use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
the class X509DirectGrantTest method loginFailedOnInvalidUser.
/**
 * Verifies that the X.509 direct grant is rejected when the identity taken from
 * the client certificate does not resolve to a user.
 *
 * <p>The authenticator is configured from
 * {@code createLoginIssuerDN_OU2CustomAttributeConfig()} and the
 * {@code x509_certificate_identity} attribute of user {@code userId2} is set to
 * {@code "-"} (presumably a value the certificate-derived identity cannot match;
 * confirm against the test certificate). The token request must then fail with
 * HTTP 401, {@code invalid_grant} and the generic description
 * "Invalid user credentials".
 *
 * @throws Exception if test setup or the token request fails unexpectedly
 */
@Test
public void loginFailedOnInvalidUser() throws Exception {
    AuthenticatorConfigRepresentation authenticatorConfig = newConfig(
            "x509-directgrant-config",
            createLoginIssuerDN_OU2CustomAttributeConfig().getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), authenticatorConfig));

    // Overwrite the mapped attribute so the lookup for the certificate identity finds nobody.
    UserRepresentation secondUser = testRealm().users().get(userId2).toRepresentation();
    Assert.assertNotNull(secondUser);
    secondUser.singleAttribute("x509_certificate_identity", "-");
    updateUser(secondUser);

    // Drop events produced by the setup above so only the login attempt is asserted.
    events.clear();

    // Empty username/password: presumably only the client certificate identifies the user here.
    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse =
            oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // The failure event must carry neither a user nor a session.
    events.expectLogin()
            .user((String) null)
            .session((String) null)
            .error(Errors.INVALID_USER_CREDENTIALS)
            .client("resource-owner")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.USERNAME)
            .removeDetail(Details.CONSENT)
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();

    assertEquals(401, tokenResponse.getStatusCode());
    assertEquals("invalid_grant", tokenResponse.getError());
    assertEquals("Invalid user credentials", tokenResponse.getErrorDescription());
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
the class X509DirectGrantTest method loginFailedDisabledUser.
/**
 * Verifies that a disabled account cannot obtain a token through the X.509
 * direct grant even though the certificate maps to that account.
 *
 * <p>The user {@code test-user@localhost} is disabled for the duration of the
 * test and re-enabled in a {@code finally} block. The request is expected to
 * fail with HTTP 400, {@code invalid_grant} and the description
 * "Account disabled", and the error event must name the resolved user.
 *
 * @throws Exception if test setup or the token request fails unexpectedly
 */
@Test
public void loginFailedDisabledUser() throws Exception {
    final String username = "test-user@localhost";
    setUserEnabled(username, false);
    try {
        AuthenticatorConfigRepresentation authenticatorConfig = newConfig(
                "x509-directgrant-config",
                createLoginSubjectEmail2UsernameOrEmailConfig().getConfig());
        Assert.assertNotNull(createConfig(directGrantExecution.getId(), authenticatorConfig));

        oauth.clientId("resource-owner");
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("secret", "", "", null);

        // The user was resolved, so the event records it, but no session may exist.
        events.expectLogin()
                .user(userId)
                .session((String) null)
                .error(Errors.USER_DISABLED)
                .client("resource-owner")
                .detail(Details.USERNAME, username)
                .removeDetail(Details.CODE_ID)
                .removeDetail(Details.CONSENT)
                .removeDetail(Details.REDIRECT_URI)
                .assertEvent();

        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), tokenResponse.getStatusCode());
        assertEquals("invalid_grant", tokenResponse.getError());
        assertEquals("Account disabled", tokenResponse.getErrorDescription());
    } finally {
        // Always restore the account so a failure here cannot leak into other tests.
        setUserEnabled(username, true);
    }
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
the class X509DirectGrantTest method loginFailedOnDuplicateUsers.
/**
 * Verifies that the X.509 direct grant is refused when the certificate identity
 * maps to more than one user.
 *
 * <p>Both {@code userId2} and {@code userId} get the same
 * {@code x509_certificate_identity} value ("Red Hat"), so the lookup is
 * ambiguous. The request must fail with HTTP 401 and {@code invalid_request}
 * rather than authenticating either candidate.
 *
 * @throws Exception if test setup or the token request fails unexpectedly
 */
@Test
public void loginFailedOnDuplicateUsers() throws Exception {
    AuthenticatorConfigRepresentation authenticatorConfig = newConfig(
            "x509-directgrant-config",
            createLoginIssuerDN_OU2CustomAttributeConfig().getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), authenticatorConfig));

