KEYCLOAK-5420

2017-12-15 12:16:24 -05:00 · 2017-12-15 12:16:24 -05:00 · 7cb39c2dfc
commit 7cb39c2dfc
parent 1c38cec10f
3 changed files with 25 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@ -125,7 +125,8 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
            context.getEvent().user(user);
            context.getEvent().error(Errors.USER_DISABLED);
            Response challengeResponse = disabledUser(context);
-            context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
+            // this is not a failure so don't call failureChallenge.
+            context.forceChallenge(challengeResponse);
            return false;
        }
        if (context.getRealm().isBruteForceProtected()) {
@ -133,7 +134,8 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
                context.getEvent().user(user);
                context.getEvent().error(Errors.USER_TEMPORARILY_DISABLED);
                Response challengeResponse = temporarilyDisabledUser(context);
-                context.failureChallenge(AuthenticationFlowError.USER_TEMPORARILY_DISABLED, challengeResponse);
+                // this is not a failure so don't call failureChallenge.
+                context.forceChallenge(challengeResponse);
                return false;
            }
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@ -389,7 +389,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
        return true;
    }
    
-    //@Test
+    @Test
    public void testDemo() throws Exception {
        testingClient.server().run(FineGrainAdminUnitTest::setupDemo);
        Thread.sleep(1000000000);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
@ -45,6 +45,7 @@ import org.keycloak.testsuite.util.RealmRepUtil;
 import org.keycloak.testsuite.util.UserBuilder;

 import java.net.MalformedURLException;
+import java.util.Collections;

 import static org.junit.Assert.assertEquals;

@ -67,6 +68,10 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {

        testRealm.setBruteForceProtected(true);
        testRealm.setFailureFactor(2);
+        testRealm.setMaxDeltaTimeSeconds(200);
+        testRealm.setMaxFailureWaitSeconds(1000);
+        testRealm.setWaitIncrementSeconds(50);
+        testRealm.setQuickLoginCheckMilliSeconds(0L);

        userId = user.getId();

@ -286,6 +291,21 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
        loginSuccess();
    }

+    @Test
+    public void testWait() throws Exception {
+        loginSuccess();
+        loginInvalidPassword();
+        loginInvalidPassword();
+        expectTemporarilyDisabled();
+        // KEYCLOAK-5420
+        // Test to make sure that temporarily disabled doesn't increment failure count
+        testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(52)));
+        loginSuccess();
+        clearUserFailures();
+        clearAllUserFailures();
+        loginSuccess();
+    }
+
    @Test
    public void testBrowserInvalidPasswordDifferentCase() throws Exception {
        loginSuccess("test-user@localhost");