services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java 2(+1 -1)
services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java 3(+1 -2)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
index 89048ac..73e2f43 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
@@ -18,7 +18,6 @@
package org.keycloak.authentication.authenticators.x509;
-import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.ws.rs.core.Response;
@@ -82,6 +81,7 @@ public class ValidateX509CertificateUsername extends AbstractX509ClientCertifica
Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
if (userIdentity == null) {
+ context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
logger.errorf("[ValidateX509CertificateUsername:authenticate] Unable to extract user identity from certificate.");
// TODO use specific locale to load error messages
String errorMessage = "Unable to extract user identity from specified certificate";
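Review bot: The added `context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);` relies on `org.keycloak.events.Errors` being in scope, but the import hunk shown for ValidateX509CertificateUsername only removes `GeneralSecurityException` and does not show that import, so confirm it is already present in the file (the sibling hunk in X509ClientCertificateAuthenticator does show `import org.keycloak.events.Errors;` in its context). The same event line is added at the same point in X509ClientCertificateAuthenticator, and both emit a bare error code that does not distinguish "no identity could be mapped from the presented certificate" from a wrong password or unknown user when someone reviews the admin events or builds alerts on them; attaching a reason detail before the error, e.g. `context.getEvent().detail(Details.REASON, "Unable to extract user identity from certificate");`, would make a misconfigured mapping regular expression recognisable from the event alone (this presumes `Details` is imported in the first file as it is in the second). The enclosing authenticate() method starts and ends outside the hunk.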
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
index 2aa5a63..01339f6 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java
@@ -18,7 +18,6 @@
package org.keycloak.authentication.authenticators.x509;
-import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedList;
@@ -28,7 +27,6 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
-import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
@@ -99,6 +97,7 @@ public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertif
Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
if (userIdentity == null) {
+ context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
logger.warnf("[X509ClientCertificateAuthenticator:authenticate] Unable to extract user identity from certificate.");
// TODO use specific locale to load error messages
String errorMessage = "Unable to extract user identity from specified certificate";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
index 3168483..e75e0b8 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
@@ -86,6 +86,26 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
}
@Test
+ public void loginWithNonMatchingRegex() throws Exception {
+ X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+ config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+
+ String cfgId = createConfig(browserExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ loginConfirmationPage.open();
+
+ events.expectLogin()
+ .user((String) null)
+ .session((String) null)
+ .error("invalid_user_credentials")
+ .removeDetail(Details.CONSENT)
+ .removeDetail(Details.REDIRECT_URI)
+ .assertEvent();
+ }
+
+ @Test
public void loginWithNonSupportedCertKeyUsage() throws Exception {
// Set the X509 authenticator configuration
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config",
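Review bot: The expected error code in loginWithNonMatchingRegex is the literal `"invalid_user_credentials"` while the authenticator records it through `Errors.INVALID_USER_CREDENTIALS`; writing `.error(Errors.INVALID_USER_CREDENTIALS)` ties the assertion to the authenticator's contract instead of a copy of the string, and the same applies to the direct-grant test further down. The regular expression `"INVALID=(.*?)(?:,|$)"` is also duplicated between the two tests with no explanation; a comment such as `// presumably no attribute of the test certificate's issuer DN is named INVALID, so extraction yields null` would state the assumption the test depends on. Whether `Errors` is already imported in this test class is not visible from the hunk.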
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
index 1cec13f..6d01778 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
@@ -146,6 +146,31 @@ public class X509DirectGrantTest extends AbstractX509AuthenticationTest {
}
@Test
+ public void loginWithNonMatchingRegex() throws Exception {
+ X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
+ config.setRegularExpression("INVALID=(.*?)(?:,|$)");
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config", config.getConfig());
+
+ String cfgId = createConfig(directGrantExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ oauth.clientId("resource-owner");
+ OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+ assertEquals(401, response.getStatusCode());
+
+ events.expectLogin()
+ .user((String) null)
+ .session((String) null)
+ .error("invalid_user_credentials")
+ .client("resource-owner")
+ .removeDetail(Details.CODE_ID)
+ .removeDetail(Details.CONSENT)
+ .removeDetail(Details.REDIRECT_URI)
+ .assertEvent();
+ }
+
+ @Test
public void loginFailedDisabledUser() throws Exception {
setUserEnabled("test-user@localhost", false);