Commit graph

243 commits

Author SHA1 Message Date
Thomas Darimont
3103e0fd0a KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider (#4370)
* KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider

This introduces a new PasswordPolicy which can refer to
a named predefined password-blacklist to avoid users
choosing too easy to guess passwords.

The BlacklistPasswordPolicyProvider supports built-in as
well as custom blacklists.
built-in blacklists use the form `default/filename`
and custom ones `custom/filename`, where filename
is the name of the found blacklist-filename.

I'd propose to use some of the freely available password blacklists
from the [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) project.

For testing purposes one can download the password blacklist
```
wget -O 10_million_password_list_top_1000000.txt https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000000.txt?raw=true
```
to /data/keycloak/blacklists/

Custom password policies can be configured with the SPI
configuration mechanism via jboss-cli:
```
/subsystem=keycloak-server/spi=password-policy:add()
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true)
/subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsFolderUri, value=file:///data/keycloak/blacklists/)
```

Password blacklist is stored in a TreeSet.

* KEYCLOAK-5244 Encode PasswordBlacklist as a BloomFilter

We now use a dynamically sized BloomFilter with a
false positive probability of 1% as a backing store
for PasswordBlacklists.

BloomFilter implementation is provided by google-guava
which is available in wildfly.

Password blacklist files are now resolved against
the ${jboss.server.data.dir}/password-blacklists.

This can be overridden via system property, or SPI config.
See JavaDoc of BlacklistPasswordPolicyProviderFactory for details.

Revised implementation to be more extensible, e.g. it could be
possible to use other stores like databases etc.

Moved FileSystem specific methods to FileBasesPasswordBlacklistPolicy.

The PasswordBlacklistProvider uses the guava version 20.0
shipped with wildfly. Unfortunately the arquillian testsuite
transitively depends on guava 23.0 via the selenium-3.5.1
dependency. Hence we need to use version 23.0 for tests but 20.0
for the policy provider to avoid NoClassDefFoundErrors in the
server-dist.

