org.keycloak.services.managers.DefaultBruteForceProtector クラス

org.keycloak.services.managers.DefaultBruteForceProtector の継承関係図

org.keycloak.services.managers.DefaultBruteForceProtector 連携図

クラス
class	FailedLogin
class	LoginEvent
class	ShutdownEvent
class	SuccessfulLogin

公開メンバ関数
	DefaultBruteForceProtector (KeycloakSessionFactory factory)
void	failure (KeycloakSession session, LoginEvent event)
void	start ()
void	shutdown ()
void	run ()
void	failedLogin (RealmModel realm, UserModel user, ClientConnection clientConnection)
void	successfulLogin (final RealmModel realm, final UserModel user, final ClientConnection clientConnection)
boolean	isTemporarilyDisabled (KeycloakSession session, RealmModel realm, UserModel user)
void	close ()

静的公開変数類
static final int	TRANSACTION_SIZE = 20

限定公開メンバ関数
UserLoginFailureModel	getUserModel (KeycloakSession session, LoginEvent event)
RealmModel	getRealmModel (KeycloakSession session, LoginEvent event)
void	logFailure (LoginEvent event)

限定公開変数類
volatile boolean	run = true
int	maxDeltaTimeSeconds = 60 * 60 * 12
KeycloakSessionFactory	factory
CountDownLatch	shutdownLatch = new CountDownLatch(1)
volatile long	failures
volatile long	lastFailure
volatile long	totalTime
LinkedBlockingQueue< LoginEvent >	queue = new LinkedBlockingQueue<LoginEvent>()

非公開メンバ関数
void	success (KeycloakSession session, LoginEvent event)

静的非公開変数類
static final Logger	logger = Logger.getLogger(DefaultBruteForceProtector.class)

詳解

A single thread will log failures. This is so that we can avoid concurrent writes as we want an accurate failure count

著者

Bill Burke

バージョン

Revision

1

構築子と解体子

DefaultBruteForceProtector()

org.keycloak.services.managers.DefaultBruteForceProtector.DefaultBruteForceProtector ( KeycloakSessionFactory  factory )

inline

                                                                      {
        this.factory = factory;
    }

関数詳解

close()

void org.keycloak.services.managers.DefaultBruteForceProtector.close ( )

inline

                        {

    }

failedLogin()

void org.keycloak.services.managers.DefaultBruteForceProtector.failedLogin ( RealmModel  realm, UserModel  user, ClientConnection  clientConnection  )

inline

                                                                                                 {
        try {
            FailedLogin event = new FailedLogin(realm.getId(), user.getId(), clientConnection.getRemoteAddr());
            queue.offer(event);
            // wait a minimum of seconds for type to process so that a hacker
            // cannot flood with failed logins and overwhelm the queue and not have notBefore updated to block next requests
            // todo failure HTTP responses should be queued via async HTTP
            event.latch.await(5, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
        }
        logger.trace("sent failure event");
    }

failure()

void org.keycloak.services.managers.DefaultBruteForceProtector.failure ( KeycloakSession  session, LoginEvent  event  )

inline

                                                                   {
        logger.debug("failure");
        RealmModel realm = getRealmModel(session, event);
        logFailure(event);

        String userId = event.userId;
        UserModel user = session.users().getUserById(userId, realm);
        if (user == null) {
            return;
        }

        UserLoginFailureModel userLoginFailure = getUserModel(session, event);
        if (userLoginFailure == null) {
            userLoginFailure = session.sessions().addUserLoginFailure(realm, userId);
        }
        userLoginFailure.setLastIPFailure(event.ip);
        long currentTime = Time.currentTimeMillis();
        long last = userLoginFailure.getLastFailure();
        long deltaTime = 0;
        if (last > 0) {
            deltaTime = currentTime - last;
        }
        userLoginFailure.setLastFailure(currentTime);

        if(realm.isPermanentLockout()) {
            userLoginFailure.incrementFailures();
            logger.debugv("new num failures: {0}", userLoginFailure.getNumFailures());

