
Example 6 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderFailOpenTest method ocspFailOpenLoginSuccess.

@Test
public void ocspFailOpenLoginSuccess() throws Exception {
    // OCSP is enabled with Fail-Open ON and the responder URL points at a host that cannot be
    // resolved, so every OCSP lookup fails. Fail-Open means a responder failure does not block
    // authentication (availability is preferred over a fresh revocation answer), so the direct
    // grant below is expected to succeed.
    String unreachableResponder =
            "http://" + OCSP_RESPONDER_HOST + ".invalid.host:" + OCSP_RESPONDER_PORT + "/oscp";
    // Responder certificate with the PEM armour lines stripped off.
    String responderPem = IOUtils.toString(
            this.getClass().getResourceAsStream(OcspHandler.OCSP_RESPONDER_CERT_PATH), Charsets.UTF_8);
    String responderCert = responderPem
            .replace("-----BEGIN CERTIFICATE-----", "")
            .replace("-----END CERTIFICATE-----", "");

    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setOCSPFailOpen(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder(unreachableResponder)
            .setOCSPResponderCertificate(responderCert)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), representation));

    // Mutual-TLS client material: client-ca.jks is expected next to the configured keystore.
    String clientKeyStore = Paths.get(System.getProperty("client.certificate.keystore"))
            .getParent().resolve("client-ca.jks").toString();
    String clientKeyStorePassphrase = System.getProperty("client.certificate.keystore.passphrase");
    String trustStore = System.getProperty("client.truststore");
    String trustStorePassphrase = System.getProperty("client.truststore.passphrase");

    // Swap in an mTLS-capable HTTP client for this request only and always restore the previous
    // one, so a failing assertion does not leak the client into other tests of the class.
    Supplier<CloseableHttpClient> originalClient = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(
                clientKeyStore, clientKeyStorePassphrase, trustStore, trustStorePassphrase));
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // Fail-Open: the login must be allowed even though the responder is unreachable.
        assertEquals(Response.Status.OK.getStatusCode(), tokenResponse.getStatusCode());
    } finally {
        oauth.httpClient(originalClient);
    }
}

Example 7 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderTest method loginOKOnOCSPResponderRevocationCheckWithoutCA.

@Test
public void loginOKOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
    // OCSP is enabled (Fail-Open left at its default), the responder URL points at the test
    // responder, and the responder's certificate is configured explicitly so the OCSP response
    // signature can be validated. The direct grant is expected to succeed.
    String responderUrl = "http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp";
    // Responder certificate with the PEM armour lines stripped off.
    String responderPem = IOUtils.toString(
            this.getClass().getResourceAsStream(OcspHandler.OCSP_RESPONDER_CERT_PATH), Charsets.UTF_8);
    String responderCert = responderPem
            .replace(PemUtils.BEGIN_CERT, "")
            .replace(PemUtils.END_CERT, "");

    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder(responderUrl)
            .setOCSPResponderCertificate(responderCert)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), representation));

    // Mutual-TLS client material: client-ca.jks is expected next to the configured keystore.
    String clientKeyStore = Paths.get(System.getProperty("client.certificate.keystore"))
            .getParent().resolve("client-ca.jks").toString();
    String clientKeyStorePassphrase = System.getProperty("client.certificate.keystore.passphrase");
    String trustStore = System.getProperty("client.truststore");
    String trustStorePassphrase = System.getProperty("client.truststore.passphrase");

    // Swap in an mTLS-capable HTTP client for this request only and always restore the previous
    // one, so a failing assertion does not leak the client into other tests of the class.
    Supplier<CloseableHttpClient> originalClient = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(
                clientKeyStore, clientKeyStorePassphrase, trustStore, trustStorePassphrase));
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // Expected to pass: the fixture certificate was fixed (see the original test comment),
        // so the revocation check succeeds and the grant is issued.
        assertEquals(Response.Status.OK.getStatusCode(), tokenResponse.getStatusCode());
    } finally {
        oauth.httpClient(originalClient);
    }
}

Example 8 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderTest method loginFailedOnOCSPResponderRevocationCheck.

