Example 1 with AllowRevocationPolicy

use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy in project cas by apereo.

the class CRLDistributionPointRevocationCheckerTests method getTestParameters.

/**
 * Gets the unit test parameters.
 *
 * @return Test parameter data.
 */
public static Stream<Arguments> getTestParameters() {
    val params = new ArrayList<Arguments>();
    // Threshold 0: a CRL whose nextUpdate is already in the past is rejected outright.
    val defaultPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    val zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    // Checker arguments: (crlCache, expiredCRLPolicy, unavailableCRLPolicy[, throwOnFetchFailure]).
    // Each parameter row: checker, certificate resource names, CRL resource name,
    // expected exception (null means the certificate is accepted).
    /*
     * Test case #0
     * Valid certificate on valid CRL data with encoded url
     */
    var cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null),
        new String[] { "uservalid-encoded-crl.crt" }, "test ca.crl", null));
    /*
     * Test case #1
     * Valid certificate on valid CRL data (fetch failures are thrown rather than swallowed)
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null, true),
        new String[] { "user-valid-distcrl.crt" }, "userCA-valid.crl", null));
    /*
     * Test case #2
     * Revoked certificate on valid CRL data
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null),
        new String[] { "user-revoked-distcrl.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));
    /*
     * Test case #3
     * Valid certificate on expired CRL data
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, zeroThresholdPolicy, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl",
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC))));
    /*
     * Test case #4
     * Valid certificate on expired CRL data with custom expiration
     * policy to always allow expired CRL data
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, crl -> {
        // no-op expiration policy: never throws, so the expired CRL is accepted
    }, null), new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", null));
    /*
     * Test case #5
     * Valid certificate with no CRL distribution points defined but with
     * "AllowRevocationPolicy" set to allow unavailable CRL data
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, defaultPolicy, new AllowRevocationPolicy()),
        new String[] { "user-valid.crt" }, "userCA-expired.crl", null));
    /*
     * Test case #6
     * EJBCA test case
     * Revoked certificate with CRL distribution point URI that is technically
     * not a valid URI since the issuer DN in the query string is not encoded per
     * the escaping of reserved characters in RFC 2396.
     * Make sure we can convert given URI to valid URI and confirm it's revoked
     */
    cache = getCache(100);
    params.add(arguments(new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null),
        new String[] { "user-revoked-distcrl2.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));
    return params.stream();
}
Also used : lombok.val(lombok.val) ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException) CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker) RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy) ArrayList(java.util.ArrayList) BigInteger(java.math.BigInteger) ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)

Example 2 with AllowRevocationPolicy

use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy in project cas by apereo.

the class X509AuthenticationConfiguration method crlDistributionPointRevocationChecker.

@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
@ConditionalOnMissingBean(name = "crlDistributionPointRevocationChecker")
public RevocationChecker crlDistributionPointRevocationChecker(
    final CasConfigurationProperties casProperties,
    @Qualifier("crlFetcher") final CRLFetcher crlFetcher,
    @Qualifier("allowRevocationPolicy") final RevocationPolicy allowRevocationPolicy,
    @Qualifier("thresholdExpiredCRLRevocationPolicy") final RevocationPolicy thresholdExpiredCRLRevocationPolicy,
    @Qualifier("denyRevocationPolicy") final RevocationPolicy denyRevocationPolicy) {
    val x509 = casProperties.getAuthn().getX509();
    // Ehcache 3 user-managed cache of fetched CRL bytes, keyed by distribution point URI.
    var builder = UserManagedCacheBuilder.newUserManagedCacheBuilder(URI.class, byte[].class);
    if (x509.isCacheDiskOverflow()) {
        val capacity = Capacity.parse(x509.getCacheDiskSize());
        builder = builder.withResourcePools(ResourcePoolsBuilder.newResourcePoolsBuilder()
            .disk(capacity.getSize().longValue(), MemoryUnit.valueOf(capacity.getUnitOfMeasure().name()), false));
    }
    builder = builder.withResourcePools(ResourcePoolsBuilder.newResourcePoolsBuilder()
        .heap(x509.getCacheMaxElementsInMemory(), EntryUnit.ENTRIES));
    // With cacheEternal a cached CRL is never re-fetched, so revocations published
    // later are not seen until the entry is evicted; otherwise entries live cacheTimeToLiveSeconds.
    if (x509.isCacheEternal()) {
        builder = builder.withExpiry(ExpiryPolicyBuilder.noExpiration());
    } else {
        builder = builder.withExpiry(ExpiryPolicyBuilder.timeToLiveExpiration(Duration.ofSeconds(x509.getCacheTimeToLiveSeconds())));
    }
    var cache = builder.build(true);
    // crlUnavailablePolicy and crlExpiredPolicy each resolve to the allow, threshold or deny bean.
    // Selecting allow for the unavailable case accepts a certificate whose CRL could not be fetched.
    return new CRLDistributionPointRevocationChecker(
        x509.isCheckAll(),
        getRevocationPolicy(x509.getCrlUnavailablePolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy),
        getRevocationPolicy(x509.getCrlExpiredPolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy),
        cache, crlFetcher, x509.isThrowOnFetchFailure());
}
Also used : lombok.val(lombok.val) CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker) RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) Bean(org.springframework.context.annotation.Bean)
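The decision flow that test cases #0 to #5 above exercise, and that the crlUnavailablePolicy / crlExpiredPolicy settings in the configuration select between, modelled in Python so it runs stand-alone without CAS. This is an added example, not CAS project code: the Crl and Cert classes, the URIs, serials and the `_CRLS` store are constructed stand-ins for fetched X.509 data, and the three policy functions mirror the semantics the page's tests attribute to AllowRevocationPolicy, ThresholdExpiredCRLRevocationPolicy and the deny bean, not their Java implementations.

```python
"""In-memory model of the decision exercised by the CAS tests and
configuration above. Added example, not CAS code: the CRLs, certificates
and URIs below are constructed stand-ins, not parsed X.509 data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


class RevokedCertificateException(Exception): pass
class ExpiredCRLException(Exception): pass
class CRLUnavailableException(Exception): pass


@dataclass
class Crl:
    next_update: datetime      # stands in for X509CRL.getNextUpdate()
    revoked_serials: Set[int]  # serials carrying a revocation entry


@dataclass
class Cert:
    serial: int
    distribution_points: List[str]  # CRL DP URIs carried by the certificate


# Mirrors CAS RevocationPolicy: return to allow, raise to deny.
Policy = Callable[[Optional[Crl]], None]


def allow_policy(crl: Optional[Crl]) -> None:
    """AllowRevocationPolicy: never raises, so the check fails open."""


def deny_policy(crl: Optional[Crl]) -> None:
    """DenyRevocationPolicy: always aborts the authentication."""
    raise CRLUnavailableException("CRL data rejected by policy")


def threshold_expired_policy(threshold_seconds: int) -> Policy:
    """ThresholdExpiredCRLRevocationPolicy: tolerate an expired CRL only
    while its nextUpdate is at most threshold_seconds in the past."""
    def apply(crl: Optional[Crl]) -> None:
        if crl is None:
            raise CRLUnavailableException("no CRL to evaluate")
        cutoff = datetime.now(timezone.utc) - timedelta(seconds=threshold_seconds)
        if crl.next_update < cutoff:
            raise ExpiredCRLException(f"CRL expired {crl.next_update:%Y-%m-%d}")
    return apply


class CRLDistributionPointRevocationChecker:
    """Fetch each DP's CRL (cached by URI), apply the expired policy to every
    CRL obtained, and let the unavailable policy decide when none was."""
    def __init__(self, fetch: Callable[[str], Optional[Crl]],
                 expired_policy: Policy, unavailable_policy: Policy) -> None:
        self.fetch, self.cache = fetch, {}  # cache: URI -> Crl
        self.expired_policy, self.unavailable_policy = expired_policy, unavailable_policy

    def check(self, cert: Cert) -> None:
        crls: List[Crl] = []
        for uri in cert.distribution_points:
            crl = self.cache.get(uri) or self.fetch(uri)
            if crl is not None:
                self.cache[uri] = crl
                crls.append(crl)
        if not crls:  # no DP at all, or every fetch failed
            self.unavailable_policy(None)
            return
        for crl in crls:
            self.expired_policy(crl)
            if cert.serial in crl.revoked_serials:
                raise RevokedCertificateException(f"serial {cert.serial} revoked")


# Constructed CRL store standing in for the HTTP/LDAP fetcher backend.
_NOW = datetime.now(timezone.utc)
_CRLS: Dict[str, Crl] = {
    "http://ca.example/valid.crl": Crl(_NOW + timedelta(days=1), {1}),
    "http://ca.example/expired.crl": Crl(_NOW - timedelta(days=1), {1}),
}


def outcome(checker: CRLDistributionPointRevocationChecker, cert: Cert) -> str:
    """'VALID', or the name of the exception the checker raised."""
    try:
        checker.check(cert)
        return "VALID"
    except (RevokedCertificateException, ExpiredCRLException, CRLUnavailableException) as exc:
        return type(exc).__name__


def run_cases() -> Dict[str, str]:
    """The page's test cases, plus what an allow unavailable policy does
    when a revoked certificate's CRL cannot be fetched."""
    def checker(expired: Policy, unavailable: Policy) -> CRLDistributionPointRevocationChecker:
        return CRLDistributionPointRevocationChecker(_CRLS.get, expired, unavailable)
    zero, two_days = threshold_expired_policy(0), threshold_expired_policy(2 * 86400)
    v, e, off = "http://ca.example/valid.crl", "http://ca.example/expired.crl", "http://ca.example/offline.crl"
    return {
        "valid_on_valid_crl": outcome(checker(zero, deny_policy), Cert(2, [v])),
        "revoked_on_valid_crl": outcome(checker(zero, deny_policy), Cert(1, [v])),
        "valid_on_expired_crl_threshold_0": outcome(checker(zero, deny_policy), Cert(2, [e])),
        "valid_on_expired_crl_threshold_2d": outcome(checker(two_days, deny_policy), Cert(2, [e])),
        "valid_on_expired_crl_allow": outcome(checker(allow_policy, deny_policy), Cert(2, [e])),
        "revoked_on_expired_crl_allow": outcome(checker(allow_policy, deny_policy), Cert(1, [e])),
        "no_dp_allow_unavailable": outcome(checker(zero, allow_policy), Cert(2, [])),
        "revoked_crl_unreachable_allow": outcome(checker(zero, allow_policy), Cert(1, [off])),
        "revoked_crl_unreachable_deny": outcome(checker(zero, deny_policy), Cert(1, [off])),
    }
```

The last two cases are the practitioner's caveat: with the allow policy in the unavailable slot, a certificate that is in fact revoked is accepted as soon as its distribution point stops answering, which is exactly what CAS's `crlUnavailablePolicy` setting controls. The allow policy in the expired slot is less drastic, since an expired CRL is still consulted for revocation entries (`revoked_on_expired_crl_allow`), but a threshold of a few hours or days usually covers CA publishing lag without trusting arbitrarily stale data.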

Example 3 with AllowRevocationPolicy

use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy in project cas by apereo.

the class LdaptiveResourceCRLFetcherTests method getCrlFromLdapWithNoCaching.

@Test
public void getCrlFromLdapWithNoCaching() throws Exception {
    for (int i = 0; i < 10; i++) {
        // A fresh Ehcache 2 cache on every iteration, so each check fetches the CRL from LDAP again.
        CacheManager.getInstance().removeAllCaches();
        // Cache(name, maxElementsInMemory, overflowToDisk, eternal, timeToLiveSeconds, timeToIdleSeconds)
        final Cache cache = new Cache("crlCache-1", 100, false, false, 20, 10);
        CacheManager.getInstance().addCache(cache);
        // Checker(checkAll, unavailableCRLPolicy, expiredCRLPolicy, crlCache, fetcher, throwOnFetchFailure):
        // unavailable CRL data is allowed, no expired-CRL policy is set, and fetch failures are thrown.
        final CRLDistributionPointRevocationChecker checker =
            new CRLDistributionPointRevocationChecker(false, new AllowRevocationPolicy(), null, cache, fetcher, true);
        final X509Certificate cert = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt"));
        checker.check(cert);
    }
}
Also used : CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker) AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy) X509Certificate(java.security.cert.X509Certificate) ClassPathResource(org.springframework.core.io.ClassPathResource) Cache(net.sf.ehcache.Cache) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 4 with AllowRevocationPolicy

use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy in project cas by apereo.

the class LdaptiveResourceCRLFetcherTests method getCrlFromLdap.

@Test
public void getCrlFromLdap() throws Exception {
    CacheManager.getInstance().removeAllCaches();
    // Cache(name, maxElementsInMemory, overflowToDisk, eternal, timeToLiveSeconds, timeToIdleSeconds)
    final Cache cache = new Cache("crlCache-1", 100, false, false, 20, 10);
    CacheManager.getInstance().addCache(cache);
    // One cache shared across iterations: only the first check goes to LDAP, the rest hit the cache.
    for (int i = 0; i < 10; i++) {
        final CRLDistributionPointRevocationChecker checker =
            new CRLDistributionPointRevocationChecker(false, new AllowRevocationPolicy(), null, cache, fetcher, true);
        final X509Certificate cert = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt"));
        checker.check(cert);
    }
}
Also used : CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker) AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy) X509Certificate(java.security.cert.X509Certificate) ClassPathResource(org.springframework.core.io.ClassPathResource) Cache(net.sf.ehcache.Cache) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 5 with AllowRevocationPolicy

use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy in project cas by apereo.

the class X509AuthenticationConfiguration method resourceCrlRevocationChecker.

@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
@ConditionalOnMissingBean(name = "resourceCrlRevocationChecker")
public RevocationChecker resourceCrlRevocationChecker(
    final CasConfigurationProperties casProperties,
    final ConfigurableApplicationContext applicationContext,
    @Qualifier("allowRevocationPolicy") final RevocationPolicy allowRevocationPolicy,
    @Qualifier("thresholdExpiredCRLRevocationPolicy") final RevocationPolicy thresholdExpiredCRLRevocationPolicy,
    @Qualifier("denyRevocationPolicy") final RevocationPolicy denyRevocationPolicy,
    @Qualifier("crlFetcher") final CRLFetcher crlFetcher) {
    val x509 = casProperties.getAuthn().getX509();
    // Statically configured CRL locations (crlResources), re-fetched every refreshIntervalSeconds,
    // instead of the distribution points embedded in each certificate.
    val x509CrlResources = x509.getCrlResources().stream().map(applicationContext::getResource).collect(Collectors.toSet());
    // The resource checker has its own unavailable/expired policy settings, separate from the DP checker's.
    return new ResourceCRLRevocationChecker(
        x509.isCheckAll(),
        getRevocationPolicy(x509.getCrlResourceUnavailablePolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy),
        getRevocationPolicy(x509.getCrlResourceExpiredPolicy(), allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy),
        x509.getRefreshIntervalSeconds(), crlFetcher, x509CrlResources);
}
Also used : lombok.val(lombok.val) ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker) RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) Bean(org.springframework.context.annotation.Bean)

Aggregations

CRLDistributionPointRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)4 lombok.val (lombok.val)3 AllowRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy)3 X509Certificate (java.security.cert.X509Certificate)2 Cache (net.sf.ehcache.Cache)2 Test (org.junit.Test)2 ConditionalOnMissingBean (org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)2 SpringBootTest (org.springframework.boot.test.context.SpringBootTest)2 RefreshScope (org.springframework.cloud.context.config.annotation.RefreshScope)2 Bean (org.springframework.context.annotation.Bean)2 ClassPathResource (org.springframework.core.io.ClassPathResource)2 BigInteger (java.math.BigInteger)1 ArrayList (java.util.ArrayList)1 ExpiredCRLException (org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)1 RevokedCertificateException (org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)1 ResourceCRLRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)1 ThresholdExpiredCRLRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)1