Search in sources :

Example 1 with PasswordHashProvider

use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.

the class HashAlgorithmPasswordPolicyProviderFactory method parseConfig.

@Override
public Object parseConfig(String value) {
    String providerId = value != null && value.length() > 0 ? value : PasswordPolicy.HASH_ALGORITHM_DEFAULT;
    PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, providerId);
    if (provider == null) {
        throw new PasswordPolicyConfigException("Password hashing provider not found");
    }
    return providerId;
}
Also used : PasswordHashProvider(org.keycloak.credential.hash.PasswordHashProvider)

Example 2 with PasswordHashProvider

use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.

the class HistoryPasswordPolicyProvider method validate.

@Override
public PolicyError validate(RealmModel realm, UserModel user, String password) {
    PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
    int passwordHistoryPolicyValue = policy.getPolicyConfig(PasswordPolicy.PASSWORD_HISTORY_ID);
    if (passwordHistoryPolicyValue != -1) {
        if (session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.TYPE).map(PasswordCredentialModel::createFromCredentialModel).anyMatch(passwordCredential -> {
            PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, passwordCredential.getPasswordCredentialData().getAlgorithm());
            return hash != null && hash.verify(password, passwordCredential);
        })) {
            return new PolicyError(ERROR_MESSAGE, passwordHistoryPolicyValue);
        }
        if (passwordHistoryPolicyValue > 0) {
            if (this.getRecent(session.userCredentialManager().getStoredCredentialsByTypeStream(realm, user, PasswordCredentialModel.PASSWORD_HISTORY), passwordHistoryPolicyValue - 1).map(PasswordCredentialModel::createFromCredentialModel).anyMatch(passwordCredential -> {
                PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, passwordCredential.getPasswordCredentialData().getAlgorithm());
                return hash.verify(password, passwordCredential);
            })) {
                return new PolicyError(ERROR_MESSAGE, passwordHistoryPolicyValue);
            }
        }
    }
    return null;
}
Also used : PasswordPolicy(org.keycloak.models.PasswordPolicy) PasswordHashProvider(org.keycloak.credential.hash.PasswordHashProvider)

Example 3 with PasswordHashProvider

use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.

the class BackwardsCompatibilityUserStorage method updateCredential.

@Override
public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
    if (!(input instanceof UserCredentialModel))
        return false;
    if (input.getType().equals(UserCredentialModel.PASSWORD)) {
        // Compatibility with 4.8.3 - Using "legacy" type PasswordUserCredentialModel
        if (!(input instanceof PasswordUserCredentialModel)) {
            log.warn("Input is not PasswordUserCredentialModel");
            return false;
        }
        PasswordUserCredentialModel userCredentialModel = (PasswordUserCredentialModel) input;
        // Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
        assertNull(userCredentialModel.getDevice());
        assertNull(userCredentialModel.getAlgorithm());
        PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
        PasswordHashProvider hashProvider = getHashProvider(policy);
        CredentialModel newPassword = new CredentialModel();
        newPassword.setType(CredentialModel.PASSWORD);
        long createdDate = Time.currentTimeMillis();
        newPassword.setCreatedDate(createdDate);
        // Compatibility with 4.8.3 - Using "legacy" signature of the method on hashProvider
        hashProvider.encode(userCredentialModel.getValue(), policy.getHashIterations(), newPassword);
        // Test expected values of credentialModel
        assertEquals(newPassword.getAlgorithm(), policy.getHashAlgorithm());
        assertNotNull(newPassword.getValue());
        assertNotNull(newPassword.getSalt());
        users.get(translateUserName(user.getUsername())).hashedPassword = newPassword;
        UserCache userCache = session.userCache();
        if (userCache != null) {
            userCache.evict(realm, user);
        }
        return true;
    } else if (isOTPType(input.getType())) {
        UserCredentialModel otpCredential = (UserCredentialModel) input;
        // Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
        assertNull(otpCredential.getDevice());
        assertNull(otpCredential.getAlgorithm());
        OTPPolicy otpPolicy = session.getContext().getRealm().getOTPPolicy();
        CredentialModel newOTP = new CredentialModel();
        newOTP.setType(input.getType());
        long createdDate = Time.currentTimeMillis();
        newOTP.setCreatedDate(createdDate);
        newOTP.setValue(otpCredential.getValue());
        newOTP.setCounter(otpPolicy.getInitialCounter());
        newOTP.setDigits(otpPolicy.getDigits());
        newOTP.setAlgorithm(otpPolicy.getAlgorithm());
        newOTP.setPeriod(otpPolicy.getPeriod());
        users.get(translateUserName(user.getUsername())).otp = newOTP;
        return true;
    } else {
        log.infof("Attempt to update unsupported credential of type: %s", input.getType());
        return false;
    }
}
Also used : PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) UserCredentialModel(org.keycloak.models.UserCredentialModel) CredentialModel(org.keycloak.credential.CredentialModel) PasswordPolicy(org.keycloak.models.PasswordPolicy) OTPPolicy(org.keycloak.models.OTPPolicy) UserCache(org.keycloak.models.cache.UserCache) PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) UserCredentialModel(org.keycloak.models.UserCredentialModel) PasswordHashProvider(org.keycloak.credential.hash.PasswordHashProvider)

