/**
 * Builds the parameterized test data for the CRL distribution point revocation checker.
 * <p>
 * Each argument set holds: the checker under test, the certificate resource(s) to check,
 * the CRL resource backing the certificate's distribution point, and the exception the
 * check is expected to throw ({@code null} when the certificate must be accepted).
 * Cases #3 and #4 pin the security-relevant contrast: a zero-threshold policy rejects an
 * expired CRL, and only an explicitly permissive expired-CRL policy lets it through.
 *
 * @return Test parameter data, in case order #0 through #6.
 */
public static Stream<Arguments> getTestParameters() {
    val strictPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    // A second, identical zero-threshold instance; case #3 uses it to spell out "no grace period".
    val noGracePolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    val cases = Stream.<Arguments>builder();

    // Case #0: valid certificate, distribution point URL is percent-encoded.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), strictPolicy, null),
        new String[] { "uservalid-encoded-crl.crt" }, "test ca.crl", null));

    // Case #1: valid certificate against a current CRL (four-argument constructor variant).
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), strictPolicy, null, true),
        new String[] { "user-valid-distcrl.crt" }, "userCA-valid.crl", null));

    // Case #2: certificate listed on a current CRL must be reported revoked.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), strictPolicy, null),
        new String[] { "user-revoked-distcrl.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));

    // Case #3: valid certificate, but the CRL is expired and the policy grants no grace period.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), noGracePolicy, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl",
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC))));

    // Case #4: same expired CRL, but an expired-CRL policy that never objects (empty lambda) accepts it.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), crl -> {
        }, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", null));

    // Case #5: certificate with no distribution points; AllowRevocationPolicy tolerates the missing CRL.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), strictPolicy, new AllowRevocationPolicy()),
        new String[] { "user-valid.crt" }, "userCA-expired.crl", null));

    // Case #6 (EJBCA): the distribution point URI carries an unescaped issuer DN in its query
    // string (not a valid URI per RFC 2396); the checker must normalize it and still detect revocation.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), strictPolicy, null),
        new String[] { "user-revoked-distcrl2.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));

    return cases.build();
}
/**
 * Revocation checker that resolves CRLs from each certificate's CRL distribution point.
 * <p>
 * Fetched CRL bytes are cached per distribution-point {@link URI}; cache sizing and expiry
 * come from the {@code authn.x509} settings. The unavailable-CRL and expired-CRL behaviour
 * is selected from the three injected policy beans (allow / threshold / deny).
 */
@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
@ConditionalOnMissingBean(name = "crlDistributionPointRevocationChecker")
public RevocationChecker crlDistributionPointRevocationChecker(final CasConfigurationProperties casProperties, @Qualifier("crlFetcher") final CRLFetcher crlFetcher, @Qualifier("allowRevocationPolicy") final RevocationPolicy allowRevocationPolicy, @Qualifier("thresholdExpiredCRLRevocationPolicy") final RevocationPolicy thresholdExpiredCRLRevocationPolicy, @Qualifier("denyRevocationPolicy") final RevocationPolicy denyRevocationPolicy) {
    val x509Props = casProperties.getAuthn().getX509();

    var cacheBuilder = UserManagedCacheBuilder.newUserManagedCacheBuilder(URI.class, byte[].class);
    if (x509Props.isCacheDiskOverflow()) {
        val diskCapacity = Capacity.parse(x509Props.getCacheDiskSize());
        val diskUnit = MemoryUnit.valueOf(diskCapacity.getUnitOfMeasure().name());
        // Trailing false: the disk tier is declared non-persistent.
        cacheBuilder = cacheBuilder.withResourcePools(
            ResourcePoolsBuilder.newResourcePoolsBuilder().disk(diskCapacity.getSize().longValue(), diskUnit, false));
    }
    // NOTE(review): this is a second withResourcePools call after the disk one above. If the
    // builder replaces rather than merges pool sets, the disk tier is silently dropped — confirm.
    cacheBuilder = cacheBuilder.withResourcePools(
        ResourcePoolsBuilder.newResourcePoolsBuilder().heap(x509Props.getCacheMaxElementsInMemory(), EntryUnit.ENTRIES));

    if (x509Props.isCacheEternal()) {
        // Security note: an eternal cache never re-fetches a CRL on a TTL, so revocations published
        // after the first fetch are presumably only seen once the cached CRL is itself treated as
        // expired by the expired-CRL policy — confirm against the checker's CRL-staleness handling.
        cacheBuilder = cacheBuilder.withExpiry(ExpiryPolicyBuilder.noExpiration());
    } else {
        cacheBuilder = cacheBuilder.withExpiry(
            ExpiryPolicyBuilder.timeToLiveExpiration(Duration.ofSeconds(x509Props.getCacheTimeToLiveSeconds())));
    }
    val crlCache = cacheBuilder.build(true);

