Skip to content

Commit

Permalink
Added dataset options for setting password hashing algorithm and iter…
Browse files Browse the repository at this point in the history
…ations. (#778) (#780)

* Added options for setting password hashing algorithm and iterations to the dataset provider module.

Signed-off-by: Tomas Kyjovsky <[email protected]>

* updating docs

Signed-off-by: Kamesh Akella <[email protected]>

---------

Signed-off-by: Tomas Kyjovsky <[email protected]>
Signed-off-by: Kamesh Akella <[email protected]>
Co-authored-by: Kamesh Akella <[email protected]>

# Conflicts:
#	dataset/dataset-import.sh
#	dataset/src/main/java/org/keycloak/benchmark/dataset/DatasetResourceProvider.java
#	dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java
#	doc/dataset/modules/ROOT/pages/using-provider.adoc
  • Loading branch information
tkyjovsk authored Apr 19, 2024
1 parent bcdc240 commit 0131b88
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 14 deletions.
18 changes: 9 additions & 9 deletions dataset/dataset-import.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,14 +13,13 @@ set_environment_variables () {
USERS_COUNT="100"
EVENTS_COUNT="100"
SESSIONS_COUNT="100"
HASH_ITERATIONS="27500"
if ( minikube version &>/dev/null ); then
KEYCLOAK_URI="https://keycloak-keycloak.$(minikube ip || echo 'unknown').nip.io/realms/master/dataset"
fi
REALM_PREFIX="realm"
STATUS_TIMEOUT="120"

while getopts ":a:r:n:c:u:e:o:i:p:l:t:" OPT
while getopts ":a:r:n:c:u:e:o:g:i:p:l:t:" OPT
do
case $OPT in
a)
Expand All @@ -44,6 +43,9 @@ set_environment_variables () {
o)
SESSIONS_COUNT=$OPTARG
;;
g)
HASH_ALGORITHM=$OPTARG
;;
i)
HASH_ITERATIONS=$OPTARG
;;
Expand All @@ -64,11 +66,6 @@ set_environment_variables () {
done
}

create_realms () {
echo "Creating $1 realm/s with $2 client/s and $3 user/s with $4 password hash iterations."
execute_command "create-realms?count=$1&clients-per-realm=$2&users-per-realm=$3&password-hash-iterations=$4"
}

create_clients () {
echo "Creating $1 client/s in realm $2"
execute_command "create-clients?count=$1&realm-name=$2"
Expand Down Expand Up @@ -163,7 +160,7 @@ check_dataset_status () {

help () {
echo "Dataset import to the local minikube Keycloak application - usage:"
echo "1) create realm/s with clients, users and password hash iterations - run -a (action) with or without other arguments: -a create-realms -r 10 -c 100 -u 100 -i 20000 -l 'https://keycloak.url.com'"
echo "1) create realm/s with clients, users and password hash algorithm & iterations - run -a (action) with or without other arguments: -a create-realms -r 10 -g argon2 -i 5 -c 100 -u 100 -l 'https://keycloak.url.com'"
echo "2) create clients in specific realm: -a create-clients -c 100 -n realm-0 -l 'https://keycloak.url.com'"
echo "3) create users in specific realm: -a create-users -u 100 -n realm-0 -l 'https://keycloak.url.com'"
echo "4) create events in specific realm: -a create-events -e 100 -n realm-0 -l 'https://keycloak.url.com'"
Expand All @@ -181,7 +178,10 @@ main () {
echo "Action: [$ACTION] "
case "$ACTION" in
create-realms)
create_realms $REALM_COUNT $CLIENTS_COUNT $USERS_COUNT $HASH_ITERATIONS
if [ -z "$HASH_ALGORITHM" ]; then HA_PARAM=""; HASH_ALGORITHM="default"; else HA_PARAM="&password-hash-algorithm=$HASH_ALGORITHM"; fi
if [ -z "$HASH_ITERATIONS" ]; then HI_PARAM=""; HASH_ITERATIONS="default"; else HI_PARAM="&password-hash-iterations=$HASH_ITERATIONS"; fi
echo "Creating $REALM_COUNT realms with $CLIENTS_COUNT clients and $USERS_COUNT users with $HASH_ITERATIONS password-hashing iterations using the $HASH_ALGORITHM algorithm."
execute_command "create-realms?count=$REALM_COUNT&clients-per-realm=$CLIENTS_COUNT&users-per-realm=$USERS_COUNT$HI_PARAM$HA_PARAM"
exit 0
;;
create-clients)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -913,7 +913,14 @@ private void createAndSetRealm(RealmContext context, int index, KeycloakSession
realm.setEnabled(true);
realm.setRegistrationAllowed(true);
realm.setAccessCodeLifespan(60);
realm.setPasswordPolicy(PasswordPolicy.parse(session, "hashIterations(" + config.getPasswordHashIterations() + ")"));
PasswordPolicy.Builder b = PasswordPolicy.build();
if (!config.getPasswordHashAlgorithm().isEmpty()) { // only set if parameter explicitly provided, see QueryParamFill.defaultValue()
b.put("hashAlgorithm", config.getPasswordHashAlgorithm());
}
if (config.getPasswordHashIterations() != -1) { // only set if parameter explicitly provided, see QueryParamIntFill.defaultValue()
b.put("hashIterations", config.getPasswordHashIterations().toString());
}
realm.setPasswordPolicy(b.build(session));

