forked from quarkusio/quarkus
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request quarkusio#39063 from sberyozkin/oidc_cert_chain_cname
Fix the OIDC token verification failure with the inlined cert chain
- Loading branch information
Showing
8 changed files
with
132 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file added
BIN
+1.82 KB
integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12
Binary file not shown.
Binary file modified
BIN
+1.56 KB
(200%)
integration-tests/oidc-wiremock/src/main/resources/truststore.p12
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,12 +65,12 @@ public void testAccessResourceAzure() throws Exception { | |
wireMockServer.stubFor(WireMock.get("/auth/azure/jwk") | ||
.withHeader("Authorization", matching("Access token: " + azureToken)) | ||
.willReturn(WireMock.aResponse().withBody(azureJwk))); | ||
// RestAssured.given().auth().oauth2(azureToken) | ||
// .when().get("/api/admin/bearer-azure") | ||
// .then() | ||
// .statusCode(200) | ||
// .body(Matchers.equalTo( | ||
// "Name:[email protected],Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/")); | ||
RestAssured.given().auth().oauth2(azureToken) | ||
.when().get("/api/admin/bearer-azure") | ||
.then() | ||
.statusCode(200) | ||
.body(Matchers.equalTo( | ||
"Name:[email protected],Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/")); | ||
|
||
String accessTokenWithCert = TestUtils.createTokenWithInlinedCertChain("alice-certificate"); | ||
|
||
|
@@ -217,7 +217,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception { | |
.then() | ||
.statusCode(401); | ||
|
||
// Send the token with the valid certificates but which are are in the wrong order in the chain | ||
// Send the token with the valid certificates but which are in the wrong order in the chain | ||
accessToken = getAccessTokenWithCertChain( | ||
List.of(intermediateCert, subjectCert, rootCert), | ||
subjectPrivateKey); | ||
|
@@ -246,6 +246,58 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception { | |
|
||
} | ||
|
||
@Test | ||
public void testFullCertChainWithOnlyRootInTruststore() throws Exception { | ||
X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem")); | ||
X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem")); | ||
X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem")); | ||
PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem"); | ||
|
||
// Send the token with the valid certificate chain | ||
String accessToken = getAccessTokenWithCertChain( | ||
List.of(subjectCert, intermediateCert, rootCert), | ||
subjectPrivateKey); | ||
|
||
RestAssured.given().auth().oauth2(accessToken) | ||
.when().get("/api/admin/bearer-certificate-full-chain-root-only") | ||
.then() | ||
.statusCode(200) | ||
.body(Matchers.containsString("admin")); | ||
|
||
// Send the same token to the service expecting a different leaf certificate name | ||
RestAssured.given().auth().oauth2(accessToken) | ||
.when().get("/api/admin/bearer-certificate-full-chain-root-only-wrongcname") | ||
.then() | ||
.statusCode(401); | ||
|
||
// Send the token with the valid certificates but which are in the wrong order in the chain | ||
accessToken = getAccessTokenWithCertChain( | ||
List.of(intermediateCert, subjectCert, rootCert), | ||
subjectPrivateKey); | ||
RestAssured.given().auth().oauth2(accessToken) | ||
.when().get("/api/admin/bearer-certificate-full-chain-root-only") | ||
.then() | ||
.statusCode(401); | ||
|
||
// Send the token with the valid certificates but with the intermediate one omitted from the chain | ||
accessToken = getAccessTokenWithCertChain( | ||
List.of(subjectCert, rootCert), | ||
subjectPrivateKey); | ||
RestAssured.given().auth().oauth2(accessToken) | ||
.when().get("/api/admin/bearer-certificate-full-chain-root-only") | ||
.then() | ||
.statusCode(401); | ||
|
||
// Send the token with the only the last valid certificate | ||
accessToken = getAccessTokenWithCertChain( | ||
List.of(subjectCert), | ||
subjectPrivateKey); | ||
RestAssured.given().auth().oauth2(accessToken) | ||
.when().get("/api/admin/bearer-certificate-full-chain-root-only") | ||
.then() | ||
.statusCode(401); | ||
} | ||
|
||
@Test | ||
public void testAccessAdminResourceWithKidOrChain() throws Exception { | ||
// token with a matching kid, not x5c | ||
|