use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy in project cas by apereo.
the class ResourceCRLRevocationCheckerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
@Parameters
public static Collection<Object[]> getTestParameters() {
    // Zero leniency: a CRL past its validity window is reported as expired immediately
    // (test cases #3 and #4 rely on this; #5 swaps in a policy that never rejects).
    final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    final Collection<Object[]> params = new ArrayList<>();

    // Each row is { checker, certificate chain (leaf first), expected exception or null }.

    // Test case #1: valid certificate checked against valid CRL data -> accepted.
    params.add(new Object[] {
        new ResourceCRLRevocationChecker(crlResources("userCA-valid.crl"), zeroThresholdPolicy),
        new String[] { "user-valid.crt" },
        null });

    // Test case #2: revoked certificate on valid CRL data for the whole chain -> revoked.
    params.add(new Object[] {
        new ResourceCRLRevocationChecker(crlResources("userCA-valid.crl", "intermediateCA-valid.crl", "rootCA-valid.crl"), zeroThresholdPolicy),
        new String[] { "user-revoked.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" },
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });

    // Test case #3: valid certificate, but the CRL for the head (user CA) cert is expired -> expired CRL.
    params.add(new Object[] {
        new ResourceCRLRevocationChecker(crlResources("userCA-expired.crl", "intermediateCA-valid.crl", "rootCA-valid.crl"), zeroThresholdPolicy),
        new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" },
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });

    // Test case #4: valid certificate, but the CRL for the intermediate CA is expired -> expired CRL.
    params.add(new Object[] {
        new ResourceCRLRevocationChecker(crlResources("userCA-valid.crl", "intermediateCA-expired.crl", "rootCA-valid.crl"), zeroThresholdPolicy),
        new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" },
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });

    // Test case #5: valid certificate on expired CRL data, with a no-op expiration policy
    // that never rejects, so the expired CRL is accepted (fail-open by configuration).
    params.add(new Object[] {
        new ResourceCRLRevocationChecker(crlResources("userCA-expired.crl"), crl -> {
        }),
        new String[] { "user-valid.crt" },
        null });

    return params;
}

/**
 * Wraps classpath resource names as {@link ClassPathResource} instances, preserving order.
 *
 * @param names classpath locations of CRL files
 * @return one resource per name
 */
private static ClassPathResource[] crlResources(final String... names) {
    final ClassPathResource[] resources = new ClassPathResource[names.length];
    for (int i = 0; i < names.length; i++) {
        resources[i] = new ClassPathResource(names[i]);
    }
    return resources;
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy in project cas by apereo.
the class CRLDistributionPointRevocationCheckerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
public static Stream<Arguments> getTestParameters() {
    // Both policies have a zero-second threshold and behave the same; the second name only
    // marks the case (#3) whose outcome depends on zero leniency.
    val defaultPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    val zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    val cases = Stream.<Arguments>builder();

    // Each tuple is (checker, certificate file(s), CRL file, expected exception or null).
    // Checker constructor arguments are (cache, expired-CRL policy, unavailable-CRL policy[, flag]);
    // every case gets its own fresh cache of capacity 100.

    // Test case #0: valid certificate on valid CRL data, distribution point URL is encoded.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), defaultPolicy, null),
        new String[] { "uservalid-encoded-crl.crt" }, "test ca.crl", null));

    // Test case #1: valid certificate on valid CRL data (checker built with the trailing boolean flag).
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), defaultPolicy, null, true),
        new String[] { "user-valid-distcrl.crt" }, "userCA-valid.crl", null));

    // Test case #2: revoked certificate on valid CRL data -> revoked.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), defaultPolicy, null),
        new String[] { "user-revoked-distcrl.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));

    // Test case #3: valid certificate on expired CRL data with zero leniency -> expired CRL.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), zeroThresholdPolicy, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl",
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC))));

    // Test case #4: valid certificate on expired CRL data, with a no-op expiration policy
    // that never rejects, so the expired CRL is accepted (fail-open by configuration).
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), crl -> {
        }, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", null));

    // Test case #5: valid certificate with no CRL distribution points, and AllowRevocationPolicy
    // as the unavailable-CRL policy, so missing CRL data is accepted (fail-open by configuration).
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), defaultPolicy, new AllowRevocationPolicy()),
        new String[] { "user-valid.crt" }, "userCA-expired.crl", null));

    // Test case #6 (EJBCA): revoked certificate whose CRL distribution point URI is technically
    // not a valid URI, because the issuer DN in the query string is not escaped per RFC 2396.
    // The checker must convert it to a valid URI and still report the certificate as revoked.
    cases.add(arguments(
        new CRLDistributionPointRevocationChecker(getCache(100), defaultPolicy, null),
        new String[] { "user-revoked-distcrl2.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1"))));

    return cases.build();
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy in project cas by apereo.
the class ThresholdExpiredCRLRevocationPolicyTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
public static Stream<Arguments> getTestParameters() {
    val now = ZonedDateTime.now(ZoneOffset.UTC);
    val twoHoursAgo = now.minusHours(2);
    val oneHourAgo = now.minusHours(1);
    val halfHourAgo = now.minusMinutes(30);
    val issuer = new X500Principal("CN=CAS");

    // Each tuple is (policy, CRL, expected exception or null). The policy threshold is in
    // seconds of leniency past the CRL's expiry; the mock CRL takes (issuer, issued-at, expires-at)
    // dates — presumably thisUpdate/nextUpdate, confirm against MockX509CRL.

    // Test case #1: zero leniency, CRL expired one second ago -> expired.
    val expiredWithZeroLeniency = arguments(
        new ThresholdExpiredCRLRevocationPolicy(0),
        new MockX509CRL(issuer, DateTimeUtils.dateOf(oneHourAgo), DateTimeUtils.dateOf(now.minusSeconds(1))),
        new ExpiredCRLException("CN=CAS", ZonedDateTime.now(ZoneOffset.UTC)));

    // Test case #2: one hour of leniency, CRL expired one hour and one second ago -> expired.
    val expiredWithOneHourLeniency = arguments(
        new ThresholdExpiredCRLRevocationPolicy(3600),
        new MockX509CRL(issuer, DateTimeUtils.dateOf(twoHoursAgo), DateTimeUtils.dateOf(oneHourAgo.minusSeconds(1))),
        new ExpiredCRLException("CN=CAS", ZonedDateTime.now(ZoneOffset.UTC)));

    // Test case #3: one hour of leniency, CRL expired thirty minutes ago -> still accepted.
    val validWithOneHourLeniency = arguments(
        new ThresholdExpiredCRLRevocationPolicy(3600),
        new MockX509CRL(issuer, DateTimeUtils.dateOf(twoHoursAgo), DateTimeUtils.dateOf(halfHourAgo)),
        null);

    return Stream.of(expiredWithZeroLeniency, expiredWithOneHourLeniency, validWithOneHourLeniency);
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy in project cas by apereo.
the class X509CredentialsAuthenticationHandlerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
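@SuppressWarnings("PMD.ExcessiveMethodLength")
public static Stream<Arguments> getTestParameters() {
    val params = new ArrayList<Arguments>();
    // Each tuple is (handler, credential, supported?, expected result or null, expected exception or null).
    // Patterns are immutable, so the two DN patterns used repeatedly below are built once.
    val anyDn = RegexUtils.createPattern(".*");
    val casDn = RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US");

    /* Test case #1: Unsupported credential type */
    var handler = new X509CredentialsAuthenticationHandler(anyDn);
    params.add(arguments(handler, new UsernamePasswordCredential(), false, null, null));

    /* Test case #2: Valid certificate */
    handler = new X509CredentialsAuthenticationHandler(anyDn);
    var credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #3: Expired certificate */
    handler = new X509CredentialsAuthenticationHandler(anyDn);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, null, new CertificateExpiredException()));

    /* Test case #4: Untrusted issuer (issuer DN pattern does not match the snake-oil cert) */
    handler = new X509CredentialsAuthenticationHandler(casDn, true, false, false);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #5: Disallowed subject (subject DN pattern does not match the snake-oil cert) */
    handler = new X509CredentialsAuthenticationHandler(anyDn, true, casDn);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #6: Check key usage on a cert without keyUsage extension -> accepted */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #7: Require key usage on a cert without keyUsage extension -> rejected */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, true, true);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new FailedLoginException()));

    /* Test case #8: Require key usage on a cert with acceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    params.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #9: Require key usage on a cert with unacceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, true, true);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, null, new FailedLoginException()));

    /*
     * Revocation tests
     */
    /* Test case #10: Valid certificate with CRL checking */
    var checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(anyDn, checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    // The credential under test is the same instance the expected result is built from,
    // matching cases #2, #6 and #8 (previously a second, separately constructed credential was passed).
    params.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #11: Revoked end user certificate */
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(anyDn, checker);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, null, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null)));

    /* Test case #12: Valid certificate on expired CRL data with zero leniency -> expired CRL */
    val zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(anyDn, checker);
    params.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC))));

    // NOTE(review): cases #13-#15 supply both an expected result and an expected exception;
    // presumably the test body checks the exception first — confirm against the test method.

    /* Test case #13: Certificate not allowed (subject DN pattern that matches nothing) */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, RegexUtils.MATCH_NOTHING_PATTERN);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #14: Basic constraints of Integer.MAX_VALUE against a handler built with 0
     * (presumably a maximum path length — confirm against the handler) -> rejected */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, 0);
    var certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(Integer.MAX_VALUE);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #15: Basic constraints of 10 against a handler built with 1 -> rejected */
    handler = new X509CredentialsAuthenticationHandler(anyDn, false, 1);
    certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(10);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #16: Key usage set on a generated certificate, key usage checked but not required -> accepted */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".+"), true, true, false);
    certificate = new CasX509Certificate(true);
    certificate.setKeyUsage(true);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    params.add(arguments(handler, credential, true, successFor(handler, credential), null));

    return params.stream();
}

/**
 * Builds the execution result expected when {@code handler} accepts {@code credential}:
 * the handler, the credential, and a principal created from the credential id.
 *
 * @param handler    the handler under test
 * @param credential the credential it is expected to accept
 * @return the expected successful result
 */
private static DefaultAuthenticationHandlerExecutionResult successFor(final X509CredentialsAuthenticationHandler handler,
                                                                      final X509CertificateCredential credential) {
    return new DefaultAuthenticationHandlerExecutionResult(handler, credential,
        PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(credential.getId()));
}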
use of org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy in project cas by apereo.
the class X509AuthenticationConfiguration method crlDistributionPointRevocationChecker.
@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
@ConditionalOnMissingBean(name = "crlDistributionPointRevocationChecker")
public RevocationChecker crlDistributionPointRevocationChecker(final CasConfigurationProperties casProperties, @Qualifier("crlFetcher") final CRLFetcher crlFetcher, @Qualifier("allowRevocationPolicy") final RevocationPolicy allowRevocationPolicy, @Qualifier("thresholdExpiredCRLRevocationPolicy") final RevocationPolicy thresholdExpiredCRLRevocationPolicy, @Qualifier("denyRevocationPolicy") final RevocationPolicy denyRevocationPolicy) {
    val x509Properties = casProperties.getAuthn().getX509();

    // Fetched CRLs are cached by distribution point URI as raw bytes.
    var cacheBuilder = UserManagedCacheBuilder.newUserManagedCacheBuilder(URI.class, byte[].class);
    if (x509Properties.isCacheDiskOverflow()) {
        val diskCapacity = Capacity.parse(x509Properties.getCacheDiskSize());
        val diskUnit = MemoryUnit.valueOf(diskCapacity.getUnitOfMeasure().name());
        cacheBuilder = cacheBuilder.withResourcePools(
            ResourcePoolsBuilder.newResourcePoolsBuilder().disk(diskCapacity.getSize().longValue(), diskUnit, false));
    }
    // NOTE(review): withResourcePools is invoked a second time here; if it replaces rather than
    // merges the pools, the disk tier configured above is dropped — verify against the cache builder.
    cacheBuilder = cacheBuilder.withResourcePools(
        ResourcePoolsBuilder.newResourcePoolsBuilder().heap(x509Properties.getCacheMaxElementsInMemory(), EntryUnit.ENTRIES));

    if (!x509Properties.isCacheEternal()) {
        val timeToLive = Duration.ofSeconds(x509Properties.getCacheTimeToLiveSeconds());
        cacheBuilder = cacheBuilder.withExpiry(ExpiryPolicyBuilder.timeToLiveExpiration(timeToLive));
    } else {
        cacheBuilder = cacheBuilder.withExpiry(ExpiryPolicyBuilder.noExpiration());
    }
    val crlCache = cacheBuilder.build(true);

    // Both policies are resolved from configuration names to one of the three injected beans.
    // Choosing the "allow" policy for unavailable CRLs means a certificate is accepted when its
    // CRL cannot be obtained at all (fail-open); the "deny" policy rejects it instead.
    val unavailableCrlPolicy = getRevocationPolicy(x509Properties.getCrlUnavailablePolicy(),
        allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);
    val expiredCrlPolicy = getRevocationPolicy(x509Properties.getCrlExpiredPolicy(),
        allowRevocationPolicy, thresholdExpiredCRLRevocationPolicy, denyRevocationPolicy);

    return new CRLDistributionPointRevocationChecker(x509Properties.isCheckAll(),
        unavailableCrlPolicy, expiredCrlPolicy, crlCache, crlFetcher, x509Properties.isThrowOnFetchFailure());
}