@Test
public void loginFailedOnOCSPResponderRevocationCheck() throws Exception {
    // OCSP is enabled but no responder URL and no responder certificate are configured, so the
    // authenticator has to locate the responder itself (presumably from the client certificate's
    // AIA extension — TODO confirm against the authenticator). The test user's certificate is
    // revoked, so the direct grant must be refused: 401 with error "invalid_request" and a
    // description naming the revocation.
    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), representation));

    // Uses the default HTTP client of the OAuth helper (no client swap needed here).
    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse =
            oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // A revoked certificate must fail closed.
    assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), tokenResponse.getStatusCode());
    assertEquals("invalid_request", tokenResponse.getError());
    Assert.assertThat(tokenResponse.getErrorDescription(), containsString("Certificate's been revoked."));
}

Example 9 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderTest method loginFailedOnOCSPResponderRevocationCheckWithoutCA.

@Test
public void loginFailedOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
    // OCSP is enabled and points at the test responder, but NO responder certificate is
    // configured. The responder's signing certificate therefore has to qualify on its own; per
    // the original test comment it is issued by the same CA but lacks the OCSP-Signing extension,
    // so the response must be rejected and the login must fail closed.
    String responderUrl = "http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp";
    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder(responderUrl)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), representation));

    // Mutual-TLS client material: client-ca.jks is expected next to the configured keystore.
    String clientKeyStore = Paths.get(System.getProperty("client.certificate.keystore"))
            .getParent().resolve("client-ca.jks").toString();
    String clientKeyStorePassphrase = System.getProperty("client.certificate.keystore.passphrase");
    String trustStore = System.getProperty("client.truststore");
    String trustStorePassphrase = System.getProperty("client.truststore.passphrase");

    // Swap in an mTLS-capable HTTP client for this request only and always restore the previous
    // one, so a failing assertion does not leak the client into other tests of the class.
    Supplier<CloseableHttpClient> originalClient = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(
                clientKeyStore, clientKeyStorePassphrase, trustStore, trustStorePassphrase));
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("secret", "", "", null);

        assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), tokenResponse.getStatusCode());
        assertEquals("invalid_request", tokenResponse.getError());
        // Same-CA issuance is not enough: without the OCSP-Signing extension (and with no
        // explicitly trusted responder certificate) the responder is not accepted.
        Assert.assertThat(tokenResponse.getErrorDescription(),
                containsString("Responder's certificate not valid for signing OCSP responses"));
    } finally {
        oauth.httpClient(originalClient);
    }
}

Example 10 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderTest method loginClientCertSignedByIntermediateCA.

@Test
public void loginClientCertSignedByIntermediateCA() throws Exception {
    // OCSP is enabled and points at the test responder; no responder certificate is configured.
    // The client authenticates with a certificate issued by an intermediate CA
    // (test-user-cert-intermediary-ca.jks) and the direct grant is expected to succeed.
    String responderUrl = "http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp";
    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder(responderUrl)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), representation));

    // Mutual-TLS client material: the intermediate-CA user keystore is expected next to the
    // configured keystore.
    String clientKeyStore = Paths.get(System.getProperty("client.certificate.keystore"))
            .getParent().resolve("test-user-cert-intermediary-ca.jks").toString();
    String clientKeyStorePassphrase = System.getProperty("client.certificate.keystore.passphrase");
    String trustStore = System.getProperty("client.truststore");
    String trustStorePassphrase = System.getProperty("client.truststore.passphrase");

    // Swap in an mTLS-capable HTTP client for this request only and always restore the previous
    // one, so a failing assertion does not leak the client into other tests of the class.
    Supplier<CloseableHttpClient> originalClient = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(
                clientKeyStore, clientKeyStorePassphrase, trustStore, trustStorePassphrase));
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // Expected to pass: the fixture certificate was fixed (see the original test comment).
        assertEquals(Response.Status.OK.getStatusCode(), tokenResponse.getStatusCode());
    } finally {
        oauth.httpClient(originalClient);
    }
}
