

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserLoginTest method loginWithX509CertCustomAttributeUserNotFound.

/**
 * Browser login where the certificate identity is taken from the subject DN
 * (the {@code O=} RDN) and matched against a custom user attribute that no
 * user carries. The X.509 step must therefore fail with {@code user_not_found}
 * and fall back to the ordinary username/password form, which must still work.
 */
@Test
public void loginWithX509CertCustomAttributeUserNotFound() {
    X509AuthenticatorConfigModel x509Config = new X509AuthenticatorConfigModel();
    x509Config.setConfirmationPageAllowed(true);
    x509Config.setMappingSourceType(SUBJECTDN);
    // Capture everything after "O=" up to the next RDN separator (or the end of the DN).
    x509Config.setRegularExpression("O=(.*?)(?:,|$)");
    x509Config.setCustomAttributeName("x509_certificate_identity");
    x509Config.setUserIdentityMapperType(USER_ATTRIBUTE);

    AuthenticatorConfigRepresentation configRep = newConfig("x509-browser-config", x509Config.getConfig());
    String createdConfigId = createConfig(browserExecution.getId(), configRep);
    Assert.assertNotNull(createdConfigId);

    loginConfirmationPage.open();
    // No user could be resolved from the certificate, so the browser lands on the
    // regular login form instead of the identity confirmation page.
    loginPage.assertCurrent();

    // The page shows the generic failure text; the identity the regex extracted
    // is checked against the audit event below, not against the page.
    String shownError = loginPage.getError();
    Assert.assertNotNull(shownError);
    Assert.assertThat(shownError, containsString("X509 certificate authentication's failed."));

    // The login event records the failure and the extracted identity ("Red Hat"),
    // with no user or session attached.
    events.expectLogin()
            .user((String) null)
            .session((String) null)
            .error("user_not_found")
            .detail(Details.USERNAME, "Red Hat")
            .removeDetail(Details.CONSENT)
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();

    // The failed certificate step must not prevent password login for a real user.
    loginPage.login("test-user@localhost", "password");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}


use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserLoginTest method loginNoIdentityConfirmationPage.

/**
 * Browser login with the identity confirmation page switched off: the e-mail
 * in the subject DN is matched against the username/e-mail and the user is
 * logged in immediately, without any confirmation or password prompt.
 */
@Test
public void loginNoIdentityConfirmationPage() {
    X509AuthenticatorConfigModel x509Config = new X509AuthenticatorConfigModel();
    // No confirmation step: a certificate that maps to a user logs that user in silently.
    x509Config.setConfirmationPageAllowed(false);
    x509Config.setMappingSourceType(SUBJECTDN_EMAIL);
    x509Config.setUserIdentityMapperType(USERNAME_EMAIL);

    AuthenticatorConfigRepresentation configRep = newConfig("x509-browser-config", x509Config.getConfig());
    String createdConfigId = createConfig(browserExecution.getId(), configRep);
    Assert.assertNotNull(createdConfigId);

    oauth.openLoginForm();
    // Straight to the authorization response: the flow completed without user interaction.
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    AssertEvents.ExpectedEvent loginEvent = events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI);
    // addX509CertificateDetails presumably adds the expected certificate details
    // to the login event before it is asserted — see that helper.
    addX509CertificateDetails(loginEvent).assertEvent();
}


use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserLoginTest method loginWithX509CertCustomAttributeSuccess.

/**
 * Successful browser login via a custom user attribute: the {@code O=} RDN of
 * the subject DN is matched against the user's {@code x509_certificate_identity}
 * attribute, and the user confirms the mapped identity on the confirmation page.
 */
@Test
public void loginWithX509CertCustomAttributeSuccess() {
    X509AuthenticatorConfigModel x509Config = new X509AuthenticatorConfigModel();
    x509Config.setConfirmationPageAllowed(true);
    x509Config.setMappingSourceType(SUBJECTDN);
    // Identity = organization RDN. O= typically names an organization rather than
    // an individual, so this is a test fixture, not a mapping to copy into a
    // production deployment.
    x509Config.setRegularExpression("O=(.*?)(?:,|$)");
    x509Config.setCustomAttributeName("x509_certificate_identity");
    x509Config.setUserIdentityMapperType(USER_ATTRIBUTE);

