[KEYCLOAK-18473] Add max length to password policy

2021-06-17 17:06:06 +02:00 · 2021-06-17 17:06:06 +02:00 · b8452374d2
commit b8452374d2
parent bfb134a6ce
8 changed files with 178 additions and 6 deletions
--- a/server-spi-private/src/main/java/org/keycloak/policy/MaximumLengthPasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/MaximumLengthPasswordPolicyProvider.java
@ -0,0 +1,56 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.policy;
+
+import org.keycloak.models.KeycloakContext;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+
+/**
+ *
+ * @author rmartinc
+ */
+public class MaximumLengthPasswordPolicyProvider implements PasswordPolicyProvider {
+
+    private static final String ERROR_MESSAGE = "invalidPasswordMaxLengthMessage";
+
+    private final KeycloakContext context;
+
+    public MaximumLengthPasswordPolicyProvider(KeycloakContext context) {
+        this.context = context;
+    }
+
+    @Override
+    public PolicyError validate(String username, String password) {
+        int max = context.getRealm().getPasswordPolicy().getPolicyConfig(MaximumLengthPasswordPolicyProviderFactory.ID);
+        return password.length() > max ? new PolicyError(ERROR_MESSAGE, max) : null;
+    }
+
+    @Override
+    public PolicyError validate(RealmModel realm, UserModel user, String password) {
+        return validate(user.getUsername(), password);
+    }
+
+    @Override
+    public Object parseConfig(String value) {
+        return parseInteger(value, MaximumLengthPasswordPolicyProviderFactory.DEFAULT_MAX_LENGTH);
+    }
+
+    @Override
+    public void close() {
+    }
+}
--- a/server-spi-private/src/main/java/org/keycloak/policy/MaximumLengthPasswordPolicyProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/MaximumLengthPasswordPolicyProviderFactory.java
@ -0,0 +1,73 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.policy;
+
+import org.keycloak.Config;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+
+/**
+ * @author rmartinc
+ */
+public class MaximumLengthPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {
+
+    public static final String ID = "maxLength";
+
+    public static final int DEFAULT_MAX_LENGTH = 64;
+
+    @Override
+    public String getId() {
+        return ID;
+    }
+
+    @Override
+    public PasswordPolicyProvider create(KeycloakSession session) {
+        return new MaximumLengthPasswordPolicyProvider(session.getContext());
+    }
+
+    @Override
+    public void init(Config.Scope config) {
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+    }
+
+    @Override
+    public String getDisplayName() {
+        return "Maximum Length";
+    }
+
+    @Override
+    public String getConfigType() {
+        return PasswordPolicyProvider.INT_CONFIG_TYPE;
+    }
+
+    @Override
+    public String getDefaultConfigValue() {
+        return Integer.toString(DEFAULT_MAX_LENGTH);
+    }
+
+    @Override
+    public boolean isMultiplSupported() {
+        return false;
+    }
+
+    @Override
+    public void close() {
+    }
+}
--- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory
+++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory
@ -22,6 +22,7 @@ org.keycloak.policy.HashIterationsPasswordPolicyProviderFactory
 org.keycloak.policy.HistoryPasswordPolicyProviderFactory
 org.keycloak.policy.LengthPasswordPolicyProviderFactory
 org.keycloak.policy.LowerCasePasswordPolicyProviderFactory
+org.keycloak.policy.MaximumLengthPasswordPolicyProviderFactory
 org.keycloak.policy.NotUsernamePasswordPolicyProviderFactory
 org.keycloak.policy.RegexPatternsPasswordPolicyProviderFactory
 org.keycloak.policy.SpecialCharsPasswordPolicyProviderFactory
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/policy/PasswordPolicyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/policy/PasswordPolicyTest.java
@ -23,10 +23,12 @@ import org.keycloak.models.ModelException;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
 import org.keycloak.policy.BlacklistPasswordPolicyProvider;
+import org.keycloak.policy.MaximumLengthPasswordPolicyProviderFactory;
 import org.keycloak.policy.PasswordPolicyManagerProvider;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
+import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import org.keycloak.testsuite.util.ContainerAssume;
 import org.keycloak.testsuite.util.RealmBuilder;

@ -37,7 +39,6 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -65,6 +66,30 @@ public class PasswordPolicyTest extends AbstractKeycloakTest {
        });
    }