            if(userLoginFailure.getNumFailures() == realm.getFailureFactor()) {
                logger.debugv("user {0} locked permanently due to too many login attempts", user.getUsername());
                user.setEnabled(false);
                return;
            }

            if (last > 0 && deltaTime < realm.getQuickLoginCheckMilliSeconds()) {
                logger.debugv("quick login, set min wait seconds");
                int waitSeconds = realm.getMinimumQuickLoginWaitSeconds();
                int notBefore = (int) (currentTime / 1000) + waitSeconds;
                logger.debugv("set notBefore: {0}", notBefore);
                userLoginFailure.setFailedLoginNotBefore(notBefore);
            }
            return;
        }

        if (deltaTime > 0) {
            // if last failure was more than MAX_DELTA clear failures
            if (deltaTime > (long) realm.getMaxDeltaTimeSeconds() * 1000L) {
                userLoginFailure.clearFailures();
            }
        }
        userLoginFailure.incrementFailures();
        logger.debugv("new num failures: {0}", userLoginFailure.getNumFailures());

        int waitSeconds = realm.getWaitIncrementSeconds() *  (userLoginFailure.getNumFailures() / realm.getFailureFactor());
        logger.debugv("waitSeconds: {0}", waitSeconds);
        logger.debugv("deltaTime: {0}", deltaTime);

        if (waitSeconds == 0) {
            if (last > 0 && deltaTime < realm.getQuickLoginCheckMilliSeconds()) {
                logger.debugv("quick login, set min wait seconds");
                waitSeconds = realm.getMinimumQuickLoginWaitSeconds();
            }
        }
        if (waitSeconds > 0) {
            waitSeconds = Math.min(realm.getMaxFailureWaitSeconds(), waitSeconds);
            int notBefore = (int) (currentTime / 1000) + waitSeconds;
            logger.debugv("set notBefore: {0}", notBefore);
            userLoginFailure.setFailedLoginNotBefore(notBefore);
        }
    }

getRealmModel()

RealmModel org.keycloak.services.managers.DefaultBruteForceProtector.getRealmModel ( KeycloakSession  session, LoginEvent  event  )

inlineprotected

                                                                                  {
        RealmModel realm = session.realms().getRealm(event.realmId);
        if (realm == null) return null;
        return realm;
    }

getUserModel()

UserLoginFailureModel org.keycloak.services.managers.DefaultBruteForceProtector.getUserModel ( KeycloakSession  session, LoginEvent  event  )

inlineprotected

                                                                                            {
        RealmModel realm = getRealmModel(session, event);
        if (realm == null) return null;
        UserLoginFailureModel user = session.sessions().getUserLoginFailure(realm, event.userId);
        if (user == null) return null;
        return user;
    }

isTemporarilyDisabled()

boolean org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled ( KeycloakSession  session, RealmModel  realm, UserModel  user  )

inline

                                                                                                    {
        UserLoginFailureModel failure = session.sessions().getUserLoginFailure(realm, user.getId());

        if (failure != null) {
            int currTime = (int) (Time.currentTimeMillis() / 1000);
            int failedLoginNotBefore = failure.getFailedLoginNotBefore();
            if (currTime < failedLoginNotBefore) {
                logger.debugv("Current: {0} notBefore: {1}", currTime, failedLoginNotBefore);
                return true;
            }
        }


        return false;
    }

logFailure()

void org.keycloak.services.managers.DefaultBruteForceProtector.logFailure ( LoginEvent  event )

inlineprotected

                                                {
        ServicesLogger.LOGGER.loginFailure(event.userId, event.ip);
        failures++;
        long delta = 0;
        if (lastFailure > 0) {
            delta = Time.currentTimeMillis() - lastFailure;
            if (delta > (long)maxDeltaTimeSeconds * 1000L) {
                totalTime = 0;

