keycloak-uncached
Changes
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java 10(+10 -0)
Details
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
index 2422bde..f0b2fe5 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
@@ -301,6 +301,16 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
.setUserIdentityMapperType(USERNAME_EMAIL);
}
+ protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) {
+ return createLoginSubjectEmail2UsernameOrEmailConfig()
+ .setKeyUsage(keyUsage);
+ }
+
+ protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithExtendedKeyUsage(String extendedKeyUsage) {
+ return createLoginSubjectEmail2UsernameOrEmailConfig()
+ .setExtendedKeyUsage(extendedKeyUsage);
+ }
+
protected static X509AuthenticatorConfigModel createLoginSubjectCN2UsernameOrEmailConfig() {
return new X509AuthenticatorConfigModel()
.setConfirmationPageAllowed(true)
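Review bot: The two new helpers `createLoginSubjectEmailWithKeyUsage` and `createLoginSubjectEmailWithExtendedKeyUsage` take a free-form string with no Javadoc saying what values are accepted or what the authenticator does with them. A one-line comment on each would help, for example `/** Email-mapping config that additionally requires the given KeyUsage bit (e.g. "dataEncipherment") on the client certificate. */` and the matching sentence for the extended key usage helper. Whether the setters accept a single name or a list is not visible in this hunk, so the comment should state whichever the config model actually supports.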
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
index d5a69f1..13de1a9 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginTest.java
@@ -87,6 +87,25 @@ public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {
}
@Test
+ public void loginWithNonSupportedCertKeyUsage() throws Exception {
+ // Set the X509 authenticator configuration
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config",
+ createLoginSubjectEmailWithKeyUsage("dataEncipherment").getConfig());
+ String cfgId = createConfig(browserExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ loginConfirmationPage.open();
+
+ Assert.assertThat(loginPage.getError(), containsString("Certificate validation's failed.\n" +
+ "Key Usage bit 'dataEncipherment' is not set."));
+ }
+
+ @Test
+ public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
+ login(createLoginSubjectEmailWithExtendedKeyUsage("serverAuth"), userId, "test-user@localhost", "test-user@localhost");
+ }
+
+ @Test
public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
// Set the X509 authenticator configuration
AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginSubjectEmail2UsernameOrEmailConfig().getConfig());
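Review bot: `loginWithNonSupportedCertExtendedKeyUsage` is named as a rejection case, yet it only calls `login(...)`, which looks like the success-path helper (its body is outside the hunk), so the test appears to assert that authentication succeeds while `serverAuth` is required. If the test client certificate does not carry that extended key usage, this pins an accept-on-mismatch outcome for a certificate policy check. If it does carry it, the name is misleading. Either way the reason belongs in the test, e.g. `// Expected to succeed: <why the validator accepts this certificate when EKU 'serverAuth' is required — confirm>`, with a rename if the case is not a rejection. A companion test where the required extended key usage is known to be absent or different, and login is refused, would cover the enforcing path. The same applies to the identically named test in the X509DirectGrantTest hunk, which asserts `assertEquals(200, response.getStatusCode());`.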
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
index 2582604..9411320 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509DirectGrantTest.java
@@ -115,6 +115,37 @@ public class X509DirectGrantTest extends AbstractX509AuthenticationTest {
}
@Test
+ public void loginWithNonSupportedCertKeyUsage() throws Exception {
+ // Set the X509 authenticator configuration
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config",
+ createLoginSubjectEmailWithKeyUsage("dataEncipherment").getConfig());
+ String cfgId = createConfig(directGrantExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ oauth.clientId("resource-owner");
+ OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+ assertEquals(401, response.getStatusCode());
+ assertEquals("invalid_request", response.getError());
+ Assert.assertThat(response.getErrorDescription(), containsString("Key Usage bit 'dataEncipherment' is not set."));
+ events.clear();
+ }
+
+ @Test
+ public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
+ // Set the X509 authenticator configuration
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-directgrant-config",
+ createLoginSubjectEmailWithExtendedKeyUsage("serverAuth").getConfig());
+ String cfgId = createConfig(directGrantExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ oauth.clientId("resource-owner");
+ OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "", "", null);
+
+ assertEquals(200, response.getStatusCode());
+ }
+
+ @Test
public void loginFailedDisabledUser() throws Exception {
setUserEnabled("test-user@localhost", false);
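Review bot: In `loginWithNonSupportedCertKeyUsage` the closing `events.clear();` throws away whatever was recorded for the refused grant instead of asserting on it. For a rejected client certificate, the recorded failure event is what an operator relies on to notice the attempt, so the test should verify that an error event was emitted before clearing. The sibling `loginWithNonSupportedCertExtendedKeyUsage` checks only the 200 status and does not clear events at all, which is inconsistent and may leave events queued for whichever test runs next. Adding `events.clear();` after `assertEquals(200, response.getStatusCode());` would at least make the two tests agree. `loginFailedDisabledUser` continues past the end of this hunk.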