Merge pull request quarkusio#44808 from sberyozkin/fix_oidc_wiremock_…

…tests Use CertificateGenerator in OIDC Wiremock tests
aloubyansky · Dec 1, 2024 · 2d19846 · 2d19846
2 parents 2649fa7 + ebb2c0c
commit 2d19846
Show file tree

Hide file tree

Showing 13 changed files with 120 additions and 180 deletions.
diff --git a/integration-tests/oidc-wiremock/pom.xml b/integration-tests/oidc-wiremock/pom.xml
@@ -43,6 +43,11 @@
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>    
+           <groupId>io.smallrye.certs</groupId>
+           <artifactId>smallrye-certificate-generator</artifactId>
+           <scope>test</scope>  
+        </dependency>
         <dependency>
             <groupId>org.htmlunit</groupId>
             <artifactId>htmlunit</artifactId>

diff --git a/...-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java b/...-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java
@@ -71,7 +71,7 @@ public Uni<OidcTenantConfig> resolve(RoutingContext context,
         } else if (path.endsWith("bearer-certificate-full-chain-root-only")) {
             OidcTenantConfig config = new OidcTenantConfig();
             config.setTenantId("bearer-certificate-full-chain-root-only");
-            config.getCertificateChain().setTrustStoreFile(Path.of("truststore-rootcert.p12"));
+            config.getCertificateChain().setTrustStoreFile(Path.of("target/chain/truststore-rootcert.p12"));
             config.getCertificateChain().setTrustStorePassword("storepassword");
             config.getCertificateChain().setLeafCertificateName("www.quarkustest.com");
             return Uni.createFrom().item(config);

diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
@@ -143,7 +143,7 @@ quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.authentication.verify-
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.client-id=quarkus-web-app
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-secret.value=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-secret.method=query
-quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-file=truststore.p12
+quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-file=target/chain/truststore.p12
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-password=storepassword
 
 
@@ -172,7 +172,7 @@ quarkus.oidc.bearer-kid-or-chain.client-id=quarkus-app
 quarkus.oidc.bearer-kid-or-chain.credentials.secret=secret
 quarkus.oidc.bearer-kid-or-chain.token.audience=https://service.example.com
 quarkus.oidc.bearer-kid-or-chain.allow-token-introspection-cache=false
-quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-file=truststore.p12
+quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-file=target/chain/truststore.p12
 quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-password=storepassword
 
 quarkus.oidc.bearer-id.auth-server-url=${keycloak.url}/realms/quarkus/
@@ -199,7 +199,7 @@ quarkus.oidc.bearer-azure.jwks-path=${keycloak.url}/azure/jwk
 quarkus.oidc.bearer-azure.jwks.resolve-early=false
 quarkus.oidc.bearer-azure.token.lifespan-grace=2147483647
 quarkus.oidc.bearer-azure.token.customizer-name=azure-access-token-customizer
-quarkus.oidc.bearer-azure.certificate-chain.trust-store-file=truststore.p12
+quarkus.oidc.bearer-azure.certificate-chain.trust-store-file=target/chain/truststore.p12
 quarkus.oidc.bearer-azure.certificate-chain.trust-store-password=storepassword
 
 quarkus.oidc.bearer-role-claim-path.auth-server-url=${keycloak.url}/realms/quarkus/
@@ -215,14 +215,14 @@ quarkus.oidc.bearer-no-introspection.credentials.secret=secret
 quarkus.oidc.bearer-no-introspection.token.audience=https://service.example.com
 quarkus.oidc.bearer-no-introspection.token.allow-jwt-introspection=false
 
-quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-file=truststore.p12
+quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-file=target/chain/truststore.p12
 quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-password=storepassword
 
-quarkus.oidc.bearer-chain-custom-validator.certificate-chain.trust-store-file=truststore.p12
+quarkus.oidc.bearer-chain-custom-validator.certificate-chain.trust-store-file=target/chain/truststore.p12
 quarkus.oidc.bearer-chain-custom-validator.certificate-chain.trust-store-password=storepassword
 quarkus.oidc.bearer-chain-custom-validator.token.audience=https://service.example.com
 
-quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-file=truststore-rootcert.p12
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-file=target/chain/truststore-rootcert.p12
 quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-password=storepassword
 quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.leaf-certificate-name=www.quarkusio.com
 

diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12
diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore.p12
diff --git a/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
@@ -22,7 +22,6 @@
 import org.awaitility.Awaitility;
 import org.hamcrest.Matchers;
 import org.jose4j.jwx.HeaderParameterNames;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import com.github.tomakehurst.wiremock.WireMockServer;
@@ -39,12 +38,10 @@
 import io.smallrye.jwt.algorithm.SignatureAlgorithm;
 import io.smallrye.jwt.build.Jwt;
 import io.smallrye.jwt.build.JwtClaimsBuilder;
-import io.smallrye.jwt.util.KeyUtils;
-import io.smallrye.jwt.util.ResourceUtils;
 import io.vertx.core.json.JsonObject;
 
 @QuarkusTest
-@QuarkusTestResource(OidcWiremockTestResource.class)
+@QuarkusTestResource(CustomOidcWiremockTestResource.class)
 public class BearerTokenAuthorizationTest {
 
     @OidcWireMock
@@ -62,7 +59,6 @@ public void testSecureAccessSuccessPreferredUsername() {
     }
 
     @Test
-    @Disabled
     public void testAccessResourceAzure() throws Exception {
         String azureToken = readFile("token.txt");
         String azureJwk = readFile("jwks.json");
@@ -192,16 +188,13 @@ public void testAccessAdminResourceWithWrongCertS256Thumbprint() {
     }
 
     @Test
-    @Disabled
     public void testCertChainWithCustomValidator() throws Exception {
-        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
-        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
-        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
-        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+        List<X509Certificate> chain = TestUtils.loadCertificateChain();
+        PrivateKey subjectPrivateKey = TestUtils.loadLeafCertificatePrivateKey();
 
         // Send the token with the valid certificate chain and bind it to the token claim
         String accessToken = getAccessTokenForCustomValidator(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey, "https://service.example.com", true, false);
 
         RestAssured.given().auth().oauth2(accessToken)
@@ -212,7 +205,7 @@ public void testCertChainWithCustomValidator() throws Exception {
 
         // Send the token with the valid certificate chain but do not bind it to the token claim
         accessToken = getAccessTokenForCustomValidator(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey, "https://service.example.com", false, false);
 
         RestAssured.given().auth().oauth2(accessToken)
@@ -222,7 +215,7 @@ public void testCertChainWithCustomValidator() throws Exception {
 
         // Send the token with the valid certificate chain bound to the token claim, but expired
         accessToken = getAccessTokenForCustomValidator(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey, "https://service.example.com", true, true);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-chain-custom-validator")
@@ -231,7 +224,7 @@ public void testCertChainWithCustomValidator() throws Exception {
 
         // Send the token with the valid certificate chain but with the wrong audience
         accessToken = getAccessTokenForCustomValidator(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey, "https://server.example.com", true, false);
 
         RestAssured.given().auth().oauth2(accessToken)
@@ -242,16 +235,14 @@ public void testCertChainWithCustomValidator() throws Exception {
     }
 
     @Test
-    @Disabled
     public void testAccessAdminResourceWithFullCertChain() throws Exception {
-        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
-        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
-        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
-        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+        // index 2 - root, index 1 - intermediate, index 0 - leaf
+        List<X509Certificate> chain = TestUtils.loadCertificateChain();
+        PrivateKey subjectPrivateKey = TestUtils.loadLeafCertificatePrivateKey();
 
         // Send the token with the valid certificate chain and bind it to the token claim
         String accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey);
 
         RestAssured.given().auth().oauth2(accessToken)
@@ -268,7 +259,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
         // Send the token with the valid certificate chain, but with the token signed by a non-matching private key
         accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate());
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain")
@@ -277,7 +268,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
         // Send the token with the valid certificates but which are in the wrong order in the chain
         accessToken = getAccessTokenWithCertChain(
-                List.of(intermediateCert, subjectCert, rootCert),
+                List.of(chain.get(1), chain.get(0), chain.get(2)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain")
@@ -286,7 +277,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
         // Send the token with the valid certificates but with the intermediate one omitted from the chain
         accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert, rootCert),
+                List.of(chain.get(0), chain.get(2)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain")
@@ -295,7 +286,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
         // Send the token with the only the last valid certificate
         accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert),
+                List.of(chain.get(0)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain")
@@ -305,16 +296,13 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
     }
 
     @Test
-    @Disabled
     public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
-        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
-        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
-        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
-        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+        List<X509Certificate> chain = TestUtils.loadCertificateChain();
+        PrivateKey subjectPrivateKey = TestUtils.loadLeafCertificatePrivateKey();
 
         // Send the token with the valid certificate chain
         String accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey);
 