if (config.getEventsEnabled()) {
realm.setEventsEnabled(true);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -153,8 +153,12 @@ public class DatasetConfig {
@QueryParamIntFill(paramName = "client-roles-per-user", defaultValue = 4, operations = { CREATE_REALMS, CREATE_USERS })
private Integer clientRolesPerUser;

// Password policy with the number of password hash iterations. It is 27500 by default
@QueryParamIntFill(paramName = "password-hash-iterations", defaultValue = PasswordPolicy.HASH_ITERATIONS_DEFAULT, operations = { CREATE_REALMS })
// Password policy with the password hash algorithm.
@QueryParamFill(paramName = "password-hash-algorithm", operations = { CREATE_REALMS })
private String passwordHashAlgorithm;

// Password policy with the number of password hash iterations.
@QueryParamIntFill(paramName = "password-hash-iterations", operations = { CREATE_REALMS })
private Integer passwordHashIterations;

// Check if eventStorage will be enabled for newly created realms
Expand Down Expand Up @@ -304,6 +308,10 @@ public Integer getClientRolesPerUser() {
return clientRolesPerUser;
}

public String getPasswordHashAlgorithm() {
return passwordHashAlgorithm;
}

public Integer getPasswordHashIterations() {
return passwordHashIterations;
}
Expand Down
10 changes: 8 additions & 2 deletions doc/dataset/modules/ROOT/pages/using-provider.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ You will see these options:

----
Dataset import to the local minikube Keycloak application - usage:
1) create realm/s with clients, users and password hash iterations - run -a (action) with or without other arguments: -a create-realms -r 10 -c 100 -u 100 -h 20000 -l 'https://keycloak.url.com'
1) create realm/s with clients, users and password hash algorithm & iterations - run -a (action) with or without other arguments: -a create-realms -r 10 -g argon2 -i 5 -c 100 -u 100 -l 'https://keycloak.url.com'
2) create clients in specific realm: -a create-clients -c 100 -n realm-0 -l 'https://keycloak.url.com'
3) create users in specific realm: -a create-users -u 100 -n realm-0 -l 'https://keycloak.url.com'
4) create events in specific realm: -a create-events -e 100 -n realm-0 -l 'https://keycloak.url.com'
Expand Down Expand Up @@ -168,12 +168,18 @@ You can use parameters to remove all realms for example just from `foorealm5` to

For change the parameters, take a look at link:{github-files}/dataset/src/main/java/org/keycloak/benchmark/dataset/config/DatasetConfig.java[DataSetConfig class]
to see available parameters and default values and which endpoint the particular parameter is applicable.
For example to create realms with prefix `foo` and with just 1000 hash iterations used for the password policy, you can use these parameters:
For example to create realms with prefix `foo` and with just 1000 hash iterations (with the default hashing algorithm) used for the password policy you can use these parameters:

----
.../realms/master/dataset/create-realms?count=10&realm-prefix=foo&password-hash-iterations=1000
----

Another example would be, to specify a particular hashing algorithm in combination with the hashing iterations with the below parameters:

----
.../realms/master/dataset/create-realms?count=10&realm-prefix=foo&password-hash-algorithm=argon2&password-hash-iterations=1000
----

The configuration is written to the server log when HTTP endpoint is triggered, so you can monitor the progress and what parameters were effectively applied.

Note that creation of new objects will automatically start from the next available index.
Expand Down

0 comments on commit 0131b88

Please sign in to comment.