Merge pull request #1348 from mposolda/master

KEYCLOAK-1088 Audit of user grants during login
This commit is contained in:
Marek Posolda 2015-06-09 20:55:26 +02:00
commit 93650c442a
10 changed files with 83 additions and 22 deletions

View file

@ -27,4 +27,9 @@ public interface Details {
String CLIENT_SESSION_STATE = "client_session_state"; String CLIENT_SESSION_STATE = "client_session_state";
String CLIENT_SESSION_HOST = "client_session_host"; String CLIENT_SESSION_HOST = "client_session_host";
String CONSENT = "consent";
String CONSENT_VALUE_NO_CONSENT_REQUIRED = "no_consent_required"; // No consent is required by client
String CONSENT_VALUE_CONSENT_GRANTED = "consent_granted"; // Consent granted by user
String CONSENT_VALUE_PERSISTED_CONSENT = "persistent_consent"; // Persistent consent used (was already granted by user before)
} }

View file

@ -465,7 +465,6 @@ public class AuthenticationManager {
} }
if (client.isConsentRequired()) { if (client.isConsentRequired()) {
accessCode.setAction(ClientSessionModel.Action.OAUTH_GRANT);
UserConsentModel grantedConsent = user.getConsentByClient(client.getId()); UserConsentModel grantedConsent = user.getConsentByClient(client.getId());
@ -496,11 +495,18 @@ public class AuthenticationManager {
// Skip grant screen if everything was already approved by this user // Skip grant screen if everything was already approved by this user
if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) { if (realmRoles.size() > 0 || resourceRoles.size() > 0 || protocolMappers.size() > 0) {
accessCode.setAction(ClientSessionModel.Action.OAUTH_GRANT);
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setClientSessionCode(accessCode.getCode()) .setClientSessionCode(accessCode.getCode())
.setAccessRequest(realmRoles, resourceRoles, protocolMappers) .setAccessRequest(realmRoles, resourceRoles, protocolMappers)
.createOAuthGrant(clientSession); .createOAuthGrant(clientSession);
} else {
String consentDetail = (grantedConsent != null) ? Details.CONSENT_VALUE_PERSISTED_CONSENT : Details.CONSENT_VALUE_NO_CONSENT_REQUIRED;
event.detail(Details.CONSENT, consentDetail);
} }
} else {
event.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED);
} }
event.success(); event.success();

View file

@ -316,7 +316,7 @@ public class LoginActionsService {
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
} }
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_DISABLED);
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
} }
@ -443,7 +443,7 @@ public class LoginActionsService {
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
} }
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_DISABLED);
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
} }
@ -741,6 +741,7 @@ public class LoginActionsService {
} }
user.updateConsent(grantedConsent); user.updateConsent(grantedConsent);
event.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED);
event.success(); event.success();
return authManager.redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, clientConnection); return authManager.redirectAfterSuccessfulFlow(session, realm, userSession, clientSession, request, uriInfo, clientConnection);

View file

@ -113,7 +113,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
} }
public ExpectedEvent expectRequiredAction(EventType event) { public ExpectedEvent expectRequiredAction(EventType event) {
return expectLogin().event(event).session(isUUID()); return expectLogin().event(event).removeDetail(Details.CONSENT).session(isUUID());
} }
public ExpectedEvent expectLogin() { public ExpectedEvent expectLogin() {
@ -123,6 +123,7 @@ public class AssertEvents implements TestRule, EventListenerProviderFactory {
.detail(Details.RESPONSE_TYPE, "code") .detail(Details.RESPONSE_TYPE, "code")
.detail(Details.AUTH_METHOD, "form") .detail(Details.AUTH_METHOD, "form")
.detail(Details.REDIRECT_URI, DEFAULT_REDIRECT_URI) .detail(Details.REDIRECT_URI, DEFAULT_REDIRECT_URI)
.detail(Details.CONSENT, Details.CONSENT_VALUE_NO_CONSENT_REQUIRED)
.session(isUUID()); .session(isUUID());
} }

View file

@ -242,7 +242,9 @@ public class AccountTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().session((String) null).error("invalid_user_credentials").assertEvent(); events.expectLogin().session((String) null).error("invalid_user_credentials")
.removeDetail(Details.CONSENT)
.assertEvent();
loginPage.open(); loginPage.open();
loginPage.login("test-user@localhost", "new-password"); loginPage.login("test-user@localhost", "new-password");