+    @Test
+    public void testMaximumLength() {
+        testingClient.server("passwordPolicy").run(session -> {
+            RealmModel realmModel = session.getContext().getRealm();
+            PasswordPolicyManagerProvider policyManager = session.getProvider(PasswordPolicyManagerProvider.class);
+
+            realmModel.setPasswordPolicy(PasswordPolicy.parse(session, "maxLength"));
+
+            Assert.assertEquals("invalidPasswordMaxLengthMessage",
+                    policyManager.validate("jdoe", "12345678901234567890123456789012345678901234567890123456789012345").getMessage());
+            Assert.assertArrayEquals(new Object[]{MaximumLengthPasswordPolicyProviderFactory.DEFAULT_MAX_LENGTH},
+                    policyManager.validate("jdoe", "12345678901234567890123456789012345678901234567890123456789012345").getParameters());
+            assertNull(policyManager.validate("jdoe", "1234567890123456789012345678901234567890123456789012345678901234"));
+
+            realmModel.setPasswordPolicy(PasswordPolicy.parse(session, "maxLength(24)"));
+
+            Assert.assertEquals("invalidPasswordMaxLengthMessage",
+                    policyManager.validate("jdoe", "1234567890123456789012345").getMessage());
+            Assert.assertArrayEquals(new Object[]{24},
+                    policyManager.validate("jdoe", "1234567890123456789012345").getParameters());
+            assertNull(policyManager.validate("jdoe", "123456789012345678901234"));
+        });
+    }
+
    @Test
    public void testDigits() {
        testingClient.server("passwordPolicy").run(session -> {
@ -240,13 +265,14 @@ public class PasswordPolicyTest extends AbstractKeycloakTest {
            RealmModel realmModel = session.getContext().getRealm();
            PasswordPolicyManagerProvider policyManager = session.getProvider(PasswordPolicyManagerProvider.class);

-            realmModel.setPasswordPolicy(PasswordPolicy.parse(session, "length(8) and digits(2) and lowerCase(2) and upperCase(2) and specialChars(2) and notUsername()"));
+            realmModel.setPasswordPolicy(PasswordPolicy.parse(session, "length(8) and maxLength(32) and digits(2) and lowerCase(2) and upperCase(2) and specialChars(2) and notUsername()"));
            Assert.assertNotNull(policyManager.validate("jdoe", "12aaBB&"));
            Assert.assertNotNull(policyManager.validate("jdoe", "aaaaBB&-"));
            Assert.assertNotNull(policyManager.validate("jdoe", "12AABB&-"));
            Assert.assertNotNull(policyManager.validate("jdoe", "12aabb&-"));
            Assert.assertNotNull(policyManager.validate("jdoe", "12aaBBcc"));
            Assert.assertNotNull(policyManager.validate("12aaBB&-", "12aaBB&-"));
+            Assert.assertNotNull(policyManager.validate("jdoe", "12aaBB&-12aaBB&-12aaBB&-12aaBB&-1"));

            assertNull(policyManager.validate("jdoe", "12aaBB&-"));
        });
--- a/testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authentication/PasswordPolicyTest.java
+++ b/testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authentication/PasswordPolicyTest.java
@ -19,7 +19,6 @@ package org.keycloak.testsuite.console.authentication;

 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.console.AbstractConsoleTest;
@ -81,6 +80,20 @@ public class PasswordPolicyTest extends AbstractConsoleTest {
        assertAlertSuccess();
    }

+    @Test
+    public void testMaximumLengthPolicy() {
+        RealmRepresentation realm = testRealmResource().toRepresentation();
+        realm.setPasswordPolicy("maxLength(32) and ");
+        testRealmResource().update(realm);
+
+        testUserCredentialsPage.navigateTo();
+        testUserCredentialsPage.resetPassword("123456789012345678901234567890123");
+        assertAlertDanger();
+
+        testUserCredentialsPage.resetPassword("12345678901234567890123456789012");
+        assertAlertSuccess();
+    }
+
    @Test
    public void testDigitsPolicy() {
        RealmRepresentation realm = testRealmResource().toRepresentation();
--- a/themes/src/main/resources/theme/base/account/messages/messages_en.properties
+++ b/themes/src/main/resources/theme/base/account/messages/messages_en.properties
@ -209,6 +209,7 @@ accountDisabledMessage=Account is disabled, contact your administrator.

 accountTemporarilyDisabledMessage=Account is temporarily disabled, contact your administrator or try again later.
 invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
+invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}.
 invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters.
 invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.
 invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters.
@ -386,4 +387,4 @@ error-pattern-no-match=Invalid value.
 error-invalid-uri=Invalid URL.
 error-invalid-uri-scheme=Invalid URL scheme.
 error-invalid-uri-fragment=Invalid URL fragment.
-error-user-attribute-required=Please specify attribute {0}.
+error-user-attribute-required=Please specify attribute {0}.
--- a/themes/src/main/resources/theme/base/admin/messages/messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/messages_en.properties
@ -1,4 +1,5 @@
 invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
+invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}.
 invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters.
 invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.
 invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters.
@ -54,4 +55,4 @@ error-invalid-uri-fragment=Invalid URL fragment.
 error-user-attribute-required=Please specify attribute {0}.
 error-invalid-date=Invalid date.

-error-user-attribute-read-only=Attribute {0} is read only.
+error-user-attribute-read-only=Attribute {0} is read only.
--- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties
+++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties
@ -259,6 +259,7 @@ delegationFailedMessage=You may close this browser window and go back to your co
 noAccessMessage=No access

 invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
+invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}.
 invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.
 invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters.
 invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters.
@ -426,4 +427,4 @@ loggingOutImmediately=Logging you out immediately
 accountUnusable=Any subsequent use of the application will not be possible with this account
 userDeletedSuccessfully=User deleted successfully

-access-denied=Access denied
+access-denied=Access denied