keycloak-uncached
Changes
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java 5(+0 -5)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java 71(+69 -2)
Details
diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index d186f28..a9fb79f 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -34,6 +34,7 @@ import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details;
+import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
@@ -323,6 +324,11 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return Response.status(302).location(redirect).build();
} else {
+ Response response = validateUser(federatedUser, realmModel);
+ if (response != null) {
+ return response;
+ }
+
updateFederatedIdentity(context, federatedUser);
clientSession.setAuthenticatedUser(federatedUser);
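Review bot: The new `validateUser` call guards only this `else` branch; the branch above returns its 302 redirect without it, and the `after-first-broker-login` callback is not part of this hunk. If either of those paths can end with an authenticated session for an account that already exists, a disabled user could still complete a brokered login there, so the same check should be applied on them or its absence justified. A one-line comment above the call, e.g. `// reject disabled or locked-out accounts before the session is bound to the user`, would show that running it before `updateFederatedIdentity` is deliberate.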
@@ -330,6 +336,18 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
}
}
+ public Response validateUser(UserModel user, RealmModel realm) {
+ if (!user.isEnabled()) {
+ event.error(Errors.USER_DISABLED);
+ return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
+ }
+ if (realm.isBruteForceProtected()) {
+ event.error(Errors.USER_TEMPORARILY_DISABLED);
+ return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
+ }
+ return null;
+ }
+
// Callback from LoginActionsService after first login with broker was done and Keycloak account is successfully linked/created
@GET
@Path("/after-first-broker-login")
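Review bot: The second check in `validateUser` tests only `realm.isBruteForceProtected()`, so once brute-force protection is enabled on the realm every brokered login of an existing user is answered with `USER_TEMPORARILY_DISABLED`, whether or not that user has any failed attempts. The condition should ask the realm's brute-force protector about this user's lock state (presumably `BruteForceProtector.isTemporarilyDisabled(session, realm, user.getUsername())` in this code base; confirm the signature) and return the error only when the account is reported as locked. The method also has no visible reason to be `public` on a JAX-RS resource class; `private` keeps it off the class's surface. A short Javadoc saying that a non-null return is the error response to send and `null` means the login may proceed would make the call site easier to read.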
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
index f5f80f5..4ccf3cb 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
@@ -172,10 +172,6 @@ public abstract class AbstractIdentityProviderTest {
Time.setOffset(0);
}
- String afterLogoutUrl = driver.getCurrentUrl();
- String afterLogoutPageSource = driver.getPageSource();
- System.out.println("afterLogoutUrl: " + afterLogoutUrl);
- //System.out.println("after logout page source: " + afterLogoutPageSource);
driver.navigate().to("http://localhost:8081/test-app");
@@ -219,7 +215,6 @@ public abstract class AbstractIdentityProviderTest {
String currentUrl = this.driver.getCurrentUrl();
assertTrue(currentUrl.startsWith("http://localhost:8082/auth/"));
- System.out.println(this.driver.getCurrentUrl());
// log in to identity provider
this.loginPage.login(username, "password");
doAfterProviderAuthentication();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
index 76911d2..1af21f5 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractKeycloakIdentityProviderTest.java
@@ -38,6 +38,7 @@ import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserFederationProviderModel;
@@ -70,6 +71,73 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
}
@Test
+ public void testDisabledUser() {
+ setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF);
+
+ driver.navigate().to("http://localhost:8081/test-app");
+ loginPage.clickSocial(getProviderId());
+ loginPage.login("test-user", "password");
+ System.out.println(driver.getPageSource());
+ driver.navigate().to("http://localhost:8081/test-app/logout");
+
+ try {
+ KeycloakSession session = brokerServerRule.startSession();
+ session.users().getUserByUsername("test-user", session.realms().getRealmByName("realm-with-broker")).setEnabled(false);
+ brokerServerRule.stopSession(session, true);
+
+ driver.navigate().to("http://localhost:8081/test-app");
+
+ loginPage.clickSocial(getProviderId());
+ loginPage.login("test-user", "password");
+
+ assertTrue(errorPage.isCurrent());
+ assertEquals("Account is disabled, contact admin.", errorPage.getError());
+ } finally {
+ KeycloakSession session = brokerServerRule.startSession();
+ session.users().getUserByUsername("test-user", session.realms().getRealmByName("realm-with-broker")).setEnabled(true);
+ brokerServerRule.stopSession(session, true);
+ }
+ }
+
+ @Test
+ public void testTemporarilyDisabledUser() {
+ setUpdateProfileFirstLogin(session.realms().getRealmByName("realm-with-broker"), IdentityProviderRepresentation.UPFLM_OFF);
+
+ driver.navigate().to("http://localhost:8081/test-app");
+ loginPage.clickSocial(getProviderId());
+ loginPage.login("test-user", "password");
+ driver.navigate().to("http://localhost:8081/test-app/logout");
+
+ try {
+ KeycloakSession session = brokerServerRule.startSession();
+ RealmModel brokerRealm = session.realms().getRealmByName("realm-with-broker");
+ brokerRealm.setBruteForceProtected(true);
+ brokerRealm.setFailureFactor(2);
+ brokerServerRule.stopSession(session, true);
+
+ driver.navigate().to("http://localhost:8081/test-app");
+ loginPage.login("test-user", "fail");
+ loginPage.login("test-user", "fail");
+
+ driver.navigate().to("http://localhost:8081/test-app");
+
+ assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
+
+ loginPage.clickSocial(getProviderId());
+ loginPage.login("test-user", "password");
+
+ assertTrue(errorPage.isCurrent());
+ assertEquals("Account is disabled, contact admin.", errorPage.getError());
+ } finally {
+ KeycloakSession session = brokerServerRule.startSession();
+ RealmModel brokerRealm = session.realms().getRealmByName("realm-with-broker");
+ brokerRealm.setBruteForceProtected(false);
+ brokerRealm.setFailureFactor(0);
+ brokerServerRule.stopSession(session, true);
+ }
+ }
+
+ @Test
public void testSuccessfulAuthenticationUpdateProfileOnMissing_nothingMissing() {
IdentityProviderModel identityProviderModel = getIdentityProviderModel();
setUpdateProfileFirstLogin(IdentityProviderRepresentation.UPFLM_MISSING);
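Review bot: `testTemporarilyDisabledUser` cannot tell a per-user lockout from a realm-wide block, because it asserts the error page only after brute-force protection has been switched on and would pass even if the two failed logins had no effect. Add a control inside the `try`, for instance a brokered login that still succeeds with protection enabled before any failed attempt, or one for a second user afterwards. The `finally` block sets the failure factor to `0` rather than restoring the value read before the test, and it does not clear the failures recorded for `test-user`, which may leak state into later tests. In `testDisabledUser`, `System.out.println(driver.getPageSource());` is leftover debugging and should be dropped, as this commit does for the other prints.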
@@ -362,7 +430,6 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
revokeGrant();
// Logout from account management
- System.out.println("*** logout from account management");
accountFederatedIdentityPage.logout();
assertTrue(driver.getTitle().equals("Log in to realm-with-broker"));
assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
@@ -502,7 +569,7 @@ public abstract class AbstractKeycloakIdentityProviderTest extends AbstractIdent
driver.navigate().to("http://localhost:8081/test-app/logout");
String currentUrl = this.driver.getCurrentUrl();
- System.out.println("after logout currentUrl: " + currentUrl);
+// System.out.println("after logout currentUrl: " + currentUrl);
assertTrue(currentUrl.startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
unconfigureUserRetrieveToken("test-user");
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
index 63cf639..5626751 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
@@ -116,6 +116,16 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP
}
@Test
+ public void testDisabledUser() {
+ super.testDisabledUser();
+ }
+
+ @Test
+ public void testTemporarilyDisabledUser() {
+ super.testTemporarilyDisabledUser();
+ }
+
+ @Test
public void testLogoutWorksWithTokenTimeout() {
Keycloak keycloak = Keycloak.getInstance("http://localhost:8081/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID);
RealmRepresentation realm = keycloak.realm("realm-with-oidc-identity-provider").toRepresentation();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java
index 1cee306..3077db4 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/pages/ErrorPage.java
@@ -46,7 +46,7 @@ public class ErrorPage extends AbstractPage {
}
public boolean isCurrent() {
- return driver.getTitle().equals("We're sorry...");
+ return driver.getTitle() != null && driver.getTitle().equals("We're sorry...");
}
@Override
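Review bot: `isCurrent()` now calls `driver.getTitle()` twice, which costs two WebDriver round trips and lets the null check and the comparison see different pages if a navigation lands in between. `return "We're sorry...".equals(driver.getTitle());` is null-safe with a single call.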