Example 4 with PasswordHashProvider

use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.

the class BackwardsCompatibilityUserStorage method isValid.

@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    MyUser myUser = users.get(translateUserName(user.getUsername()));
    if (myUser == null)
        return false;
    if (input.getType().equals(UserCredentialModel.PASSWORD)) {
        if (!(input instanceof PasswordUserCredentialModel))
            return false;
        CredentialModel hashedPassword = myUser.hashedPassword;
        if (hashedPassword == null) {
            log.warnf("Password not set for user %s", user.getUsername());
            return false;
        }
        PasswordUserCredentialModel userCredentialModel = (PasswordUserCredentialModel) input;
        // Those are not supposed to be set when calling this method in Keycloak 4.8.3 for password credential
        assertNull(userCredentialModel.getDevice());
        assertNull(userCredentialModel.getAlgorithm());
        PasswordPolicy policy = session.getContext().getRealm().getPasswordPolicy();
        PasswordHashProvider hashProvider = getHashProvider(policy);
        String rawPassword = userCredentialModel.getValue();
        // Compatibility with 4.8.3 - using "legacy" signature of this method
        return hashProvider.verify(rawPassword, hashedPassword);
    } else if (isOTPType(input.getType())) {
        UserCredentialModel otpCredential = (UserCredentialModel) input;
        // Special hardcoded OTP, which is always considered valid
        if ("123456".equals(otpCredential.getValue())) {
            return true;
        }
        CredentialModel storedOTPCredential = myUser.otp;
        if (storedOTPCredential == null) {
            log.warnf("Not found credential for the user %s", user.getUsername());
            return false;
        }
        TimeBasedOTP validator = new TimeBasedOTP(storedOTPCredential.getAlgorithm(), storedOTPCredential.getDigits(), storedOTPCredential.getPeriod(), realm.getOTPPolicy().getLookAheadWindow());
        return validator.validateTOTP(otpCredential.getValue(), storedOTPCredential.getValue().getBytes());
    } else {
        log.infof("Not supported to validate credential of type '%s' for user '%s'", input.getType(), user.getUsername());
        return false;
    }
}
Also used : PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) UserCredentialModel(org.keycloak.models.UserCredentialModel) CredentialModel(org.keycloak.credential.CredentialModel) TimeBasedOTP(org.keycloak.models.utils.TimeBasedOTP) PasswordPolicy(org.keycloak.models.PasswordPolicy) PasswordUserCredentialModel(org.keycloak.models.credential.PasswordUserCredentialModel) UserCredentialModel(org.keycloak.models.UserCredentialModel) PasswordHashProvider(org.keycloak.credential.hash.PasswordHashProvider)

Example 5 with PasswordHashProvider

use of org.keycloak.credential.hash.PasswordHashProvider in project keycloak by keycloak.

the class PasswordCredentialProvider method isValid.

