Commit graph

9143 commits

Author SHA1 Message Date
Stian Thorgersen
0b2896458a Merge pull request #3974 from stianst/KEYCLOAK-3250-PROD-PROFILE
KEYCLOAK-4658 Updates client-cli
2017-03-24 11:19:56 +01:00
Stian Thorgersen
e74f037732 KEYCLOAK-4658 Updates client-cli 2017-03-24 09:41:56 +01:00
Stian Thorgersen
ef7cb1e0cb Merge pull request #3973 from stianst/KEYCLOAK-3250-PROD-PROFILE
KEYCLOAK-3251 Add product Maven profile
2017-03-24 09:36:28 +01:00
vramik
49e43e59c4 patch MigrationServerConfigTest 2017-03-24 09:31:53 +01:00
Pavel Drozd
996f60ff57 Merge pull request #3963 from Pepo48/KEYCLOAK-4488
KEYCLOAK-4488 Fix Auth Flows Console UI tests
2017-03-24 08:45:48 +01:00
Stian Thorgersen
90c4de27e5 KEYCLOAK-3251 Add product Maven profile
KEYCLOAK-3254 Product profile should include RH-SSO theme and change default theme
2017-03-24 07:10:11 +01:00
Bill Burke
815e9e8e02 Merge pull request #3968 from vramik/KEYCLOAK-4229
KEYCLOAK-4229 Add migration test from 2.5.5
2017-03-23 14:48:39 -04:00
Bill Burke
d1e71acf10 Merge pull request #3961 from jblashka/maxLifespanInvalidationFixes
KEYCLOAK-4612 Fix CachePolicy.MAX_LIFESPAN invalidation
2017-03-23 14:25:21 -04:00
Stian Thorgersen
fc009969c9 Merge pull request #3971 from ssilvert/KEYCLOAK-4396-ng2-wrapper
KEYCLOAK-4396: Add keycloak.d.ts for TypeScript
2017-03-23 14:12:03 +01:00
Bartosz Majsak
63e8e7f842 Alings SimpleHttp API with new version 2017-03-23 13:51:14 +01:00
Bartosz Majsak
210143738e Merge branch 'master' into oso_provider 2017-03-23 13:45:07 +01:00
Pedro Igor
deae380941 Merge pull request #3964 from pedroigor/KEYCLOAK-4587
[KEYCLOAK-4587] - Missing breadcrumb
2017-03-22 13:55:50 -03:00
vramik
1fccff7e7c KEYCLOAK-4229 Add migration test from 2.5.5 2017-03-22 14:19:35 +01:00
Stian Thorgersen
275e871618 Merge pull request #3966 from vramik/KEYCLOAK-4638
KEYCLOAK-4638 Migrator to 3.0.0 contains code coppied from 2.5.0
2017-03-22 13:43:23 +01:00
vramik
c41bc65bf8 KEYCLOAK-4638 Migrator to 3.0.0 contains code coppied from 2.5.0 2017-03-22 13:08:12 +01:00
Marek Posolda
975dfe9489 Merge pull request #3167 from brat000012001/master
X509 Certificate user authentication
2017-03-22 08:26:26 +01:00
Stian Thorgersen
5cf6438a45 Merge pull request #3965 from thomasdarimont/issue/KEYCLOAK-4614-fix-linkonly-tooltip-reference
KEYCLOAK-4614 Fix linkOnly tooltip reference
2017-03-22 08:18:29 +01:00
Thomas Darimont
05a8fffdbf KEYCLOAK-4614 Fix linkOnly tooltip reference 2017-03-22 00:07:40 +01:00
Pedro Igor
c517565cc5 [KEYCLOAK-4587] - Missing breadcrumb 2017-03-21 16:55:21 -03:00
Peter Zaoral
0a8ca19944 KEYCLOAK-4488 Fix Auth Flows Console UI tests
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2017-03-21 11:16:08 +01:00
mhajas
7c1eb5582a KEYCLOAK-4141 Added saml tests 2017-03-21 10:41:06 +01:00
Jared Blashka
61bd9bb58c Fix CachePolicy.MAX_LIFESPAN invalidation 2017-03-20 22:56:35 -04:00
Stan Silvert
e2970fcf8a KEYCLOAK-4396: Add keycloak.d.ts for TypeScript 2017-03-20 12:42:26 -04:00
mhajas
8b8b5174eb KEYCLOAK-3961 Fix wrong conflict merge 2017-03-20 15:04:32 +01:00
Pedro Igor
b30b96b9a1 Merge pull request #3956 from pedroigor/KEYCLOAK-4602
Improve path matcher when using handling patterns and caching
2017-03-17 16:15:56 -03:00
Stian Thorgersen
dce2b1dfde Merge pull request #3955 from vramik/KEYCLOAK-4601
KEYCLOAK-4601 Add nexus-staging-maven-plugin fo keycloak-bom-parent
2017-03-17 13:49:31 +01:00
Pedro Igor