Configure password blacklist folder for tests

* KEYCLOAK-5244 Configure jboss.server.data.dir for test servers

* KEYCLOAK-5244 Translate blacklisted message in base/login
2017-10-17 20:41:44 +02:00
Hynek Mlnarik
056ba75a72 KEYCLOAK-5656 Use standard infinispan remote-store 2017-10-16 21:49:42 +02:00
mposolda
1874820008 KEYCLOAK-5371 Fix ConcurrentLoginCrossDCTest.concurrentLoginWithRandomDcFailures 2017-10-11 13:02:55 +02:00
Hynek Mlnarik
fe972ce12b KEYCLOAK-5656 Remove remoteServers configuration option 2017-10-09 11:58:28 +02:00
Hynek Mlnarik
6cbfbeca0b KEYCLOAK-5656 Remove KeycloakTcpTransportFactory 2017-10-06 13:20:17 +02:00
mposolda
bca4c35708 KEYCLOAK-5371 Fix ActionTokenCrossDCTest and BruteForceCrossDCTest 2017-10-04 13:25:45 +02:00
Hynek Mlnařík
9aa4c3cf22 Merge pull request #4530 from vramik/KEYCLOAK-5586
KEYCLOAK-5586 crossdc tests on Wildfly using real database
2017-10-04 13:10:08 +02:00
vramik
b0a1550df5 KEYCLOAK-5586 crossdc tests on Wildfly using real database 2017-10-04 12:00:18 +02:00
Pavel Drozd
8e5db87b50 Merge pull request #4505 from mhajas/KEYCLOAK-5568
KEYCLOAK-5568 Run ConsoleProtection tests only with elytron
2017-10-04 08:02:31 +02:00
vramik
f806d4a5d6 KEYCLOAK-5586 Add support for testing cross dc tests on jboss-based containers 2017-10-03 14:01:45 +02:00
mposolda
3b6e1f4e93 KEYCLOAK-5007 Used single-use cache for tracke OAuth code. OAuth code changed to be encrypted and signed JWT 2017-09-29 13:20:22 +02:00
mhajas
efb43682a9 KEYCLOAK-5568 Run ConsoleProtection tests only with elytron 2017-09-27 17:45:20 +02:00
Antonio Howcroft Ferreira
a551195ddf KEYCLOAK-2035 update with feedback from PR by bburke 2017-09-22 15:05:49 +01:00
howcroft
e78bf5f876 Keycloak 2035
This PR adds:
* an endpoint to Role that lists users with the Role
* a tab "Users in Role" in Admin console Role page
* it is applicable to Realm and Client Roles
* Extends UserQueryProvider with default methods (throwing Runtime Exception if not overriden)
* Testing in base testsuite and Console
2017-09-22 15:05:49 +01:00
mhajas
330cb022eb KEYCLOAK-5320 Configure SSL using creaper 2017-09-08 13:19:48 +02:00
Stian Thorgersen
463661b051 Set version to 3.4.0.CR1-SNAPSHOT 2017-08-28 15:46:22 +02:00
Hynek Mlnarik
794c508b10 KEYCLOAK-4995 Support for distributed SAML logout in cross DC 2017-08-28 13:15:11 +02:00
mposolda
05c8c74c96 KEYCLOAK-5294 Updated README for cross-dc setup on Wildfly 2017-08-25 17:53:45 +02:00
Stian Thorgersen
20ac70d3fd KEYCLOAK-5119 (#4400) 2017-08-22 08:07:36 +02:00
mposolda
868e76fcf3 KEYCLOAK-4630 Added SessionsPreloadCrossDCTest for test preloading sessions and offline sessions. Support for manual.mode to control manually lifecycle of all servers. 2017-08-11 17:44:00 +02:00
Pavel Drozd
6bdc49048a KEYCLOAK-5267 Fuse tests - added timeouts for closing ssh channel 2017-08-09 13:39:04 +02:00
mposolda
251b41a7ac KEYCLOAK-4187 Fix LastSessionRefreshCrossDCTest and ConcurrentLoginCrossDCTest 2017-08-07 11:55:49 +02:00
mposolda
07e2136b3b KEYCLOAK-4187 Added UserSession support for cross-dc 2017-07-27 22:32:58 +02:00
Stian Thorgersen
badba7adaf KEYCLOAK-5143 Run auth-server-wildfly profile on Travis (#4317) 2017-07-14 07:01:54 +02:00
Stian Thorgersen
5fbb362710 KEYCLOAK-5119 Set encoding for TestingResourceProvider.runOnServer (#4292) 2017-07-05 13:39:16 +02:00
Stian Thorgersen
9a9f4137e5 KEYCLOAK-4556 KEYCLOAK-5022 Only cache keycloak.js and iframe if specific version is requested (#4289) 2017-07-04 21:18:34 +02:00
Stian Thorgersen
454c5f4d83 Set version to 3.3.0.CR1-SNAPSHOT 2017-06-30 09:47:11 +02:00
Hynek Mlnarik
5e16a32f86 KEYCLOAK-5106 Fix BasicSamlTest on auth-server-wildfly 2017-06-28 20:47:43 +02:00
mhajas
29c2ef4c60 KEYCLOAK-5097 fix property name 2017-06-27 12:28:32 +02:00
Pavel Drozd
b02d48f772 Merge pull request #4249 from vramik/KEYCLOAK-5048
KEYCLOAK-5048 missing keycloak version in logs when staring auth-serv…
2017-06-27 11:40:26 +02:00
Bill Burke
22987bb90b Merge pull request #4250 from mposolda/RHSSO-1027
KEYCLOAK-5085 Easy fix to just handle the exception
2017-06-26 10:04:02 -04:00
Hynek Mlnarik
955cbc76d7 KEYCLOAK-5030 Change action tokens cache type to distributed 2017-06-26 10:11:53 +02:00
mposolda
756d996a4a KEYCLOAK-5085 RHSSO-1027 Fix to handle the exception thrown from alternative flow 2017-06-23 19:13:43 +02:00
vramik
e75f47d523 KEYCLOAK-5048 missing keycloak version in logs when staring auth-server-wildfly container. 2017-06-22 09:20:11 +02:00
mposolda
fc61a4e89f KEYCLOAK-4631 Move ClientInitialAccessModel from userSession model to realm model 2017-06-21 22:14:20 +02:00
Hynek Mlnarik
2e2d15be9f KEYCLOAK-4189 Infinispan cache and channel statistics for Cross-DC-testing 2017-06-20 12:48:08 +02:00
vramik
5d72def1bc KEYCLOAK-4189 add possibility to use jdg as cache server 2017-06-15 12:57:25 +02:00
Hynek Mlnarik
bdadef1282 KEYCLOAK-4189 Fix in instructions for running Cross-DC tests 2017-06-14 14:36:10 +02:00
Hynek Mlnarik
a0f3a6469f KEYCLOAK-4189 - Cross DC testing 2017-06-12 11:14:28 +02:00
Pavel Drozd
a52a1f4618 Merge pull request #4196 from vramik/KEYCLOAK-4481
KEYCLOAK-4481 some authz export tests
2017-05-30 16:56:54 +02:00
Tomas Kyjovsky
67bee0dfc2 Upgraded wildfly-arquillian-container-* artifacts to 2.1.0.Alpha2 and added wildfly10 modules in app servers and adapter tests 2017-05-30 14:25:51 +02:00
vramik
8f1938c28d KEYCLOAK-4481 Role based permission test 2017-05-30 13:10:09 +02:00
mposolda
c4f172afe7 KEYCLOAK-4977 Upgrade infinispan and undertow version to align with Wildfly 11.0.0.Alpha1 2017-05-26 14:29:30 +02:00
mhajas
88473ce3c1 KEYCLOAK-4959 Use desired version of adapter 2017-05-25 12:02:16 +02:00
Pavel Drozd
c230edbf72 Merge pull request #4151 from pdrozd/KEYCLOAK-4931
KEYCLOAK-4931 - install patch available from http
2017-05-23 14:01:44 +02:00
Pavel Drozd
60ef910b5b KEYCLOAK-4931 - install patch available from http 2017-05-18 23:47:12 +02:00
Pavel Drozd
53ab314eb9 KEYCLOAK-4930 - Updated install-keycloak script for overlay installation - added ha installation. 2017-05-18 23:35:04 +02:00
mposolda
7d8796e614 KEYCLOAK-4626 Support for sticky sessions with AUTH_SESSION_ID cookie. Clustering tests with embedded undertow. Last fixes. 2017-05-11 22:24:07 +02:00
mposolda
e7272dc05a KEYCLOAK-4626 AuthenticationSessions - brokering works. Few other fixes and tests added 2017-05-11 22:16:26 +02:00
mposolda
a9ec69e424 KEYCLOAK-4626: AuthenticationSessions - working login, registration, resetPassword flows 2017-05-11 22:16:26 +02:00