Failure reset time is applied to Permanent Lockout

Closes keycloak#28821 Signed-off-by: Douglas Palmer <[email protected]>
edewit · Jul 18, 2024 · 3500618 · 3500618
1 parent 12d76a6
commit 3500618
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java b/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java
@@ -168,7 +168,7 @@ protected void failure(KeycloakSession session, LoginEvent event) {
         }
         userLoginFailure.setLastFailure(currentTime);
 
-        if (deltaTime > 0) {
+        if (!(realm.isPermanentLockout() && realm.getMaxTemporaryLockouts() == 0) && deltaTime > 0) {
             // if last failure was more than MAX_DELTA clear failures
             if (deltaTime > (long) realm.getMaxDeltaTimeSeconds() * 1000L) {
                 userLoginFailure.clearFailures();

diff --git a/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java b/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
@@ -402,6 +402,47 @@ public void testBrowserInvalidPassword() throws Exception {
         loginSuccess();
     }
 
+    @Test
+    public void testFailureResetForTemporaryLockout() throws Exception {
+        RealmRepresentation realm = testRealm().toRepresentation();
+        try {
+            realm.setMaxDeltaTimeSeconds(5);
+            testRealm().update(realm);
+            loginInvalidPassword();
+
+            testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(5)));
+
+            loginInvalidPassword();
+            loginSuccess();
+        } finally {
+            realm.setMaxDeltaTimeSeconds(20);
+            testRealm().update(realm);
+        }
+    }
+
+    @Test
+    public void testNoFailureResetForPermanentLockout() throws Exception {
+        RealmRepresentation realm = testRealm().toRepresentation();
+        try {
+            realm.setMaxDeltaTimeSeconds(5);
+            realm.setPermanentLockout(true);
+            testRealm().update(realm);
+            loginInvalidPassword();
+
+            testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(5)));
+
+            loginInvalidPassword();
+            expectPermanentlyDisabled();
+        } finally {
+            realm.setPermanentLockout(false);
+            realm.setMaxDeltaTimeSeconds(20);
+            testRealm().update(realm);
+            UserRepresentation user = adminClient.realm("test").users().search("test-user@localhost", 0, 1).get(0);
+            user.setEnabled(true);
+            updateUser(user);
+        }
+    }
+
     @Test
     public void testWait() throws Exception {
         loginSuccess();