View file

@ -127,7 +127,10 @@ public class LoginTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials").detail(Details.USERNAME, "login-test").assertEvent(); events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials")
.detail(Details.USERNAME, "login-test")
.removeDetail(Details.CONSENT)
.assertEvent();
} }
@Test @Test
@ -147,7 +150,10 @@ public class LoginTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials").detail(Details.USERNAME, "login-test").assertEvent(); events.expectLogin().user(userId).session((String) null).error("invalid_user_credentials")
.detail(Details.USERNAME, "login-test")
.removeDetail(Details.CONSENT)
.assertEvent();
} finally { } finally {
keycloakRule.configure(new KeycloakRule.KeycloakSetup() { keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override @Override
@ -175,7 +181,10 @@ public class LoginTest {
Assert.assertEquals("Account is disabled, contact admin.", loginPage.getError()); Assert.assertEquals("Account is disabled, contact admin.", loginPage.getError());
events.expectLogin().user(userId).session((String) null).error("user_disabled").detail(Details.USERNAME, "login-test").assertEvent(); events.expectLogin().user(userId).session((String) null).error("user_disabled")
.detail(Details.USERNAME, "login-test")
.removeDetail(Details.CONSENT)
.assertEvent();
} finally { } finally {
keycloakRule.configure(new KeycloakRule.KeycloakSetup() { keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override @Override
@ -195,7 +204,10 @@ public class LoginTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().user((String) null).session((String) null).error("user_not_found").detail(Details.USERNAME, "invalid").assertEvent(); events.expectLogin().user((String) null).session((String) null).error("user_not_found")
.detail(Details.USERNAME, "invalid")
.removeDetail(Details.CONSENT)
.assertEvent();
} }
@Test @Test
@ -413,7 +425,10 @@ public class LoginTest {
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType()); Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
Assert.assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR)); Assert.assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
events.expectLogin().error("rejected_by_user").user((String) null).session((String) null).removeDetail(Details.USERNAME).assertEvent(); events.expectLogin().error("rejected_by_user").user((String) null).session((String) null)
.removeDetail(Details.USERNAME)
.removeDetail(Details.CONSENT)
.assertEvent();
} }
// KEYCLOAK-1037 // KEYCLOAK-1037
@ -427,7 +442,10 @@ public class LoginTest {
loginPage.assertCurrent(); loginPage.assertCurrent();
Assert.assertEquals("Login timeout. Please login again.", loginPage.getError()); Assert.assertEquals("Login timeout. Please login again.", loginPage.getError());
events.expectLogin().user((String) null).session((String) null).error("expired_code").clearDetails().detail(Details.CODE_ID, AssertEvents.isCodeId()).assertEvent(); events.expectLogin().user((String) null).session((String) null).error("expired_code").clearDetails()
.detail(Details.CODE_ID, AssertEvents.isCodeId())
.removeDetail(Details.CONSENT)
.assertEvent();
} finally { } finally {
Time.setOffset(0); Time.setOffset(0);

View file

@ -114,7 +114,9 @@ public class LoginTotpTest {
loginPage.assertCurrent(); loginPage.assertCurrent();
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().error("invalid_user_credentials").session((String) null).assertEvent(); events.expectLogin().error("invalid_user_credentials").session((String) null)
.removeDetail(Details.CONSENT)
.assertEvent();
} }
@Test @Test
@ -140,7 +142,9 @@ public class LoginTotpTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().error("invalid_user_credentials").session((String) null).assertEvent(); events.expectLogin().error("invalid_user_credentials").session((String) null)
.removeDetail(Details.CONSENT)
.assertEvent();
} }
@Test @Test
@ -159,7 +163,8 @@ public class LoginTotpTest {
Assert.assertEquals("Invalid username or password.", loginPage.getError()); Assert.assertEquals("Invalid username or password.", loginPage.getError());
AssertEvents.ExpectedEvent expectedEvent = events.expectLogin().error("invalid_user_credentials") AssertEvents.ExpectedEvent expectedEvent = events.expectLogin().error("invalid_user_credentials")
.session((String) null); .session((String) null)
.removeDetail(Details.CONSENT);
expectedEvent.assertEvent(); expectedEvent.assertEvent();
} finally { } finally {
Time.setOffset(0); Time.setOffset(0);

View file

@ -141,6 +141,7 @@ public class AuthorizationCodeTest {
events.expectLogin().error("rejected_by_user").user((String) null).session((String) null) events.expectLogin().error("rejected_by_user").user((String) null).session((String) null)
.removeDetail(Details.USERNAME) .removeDetail(Details.USERNAME)
.removeDetail(Details.CONSENT)
.detail(Details.REDIRECT_URI, "http://localhost:8081/auth/realms/test/protocol/openid-connect/oauth/oob") .detail(Details.REDIRECT_URI, "http://localhost:8081/auth/realms/test/protocol/openid-connect/oauth/oob")
.assertEvent().getDetails().get(Details.CODE_ID); .assertEvent().getDetails().get(Details.CODE_ID);

