@thistehneisen
Created March 19, 2024 16:14
Testing whether bruteforce protection together with lockout mechanisms is implemented
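```bash
#!/bin/bash
# Sends a burst of wrong-password logins for one account, then one login with
# the correct password, to see whether brute-force protection locks the account.
set -x  # trace every command (this also prints the passwords being tried)

threads=10       # parallel requests
iterations=200   # number of wrong-password attempts
valid_username="admin"
valid_password="admin"
client_id="client"
url="https://127.0.0.1/auth/realms/realm/protocol/openid-connect/token"

# One login attempt for the valid user with a random 12-character password.
do_request_random() {
    #local username=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 6 | head -n 1)
    local password
    password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1)
    echo "Trying $valid_username with password $password"
    # -k skips TLS certificate verification
    curl -k -X POST "$url" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password&client_id=$client_id&username=$valid_username&password=$password"
}

# One login attempt with the correct credentials.
do_request_valid() {
    curl -k -X POST "$url" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password&client_id=$client_id&username=$valid_username&password=$valid_password"
}

# Export functions and variables so the bash -c children started by xargs can see them.
export -f do_request_random do_request_valid
export url client_id valid_username valid_password

seq "$iterations" | xargs -I {} -P "$threads" bash -c 'do_request_random'
# If lockout is enforced, this final valid login should now be rejected.
do_request_valid
```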
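The script above leaves the pass/fail decision to whoever reads the raw responses. The following added example (not part of the gist) turns recorded status codes into a verdict. The `<kind> <http_status>` input format, the `baseline` login taken before the burst, and the names `lockout_verdict` and `sample_results` are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of the gist. Assumed input: one line per request,
# "<kind> <http_status>", where kind is
#   baseline = correct-password login BEFORE the burst
#   bad      = wrong-password attempt
#   valid    = correct-password login AFTER the burst
# Status codes can be recorded with: curl -s -o /dev/null -w '%{http_code}' ...
# (curl writes 000 when no HTTP response was received).

lockout_verdict() {
    awk '
        $1 == "baseline" { base_seen = 1; base = $2 + 0 }
        $1 == "bad"      { bad++; if ($2 + 0 == 429) throttled++ }
        $1 == "valid"    { seen = 1; status = $2 + 0 }
        END {
            if (!seen || !base_seen || base != 200)
                v = "INCONCLUSIVE"   # credentials never proven to work
            else if (status == 200)
                v = "FAIL"           # account still usable: no lockout
            else if (status == 0 || status >= 500)
                v = "INCONCLUSIVE"   # transport or server error, not a refusal
            else
                v = "PASS"           # valid login refused after the failures
            printf "%s bad=%d throttled=%d valid_status=%d\n", v, bad, throttled, status
        }'
}

# Constructed sample data: five failed attempts, then the valid login is refused.
sample_results() {
    cat <<'EOF'
baseline 200
bad 401
bad 401
bad 401
bad 429
bad 429
valid 401
EOF
}

sample_results | lockout_verdict
```

A `PASS` only shows that the valid login was refused after the burst; whether that came from account lockout or from request throttling has to be read from the server's own configuration and logs.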