[KEYCLOAK-5483] X.509 Auth - log in attempt is not sometimes logged in the Login Events

services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java

@@ -18,7 +18,6 @@
 
 package org.keycloak.authentication.authenticators.x509;
 
-import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 
 import javax.ws.rs.core.Response;
@@ -82,6 +81,7 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica
 
         Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
         if (userIdentity == null) {
+            context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
             logger.errorf("[ValidateX509CertificateUsername:authenticate] Unable to extract user identity from certificate.");
             // TODO use specific locale to load error messages
             String errorMessage = "Unable to extract user identity from specified certificate";

services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java

@@ -18,7 +18,6 @@
 
 package org.keycloak.authentication.authenticators.x509;
 
-import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 import java.util.Enumeration;
 import java.util.LinkedList;
@@ -28,7 +27,6 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
 import org.keycloak.authentication.AuthenticationFlowContext;
-import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
@@ -99,6 +97,7 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif
 
             Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
             if (userIdentity == null) {
+                context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
                 logger.warnf("[X509ClientCertificateAuthenticator:authenticate] Unable to extract user identity from certificate.");
                 // TODO use specific locale to load error messages
                 String errorMessage = "Unable to extract user identity from specified certificate";

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java

@@ -85,6 +85,26 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
         login(createLoginSubjectEmail2UsernameOrEmailConfig(), userId, "test-user@localhost", "test-user@localhost");
     }
 
+    @Test
+    public void loginWithNonMatchingRegex() throws Exception {
+        X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+        config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+
+        String cfgId = createConfig(browserExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        loginConfirmationPage.open();
+
+        events.expectLogin()
+                .user((String) null)
+                .session((String) null)
+                .error("invalid_user_credentials")
+                .removeDetail(Details.CONSENT)
+                .removeDetail(Details.REDIRECT_URI)
+                .assertEvent();
+    }
+
     @Test
     public void loginWithNonSupportedCertKeyUsage() throws Exception {
         // Set the X509 authenticator configuration

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java

@@ -145,6 +145,31 @@ public class X509DirectGrantTest extends AbstractX509AuthenticationTest {
         assertEquals(200, response.getStatusCode());
     }
 
+    @Test
+    public void loginWithNonMatchingRegex() throws Exception {
+        X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+        config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+        AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
+
+        String cfgId = createConfig(directGrantExecution.getId(), cfg);
+        Assert.assertNotNull(cfgId);
+
+        oauth.clientId("resource-owner");
+        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+        assertEquals(401, response.getStatusCode());
+
+        events.expectLogin()
+                .user((String) null)
+                .session((String) null)
+                .error("invalid_user_credentials")
+                .client("resource-owner")
+                .removeDetail(Details.CODE_ID)
+                .removeDetail(Details.CONSENT)
+                .removeDetail(Details.REDIRECT_URI)
+                .assertEvent();
+    }
+
     @Test
     public void loginFailedDisabledUser() throws Exception {
         setUserEnabled("test-user@localhost", false);