From af892d469cdcabefff8f09ea5cd7cd60dab6c8f1 Mon Sep 17 00:00:00 2001
From: Thomas Darimont <thomas.darimont@googlemail.com>
Date: Sun, 22 Aug 2021 22:47:03 +0200
Subject: [PATCH] KEYCLOAK-18880 TimeBasedOTP should use look-around to
 mitigate clock skew

Add test case
---
 .../java/org/keycloak/models/TotpTest.java    | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 server-spi-private/src/test/java/org/keycloak/models/TotpTest.java

diff --git a/server-spi-private/src/test/java/org/keycloak/models/TotpTest.java b/server-spi-private/src/test/java/org/keycloak/models/TotpTest.java
new file mode 100644
index 0000000000..a7cd0ba886
--- /dev/null
+++ b/server-spi-private/src/test/java/org/keycloak/models/TotpTest.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.models;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.keycloak.models.utils.TimeBasedOTP;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Calendar;
+
+public class TotpTest {
+
+    @Test
+    public void testTotp() {
+
+        TimeBasedOTP totp = new TimeBasedOTP("HmacSHA1", 8, 30, 1);
+        String secret = "dSdmuHLQhkm54oIm0A0S";
+        String otp = totp.generateTOTP(secret);
+
+        Assert.assertTrue(totp.validateTOTP(otp, secret.getBytes(StandardCharsets.UTF_8)));
+    }
+
+    /**
+     * KEYCLOAK-18880
+     */
+    @Test
+    public void testTotpLookAround() {
+
+        int lookAroundWindow = 2;
+        TimeBasedOTP totp = new TimeBasedOTP("HmacSHA1", 8, 60, lookAroundWindow);
+        String secret = "dSdmuHLQhkm54oIm0A0S";
+        String otp = totp.generateTOTP(secret);
+
+        for (int i = -lookAroundWindow; i <= lookAroundWindow; i++) {
+
+            Calendar calendar = Calendar.getInstance();
+            calendar.add(Calendar.MINUTE, i);
+            totp.setCalendar(calendar);
+
+            Assert.assertTrue("Should accept code with skew offset " + i,totp.validateTOTP(otp, secret.getBytes(StandardCharsets.UTF_8)));
+        }
+    }
+}