    AuthenticatorConfigRepresentation configRep = newConfig("x509-browser-config", x509Config.getConfig());
    String createdConfigId = createConfig(browserExecution.getId(), configRep);
    Assert.assertNotNull(createdConfigId);

    // Give the test user the attribute value the regex extracts from the test certificate.
    UserRepresentation testUser = findUser("test-user@localhost");
    Assert.assertNotNull(testUser);
    testUser.singleAttribute("x509_certificate_identity", "Red Hat");
    this.updateUser(testUser);
    events.clear();

    loginConfirmationPage.open();
    // The confirmation page shows the presented certificate's DN and the user it mapped to.
    String subjectDn = loginConfirmationPage.getSubjectDistinguishedNameText();
    Assert.assertTrue(subjectDn.startsWith("EMAILADDRESS=test-user@localhost"));
    Assert.assertEquals("test-user@localhost", loginConfirmationPage.getUsernameText());

    loginConfirmationPage.confirm();
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
}


use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserLoginTest method loginAsUserFromHexCertSerialNumberMappedToUserAttribute.

/**
 * Browser login matching the certificate serial number, rendered as hex,
 * against the user's {@code x509_serial_number} attribute.
 */
@Test
public void loginAsUserFromHexCertSerialNumberMappedToUserAttribute() {
    // Stamp the second test user with the (hex) serial number of the test certificate.
    UserRepresentation secondUser = testRealm().users().get(userId2).toRepresentation();
    Assert.assertNotNull(secondUser);
    secondUser.singleAttribute("x509_serial_number", "1009");
    this.updateUser(secondUser);
    events.clear();

    X509AuthenticatorConfigModel x509Config =
            createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(SERIALNUMBER, "x509_serial_number");
    // Compare the serial as a hex string rather than its decimal representation.
    // A serial number is only unique per issuing CA — presumably the test trust
    // store holds a single CA; verify before reusing this mapping elsewhere.
    x509Config.setSerialnumberHex(true);
    x509BrowserLogin(x509Config, userId2, "keycloak", "1009");
}


use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderFailOpenTest method ocspFailCloseLoginFailed.

/**
 * Direct-grant login with OCSP enabled, the responder unreachable and
 * fail-open OFF: the OCSP failure must be treated as a failed revocation
 * check and the grant rejected with 401 rather than allowed through.
 *
 * @throws Exception propagated from the token request helper
 */
@Test
public void ocspFailCloseLoginFailed() throws Exception {
    // Deliberately unresolvable responder host so the OCSP request cannot succeed.
    String unreachableResponder = "http://" + OCSP_RESPONDER_HOST + ".invalid.host:" + OCSP_RESPONDER_PORT + "/oscp";

    X509AuthenticatorConfigModel x509Config = new X509AuthenticatorConfigModel();
    x509Config.setOCSPEnabled(true);
    x509Config.setOCSPResponder(unreachableResponder);
    // Fail-closed: a responder outage must deny, not allow, the login.
    x509Config.setOCSPFailOpen(false);
    x509Config.setMappingSourceType(SUBJECTDN_EMAIL);
    x509Config.setUserIdentityMapperType(USERNAME_EMAIL);

    AuthenticatorConfigRepresentation configRep = newConfig("x509-directgrant-config", x509Config.getConfig());
    String createdConfigId = createConfig(directGrantExecution.getId(), configRep);
    Assert.assertNotNull(createdConfigId);

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "", "", null);

    assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), tokenResponse.getStatusCode());
    assertEquals("invalid_request", tokenResponse.getError());
    // Pin the cause so an unrelated failure (e.g. identity mapping) cannot make this pass.
    Assert.assertThat(tokenResponse.getErrorDescription(), containsString("OCSP check failed"));
    // NOTE(review): consider also asserting that the response carries no access token.
}
