KEYCLOAK-3451

2016-12-14 15:04:53 -05:00 · 2016-12-14 15:04:53 -05:00 · 56f9aa41d0
commit 56f9aa41d0
parent c17a57d76c
3 changed files with 62 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java
@ -89,6 +89,11 @@ public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator imple

        CredentialValidationOutput output = context.getSession().userCredentialManager().authenticate(context.getSession(), context.getRealm(), spnegoCredential);

+        if (output == null) {
+            logger.warn("Received kerberos token, but there is no user storage provider that handles kerberos credentials.");
+            context.attempted();
+            return;
+        }
        if (output.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            context.setUser(output.getAuthenticatedUser());
            if (output.getState() != null && !output.getState().isEmpty()) {
--- a/services/src/main/java/org/keycloak/credential/UserCredentialStoreManager.java
+++ b/services/src/main/java/org/keycloak/credential/UserCredentialStoreManager.java
@ -146,7 +146,7 @@ public class UserCredentialStoreManager implements UserCredentialManager, OnUser
    protected <T> List<T> getCredentialProviders(RealmModel realm, Class<T> type) {
        List<T> list = new LinkedList<T>();
        for (ProviderFactory f : session.getKeycloakSessionFactory().getProviderFactories(CredentialProvider.class)) {
-            if (!Types.supports(CredentialInputUpdater.class, f, CredentialProviderFactory.class)) continue;
+            if (!Types.supports(type, f, CredentialProviderFactory.class)) continue;
            list.add((T)session.getProvider(CredentialProvider.class, f.getId()));
        }
        return list;
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java
@ -25,6 +25,7 @@ import org.junit.Test;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
 import org.junit.runners.MethodSorters;
+import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
 import org.keycloak.common.constants.KerberosConstants;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.federation.kerberos.CommonKerberosConfig;
@ -45,6 +46,8 @@ import org.keycloak.utils.CredentialHelper;
 import javax.ws.rs.core.Response;
 import java.net.URL;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 /**
 * Test of KerberosFederationProvider (Kerberos not backed by LDAP)
@ -189,5 +192,58 @@ public class KerberosStandaloneTest extends AbstractKerberosTest {
        }
    }

+    /**
+     * KEYCLOAK-3451
+     *
+     * Test that if there is no User Storage Provider that can handle kerberos we can still login
+     *
+     * @throws Exception
+     */
+    @Test
+    public void noProvider() throws Exception {
+        KeycloakSession session = keycloakRule.startSession();
+        try {
+            RealmModel realm = session.realms().getRealm("test");
+            realm.removeComponent(kerberosModel);
+        } finally {
+            keycloakRule.stopSession(session, true);
+        }
+        /*
+         To do this we do a valid kerberos login.  The authenticator will obtain a valid token, but there will
+         be no user storage provider that can process it.  This means we should be on the login page.
+         We do this through a JAX-RS client request.  We extract the action URL from the login page, and stuff it
+         into selenium then just perform a regular login.
+         */
+        Response spnegoResponse = spnegoLogin("hnelson", "secret");
+        String context = spnegoResponse.readEntity(String.class);
+        spnegoResponse.close();
+        Pattern pattern = Pattern.compile("action=\"([^\"]+)\"");
+        Matcher m = pattern.matcher(context);
+        Assert.assertTrue(m.find());
+        String url = m.group(1);
+        driver.navigate().to(url);
+        Assert.assertTrue(loginPage.isCurrent());
+        loginPage.login("test-user@localhost", "password");
+        String pageSource = driver.getPageSource();
+        Assert.assertTrue(pageSource.contains("Kerberos Test") && pageSource.contains("Kerberos servlet secured content"));
+
+
+        events.clear();
+        session = keycloakRule.startSession();
+        try {
+            RealmModel realm = session.realms().getRealm("test");
+            realm.addComponentModel(kerberosModel);
+        } finally {
+            keycloakRule.stopSession(session, true);
+        }
+
+
+
+
+    }
+
+
+
+

 }