@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    if (!(input instanceof UserCredentialModel)) {
        logger.debug("Expected instance of UserCredentialModel for CredentialInput");
        return false;
    }
    if (input.getChallengeResponse() == null) {
        logger.debugv("Input password was null for user {0} ", user.getUsername());
        return false;
    }
    PasswordCredentialModel password = getPassword(realm, user);
    if (password == null) {
        logger.debugv("No password cached or stored for user {0} ", user.getUsername());
        return false;
    }
    PasswordHashProvider hash = session.getProvider(PasswordHashProvider.class, password.getPasswordCredentialData().getAlgorithm());
    if (hash == null) {
        logger.debugv("PasswordHashProvider {0} not found for user {1} ", password.getPasswordCredentialData().getAlgorithm(), user.getUsername());
        return false;
    }
    if (!hash.verify(input.getChallengeResponse(), password)) {
        logger.debugv("Failed password validation for user {0} ", user.getUsername());
        return false;
    }
    PasswordPolicy policy = realm.getPasswordPolicy();
    if (policy == null) {
        return true;
    }
    hash = getHashProvider(policy);
    if (hash == null) {
        return true;
    }
    if (hash.policyCheck(policy, password)) {
        return true;
    }
    PasswordCredentialModel newPassword = hash.encodedCredential(input.getChallengeResponse(), policy.getHashIterations());
    newPassword.setId(password.getId());
    newPassword.setCreatedDate(password.getCreatedDate());
    newPassword.setUserLabel(password.getUserLabel());
    getCredentialStore().updateCredential(realm, user, newPassword);
    UserCache userCache = session.userCache();
    if (userCache != null) {
        userCache.evict(realm, user);
    }
    return true;
}
Also used : PasswordCredentialModel(org.keycloak.models.credential.PasswordCredentialModel) PasswordPolicy(org.keycloak.models.PasswordPolicy) OnUserCache(org.keycloak.models.cache.OnUserCache) UserCache(org.keycloak.models.cache.UserCache) UserCredentialModel(org.keycloak.models.UserCredentialModel) PasswordHashProvider(org.keycloak.credential.hash.PasswordHashProvider)

Aggregations

PasswordHashProvider (org.keycloak.credential.hash.PasswordHashProvider)8 PasswordPolicy (org.keycloak.models.PasswordPolicy)5 UserCredentialModel (org.keycloak.models.UserCredentialModel)3 PasswordCredentialModel (org.keycloak.models.credential.PasswordCredentialModel)3 CredentialModel (org.keycloak.credential.CredentialModel)2 UserCache (org.keycloak.models.cache.UserCache)2 PasswordUserCredentialModel (org.keycloak.models.credential.PasswordUserCredentialModel)2 TypeReference (com.fasterxml.jackson.core.type.TypeReference)1 FileInputStream (java.io.FileInputStream)1 FileOutputStream (java.io.FileOutputStream)1 CommandNotFoundException (org.aesh.command.CommandNotFoundException)1 CommandRegistryException (org.aesh.command.registry.CommandRegistryException)1 PasswordHashProviderFactory (org.keycloak.credential.hash.PasswordHashProviderFactory)1 ModelException (org.keycloak.models.ModelException)1 OTPPolicy (org.keycloak.models.OTPPolicy)1 OnUserCache (org.keycloak.models.cache.OnUserCache)1 TimeBasedOTP (org.keycloak.models.utils.TimeBasedOTP)1 PasswordPolicyManagerProvider (org.keycloak.policy.PasswordPolicyManagerProvider)1 PolicyError (org.keycloak.policy.PolicyError)1 CredentialRepresentation (org.keycloak.representations.idm.CredentialRepresentation)1