuthenticationBrokerResource {
if (federatedUser == null) { if (federatedUser == null) {
UserModel existingUser = session.users().getUserByEmail(updatedIdentity.getEmail(), realm); String errorMessage = null;
String errorMessage = "federatedIdentityEmailExists";
if (existingUser == null) { // Check if no user already exists with this username or email
UserModel existingUser = session.users().getUserByEmail(updatedIdentity.getEmail(), realm);
if (existingUser != null) {
event.error(Errors.FEDERATED_IDENTITY_EMAIL_EXISTS);
errorMessage = "federatedIdentityEmailExists";
} else {
existingUser = session.users().getUserByUsername(updatedIdentity.getUsername(), realm); existingUser = session.users().getUserByUsername(updatedIdentity.getUsername(), realm);
errorMessage = "federatedIdentityUsernameExists"; if (existingUser != null) {
event.error(Errors.FEDERATED_IDENTITY_USERNAME_EXISTS);
errorMessage = "federatedIdentityUsernameExists";
}
} }
if (existingUser == null) { // Check if realm registration is allowed
if (!realm.isRegistrationAllowed()) {
event.error(Errors.FEDERATED_IDENTITY_DISABLED_REGISTRATION);
errorMessage = "federatedIdentityDisabledRegistration";
}
if (errorMessage == null) {
logger.debug("Creating user " + updatedIdentity.getUsername() + " and linking to federation provider " + providerId); logger.debug("Creating user " + updatedIdentity.getUsername() + " and linking to federation provider " + providerId);
federatedUser = session.users().addUser(realm, updatedIdentity.getUsername()); federatedUser = session.users().addUser(realm, updatedIdentity.getUsername());
federatedUser.setEnabled(true); federatedUser.setEnabled(true);

View file

@ -232,11 +232,50 @@ public abstract class AbstractIdentityProviderTest {
accountFederatedIdentityPage.logout(); accountFederatedIdentityPage.logout();
assertTrue(driver.getTitle().equals("Log in to realm-with-broker")); assertTrue(driver.getTitle().equals("Log in to realm-with-broker"));
// Assert I am logged immediately to account management // Assert I am logged immediately to account management due to previously linked "test-user" identity
loginPage.clickSocial(identityProviderModel.getId()); loginPage.clickSocial(identityProviderModel.getId());
doAfterProviderAuthentication(); doAfterProviderAuthentication();
assertTrue(accountFederatedIdentityPage.isCurrent()); assertTrue(accountFederatedIdentityPage.isCurrent());
assertTrue(driver.getPageSource().contains("id=\"remove-" + identityProviderModel.getId() + "\"")); assertTrue(driver.getPageSource().contains("id=\"remove-" + identityProviderModel.getId() + "\""));
// Unlink my "test-user"
accountFederatedIdentityPage.clickRemoveProvider(identityProviderModel.getId());
assertTrue(driver.getPageSource().contains("id=\"add-" + identityProviderModel.getId() + "\""));
// Logout from account management
accountFederatedIdentityPage.logout();
