Java Code Examples for org.keycloak.models.RealmModel#getPasswordPolicy()

Example 1
Source File: DefaultPasswordPolicyManagerProvider.java — from the keycloak project (Apache License 2.0)
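/**
 * Resolves the {@link PasswordPolicyProvider} for every policy id configured on
 * the realm's password policy, in the order the policy lists them.
 *
 * <p>Fails closed: a configured policy id for which {@code session.getProvider}
 * yields no provider raises an {@link IllegalStateException} naming the id,
 * instead of a {@code null} entry being added to the list (which the original
 * did, leaving any failure to surface later and without the offending id).
 * Silently skipping an unresolvable policy would weaken password enforcement.
 *
 * @param realm   realm whose password policy is read
 * @param session session used to look up providers by id
 * @return the resolved providers; never contains {@code null}
 * @throws IllegalStateException if a configured policy id has no provider
 */
private List<PasswordPolicyProvider> getProviders(RealmModel realm, KeycloakSession session) {
    PasswordPolicy policy = realm.getPasswordPolicy();
    List<PasswordPolicyProvider> providers = new LinkedList<>();
    for (String policyId : policy.getPolicies()) {
        PasswordPolicyProvider provider = session.getProvider(PasswordPolicyProvider.class, policyId);
        if (provider == null) {
            throw new IllegalStateException(
                    "No PasswordPolicyProvider registered for configured password policy '" + policyId + "'");
        }
        providers.add(provider);
    }
    return providers;
}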
 
Example 2
Source File: PasswordCredentialProvider.java — from the keycloak project (Apache License 2.0)
/**
 * Validates a cleartext password against the realm password policy and, if it
 * passes, stores it hashed (under the policy's hash provider and iteration count)
 * as the user's password credential.
 *
 * <p>Order matters: the policy is enforced first, so nothing is hashed or
 * persisted for a rejected password. The hash algorithm comes from
 * {@code getHashProvider(policy)} (defined elsewhere in this class).
 *
 * @param realm    realm whose password policy applies
 * @param user     user receiving the credential
 * @param password cleartext password supplied by the caller
 * @return {@code true} once the credential was stored; {@code false} if no hash
 *         provider could be resolved for the policy, in which case nothing is stored
 * @throws ModelException if the password violates the realm password policy; the
 *         policy error's message and parameters are carried over
 */
public boolean createCredential(RealmModel realm, UserModel user, String password) {
    PasswordPolicy policy = realm.getPasswordPolicy();

    PolicyError violation = session.getProvider(PasswordPolicyManagerProvider.class).validate(realm, user, password);
    if (violation != null) {
        throw new ModelException(violation.getMessage(), violation.getParameters());
    }

    PasswordHashProvider hashProvider = getHashProvider(policy);
    if (hashProvider == null) {
        return false;
    }

    PasswordCredentialModel hashed = hashProvider.encodedCredential(password, policy.getHashIterations());
    hashed.setCreatedDate(Time.currentTimeMillis());
    createCredential(realm, user, hashed);
    return true;
}
 
Example 3
Source File: PasswordCredentialProvider.java — from the keycloak project (Apache License 2.0)
/**
 * Stores {@code credentialModel} as the user's password, replacing any existing
 * one, and maintains the PASSWORD_HISTORY credentials that back the
 * "expired passwords" policy value.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>Insert the credential if the user has no password yet; otherwise
 *       overwrite the existing password record in place (same id).</li>
 *   <li>If a password was replaced and the policy keeps more than one
 *       generation, re-insert the previous record as a PASSWORD_HISTORY
 *       credential (presumably consulted by the policy to reject reuse — the
 *       check itself lives elsewhere).</li>
 *   <li>Trim the history to the {@code expiredPasswords - 1} newest entries; the
 *       current password accounts for the remaining generation.</li>
 *   <li>Evict the user from the user cache so stale credentials are not served.</li>
 * </ol>
 *
 * @param realm           realm the user belongs to
 * @param user            user whose password is set
 * @param credentialModel already-hashed password credential to store; its created
 *                        date is set to now if absent
 * @return the stored credential: the store's result for a fresh password, or
 *         {@code credentialModel} itself when an existing password was updated
 */
@Override
public CredentialModel createCredential(RealmModel realm, UserModel user, PasswordCredentialModel credentialModel) {
    int expiredPasswords = realm.getPasswordPolicy().getExpiredPasswords();

    CredentialModel previous = getPassword(realm, user);
    if (credentialModel.getCreatedDate() == null) {
        credentialModel.setCreatedDate(Time.currentTimeMillis());
    }

    CredentialModel stored;
    if (previous == null) {
        // First password for this user: plain insert.
        stored = getCredentialStore().createCredential(realm, user, credentialModel);
    } else {
        // Reuse the existing record's id so the password is replaced rather than duplicated.
        credentialModel.setId(previous.getId());
        getCredentialStore().updateCredential(realm, user, credentialModel);
        stored = credentialModel;
        if (expiredPasswords > 1) {
            archivePassword(realm, user, previous);
        }
    }

    trimPasswordHistory(realm, user, Math.max(0, expiredPasswords - 1));

    UserCache userCache = session.userCache();
    if (userCache != null) {
        userCache.evict(realm, user);
    }
    return stored;
}

/**
 * Re-inserts a replaced password record as a PASSWORD_HISTORY credential.
 * The hash is kept as-is; only id and type change. Note this mutates the model
 * returned by {@code getPassword()}; the caller evicts the user cache afterwards.
 */
private void archivePassword(RealmModel realm, UserModel user, CredentialModel previous) {
    previous.setId(null);
    previous.setType(PasswordCredentialModel.PASSWORD_HISTORY);
    getCredentialStore().createCredential(realm, user, previous);
}

/** Removes all but the {@code keep} newest (by start date) PASSWORD_HISTORY credentials of the user. */
private void trimPasswordHistory(RealmModel realm, UserModel user, int keep) {
    List<CredentialModel> history = getCredentialStore().getStoredCredentialsByType(realm, user, PasswordCredentialModel.PASSWORD_HISTORY);
    if (history.size() <= keep) {
        return;
    }
    history.stream()
            .sorted(CredentialModel.comparingByStartDateDesc())
            .skip(keep)
            .forEach(stale -> getCredentialStore().removeStoredCredential(realm, user, stale.getId()));
}
 
Example 4
Source File: PasswordCredentialProvider.java — from the keycloak project (Apache License 2.0)
/**
 * Verifies a password login attempt against the user's stored password hash and,
 * on success, re-hashes the password if the stored credential no longer satisfies
 * the realm's current hashing policy (see {@link #upgradeHashIfPolicyChanged}).
 *
 * <p>Every rejection path returns {@code false} and logs at debug level only; the
 * caller cannot distinguish "no password stored", "unknown hash algorithm" and
 * "wrong password". Verification uses the algorithm recorded on the stored
 * credential, not the realm's current one, so old hashes keep working after a
 * policy change. The re-hash lives here because this is the only point where
 * the cleartext password is available.
 *
 * @param realm realm the user belongs to
 * @param user  user being authenticated
 * @param input credential input; must be a {@link UserCredentialModel} carrying a
 *              non-null challenge response (the cleartext password)
 * @return {@code true} iff the supplied password matches the stored hash
 */
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
    if (!(input instanceof UserCredentialModel)) {
        logger.debug("Expected instance of UserCredentialModel for CredentialInput");
        return false;
    }
    String cleartext = input.getChallengeResponse();
    if (cleartext == null) {
        logger.debugv("Input password was null for user {0} ", user.getUsername());
        return false;
    }

    PasswordCredentialModel stored = getPassword(realm, user);
    if (stored == null) {
        logger.debugv("No password cached or stored for user {0} ", user.getUsername());
        return false;
    }

    String algorithm = stored.getPasswordCredentialData().getAlgorithm();
    PasswordHashProvider storedAlgorithm = session.getProvider(PasswordHashProvider.class, algorithm);
    if (storedAlgorithm == null) {
        logger.debugv("PasswordHashProvider {0} not found for user {1} ", algorithm, user.getUsername());
        return false;
    }
    if (!storedAlgorithm.verify(cleartext, stored)) {
        logger.debugv("Failed password validation for user {0} ", user.getUsername());
        return false;
    }

    upgradeHashIfPolicyChanged(realm, user, stored, cleartext);
    return true;
}

/**
 * Post-verification hash upgrade: if the realm's password policy resolves to a
 * hash provider and the stored credential fails that provider's
 * {@code policyCheck}, re-encode the cleartext under the current policy and
 * overwrite the stored record in place (same id, created date and user label),
 * then evict the user from the cache. A missing policy or unresolvable provider
 * leaves the credential untouched. Only call this after the password verified.
 */
private void upgradeHashIfPolicyChanged(RealmModel realm, UserModel user, PasswordCredentialModel stored, String cleartext) {
    PasswordPolicy policy = realm.getPasswordPolicy();
    if (policy == null) {
        return;
    }
    PasswordHashProvider current = getHashProvider(policy);
    if (current == null || current.policyCheck(policy, stored)) {
        return;
    }

    PasswordCredentialModel rehashed = current.encodedCredential(cleartext, policy.getHashIterations());
    rehashed.setId(stored.getId());
    rehashed.setCreatedDate(stored.getCreatedDate());
    rehashed.setUserLabel(stored.getUserLabel());
    getCredentialStore().updateCredential(realm, user, rehashed);

    UserCache userCache = session.userCache();
    if (userCache != null) {
        userCache.evict(realm, user);
    }
}