Fix for certificate revalidation
closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542
This commit is contained in:
parent
30c7808d9d
commit
bf9c5821cb
6 changed files with 75 additions and 3 deletions
@ -585,7 +585,7 @@ public class CertificateValidator {
|
|||
|
||||
TruststoreProvider truststoreProvider = session.getProvider(TruststoreProvider.class);
|
||||
if (truststoreProvider == null || truststoreProvider.getTruststore() == null) {
|
||||
logger.error("Cannot validate client certificate trust: Truststore not available");
|
||||
throw new GeneralSecurityException("Cannot validate client certificate trust: Truststore not available. Please make sure to correctly configure truststore provider in order to be able to revalidate certificate trust");
|
||||
}
|
||||
else
|
||||
{
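Review bot: The `else` and brace pair after the throwing `if` are redundant: the `if` branch always throws, so the revalidation code that follows can sit at the same nesting level as a plain guard clause, which keeps the fail-closed check and the validation path easier to read; drop `else`, the brace pair and dedent the block. The body of that `else` block is outside the hunk, so I can't see whether it still contains its own provider null-check. The logged and thrown messages repeat the same text; if the caller also logs the GeneralSecurityException, the failure will be recorded twice, so logging at one layer only would be cleaner.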
|
||||
|
|
|
@ -62,6 +62,11 @@ public class FileTruststoreProviderFactory implements TruststoreProviderFactory
|
|||
return provider;
|
||||
}
|
||||
|
||||
// For testing purposes
|
||||
public void setProvider(TruststoreProvider provider) {
|
||||
this.provider = provider;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(Config.Scope config) {
|
||||
|
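Review bot: `setProvider` is a public mutator on a production factory that replaces the provider every later `create` call hands out, and `// For testing purposes` is the only statement of its contract; a Javadoc would make it explicit, e.g. `/** Replaces the provider returned by {@link #create}; intended for the test suite only. Callers must restore the previous provider afterwards; the write is not synchronized with concurrent {@code create} calls. */`. Whether the `provider` field is volatile is not visible in the hunk; if it is a plain field, sessions on other threads may keep using the old provider after it is swapped, which is worth stating or fixing with `volatile`. `init` continues beyond the hunk.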
||||
|
|
|
@ -88,6 +88,8 @@ import org.keycloak.testsuite.runonserver.RunOnServer;
|
|||
import org.keycloak.testsuite.runonserver.SerializationUtil;
|
||||
import org.keycloak.testsuite.util.FeatureDeployerUtil;
|
||||
import org.keycloak.timer.TimerProvider;
|
||||
import org.keycloak.truststore.FileTruststoreProviderFactory;
|
||||
import org.keycloak.truststore.TruststoreProvider;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
import org.keycloak.utils.MediaType;
|
||||
|
||||
|
@ -132,13 +134,16 @@ public class TestingResourceProvider implements RealmResourceProvider {
|
|||
|
||||
private final HttpRequest request;
|
||||
|
||||
private final TestingResourceProviderFactory factory;
|
||||
|
||||
@Override
|
||||
public Object getResource() {
|
||||
return this;
|
||||
}
|
||||
|
||||
public TestingResourceProvider(KeycloakSession session, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
|
||||
public TestingResourceProvider(KeycloakSession session, TestingResourceProviderFactory factory, Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks) {
|
||||
this.session = session;
|
||||
this.factory = factory;
|
||||
this.suspendedTimerTasks = suspendedTimerTasks;
|
||||
this.request = session.getContext().getHttpRequest();
|
||||
}
|
||||
|
@ -1064,4 +1069,24 @@ public class TestingResourceProvider implements RealmResourceProvider {
|
|||
return realm;
|
||||
}
|
||||
|
||||
@GET
|
||||
@Path("/disable-truststore-spi")
|
||||
@NoCache
|
||||
public void disableTruststoreSpi() {
|
||||
FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
|
||||
this.factory.truststoreProvider = factory.create(session);
|
||||
factory.setProvider(null);
|
||||
}
|
||||
|
||||
@GET
|
||||
@Path("/reenable-truststore-spi")
|
||||
@NoCache
|
||||
public void reenableTruststoreSpi() {
|
||||
if (this.factory.truststoreProvider == null) {
|
||||
throw new IllegalStateException("Cannot reenable provider as it was not disabled");
|
||||
}
|
||||
FileTruststoreProviderFactory factory = (FileTruststoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(TruststoreProvider.class);
|
||||
factory.setProvider(this.factory.truststoreProvider);
|
||||
}
|
||||
|
||||
}
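Review bot: `disableTruststoreSpi` overwrites `this.factory.truststoreProvider` unconditionally, so a second call while the SPI is already disabled saves the now-null value returned by `factory.create(session)` and the original provider can never be restored, after which `reenableTruststoreSpi` throws for the rest of the server's life; guard it with `if (this.factory.truststoreProvider != null) { throw new IllegalStateException("Truststore SPI is already disabled"); }` and have `reenableTruststoreSpi` clear the saved reference after restoring it with `this.factory.truststoreProvider = null;`. That `create` returns the stored `provider` field is inferred from the FileTruststoreProviderFactory hunk in this commit. The cast to `FileTruststoreProviderFactory` throws ClassCastException if another truststore implementation is configured, and `getProviderFactory` may return null; an explicit check with a clear message would make such test-setup failures easier to diagnose. Both endpoints mutate server state via GET, which matches the rest of this resource, so I only note it.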
|
||||
|
|
|
@ -26,6 +26,7 @@ import org.keycloak.models.KeycloakSessionFactory;
|
|||
import org.keycloak.services.resource.RealmResourceProvider;
|
||||
import org.keycloak.services.resource.RealmResourceProviderFactory;
|
||||
import org.keycloak.timer.TimerProvider;
|
||||
import org.keycloak.truststore.TruststoreProvider;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
|
@ -34,9 +35,11 @@ public class TestingResourceProviderFactory implements RealmResourceProviderFact
|
|||
|
||||
private Map<String, TimerProvider.TimerTaskContext> suspendedTimerTasks = new ConcurrentHashMap<>();
|
||||
|
||||
protected TruststoreProvider truststoreProvider;
|
||||
|
||||
@Override
|
||||
public RealmResourceProvider create(KeycloakSession session) {
|
||||
return new TestingResourceProvider(session, suspendedTimerTasks);
|
||||
return new TestingResourceProvider(session, this, suspendedTimerTasks);
|
||||
}
|
||||
|
||||
@Override
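Review bot: `truststoreProvider` is a bare `protected` field used as mutable state shared across classes (it is read and written from `TestingResourceProvider`) and carries no comment saying what it holds; I'd document it as `// Provider saved by TestingResourceProvider#disableTruststoreSpi so it can be restored; null while the SPI is not disabled.` The factory instance is shared by all sessions and the field is neither volatile nor guarded, so a request handled on another thread may not observe the update promptly; acceptable for a test-only resource, but worth stating in the comment or fixing with `volatile`. Private visibility with accessor methods would make the contract explicit rather than relying on direct field access.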
|
||||
|
|
|
@ -398,4 +398,21 @@ public interface TestingResource {
|
|||
@Path("/get-provider-implementation-class")
|
||||
@Produces(MediaType.APPLICATION_JSON)
|
||||
String getProviderClassName(@QueryParam("providerClass") String providerClass, @QueryParam("providerId") String providerId);
|
||||
|
||||
/**
|
||||
* Temporarily disables truststore SPI from the file. Useful for example to test some error scenarios, which require truststore SPI to be unset (or set incorrectly)
|
||||
*/
|
||||
@GET
|
||||
@Path("/disable-truststore-spi")
|
||||
@NoCache
|
||||
void disableTruststoreSpi();
|
||||
|
||||
/**
|
||||
* Re-enable truststore SPI after it was temporarily disabled by {@link #disableTruststoreSpi()}
|
||||
*/
|
||||
@GET
|
||||
@Path("/reenable-truststore-spi")
|
||||
@NoCache
|
||||
void reenableTruststoreSpi();
|
||||
|
||||
}
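Review bot: The Javadoc for `disableTruststoreSpi` reads "disables truststore SPI from the file", which is unclear, and neither comment states that the two calls must be paired or that disabling twice is unsupported; I'd reword it to `Temporarily disables the file-based truststore SPI on the server. Must be followed by {@link #reenableTruststoreSpi()}; calling it again before re-enabling is not supported.` and add `@throws IllegalStateException if the SPI was not previously disabled` to `reenableTruststoreSpi`, since the implementation in this commit throws that exception.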
|
||||
|
|
|
@ -119,6 +119,28 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
|
|||
x509BrowserLogin(createLoginSubjectEmailWithRevalidateCert(true), userId, "test-user@localhost", "test-user@localhost");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginWithRevalidateCertEnabledCertWithIncorrectTruststoreConfig() throws Exception {
|
||||
try {
|
||||
// Simulate disabling of Truststore SPI on server
|
||||
testingClient.testing().disableTruststoreSpi();
|
||||
|
||||
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginSubjectEmailWithRevalidateCert(true).getConfig());
|
||||
String cfgId = createConfig(browserExecution.getId(), cfg);
|
||||
Assert.assertNotNull(cfgId);
|
||||
|
||||
loginConfirmationPage.open();
|
||||
loginPage.assertCurrent();
|
||||
|
||||
// Verify there is an error message
|
||||
Assert.assertNotNull(loginPage.getError());
|
||||
|
||||
Assert.assertThat(loginPage.getError(), containsString("Certificate validation's failed."));
|
||||
} finally {
|
||||
testingClient.testing().reenableTruststoreSpi();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
|
||||
// Set the X509 authenticator configuration
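Review bot: `disableTruststoreSpi()` is called inside the `try`, so if that call fails the `finally` block runs `reenableTruststoreSpi()`, which throws IllegalStateException ("was not disabled") and masks the original failure; move `testingClient.testing().disableTruststoreSpi();` to just before the `try` so the cleanup only runs once the SPI was actually disabled. The config created by `createConfig` is not removed in the `finally`; whether the surrounding test class cleans it up between tests is not visible in this hunk. `Assert.assertThat` is deprecated in recent JUnit 4 releases in favour of `org.hamcrest.MatcherAssert.assertThat`, if the project's JUnit version is affected. `loginIgnoreX509IdentityContinueToFormLogin` continues past the hunk.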
|
||||
|
|