Merge pull request #1877 from stianst/KEYCLOAK-2129

KEYCLOAK-2129
This commit is contained in:
Stian Thorgersen 2015-11-26 15:33:39 +01:00
commit 426a2b46fc
7 changed files with 102 additions and 41 deletions

View file

@ -754,7 +754,7 @@ public class AuthenticationProcessor {
if (!code.isValidAction(action)) { if (!code.isValidAction(action)) {
throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION); throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION);
} }
if (!code.isActionActive(action)) { if (!code.isActionActive(ClientSessionCode.ActionType.LOGIN)) {
throw new AuthenticationFlowException(AuthenticationFlowError.EXPIRED_CODE); throw new AuthenticationFlowException(AuthenticationFlowError.EXPIRED_CODE);
} }
clientSession.setTimestamp(Time.currentTime()); clientSession.setTimestamp(Time.currentTime());

View file

@ -202,7 +202,7 @@ public class TokenEndpoint {
ClientSessionModel clientSession = accessCode.getClientSession(); ClientSessionModel clientSession = accessCode.getClientSession();
event.detail(Details.CODE_ID, clientSession.getId()); event.detail(Details.CODE_ID, clientSession.getId());
if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name())) { if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
throw new ErrorResponseException("invalid_grant", "Code is expired", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_grant", "Code is expired", Response.Status.BAD_REQUEST);
} }

View file

@ -27,6 +27,12 @@ public class ClientSessionCode {
private final RealmModel realm; private final RealmModel realm;
private final ClientSessionModel clientSession; private final ClientSessionModel clientSession;
public enum ActionType {
CLIENT,
LOGIN,
USER
}
public ClientSessionCode(RealmModel realm, ClientSessionModel clientSession) { public ClientSessionCode(RealmModel realm, ClientSessionModel clientSession) {
this.realm = realm; this.realm = realm;
this.clientSession = clientSession; this.clientSession = clientSession;
@ -128,23 +134,29 @@ public class ClientSessionCode {
return clientSession; return clientSession;
} }
public boolean isValid(String requestedAction) { public boolean isValid(String requestedAction, ActionType actionType) {
if (!isValidAction(requestedAction)) return false; if (!isValidAction(requestedAction)) return false;
return isActionActive(requestedAction); return isActionActive(actionType);
} }
public boolean isActionActive(String requestedAction) { public boolean isActionActive(ActionType actionType) {
int timestamp = clientSession.getTimestamp(); int timestamp = clientSession.getTimestamp();
int lifespan; int lifespan;
if (requestedAction.equals(ClientSessionModel.Action.CODE_TO_TOKEN.name())) { switch (actionType) {
lifespan = realm.getAccessCodeLifespan(); case CLIENT:
lifespan = realm.getAccessCodeLifespan();
} else if (requestedAction.equals(ClientSessionModel.Action.AUTHENTICATE.name())) { break;
lifespan = realm.getAccessCodeLifespanLogin() > 0 ? realm.getAccessCodeLifespanLogin() : realm.getAccessCodeLifespanUserAction(); case LOGIN:
} else { lifespan = realm.getAccessCodeLifespanLogin() > 0 ? realm.getAccessCodeLifespanLogin() : realm.getAccessCodeLifespanUserAction();
lifespan = realm.getAccessCodeLifespanUserAction(); break;
case USER:
lifespan = realm.getAccessCodeLifespanUserAction();
break;
default:
throw new IllegalArgumentException();
} }
return timestamp + lifespan > Time.currentTime(); return timestamp + lifespan > Time.currentTime();
} }

View file

@ -446,7 +446,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
@Override @Override
public Response cancelled(String code) { public Response cancelled(String code) {
ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel); ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel);
if (clientCode.getClientSession() == null || !clientCode.isValid(AUTHENTICATE.name())) { if (clientCode.getClientSession() == null || !clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return redirectToErrorPage(Messages.INVALID_CODE); return redirectToErrorPage(Messages.INVALID_CODE);
} }
@ -456,7 +456,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
@Override @Override
public Response error(String code, String message) { public Response error(String code, String message) {
ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel); ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel);
if (clientCode.getClientSession() == null || !clientCode.isValid(AUTHENTICATE.name())) { if (clientCode.getClientSession() == null || !clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return redirectToErrorPage(Messages.INVALID_CODE); return redirectToErrorPage(Messages.INVALID_CODE);
} }
return browserAuthentication(clientCode.getClientSession(), message); return browserAuthentication(clientCode.getClientSession(), message);
@ -522,7 +522,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
private ClientSessionCode parseClientSessionCode(String code) { private ClientSessionCode parseClientSessionCode(String code) {
ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel); ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realmModel);
if (clientCode != null && clientCode.isValid(AUTHENTICATE.name())) { if (clientCode != null && clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
ClientSessionModel clientSession = clientCode.getClientSession(); ClientSessionModel clientSession = clientCode.getClientSession();
if (clientSession != null) { if (clientSession != null) {

