use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
The class X509BrowserLoginTest, method loginNoIdentityConfirmationPage.
@Test
public void loginNoIdentityConfirmationPage() {
    // Map the e-mail from the certificate's Subject DN directly onto the
    // username/e-mail of an existing user, and disable the confirmation page.
    X509AuthenticatorConfigModel authModel = new X509AuthenticatorConfigModel()
            .setConfirmationPageAllowed(false)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation = newConfig("x509-browser-config", authModel.getConfig());
    String configId = createConfig(browserExecution.getId(), representation);
    Assert.assertNotNull(configId);

    oauth.openLoginForm();

    // With the confirmation page off, the X509 authenticator extracts the identity,
    // maps it to the existing user and completes the login without any prompt:
    // the browser lands straight on the application with an authorization code.
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    // The login event must carry the mapped username plus the certificate details.
    AssertEvents.ExpectedEvent loginEvent = events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI);
    addX509CertificateDetails(loginEvent).assertEvent();
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
The class X509BrowserLoginTest, method loginWithNonSupportedCertKeyUsage.
@Test
public void loginWithNonSupportedCertKeyUsage() throws Exception {
    // Require a Key Usage bit ('dataEncipherment') that the test client
    // certificate is expected not to carry.
    AuthenticatorConfigRepresentation representation = newConfig("x509-browser-config",
            createLoginSubjectEmailWithKeyUsage("dataEncipherment").getConfig());
    String configId = createConfig(browserExecution.getId(), representation);
    Assert.assertNotNull(configId);

    loginConfirmationPage.open();

    // Validation must fail, and the error must name the missing Key Usage bit
    // rather than a generic failure.
    String expectedError = "Certificate validation's failed.\n" + "Key Usage bit 'dataEncipherment' is not set.";
    Assert.assertThat(loginPage.getError(), containsString(expectedError));
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
The class X509BrowserLoginTest, method loginWithX509CertCustomAttributeSuccess.
@Test
public void loginWithX509CertCustomAttributeSuccess() {
    // The user attribute that the value captured from the Subject DN is matched against.
    String identityAttribute = "x509_certificate_identity";

    // Capture the organisation (O=) component of the Subject DN and look the user up
    // by the custom attribute instead of by username/e-mail.
    X509AuthenticatorConfigModel authModel = new X509AuthenticatorConfigModel()
            .setConfirmationPageAllowed(true)
            .setMappingSourceType(SUBJECTDN)
            .setRegularExpression("O=(.*?)(?:,|$)")
            .setCustomAttributeName(identityAttribute)
            .setUserIdentityMapperType(USER_ATTRIBUTE);
    AuthenticatorConfigRepresentation representation = newConfig("x509-browser-config", authModel.getConfig());
    String configId = createConfig(browserExecution.getId(), representation);
    Assert.assertNotNull(configId);

    // Give the test user the attribute value the certificate's O= component is expected to yield.
    UserRepresentation testUser = findUser("test-user@localhost");
    Assert.assertNotNull(testUser);
    testUser.singleAttribute(identityAttribute, "Red Hat");
    this.updateUser(testUser);

    events.clear();
    loginConfirmationPage.open();

    // The confirmation page shows the certificate's Subject DN and the user it resolved to.
    String subjectDn = loginConfirmationPage.getSubjectDistinguishedNameText();
    Assert.assertTrue(subjectDn.startsWith("EMAILADDRESS=test-user@localhost"));
    Assert.assertEquals("test-user@localhost", loginConfirmationPage.getUsernameText());

    // Confirming completes the login and hands back an authorization code.
    loginConfirmationPage.confirm();
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
The class X509OCSPResponderFailOpenTest, method ocspFailCloseLoginFailed.
@Test
public void ocspFailCloseLoginFailed() throws Exception {
    // OCSP is enabled against a responder host that cannot be resolved, with Fail-Open OFF.
    // The revocation check therefore fails, and the direct-grant login must be denied.
    String unreachableResponder = "http://" + OCSP_RESPONDER_HOST + ".invalid.host:" + OCSP_RESPONDER_PORT + "/oscp";
    X509AuthenticatorConfigModel authModel = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setOCSPResponder(unreachableResponder)
            .setOCSPFailOpen(false)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation = newConfig("x509-directgrant-config", authModel.getConfig());
    String configId = createConfig(directGrantExecution.getId(), representation);
    Assert.assertNotNull(configId);

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // Fail-closed: the token request is rejected outright ...
    assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), tokenResponse.getStatusCode());
    assertEquals("invalid_request", tokenResponse.getError());
    // ... and the description attributes the rejection to the OCSP check, not to bad credentials.
    Assert.assertThat(tokenResponse.getErrorDescription(), containsString("OCSP check failed"));
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
The class X509OCSPResponderFailOpenTest, method ocspFailOpenLoginSuccess.
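@Test
public void ocspFailOpenLoginSuccess() throws Exception {
    // Test of OCSP failure (invalid OCSP responder host) when OCSP Fail-Open is set to ON.
    // The responder host cannot be resolved, so the revocation check fails; with Fail-Open
    // enabled the login must nevertheless continue (contrast ocspFailCloseLoginFailed).
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setOCSPFailOpen(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder("http://" + OCSP_RESPONDER_HOST + ".invalid.host:" + OCSP_RESPONDER_PORT + "/oscp")
            .setOCSPResponderCertificate(readOcspResponderCertificate())
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
    String cfgId = createConfig(directGrantExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    // The direct grant is sent over mTLS using the client-ca keystore that sits next to the
    // configured client keystore; passphrases come from system properties.
    String keyStorePath = Paths.get(System.getProperty("client.certificate.keystore")).getParent().resolve("client-ca.jks").toString();
    String keyStorePassword = System.getProperty("client.certificate.keystore.passphrase");
    String trustStorePath = System.getProperty("client.truststore");
    String trustStorePassword = System.getProperty("client.truststore.passphrase");

    Supplier<CloseableHttpClient> previous = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // Make sure authentication is allowed
        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
    } finally {
        // Always restore the shared OAuth client so later tests do not inherit the mTLS transport.
        oauth.httpClient(previous);
    }
}

/**
 * Reads the OCSP responder certificate bundled at {@link OcspHandler#OCSP_RESPONDER_CERT_PATH}
 * and returns its PEM content with the BEGIN/END armor lines removed.
 *
 * @return the responder certificate text with the PEM armor lines stripped
 * @throws IllegalStateException if the resource is not on the classpath
 * @throws Exception if the resource cannot be read
 */
private String readOcspResponderCertificate() throws Exception {
    // try-with-resources closes the stream; the previous inline call never did.
    try (java.io.InputStream in = this.getClass().getResourceAsStream(OcspHandler.OCSP_RESPONDER_CERT_PATH)) {
        if (in == null) {
            throw new IllegalStateException("OCSP responder certificate resource not found: " + OcspHandler.OCSP_RESPONDER_CERT_PATH);
        }
        return IOUtils.toString(in, Charsets.UTF_8)
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "");
    }
}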