From af66c5dbd2c2276fe6a35276be5a7e363f870542 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira
Date: Mon, 27 Nov 2017 12:41:26 -0200
Subject: [PATCH] [KEYCLOAK-5483] X.509 Auth - log in attempt is not sometimes logged in the Login Events
---
 .../x509/ValidateX509CertificateUsername.java | 2 +-
 .../X509ClientCertificateAuthenticator.java | 3 +--
 .../testsuite/x509/X509BrowserLoginTest.java | 20 +++++++++++++++
 .../testsuite/x509/X509DirectGrantTest.java | 25 +++++++++++++++++++
 4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
index 89048acd5e..73e2f43367 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
@@ -18,7 +18,6 @@ package org.keycloak.authentication.authenticators.x509;
-import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 import javax.ws.rs.core.Response;
@@ -82,6 +81,7 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica
 Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
 if (userIdentity == null) {
+ context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
 logger.errorf("[ValidateX509CertificateUsername:authenticate] Unable to extract user identity from certificate.");
 // TODO use specific locale to load error messages
 String errorMessage = "Unable to extract user identity from specified certificate";
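Review bot: The added `context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);` covers only the identity-extraction branch of `authenticate`, whose other failure branches lie outside this hunk (the method starts and ends outside it); if any of them still returns a challenge without an `error(...)` call, the unrecorded-attempt problem from KEYCLOAK-5483 persists there, and the same holds for the matching hunk in X509ClientCertificateAuthenticator. The code recorded is the generic invalid-credentials one, while the visible cause is that the configured extractor matched nothing in the certificate, so in the login-events view this case cannot be told apart from a genuinely bad certificate; recording a detail naming the cause next to the error, e.g. `context.getEvent().detail(Details.REASON, "user_identity_not_extracted");` if that key is available here (importing `Details` if needed), would make the event actionable without changing the error code. Separately, the two authenticators log the identical condition at different levels, `logger.errorf` here and `logger.warnf` in X509ClientCertificateAuthenticator; since it is a per-request condition that is now also captured as an event, one level, presumably `warnf`, should be used in both.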
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
index 2aa5a63140..01339f6369 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
@@ -18,7 +18,6 @@ package org.keycloak.authentication.authenticators.x509;
-import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 import java.util.Enumeration;
 import java.util.LinkedList;
@@ -28,7 +27,6 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import org.keycloak.authentication.AuthenticationFlowContext;
-import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
@@ -99,6 +97,7 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif
 Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
 if (userIdentity == null) {
+ context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
 logger.warnf("[X509ClientCertificateAuthenticator:authenticate] Unable to extract user identity from certificate.");
 // TODO use specific locale to load error messages
 String errorMessage = "Unable to extract user identity from specified certificate";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
index 3168483913..e75e0b8f9f 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
@@ -85,6 +85,26 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
 login(createLoginSubjectEmail2UsernameOrEmailConfig(), userId, "test-user@localhost", "test-user@localhost");
 }
+ @Test
+ public void loginWithNonMatchingRegex() throws Exception {
+ X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+ config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+
+ String cfgId = createConfig(browserExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ loginConfirmationPage.open();
+
+ events.expectLogin()
+ .user((String) null)
+ .session((String) null)
+ .error("invalid_user_credentials")
+ .removeDetail(Details.CONSENT)
+ .removeDetail(Details.REDIRECT_URI)
+ .assertEvent();
+ }
+
 @Test
 public void loginWithNonSupportedCertKeyUsage() throws Exception {
 // Set the X509 authenticator configuration
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
index 1cec13f35f..6d01778ddf 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
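Review bot: In `loginWithNonMatchingRegex` the expected error is the string literal `"invalid_user_credentials"` while the removed details on the same chain use the `Details` constants, so the test is inconsistent with itself and will not follow the authenticator if the emitted code is ever changed; `.error(Errors.INVALID_USER_CREDENTIALS)` ties it to the production constant (`org.keycloak.events.Errors` may need importing). The same applies to the equivalent test added in X509DirectGrantTest. The test also asserts nothing about what the browser is shown after `loginConfirmationPage.open()`; a check that the page renders the "Unable to extract user identity from specified certificate" error, or at least that no session was established, would pin the user-facing outcome in addition to the event.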
@@ -145,6 +145,31 @@ public class X509DirectGrantTest extends AbstractX509AuthenticationTest {
 assertEquals(200, response.getStatusCode());
 }
+ @Test
+ public void loginWithNonMatchingRegex() throws Exception {
+ X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+ config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
+
+ String cfgId = createConfig(directGrantExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ oauth.clientId("resource-owner");
+ OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+ assertEquals(401, response.getStatusCode());
+
+ events.expectLogin()
+ .user((String) null)
+ .session((String) null)
+ .error("invalid_user_credentials")
+ .client("resource-owner")
+ .removeDetail(Details.CODE_ID)
+ .removeDetail(Details.CONSENT)
+ .removeDetail(Details.REDIRECT_URI)
+ .assertEvent();
+ }
+
 @Test
 public void loginFailedDisabledUser() throws Exception {
 setUserEnabled("test-user@localhost", false);
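Review bot: `assertEquals(401, response.getStatusCode());` pins only the status, so any 401 from the token endpoint satisfies it, including one raised by a different authenticator in the flow before the X.509 step; asserting the OAuth error in the body as well, e.g. `assertEquals("<expected error code>", response.getError());` if `AccessTokenResponse` exposes it (the code the X.509 path returns is not visible in this diff), would tie the failure to the branch under test. The event assertion that follows narrows it, but it checks the login-events store rather than the response the client receives. `oauth.doGrantAccessTokenRequest("secret", "", "", null)` also passes an empty username and password, presumably because the certificate carries the identity; a one-line comment saying so would spare the next reader from wondering whether the 401 is merely the empty credentials being rejected.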