fixes

services/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java

@@ -64,7 +64,7 @@ public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory,
 
     @Override
     public boolean policyCheck(PasswordPolicy policy, CredentialModel credential) {
-        return credential.getHashIterations() == policy.getHashIterations() && PBKDF2_ALGORITHM.equals(credential.getAlgorithm());
+        return credential.getHashIterations() == policy.getHashIterations() && ID.equals(credential.getAlgorithm());
     }
 
     @Override

services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java

@@ -53,19 +53,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
     protected LinkedBlockingQueue<LoginEvent> queue = new LinkedBlockingQueue<LoginEvent>();
     public static final int TRANSACTION_SIZE = 20;
 
-    public static volatile int markNotBefore = -1;
-    public static volatile int markCheck = -1;
-    public static volatile int testCount = 0;
-    public static volatile int clearCount = 0;
-    public static volatile int nullFailureCount = 0;
-    public static volatile int logFailureCalled = 0;
-    public static volatile int logFailure = 0;
-    public static volatile int didntWait = 0;
-    public static volatile int exception = 0;
-    public static volatile Exception exceptionObject = null;
-    public static volatile String notFoundUserId = null;
-
-
     protected abstract class LoginEvent implements Comparable<LoginEvent> {
         protected final String realmId;
         protected final String userId;
@@ -103,7 +90,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
 
     public void failure(KeycloakSession session, LoginEvent event) {
         logger.debug("failure");
-        logFailureCalled++;
         RealmModel realm = getRealmModel(session, event);
         logFailure(event);
 
@@ -111,7 +97,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
         UserModel user = session.users().getUserById(userId, realm);
         UserLoginFailureModel userLoginFailure = getUserModel(session, event);
         if (user != null) {
-            logFailure++;
             if (userLoginFailure == null) {
                 userLoginFailure = session.sessions().addUserLoginFailure(realm, userId);
             }
@@ -126,7 +111,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
             if (deltaTime > 0) {
                 // if last failure was more than MAX_DELTA clear failures
                 if (deltaTime > (long) realm.getMaxDeltaTimeSeconds() * 1000L) {
-                    clearCount++;
                     userLoginFailure.clearFailures();
                 }
             }
@@ -147,12 +131,8 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
                 waitSeconds = Math.min(realm.getMaxFailureWaitSeconds(), waitSeconds);
                 int notBefore = (int) (currentTime / 1000) + waitSeconds;
                 logger.debugv("set notBefore: {0}", notBefore);
-                markNotBefore = notBefore;
                 userLoginFailure.setFailedLoginNotBefore(notBefore);
             }
-        } else {
-            notFoundUserId = event.userId;
-
         }
     }
 
@@ -210,8 +190,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
                             }
                             session.getTransactionManager().commit();
                         } catch (Exception e) {
-                            exception++;
-                            exceptionObject = e;
                             session.getTransactionManager().rollback();
                             throw e;
                         } finally {
@@ -258,13 +236,8 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
             // wait a minimum of seconds for type to process so that a hacker
             // cannot flood with failed logins and overwhelm the queue and not have notBefore updated to block next requests
             // todo failure HTTP responses should be queued via async HTTP
-            boolean awaited =
             event.latch.await(5, TimeUnit.SECONDS);
-            if (!awaited) {
-                    didntWait++;
-            }
         } catch (InterruptedException e) {
-            didntWait++;
         }
         logger.trace("sent failure event");
     }
@@ -274,19 +247,12 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
         UserLoginFailureModel failure = session.sessions().getUserLoginFailure(realm, user.getId());
 
         if (failure != null) {
-            int currTime = markCheck = (int) (Time.currentTimeMillis() / 1000);
+            int currTime = (int) (Time.currentTimeMillis() / 1000);
             int failedLoginNotBefore = failure.getFailedLoginNotBefore();
-            testCount++;
             if (currTime < failedLoginNotBefore) {
                 logger.debugv("Current: {0} notBefore: {1}", currTime, failedLoginNotBefore);
                 return true;
-            } else if (failedLoginNotBefore > 0){
-                logger.debugv("failedLoginNotBefore > 0 Current: {0} notBefore: {1}", currTime, failedLoginNotBefore);
             }
-        } else {
-            logger.debugv("failure was null");
-            nullFailureCount++;
-
         }
 
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java

@@ -173,7 +173,6 @@ public class BruteForceTest extends TestRealmKeycloakTest {
 
     @Test
     public void testGrantInvalidOtp() throws Exception {
-        clearVariables();
         {
             String totpSecret = totp.generateTOTP("totpSecret");
             OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
@@ -215,40 +214,14 @@ public class BruteForceTest extends TestRealmKeycloakTest {
 
     }
 
-    public void clearVariables() {
-        DefaultBruteForceProtector.testCount = 0;
-        DefaultBruteForceProtector.markNotBefore = -1;
-        DefaultBruteForceProtector.markCheck = -1;
-        DefaultBruteForceProtector.testCount = 0;
-        DefaultBruteForceProtector.clearCount = 0;
-        DefaultBruteForceProtector.logFailure = 0;
-        DefaultBruteForceProtector.logFailureCalled = 0;
-        DefaultBruteForceProtector.didntWait = 0;
-        DefaultBruteForceProtector.nullFailureCount = 0;
-        DefaultBruteForceProtector.notFoundUserId = null;
-    }
-
     public void assertTokenNull(OAuthClient.AccessTokenResponse response) {
-        if (response.getAccessToken() != null) {
+        Assert.assertNull(response.getAccessToken());
-            if (DefaultBruteForceProtector.exceptionObject != null) {
-                DefaultBruteForceProtector.exceptionObject.printStackTrace();
-            }
-        }
-        Assert.assertNull("was mark set: " + DefaultBruteForceProtector.markNotBefore + " time test: " + DefaultBruteForceProtector.markCheck
-                        + " test count " + DefaultBruteForceProtector.testCount
-                        + " nullFailure: " + DefaultBruteForceProtector.nullFailureCount
-                        + " logFailureCalled: " + DefaultBruteForceProtector.logFailureCalled
-                        + " logFailure: " + DefaultBruteForceProtector.logFailure
-                        + " notFoundUserId: " + DefaultBruteForceProtector.notFoundUserId
-                        + " exception: " + DefaultBruteForceProtector.exception
-                , response.getAccessToken());
     }
 
 
 
     @Test
     public void testGrantMissingOtp() throws Exception {
-        clearVariables();
         {
             String totpSecret = totp.generateTOTP("totpSecret");
             OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);