libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

move credential validation to UserProvider

Browse source
This commit is contained in:
Bill Burke 2014-07-16 12:05:15 -04:00
parent a5593469ae
commit f342a8c7a3
18 changed files with 211 additions and 131 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
authentication/authentication-model/src/main/java/org/keycloak/authentication/model/AbstractModelAuthenticationProvider.java
View file

@ -52,7 +52,7 @@ public abstract class AbstractModelAuthenticationProvider implements Authenticat
RealmModel realm = getRealm(currentRealm, config);
UserModel user = KeycloakModelUtils.findUserByNameOrEmail(keycloakSession, realm, username);
boolean result = realm.validatePassword(user, password);
boolean result = keycloakSession.users().validCredentials(realm, user, UserCredentialModel.password(password));
return result ? AuthProviderStatus.SUCCESS : AuthProviderStatus.INVALID_CREDENTIALS;
}

53
model/api/src/main/java/org/keycloak/models/CredentialValidation.java
View file

@ -1,53 +0,0 @@
package org.keycloak.models;
import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class CredentialValidation {
private static int hashIterations(RealmModel realm) {
PasswordPolicy policy = realm.getPasswordPolicy();
if (policy != null) {
return policy.getHashIterations();
}
return -1;
}
/**
* Will update password if hash iteration policy has changed
*
* @param realm
* @param user
* @param password
* @return
*/
public static boolean validatePassword(RealmModel realm, UserModel user, String password) {
boolean validated = false;
UserCredentialValueModel passwordCred = null;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
validated = new Pbkdf2PasswordEncoder(cred.getSalt()).verify(password, cred.getValue(), cred.getHashIterations());
passwordCred = cred;
}
}
if (validated) {
int iterations = hashIterations(realm);
if (iterations > -1 && iterations != passwordCred.getHashIterations()) {
UserCredentialValueModel newCred = new UserCredentialValueModel();
newCred.setType(passwordCred.getType());
newCred.setDevice(passwordCred.getDevice());
newCred.setSalt(passwordCred.getSalt());
newCred.setHashIterations(iterations);
newCred.setValue(new Pbkdf2PasswordEncoder(newCred.getSalt()).encode(password, iterations));
user.updateCredentialDirectly(newCred);
}
}
return validated;
}
}

4
model/api/src/main/java/org/keycloak/models/RealmModel.java
View file

@ -106,10 +106,6 @@ public interface RealmModel extends RoleContainerModel {
void setPasswordPolicy(PasswordPolicy policy);
boolean validatePassword(UserModel user, String password);
boolean validateTOTP(UserModel user, String password, String token);
RoleModel getRoleById(String id);
List<String> getDefaultRoles();

7
model/api/src/main/java/org/keycloak/models/UserCredentialModel.java
View file

@ -35,6 +35,13 @@ public class UserCredentialModel {
return model;
}
public static UserCredentialModel totp(String key) {
UserCredentialModel model = new UserCredentialModel();
model.setType(TOTP);
model.setValue(key);
return model;
}
public static UserCredentialModel generateSecret() {
UserCredentialModel model = new UserCredentialModel();
model.setType(SECRET);

3
model/api/src/main/java/org/keycloak/models/UserProvider.java
View file

@ -33,6 +33,7 @@ public interface UserProvider extends Provider {
void preRemove(RealmModel realm);
void preRemove(RoleModel role);
boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input);
boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input);
void close();
}

130
model/api/src/main/java/org/keycloak/models/utils/CredentialValidation.java Executable file
View file