            } else {
                totalTime += delta;
            }
        }
    }

run()

void org.keycloak.services.managers.DefaultBruteForceProtector.run ( )

inline

                      {
        final ArrayList<LoginEvent> events = new ArrayList<LoginEvent>(TRANSACTION_SIZE + 1);
        try {
            while (run) {
                try {
                    LoginEvent take = queue.poll(2, TimeUnit.SECONDS);
                    if (take == null) {
                        continue;
                    }
                    try {
                        events.add(take);
                        queue.drainTo(events, TRANSACTION_SIZE);
                        Collections.sort(events); // we sort to avoid deadlock due to ordered updates.  Maybe I'm overthinking this.
                        KeycloakSession session = factory.create();
                        session.getTransactionManager().begin();
                        try {
                            for (LoginEvent event : events) {
                                if (event instanceof FailedLogin) {
                                    failure(session, event);
                                } else if (event instanceof SuccessfulLogin) {
                                    success(session, event);
                                } else if (event instanceof ShutdownEvent) {
                                    run = false;
                                }
                            }
                            session.getTransactionManager().commit();
                        } catch (Exception e) {
                            session.getTransactionManager().rollback();
                            throw e;
                        } finally {
                            for (LoginEvent event : events) {
                                if (event instanceof FailedLogin) {
                                    ((FailedLogin) event).latch.countDown();
                                } else if (event instanceof SuccessfulLogin) {
                                    ((SuccessfulLogin) event).latch.countDown();
                                }
                            }
                            events.clear();
                            session.close();
                        }
                    } catch (Exception e) {
                        ServicesLogger.LOGGER.failedProcessingType(e);
                    }
                } catch (InterruptedException e) {
                    break;
                }
            }
        } finally {
            shutdownLatch.countDown();
        }
    }

shutdown()

void org.keycloak.services.managers.DefaultBruteForceProtector.shutdown ( )

inline

                           {
        run = false;
        try {
            queue.offer(new ShutdownEvent());
            shutdownLatch.await(10, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }

start()

void org.keycloak.services.managers.DefaultBruteForceProtector.start ( )

inline

                        {
        new Thread(this, "Brute Force Protector").start();
    }

success()

void org.keycloak.services.managers.DefaultBruteForceProtector.success ( KeycloakSession  session, LoginEvent  event  )

inlineprivate

                                                                    {
        String userId = event.userId;
        UserModel model = session.users().getUserById(userId, getRealmModel(session, event));

        UserLoginFailureModel user = getUserModel(session, event);
        if(user == null) return;

        logger.debugv("user {0} successfully logged in, clearing all failures", model.getUsername());
        user.clearFailures();
    }

successfulLogin()

void org.keycloak.services.managers.DefaultBruteForceProtector.successfulLogin ( final RealmModel  realm, final UserModel  user, final ClientConnection  clientConnection  )

inline

                                                                                                                       {
        try {
            SuccessfulLogin event = new SuccessfulLogin(realm.getId(), user.getId(), clientConnection.getRemoteAddr());
            queue.offer(event);

            event.latch.await(5, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
        }
        logger.trace("sent success event");
    }

メンバ詳解

factory

KeycloakSessionFactory org.keycloak.services.managers.DefaultBruteForceProtector.factory

protected

failures

volatile long org.keycloak.services.managers.DefaultBruteForceProtector.failures

protected

lastFailure

volatile long org.keycloak.services.managers.DefaultBruteForceProtector.lastFailure

protected

logger

final Logger org.keycloak.services.managers.DefaultBruteForceProtector.logger = Logger.getLogger(DefaultBruteForceProtector.class)

staticprivate

maxDeltaTimeSeconds

int org.keycloak.services.managers.DefaultBruteForceProtector.maxDeltaTimeSeconds = 60 * 60 * 12

protected

queue

LinkedBlockingQueue<LoginEvent> org.keycloak.services.managers.DefaultBruteForceProtector.queue = new LinkedBlockingQueue<LoginEvent>()

protected

run

volatile boolean org.keycloak.services.managers.DefaultBruteForceProtector.run = true

protected

shutdownLatch

CountDownLatch org.keycloak.services.managers.DefaultBruteForceProtector.shutdownLatch = new CountDownLatch(1)

protected

totalTime

volatile long org.keycloak.services.managers.DefaultBruteForceProtector.totalTime

protected

TRANSACTION_SIZE

final int org.keycloak.services.managers.DefaultBruteForceProtector.TRANSACTION_SIZE = 20

static

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java