View file

@ -165,25 +165,25 @@ public class LoginActionsService {
ClientSessionCode clientCode; ClientSessionCode clientCode;
Response response; Response response;
boolean verifyCode(String code, String requiredAction) { boolean verifyCode(String code, String requiredAction, ClientSessionCode.ActionType actionType) {
if (!verifyCode(code)) { if (!verifyCode(code)) {
return false; return false;
} }
if (!verifyAction(requiredAction)) { if (!verifyAction(requiredAction, actionType)) {
return false; return false;
} else { } else {
return true; return true;
} }
} }
public boolean verifyAction(String requiredAction) { public boolean verifyAction(String requiredAction, ClientSessionCode.ActionType actionType) {
if (!clientCode.isValidAction(requiredAction)) { if (!clientCode.isValidAction(requiredAction)) {
event.client(clientCode.getClientSession().getClient()); event.client(clientCode.getClientSession().getClient());
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
response = ErrorPage.error(session, Messages.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE);
return false; return false;
} }
if (!clientCode.isActionActive(requiredAction)) { if (!clientCode.isActionActive(actionType)) {
event.client(clientCode.getClientSession().getClient()); event.client(clientCode.getClientSession().getClient());
event.clone().error(Errors.EXPIRED_CODE); event.clone().error(Errors.EXPIRED_CODE);
if (clientCode.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) { if (clientCode.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) {
@ -264,7 +264,7 @@ public class LoginActionsService {
@QueryParam("execution") String execution) { @QueryParam("execution") String execution) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return checks.response; return checks.response;
} }
event.detail(Details.CODE_ID, code); event.detail(Details.CODE_ID, code);
@ -315,7 +315,7 @@ public class LoginActionsService {
@QueryParam("execution") String execution) { @QueryParam("execution") String execution) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return checks.response; return checks.response;
} }
final ClientSessionCode clientCode = checks.clientCode; final ClientSessionCode clientCode = checks.clientCode;
@ -374,7 +374,7 @@ public class LoginActionsService {
protected Response resetCredentials(String code, String execution) { protected Response resetCredentials(String code, String execution) {
event.event(EventType.RESET_PASSWORD); event.event(EventType.RESET_PASSWORD);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) {
return checks.response; return checks.response;
} }
final ClientSessionCode clientCode = checks.clientCode; final ClientSessionCode clientCode = checks.clientCode;
@ -438,7 +438,7 @@ public class LoginActionsService {
} }
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return checks.response; return checks.response;
} }
event.detail(Details.CODE_ID, code); event.detail(Details.CODE_ID, code);
@ -468,7 +468,7 @@ public class LoginActionsService {
return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED);
} }
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return checks.response; return checks.response;
} }
@ -496,7 +496,7 @@ public class LoginActionsService {
event.event(EventType.IDENTITY_PROVIDER_FIRST_LOGIN); event.event(EventType.IDENTITY_PROVIDER_FIRST_LOGIN);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
return checks.response; return checks.response;
} }
event.detail(Details.CODE_ID, code); event.detail(Details.CODE_ID, code);
@ -556,7 +556,7 @@ public class LoginActionsService {
String code = formData.getFirst("code"); String code = formData.getFirst("code");
ClientSessionCode accessCode = ClientSessionCode.parse(code, session, realm); ClientSessionCode accessCode = ClientSessionCode.parse(code, session, realm);
if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT.name())) { if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT.name(), ClientSessionCode.ActionType.LOGIN)) {
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
return ErrorPage.error(session, Messages.INVALID_ACCESS_CODE); return ErrorPage.error(session, Messages.INVALID_ACCESS_CODE);
} }
@ -622,7 +622,7 @@ public class LoginActionsService {
event.event(EventType.VERIFY_EMAIL); event.event(EventType.VERIFY_EMAIL);
if (key != null) { if (key != null) {
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
return checks.response; return checks.response;
} }
ClientSessionCode accessCode = checks.clientCode; ClientSessionCode accessCode = checks.clientCode;
@ -665,7 +665,7 @@ public class LoginActionsService {
return AuthenticationProcessor.createRequiredActionRedirect(realm, clientSession, uriInfo); return AuthenticationProcessor.createRequiredActionRedirect(realm, clientSession, uriInfo);
} else { } else {
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
return checks.response; return checks.response;
} }
ClientSessionCode accessCode = checks.clientCode; ClientSessionCode accessCode = checks.clientCode;
@ -697,7 +697,7 @@ public class LoginActionsService {
event.event(EventType.EXECUTE_ACTIONS); event.event(EventType.EXECUTE_ACTIONS);
if (key != null) { if (key != null) {
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(key, ClientSessionModel.Action.EXECUTE_ACTIONS.name())) { if (!checks.verifyCode(key, ClientSessionModel.Action.EXECUTE_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
return checks.response; return checks.response;
} }
ClientSessionModel clientSession = checks.clientCode.getClientSession(); ClientSessionModel clientSession = checks.clientCode.getClientSession();
@ -767,7 +767,7 @@ public class LoginActionsService {
event.event(EventType.CUSTOM_REQUIRED_ACTION); event.event(EventType.CUSTOM_REQUIRED_ACTION);
event.detail(Details.CUSTOM_REQUIRED_ACTION, action); event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
Checks checks = new Checks(); Checks checks = new Checks();
if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name())) { if (!checks.verifyCode(code, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
return checks.response; return checks.response;
} }
final ClientSessionCode clientCode = checks.clientCode; final ClientSessionCode clientCode = checks.clientCode;