assertTrue(driver.getTitle().equals("Log in to realm-with-broker"));
// Try to login. Previous link is not valid anymore, so now it should try to register new user
this.loginPage.clickSocial(identityProviderModel.getId());
doAfterProviderAuthentication();
this.updateProfilePage.assertCurrent();
}
@Test
public void testDisabledRegistration() {
// Disable registration in realm
getRealm().setRegistrationAllowed(false);
brokerServerRule.stopSession(this.session, true);
this.session = brokerServerRule.startSession();
// Login with identity provider
this.driver.navigate().to("http://localhost:8081/test-app/");
assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/login"));
this.loginPage.clickSocial(getProviderId());
assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8082/auth/"));
this.loginPage.login("test-user", "password");
doAfterProviderAuthentication();
WebElement element = this.driver.findElement(By.className("kc-feedback-text"));
assertNotNull(element);
assertEquals("Registration of new users is not allowed. Please ask admin to register you and login to account management to link the account.", element.getText());
// Re-enable registration in realm
getRealm().setRegistrationAllowed(true);
brokerServerRule.stopSession(this.session, true);
this.session = brokerServerRule.startSession();
} }
@Test(expected = NoSuchElementException.class) @Test(expected = NoSuchElementException.class)

View file

@ -4,6 +4,7 @@
"enabled": true, "enabled": true,
"requiredCredentials": [ "password" ], "requiredCredentials": [ "password" ],
"resetPasswordAllowed": true, "resetPasswordAllowed": true,
"registrationAllowed": true,
"defaultRoles": [ "manager" ], "defaultRoles": [ "manager" ],
"privateKey": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCCPyvTTb14vSMkpe/pds2P5Cqxk7bkeFnQiNMS1vyZ+HS2O79fxzp1eAguHnBTs4XTRT7SZJhIT/6utgqZjmDigKV5N7X5ptq8BM/W1qa1cYBRip261pc+tWf3IywJYQ9yFI9mUQarmIEl0D7GH16NSZklheaWfbodRVarvX+ML0amNtGYVDft/RftYmgbKKrK218qQp9R4GZFtf/Q/RmboNXN7weMINU8GWVkTRrccKBIXSunT6zXGfuj3Wp1YpVq20BWwY2OMM/P+yDAc7LKEO1LJqPBdT4r9BRn2lXiaga3AL24gTKZPKU/tu7uqfFciF+i4Rr58SMDNOzQcnklAgMBAAECggEAc0eibJYEO5d8QXW1kPgcHV2gBChv2mxDYnWYDLbIQSdNdfYP/qABt/MTmm5KkWr16fcCEYoD1w0mqFBrtVn1msSusUmEAYGTXJMNumOmjjX1kzaTQMmqeFBrwqwYz/xehWR5P+A7fSmwNV3KEeW19GvN5w5K96w0TLAQdFV3TQVPSytusDunwuR1yltMe1voaEDZ9z0Pi08YiEk2f6xhj5CMkoiw3mNImzfruphHullxU4FD05fH6tDeJ381527ILpAzDsgYZh4aFLKjUHem96bX4EL7FIzBJ6okgN78AZnUC/EaVfgFTw0qfhoWvZV4ruVXXiMhCg4CMMRDq/k9iQKBgQDBNWsJMT84OnnWmQoJmZogkFV+tsGrSK6Re+aJxLWpishh7dwAnT2OcagZvVdUb0FwNWu1D0B9/SKDDMRnnHBhOGDpH57m/eQdRU0oX1BD27xvffk0lLcfD4BTxnR5e9jss8K4twc9jf0P1rxC/loGJ2NtCH0BrPHgz54Ea+96ewKBgQCsk3JDaaPnFwzVYm2BXlhxOxLPsF4wvD2rIRAswZV4C5xebjand8nwiMmVpNd0PRLkEnkI+waURGv2EY/P3JsssoiY8Xqe8f/1G+SQKre7lbqOas8rFoALepC0BYDiZDFy0Z9ZnRAFzRI5sgIt7jpoMRD4xDNlmiV8X+yBxc3Y3wKBgQChDQsU1YUyNKQ8+sLAL9anEEkD4Ald4q8JPHN2IY+gLLxNzT0XEfsu0pTiJ8805axxgUYv3e/PVYNAJBNPnrqaf6lgiegl+jr9Hzhqz9CTUAYqFaL2boSakoxQyNtsLI0s+cb1vDN/3uy0GDZDzcty18BsMagqDmRtFgNNAj/UIwKBgQCahbeFBv0cOPZjxisY8Bou4N8aGehsqNBq/0LVYExuXa8YmoTTdJ3bgw9Er4G/ccQNdUDsuqAMeCtW/CiRzQ0ge4d1sprB4Rv3I4+HSsiS7SFKzfZLtWzXWlpg5qCdlWr1TR7qhYjIOPO9t1beO3YOvwhcRoliyyAPenBxTmTfbwKBgDtm2WJ5VlQgNpIdOs1CCiqd0DFmWOmvBPspPC1kySiy+Ndr9jNohRZkR7pEjgqA5E8rdzc88LirUN7bY5HFHRWN9KXrs5/o3O1K3GFCp64N6nvnPEYZ2zSJalcMC2fjSsJg26z8Dg1H+gfTIDUMoGiEAAnJXuqk+WayPU+fZMLn", "privateKey": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCCPyvTTb14vSMkpe/pds2P5Cqxk7bkeFnQiNMS1vyZ+HS2O79fxzp1eAguHnBTs4XTRT7SZJhIT/6utgqZjmDigKV5N7X5ptq8BM/W1qa1cYBRip261pc+tWf3IywJYQ9yFI9mUQarmIEl0D7GH16NSZklheaWfbodRVarvX+ML0amNtGYVDft/RftYmgbKKrK218qQp9R4GZFtf/Q/RmboNXN7weMINU8GWVkTRrccKBIXSunT6zXGfuj3Wp1YpVq20BWwY2OMM/P+yDAc7LKEO1LJqPBdT4r9BRn2lXiaga3AL24gTKZPKU/tu7uqfFciF+i4Rr58SMDNOzQcnklAgMBAAECggEAc0eibJYEO5d8QXW1kPgcHV2gBChv2mxDYnWYDLbIQSdNdfYP/qABt/MTmm5KkWr16fcCEYoD1w0mqFBrtVn1msSusUmEAYGTXJMNumOmjjX1kzaTQMmqeFBrwqwYz/xehWR5P+A7fSmwNV3KEeW19GvN5w5K96w0TLAQdFV3TQVPSytusDunwuR1yltMe1voaEDZ9z0Pi08YiEk2f6xhj5CMkoiw3mNImzfruphHullxU4FD05fH6tDeJ381527ILpAzDsgYZh4aFLKjUHem96bX4EL7FIzBJ6okgN78AZnUC/EaVfgFTw0qfhoWvZV4ruVXXiMhCg4CMMRDq/k9iQKBgQDBNWsJMT84OnnWmQoJmZogkFV+tsGrSK6Re+aJxLWpishh7dwAnT2OcagZvVdUb0FwNWu1D0B9/SKDDMRnnHBhOGDpH57m/eQdRU0oX1BD27xvffk0lLcfD4BTxnR5e9jss8K4twc9jf0P1rxC/loGJ2NtCH0BrPHgz54Ea+96ewKBgQCsk3JDaaPnFwzVYm2BXlhxOxLPsF4wvD2rIRAswZV4C5xebjand8nwiMmVpNd0PRLkEnkI+waURGv2EY/P3JsssoiY8Xqe8f/1G+SQKre7lbqOas8rFoALepC0BYDiZDFy0Z9ZnRAFzRI5sgIt7jpoMRD4xDNlmiV8X+yBxc3Y3wKBgQChDQsU1YUyNKQ8+sLAL9anEEkD4Ald4q8JPHN2IY+gLLxNzT0XEfsu0pTiJ8805axxgUYv3e/PVYNAJBNPnrqaf6lgiegl+jr9Hzhqz9CTUAYqFaL2boSakoxQyNtsLI0s+cb1vDN/3uy0GDZDzcty18BsMagqDmRtFgNNAj/UIwKBgQCahbeFBv0cOPZjxisY8Bou4N8aGehsqNBq/0LVYExuXa8YmoTTdJ3bgw9Er4G/ccQNdUDsuqAMeCtW/CiRzQ0ge4d1sprB4Rv3I4+HSsiS7SFKzfZLtWzXWlpg5qCdlWr1TR7qhYjIOPO9t1beO3YOvwhcRoliyyAPenBxTmTfbwKBgDtm2WJ5VlQgNpIdOs1CCiqd0DFmWOmvBPspPC1kySiy+Ndr9jNohRZkR7pEjgqA5E8rdzc88LirUN7bY5HFHRWN9KXrs5/o3O1K3GFCp64N6nvnPEYZ2zSJalcMC2fjSsJg26z8Dg1H+gfTIDUMoGiEAAnJXuqk+WayPU+fZMLn",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgj8r0029eL0jJKXv6XbNj+QqsZO25HhZ0IjTEtb8mfh0tju/X8c6dXgILh5wU7OF00U+0mSYSE/+rrYKmY5g4oCleTe1+abavATP1tamtXGAUYqdutaXPrVn9yMsCWEPchSPZlEGq5iBJdA+xh9ejUmZJYXmln26HUVWq71/jC9GpjbRmFQ37f0X7WJoGyiqyttfKkKfUeBmRbX/0P0Zm6DVze8HjCDVPBllZE0a3HCgSF0rp0+s1xn7o91qdWKVattAVsGNjjDPz/sgwHOyyhDtSyajwXU+K/QUZ9pV4moGtwC9uIEymTylP7bu7qnxXIhfouEa+fEjAzTs0HJ5JQIDAQAB", "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgj8r0029eL0jJKXv6XbNj+QqsZO25HhZ0IjTEtb8mfh0tju/X8c6dXgILh5wU7OF00U+0mSYSE/+rrYKmY5g4oCleTe1+abavATP1tamtXGAUYqdutaXPrVn9yMsCWEPchSPZlEGq5iBJdA+xh9ejUmZJYXmln26HUVWq71/jC9GpjbRmFQ37f0X7WJoGyiqyttfKkKfUeBmRbX/0P0Zm6DVze8HjCDVPBllZE0a3HCgSF0rp0+s1xn7o91qdWKVattAVsGNjjDPz/sgwHOyyhDtSyajwXU+K/QUZ9pV4moGtwC9uIEymTylP7bu7qnxXIhfouEa+fEjAzTs0HJ5JQIDAQAB",