예제 #1
0
  @Override
  public void updateCredential(UserCredentialModel cred) {
    CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());

    if (credentialEntity == null) {
      credentialEntity = new CredentialEntity();
      credentialEntity.setId(KeycloakModelUtils.generateId());
      credentialEntity.setType(cred.getType());
      credentialEntity.setDevice(cred.getDevice());
      credentialEntity.setUser(user);
      em.persist(credentialEntity);
      user.getCredentials().add(credentialEntity);
    }
    if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
      byte[] salt = getSalt();
      int hashIterations = 1;
      PasswordPolicy policy = realm.getPasswordPolicy();
      if (policy != null) {
        hashIterations = policy.getHashIterations();
        if (hashIterations == -1) hashIterations = 1;
      }
      credentialEntity.setValue(
          new Pbkdf2PasswordEncoder(salt).encode(cred.getValue(), hashIterations));
      credentialEntity.setSalt(salt);
      credentialEntity.setHashIterations(hashIterations);
    } else {
      credentialEntity.setValue(cred.getValue());
    }
    credentialEntity.setDevice(cred.getDevice());
    em.flush();
  }
  @Override
  public void updateCredential(UserCredentialModel cred) {
    if (!provider.getSupportedCredentialTypes(delegate).contains(cred.getType())) {
      delegate.updateCredential(cred);
      return;
    }
    IdentityManager identityManager = provider.getIdentityManager();

    try {
      User picketlinkUser = BasicModel.getUser(identityManager, getUsername());
      if (picketlinkUser == null) {
        logger.debugf("User '%s' doesn't exists. Skip password update", getUsername());
        throw new IllegalStateException("User doesn't exist in LDAP storage");
      }
      if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
        identityManager.updateCredential(
            picketlinkUser, new Password(cred.getValue().toCharArray()));
      } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
        TOTPCredential credential = new TOTPCredential(cred.getValue());
        credential.setDevice(cred.getDevice());
        identityManager.updateCredential(picketlinkUser, credential);
      }
    } catch (IdentityManagementException ie) {
      throw new ModelException(ie);
    }
  }
예제 #3
0
  @Override
  public void updateCredential(UserCredentialModel cred) {

    if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
      updatePasswordCredential(cred);
    } else {
      CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());

      if (credentialEntity == null) {
        credentialEntity = setCredentials(user, cred);
        credentialEntity.setValue(cred.getValue());
        user.getCredentials().add(credentialEntity);
      } else {
        credentialEntity.setValue(cred.getValue());
      }
    }
  }
  @Override
  public void updateCredential(UserCredentialModel cred) {
    if (!provider.getSupportedCredentialTypes(delegate).contains(cred.getType())) {
      delegate.updateCredential(cred);
      return;
    }

    if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
      LDAPIdentityStore ldapIdentityStore = provider.getLdapIdentityStore();
      String password = cred.getValue();
      ldapIdentityStore.updatePassword(ldapObject, password);
    } else {
      logger.warnf(
          "Don't know how to update credential of type [%s] for user [%s]",
          cred.getType(), delegate.getUsername());
    }
  }
예제 #5
0
 private CredentialEntity setCredentials(UserEntity user, UserCredentialModel cred) {
   CredentialEntity credentialEntity = new CredentialEntity();
   credentialEntity.setId(KeycloakModelUtils.generateId());
   credentialEntity.setType(cred.getType());
   credentialEntity.setDevice(cred.getDevice());
   credentialEntity.setUser(user);
   return credentialEntity;
 }
 @Override
 public boolean validCredentials(
     RealmModel realm, UserModel user, List<UserCredentialModel> input) {
   for (UserCredentialModel cred : input) {
     if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
       return validPassword(realm, user, cred.getValue());
     } else {
       return false; // invalid cred type
     }
   }
   return true;
 }
  @Override
  public CredentialValidationOutput validCredentials(
      RealmModel realm, UserCredentialModel credential) {
    if (credential.getType().equals(UserCredentialModel.KERBEROS)) {
      if (kerberosConfig.isAllowKerberosAuthentication()) {
        String spnegoToken = credential.getValue();
        SPNEGOAuthenticator spnegoAuthenticator =
            factory.createSPNEGOAuthenticator(spnegoToken, kerberosConfig);

        spnegoAuthenticator.authenticate();

