From 697caaa805adb0ddd061fb6ab299f3e649c52365 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira
Date: Thu, 23 Nov 2017 18:29:00 -0200
Subject: [PATCH] [KEYCLOAK-4683] Add key usage tests for X.509 Authentication

These tests cover the scenarios already available at our certificates:
* Key Usage with the flag critical
* Extended Key Usage without the flag critical
---
 .../x509/AbstractX509AuthenticationTest.java | 10 ++++++
 .../testsuite/x509/X509BrowserLoginTest.java | 19 ++++++++++++
 .../testsuite/x509/X509DirectGrantTest.java | 31 +++++++++++++++++++
 3 files changed, 60 insertions(+)

diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
index 2422bdec94..f0b2fe59af 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
@@ -301,6 +301,16 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
                 .setUserIdentityMapperType(USERNAME_EMAIL);
     }
 
+    protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) {
+        return createLoginSubjectEmail2UsernameOrEmailConfig()
+                .setKeyUsage(keyUsage);
+    }
+
+    protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithExtendedKeyUsage(String extendedKeyUsage) {
+        return createLoginSubjectEmail2UsernameOrEmailConfig()
+                .setExtendedKeyUsage(extendedKeyUsage);
+    }
+
     protected static X509AuthenticatorConfigModel createLoginSubjectCN2UsernameOrEmailConfig() {
         return new X509AuthenticatorConfigModel()
                 .setConfirmationPageAllowed(true)
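Review bot: The two new factories createLoginSubjectEmailWithKeyUsage and createLoginSubjectEmailWithExtendedKeyUsage take the usage as a bare String with no Javadoc saying what it is matched against or which names are accepted; the only hint a reader gets is the call sites in the subclasses ("dataEncipherment", "serverAuth"). A one-line comment on each would spare the next test author a trip into X509AuthenticatorConfigModel, e.g. `/** Email-identity config that additionally requires the named Key Usage bit (e.g. "dataEncipherment") to be set on the client certificate. */` and the matching Extended Key Usage wording on the second method. Whether the name is compared verbatim or normalised is presumably decided in the validator rather than here, so the comment should be checked against it before it lands.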
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
index d5a69f128f..13de1a98b5 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
@@ -86,6 +86,25 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
         login(createLoginSubjectEmail2UsernameOrEmailConfig(), userId, "test-user@localhost", "test-user@localhost");
     }
 
+    @Test
+    public void loginWithNonSupportedCertKeyUsage() throws Exception {
+        // Set the X509 authenticator configuration
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config",
+                createLoginSubjectEmailWithKeyUsage("dataEncipherment").getConfig());
+        String cfgId = createConfig(browserExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        loginConfirmationPage.open();
+
+        Assert.assertThat(loginPage.getError(), containsString("Certificate validation's failed.\n" +
+                "Key Usage bit 'dataEncipherment' is not set."));
+    }
+
+    @Test
+    public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
+        login(createLoginSubjectEmailWithExtendedKeyUsage("serverAuth"), userId, "test-user@localhost", "test-user@localhost");
+    }
+
     @Test
     public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
         // Set the X509 authenticator configuration
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
index 25826044f1..9411320329 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
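Review bot: loginWithNonSupportedCertExtendedKeyUsage asserts a successful login even though, going by the test name, "serverAuth" is an Extended Key Usage the client certificate does not carry, and nothing in the method says why success is the expected outcome; only the commit message explains it (the certificate's Extended Key Usage extension is not marked critical, so a mismatch is tolerated), and a reader of the test alone cannot tell an intended pass from a validator regression. Add that reasoning to the test body, e.g. `// The test certificate's Extended Key Usage extension is not critical, so a non-matching EKU must not block the login.` The direct-grant counterpart in X509DirectGrantTest, which asserts only a 200 status, needs the same comment. Since this test pins down a lenient path, it is also worth checking that a test exists in which the configured EKU does match the certificate, so the positive path is covered as well as the tolerated mismatch; I cannot see from the hunk whether one already does.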
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
@@ -114,6 +114,37 @@ public class X509DirectGrantTest extends AbstractX509AuthenticationTest {
         assertEquals("Invalid user credentials", response.getErrorDescription());
     }
 
+    @Test
+    public void loginWithNonSupportedCertKeyUsage() throws Exception {
+        // Set the X509 authenticator configuration
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config",
+                createLoginSubjectEmailWithKeyUsage("dataEncipherment").getConfig());
+        String cfgId = createConfig(directGrantExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        oauth.clientId("resource-owner");
+        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+        assertEquals(401, response.getStatusCode());
+        assertEquals("invalid_request", response.getError());
+        Assert.assertThat(response.getErrorDescription(), containsString("Key Usage bit 'dataEncipherment' is not set."));
+        events.clear();
+    }
+
+    @Test
+    public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
+        // Set the X509 authenticator configuration
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config",
+                createLoginSubjectEmailWithExtendedKeyUsage("serverAuth").getConfig());
+        String cfgId = createConfig(directGrantExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        oauth.clientId("resource-owner");
+        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+        assertEquals(200, response.getStatusCode());
+    }
+
     @Test
     public void loginFailedDisabledUser() throws Exception {
         setUserEnabled("test-user@localhost", false);
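Review bot: loginWithNonSupportedCertKeyUsage ends with `events.clear()` but loginWithNonSupportedCertExtendedKeyUsage, whose grant succeeds with 200, does not; if the successful grant records a login event, as the passing-login tests in this class presumably expect, it is left in the queue for whatever test runs next. Either add `events.clear();` after the status assertion or, better, assert the event and the issued token the way the other successful direct-grant tests in this file do, so the test proves the grant actually produced a usable token rather than only a status code, e.g. `Assert.assertNotNull(response.getAccessToken());`. A one-line comment stating why a non-matching "serverAuth" EKU is still accepted (the certificate's EKU extension is not critical, per the commit message) would also make the expected 200 self-explanatory.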