Merge pull request #4865 from patriot1burke/master

KEYCLOAK-5420
2017-12-16 14:31:37 -05:00 · 2017-12-16 14:31:37 -05:00 · f3fcac2d8d
commit f3fcac2d8d
parent b121306749 b5ae7e836d
2 changed files with 57 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@ -125,7 +125,9 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
            context.getEvent().user(user);
            context.getEvent().error(Errors.USER_DISABLED);
            Response challengeResponse = disabledUser(context);
-            context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
+            // this is not a failure so don't call failureChallenge.
+            //context.failureChallenge(AuthenticationFlowError.USER_DISABLED, challengeResponse);
+            context.forceChallenge(challengeResponse);
            return false;
        }
        if (context.getRealm().isBruteForceProtected()) {
@ -133,7 +135,9 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
                context.getEvent().user(user);
                context.getEvent().error(Errors.USER_TEMPORARILY_DISABLED);
                Response challengeResponse = temporarilyDisabledUser(context);
-                context.failureChallenge(AuthenticationFlowError.USER_TEMPORARILY_DISABLED, challengeResponse);
+                // this is not a failure so don't call failureChallenge.
+                //context.failureChallenge(AuthenticationFlowError.USER_TEMPORARILY_DISABLED, challengeResponse);
+                context.forceChallenge(challengeResponse);
                return false;
            }
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
@ -45,6 +45,7 @@ import org.keycloak.testsuite.util.RealmRepUtil;
 import org.keycloak.testsuite.util.UserBuilder;

 import java.net.MalformedURLException;
+import java.util.Collections;

 import static org.junit.Assert.assertEquals;

@ -67,6 +68,10 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {

        testRealm.setBruteForceProtected(true);
        testRealm.setFailureFactor(2);
+        testRealm.setMaxDeltaTimeSeconds(20);
+        testRealm.setMaxFailureWaitSeconds(100);
+        testRealm.setWaitIncrementSeconds(5);
+        //testRealm.setQuickLoginCheckMilliSeconds(0L);

        userId = user.getId();

@ -76,11 +81,40 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {

    @Before
    public void config() {
+        try {
+            clearUserFailures();
+            clearAllUserFailures();
+            RealmRepresentation realm = adminClient.realm("test").toRepresentation();
+            realm.setFailureFactor(2);
+            realm.setMaxDeltaTimeSeconds(20);
+            realm.setMaxFailureWaitSeconds(100);
+            realm.setWaitIncrementSeconds(5);
+            adminClient.realm("test").update(realm);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+        events.clear();

    }

    @After
    public void slowItDown() throws Exception {
+        try {
+            clearUserFailures();
+            clearAllUserFailures();
+            RealmRepresentation realm = adminClient.realm("test").toRepresentation();
+            realm.setMaxFailureWaitSeconds(900);
+            realm.setMinimumQuickLoginWaitSeconds(60);
+            realm.setWaitIncrementSeconds(60);
+            realm.setQuickLoginCheckMilliSeconds(1000L);
+            realm.setMaxDeltaTimeSeconds(60 * 60 * 12); // 12 hours
+            realm.setFailureFactor(30);
+            adminClient.realm("test").update(realm);
+            testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(0)));
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+        events.clear();
        Thread.sleep(100);
    }

@ -286,6 +320,23 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
        loginSuccess();
    }

+    @Test
+    public void testWait() throws Exception {
+        loginSuccess();
+        loginInvalidPassword();
+        loginInvalidPassword();
+        expectTemporarilyDisabled();
+        // KEYCLOAK-5420
+        // Test to make sure that temporarily disabled doesn't increment failure count
+        testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(6)));
+        // should be unlocked now
+        loginSuccess();
+        clearUserFailures();
+        clearAllUserFailures();
+        loginSuccess();
+        testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(0)));
+    }
+
    @Test
    public void testBrowserInvalidPasswordDifferentCase() throws Exception {
        loginSuccess("test-user@localhost");