KEYCLOAK-5715

filipeferraz · Nov 17, 2017 · c66ff60 · c66ff60
1 parent feaf834
commit c66ff60
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 3 deletions.
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java
@@ -611,6 +611,8 @@ public List<UserModel> getUsers(RealmModel realm) {
 
     @Override
     public List<UserModel> getUsers(RealmModel realm, int firstResult, int maxResults) {
+        // NOTE: If we ever end up caching this query, or the users returned by this query.  The UsersResource.getUsers
+        // method must be reimplemented when "localOnly" query parameter is true.
         return getUsers(realm, firstResult, maxResults, false);
     }
 
@@ -621,6 +623,8 @@ public List<UserModel> searchForUser(String search, RealmModel realm) {
 
     @Override
     public List<UserModel> searchForUser(String search, RealmModel realm, int firstResult, int maxResults) {
+        // NOTE: If we ever end up caching this query, or the users returned by this query.  The UsersResource.getUsers
+        // method must be reimplemented when "localOnly" query parameter is true.
         return getDelegate().searchForUser(search, realm, firstResult, maxResults);
     }
 
@@ -631,6 +635,8 @@ public List<UserModel> searchForUser(Map<String, String> attributes, RealmModel
 
     @Override
     public List<UserModel> searchForUser(Map<String, String> attributes, RealmModel realm, int firstResult, int maxResults) {
+        // NOTE: If we ever end up caching this query, or the users returned by this query.  The UsersResource.getUsers
+        // method must be reimplemented when "localOnly" query parameter is true.
         return getDelegate().searchForUser(attributes, realm, firstResult, maxResults);
     }
 

diff --git a/...er-spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java b/...er-spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
@@ -73,6 +73,16 @@ public void encode(String rawPassword, int iterations, CredentialModel credentia
         credential.setValue(encodedPassword);
     }
 
+    @Override
+    public String encode(String rawPassword, int iterations) {
+        if (iterations == -1) {
+            iterations = defaultIterations;
+        }
+
+        byte[] salt = getSalt();
+        return encode(rawPassword, iterations, salt);
+    }
+
     @Override
     public boolean verify(String rawPassword, CredentialModel credential) {
         return encode(rawPassword, credential.getHashIterations(), credential.getSalt()).equals(credential.getValue());

diff --git a/server-spi/src/main/java/org/keycloak/credential/hash/PasswordHashProvider.java b/server-spi/src/main/java/org/keycloak/credential/hash/PasswordHashProvider.java
@@ -29,5 +29,10 @@ public interface PasswordHashProvider extends Provider {
 
     void encode(String rawPassword, int iterations, CredentialModel credential);
 
+    default
+    String encode(String rawPassword, int iterations) {
+        return rawPassword;
+    }
+
     boolean verify(String rawPassword, CredentialModel credential);
 }
diff --git a/...org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java b/...org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@@ -22,9 +22,12 @@
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.credential.CredentialInput;
+import org.keycloak.credential.CredentialModel;
+import org.keycloak.credential.hash.PasswordHashProvider;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
@@ -83,8 +86,32 @@ protected Response setDuplicateUserChallenge(AuthenticationFlowContext context,
         return challengeResponse;
     }
 
+    protected void runDefaultDummyHash(AuthenticationFlowContext context) {
+        PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, PasswordPolicy.HASH_ALGORITHM_DEFAULT);
+        hash.encode("dummypassword", PasswordPolicy.HASH_ITERATIONS_DEFAULT);
+    }
+
+    protected void dummyHash(AuthenticationFlowContext context) {
+        PasswordPolicy policy = context.getRealm().getPasswordPolicy();
+        if (policy == null) {
+            runDefaultDummyHash(context);
+            return;
+        } else {
+            PasswordHashProvider hash = context.getSession().getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
+            if (hash == null) {
+                runDefaultDummyHash(context);
+                return;
+
+            } else {
+                hash.encode("dummypassword", policy.getHashIterations());
+            }
+        }
+
+    }
+
     public boolean invalidUser(AuthenticationFlowContext context, UserModel user) {
         if (user == null) {
+            dummyHash(context);
             context.getEvent().error(Errors.USER_NOT_FOUND);
             Response challengeResponse = invalidUser(context);
             context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
@@ -144,15 +171,15 @@ public boolean validateUserAndPassword(AuthenticationFlowContext context, Multiv
             return false;
         }
 
-        if (invalidUser(context, user)){
+        if (invalidUser(context, user)) {
             return false;
         }
 
-        if (!validatePassword(context, user, inputData)){
+        if (!validatePassword(context, user, inputData)) {
             return false;
         }
 
-        if(!enabledUser(context, user)){
+        if (!enabledUser(context, user)) {
             return false;
         }