KEYCLOAK-2799 Show error for identity brokering login if user is disabled

2016-04-12 10:02:35 +02:00 · 2016-04-12 10:02:35 +02:00 · 538e49117f
commit 538e49117f
parent fcf7b28b8f
5 changed files with 98 additions and 8 deletions
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@ -32,6 +32,7 @@ import org.keycloak.broker.provider.IdentityProviderFactory;
 import org.keycloak.broker.provider.IdentityProviderMapper;
 import org.keycloak.common.util.Time;
 import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
 import org.keycloak.forms.login.LoginFormsProvider;
@ -319,6 +320,11 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
            return Response.status(302).location(redirect).build();

        } else {
+            Response response = validateUser(federatedUser, realmModel);
+            if (response != null) {
+                return response;
+            }
+
            updateFederatedIdentity(context, federatedUser);
            clientSession.setAuthenticatedUser(federatedUser);

@ -326,6 +332,18 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
        }
    }

+    public Response validateUser(UserModel user, RealmModel realm) {
+        if (!user.isEnabled()) {
+            event.error(Errors.USER_DISABLED);
+            return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
+        }
+        if (realm.isBruteForceProtected()) {
+            event.error(Errors.USER_TEMPORARILY_DISABLED);
+            return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
+        }
+        return null;
+    }
+
    // Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created
    @GET
    @Path("/after-first-broker-login")
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
@ -177,10 +177,6 @@ public abstract class AbstractIdentityProviderTest {
            Time.setOffset(0);
        }

-        String afterLogoutUrl = driver.getCurrentUrl();
-        String afterLogoutPageSource = driver.getPageSource();
-        System.out.println("afterLogoutUrl: " + afterLogoutUrl);
-        //System.out.println("after logout page source: " + afterLogoutPageSource);

        driver.navigate().to("http://localhost:8081/test-app");

@ -224,7 +220,6 @@ public abstract class AbstractIdentityProviderTest {

        String currentUrl = this.driver.getCurrentUrl();
        assertTrue(currentUrl.startsWith("http://localhost:8082/auth/"));
-        System.out.println(this.driver.getCurrentUrl());
        // log in to identity provider
        this.loginPage.login(username, "password");
        doAfterProviderAuthentication();
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
@ -38,6 +38,7 @@ import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserFederationProviderModel;
@ -69,6 +70,73 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
        Assert.assertEquals("617-666-7777", user.getFirstAttribute("mobile"));
    }

+    @Test
+    public void testDisabledUser() {
+        setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF);
+
+        driver.navigate().to("http://localhost:8081/test-app");
+        loginPage.clickSocial(getProviderId());
+        loginPage.login("test-user", "password");
+        System.out.println(driver.getPageSource());
+        driver.navigate().to("http://localhost:8081/test-app/logout");
+
+        try {
+            KeycloakSession session = brokerServerRule.startSession();
+            session.users().getUserByUsername("test-user", session.realms().getRealmByName("realm-with-broker")).setEnabled(false);
+            brokerServerRule.stopSession(session, true);
+
+            driver.navigate().to("http://localhost:8081/test-app");
+
+            loginPage.clickSocial(getProviderId());
+            loginPage.login("test-user", "password");
+
+            assertTrue(errorPage.isCurrent());
+            assertEquals("Account is disabled, contact admin.", errorPage.getError());
+        } finally {
+            KeycloakSession session = brokerServerRule.startSession();
+            session.users().getUserByUsername("test-user", session.realms().getRealmByName("realm-with-broker")).setEnabled(true);
+            brokerServerRule.stopSession(session, true);
+        }
+    }
+
+    @Test
+    public void testTemporarilyDisabledUser() {
+        setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF);
+
+        driver.navigate().to("http://localhost:8081/test-app");
+        loginPage.clickSocial(getProviderId());
+        loginPage.login("test-user", "password");
+        driver.navigate().to("http://localhost:8081/test-app/logout");
+
+        try {
+            KeycloakSession session = brokerServerRule.startSession();
+            RealmModel brokerRealm = session.realms().getRealmByName("realm-with-broker");
+            brokerRealm.setBruteForceProtected(true);
+            brokerRealm.setFailureFactor(2);
+            brokerServerRule.stopSession(session, true);
+
+            driver.navigate().to("http://localhost:8081/test-app");
+            loginPage.login("test-user", "fail");
+            loginPage.login("test-user", "fail");
+
+            driver.navigate().to("http://localhost:8081/test-app");
+
+            assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
+
+            loginPage.clickSocial(getProviderId());
+            loginPage.login("test-user", "password");
+
+            assertTrue(errorPage.isCurrent());
+            assertEquals("Account is disabled, contact admin.", errorPage.getError());
+        } finally {
+            KeycloakSession session = brokerServerRule.startSession();
+            RealmModel brokerRealm = session.realms().getRealmByName("realm-with-broker");
+            brokerRealm.setBruteForceProtected(false);
+            brokerRealm.setFailureFactor(0);
+            brokerServerRule.stopSession(session, true);
+        }
+    }
+
    @Test
    public void testSuccessfulAuthenticationUpdateProfileOnMissing_nothingMissing() {
        IdentityProviderModel identityProviderModel = getIdentityProviderModel();
@ -362,7 +430,6 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
        revokeGrant();

        // Logout from account management
-        System.out.println("*** logout from account management");
        accountFederatedIdentityPage.logout();
        assertTrue(driver.getTitle().equals("Log in to realm-with-broker"));
        assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
@ -502,7 +569,7 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent

            driver.navigate().to("http://localhost:8081/test-app/logout");
            String currentUrl = this.driver.getCurrentUrl();
-            System.out.println("after logout currentUrl: " + currentUrl);
+//            System.out.println("after logout currentUrl: " + currentUrl);
            assertTrue(currentUrl.startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));

            unconfigureUserRetrieveToken("test-user");
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
@ -116,6 +116,16 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP
        super.testSuccessfulAuthentication();
    }

+    @Test
+    public void testDisabledUser() {
+        super.testDisabledUser();
+    }
+
+    @Test
+    public void testTemporarilyDisabledUser() {
+        super.testTemporarilyDisabledUser();
+    }
+
    @Test
    public void testLogoutWorksWithTokenTimeout() {
        Keycloak keycloak = Keycloak.getInstance("http://localhost:8081/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID);
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java
@ -46,7 +46,7 @@ public class ErrorPage extends AbstractPage {
    }

    public boolean isCurrent() {
-        return driver.getTitle().equals("We're sorry...");
+        return driver.getTitle() != null && driver.getTitle().equals("We're sorry...");
    }

    @Override