fix holes

This commit is contained in:
Bill Burke 2015-08-15 10:39:33 -04:00
parent 25bb0ade1b
commit 374a2ad957
7 changed files with 37 additions and 18 deletions


@ -38,6 +38,7 @@ public interface Errors {
String EXPIRED_CODE = "expired_code";
String REGISTRATION_DISABLED = "registration_disabled";
String RESET_CREDENTIAL_DISABLED = "reset_credential_disabled";
String REJECTED_BY_USER = "rejected_by_user";


@ -163,6 +163,7 @@ invalidRedirectUriMessage=Ung\u00FCltige redirect uri.
unsupportedNameIdFormatMessage=Nicht unterst\u00FCtztes NameIDFormat.
invlidRequesterMessage=Ung\u00FCltiger requester.
registrationNotAllowedMessage=Registrierung nicht erlaubt.
resetCredentialNotAllowedMessage=Reset Credential not allowed
permissionNotApprovedMessage=Berechtigung nicht best\u00E4tigt.
noRelayStateInResponseMessage=Kein relay state in der Antwort von dem Identity Provider [{0}].


@ -168,6 +168,7 @@ invalidRedirectUriMessage=Invalid redirect uri
unsupportedNameIdFormatMessage=Unsupported NameIDFormat
invlidRequesterMessage=Invalid requester
registrationNotAllowedMessage=Registration not allowed
resetCredentialNotAllowedMessage=Reset Credential not allowed
permissionNotApprovedMessage=Permission not approved.
noRelayStateInResponseMessage=No relay state in response from identity provider [{0}].


@ -160,6 +160,8 @@ invalidRedirectUriMessage=Redirect uri non valido
unsupportedNameIdFormatMessage=NameIDFormat non supportato
invlidRequesterMessage=Richiedente non valido
registrationNotAllowedMessage=Registrazione non permessa
resetCredentialNotAllowedMessage=Reset Credential not allowed
permissionNotApprovedMessage=Permesso non approvato.
noRelayStateInResponseMessage=Nessun relay state in risposta dall''identity provider [{0}].


@ -165,6 +165,7 @@ invalidRedirectUriMessage=URI de redirecionamento inv\u00E1lido
unsupportedNameIdFormatMessage=NameIDFormat n\u00E3o suportado
invlidRequesterMessage=Solicitante inv\u00E1lido
registrationNotAllowedMessage=Registro n\u00E3o permitido.
resetCredentialNotAllowedMessage=Reset Credential not allowed
permissionNotApprovedMessage=Permiss\u00E3o n\u00E3o aprovada.
noRelayStateInResponseMessage=Sem estado de retransmiss\u00E3o na resposta do provedor de identidade [{0}].


@ -111,6 +111,7 @@ public class Messages {
public static final String UNSUPPORTED_NAME_ID_FORMAT = "unsupportedNameIdFormatMessage";
public static final String REGISTRATION_NOT_ALLOWED = "registrationNotAllowedMessage";
public static final String RESET_CREDENTIAL_NOT_ALLOWED = "resetCredentialNotAllowedMessage";
public static final String PERMISSION_NOT_APPROVED = "permissionNotApprovedMessage";


@ -158,8 +158,8 @@ public class LoginActionsService {
ClientSessionCode clientCode;
Response response;
boolean verifyCode(AuthenticationFlowModel flow, String code, String requiredAction) {
if (!verifyCode(flow, code)) {
boolean verifyCode(String code, String requiredAction) {
if (!verifyCode(code)) {
return false;
} else if (!clientCode.isValidAction(requiredAction)) {
event.client(clientCode.getClientSession().getClient());
@ -181,8 +181,8 @@ public class LoginActionsService {
}
}
boolean verifyCode(AuthenticationFlowModel flow, String code, String requiredAction, String alternativeRequiredAction) {
if (!verifyCode(flow, code)) {
boolean verifyCode(String code, String requiredAction, String alternativeRequiredAction) {
if (!verifyCode(code)) {
return false;
} else if (!(clientCode.isValidAction(requiredAction) || clientCode.isValidAction(alternativeRequiredAction))) {
event.client(clientCode.getClientSession().getClient());
@ -207,7 +207,7 @@ public class LoginActionsService {
}
}
public boolean verifyCode(AuthenticationFlowModel flow, String code) {
public boolean verifyCode(String code) {
if (!checkSsl()) {
event.error(Errors.SSL_REQUIRED);
response = ErrorPage.error(session, Messages.HTTPS_REQUIRED);
@ -226,7 +226,7 @@ public class LoginActionsService {
ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code);
if (clientSession != null) {
event.clone().detail(Details.RESTART_AFTER_TIMEOUT, "true").error(Errors.EXPIRED_CODE);
response = processFlow(null, clientSession, flow, Messages.LOGIN_TIMEOUT);
response = processFlow(null, clientSession, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT);
return false;
}
} catch (Exception e) {
@ -274,7 +274,7 @@ public class LoginActionsService {
@QueryParam("execution") String execution) {
event.event(EventType.LOGIN);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
return checks.response;
}
event.detail(Details.CODE_ID, code);
@ -329,7 +329,7 @@ public class LoginActionsService {
@QueryParam("execution") String execution) {
event.event(EventType.LOGIN);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.AUTHENTICATE.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) {
return checks.response;
}
final ClientSessionCode clientCode = checks.clientCode;
@ -360,7 +360,7 @@ public class LoginActionsService {
}
Checks checks = new Checks();
if (!checks.verifyCode(realm.getRegistrationFlow(), code, ClientSessionModel.Action.AUTHENTICATE.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) {
return checks.response;
}
event.detail(Details.CODE_ID, code);
@ -385,8 +385,12 @@ public class LoginActionsService {
public Response processRegister(@QueryParam("code") String code,
@QueryParam("execution") String execution) {
event.event(EventType.REGISTER);
if (!realm.isRegistrationAllowed()) {
event.error(Errors.REGISTRATION_DISABLED);
return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED);
}
Checks checks = new Checks();
if (!checks.verifyCode(realm.getRegistrationFlow(), code, ClientSessionModel.Action.AUTHENTICATE.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) {
return checks.response;
}
if (!realm.isRegistrationAllowed()) {
@ -487,7 +491,7 @@ public class LoginActionsService {
final MultivaluedMap<String, String> formData) {
event.event(EventType.UPDATE_PROFILE);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.UPDATE_PROFILE.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.UPDATE_PROFILE.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -549,7 +553,7 @@ public class LoginActionsService {
final MultivaluedMap<String, String> formData) {
event.event(EventType.UPDATE_TOTP);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.CONFIGURE_TOTP.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.CONFIGURE_TOTP.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -601,7 +605,7 @@ public class LoginActionsService {
final MultivaluedMap<String, String> formData) {
event.event(EventType.UPDATE_PASSWORD);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.UPDATE_PASSWORD.name(), ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.UPDATE_PASSWORD.name(), ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -664,7 +668,7 @@ public class LoginActionsService {
event.event(EventType.VERIFY_EMAIL);
if (key != null) {
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), key, ClientSessionModel.Action.VERIFY_EMAIL.name())) {
if (!checks.verifyCode(key, ClientSessionModel.Action.VERIFY_EMAIL.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -691,7 +695,7 @@ public class LoginActionsService {
return AuthenticationManager.nextActionAfterAuthentication(session, userSession, clientSession, clientConnection, request, uriInfo, event);
} else {
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, ClientSessionModel.Action.VERIFY_EMAIL.name())) {
if (!checks.verifyCode(code, ClientSessionModel.Action.VERIFY_EMAIL.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -712,9 +716,13 @@ public class LoginActionsService {
@GET
public Response passwordReset(@QueryParam("code") String code, @QueryParam("key") String key) {
event.event(EventType.RESET_PASSWORD);
if (!realm.isResetPasswordAllowed()) {
event.error(Errors.RESET_CREDENTIAL_DISABLED);
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
}
if (key != null) {
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), key, ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
if (!checks.verifyCode(key, ClientSessionModel.Action.RECOVER_PASSWORD.name())) {
return checks.response;
}
ClientSessionCode accessCode = checks.clientCode;
@ -734,8 +742,12 @@ public class LoginActionsService {
public Response sendPasswordReset(@QueryParam("code") String code,
final MultivaluedMap<String, String> formData) {
event.event(EventType.SEND_RESET_PASSWORD);
if (!realm.isResetPasswordAllowed()) {
event.error(Errors.RESET_CREDENTIAL_DISABLED);
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
}
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code)) {
if (!checks.verifyCode(code)) {
return checks.response;
}
final ClientSessionCode accessCode = checks.clientCode;
@ -870,7 +882,7 @@ public class LoginActionsService {
}
RequiredActionProvider provider = factory.create(session);
Checks checks = new Checks();
if (!checks.verifyCode(realm.getBrowserFlow(), code, action)) {
if (!checks.verifyCode(code, action)) {
return checks.response;
}
final ClientSessionCode clientCode = checks.clientCode;
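Review bot: The restart-after-timeout path in verifyCode(String) now always runs `realm.getBrowserFlow()` (the line `response = processFlow(null, clientSession, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT);`), whereas registerPage and processRegister previously passed `realm.getRegistrationFlow()`, so an expired code on the registration form now restarts the user in the login flow rather than the registration flow. If that is deliberate (it does keep an expired registration code from re-entering a flow the realm may have disabled, which the new `isRegistrationAllowed()` guard in processRegister also covers), a comment on that line such as `// Restart always goes through the browser flow; registration and reset are re-gated by their endpoints` would stop the next maintainer from "fixing" it back; otherwise derive the flow from the restarted client session. Separately, the original `if (!realm.isRegistrationAllowed())` check that still follows `checks.verifyCode(...)` in processRegister is now redundant with the guard added before it and can be dropped. verifyCode(String) and processRegister both extend beyond their hunks.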