Search in sources :

Example 16 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509OCSPResponderSpecificCertTest method loginFailedOnOCSPResponderRevocationCheck.

@Test
public void loginFailedOnOCSPResponderRevocationCheck() throws Exception {
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel().setOCSPEnabled(true).setOCSPResponder("http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp").setOCSPResponderCertificate("MIIDSDCCAjACCQDutBlh01xKxDANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJV\n" + "UzELMAkGA1UECBMCTUExETAPBgNVBAcTCFdlc3R3b3JkMRAwDgYDVQQKEwdSZWQg\n" + "SGF0MREwDwYDVQQLEwhLZXljbG9hazESMBAGA1UEAxMJbG9jYWxob3N0MCAXDTE4\n" + "MTEyOTE1MzYxNFoYDzMwMTgwNDAxMTUzNjE0WjBkMQswCQYDVQQGEwJVUzELMAkG\n" + "A1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8G\n" + "A1UECwwIS2V5Y2xvYWsxEjAQBgNVBAMMCUtleWNsb2FrMjCCASIwDQYJKoZIhvcN\n" + "AQEBBQADggEPADCCAQoCggEBALxnRdlqot+p3fAZ8BPt/ZeytVy2ZFXd7zG8jVCu\n" + "j/u/IqrN9fE7esdaiZYEwMvaTPKG7pAxb5NlRgWsE8UfNNN9a0GCp3wPJsmj4Lfx\n" + "K7LmH9QLtq+K7Ap5UGXXRNU0BZqcDMznMaIz04N4DimX5uGAwFQCy/NM5yUP2iOa\n" + "dPlB6ECpLavHDT09rMSVl5RgLQLx/TeX7pT4IW7kbpdTVI02rzE90O72riK61c6P\n" + "Q9Zb6bGSaNZwfNGIVQ8u6AVimLJx66p3BNP+3kEfg7xvXkw6UcaXM5LlMVcxi7cr\n" + "Se1k2UR95gPwJC1AVVPUPqHVb3Ix/wLl7GGhHcuBLPODF0cCAwEAATANBgkqhkiG\n" + "9w0BAQsFAAOCAQEADX2znEyqJZHGWLazrSHFn9Rn1mREqH+OCRq38ymz3tCNyVhs\n" + "OTSO1t6Fo1PP4RvlxB6gd4BYH7/cSCsO00s/OjPf8ptqz59TQAmCIM0+dwQuyxKO\n" + "gq55nWpy5gbqf/zqQiWsMXW5nkMVEMUvf1qbKx6xYP61B83vZh+t65LZh7meG6S5\n" + "B5qT6nDGKN7C8AHuxHHJjpgvYL8kNb47fASTYdHzW57Yi92NrkmAq4PCEt6FQTkX\n" + "WybC/Il6hS0jPdR2ExNV9ykKJrNGGhiwg3C8sf97/Kf+qQgRK8wQIdT88g81aJaG\n" + "qpwfJXd9AZO7DdDJdZ75lR9N1YSnhSq3Ur6IJg==").setMappingSourceType(SUBJECTDN_EMAIL).setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
    String cfgId = createConfig(directGrantExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);
    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
    assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatusCode());
    assertEquals("invalid_request", response.getError());
    Assert.assertThat(response.getErrorDescription(), containsString("Certificate's been revoked."));
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) X509AuthenticatorConfigModel(org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticatorConfigRepresentation(org.keycloak.representations.idm.AuthenticatorConfigRepresentation) Test(org.junit.Test)

Example 17 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserCRLTest method loginSuccessWithEmptyRevocationListFromFile.

@Test
public void loginSuccessWithEmptyRevocationListFromFile() {
    // Not possible to test file CRL on undertow at this moment - jboss config dir doesn't exist
    ContainerAssume.assumeNotAuthServerUndertow();
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel().setCRLEnabled(true).setCRLRelativePath(EMPTY_CRL_PATH).setConfirmationPageAllowed(true).setMappingSourceType(SUBJECTDN_EMAIL).setUserIdentityMapperType(USERNAME_EMAIL);
    x509BrowserLogin(config, userId, "test-user@localhost", "test-user@localhost");
}
Also used : X509AuthenticatorConfigModel(org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel) Test(org.junit.Test)

Example 18 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserCRLTest method loginSuccessWithCRLSignedWithIntermediateCA3FromTruststore.

@Test
public void loginSuccessWithCRLSignedWithIntermediateCA3FromTruststore() {
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel().setCRLEnabled(true).setCRLRelativePath(CRLRule.CRL_RESPONDER_ORIGIN + "/" + INTERMEDIATE_CA_3_CRL_PATH).setConfirmationPageAllowed(true).setMappingSourceType(SUBJECTDN_EMAIL).setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
    String cfgId = createConfig(browserExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);
    // Verify there is an error message because of invalid CRL signature
    x509BrowserLogin(config, userId, "test-user@localhost", "test-user@localhost");
}
Also used : X509AuthenticatorConfigModel(org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticatorConfigRepresentation(org.keycloak.representations.idm.AuthenticatorConfigRepresentation) Test(org.junit.Test)

Example 19 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserCRLTest method loginFailedWithIntermediateRevocationListFromFile.

@Test
public void loginFailedWithIntermediateRevocationListFromFile() {
    // Not possible to test file CRL on undertow at this moment - jboss config dir doesn't exist
    ContainerAssume.assumeNotAuthServerUndertow();
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel().setCRLEnabled(true).setCRLRelativePath(INTERMEDIATE_CA_CRL_PATH).setConfirmationPageAllowed(true).setMappingSourceType(SUBJECTDN_EMAIL).setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
    String cfgId = createConfig(browserExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);
    assertLoginFailedDueRevokedCertificate();
}
Also used : X509AuthenticatorConfigModel(org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticatorConfigRepresentation(org.keycloak.representations.idm.AuthenticatorConfigRepresentation) Test(org.junit.Test)

Example 20 with X509AuthenticatorConfigModel

use of org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel in project keycloak by keycloak.

the class X509BrowserCRLTest method loginWithMultipleRevocationLists.

@Test
public void loginWithMultipleRevocationLists() {
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel().setCRLEnabled(true).setCRLRelativePath(CRLRule.CRL_RESPONDER_ORIGIN + "/" + EMPTY_CRL_PATH + Constants.CFG_DELIMITER + CRLRule.CRL_RESPONDER_ORIGIN + "/" + INTERMEDIATE_CA_CRL_PATH).setConfirmationPageAllowed(true).setMappingSourceType(SUBJECTDN_EMAIL).setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
    String cfgId = createConfig(browserExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);
    assertLoginFailedDueRevokedCertificate();
}
Also used : X509AuthenticatorConfigModel(org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticatorConfigRepresentation(org.keycloak.representations.idm.AuthenticatorConfigRepresentation) Test(org.junit.Test)

Aggregations

X509AuthenticatorConfigModel (org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel)28 Test (org.junit.Test)27 Matchers.containsString (org.hamcrest.Matchers.containsString)24 AuthenticatorConfigRepresentation (org.keycloak.representations.idm.AuthenticatorConfigRepresentation)24 OAuthClient (org.keycloak.testsuite.util.OAuthClient)12 CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)4 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)4 AssertEvents (org.keycloak.testsuite.AssertEvents)2