From d9d41b1a094caacc69c147175b5e943ac7f63060 Mon Sep 17 00:00:00 2001
From: Douglas Palmer
Date: Wed, 31 Jan 2024 11:50:51 -0800
Subject: [PATCH] Brute Force Detection is disabled when updating frontenUrl via admin client

Closes #21409

Signed-off-by: Douglas Palmer
---
 .../datastore/DefaultExportImportManager.java | 2 +
 .../testsuite/admin/realm/RealmTest.java | 51 +++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java b/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java
index 3047caa931..a86a4ba76b 100644
--- a/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java
+++ b/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultExportImportManager.java
@@ -59,6 +59,7 @@ import org.keycloak.models.utils.DefaultAuthenticationFlows;
 import org.keycloak.models.utils.DefaultKeyProviders;
 import org.keycloak.models.utils.DefaultRequiredActions;
 import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.models.utils.RepresentationToModel;
 import org.keycloak.partialimport.PartialImportResults;
 import org.keycloak.protocol.oidc.OIDCConfigAttributes;
@@ -714,6 +715,7 @@ public class DefaultExportImportManager implements ExportImportManager {
 if (rep.getAttributes() != null) {
 Set attrsToRemove = new HashSet<>(realm.getAttributes().keySet());
 attrsToRemove.removeAll(rep.getAttributes().keySet());
+ attrsToRemove.removeAll(ModelToRepresentation.REALM_EXCLUDED_ATTRIBUTES);
 for (Map.Entry entry : rep.getAttributes().entrySet()) {
 realm.setAttribute(entry.getKey(), entry.getValue());
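Review bot: The added `attrsToRemove.removeAll(ModelToRepresentation.REALM_EXCLUDED_ATTRIBUTES);` is the entire fix, yet nothing in the hunk says why those keys must be spared, so the next reader will take it for an arbitrary allow-list and may "simplify" it away. Suggest placing the comment `// keys the representation exposes as dedicated fields (the brute-force settings among them, per the commit title and the new test) never appear in rep.getAttributes(), so their absence is not a removal request` directly above the new line. The loop that follows still writes every entry the client sends, including keys in the excluded set, so presumably those values remain settable through the attributes map as well; if that is intended, say so in the same comment, and if not, the loop needs the same filter. The enclosing method starts and ends outside the hunk, and the hunk appears to have lost its final context line (the header promises six, five are visible).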
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
index 0810cc1094..c8cab1fb3f 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
@@ -263,6 +263,57 @@ public class RealmTest extends AbstractAdminTest {
 assertThat(attributesKeys, CoreMatchers.is(expectedAttributes));
 }
 
+ /**
+ * Checks attributes exposed as fields are not deleted on update realm
+ */
+ @Test
+ public void testFieldNotErased() {
+ Long dummyLong = Long.valueOf(999);
+ Integer dummyInt = Integer.valueOf(999);
+
+ RealmRepresentation rep = new RealmRepresentation();
+ rep.setRealm("attributes");
+ rep.setDisplayName("DISPLAY_NAME");
+ rep.setDisplayNameHtml("DISPLAY_NAME_HTML");
+ rep.setDefaultSignatureAlgorithm("HS256");
+ rep.setBruteForceProtected(true);
+ rep.setPermanentLockout(true);
+ rep.setMaxFailureWaitSeconds(dummyInt);
+ rep.setWaitIncrementSeconds(dummyInt);
+ rep.setQuickLoginCheckMilliSeconds(dummyLong);
+ rep.setMinimumQuickLoginWaitSeconds(dummyInt);
+ rep.setMaxDeltaTimeSeconds(dummyInt);
+ rep.setFailureFactor(dummyInt);
+ rep.setActionTokenGeneratedByAdminLifespan(dummyInt);
+ rep.setActionTokenGeneratedByUserLifespan(dummyInt);
+ rep.setOfflineSessionMaxLifespanEnabled(true);
+ rep.setOfflineSessionMaxLifespan(dummyInt);
+
+ adminClient.realms().create(rep);
+ getCleanup().addCleanup(() -> adminClient.realms().realm("attributes").remove());
+
+ RealmRepresentation rep2 = new RealmRepresentation();
+ rep2.setAttributes(Collections.singletonMap("frontendUrl", "http://localhost/frontEnd"));
+ adminClient.realm("attributes").update(rep2);
+
+ rep = adminClient.realm("attributes").toRepresentation();
+ assertEquals("DISPLAY_NAME", rep.getDisplayName());
+ assertEquals("DISPLAY_NAME_HTML", rep.getDisplayNameHtml());
+ assertEquals("HS256", rep.getDefaultSignatureAlgorithm());
+ assertTrue(rep.isBruteForceProtected());
+ assertTrue(rep.isPermanentLockout());
+ assertEquals(dummyInt, rep.getMaxFailureWaitSeconds());
+ assertEquals(dummyInt, rep.getWaitIncrementSeconds());
+ assertEquals(dummyLong, rep.getQuickLoginCheckMilliSeconds());
+ assertEquals(dummyInt, rep.getMinimumQuickLoginWaitSeconds());
+ assertEquals(dummyInt, rep.getMaxDeltaTimeSeconds());
+ assertEquals(dummyInt, rep.getFailureFactor());
+ assertEquals(dummyInt, rep.getActionTokenGeneratedByAdminLifespan());
+ assertEquals(dummyInt, rep.getActionTokenGeneratedByUserLifespan());
+ assertTrue(rep.getOfflineSessionMaxLifespanEnabled());
+ assertEquals(dummyInt, rep.getOfflineSessionMaxLifespan());
+ }
+
 @Test
 public void smtpPasswordSecret() {
 RealmRepresentation rep = RealmBuilder.create().testEventListener().testMail().build();
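Review bot: testFieldNotErased never verifies that the update it issues took effect, so a regression that turns `adminClient.realm("attributes").update(rep2)` into a no-op would still pass every assertion here; after `rep = adminClient.realm("attributes").toRepresentation();` add `assertEquals("http://localhost/frontEnd", rep.getAttributes().get("frontendUrl"));`. It also does not cover the behaviour the new exclusion must not break, namely that an ordinary attribute omitted from rep2 is still removed; creating the realm with one plain attribute (a constructed key such as `"testAttr"`) and asserting it is absent afterwards would pin that. As a point of style, `Long.valueOf(999)` and `Integer.valueOf(999)` can be written as the literals `999L` and `999` since the assertions already compare boxed values. The Javadoc should also name the regression it guards, e.g. `Regression test for #21409: updating only the attributes map must not wipe realm settings stored as excluded attributes (brute-force protection among them).`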