@ -0,0 +1,130 @@
package org.keycloak.models.utils;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import java.util.List;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class CredentialValidation {
private static int hashIterations(RealmModel realm) {
PasswordPolicy policy = realm.getPasswordPolicy();
if (policy != null) {
return policy.getHashIterations();
}
return -1;
}
/**
* Will update password if hash iteration policy has changed
*
* @param realm
* @param user
* @param password
* @return
*/
public static boolean validPassword(RealmModel realm, UserModel user, String password) {
boolean validated = false;
UserCredentialValueModel passwordCred = null;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
validated = new Pbkdf2PasswordEncoder(cred.getSalt()).verify(password, cred.getValue(), cred.getHashIterations());
passwordCred = cred;
}
}
if (validated) {
int iterations = hashIterations(realm);
if (iterations > -1 && iterations != passwordCred.getHashIterations()) {
UserCredentialValueModel newCred = new UserCredentialValueModel();
newCred.setType(passwordCred.getType());
newCred.setDevice(passwordCred.getDevice());
newCred.setSalt(passwordCred.getSalt());
newCred.setHashIterations(iterations);
newCred.setValue(new Pbkdf2PasswordEncoder(newCred.getSalt()).encode(password, iterations));
user.updateCredentialDirectly(newCred);
}
}
return validated;
}
public static boolean validTOTP(RealmModel realm, UserModel user, String otp) {
UserCredentialValueModel passwordCred = null;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
if (new TimeBasedOTP().validate(otp, cred.getValue().getBytes())) {
return true;
}
}
}
return false;
}
public static boolean validSecret(RealmModel realm, UserModel user, String secret) {
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.SECRET)) {
if (cred.getValue().equals(secret)) return true;
}
}
return false;
}
/**
* Must validate all credentials. FYI, password hashes may be rehashed and updated based on realm hash password policies.
*
* @param realm
* @param user
* @param credentials
* @return
*/
public static boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> credentials) {
for (UserCredentialModel credential : credentials) {
if (!validCredential(realm, user, credential)) return false;
}
return true;
}
/**
* Must validate all credentials. FYI, password hashes may be rehashed and updated based on realm hash password policies.
*
* @param realm
* @param user
* @param credentials
* @return
*/
public static boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... credentials) {
for (UserCredentialModel credential : credentials) {
if (!validCredential(realm, user, credential)) return false;
}
return true;
}
private static boolean validCredential(RealmModel realm, UserModel user, UserCredentialModel credential) {
if (credential.getType().equals(UserCredentialModel.PASSWORD)) {
if (!validPassword(realm, user, credential.getValue())) {
return false;
}
} else if (credential.getType().equals(UserCredentialModel.TOTP)) {
if (!validTOTP(realm, user, credential.getValue())) {
return false;
}
} else if (credential.getType().equals(UserCredentialModel.SECRET)) {
if (!validSecret(realm, user, credential.getValue())) {
return false;
}
} else {
return false;
}
return true;
}
}

11
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/DefaultCacheUserProvider.java vendored
View file

@ -5,6 +5,7 @@ import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.cache.entities.CachedUser;
@ -231,6 +232,16 @@ public class DefaultCacheUserProvider implements CacheUserProvider {
return getDelegate().removeSocialLink(realm, user, socialProvider);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
return getDelegate().validCredentials(realm, user, input);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
return getDelegate().validCredentials(realm, user, input);
}
@Override
public void preRemove(RealmModel realm) {
realmInvalidations.add(realm.getId());

15
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/NoCacheUserProvider.java vendored
View file

@ -1,16 +1,13 @@
package org.keycloak.models.cache;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.cache.entities.CachedUser;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@ -114,6 +111,16 @@ public class NoCacheUserProvider implements CacheUserProvider {
return getDelegate().removeSocialLink(realm, user, socialProvider);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
return getDelegate().validCredentials(realm, user, input);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
return getDelegate().validCredentials(realm, user, input);
}
@Override
public void preRemove(RealmModel realm) {
getDelegate().preRemove(realm);

18
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java vendored
View file

@ -3,7 +3,7 @@ package org.keycloak.models.cache;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidation;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
@ -375,22 +375,6 @@ public class RealmAdapter implements RealmModel {
updated.setPasswordPolicy(policy);
}
@Override
public boolean validatePassword(UserModel user, String password) {
return CredentialValidation.validatePassword(this, user, password);
}
@Override
public boolean validateTOTP(UserModel user, String password, String token) {
if (!validatePassword(user, password)) return false;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
}
}
return false;
}
@Override
public RoleModel getRoleById(String id) {
if (updated != null) return updated.getRoleById(id);