        Map<String, String> state = new HashMap<String, String>();
        if (spnegoAuthenticator.isAuthenticated()) {

          // TODO: This assumes that LDAP "uid" is equal to kerberos principal name. Like uid
          // "hnelson" and kerberos principal "*****@*****.**".
          // Check if it's correct or if LDAP attribute for mapping kerberos principal should be
          // available (For ApacheDS it seems to be attribute "krb5PrincipalName" but on MSAD it's
          // likely different)
          String username = spnegoAuthenticator.getAuthenticatedUsername();
          UserModel user = findOrCreateAuthenticatedUser(realm, username);

          if (user == null) {
            logger.warnf(
                "Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]",
                username, model.getDisplayName());
            return CredentialValidationOutput.failed();
          } else {
            String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
            if (delegationCredential != null) {
              state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
            }

            return new CredentialValidationOutput(
                user, CredentialValidationOutput.Status.AUTHENTICATED, state);
          }
        } else {
          state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
          return new CredentialValidationOutput(
              null, CredentialValidationOutput.Status.CONTINUE, state);
        }
      }
    }

    return CredentialValidationOutput.failed();
  }
예제 #8
0
  private void updatePasswordCredential(UserCredentialModel cred) {
    CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());

    if (credentialEntity == null) {
      credentialEntity = setCredentials(user, cred);
      setValue(credentialEntity, cred);
      em.persist(credentialEntity);
      user.getCredentials().add(credentialEntity);
    } else {

      int expiredPasswordsPolicyValue = -1;
      PasswordPolicy policy = realm.getPasswordPolicy();
      if (policy != null) {
        expiredPasswordsPolicyValue = policy.getExpiredPasswords();
      }

      if (expiredPasswordsPolicyValue != -1) {
        user.getCredentials().remove(credentialEntity);
        credentialEntity.setType(UserCredentialModel.PASSWORD_HISTORY);
        user.getCredentials().add(credentialEntity);

        List<CredentialEntity> credentialEntities =
            getCredentialEntities(user, UserCredentialModel.PASSWORD_HISTORY);
        if (credentialEntities.size() > expiredPasswordsPolicyValue - 1) {
          user.getCredentials()
              .removeAll(
                  credentialEntities.subList(
                      expiredPasswordsPolicyValue - 1, credentialEntities.size()));
        }

        credentialEntity = setCredentials(user, cred);
        setValue(credentialEntity, cred);
        em.persist(credentialEntity);
        user.getCredentials().add(credentialEntity);
      } else {
        List<CredentialEntity> credentialEntities =
            getCredentialEntities(user, UserCredentialModel.PASSWORD_HISTORY);
        if (credentialEntities != null && credentialEntities.size() > 0) {
          user.getCredentials().removeAll(credentialEntities);
        }
        setValue(credentialEntity, cred);
      }
    }
  }
예제 #9
0
  private void updateOtpCredential(UserCredentialModel cred) {
    CredentialEntity credentialEntity = getCredentialEntity(user, cred.getType());

    if (credentialEntity == null) {
      credentialEntity = setCredentials(user, cred);

      credentialEntity.setValue(cred.getValue());
      OTPPolicy otpPolicy = realm.getOTPPolicy();
      credentialEntity.setAlgorithm(otpPolicy.getAlgorithm());
      credentialEntity.setDigits(otpPolicy.getDigits());
      credentialEntity.setCounter(otpPolicy.getInitialCounter());
      credentialEntity.setPeriod(otpPolicy.getPeriod());
      em.persist(credentialEntity);
      user.getCredentials().add(credentialEntity);
    } else {
      OTPPolicy policy = realm.getOTPPolicy();
      credentialEntity.setDigits(policy.getDigits());
      credentialEntity.setCounter(policy.getInitialCounter());
      credentialEntity.setAlgorithm(policy.getAlgorithm());
      credentialEntity.setValue(cred.getValue());
      credentialEntity.setPeriod(policy.getPeriod());
    }
  }
예제 #10
0
 private CredentialEntity setCredentials(UserEntity user, UserCredentialModel cred) {
   CredentialEntity credentialEntity = new CredentialEntity();
   credentialEntity.setType(cred.getType());
   credentialEntity.setDevice(cred.getDevice());
   return credentialEntity;
 }