    val whenUnavailable = getRevocationPolicy(x509Props.getCrlUnavailablePolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);
    val whenExpired = getRevocationPolicy(x509Props.getCrlExpiredPolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);
    return new CRLDistributionPointRevocationChecker(x509Props.isCheckAll(), whenUnavailable, whenExpired, crlCache, crlFetcher, x509Props.isThrowOnFetchFailure());
}
/**
 * Fetches the CRL from LDAP ten times, discarding and re-creating the cache before each
 * attempt so every {@code check} must go back through the fetcher rather than hit a cached CRL.
 * <p>
 * The only assertion is implicit: {@code check} must not throw. The unavailable-CRL policy is
 * {@link AllowRevocationPolicy}, but the trailing {@code true} (throw-on-fetch-failure, by
 * position in the configuration's constructor call) presumably turns a failed LDAP fetch into
 * a test failure rather than a silent pass.
 */
@Test
public void getCrlFromLdapWithNoCaching() throws Exception {
    for (int attempt = 0; attempt < 10; attempt++) {
        // Start each attempt from an empty cache manager.
        CacheManager.getInstance().removeAllCaches();
        final Cache freshCache = new Cache("crlCache-1", 100, false, false, 20, 10);
        CacheManager.getInstance().addCache(freshCache);

        final X509Certificate certificate = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt"));
        final CRLDistributionPointRevocationChecker checker =
            new CRLDistributionPointRevocationChecker(false, new AllowRevocationPolicy(), null, freshCache, fetcher, true);
        checker.check(certificate);
    }
}
/**
 * Fetches the CRL from LDAP ten times against a single shared cache, so only the first
 * {@code check} needs to reach LDAP and later ones may be served from the cached CRL.
 * <p>
 * As with the no-caching variant, the test passes when {@code check} does not throw; the
 * unavailable-CRL policy is {@link AllowRevocationPolicy} and the trailing {@code true}
 * (throw-on-fetch-failure, by position) presumably surfaces a failed fetch as an exception.
 */
@Test
public void getCrlFromLdap() throws Exception {
    CacheManager.getInstance().removeAllCaches();
    final Cache sharedCache = new Cache("crlCache-1", 100, false, false, 20, 10);
    CacheManager.getInstance().addCache(sharedCache);

    final ClassPathResource certResource = new ClassPathResource("ldap-crl.crt");
    for (int attempt = 0; attempt < 10; attempt++) {
        final X509Certificate certificate = CertUtils.readCertificate(certResource);
        final CRLDistributionPointRevocationChecker checker =
            new CRLDistributionPointRevocationChecker(false, new AllowRevocationPolicy(), null, sharedCache, fetcher, true);
        checker.check(certificate);
    }
}
/**
 * Revocation checker backed by statically configured CRL resources rather than the
 * certificates' own distribution points.
 * <p>
 * Resource-backed CRLs have their own unavailable/expired policy settings, separate from the
 * distribution-point ones; each is resolved to one of the three injected policy beans.
 */
@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
@ConditionalOnMissingBean(name = "resourceCrlRevocationChecker")
public RevocationChecker resourceCrlRevocationChecker(final CasConfigurationProperties casProperties, final ConfigurableApplicationContext applicationContext, @Qualifier("allowRevocationPolicy") final RevocationPolicy allowRevocationPolicy, @Qualifier("thresholdExpiredCRLRevocationPolicy") final RevocationPolicy thresholdExpiredCRLRevocationPolicy, @Qualifier("denyRevocationPolicy") final RevocationPolicy denyRevocationPolicy, @Qualifier("crlFetcher") final CRLFetcher crlFetcher) {
    val x509Props = casProperties.getAuthn().getX509();

    // Every configured CRL location is resolved through the application context.
    val crlResources = x509Props.getCrlResources().stream()
        .map(applicationContext::getResource)
        .collect(Collectors.toSet());

    val whenUnavailable = getRevocationPolicy(x509Props.getCrlResourceUnavailablePolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);
    val whenExpired = getRevocationPolicy(x509Props.getCrlResourceExpiredPolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);
    return new ResourceCRLRevocationChecker(x509Props.isCheckAll(), whenUnavailable, whenExpired, x509Props.getRefreshIntervalSeconds(), crlFetcher, crlResources);
}