KEYCLOAK-2147
This commit is contained in:
Stian Thorgersen
parent
d5105164e9
commit
7c4c77d70e
4 changed files with 29 additions and 40 deletions
|
|
@ -53,12 +53,6 @@ public class BruteForceProtector implements Runnable {
|
|||
}
|
||||
}
|
||||
|
||||
protected class SuccessfulLogin extends LoginEvent {
|
||||
public SuccessfulLogin(String realmId, String userId, String ip) {
|
||||
super(realmId, userId, ip);
|
||||
}
|
||||
}
|
||||
|
||||
protected class ShutdownEvent extends LoginEvent {
|
||||
public ShutdownEvent() {
|
||||
super(null, null, null);
|
||||
|
|
@ -83,7 +77,7 @@ public class BruteForceProtector implements Runnable {
|
|||
logFailure(event);
|
||||
UsernameLoginFailureModel user = getUserModel(session, event);
|
||||
if (user == null) {
|
||||
user = session.sessions().addUserLoginFailure(realm, event.username);
|
||||
user = session.sessions().addUserLoginFailure(realm, event.username.toLowerCase());
|
||||
}
|
||||
user.setLastIPFailure(event.ip);
|
||||
long currentTime = System.currentTimeMillis();
|
||||
|
|
@ -122,7 +116,7 @@ public class BruteForceProtector implements Runnable {
|
|||
protected UsernameLoginFailureModel getUserModel(KeycloakSession session, LoginEvent event) {
|
||||
RealmModel realm = getRealmModel(session, event);
|
||||
if (realm == null) return null;
|
||||
UsernameLoginFailureModel user = session.sessions().getUserLoginFailure(realm, event.username);
|
||||
UsernameLoginFailureModel user = session.sessions().getUserLoginFailure(realm, event.username.toLowerCase());
|
||||
if (user == null) return null;
|
||||
return user;
|
||||
}
|
||||
|
|
@ -147,7 +141,6 @@ public class BruteForceProtector implements Runnable {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
public void run() {
|
||||
final ArrayList<LoginEvent> events = new ArrayList<LoginEvent>(TRANSACTION_SIZE + 1);
|
||||
try {
|
||||
|
|
@ -196,10 +189,6 @@ public class BruteForceProtector implements Runnable {
|
|||
}
|
||||
}
|
||||
|
||||
protected void logSuccess(LoginEvent event) {
|
||||
logger.warn("login success for user " + event.username + " from ip " + event.ip);
|
||||
}
|
||||
|
||||
protected void logFailure(LoginEvent event) {
|
||||
logger.warn("login failure for user " + event.username + " from ip " + event.ip);
|
||||
failures++;
|
||||
|
|
@ -215,15 +204,6 @@ public class BruteForceProtector implements Runnable {
|
|||
}
|
||||
}
|
||||
|
||||
public void successfulLogin(RealmModel realm, String username, ClientConnection clientConnection) {
|
||||
logger.info("successful login user: " + username + " from ip " + clientConnection.getRemoteAddr());
|
||||
}
|
||||
|
||||
public void invalidUser(RealmModel realm, String username, ClientConnection clientConnection) {
|
||||
logger.warn("invalid user: " + username + " from ip " + clientConnection.getRemoteAddr());
|
||||
// todo more?