258af94889 Delegating caching of resource instances to to path matcher 2017-03-17 09:35:19 -03:00
Pedro Igor
dabd7c0b27 [KEYCLOAK-4602] - Improving pattern matching algorithm 2017-03-17 09:34:52 -03:00
Pedro Igor
f6786e29c6 [KEYCLOAK-4602] - A runtime cache for path configurations 2017-03-17 09:34:16 -03:00
vramik
eb852265ef KEYCLOAK-4601 Add nexus-staging-maven-plugin fo keycloak-bom-parent 2017-03-17 13:11:59 +01:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
3551912506 Merge pull request #3954 from stianst/master
Bump to 3.1.0.CR1-SNAPSHOT
2017-03-16 15:01:35 +01:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Stian Thorgersen
cda563e672 Merge pull request #3952 from stianst/master
Added jboss parent to boms parent
2017-03-16 12:44:52 +01:00
Stian Thorgersen
a434e0540b Added jboss parent to boms parent 2017-03-16 12:44:31 +01:00
vramik
d0992ef9bd KEYCLOAK-4571 Adapt server-config-migration module for testing both project and product 2017-03-16 10:53:14 +01:00
Pavel Drozd
c30cdb5411 Merge pull request #3932 from vmuzikar/KEYCLOAK-4169
KEYCLOAK-4169 Instructions on how to run UI and Welcome Page tests
2017-03-15 23:53:49 +01:00
Pavel Drozd
b2d677256d Merge pull request #3877 from mhajas/KEYCLOAK-3955
KEYCLOAK-3955 Add CORS tests to integration arquillian testsuite
2017-03-15 23:52:03 +01:00
Bartosz Majsak
a250f08b6c Removes trailing slash from the base url 2017-03-15 22:27:24 +01:00
Stian Thorgersen
f44405207b Merge pull request #3828 from wildloop/master
verifySSL() - debug info
2017-03-15 09:55:42 +01:00
Stian Thorgersen
feeac69197 Merge pull request #3888 from daklassen/KEYCLOAK-4421
KEYCLOAK-4421 Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-15 09:54:21 +01:00
Stian Thorgersen
2aa93d7d55 Merge pull request #3924 from daklassen/KEYCLOAK-2486
KEYCLOAK-2486: Update SimpleHTTP to use Apache HTTP Client
2017-03-15 09:50:06 +01:00
wildloop
80c9e23282 Update RequestAuthenticator.java 2017-03-15 09:14:48 +01:00
wildloop
366dee6575 Update RequestAuthenticator.java 2017-03-15 09:13:41 +01:00
Stian Thorgersen
44907503a4 Merge pull request #3935 from knutz3n/KEYCLOAK-4559
KEYCLOAK-4559 Filter users by realm id when search for user by attribute
2017-03-15 08:44:43 +01:00
Thomas Darimont
b782892769 KEYCLOAK-4163 Improve support for e-mail addresses
Added support for user friendly email addresses as well as dedicated
reply-to addresses for emails being sent by Keycloak.
Both can be customized via the email settings per realm in
the admin-console.
User friendly email addresses use the format:
"Friendly Name"<email@example.org> and provide way to add a meaning
full name to an e-mail address.

We also allow to specify an optional envelope from bounce address.
If a mail sent to a user could not be delivered the email-provider
will sent a notification to that address.

See: https://en.wikipedia.org/wiki/Bounce_address

Add test for proper email headers in sent messages
2017-03-14 18:22:54 +01:00
Bill Burke
1974b34c29 Merge pull request #3928 from sebastienblanc/test-utilities
KEYCLOAK-4322 : adding a helper class
2017-03-14 11:32:49 -04:00
Bill Burke
6d51862057 Merge pull request #3897 from anderius/feature/KEYCLOAK-4504-redirect-logout
[WIP] Saml broker: Option to specify logout request binding
2017-03-14 11:32:26 -04:00
wildloop
d723c608d6 Update RequestAuthenticator.java 2017-03-14 11:36:57 +01:00
Johannes Knutsen
9a0de676c4 KEYCLOAK-4559 Filter users by realm id when searching for user by user attribute 2017-03-14 11:05:12 +01:00