Example 1 with ResourceCRLRevocationChecker
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker in project cas by apereo.
the class ResourceCRLRevocationCheckerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
@Parameters
public static Collection<Object[]> getTestParameters() {
final Collection<Object[]> params = new ArrayList<>();
final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
// Test case #1
// Valid certificate on valid CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt" }, null });
// Test case #2
// Revoked certificate on valid CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl"), new ClassPathResource("intermediateCA-valid.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-revoked.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });
// Test case #3
// Valid certificate on expired CRL data for head cert
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-expired.crl"), new ClassPathResource("intermediateCA-valid.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });
// Test case #4
// Valid certificate on expired CRL data for intermediate cert
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl"), new ClassPathResource("intermediateCA-expired.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });
// Test case #5
// Valid certificate on expired CRL data with custom expiration
// policy to always allow expired CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-expired.crl") }, crl -> {
}), new String[] { "user-valid.crt" }, null });
return params;
}
Also used :
ZonedDateTime(java.time.ZonedDateTime)
Collection(java.util.Collection)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
RunWith(org.junit.runner.RunWith)
Parameters(org.junit.runners.Parameterized.Parameters)
ClassPathResource(org.springframework.core.io.ClassPathResource)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
ArrayList(java.util.ArrayList)
GeneralSecurityException(java.security.GeneralSecurityException)
RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
BigInteger(java.math.BigInteger)
ZoneOffset(java.time.ZoneOffset)
Parameterized(org.junit.runners.Parameterized)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
ArrayList(java.util.ArrayList)
BigInteger(java.math.BigInteger)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
ClassPathResource(org.springframework.core.io.ClassPathResource)
Parameters(org.junit.runners.Parameterized.Parameters)
Example 2 with ResourceCRLRevocationChecker
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker in project cas by apereo.
the class X509CredentialsAuthenticationHandlerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
* @throws Exception On test data setup errors.
*/
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
final Collection<Object[]> params = new ArrayList<>();
X509CredentialsAuthenticationHandler handler;
X509CertificateCredential credential;
// Test case #1: Unsupported credential type
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
params.add(new Object[] { handler, new UsernamePasswordCredential(), false, null });
// Test case #2:Valid certificate
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #3: Expired certificate
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, new CertificateExpiredException() });
// Test case #4: Untrusted issuer
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
// Test case #5: Disallowed subject
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
// Test case #6: Check key usage on a cert without keyUsage extension
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #7: Require key usage on a cert without keyUsage extension
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new FailedLoginException() });
// Test case #8: Require key usage on a cert with acceptable keyUsage extension values
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #9: Require key usage on a cert with unacceptable keyUsage extension values
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, new FailedLoginException() });
//===================================
// Revocation tests
//===================================
ResourceCRLRevocationChecker checker;
// Test case #10: Valid certificate with CRL checking
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #11: Revoked end user certificate
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null) });
// Test case #12: Valid certificate on expired CRL data
final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC)) });
return params;
}
Also used :
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
ArrayList(java.util.ArrayList)
DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory)
ClassPathResource(org.springframework.core.io.ClassPathResource)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
FailedLoginException(javax.security.auth.login.FailedLoginException)
X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
DefaultHandlerResult(org.apereo.cas.authentication.DefaultHandlerResult)
UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential)
Parameters(org.junit.runners.Parameterized.Parameters)
Example 3 with ResourceCRLRevocationChecker
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker in project cas by apereo.
the class X509AuthenticationConfiguration method x509CredentialsAuthenticationHandler.
@Bean
@RefreshScope
public AuthenticationHandler x509CredentialsAuthenticationHandler() {
final X509Properties x509 = casProperties.getAuthn().getX509();
final RevocationChecker revChecker;
switch(x509.getRevocationChecker().trim().toLowerCase()) {
case "resource":
revChecker = resourceCrlRevocationChecker();
break;
case "crl":
revChecker = crlDistributionPointRevocationChecker();
break;
case "none":
default:
revChecker = noOpRevocationChecker();
break;
}
return new X509CredentialsAuthenticationHandler(x509.getName(), servicesManager, x509PrincipalFactory(), StringUtils.isNotBlank(x509.getRegExTrustedIssuerDnPattern()) ? RegexUtils.createPattern(x509.getRegExTrustedIssuerDnPattern()) : null, x509.getMaxPathLength(), x509.isMaxPathLengthAllowUnspecified(), x509.isCheckKeyUsage(), x509.isRequireKeyUsage(), StringUtils.isNotBlank(x509.getRegExSubjectDnPattern()) ? RegexUtils.createPattern(x509.getRegExSubjectDnPattern()) : null, revChecker);
}
Also used :
X509CredentialsAuthenticationHandler(org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler)
RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)
CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
NoOpRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker)
X509Properties(org.apereo.cas.configuration.model.support.x509.X509Properties)
RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope)
ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)
Bean(org.springframework.context.annotation.Bean)
Example 4 with ResourceCRLRevocationChecker
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker in project cas by apereo.
the class X509AuthenticationConfiguration method resourceCrlRevocationChecker.
