Fix for certificate revalidation

closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542
This commit is contained in:
mposolda 2023-05-30 10:33:53 +02:00 committed by Marek Posolda
parent 30c7808d9d
commit bf9c5821cb
6 changed files with 75 additions and 3 deletions


@ -585,7 +585,7 @@ public class CertificateValidator {
TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
logger.error("Cannot validate client certificate trust: Truststore not available");
throw new GeneralSecurityException("Cannot validate client certificate trust: Truststore not available. Please make sure to correctly configure truststore provider in order to be able to revalidate certificate trust");
}
else
{
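Review bot: With the guard now ending in `throw new GeneralSecurityException(...)`, the `else` block that follows it is redundant: control can never fall through the `if`, so the rest of the method can sit at the enclosing indentation level without the extra nesting. I would drop the `else` and `{`/`}` pair and keep the body as straight-line code after the `if`. The enclosing method of CertificateValidator continues outside the hunk, so the closing brace of that `else` is not visible here.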


@ -62,6 +62,11 @@ public class FileTruststoreProviderFactory implements TruststoreProviderFactory
return provider;
}
// For testing purposes
public void setProvider(TruststoreProvider provider) {
this.provider = provider;
}
@Override
public void init(Config.Scope config) {
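Review bot: The new public `setProvider(TruststoreProvider)` replaces the provider that the preceding method (ending in `return provider;`, apparently `create`) hands out, on what looks like a singleton factory, and the only documentation is `// For testing purposes`. Since a public mutator on a security-relevant factory is easy to misuse, I would turn that comment into Javadoc that states the contract: `/** Test hook: replaces the provider returned by {@link #create}; pass {@code null} to simulate a missing truststore. Not intended for production use. */`. If the intent is to keep it out of production call paths, consider also mentioning that callers are expected to restore the original provider afterwards.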


@ -88,6 +88,8 @@ import org.keycloak.testsuite.runonserver.RunOnServer;
import org.keycloak.testsuite.runonserver.SerializationUtil;
import org.keycloak.testsuite.util.FeatureDeployerUtil;
import org.keycloak.timer.TimerProvider;
import org.keycloak.truststore.FileTruststoreProviderFactory;
import org.keycloak.truststore.TruststoreProvider;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;
@ -132,13 +134,16 @@ public class TestingResourceProvider implements RealmResourceProvider {
private final HttpRequest request;
private final TestingResourceProviderFactory factory;
@Override
public Object getResource() {
return this;
}
public TestingResourceProvider(KeycloakSession session, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
public TestingResourceProvider(KeycloakSession session, TestingResourceProviderFactory factory, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
this.session = session;
this.factory = factory;
this.suspendedTimerTasks = suspendedTimerTasks;
this.request = session.getContext().getHttpRequest();
}
@ -1064,4 +1069,24 @@ public class TestingResourceProvider implements RealmResourceProvider {
return realm;
}
@GET
@Path("/disable-truststore-spi")
@NoCache
public void disableTruststoreSpi() {
FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
this.factory.truststoreProvider = factory.create(session);
factory.setProvider(null);
}
@GET
@Path("/reenable-truststore-spi")
@NoCache
public void reenableTruststoreSpi() {
if (this.factory.truststoreProvider == null) {
throw new IllegalStateException("Cannot reenable provider as it was not disabled");
}
FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
factory.setProvider(this.factory.truststoreProvider);
}
}
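Review bot: `disableTruststoreSpi()` is not safe to call twice: on the second call `factory.create(session)` returns the provider that was already set to `null`, so `this.factory.truststoreProvider` is overwritten with `null`, the original provider is lost for the lifetime of the server, and `reenableTruststoreSpi()` then throws "was not disabled" with no way to recover. A guard that rejects a disable while one is already in effect, plus clearing the saved reference in `reenableTruststoreSpi()` after restoring it, keeps the disabled/enabled state consistent. The cast to `FileTruststoreProviderFactory` will also raise `ClassCastException` if another truststore factory is configured, which is acceptable for a testing endpoint but worth a comment. The same saved-state field is used in both methods, so both changes belong together.
```java
public void disableTruststoreSpi() {
    if (this.factory.truststoreProvider != null) {
        throw new IllegalStateException("Truststore SPI is already disabled");
    }
    // … unchanged: lookup of FileTruststoreProviderFactory, save provider, setProvider(null) …
}

public void reenableTruststoreSpi() {
    // … unchanged: null check and lookup of FileTruststoreProviderFactory …
    factory.setProvider(this.factory.truststoreProvider);
    this.factory.truststoreProvider = null;
}
```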


@ -26,6 +26,7 @@ import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;
import org.keycloak.timer.TimerProvider;
import org.keycloak.truststore.TruststoreProvider;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -34,9 +35,11 @@ public class TestingResourceProviderFactory implements RealmResourceProviderFact
private Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks = new ConcurrentHashMap<>();
protected TruststoreProvider truststoreProvider;
@Override
public RealmResourceProvider create(KeycloakSession session) {
return new TestingResourceProvider(session, suspendedTimerTasks);
return new TestingResourceProvider(session, this, suspendedTimerTasks);
}
@Override
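Review bot: The new `protected TruststoreProvider truststoreProvider;` field is undocumented, yet it carries state across requests on a factory that creates a provider per session, and it is read and written from `TestingResourceProvider` rather than from this class. A short Javadoc would make its role clear to the next reader: `/** Truststore provider saved while the truststore SPI is temporarily disabled through the testing endpoints; {@code null} while the SPI is enabled. */`. If concurrent test requests are possible, note in the same comment that the field is not synchronized, which I infer from the code shown rather than from a visible guarantee.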


@ -398,4 +398,21 @@ public interface TestingResource {
@Path("/get-provider-implementation-class")
@Produces(MediaType.APPLICATION_JSON)
String getProviderClassName(@QueryParam("providerClass") String providerClass, @QueryParam("providerId") String providerId);
/**
* Temporarily disables truststore SPI from the file. Useful for example to test some error scenarios, which require truststore SPI to be unset (or set incorrectly)
*/
@GET
@Path("/disable-truststore-spi")
@NoCache
void disableTruststoreSpi();
/**
* Re-enable truststore SPI after it was temporarily disabled by {@link #disableTruststoreSpi()}
*/
@GET
@Path("/reenable-truststore-spi")
@NoCache
void reenableTruststoreSpi();
}
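Review bot: The Javadoc on `disableTruststoreSpi()` says what the endpoint does but not the obligation it creates: every call must be paired with `reenableTruststoreSpi()`, or the server is left without a truststore for the remaining tests. I would add to that Javadoc: `Callers must invoke {@link #reenableTruststoreSpi()} afterwards, preferably from a {@code finally} block, so that later tests see a working truststore.` The phrase "disables truststore SPI from the file" is also unclear; "disables the file-based truststore SPI" reads better.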


@ -119,6 +119,28 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
x509BrowserLogin(createLoginSubjectEmailWithRevalidateCert(true), userId, "test-user@localhost", "test-user@localhost");
}
@Test
public void loginWithRevalidateCertEnabledCertWithIncorrectTruststoreConfig() throws Exception {
try {
// Simulate disabling of Truststore SPI on server
testingClient.testing().disableTruststoreSpi();
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginSubjectEmailWithRevalidateCert(true).getConfig());
String cfgId = createConfig(browserExecution.getId(), cfg);
Assert.assertNotNull(cfgId);
loginConfirmationPage.open();
loginPage.assertCurrent();
// Verify there is an error message
Assert.assertNotNull(loginPage.getError());
Assert.assertThat(loginPage.getError(), containsString("Certificate validation's failed."));
} finally {
testingClient.testing().reenableTruststoreSpi();
}
}
@Test
public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
// Set the X509 authenticator configuration
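Review bot: `Assert.assertThat` is deprecated in JUnit 4.13 in favour of `org.hamcrest.MatcherAssert.assertThat`, and the preceding `Assert.assertNotNull(loginPage.getError())` is redundant because the `containsString` matcher already fails with a descriptive message on a null actual value; `MatcherAssert.assertThat(loginPage.getError(), containsString("Certificate validation's failed."));` alone covers both. The `finally` restores the truststore SPI but leaves the authenticator config created by `createConfig(...)` in place; if the class does not remove configs in an `@After` hook (not visible here), the next test inherits it. The test also only checks the generic page error, so it cannot distinguish a truststore failure from any other certificate validation failure; asserting on the server-side error would strengthen the regression test if the harness exposes it.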