Commit graph

66 commits

Author SHA1 Message Date
vramik
dfa27b9f0f KEYCLOAK-14856 fix migration, add ssl for migration server 2021-01-05 11:05:18 +01:00
mhajas
93149d6b47 KEYCLOAK-14234 Adjust Adapter testsuite to work with app/auth.server.host including TLS configured 2020-07-20 11:22:16 +02:00
mhajas
5d1d75db40 KEYCLOAK-14103 Add Warn message for possibly missing SameSite configuration 2020-06-15 14:45:57 +02:00
Stefan Guilhen
8c627fdb20 [KEYCLOAK-13036] Fix KeycloakElytronCSVaultTest failures on IBM JDK
- credential store is generated on the fly for the test, avoiding incompatibilities between implementations of keystores
2020-03-17 17:07:55 +01:00
vramik
83461d033b KEYCLOAK-11808 update testsuite to use current jdbc driver version for migration testing 2020-03-09 15:05:12 +01:00
Stefan Guilhen
9f69386a53 [KEYCLOAK-11707] Add support for Elytron credential store vault
- Adds the elytron-cs-keystore provider that reads secrets from a keystore-backed elytron credential store
 - Introduces an abstract provider and factory that unifies code that is common to the existing implementations
 - Introduces a VaultKeyResolver interface to allow the creation of different algorithms to combine the realm
   and key names when constructing the vault entry id
 - Introduces a keyResolvers property to the existing implementation via superclass that allows for the
   configuration of one or more VaultKeyResolvers, creating a fallback mechanism in which different key formats
   are tried in the order they were declared when retrieving a secret from the vault
 - Adds more tests for the files-plaintext provider using the new key resolvers
 - Adds a VaultTestExecutionDecider to skip the elytron-cs-keystore tests when running in Undertow. This is
   needed because the new provider is available only as a Wildfly extension
2019-12-18 11:54:06 +01:00
vramik
c3d80651bf KEYCLOAK-12473 Add possibility to specify length of event detail when storing to database 2019-12-17 17:15:50 +01:00
mhajas
37b7b595a5 KEYCLOAK-11410 Do not throw exception in PlaintextVaultProvider if unconfigured 2019-09-19 14:56:19 +02:00
mhajas
2703388946 KEYCLOAK-11245 Adapt LDAPConnectionTestManager to use newly introduced LDAPContextManager 2019-09-10 22:51:19 +02:00
mhajas
9c2525ec1a KEYCLOAK-11245 Use transcription object for LDAP bindCredential 2019-09-09 19:39:53 +02:00
Martin Kanis
4235422798 KEYCLOAK-11246 Use the transcription object for SMTP password 2019-09-09 13:27:11 +02:00
Martin Kanis
b1be6c2bdd KEYCLOAK-11247 Use the transcription object for Identity providers password 2019-09-06 15:29:11 +02:00
Stefan Guilhen
bb9c811a65 [KEYCLOAK-10935] Add a vault transcriber implementation that can be obtained from the session.
- automatically parses ${vault.<KEY>} expressions to obtain the key that contains the secret in the vault.
 - enchances the capabilities of the VaultProvider by offering methods to convert the raw secrets into other types.
2019-09-04 22:34:08 +02:00
rmartinc
6d6db1f3e5 KEYCLOAK-10345: OCSP validation fails if there is no intermediate CA in the client certificate 2019-07-12 15:16:00 +02:00
mposolda
5f9feee3f8 KEYCLOAK-9846 Verifying signatures on CRL during X509 authentication 2019-07-08 20:20:38 +02:00
mposolda
a980629e66 KEYCLOAK-10295 Tweaks for MariaDB testing in docker container 2019-05-24 12:52:55 +02:00
vramik
1928fa3fb9 KEYCLOAK-10268 adapt configure.xml for windows 2019-05-20 12:38:12 +02:00
Sebastian Laskawiec
2e7f717e50 KEYCLOAK-9536 DB Allocator Plugin 2019-04-08 09:06:19 +02:00
mposolda
db271f7150 KEYCLOAK-9572 Support for multiple CRLs with X509 authentication 2019-03-20 15:00:44 +01:00
mposolda
a48698caa3 KEYCLOAK-6056 Map user by Subject Alternative Name (otherName) when authenticating user with X509 2019-03-15 23:11:47 +01:00
vramik
cf35a4648b KEYCLOAK-9780 Replace XSLT transformations by ant/CLI scripts 2019-03-15 22:18:09 +01:00
mposolda
e4d4159743 KEYCLOAK-9586 Fix cluster tests. Fix cross-dc tests on embedded undertow 2019-02-20 19:11:38 +01:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
mposolda
6fc99cd749 KEYCLOAK-7594 Upgrade to Wildfly 13. Cross-DC: Upgrade to infinispan server 9.2.4 and JDG 7.2
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2018-08-27 12:52:53 +02:00
Martin Kanis
ee8c35a48e KEYCLOAK-6119 Create CI job for Postgres with schema 2018-08-08 08:57:11 +02:00
Tomas Kyjovsky
1b4d9a6147 KEYCLOAK-7440 Modcluster configuration for functional cluster test is broken 2018-06-06 20:40:50 +02:00
Takashi Norimatsu
c586c63533 KEYCLOAK-6771 Holder of Key mechanism
OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access
Tokens
2018-06-05 08:18:29 +02:00
Pedro Igor
f824582aac
Merge pull request #5009 from pedroigor/KEYCLOAK-6116
[KEYCLOAK-6116] - Get email attribute from 'subject alternative name' using X509 certificate
2018-03-12 09:58:02 -03:00
Hynek Mlnarik
190771ddf1 KEYCLOAK-6783 Add authentication into cross-dc testing 2018-03-09 15:08:55 +01:00
pedroigor
6aee573e2e [KEYCLOAK-6116] - Tests for X509 Subject Alternative Name Extension 2018-03-09 10:56:35 -03:00
pedroigor
c5c285abc3 [KEYCLOAK-6116] - Adding a OpenSSL CA Authority for testing 2018-03-09 10:56:35 -03:00
vmuzikar
d70e4740fc KEYCLOAK-6693 Support external truststore in testsuite 2018-02-27 07:45:21 +01:00
Hynek Mlnarik
75c354fd94 KEYCLOAK-5745 Separate user and client sessions in infinispan 2017-10-26 10:39:41 +02:00
Hynek Mlnarik
056ba75a72 KEYCLOAK-5656 Use standard infinispan remote-store 2017-10-16 21:49:42 +02:00
Hynek Mlnarik
fe972ce12b KEYCLOAK-5656 Remove remoteServers configuration option 2017-10-09 11:58:28 +02:00
Hynek Mlnarik
6cbfbeca0b KEYCLOAK-5656 Remove KeycloakTcpTransportFactory 2017-10-06 13:20:17 +02:00
vramik
f806d4a5d6 KEYCLOAK-5586 Add support for testing cross dc tests on jboss-based containers 2017-10-03 14:01:45 +02:00
mhajas
330cb022eb KEYCLOAK-5320 Configure SSL using creaper 2017-09-08 13:19:48 +02:00
Hynek Mlnarik
5e16a32f86 KEYCLOAK-5106 Fix BasicSamlTest on auth-server-wildfly 2017-06-28 20:47:43 +02:00
Pavel Drozd
c230edbf72 Merge pull request #4151 from pdrozd/KEYCLOAK-4931
KEYCLOAK-4931 - install patch available from http
2017-05-23 14:01:44 +02:00
Pavel Drozd
60ef910b5b KEYCLOAK-4931 - install patch available from http 2017-05-18 23:47:12 +02:00
Pavel Drozd
53ab314eb9 KEYCLOAK-4930 - Updated install-keycloak script for overlay installation - added ha installation. 2017-05-18 23:35:04 +02:00
mposolda
7d8796e614 KEYCLOAK-4626 Support for sticky sessions with AUTH_SESSION_ID cookie. Clustering tests with embedded undertow. Last fixes. 2017-05-11 22:24:07 +02:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Tomas Kyjovsky
c94b7922aa Added profile jdbc-driver-depencency to arq. testsuite; changed jdbc module path from layers/base/com/${db} to layers/base/test/jdbc/${db} 2017-03-01 01:37:53 +01:00
Stian Thorgersen
5b5dc3e442 KEYCLOAK-4265 Social login tests 2017-02-06 13:50:10 +01:00
Vlasta Ramik
041413d8de KEYCLOAK-3619 Update default datasource definition to non-XA 2016-10-18 12:12:41 +02:00
Vlasta Ramik
b0448d1b6f KEYCLOAK-3589 Add support for manual upgrade of database schema to testsuite 2016-10-17 11:32:43 +02:00
Stian Thorgersen
f1156a49cf Merge pull request #3273 from vramik/KEYCLOAK-3619
KEYCLOAK-3619 Update default datasource definition to XA
2016-10-03 13:54:20 +02:00
Vlasta Ramik
550ec2ff51 Update default datasource definition to XA 2016-09-30 12:50:17 +02:00