View file

@ -166,7 +166,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
private ClientSessionCode parseClientSessionCode(String code) { private ClientSessionCode parseClientSessionCode(String code) {
ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realm); ClientSessionCode clientCode = ClientSessionCode.parse(code, this.session, this.realm);
if (clientCode != null && clientCode.isValid(AUTHENTICATE.name())) { if (clientCode != null && clientCode.isValid(AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
ClientSessionModel clientSession = clientCode.getClientSession(); ClientSessionModel clientSession = clientCode.getClientSession();
if (clientSession != null) { if (clientSession != null) {

View file

@ -21,10 +21,7 @@
*/ */
package org.keycloak.testsuite.forms; package org.keycloak.testsuite.forms;
import org.junit.Before; import org.junit.*;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.Errors; import org.keycloak.events.Errors;
import org.keycloak.events.Event; import org.keycloak.events.Event;
@ -39,13 +36,8 @@ import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.Constants; import org.keycloak.testsuite.Constants;
import org.keycloak.testsuite.MailUtil; import org.keycloak.testsuite.MailUtil;
import org.keycloak.testsuite.OAuthClient; import org.keycloak.testsuite.OAuthClient;
import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.*;
import org.keycloak.testsuite.pages.AppPage.RequestType; import org.keycloak.testsuite.pages.AppPage.RequestType;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.InfoPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.LoginPasswordResetPage;
import org.keycloak.testsuite.pages.LoginPasswordUpdatePage;
import org.keycloak.testsuite.rule.GreenMailRule; import org.keycloak.testsuite.rule.GreenMailRule;
import org.keycloak.testsuite.rule.KeycloakRule; import org.keycloak.testsuite.rule.KeycloakRule;
import org.keycloak.testsuite.rule.WebResource; import org.keycloak.testsuite.rule.WebResource;
@ -59,6 +51,7 @@ import javax.mail.internet.MimeMessage;
import java.io.IOException; import java.io.IOException;
import java.util.Collections; import java.util.Collections;
import java.util.concurrent.atomic.AtomicInteger;
import static org.junit.Assert.*; import static org.junit.Assert.*;
@ -114,6 +107,9 @@ public class ResetPasswordTest {
@WebResource @WebResource
protected InfoPage infoPage; protected InfoPage infoPage;
@WebResource
protected VerifyEmailPage verifyEmailPage;
@WebResource @WebResource
protected LoginPasswordResetPage resetPasswordPage; protected LoginPasswordResetPage resetPasswordPage;
@ -422,6 +418,59 @@ public class ResetPasswordTest {
} }
} }
@Test
public void resetPasswordExpiredCodeShort() throws IOException, MessagingException, InterruptedException {
final AtomicInteger originalValue = new AtomicInteger();
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
originalValue.set(appRealm.getAccessCodeLifespan());
appRealm.setAccessCodeLifespanUserAction(60);
}
});
try {
loginPage.open();
loginPage.resetPassword();
resetPasswordPage.assertCurrent();
resetPasswordPage.changePassword("login-test");
loginPage.assertCurrent();
assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
.session((String)null)
.user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();
assertEquals(1, greenMail.getReceivedMessages().length);
MimeMessage message = greenMail.getReceivedMessages()[0];
String changePasswordUrl = getPasswordResetEmailLink(message);
Time.setOffset(70);
driver.navigate().to(changePasswordUrl.trim());
loginPage.assertCurrent();
assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError());
events.expectRequiredAction(EventType.RESET_PASSWORD).error("expired_code").client("test-app").user((String) null).session((String) null).clearDetails().assertEvent();
} finally {
Time.setOffset(0);
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
appRealm.setAccessCodeLifespanUserAction(originalValue.get());
}
});
}
}
@Test @Test
public void resetPasswordDisabledUser() throws IOException, MessagingException, InterruptedException { public void resetPasswordDisabledUser() throws IOException, MessagingException, InterruptedException {
keycloakRule.configure(new KeycloakRule.KeycloakSetup() { keycloakRule.configure(new KeycloakRule.KeycloakSetup() {