KEYCLOAK-2861 Test AttackDetectionResource
This commit is contained in:
parent
8efbdce810
commit
86dfcecef6
3 changed files with 146 additions and 0 deletions
|
@ -0,0 +1,49 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.admin.client.resource;
|
||||||
|
|
||||||
|
import org.jboss.resteasy.annotations.cache.NoCache;
|
||||||
|
|
||||||
|
import javax.ws.rs.DELETE;
|
||||||
|
import javax.ws.rs.GET;
|
||||||
|
import javax.ws.rs.Path;
|
||||||
|
import javax.ws.rs.PathParam;
|
||||||
|
import javax.ws.rs.Produces;
|
||||||
|
import javax.ws.rs.core.MediaType;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
*/
|
||||||
|
public interface AttackDetectionResource {
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@Path("brute-force/usernames/{username}")
|
||||||
|
@NoCache
|
||||||
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
Map<String, Object> bruteForceUserStatus(@PathParam("username") String username);
|
||||||
|
|
||||||
|
@Path("brute-force/usernames/{username}")
|
||||||
|
@DELETE
|
||||||
|
void clearBruteForceForUser(@PathParam("username") String username);
|
||||||
|
|
||||||
|
@Path("brute-force/usernames")
|
||||||
|
@DELETE
|
||||||
|
void clearAllBruteForce();
|
||||||
|
|
||||||
|
}
|
|
@ -154,4 +154,7 @@ public interface RealmResource {
|
||||||
@Consumes(MediaType.APPLICATION_JSON)
|
@Consumes(MediaType.APPLICATION_JSON)
|
||||||
AuthenticationManagementResource flows();
|
AuthenticationManagementResource flows();
|
||||||
|
|
||||||
|
@Path("attack-detection")
|
||||||
|
AttackDetectionResource attackDetection();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,94 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.testsuite.admin;
|
||||||
|
|
||||||
|
import org.jboss.arquillian.graphene.page.Page;
|
||||||
|
import org.jboss.arquillian.test.api.ArquillianResource;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.keycloak.admin.client.resource.AttackDetectionResource;
|
||||||
|
import org.keycloak.common.util.Time;
|
||||||
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
|
import org.keycloak.testsuite.util.OAuthClient;
|
||||||
|
import org.keycloak.testsuite.util.UserBuilder;
|
||||||
|
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
*/
|
||||||
|
public class AttackDetectionResourceTest extends AbstractAdminTest {
|
||||||
|
|
||||||
|
@ArquillianResource
|
||||||
|
private OAuthClient oauthClient;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||||
|
testRealm.setBruteForceProtected(true);
|
||||||
|
testRealm.setFailureFactor(2);
|
||||||
|
|
||||||
|
testRealm.getUsers().add(UserBuilder.create().username("test-user2").password("password").build());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void test() {
|
||||||
|
AttackDetectionResource detection = adminClient.realm("test").attackDetection();
|
||||||
|
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||||
|
|
||||||
|
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||||
|
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||||
|
oauthClient.doLogin("test-user@localhost", "invalid");
|
||||||
|
|
||||||
|
oauthClient.doLogin("test-user2", "invalid");
|
||||||
|
oauthClient.doLogin("test-user2", "invalid");
|
||||||
|
oauthClient.doLogin("nosuchuser", "invalid");
|
||||||
|
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 3, true, true);
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("nosuchuser"), 0, false, false);
|
||||||
|
|
||||||
|
detection.clearBruteForceForUser("test-user@localhost");
|
||||||
|
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 2, true, true);
|
||||||
|
|
||||||
|
detection.clearAllBruteForce();
|
||||||
|
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user@localhost"), 0, false, false);
|
||||||
|
assertBruteForce(detection.bruteForceUserStatus("test-user2"), 0, false, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assertBruteForce(Map<String, Object> status, Integer expectedNumFailures, Boolean expectedFailure, Boolean expectedDisabled) {
|
||||||
|
assertEquals(4, status.size());
|
||||||
|
assertEquals(expectedNumFailures, status.get("numFailures"));
|
||||||
|
assertEquals(expectedDisabled, status.get("disabled"));
|
||||||
|
if (expectedFailure) {
|
||||||
|
assertEquals("127.0.0.1", status.get("lastIPFailure"));
|
||||||
|
Long lastFailure = (Long) status.get("lastFailure");
|
||||||
|
assertTrue(lastFailure < (System.currentTimeMillis() + 1) && lastFailure > (System.currentTimeMillis() - 10000));
|
||||||
|
} else {
|
||||||
|
assertEquals("n/a", status.get("lastIPFailure"));
|
||||||
|
assertEquals("0", status.get("lastFailure").toString());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in a new issue