11
model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
View file

@ -5,6 +5,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.jpa.entities.RealmEntity;
@ -12,6 +13,7 @@ import org.keycloak.models.jpa.entities.RoleEntity;
import org.keycloak.models.jpa.entities.SocialLinkEntity;
import org.keycloak.models.jpa.entities.UserEntity;
import org.keycloak.models.jpa.entities.UserRoleMappingEntity;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.KeycloakModelUtils;
import javax.persistence.EntityManager;
@ -274,4 +276,13 @@ public class JpaUserProvider implements UserProvider {
return (entity != null) ? new SocialLinkModel(entity.getSocialProvider(), entity.getSocialUserId(), entity.getSocialUsername()) : null;
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
return CredentialValidation.validCredentials(realm, user, input);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
return CredentialValidation.validCredentials(realm, user, input);
}
}

18
model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
View file

@ -3,7 +3,7 @@ package org.keycloak.models.jpa;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidation;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.PasswordPolicy;
@ -795,22 +795,6 @@ public class RealmAdapter implements RealmModel {
return role.getContainer().removeRole(role);
}
@Override
public boolean validatePassword(UserModel user, String password) {
return CredentialValidation.validatePassword(this, user, password);
}
@Override
public boolean validateTOTP(UserModel user, String password, String token) {
if (!validatePassword(user, password)) return false;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
}
}
return false;
}
@Override
public PasswordPolicy getPasswordPolicy() {
if (passwordPolicy == null) {

12
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
View file

@ -9,10 +9,12 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.entities.SocialLinkEntity;
import org.keycloak.models.mongo.keycloak.entities.MongoUserEntity;
import org.keycloak.models.utils.CredentialValidation;
import java.util.ArrayList;
import java.util.Collections;
@ -311,4 +313,14 @@ public class MongoUserProvider implements UserProvider {
public void preRemove(RoleModel role) {
// todo not sure what to do for this
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
return CredentialValidation.validCredentials(realm, user, input);
}
@Override
public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
return CredentialValidation.validCredentials(realm, user, input);
}
}

18
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
View file

@ -7,7 +7,7 @@ import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.AuthenticationProviderModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.CredentialValidation;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.OAuthClientModel;
@ -723,22 +723,6 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
return result;
}
@Override
public boolean validatePassword(UserModel user, String password) {
return CredentialValidation.validatePassword(this, user, password);
}
@Override
public boolean validateTOTP(UserModel user, String password, String token) {
if (!validatePassword(user, password)) return false;
for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
}
}
return false;
}
protected void updateRealm() {
super.updateMongoEntity();
}

8
model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java
View file

@ -15,6 +15,7 @@ import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.services.managers.RealmManager;
@ -129,16 +130,17 @@ public class AdapterTest extends AbstractModelTest {
@Test
public void testCredentialValidation() throws Exception {
test1CreateRealm();
UserModel user = realmManager.getSession().users().addUser(realmModel, "bburke");
UserProvider userProvider = realmManager.getSession().users();
UserModel user = userProvider.addUser(realmModel, "bburke");
UserCredentialModel cred = new UserCredentialModel();
cred.setType(CredentialRepresentation.PASSWORD);
cred.setValue("geheim");
user.updateCredential(cred);
Assert.assertTrue(realmModel.validatePassword(user, "geheim"));
Assert.assertTrue(userProvider.validCredentials(realmModel, user, UserCredentialModel.password("geheim")));
List<UserCredentialValueModel> creds = user.getCredentialsDirectly();
Assert.assertEquals(creds.get(0).getHashIterations(), 1);
realmModel.setPasswordPolicy( new PasswordPolicy("hashIterations(200)"));
Assert.assertTrue(realmModel.validatePassword(user, "geheim"));
Assert.assertTrue(userProvider.validCredentials(realmModel, user, UserCredentialModel.password("geheim")));
creds = user.getCredentialsDirectly();
Assert.assertEquals(creds.get(0).getHashIterations(), 200);
realmModel.setPasswordPolicy( new PasswordPolicy("hashIterations(1)"));

2
model/tests/src/test/java/org/keycloak/model/test/AuthProvidersLDAPTest.java
View file