    // Give two users the same certificate identity so that the identity extracted
    // from the X509 client cert matches more than a single user; this is meant to
    // trigger DuplicateModelException.
    UserRepresentation secondUser = testRealm().users().get(userId2).toRepresentation();
    Assert.assertNotNull(secondUser);
    secondUser.singleAttribute("x509_certificate_identity", "Red Hat");
    updateUser(secondUser);

    UserRepresentation firstUser = testRealm().users().get(userId).toRepresentation();
    Assert.assertNotNull(firstUser);
    firstUser.singleAttribute("x509_certificate_identity", "Red Hat");
    updateUser(firstUser);

    // Drop events produced by the setup above.
    events.clear();

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse =
            oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // NOTE(review): only the HTTP response is checked; no event assertion is made here.
    assertEquals(401, tokenResponse.getStatusCode());
    assertEquals("invalid_request", tokenResponse.getError());
    Assert.assertThat(
            tokenResponse.getErrorDescription(),
            containsString("X509 certificate authentication's failed."));
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
the class X509DirectGrantTest method loginWithNonMatchingRegex.
/**
 * Verifies that the X.509 direct grant is rejected when the configured regular
 * expression extracts no identity from the certificate.
 *
 * <p>The base config from {@code createLoginIssuerDN_OU2CustomAttributeConfig()}
 * is altered to use the pattern {@code INVALID=(.*?)(?:,|$)}, which presumably
 * matches nothing in the test certificate's issuer DN (confirm against the
 * certificate). The request must fail with HTTP 401 and an
 * {@code invalid_user_credentials} event without user or session.
 *
 * @throws Exception if test setup or the token request fails unexpectedly
 */
@Test
public void loginWithNonMatchingRegex() throws Exception {
    X509AuthenticatorConfigModel model = createLoginIssuerDN_OU2CustomAttributeConfig();
    model.setRegularExpression("INVALID=(.*?)(?:,|$)");

    AuthenticatorConfigRepresentation authenticatorConfig =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), authenticatorConfig));

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse =
            oauth.doGrantAccessTokenRequest("secret", "", "", null);
    assertEquals(401, tokenResponse.getStatusCode());

    // No identity was extracted, so the event must not reference a user or a session.
    AssertEvents.ExpectedEvent expected = events.expectLogin()
            .user((String) null)
            .session((String) null)
            .error("invalid_user_credentials")
            .client("resource-owner")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.CONSENT)
            .removeDetail(Details.REDIRECT_URI);

    // The helper adds the certificate details to the expected event before it is asserted.
    addX509CertificateDetails(expected).assertEvent();
}
use of org.keycloak.representations.idm.AuthenticatorConfigRepresentation in project keycloak by keycloak.
the class X509DirectGrantTest method loginCertificateNotExpired.
/**
 * Verifies that the X.509 direct grant succeeds when certificate validation is
 * enabled and the client certificate passes it.
 *
 * <p>The config enables certificate validation and maps the subject DN e-mail
 * to the username or e-mail of the user. The token request is expected to
 * return HTTP 200 (presumably because the test certificate is within its
 * validity period; confirm against the test keystore).
 *
 * @throws Exception if test setup or the token request fails unexpectedly
 */
@Test
public void loginCertificateNotExpired() throws Exception {
    X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
            .setCertValidationEnabled(true)
            .setConfirmationPageAllowed(true)
            .setMappingSourceType(SUBJECTDN_EMAIL)
            .setUserIdentityMapperType(USERNAME_EMAIL);

    AuthenticatorConfigRepresentation authenticatorConfig =
            newConfig("x509-directgrant-config", model.getConfig());
    Assert.assertNotNull(createConfig(directGrantExecution.getId(), authenticatorConfig));

    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse =
            oauth.doGrantAccessTokenRequest("secret", "", "", null);

    // NOTE(review): only the status code is checked; the issued token and the login event are not.
    assertEquals(200, tokenResponse.getStatusCode());
}