From 2bcd2dbe74ac038c1b56b51b49087a9818541f2a Mon Sep 17 00:00:00 2001
From: mposolda
Date: Tue, 18 Feb 2025 10:41:10 +0100
Subject: [PATCH] Password policies like NoUsername should compare in case-insensitive way
closes #37431
Signed-off-by: mposolda
---
 ...ContainsUsernamePasswordPolicyProvider.java | 2 +-
 .../policy/NotEmailPasswordPolicyProvider.java | 2 +-
 .../NotUsernamePasswordPolicyProvider.java | 2 +-
 .../keycloak/testsuite/forms/RegisterTest.java | 18 ++++++++++++++++++
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/server-spi-private/src/main/java/org/keycloak/policy/NotContainsUsernamePasswordPolicyProvider.java b/server-spi-private/src/main/java/org/keycloak/policy/NotContainsUsernamePasswordPolicyProvider.java
index 7d1e020b486..b23060bb76a 100644
--- a/server-spi-private/src/main/java/org/keycloak/policy/NotContainsUsernamePasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/NotContainsUsernamePasswordPolicyProvider.java
@@ -36,7 +36,7 @@ public class NotContainsUsernamePasswordPolicyProvider implements PasswordPolicy
 if (username == null) {
 return null;
 }
- return password.contains(username) ? new PolicyError(ERROR_MESSAGE) : null;
+ return password.toLowerCase().contains(username.toLowerCase()) ? new PolicyError(ERROR_MESSAGE) : null;
 }
 
 @Override
diff --git a/server-spi-private/src/main/java/org/keycloak/policy/NotEmailPasswordPolicyProvider.java b/server-spi-private/src/main/java/org/keycloak/policy/NotEmailPasswordPolicyProvider.java
index ae0e711d930..45335fa46f2 100644
--- a/server-spi-private/src/main/java/org/keycloak/policy/NotEmailPasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/NotEmailPasswordPolicyProvider.java
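Review bot: The new comparison on the `+` line lower-cases both strings with the JVM default locale, and under a Turkish-family default locale an upper-case `I` folds to dotless `ı`, so a password such as `ADMIN` checked against the username `admin` becomes `admın` on one side and `admin` on the other and the policy no longer sees the match; the two `equalsIgnoreCase` hunks later in this commit do not have this problem because that method folds per character without consulting the locale. Pin the root locale on both sides: `return password.toLowerCase(Locale.ROOT).contains(username.toLowerCase(Locale.ROOT)) ? new PolicyError(ERROR_MESSAGE) : null;` and add `import java.util.Locale;` to the file's imports. The method this return belongs to starts before the hunk.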
@@ -42,7 +42,7 @@ public class NotEmailPasswordPolicyProvider implements PasswordPolicyProvider {
 if (email == null) {
 return null;
 }
- return email.equals(password) ? POLICY_ERROR : null;
+ return email.equalsIgnoreCase(password) ? POLICY_ERROR : null;
 }
 
 @Override
diff --git a/server-spi-private/src/main/java/org/keycloak/policy/NotUsernamePasswordPolicyProvider.java b/server-spi-private/src/main/java/org/keycloak/policy/NotUsernamePasswordPolicyProvider.java
index f08edab0d6d..993c8b0f774 100644
--- a/server-spi-private/src/main/java/org/keycloak/policy/NotUsernamePasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/NotUsernamePasswordPolicyProvider.java
@@ -39,7 +39,7 @@ public class NotUsernamePasswordPolicyProvider implements PasswordPolicyProvider
 if (username == null) {
 return null;
 }
- return username.equals(password) ? new PolicyError(ERROR_MESSAGE) : null;
+ return username.equalsIgnoreCase(password) ? new PolicyError(ERROR_MESSAGE) : null;
 }
 
 @Override
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java
index 745ab1fadde..86269686056 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java
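Review bot: Nothing on the `+` line or around it records that relaxing `equals` to `equalsIgnoreCase` is a deliberate tightening of the policy rather than an accident, and the same applies to the NotUsernamePasswordPolicyProvider hunk that follows; a later cleanup could "restore" the strict comparison and silently reopen the case-variant bypass. A one-line comment above the return, `// Deliberately case-insensitive: a password differing from the e-mail only by letter case must still be rejected (#37431)`, documents the intent, with the analogous wording for the username variant. `equalsIgnoreCase` folds per character without depending on the default locale, so it is the right primitive for an equality check. The method this return belongs to starts before the hunk.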
@@ -580,6 +580,12 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest {
 assertTrue(registerPage.isCurrent());
 assertEquals("Invalid password: must not be equal to the username.", registerPage.getInputPasswordErrors().getPasswordError());
 
+ // Case-sensitivity - still should not allow to create password when lower-cased
+ registerPage.register("firstName", "lastName", "registerUserNotUsername@email", "registerUserNotUsername", "registerusernotusername", "registerusernotusername");
+
+ assertTrue(registerPage.isCurrent());
+ assertEquals("Invalid password: must not be equal to the username.", registerPage.getInputPasswordErrors().getPasswordError());
+
 try (Response response = adminClient.realm("test").users().create(UserBuilder.create().username("registerUserNotUsername").build())) {
 assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
 }
@@ -615,6 +621,12 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest {
 assertTrue(registerPage.isCurrent());
 assertEquals("Invalid password: Can not contain the username.", registerPage.getInputPasswordErrors().getPasswordError());
 
+ // Case-sensitivity - still should not allow to create password when lower-cased
+ registerPage.register("firstName", "lastName", "registerUserNotUsername@email", "Bob", "123bob", "123bob");
+
+ assertTrue(registerPage.isCurrent());
+ assertEquals("Invalid password: Can not contain the username.", registerPage.getInputPasswordErrors().getPasswordError());
+
 try (Response response = adminClient.realm("test").users().create(UserBuilder.create().username("Bob").build())) {
 assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
 }
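Review bot: The added `registerPage.register(...)` call only exercises one direction of case folding, an all-lower-case password against a mixed-case username, so an implementation that lower-cases just the username side would still satisfy both new assertions; the `@@ -615` hunk below (`Bob` / `123bob`) and the e-mail hunk that follows have the same gap. A second attempt with the password upper-cased, `registerPage.register("firstName", "lastName", "registerUserNotUsername@email", "registerUserNotUsername", "REGISTERUSERNOTUSERNAME", "REGISTERUSERNOTUSERNAME");` followed by the same two assertions, pins the symmetric case. The comment could then read `// Case-insensitivity: the policy must reject the password regardless of letter case` rather than describing only the lower-cased variant. The test methods these lines sit in start before their hunks.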
@@ -648,6 +660,12 @@ public class RegisterTest extends AbstractTestRealmKeycloakTest {
 
 assertTrue(registerPage.isCurrent());
 assertEquals("Invalid password: must not be equal to the email.", registerPage.getInputPasswordErrors().getPasswordError());
+
+ // Case-sensitivity - still should not allow to create password when lower-cased
+ registerPage.registerWithEmailAsUsername("firstName", "lastName", "registerUserNotEmail@email", "registerusernotemail@email", "registerusernotemail@email");
+
+ assertTrue(registerPage.isCurrent());
+ assertEquals("Invalid password: must not be equal to the email.", registerPage.getInputPasswordErrors().getPasswordError());
 }
 }
 