use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.
the class HashAlgorithmPasswordPolicyProviderFactory method parseConfig.
@Override
public Object parseConfig(String value) {
String providerId = value != null && value.length() > 0 ? value : PasswordPolicy.HASH_ALGORITHM_DEFAULT;
PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, providerId);
if (provider == null) {
throw new PasswordPolicyConfigException("Password hashing provider not found");
}
return providerId;
}
use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.
the class HistoryPasswordPolicyProvider method validate.
@Override
public PolicyError validate(RealmModel realm, UserModel user, String password) {
PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
int passwordHistoryPolicyValue = policy.getPolicyConfig(PasswordPolicy.PASSWORD_HISTORY_ID);
if (passwordHistoryPolicyValue != -1) {
if (session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.TYPE).map(PasswordCredentialModel::createFromCredentialModel).anyMatch(passwordCredential -> {
PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, passwordCredential.getPasswordCredentialData().getAlgorithm());
return hash != null && hash.verify(password, passwordCredential);
})) {
return new PolicyError(ERROR_MESSAGE, passwordHistoryPolicyValue);
}
if (passwordHistoryPolicyValue > 0) {
if (this.getRecent(session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.PASSWORD_HISTORY), passwordHistoryPolicyValue - 1).map(PasswordCredentialModel::createFromCredentialModel).anyMatch(passwordCredential -> {
PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, passwordCredential.getPasswordCredentialData().getAlgorithm());
return hash.verify(password, passwordCredential);
})) {
return new PolicyError(ERROR_MESSAGE, passwordHistoryPolicyValue);
}
}
}
return null;
}
use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.
the class BackwardsCompatibilityUserStorage method updateCredential.
@Override
public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
if (!(input instanceof UserCredentialModel))
return false;
if (input.getType().equals(UserCredentialModel.PASSWORD)) {
// Compatibility with 4.8.3 - Using "legacy" type PasswordUserCredentialModel
if (!(input instanceof PasswordUserCredentialModel)) {
log.warn("Input is not PasswordUserCredentialModel");
return false;
}
PasswordUserCredentialModel userCredentialModel = (PasswordUserCredentialModel) input;
// Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
assertNull(userCredentialModel.getDevice());
assertNull(userCredentialModel.getAlgorithm());
PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
PasswordHashProvider hashProvider = getHashProvider(policy);
CredentialModel newPassword = new CredentialModel();
newPassword.setType(CredentialModel.PASSWORD);
long createdDate = Time.currentTimeMillis();
newPassword.setCreatedDate(createdDate);
// Compatibility with 4.8.3 - Using "legacy" signature of the method on hashProvider
hashProvider.encode(userCredentialModel.getValue(), policy.getHashIterations(), newPassword);
// Test expected values of credentialModel
assertEquals(newPassword.getAlgorithm(), policy.getHashAlgorithm());
assertNotNull(newPassword.getValue());
assertNotNull(newPassword.getSalt());
users.get(translateUserName(user.getUsername())).hashedPassword = newPassword;
UserCache userCache = session.userCache();
if (userCache != null) {
userCache.evict(realm, user);
}
return true;
} else if (isOTPType(input.getType())) {
UserCredentialModel otpCredential = (UserCredentialModel) input;
// Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
assertNull(otpCredential.getDevice());
assertNull(otpCredential.getAlgorithm());
OTPPolicy otpPolicy = session.getContext().getRealm().getOTPPolicy();
CredentialModel newOTP = new CredentialModel();
newOTP.setType(input.getType());
long createdDate = Time.currentTimeMillis();
newOTP.setCreatedDate(createdDate);
newOTP.setValue(otpCredential.getValue());
newOTP.setCounter(otpPolicy.getInitialCounter());
newOTP.setDigits(otpPolicy.getDigits());
newOTP.setAlgorithm(otpPolicy.getAlgorithm());
newOTP.setPeriod(otpPolicy.getPeriod());
users.get(translateUserName(user.getUsername())).otp = newOTP;
return true;
} else {
log.infof("Attempt to update unsupported credential of type: %s", input.getType());
return false;
}
}
use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.
the class BackwardsCompatibilityUserStorage method isValid.
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
MyUser myUser = users.get(translateUserName(user.getUsername()));
if (myUser == null)
return false;
if (input.getType().equals(UserCredentialModel.PASSWORD)) {
if (!(input instanceof PasswordUserCredentialModel))
return false;
CredentialModel hashedPassword = myUser.hashedPassword;
if (hashedPassword == null) {
log.warnf("Password not set for user %s", user.getUsername());
return false;
}
PasswordUserCredentialModel userCredentialModel = (PasswordUserCredentialModel) input;
// Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
assertNull(userCredentialModel.getDevice());
assertNull(userCredentialModel.getAlgorithm());
PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
PasswordHashProvider hashProvider = getHashProvider(policy);
String rawPassword = userCredentialModel.getValue();
// Compatibility with 4.8.3 - using "legacy" signature of this method
return hashProvider.verify(rawPassword, hashedPassword);
} else if (isOTPType(input.getType())) {
UserCredentialModel otpCredential = (UserCredentialModel) input;
// Special hardcoded OTP, which is always considered valid
if ("123456".equals(otpCredential.getValue())) {
return true;
}
CredentialModel storedOTPCredential = myUser.otp;
if (storedOTPCredential == null) {
log.warnf("Not found credential for the user %s", user.getUsername());
return false;
}
TimeBasedOTP validator = new TimeBasedOTP(storedOTPCredential.getAlgorithm(), storedOTPCredential.getDigits(), storedOTPCredential.getPeriod(), realm.getOTPPolicy().getLookAheadWindow());
return validator.validateTOTP(otpCredential.getValue(), storedOTPCredential.getValue().getBytes());
} else {
log.infof("Not supported to validate credential of type '%s' for user '%s'", input.getType(), user.getUsername());
return false;
}
}
use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.
the class PasswordCredentialProvider method isValid.
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
if (!(input instanceof UserCredentialModel)) {
logger.debug("Expected instance of UserCredentialModel for CredentialInput");
return false;
}
if (input.getChallengeResponse() == null) {
logger.debugv("Input password was null for user {0} ", user.getUsername());
return false;
}
PasswordCredentialModel password = getPassword(realm, user);
if (password == null) {
logger.debugv("No password cached or stored for user {0} ", user.getUsername());
return false;
}
PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, password.getPasswordCredentialData().getAlgorithm());
if (hash == null) {
logger.debugv("PasswordHashProvider {0} not found for user {1} ", password.getPasswordCredentialData().getAlgorithm(), user.getUsername());
return false;
}
if (!hash.verify(input.getChallengeResponse(), password)) {
logger.debugv("Failed password validation for user {0} ", user.getUsername());
return false;
}
PasswordPolicy policy = realm.getPasswordPolicy();
if (policy == null) {
return true;
}
hash = getHashProvider(policy);
if (hash == null) {
return true;
}
if (hash.policyCheck(policy, password)) {
return true;
}
PasswordCredentialModel newPassword = hash.encodedCredential(input.getChallengeResponse(), policy.getHashIterations());
newPassword.setId(password.getId());
newPassword.setCreatedDate(password.getCreatedDate());
newPassword.setUserLabel(password.getUserLabel());
getCredentialStore().updateCredential(realm, user, newPassword);
UserCache userCache = session.userCache();
if (userCache != null) {
userCache.evict(realm, user);
}
return true;
}
Aggregations