Use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak (by keycloak):
class X509OCSPResponderTest, method loginOKOnOCSPResponderRevocationCheckWithoutCA.
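/**
 * Direct grant with OCSP revocation checking where the responder certificate is
 * pinned in the authenticator config via {@code setOCSPResponderCertificate}.
 * The companion test {@code loginFailedOnOCSPResponderRevocationCheckWithoutCA}
 * talks to the same responder without the pinned certificate and is rejected
 * with "Responder's certificate not valid for signing OCSP responses"; here the
 * explicitly trusted certificate presumably makes that same response acceptable,
 * so the grant is expected to succeed with HTTP 200.
 * <p>
 * The client keystore is {@code client-ca.jks} located next to the keystore named
 * by the {@code client.certificate.keystore} system property. The previous HTTP
 * client supplier is restored in {@code finally} so later tests are unaffected.
 */
@Test
public void loginOKOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
    // Strip the PEM BEGIN/END markers before handing the cert to the config.
    // NOTE(review): the stream returned by getResourceAsStream is never closed;
    // wrapping it in try-with-resources needs an InputStream import not visible here.
    String responderCertPem = IOUtils.toString(
            this.getClass().getResourceAsStream(OcspHandler.OCSP_RESPONDER_CERT_PATH), Charsets.UTF_8)
            .replace(PemUtils.BEGIN_CERT, "")
            .replace(PemUtils.END_CERT, "");

    // NOTE(review): the responder path is spelled "/oscp" (not "/ocsp") in every
    // responder test of this class; it presumably matches the test OcspHandler,
    // so confirm there before "correcting" it.
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder("http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp")
            .setOCSPResponderCertificate(responderCertPem)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
    String cfgId = createConfig(directGrantExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    // Fail with a message naming the missing property instead of an NPE from
    // Paths.get when the suite runs without a client keystore configured.
    String configuredKeyStore = System.getProperty("client.certificate.keystore");
    Assert.assertNotNull("system property client.certificate.keystore is not set", configuredKeyStore);
    String keyStorePath = Paths.get(configuredKeyStore).getParent().resolve("client-ca.jks").toString();
    String keyStorePassword = System.getProperty("client.certificate.keystore.passphrase");
    String trustStorePath = System.getProperty("client.truststore");
    String trustStorePassword = System.getProperty("client.truststore.passphrase");

    Supplier<CloseableHttpClient> previous = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        // Present the client certificate over mutual TLS for the direct grant.
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // The responder certificate is pinned in the config, so the revocation
        // check passes and the grant is issued.
        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
    } finally {
        oauth.httpClient(previous);
    }
}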
Use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak (by keycloak):
class X509OCSPResponderTest, method loginFailedOnOCSPResponderRevocationCheck.
/**
 * OCSP revocation check with neither a responder URL nor a responder certificate
 * configured on the authenticator: the direct grant for the default client
 * certificate must be refused as revoked (HTTP 401, {@code invalid_request}).
 * Where the responder is discovered from in this case is not visible here
 * (presumably the client certificate's AIA extension - verify in the authenticator).
 */
@Test
public void loginFailedOnOCSPResponderRevocationCheck() throws Exception {
    X509AuthenticatorConfigModel ocspOnlyConfig = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", ocspOnlyConfig.getConfig());
    String createdConfigId = createConfig(directGrantExecution.getId(), representation);
    Assert.assertNotNull(createdConfigId);

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "", "", null);

    int expectedStatus = Response.Status.UNAUTHORIZED.getStatusCode();
    Assert.assertEquals(expectedStatus, tokenResponse.getStatusCode());
    Assert.assertEquals("invalid_request", tokenResponse.getError());
    // NOTE(review): Assert.assertThat is deprecated in newer JUnit 4 releases in
    // favour of hamcrest's MatcherAssert.assertThat.
    Assert.assertThat(tokenResponse.getErrorDescription(), containsString("Certificate's been revoked."));
}
Use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak (by keycloak):
class X509OCSPResponderTest, method loginFailedOnOCSPResponderRevocationCheckWithoutCA.
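/**
 * OCSP revocation check against the test responder with an explicit responder URL
 * but no pinned responder certificate. The responder's signing certificate is
 * issued by the same CA as the client certificate but carries no OCSP-Signing
 * extension, so the authenticator must refuse to trust the response: the grant
 * fails with HTTP 401, {@code invalid_request} and a description containing
 * "Responder's certificate not valid for signing OCSP responses".
 * <p>
 * This is the negative counterpart of
 * {@code loginOKOnOCSPResponderRevocationCheckWithoutCA}, which pins the
 * responder certificate and succeeds. The client keystore is {@code client-ca.jks}
 * next to the keystore named by {@code client.certificate.keystore}; the previous
 * HTTP client supplier is restored in {@code finally}.
 */
@Test
public void loginFailedOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
    // NOTE(review): the responder path is spelled "/oscp" (not "/ocsp") in every
    // responder test of this class; it presumably matches the test OcspHandler,
    // so confirm there before "correcting" it.
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder("http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp")
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
    String cfgId = createConfig(directGrantExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    // Fail with a message naming the missing property instead of an NPE from
    // Paths.get when the suite runs without a client keystore configured.
    String configuredKeyStore = System.getProperty("client.certificate.keystore");
    Assert.assertNotNull("system property client.certificate.keystore is not set", configuredKeyStore);
    String keyStorePath = Paths.get(configuredKeyStore).getParent().resolve("client-ca.jks").toString();
    String keyStorePassword = System.getProperty("client.certificate.keystore.passphrase");
    String trustStorePath = System.getProperty("client.truststore");
    String trustStorePassword = System.getProperty("client.truststore.passphrase");

    Supplier<CloseableHttpClient> previous = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        // Present the client certificate over mutual TLS for the direct grant.
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
        assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatusCode());
        assertEquals("invalid_request", response.getError());
        // The OCSP signer cert is issued by the same CA but lacks the OCSP-Signing
        // extension, so without a pinned responder cert the response is rejected.
        // NOTE(review): Assert.assertThat is deprecated in newer JUnit 4 releases.
        Assert.assertThat(response.getErrorDescription(), containsString("Responder's certificate not valid for signing OCSP responses"));
    } finally {
        oauth.httpClient(previous);
    }
}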
Use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak (by keycloak):
class X509OCSPResponderTest, method loginClientCertSignedByIntermediateCA.
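/**
 * Direct grant with OCSP revocation checking for a client certificate issued by an
 * intermediate CA ({@code test-user-cert-intermediary-ca.jks}, located next to the
 * keystore named by {@code client.certificate.keystore}). The authenticator points
 * at the test responder by URL and pins no responder certificate; the grant is
 * expected to succeed with HTTP 200.
 * <p>
 * The previous HTTP client supplier is restored in {@code finally} so later tests
 * are unaffected.
 */
@Test
public void loginClientCertSignedByIntermediateCA() throws Exception {
    // NOTE(review): the responder path is spelled "/oscp" (not "/ocsp") in every
    // responder test of this class; it presumably matches the test OcspHandler,
    // so confirm there before "correcting" it.
    X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel()
            .setOCSPEnabled(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setOCSPResponder("http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp")
            .setUserIdentityMapperType(USERNAME_EMAIL);
    AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
    String cfgId = createConfig(directGrantExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    // Fail with a message naming the missing property instead of an NPE from
    // Paths.get when the suite runs without a client keystore configured.
    String configuredKeyStore = System.getProperty("client.certificate.keystore");
    Assert.assertNotNull("system property client.certificate.keystore is not set", configuredKeyStore);
    String keyStorePath = Paths.get(configuredKeyStore).getParent().resolve("test-user-cert-intermediary-ca.jks").toString();
    String keyStorePassword = System.getProperty("client.certificate.keystore.passphrase");
    String trustStorePath = System.getProperty("client.truststore");
    String trustStorePassword = System.getProperty("client.truststore.passphrase");

    Supplier<CloseableHttpClient> previous = oauth.getHttpClient();
    try {
        oauth.clientId("resource-owner");
        // Present the intermediate-CA client certificate over mutual TLS.
        oauth.httpClient(() -> OAuthClient.newCloseableHttpClientSSL(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
        // NOTE(review): unlike loginOKOnOCSPResponderRevocationCheckWithoutCA no
        // responder certificate is pinned here, yet the grant succeeds; the test
        // responder's answer for the intermediate-CA chain is presumably signed by
        // a certificate the authenticator accepts - confirm against OcspHandler.
        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
    } finally {
        oauth.httpClient(previous);
    }
}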
Use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak (by keycloak):
class X509DirectGrantTest, method loginFailedTemporarilyDisabledUser.
/**
 * Direct grant with X.509 authentication for an account that brute-force
 * detection has temporarily locked: the request must be rejected with HTTP 400,
 * {@code invalid_grant} and "Account temporarily disabled", and a login event
 * with error {@code USER_TEMPORARILY_DISABLED} must be recorded for the user.
 * <p>
 * NOTE(review): the test is {@code @Ignore}d without a reason string; record why
 * it is disabled so the next maintainer can decide whether to re-enable it.
 */
@Test
@Ignore
public void loginFailedTemporarilyDisabledUser() throws Exception {
    // Trigger the temporary lock first so the grant below hits the locked account.
    loginForceTemporaryAccountLock();

    AuthenticatorConfigRepresentation representation =
            newConfig("x509-directgrant-config", createLoginSubjectEmail2UsernameOrEmailConfig().getConfig());
    String createdConfigId = createConfig(directGrantExecution.getId(), representation);
    Assert.assertNotNull(createdConfigId);

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // A direct grant has no session, code, consent or redirect URI, so those
    // details are dropped from the expected login event.
    events.expectLogin()
            .user(userId)
            .session((String) null)
            .error(Errors.USER_TEMPORARILY_DISABLED)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.CONSENT)
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();

    int expectedStatus = Response.Status.BAD_REQUEST.getStatusCode();
    Assert.assertEquals(expectedStatus, tokenResponse.getStatusCode());
    Assert.assertEquals("invalid_grant", tokenResponse.getError());
    Assert.assertEquals("Account temporarily disabled", tokenResponse.getErrorDescription());
}