@ -158,7 +158,7 @@ public class AuthProvidersLDAPTest extends AbstractModelTest {
Assert.assertEquals(AuthenticationManager.AuthenticationStatus.SUCCESS, am.authenticateForm(session, null, realm, formData));
// Password updated just in LDAP, so validating directly in realm should fail
Assert.assertFalse(realm.validatePassword(john, "password-updated"));
Assert.assertFalse(session.users().validCredentials(realm, john, UserCredentialModel.password("password-updated")));
// Switch to not allow updating passwords in ldap
AuthProvidersExternalModelTest.setPasswordUpdateForProvider(false, AuthProviderConstants.PROVIDER_NAME_PICKETLINK, realm);

24
model/tests/src/test/java/org/keycloak/model/test/MultipleRealmsTest.java
View file

@ -9,6 +9,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@ -31,8 +32,9 @@ public class MultipleRealmsTest extends AbstractModelTest {
@Test
public void testUsers() {
UserModel r1user1 = realmManager.getSession().users().getUserByUsername("user1", realm1);
UserModel r2user1 = realmManager.getSession().users().getUserByUsername("user1", realm2);
UserProvider userProvider = realmManager.getSession().users();
UserModel r1user1 = userProvider.getUserByUsername("user1", realm1);
UserModel r2user1 = userProvider.getUserByUsername("user1", realm2);
Assert.assertEquals(r1user1.getUsername(), r2user1.getUsername());
Assert.assertNotEquals(r1user1.getId(), r2user1.getId());
@ -40,22 +42,22 @@ public class MultipleRealmsTest extends AbstractModelTest {
r1user1.updateCredential(UserCredentialModel.password("pass1"));
r2user1.updateCredential(UserCredentialModel.password("pass2"));
Assert.assertTrue(realm1.validatePassword(r1user1, "pass1"));
Assert.assertFalse(realm1.validatePassword(r1user1, "pass2"));
Assert.assertFalse(realm2.validatePassword(r2user1, "pass1"));
Assert.assertTrue(realm2.validatePassword(r2user1, "pass2"));
Assert.assertTrue(userProvider.validCredentials(realm1, r1user1, UserCredentialModel.password("pass1")));
Assert.assertFalse(userProvider.validCredentials(realm1, r1user1, UserCredentialModel.password("pass2")));
Assert.assertFalse(userProvider.validCredentials(realm2, r2user1, UserCredentialModel.password("pass1")));
Assert.assertTrue(userProvider.validCredentials(realm2, r2user1, UserCredentialModel.password("pass2")));
// Test searching
Assert.assertEquals(2, realmManager.getSession().users().searchForUser("user", realm1).size());
Assert.assertEquals(2, userProvider.searchForUser("user", realm1).size());
commit();
realm1 = model.getRealm("id1");
realm2 = model.getRealm("id2");
realmManager.getSession().users().removeUser(realm1, "user1");
realmManager.getSession().users().removeUser(realm1, "user2");
Assert.assertEquals(0, realmManager.getSession().users().searchForUser("user", realm1).size());
Assert.assertEquals(2, realmManager.getSession().users().searchForUser("user", realm2).size());
userProvider.removeUser(realm1, "user1");
userProvider.removeUser(realm1, "user2");
Assert.assertEquals(0, userProvider.searchForUser("user", realm1).size());
Assert.assertEquals(2, userProvider.searchForUser("user", realm2).size());
}
@Test

3
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -11,6 +11,7 @@ import org.keycloak.models.AuthenticationLinkModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
@ -296,7 +297,7 @@ public class AuthenticationManager {
}
logger.debug("validating TOTP");
if (!realm.validateTOTP(user, password, token)) {
if (!session.users().validCredentials(realm, user, UserCredentialModel.totp(token))) {
return AuthenticationStatus.INVALID_CREDENTIALS;
}
} else {

3
testsuite/performance/src/test/java/org/keycloak/testsuite/performance/ReadUsersWorker.java
View file

@ -6,6 +6,7 @@ import org.apache.log.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import java.util.concurrent.atomic.AtomicInteger;
@ -101,7 +102,7 @@ public class ReadUsersWorker implements Worker {
// Validate password (shoould be same as username)
if (readPassword) {
realm.validatePassword(user, username);
session.users().validCredentials(realm, user, UserCredentialModel.password(username));
}
// Read socialLinks of user