
Example 11 with UserCredentialModel

use of org.keycloak.models.UserCredentialModel in project keycloak by keycloak.

the class LDAPProvidersIntegrationTest method testReadonly.

/**
 * Verifies the LDAP storage provider's READ_ONLY edit mode.
 *
 * <p>The provider is first switched to {@code READ_ONLY}; then every profile mutation
 * (email, last name, first name) and a password update on the federated user
 * {@code johnkeycloak} must be rejected with {@link ReadOnlyException}, while
 * {@code removeUser()} is still expected to report success. Finally the provider is
 * switched back to {@code WRITABLE} so later tests see the original configuration.
 */
@Test
public void testReadonly() {
    // Step 1: put the LDAP provider into READ_ONLY mode.
    testingClient.server().run(session -> {
        LDAPTestContext testContext = LDAPTestContext.init(session);
        RealmModel realm = testContext.getRealm();
        testContext.getLdapModel().getConfig()
                .putSingle(LDAPConstants.EDIT_MODE, UserStorageProvider.EditMode.READ_ONLY.toString());
        realm.updateComponent(testContext.getLdapModel());
    });

    // The user must still be reachable through the admin API and linked to the federation provider.
    UserRepresentation johnRep = ApiUtil.findUserByUsername(testRealm(), "johnkeycloak");
    assertFederatedUserLink(johnRep);

    // Step 2: every write through the user model must be refused; removal still succeeds.
    testingClient.server().run(session -> {
        LDAPTestContext testContext = LDAPTestContext.init(session);
        RealmModel realm = testContext.getRealm();
        UserModel john = session.users().getUserByUsername(realm, "johnkeycloak");
        Assert.assertNotNull(john);

        assertReadOnly(() -> john.setEmail("error@error.com"));
        assertReadOnly(() -> john.setLastName("Berk"));
        assertReadOnly(() -> john.setFirstName("Bilbo"));
        assertReadOnly(() -> {
            UserCredentialModel newPassword = UserCredentialModel.password("PoopyPoop1", true);
            session.userCredentialManager().updateCredential(realm, john, newPassword);
        });

        Assert.assertTrue(session.users().removeUser(realm, john));
    });

    // Step 3 (revert): restore WRITABLE mode and confirm the persisted config reflects it.
    testingClient.server().run(session -> {
        LDAPTestContext testContext = LDAPTestContext.init(session);
        RealmModel realm = testContext.getRealm();
        testContext.getLdapModel().put(LDAPConstants.EDIT_MODE, UserStorageProvider.EditMode.WRITABLE.toString());
        realm.updateComponent(testContext.getLdapModel());
        String persistedMode = realm.getComponent(testContext.getLdapModel().getId())
                .getConfig().getFirst(LDAPConstants.EDIT_MODE);
        Assert.assertEquals(UserStorageProvider.EditMode.WRITABLE.toString(), persistedMode);
    });
}

/**
 * Runs {@code mutation} and fails the test unless it throws {@link ReadOnlyException}.
 * Any other exception (including the {@code AssertionError} from {@code Assert.fail})
 * propagates unchanged.
 */
private static void assertReadOnly(Runnable mutation) {
    try {
        mutation.run();
        Assert.fail("should fail");
    } catch (ReadOnlyException ignored) {
        // expected: the provider is in READ_ONLY edit mode
    }
}

Example 12 with UserCredentialModel

use of org.keycloak.models.UserCredentialModel in project keycloak by keycloak.

the class SecretQuestionAuthenticator method validateAnswer.

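/**
 * Checks the secret answer submitted on the login form against the user's stored
 * secret-question credential.
 *
 * <p>Both {@code secret_answer} and {@code credentialId} are untrusted form input and may
 * be absent. A missing {@code credentialId} falls back to the user's default
 * secret-question credential; a missing answer is passed through as {@code null} and
 * rejected by the credential provider.
 *
 * @param context the current authentication flow (supplies form data, session, realm and user)
 * @return {@code true} only when the credential provider accepts the submitted answer
 */
protected boolean validateAnswer(AuthenticationFlowContext context) {
    MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
    String secret = formData.getFirst("secret_answer");
    String credentialId = formData.getFirst("credentialId");
    if (credentialId == null || credentialId.isEmpty()) {
        // No credential chosen on the form: use the user's default secret-question credential.
        // getDefaultCredential() is expected to yield null when the user has none stored
        // (TODO confirm against the provider), so fail closed instead of dereferencing it.
        credentialId = java.util.Optional
                .ofNullable(getCredentialProvider(context.getSession())
                        .getDefaultCredential(context.getSession(), context.getRealm(), context.getUser()))
                .map(c -> c.getId())
                .orElse(null);
        if (credentialId == null) {
            return false;
        }
    }
    // The provider looks the credential up scoped to the current user, so a credentialId
    // belonging to someone else cannot match.
    UserCredentialModel input = new UserCredentialModel(credentialId, getType(context.getSession()), secret);
    return getCredentialProvider(context.getSession()).isValid(context.getRealm(), context.getUser(), input);
}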

Example 13 with UserCredentialModel

use of org.keycloak.models.UserCredentialModel in project keycloak by keycloak.

the class SecretQuestionCredentialProvider method isValid.

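/**
 * Validates a submitted secret-question answer against the credential identified by
 * {@code input.getCredentialId()} for the given user.
 *
 * <p>Rejects (returns {@code false}) any input that is not a {@link UserCredentialModel},
 * is of a different credential type, carries no challenge response, or references a
 * credential id that is not stored for this user. The answer comparison is done in
 * constant time so that response timing does not leak how much of the answer matched.
 *
 * @param realm the realm the user belongs to
 * @param user  the user whose credential is checked
 * @param input the submitted credential; the credential id and answer originate from the login form
 * @return {@code true} only when the stored answer equals the submitted one
 */
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    if (!(input instanceof UserCredentialModel)) {
        logger.debug("Expected instance of UserCredentialModel for CredentialInput");
        return false;
    }
    if (!input.getType().equals(getType())) {
        return false;
    }
    String challengeResponse = input.getChallengeResponse();
    if (challengeResponse == null) {
        return false;
    }
    CredentialModel credentialModel = getCredentialStore().getStoredCredentialById(realm, user, input.getCredentialId());
    if (credentialModel == null) {
        // The credential id is user-controlled; an unknown (or another user's) id must fail
        // closed rather than reach getCredentialFromModel(null).
        logger.debug("No stored credential found for the submitted credentialId");
        return false;
    }
    SecretQuestionCredentialModel sqcm = getCredentialFromModel(credentialModel);
    String storedAnswer = sqcm.getSecretQuestionSecretData().getAnswer();
    if (storedAnswer == null) {
        return false;
    }
    // Constant-time comparison of the UTF-8 bytes; String.equals short-circuits on the first
    // differing character. Fully qualified to avoid touching the file's import block.
    return java.security.MessageDigest.isEqual(
            storedAnswer.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            challengeResponse.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}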

Example 14 with UserCredentialModel

use of org.keycloak.models.UserCredentialModel in project keycloak by keycloak.

the class KerberosFederationProvider method authenticate.

/**
 * Runs one SPNEGO (Kerberos) authentication step for the given credential.
 *
 * <p>Returns {@code null} when the input is not a {@link UserCredentialModel} of type
 * {@link UserCredentialModel#KERBEROS}, leaving it to other providers. Otherwise the
 * challenge response is treated as the client's SPNEGO token and handed to a
 * {@code SPNEGOAuthenticator}; the outcome maps to one of three results:
 * <ul>
 *   <li>authenticated: the local user is found or created; a serialized GSS delegation
 *       credential, when present, is stored in the returned state map;</li>
 *   <li>response token present but not yet authenticated: the handshake needs another
 *       round trip, so {@code CONTINUE} is returned with the token in the state map;</li>
 *   <li>otherwise a failed output.</li>
 * </ul>
 *
 * @param realm the realm being authenticated against
 * @param input the submitted credential
 * @return the validation outcome, or {@code null} if this provider does not handle the input
 */
@Override
public CredentialValidationOutput authenticate(RealmModel realm, CredentialInput input) {
    if (!(input instanceof UserCredentialModel)) {
        return null;
    }
    UserCredentialModel credential = (UserCredentialModel) input;
    if (!credential.getType().equals(UserCredentialModel.KERBEROS)) {
        // Not a Kerberos credential: let another provider handle it.
        return null;
    }

    String spnegoToken = credential.getChallengeResponse();
    SPNEGOAuthenticator spnego = factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);
    spnego.authenticate();

    Map<String, String> state = new HashMap<>();
    if (spnego.isAuthenticated()) {
        UserModel user = findOrCreateAuthenticatedUser(realm, spnego.getAuthenticatedUsername());
        if (user == null) {
            return CredentialValidationOutput.failed();
        }
        // Presumably consumed later for credential delegation; it is sensitive material, keep it out of logs.
        String delegationCredential = spnego.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
        }
        return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }

    String responseToken = spnego.getResponseToken();
    if (responseToken != null) {
        // Case when SPNEGO handshake requires multiple steps
        logger.tracef("SPNEGO Handshake will continue");
        state.put(KerberosConstants.RESPONSE_TOKEN, responseToken);
        return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
    }

    logger.tracef("SPNEGO Handshake not successful");
    return CredentialValidationOutput.failed();
}

Example 15 with UserCredentialModel

use of org.keycloak.models.UserCredentialModel in project keycloak by keycloak.

the class PasswordCredentialProvider method isValid.

/**
 * Verifies a submitted password against the user's stored password credential and, when
 * the stored hash no longer satisfies the realm's password policy, transparently re-hashes
 * the (just verified) plaintext with the policy's hash provider.
 *
 * <p>Returns {@code false} when the input is not a {@link UserCredentialModel}, carries no
 * password, the user has no stored password, the stored hash's algorithm has no
 * {@link PasswordHashProvider}, or verification fails. All other paths return {@code true};
 * an outdated hash is upgraded as a side effect (credential store update plus user-cache
 * eviction) but never changes the outcome.
 *
 * @param realm the realm whose password policy applies
 * @param user  the user whose password is checked
 * @param input the submitted credential; the challenge response is the plaintext password
 * @return {@code true} if the password matches
 */
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    if (!(input instanceof UserCredentialModel)) {
        logger.debug("Expected instance of UserCredentialModel for CredentialInput");
        return false;
    }
    String rawPassword = input.getChallengeResponse();
    if (rawPassword == null) {
        logger.debugv("Input password was null for user {0} ", user.getUsername());
        return false;
    }
    PasswordCredentialModel stored = getPassword(realm, user);
    if (stored == null) {
        logger.debugv("No password cached or stored for user {0} ", user.getUsername());
        return false;
    }

    // Verify with the provider for the algorithm the stored hash was produced with.
    String algorithm = stored.getPasswordCredentialData().getAlgorithm();
    PasswordHashProvider verifier = session.getProvider(PasswordHashProvider.class, algorithm);
    if (verifier == null) {
        logger.debugv("PasswordHashProvider {0} not found for user {1} ", algorithm, user.getUsername());
        return false;
    }
    if (!verifier.verify(rawPassword, stored)) {
        logger.debugv("Failed password validation for user {0} ", user.getUsername());
        return false;
    }

    // Password is correct. Upgrade the stored hash only if a policy exists, has a hash
    // provider, and that provider judges the stored hash out of date.
    PasswordPolicy policy = realm.getPasswordPolicy();
    PasswordHashProvider policyHasher = (policy == null) ? null : getHashProvider(policy);
    if (policyHasher == null || policyHasher.policyCheck(policy, stored)) {
        return true;
    }

    // Re-hash the plaintext we just verified, keeping the credential's identity and metadata.
    PasswordCredentialModel rehashed = policyHasher.encodedCredential(rawPassword, policy.getHashIterations());
    rehashed.setId(stored.getId());
    rehashed.setCreatedDate(stored.getCreatedDate());
    rehashed.setUserLabel(stored.getUserLabel());
    getCredentialStore().updateCredential(realm, user, rehashed);

    // Drop the cached user so the next read sees the new hash.
    UserCache userCache = session.userCache();
    if (userCache != null) {
        userCache.evict(realm, user);
    }
    return true;
}
