KEYCLOAK-6043 Use same urls for get and posts in account

This commit is contained in:
stianst 2017-12-14 15:52:37 +01:00 committed by Stian Thorgersen
parent 1a541889f4
commit a8943fb323
7 changed files with 45 additions and 78 deletions


@ -70,18 +70,6 @@ public class UrlBean {
return Urls.accountSessionsPage(baseQueryURI, realm).toString();
}
public String getSessionsLogoutUrl() {
return Urls.accountSessionsLogoutPage(baseQueryURI, realm).toString();
}
public String getRevokeClientUrl() {
return Urls.accountRevokeClientPage(baseQueryURI, realm).toString();
}
public String getTotpRemoveUrl() {
return Urls.accountTotpRemove(baseQueryURI, realm).toString();
}
public String getLogoutUrl() {
return Urls.accountLogout(baseQueryURI, currentURI, realm).toString();
}


@ -131,11 +131,6 @@ public class Urls {
return accountBase(baseUri).path(AccountFormService.class, "totpPage").build(realmName);
}
public static URI accountTotpRemove(URI baseUri, String realmName) {
return accountBase(baseUri).path(AccountFormService.class, "processTotpRemove")
.build(realmName);
}
public static URI accountLogPage(URI baseUri, String realmName) {
return accountBase(baseUri).path(AccountFormService.class, "logPage").build(realmName);
}
@ -144,16 +139,6 @@ public class Urls {
return accountBase(baseUri).path(AccountFormService.class, "sessionsPage").build(realmName);
}
public static URI accountSessionsLogoutPage(URI baseUri, String realmName) {
return accountBase(baseUri).path(AccountFormService.class, "processSessionsLogout")
.build(realmName);
}
public static URI accountRevokeClientPage(URI baseUri, String realmName) {
return accountBase(baseUri).path(AccountFormService.class, "processRevokeGrant")
.build(realmName);
}
public static URI accountLogout(URI baseUri, URI redirectUri, String realmName) {
return realmLogout(baseUri).queryParam("redirect_uri", redirectUri).build(realmName);
}


@ -349,28 +349,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
}
}
@Path("totp-remove")
@POST
public Response processTotpRemove(final MultivaluedMap<String, String> formData) {
if (auth == null) {
return login("totp");
}
auth.require(AccountRoles.MANAGE_ACCOUNT);
csrfCheck(formData);
UserModel user = auth.getUser();
session.userCredentialManager().disableCredentialType(realm, user, CredentialModel.OTP);
event.event(EventType.REMOVE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
setReferrerOnPage();
return account.setSuccess(Messages.SUCCESS_TOTP_REMOVED).createResponse(AccountPages.TOTP);
}
@Path("sessions-logout")
@Path("sessions")
@POST
public Response processSessionsLogout(final MultivaluedMap<String, String> formData) {
if (auth == null) {
@ -401,7 +380,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
return Response.seeOther(location).build();
}
@Path("revoke-grant")
@Path("applications")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response processRevokeGrant(final MultivaluedMap<String, String> formData) {
@ -473,32 +452,41 @@ public class AccountFormService extends AbstractSecuredLocalService {
UserModel user = auth.getUser();
String totp = formData.getFirst("totp");
String totpSecret = formData.getFirst("totpSecret");
if (action != null && action.equals("Delete")) {
session.userCredentialManager().disableCredentialType(realm, user, CredentialModel.OTP);
event.event(EventType.REMOVE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
if (Validation.isBlank(totp)) {
setReferrerOnPage();
return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_TOTP).createResponse(AccountPages.TOTP);
} else if (!CredentialValidation.validOTP(realm, totp, totpSecret)) {
return account.setSuccess(Messages.SUCCESS_TOTP_REMOVED).createResponse(AccountPages.TOTP);
} else {
String totp = formData.getFirst("totp");
String totpSecret = formData.getFirst("totpSecret");
if (Validation.isBlank(totp)) {
setReferrerOnPage();
return account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_TOTP).createResponse(AccountPages.TOTP);
} else if (!CredentialValidation.validOTP(realm, totp, totpSecret)) {
setReferrerOnPage();
return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_TOTP).createResponse(AccountPages.TOTP);
}
UserCredentialModel credentials = new UserCredentialModel();
credentials.setType(realm.getOTPPolicy().getType());
credentials.setValue(totpSecret);
session.userCredentialManager().updateCredential(realm, user, credentials);
// to update counter
UserCredentialModel cred = new UserCredentialModel();
cred.setType(realm.getOTPPolicy().getType());
cred.setValue(totp);
session.userCredentialManager().isValid(realm, user, cred);
event.event(EventType.UPDATE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
setReferrerOnPage();
return account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_TOTP).createResponse(AccountPages.TOTP);
return account.setSuccess(Messages.SUCCESS_TOTP).createResponse(AccountPages.TOTP);
}
UserCredentialModel credentials = new UserCredentialModel();
credentials.setType(realm.getOTPPolicy().getType());
credentials.setValue(totpSecret);
session.userCredentialManager().updateCredential(realm, user, credentials);
// to update counter
UserCredentialModel cred = new UserCredentialModel();
cred.setType(realm.getOTPPolicy().getType());
cred.setValue(totp);
session.userCredentialManager().isValid(realm, user, cred);
event.event(EventType.UPDATE_TOTP).client(auth.getClient()).user(auth.getUser()).success();
setReferrerOnPage();
return account.setSuccess(Messages.SUCCESS_TOTP).createResponse(AccountPages.TOTP);
}
/**
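Review bot: The new `Delete` branch in the TOTP handler (L90-L92) is now reached through the same POST as configuring TOTP, but the two checks the removed `processTotpRemove` performed, `auth.require(AccountRoles.MANAGE_ACCOUNT)` and `csrfCheck(formData)`, are not visible in this hunk; the method's opening, where `action` is read and those checks presumably run, lies above the hunk, so confirm both precede the dispatch on `action`, since a missing `csrfCheck` on this path would let a cross-site form post disable a user's second factor. The null-guarded comparison would read more idiomatically as `if ("Delete".equals(action))`. Note the removal branch still disables OTP without asking for a current code, which matches the old endpoint rather than being introduced here. The enclosing method starts before the hunk.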


@ -68,6 +68,7 @@ import java.util.Map;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.hasItems;
import static org.junit.Assert.assertFalse;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -215,7 +216,7 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
driver.navigate().to(profilePage.getPath() + "?referrer=test-app&referrer_uri=http://localhost:8180/auth/realms/master/app/auth/test%2Ffkrenu%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E");
Assert.assertTrue(profilePage.isCurrent());
Assert.assertFalse(driver.getPageSource().contains("<script>alert"));
assertFalse(driver.getPageSource().contains("<script>alert"));
}
@Test
@ -567,7 +568,7 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
profilePage.open();
loginPage.login("test-user@localhost", "password");
Assert.assertFalse(driver.findElements(By.id("username")).size() > 0);
assertFalse(driver.findElements(By.id("username")).size() > 0);
// Revert
setRegistrationEmailAsUsername(false);
@ -767,7 +768,7 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
Assert.assertTrue(totpPage.isCurrent());
Assert.assertFalse(driver.getPageSource().contains("Remove Google"));
assertFalse(driver.getPageSource().contains("Remove Google"));
// Error with false code
totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret() + "123"));
@ -785,6 +786,10 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
totpPage.removeTotp();
events.expectAccount(EventType.REMOVE_TOTP).assertEvent();
accountPage.logOut();
assertFalse(errorPage.isCurrent());
}
@Test
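Review bot: The hunk swaps `Assert.assertFalse` for the statically imported `assertFalse` (L150, L157, L163) but leaves the neighbouring `Assert.assertTrue` calls (L148, L161) qualified, so the file now mixes both styles; either add `import static org.junit.Assert.assertTrue;` and drop the prefix everywhere, or keep `Assert.` throughout. The new `assertFalse(errorPage.isCurrent())` at L170 only checks that the logout after removal did not land on the error page; if the intent is to cover the removed `totp-remove` endpoint, an assertion right after `totpPage.removeTotp()` that the TOTP page is shown again would pin that more directly. The enclosing test method starts before the hunk.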


@ -7,7 +7,7 @@
</div>
</div>
<form action="${url.revokeClientUrl}" method="post">
<form action="${url.applicationsUrl}" method="post">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
<input type="hidden" id="referrer" name="referrer" value="${stateChecker}">
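Review bot: The hidden `referrer` input directly under the rewired form action (L182) is populated with `${stateChecker}`, the same value as the CSRF `stateChecker` field on L181, which looks like a copy-paste slip; it predates this commit but sits in the form whose action the commit changes. If the server reads `referrer` from this POST, the CSRF token is being submitted as a referrer and the redirect-back value is wrong, so the field should presumably carry the actual referrer or be dropped. The action change itself looks consistent with the matching `@Path("applications")` POST handler.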


@ -36,7 +36,7 @@
</table>
<form action="${url.sessionsLogoutUrl}" method="post">
<form action="${url.sessionsUrl}" method="post">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
<button id="logout-all-sessions" class="btn btn-default">${msg("doLogOutAllSessions")}</button>
</form>


@ -14,8 +14,9 @@
<tr>
<td class="provider">${msg("mobile")}</td>
<td class="action">
<form action="${url.totpRemoveUrl}" method="post" class="form-inline">
<form action="${url.totpUrl}" method="post" class="form-inline">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
<input type="hidden" id="submitAction" name="submitAction" value="Delete">
<button id="remove-mobile" class="btn btn-default"><i class="pficon pficon-delete"></i></button>
</form>
</td>
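Review bot: The added `submitAction` hidden input (L203) is now the only thing that distinguishes this remove-OTP POST from the configure-OTP POST, since both target `${url.totpUrl}`, and nothing in the template records that coupling; a comment beside it, `<#-- submitAction=Delete selects the remove-OTP branch of the shared totp POST handler -->`, would keep it visible to whoever edits either side. The literal has to stay in sync with the `"Delete"` compared in AccountFormService, which presumably reads this field as `action`.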