|
||||
}
|
||||
|
||||
public void failedLogin(RealmModel realm, String username, ClientConnection clientConnection) {
|
||||
try {
|
||||
FailedLogin event = new FailedLogin(realm.getId(), username, clientConnection.getRemoteAddr());
|
||||
|
|
@ -238,7 +218,7 @@ public class BruteForceProtector implements Runnable {
|
|||
}
|
||||
|
||||
public boolean isTemporarilyDisabled(KeycloakSession session, RealmModel realm, String username) {
|
||||
UsernameLoginFailureModel failure = session.sessions().getUserLoginFailure(realm, username);
|
||||
UsernameLoginFailureModel failure = session.sessions().getUserLoginFailure(realm, username.toLowerCase());
|
||||
if (failure == null) {
|
||||
return false;
|
||||
}
|
||||
|
|
@ -251,13 +231,4 @@ public class BruteForceProtector implements Runnable {
|
|||
return false;
|
||||
}
|
||||
|
||||
public long getFailures() {
|
||||
return failures;
|
||||
}
|
||||
|
||||
public long getLastFailure() {
|
||||
return lastFailure;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ public class AttackDetectionResource {
|
|||
data.put("lastIPFailure", "n/a");
|
||||
if (!realm.isBruteForceProtected()) return data;
|
||||
|
||||
UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username);
|
||||
UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username.toLowerCase());
|
||||
if (model == null) return data;
|
||||
if (protector.isTemporarilyDisabled(session, realm, username)) {
|
||||
data.put("disabled", true);
|
||||
|
|
@ -97,7 +97,7 @@ public class AttackDetectionResource {
|
|||
@DELETE
|
||||
public void clearBruteForceForUser(@PathParam("username") String username) {
|
||||
auth.requireManage();
|
||||
UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username);
|
||||
UsernameLoginFailureModel model = session.sessions().getUserLoginFailure(realm, username.toLowerCase());
|
||||
if (model != null) {
|
||||
session.sessions().removeUserLoginFailure(realm, username);
|
||||
adminEvent.operation(OperationType.DELETE).success();
|
||||
|
|
|
|||
|
|
@ -144,7 +144,7 @@ public class UsersResource {
|
|||
}
|
||||
|
||||
if (rep.isEnabled() != null && rep.isEnabled()) {
|
||||
UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername());
|
||||
UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase());
|
||||
if (failureModel != null) {
|
||||
failureModel.clearFailures();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -302,6 +302,15 @@ public class BruteForceTest {
|
|||
loginSuccess();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testBrowserInvalidPasswordDifferentCase() throws Exception {
|
||||
loginSuccess("test-user@localhost");
|
||||
loginInvalidPassword("test-User@localhost");
|
||||
loginInvalidPassword("Test-user@localhost");
|
||||
expectTemporarilyDisabled();
|
||||
clearAllUserFailures();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testBrowserMissingPassword() throws Exception {
|
||||
loginSuccess();
|
||||
|
|
@ -333,8 +342,12 @@ public class BruteForceTest {
|
|||
}
|
||||
|
||||
public void expectTemporarilyDisabled() throws Exception {
|
||||
expectTemporarilyDisabled("test-user@localhost");
|
||||
}
|
||||
|
||||
public void expectTemporarilyDisabled(String username) throws Exception {
|
||||
loginPage.open();
|
||||
loginPage.login("test-user@localhost", "password");
|
||||
loginPage.login(username, "password");
|
||||
|
||||
loginPage.assertCurrent();
|
||||
String src = driver.getPageSource();
|
||||
|
|
@ -345,9 +358,11 @@ public class BruteForceTest {
|
|||
.assertEvent();
|
||||
}
|
||||
|
||||
|
||||
|
||||
public void loginSuccess() throws Exception {
|
||||
loginSuccess("test-user@localhost");
|
||||
}
|
||||
|
||||
public void loginSuccess(String username) throws Exception {
|
||||
loginPage.open();
|
||||
loginPage.login("test-user@localhost", "password");
|
||||
|
||||
|
|
@ -391,10 +406,13 @@ public class BruteForceTest {
|
|||
events.clear();
|
||||
}
|
||||
|
||||
|
||||
public void loginInvalidPassword() throws Exception {
|
||||
loginInvalidPassword("test-user@localhost");
|
||||
}
|
||||
|
||||
public void loginInvalidPassword(String username) throws Exception {
|
||||
loginPage.open();
|
||||
loginPage.login("test-user@localhost", "invalid");
|
||||
loginPage.login(username, "invalid");
|
||||
|
||||
loginPage.assertCurrent();
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue