adding lockout expiration timestamp for attempt behaviour of authenti…

…cation module

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/FocusAuthenticationResultRecorder.java

@@ -65,6 +65,9 @@ public void recordModuleAuthenticationAttemptSuccess(MidPointPrincipal principal
         //authAttemptData.(behavioralData.getLastSuccessfulLogin());
         authAttemptData.setLastSuccessfulAuthentication(event);
 
+        authAttemptData.setLockoutTimestamp(null);
+        authAttemptData.setLockoutExpirationTimestamp(null);
+
         ActivationType activation = principal.getFocus().getActivation();
         if (activation != null) {
             if (LockoutStatusType.LOCKED.equals(activation.getLockoutStatus())) {
@@ -130,6 +133,8 @@ public void recordModuleAuthenticationAttemptFailure(MidPointPrincipal principal
                 lockoutExpirationTs = XmlTypeConverter.addDuration(event.getTimestamp(), lockoutDuration);
             }
             activation.setLockoutExpirationTimestamp(lockoutExpirationTs);
+            authAttemptData.setLockoutExpirationTimestamp(lockoutExpirationTs);
+            authAttemptData.setLockoutTimestamp(event.getTimestamp());
             focusAfter.getTrigger().add(
                     new TriggerType()
                             .handlerUri(ModelPublicConstants.UNLOCK_TRIGGER_HANDLER_URI)

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.java

@@ -51,7 +51,6 @@
 
 /**
  * @author semancik
- *
  */
 public abstract class AuthenticationEvaluatorImpl<C extends AbstractCredentialType, T extends AbstractAuthenticationContext>
         implements AuthenticationEvaluator<T>, MessageSourceAware {
@@ -171,7 +170,7 @@ private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, Connec
         return passwordMatches(connEnv, principal, getCredential(credentials), authnCtx);
     }
 
-    private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T authnCtx){
+    private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T authnCtx) {
         SecurityPolicyType securityPolicy = principal.getApplicableSecurityPolicy();
         CredentialPolicyType credentialsPolicy;
         try {
@@ -184,7 +183,6 @@ private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T
         return credentialsPolicy;
     }
 
-
     /**
      * Special-purpose method used for Web Service authentication based on javax.security callbacks.
      *
@@ -208,7 +206,6 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
         }
         PasswordType passwordType = credentials.getPassword();
 
-
         AuthenticationAttemptDataType authenticationAttemptData = getAuthenticationData(principal, connEnv);
         // Lockout
         if (isLockedOut(authenticationAttemptData, passwordCredentialsPolicy)) {
@@ -256,7 +253,7 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
         ObjectQuery query = authCtx.createFocusQuery();
         String username = authCtx.getUsername();
         if (query == null) {
-            recordModuleAuthenticationFailure(username, null, connEnv, null,"no username");
+            recordModuleAuthenticationFailure(username, null, connEnv, null, "no username");
             throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
         }
 
@@ -298,12 +295,12 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
 
     protected boolean hasNoneAuthorization(MidPointPrincipal principal) {
         Collection<Authorization> authorizations = principal.getAuthorities();
-        if (authorizations == null || authorizations.isEmpty()){
+        if (authorizations == null || authorizations.isEmpty()) {
             return true;
         }
         boolean exist = false;
-        for (Authorization auth : authorizations){
-            if (auth.getAction() != null && !auth.getAction().isEmpty()){
+        for (Authorization auth : authorizations) {
+            if (auth.getAction() != null && !auth.getAction().isEmpty()) {
                 exist = true;
             }
         }
@@ -387,20 +384,29 @@ private int getFailedLogins(AuthenticationAttemptDataType authenticationAttemptD
     }
 
     private boolean isLockoutExpired(AuthenticationAttemptDataType authenticationAttemptData, CredentialPolicyType credentialsPolicy) {
-            Duration lockoutDuration = credentialsPolicy.getLockoutDuration();
-            if (lockoutDuration == null) {
-                return false;
-            }
+        XMLGregorianCalendar lockoutExpiration = authenticationAttemptData.getLockoutExpirationTimestamp();
+        if (lockoutExpiration != null) {
+            return clock.isPast(lockoutExpiration);
+        }
+
+        Duration lockoutDuration = credentialsPolicy.getLockoutDuration();
+        if (lockoutDuration == null) {
+            return false;
+        }
+
+        XMLGregorianCalendar lockTimestamp = authenticationAttemptData.getLockoutTimestamp();
+        if (lockTimestamp == null) {
             LoginEventType lastFailedLogin = getLastFailedLogin(authenticationAttemptData);
             if (lastFailedLogin == null) {
                 return true;
             }
-            XMLGregorianCalendar lastFailedLoginTimestamp = lastFailedLogin.getTimestamp();
-            if (lastFailedLoginTimestamp == null) {
+            lockTimestamp = lastFailedLogin.getTimestamp();
+            if (lockTimestamp == null) {
                 return true;
             }
-            XMLGregorianCalendar lockedUntilTimestamp = XmlTypeConverter.addDuration(lastFailedLoginTimestamp, lockoutDuration);
-            return clock.isPast(lockedUntilTimestamp);
+        }
+        XMLGregorianCalendar lockedUntilTimestamp = XmlTypeConverter.addDuration(lockTimestamp, lockoutDuration);
+        return clock.isPast(lockedUntilTimestamp);
     }
 
     private LoginEventType getLastFailedLogin(AuthenticationAttemptDataType authenticationAttemptData) {