Search in sources :

Example 1 with X509CredentialsAuthenticationHandler

use of org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler in project cas by apereo.

the class X509CredentialsAuthenticationHandlerTests method getTestParameters.

/**
     * Gets the unit test parameters.
     *
     * @return Test parameter data.
     * @throws Exception On test data setup errors.
     */
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
    final Collection<Object[]> params = new ArrayList<>();
    X509CredentialsAuthenticationHandler handler;
    X509CertificateCredential credential;
    // Test case #1: Unsupported credential type
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new UsernamePasswordCredential(), false, null });
    // Test case #2:Valid certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #3: Expired certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, new CertificateExpiredException() });
    // Test case #4: Untrusted issuer
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
    // Test case #5: Disallowed subject
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
    // Test case #6: Check key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #7: Require key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new FailedLoginException() });
    // Test case #8: Require key usage on a cert with acceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #9: Require key usage on a cert with unacceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, new FailedLoginException() });
    //===================================
    // Revocation tests
    //===================================
    ResourceCRLRevocationChecker checker;
    // Test case #10: Valid certificate with CRL checking
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #11: Revoked end user certificate
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null) });
    // Test case #12: Valid certificate on expired CRL data
    final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC)) });
    return params;
}
Also used : RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) CertificateExpiredException(java.security.cert.CertificateExpiredException) ArrayList(java.util.ArrayList) DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory) ClassPathResource(org.springframework.core.io.ClassPathResource) ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy) ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException) FailedLoginException(javax.security.auth.login.FailedLoginException) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker) DefaultHandlerResult(org.apereo.cas.authentication.DefaultHandlerResult) UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential) Parameters(org.junit.runners.Parameterized.Parameters)

Example 2 with X509CredentialsAuthenticationHandler

use of org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler in project cas by apereo.

the class X509AuthenticationConfiguration method x509CredentialsAuthenticationHandler.

@Bean
@RefreshScope
public AuthenticationHandler x509CredentialsAuthenticationHandler() {
    final X509Properties x509 = casProperties.getAuthn().getX509();
    final RevocationChecker revChecker;
    switch(x509.getRevocationChecker().trim().toLowerCase()) {
        case "resource":
            revChecker = resourceCrlRevocationChecker();
            break;
        case "crl":
            revChecker = crlDistributionPointRevocationChecker();
            break;
        case "none":
        default:
            revChecker = noOpRevocationChecker();
            break;
    }
    return new X509CredentialsAuthenticationHandler(x509.getName(), servicesManager, x509PrincipalFactory(), StringUtils.isNotBlank(x509.getRegExTrustedIssuerDnPattern()) ? RegexUtils.createPattern(x509.getRegExTrustedIssuerDnPattern()) : null, x509.getMaxPathLength(), x509.isMaxPathLengthAllowUnspecified(), x509.isCheckKeyUsage(), x509.isRequireKeyUsage(), StringUtils.isNotBlank(x509.getRegExSubjectDnPattern()) ? RegexUtils.createPattern(x509.getRegExSubjectDnPattern()) : null, revChecker);
}
Also used : X509CredentialsAuthenticationHandler(org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler) RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker) CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker) ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker) NoOpRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker) X509Properties(org.apereo.cas.configuration.model.support.x509.X509Properties) RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) Bean(org.springframework.context.annotation.Bean)

Aggregations

ResourceCRLRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)2 CertificateExpiredException (java.security.cert.CertificateExpiredException)1 ArrayList (java.util.ArrayList)1 FailedLoginException (javax.security.auth.login.FailedLoginException)1 ExpiredCRLException (org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)1 X509CredentialsAuthenticationHandler (org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler)1 X509CertificateCredential (org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential)1 RevokedCertificateException (org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)1 CRLDistributionPointRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)1 NoOpRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker)1 RevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)1 ThresholdExpiredCRLRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)1 DefaultHandlerResult (org.apereo.cas.authentication.DefaultHandlerResult)1 UsernamePasswordCredential (org.apereo.cas.authentication.UsernamePasswordCredential)1 DefaultPrincipalFactory (org.apereo.cas.authentication.principal.DefaultPrincipalFactory)1 X509Properties (org.apereo.cas.configuration.model.support.x509.X509Properties)1 Parameters (org.junit.runners.Parameterized.Parameters)1 ConditionalOnMissingBean (org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)1 RefreshScope (org.springframework.cloud.context.config.annotation.RefreshScope)1 Bean (org.springframework.context.annotation.Bean)1