
Example 1 with CasX509Certificate

use of org.apereo.cas.adaptors.x509.authentication.CasX509Certificate in project cas by apereo.

the class X509CredentialsAuthenticationHandlerTests method getTestParameters.

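/**
 * Gets the unit test parameters.
 * <p>
 * Every row has the shape {@code (handler, credential, supported, expectedResult, expectedException)}:
 * the handler under test, the credential handed to it, whether the handler is expected to
 * support that credential type (only the username/password row is {@code false}), the
 * successful result expected on acceptance (else {@code null}) and the exception expected
 * on rejection (else {@code null}). Cases #13 to #15 carry both a result and an exception;
 * how the consuming test reconciles the two is decided there, not here.
 *
 * @return Test parameter data.
 */
@SuppressWarnings("PMD.ExcessiveMethodLength")
public static Stream<Arguments> getTestParameters() {
    val params = new ArrayList<Arguments>();

    /* Test case #1: Unsupported credential type */
    var handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(arguments(handler, new UsernamePasswordCredential(), false, null, null));

    /* Test case #2: Valid certificate */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    var credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), null));

    /* Test case #3: Expired certificate */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, null, new CertificateExpiredException()));

    /* Test case #4: Untrusted issuer */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #5: Disallowed subject */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #6: Check key usage on a cert without keyUsage extension */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), null));

    /* Test case #7: Require key usage on a cert without keyUsage extension */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new FailedLoginException()));

    /* Test case #8: Require key usage on a cert with acceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), null));

    /* Test case #9: Require key usage on a cert with unacceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, null, new FailedLoginException()));

    /* Revocation tests */

    /* Test case #10: Valid certificate with CRL checking */
    var checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    // Same credential instance as input and inside the expected result, as in the other success cases.
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), null));

    /* Test case #11: Revoked end user certificate */
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, null, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null)));

    /* Test case #12: Valid certificate on expired CRL data (zero threshold, so presumably no grace period) */
    val zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC))));

    /* Test case #13: Certificate not allowed - the trailing pattern matches nothing */
    // NOTE(review): the trailing Pattern is assumed to be the subject DN filter, as in case #5 - confirm against the handler constructor.
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, RegexUtils.MATCH_NOTHING_PATTERN);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), new FailedLoginException()));

    /* Test case #14: Basic constraints path length far above a handler limit of 0 */
    // NOTE(review): the int argument is presumably the maximum allowed path length - confirm against the handler constructor.
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, 0);
    var certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(Integer.MAX_VALUE);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), new FailedLoginException()));

    /* Test case #15: Basic constraints path length of 10 against a handler limit of 1 */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, 1);
    certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(10);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), new FailedLoginException()));

    /* Test case #16: Key usage present on the certificate and checked (third flag) but not required (fourth flag) */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".+"), true, true, false);
    certificate = new CasX509Certificate(true);
    certificate.setKeyUsage(true);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, expectedSuccess(handler, credential), null));

    return params.stream();
}

/**
 * Builds the execution result expected when {@code handler} accepts {@code credential}:
 * the handler, the credential and a principal whose id is the credential id.
 *
 * @param handler    the handler under test
 * @param credential the accepted certificate credential
 * @return the expected successful result
 */
private static DefaultAuthenticationHandlerExecutionResult expectedSuccess(
    final X509CredentialsAuthenticationHandler handler, final X509CertificateCredential credential) {
    return new DefaultAuthenticationHandlerExecutionResult(handler, credential,
        PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(credential.getId()));
}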

Example 2 with CasX509Certificate

use of org.apereo.cas.adaptors.x509.authentication.CasX509Certificate in project cas by apereo.

the class X509CertificateCredentialTests method verifySerializeAX509CertificateCredentialToJson.

/**
 * Round-trips an {@link X509CertificateCredential} through JSON and checks that the
 * deserialized copy equals the original.
 *
 * @throws IOException if the JSON file cannot be written or read
 */
@Test
public void verifySerializeAX509CertificateCredentialToJson() throws IOException {
    MAPPER.findAndRegisterModules();
    val chain = new X509Certificate[] { new CasX509Certificate(true) };
    val original = new X509CertificateCredential(chain);
    MAPPER.writeValue(JSON_FILE, original);
    val roundTripped = MAPPER.readValue(JSON_FILE, X509CertificateCredential.class);
    assertEquals(original, roundTripped);
}

Example 3 with CasX509Certificate

use of org.apereo.cas.adaptors.x509.authentication.CasX509Certificate in project cas by apereo.

the class SamlAssertionRealmCodecTests method verifyOperation.

/**
 * Resolves the realm from a mocked SAML assertion whose signature key info carries a single
 * {@link CasX509Certificate} and checks that a non-null realm is returned.
 */
@Test
public void verifyOperation() {
    val signingCerts = new X509Certificate[] { new CasX509Certificate(true) };
    val keyInfo = mock(SAMLKeyInfo.class);
    when(keyInfo.getCerts()).thenReturn(signingCerts);
    val assertion = mock(SamlAssertionWrapper.class);
    when(assertion.getSignatureKeyInfo()).thenReturn(keyInfo);
    val codec = new SamlAssertionRealmCodec("CAS");
    assertNotNull(codec.getRealmFromToken(assertion));
}

Example 4 with CasX509Certificate

use of org.apereo.cas.adaptors.x509.authentication.CasX509Certificate in project cas by apereo.

the class X509CertificateCredentialsNonInteractiveActionTests method verifyBadCertificateError.

/**
 * Drives the action with a request whose X.509 certificate attribute holds a
 * {@link CasX509Certificate} constructed with {@code false} (the "bad" certificate for this
 * test) and expects the authentication-failure transition.
 *
 * @throws Exception if executing the action fails
 */
@Test
public void verifyBadCertificateError() throws Exception {
    val request = new MockHttpServletRequest();
    val badChain = new X509Certificate[] { new CasX509Certificate(false) };
    request.setAttribute(X509CertificateCredentialsNonInteractiveAction.REQUEST_ATTRIBUTE_X509_CERTIFICATE, badChain);

    val context = new MockRequestContext();
    ((DefaultMessageContext) context.getMessageContext()).setMessageSource(mock(MessageSource.class));
    context.setExternalContext(new ServletExternalContext(new MockServletContext(), request, new MockHttpServletResponse()));

    val event = this.action.execute(context);
    assertEquals(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, event.getId());
}