View file

@ -36,7 +36,6 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper; import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.RealmManager; import org.keycloak.services.managers.RealmManager;
@ -51,7 +50,6 @@ import org.keycloak.testsuite.rule.WebResource;
import org.keycloak.testsuite.rule.WebRule; import org.keycloak.testsuite.rule.WebRule;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;
import java.io.IOException;
import java.util.Map; import java.util.Map;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
@ -104,7 +102,10 @@ public class OAuthGrantTest {
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE)); Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE));
Event loginEvent = events.expectLogin().client("third-party").assertEvent(); Event loginEvent = events.expectLogin()
.client("third-party")
.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
.assertEvent();
String codeId = loginEvent.getDetails().get(Details.CODE_ID); String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String sessionId = loginEvent.getSessionId(); String sessionId = loginEvent.getSessionId();
@ -147,7 +148,11 @@ public class OAuthGrantTest {
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.ERROR)); Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.ERROR));
assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR)); assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
events.expectLogin().client("third-party").error("rejected_by_user").assertEvent(); events.expectLogin()
.client("third-party")
.error("rejected_by_user")
.removeDetail(Details.CONSENT)
.assertEvent();
} }
@Test @Test
@ -159,7 +164,10 @@ public class OAuthGrantTest {
grantPage.assertCurrent(); grantPage.assertCurrent();
grantPage.accept(); grantPage.accept();
events.expectLogin().client("third-party").assertEvent(); events.expectLogin()
.client("third-party")
.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
.assertEvent();
// Assert permissions granted on Account mgmt. applications page // Assert permissions granted on Account mgmt. applications page
accountAppsPage.open(); accountAppsPage.open();
@ -172,7 +180,11 @@ public class OAuthGrantTest {
// Open login form and assert grantPage not shown // Open login form and assert grantPage not shown
oauth.openLoginForm(); oauth.openLoginForm();
appPage.assertCurrent(); appPage.assertCurrent();
events.expectLogin().detail(Details.AUTH_METHOD, "sso").removeDetail(Details.USERNAME).client("third-party").assertEvent(); events.expectLogin()
.detail(Details.AUTH_METHOD, "sso")
.detail(Details.CONSENT, Details.CONSENT_VALUE_PERSISTED_CONSENT)
.removeDetail(Details.USERNAME)
.client("third-party").assertEvent();
// Revoke grant in account mgmt. // Revoke grant in account mgmt.
accountAppsPage.open(); accountAppsPage.open();
@ -219,7 +231,10 @@ public class OAuthGrantTest {
// Confirm grant page // Confirm grant page
grantPage.assertCurrent(); grantPage.assertCurrent();
grantPage.accept(); grantPage.accept();
events.expectLogin().client("third-party").assertEvent(); events.expectLogin()
.client("third-party")
.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
.assertEvent();
// Assert new role and protocol mapper not in account mgmt. // Assert new role and protocol mapper not in account mgmt.
accountAppsPage.open(); accountAppsPage.open();
@ -235,7 +250,10 @@ public class OAuthGrantTest {
Assert.assertTrue(driver.getPageSource().contains("new-role")); Assert.assertTrue(driver.getPageSource().contains("new-role"));
Assert.assertTrue(driver.getPageSource().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME)); Assert.assertTrue(driver.getPageSource().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
grantPage.accept(); grantPage.accept();
events.expectLogin().client("third-party").assertEvent(); events.expectLogin()
.client("third-party")
.detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
.assertEvent();
// Go to account mgmt. Everything is granted now // Go to account mgmt. Everything is granted now
accountAppsPage.open(); accountAppsPage.open();

View file

@ -93,6 +93,7 @@ public class ResourceOwnerPasswordCredentialsGrantTest {
.detail(Details.USERNAME, login) .detail(Details.USERNAME, login)
.removeDetail(Details.CODE_ID) .removeDetail(Details.CODE_ID)
.removeDetail(Details.REDIRECT_URI) .removeDetail(Details.REDIRECT_URI)
.removeDetail(Details.CONSENT)
.assertEvent(); .assertEvent();
assertEquals(accessToken.getSessionState(), refreshToken.getSessionState()); assertEquals(accessToken.getSessionState(), refreshToken.getSessionState());
@ -128,6 +129,7 @@ public class ResourceOwnerPasswordCredentialsGrantTest {
.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId()) .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
.removeDetail(Details.CODE_ID) .removeDetail(Details.CODE_ID)
.removeDetail(Details.REDIRECT_URI) .removeDetail(Details.REDIRECT_URI)
.removeDetail(Details.CONSENT)
.assertEvent(); .assertEvent();
HttpResponse logoutResponse = oauth.doLogout(response.getRefreshToken(), "secret"); HttpResponse logoutResponse = oauth.doLogout(response.getRefreshToken(), "secret");
@ -180,6 +182,7 @@ public class ResourceOwnerPasswordCredentialsGrantTest {
.detail(Details.RESPONSE_TYPE, "token") .detail(Details.RESPONSE_TYPE, "token")
.removeDetail(Details.CODE_ID) .removeDetail(Details.CODE_ID)
.removeDetail(Details.REDIRECT_URI) .removeDetail(Details.REDIRECT_URI)
.removeDetail(Details.CONSENT)
.error(Errors.INVALID_USER_CREDENTIALS) .error(Errors.INVALID_USER_CREDENTIALS)
.assertEvent(); .assertEvent();
} }
@ -203,6 +206,7 @@ public class ResourceOwnerPasswordCredentialsGrantTest {
.detail(Details.USERNAME, "invalid") .detail(Details.USERNAME, "invalid")
.removeDetail(Details.CODE_ID) .removeDetail(Details.CODE_ID)
.removeDetail(Details.REDIRECT_URI) .removeDetail(Details.REDIRECT_URI)
.removeDetail(Details.CONSENT)
.error(Errors.INVALID_USER_CREDENTIALS) .error(Errors.INVALID_USER_CREDENTIALS)
.assertEvent(); .assertEvent();
} }