@Bean
public RevocationChecker resourceCrlRevocationChecker() {
final X509Properties x509 = casProperties.getAuthn().getX509();
final Set<Resource> x509CrlResources = x509.getCrlResources().stream().map(s -> this.resourceLoader.getResource(s)).collect(Collectors.toSet());
return new ResourceCRLRevocationChecker(x509.isCheckAll(), getRevocationPolicy(x509.getCrlResourceUnavailablePolicy()), getRevocationPolicy(x509.getCrlResourceExpiredPolicy()), x509.getRefreshIntervalSeconds(), crlFetcher(), x509CrlResources);
}
Also used :
CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties)
X509SubjectAlternativeNameUPNPrincipalResolver(org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectAlternativeNameUPNPrincipalResolver)
X509SubjectPrincipalResolver(org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver)
RevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy)
X509SerialNumberAndIssuerDNPrincipalResolver(org.apereo.cas.adaptors.x509.authentication.principal.X509SerialNumberAndIssuerDNPrincipalResolver)
Autowired(org.springframework.beans.factory.annotation.Autowired)
Beans(org.apereo.cas.configuration.support.Beans)
StringUtils(org.apache.commons.lang3.StringUtils)
AuthenticationEventExecutionPlan(org.apereo.cas.authentication.AuthenticationEventExecutionPlan)
IPersonAttributeDao(org.apereo.services.persondir.IPersonAttributeDao)
RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope)
AuthenticationHandler(org.apereo.cas.authentication.AuthenticationHandler)
PrincipalFactory(org.apereo.cas.authentication.principal.PrincipalFactory)
RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)
EnableConfigurationProperties(org.springframework.boot.context.properties.EnableConfigurationProperties)
Qualifier(org.springframework.beans.factory.annotation.Qualifier)
X509SubjectDNPrincipalResolver(org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectDNPrincipalResolver)
ServicesManager(org.apereo.cas.services.ServicesManager)
Resource(org.springframework.core.io.Resource)
ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)
ResourceLoader(org.springframework.core.io.ResourceLoader)
CRLFetcher(org.apereo.cas.adaptors.x509.authentication.CRLFetcher)
X509SerialNumberPrincipalResolver(org.apereo.cas.adaptors.x509.authentication.principal.X509SerialNumberPrincipalResolver)
PrincipalResolver(org.apereo.cas.authentication.principal.PrincipalResolver)
Set(java.util.Set)
UUID(java.util.UUID)
Collectors(java.util.stream.Collectors)
AuthenticationEventExecutionPlanConfigurer(org.apereo.cas.config.support.authentication.AuthenticationEventExecutionPlanConfigurer)
CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
RegexUtils(org.apereo.cas.util.RegexUtils)
Configuration(org.springframework.context.annotation.Configuration)
DenyRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
X509Properties(org.apereo.cas.configuration.model.support.x509.X509Properties)
AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy)
NoOpRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker)
ResourceCRLFetcher(org.apereo.cas.adaptors.x509.authentication.ResourceCRLFetcher)
LdaptiveResourceCRLFetcher(org.apereo.cas.adaptors.x509.authentication.ldap.LdaptiveResourceCRLFetcher)
Bean(org.springframework.context.annotation.Bean)
Cache(net.sf.ehcache.Cache)
X509CredentialsAuthenticationHandler(org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler)
DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
Resource(org.springframework.core.io.Resource)
X509Properties(org.apereo.cas.configuration.model.support.x509.X509Properties)
ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)
Bean(org.springframework.context.annotation.Bean)
Aggregations
ResourceCRLRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)4
RevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)3
ThresholdExpiredCRLRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)3
ArrayList (java.util.ArrayList)2
ExpiredCRLException (org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)2
X509CredentialsAuthenticationHandler (org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler)2
RevokedCertificateException (org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)2
CRLDistributionPointRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)2
NoOpRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker)2
DefaultPrincipalFactory (org.apereo.cas.authentication.principal.DefaultPrincipalFactory)2
X509Properties (org.apereo.cas.configuration.model.support.x509.X509Properties)2
Parameters (org.junit.runners.Parameterized.Parameters)2
ConditionalOnMissingBean (org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)2
RefreshScope (org.springframework.cloud.context.config.annotation.RefreshScope)2
Bean (org.springframework.context.annotation.Bean)2
ClassPathResource (org.springframework.core.io.ClassPathResource)2
BigInteger (java.math.BigInteger)1
GeneralSecurityException (java.security.GeneralSecurityException)1
CertificateExpiredException (java.security.cert.CertificateExpiredException)1
ZoneOffset (java.time.ZoneOffset)1