         RestAssured.given().auth().oauth2(accessToken)
@@ -331,7 +319,7 @@ public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
 
         // Send the token with the valid certificates but which are in the wrong order in the chain
         accessToken = getAccessTokenWithCertChain(
-                List.of(intermediateCert, subjectCert, rootCert),
+                List.of(chain.get(1), chain.get(0), chain.get(2)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain-root-only")
@@ -340,7 +328,7 @@ public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
 
         // Send the token with the valid certificates but with the intermediate one omitted from the chain
         accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert, rootCert),
+                List.of(chain.get(0), chain.get(2)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain-root-only")
@@ -349,7 +337,7 @@ public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
 
         // Send the token with the only the last valid certificate
         accessToken = getAccessTokenWithCertChain(
-                List.of(subjectCert),
+                List.of(chain.get(0)),
                 subjectPrivateKey);
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-certificate-full-chain-root-only")
@@ -358,7 +346,6 @@ public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
     }
 
     @Test
-    @Disabled
     public void testAccessAdminResourceWithKidOrChain() throws Exception {
         // token with a matching kid, not x5c
         String token = Jwt.preferredUserName("admin")
@@ -403,14 +390,12 @@ public void testAccessAdminResourceWithKidOrChain() throws Exception {
                 .then()
                 .statusCode(401);
 
-        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
-        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
-        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
-        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+        List<X509Certificate> chain = TestUtils.loadCertificateChain();
+        PrivateKey subjectPrivateKey = TestUtils.loadLeafCertificatePrivateKey();
 
         // Send the token with the valid certificate chain
         token = getAccessTokenWithCertChain(
-                List.of(subjectCert, intermediateCert, rootCert),
+                chain,
                 subjectPrivateKey);
 
         TestUtils.assertX5cOnlyIsPresent(token);
@@ -429,7 +414,7 @@ public void testAccessAdminResourceWithKidOrChain() throws Exception {
 
         // Send the token with the valid certificate chain with certificates in the wrong order
         token = getAccessTokenWithCertChain(
-                List.of(intermediateCert, subjectCert, rootCert),
+                List.of(chain.get(1), chain.get(0), chain.get(2)),
                 subjectPrivateKey);
 
         TestUtils.assertX5cOnlyIsPresent(token);
@@ -445,7 +430,7 @@ public void testAccessAdminResourceWithKidOrChain() throws Exception {
                 .groups(Set.of("admin"))
                 .issuer("https://server.example.com")
                 .audience("https://service.example.com")
-                .jws().keyId("1").chain(List.of(intermediateCert, subjectCert, rootCert))
+                .jws().keyId("1").chain(List.of(chain.get(1), chain.get(0), chain.get(2)))
                 .sign(subjectPrivateKey);
 
         assertBothKidAndX5cArePresent(token, "1");

diff --git a/...n-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java b/...n-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java
@@ -50,7 +50,6 @@
 import org.htmlunit.util.Cookie;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import com.github.tomakehurst.wiremock.WireMockServer;
@@ -337,7 +336,6 @@ public void testCodeFlowUserInfo() throws Exception {
     }
 
     @Test
-    @Disabled
     public void testCodeFlowUserInfoCachedInIdToken() throws Exception {
         // Internal ID token, allow in memory cache = false, cacheUserInfoInIdtoken = true
         final String refreshJwtToken = generateAlreadyExpiredRefreshToken();

diff --git a/...ts/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CustomOidcWiremockTestResource.java b/...ts/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CustomOidcWiremockTestResource.java
@@ -0,0 +1,59 @@
+package io.quarkus.it.keycloak;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import io.quarkus.test.oidc.server.OidcWiremockTestResource;
+import io.smallrye.certs.chain.CertificateChainGenerator;
+import io.smallrye.jwt.util.KeyUtils;
+
+public class CustomOidcWiremockTestResource extends OidcWiremockTestResource {
+    @Override
+    public Map<String, String> start() {
+        try {
+            generateCertificates();
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+
+        return super.start();
+    }
+
+    private void generateCertificates() throws Exception {
+        File chainDir = new File("target/chain");
+        CertificateChainGenerator chainGenerator = new CertificateChainGenerator(chainDir)
+                .withCN("www.quarkustest.com");
+        chainGenerator.generate();
+
+        Path rootCertPath = Paths.get("target/chain/root.crt");
+        X509Certificate rootCert = KeyUtils.getCertificate(Files.readString(rootCertPath));
+
+        Path leafCertPath = Paths.get("target/chain/www.quarkustest.com.crt");
+        X509Certificate leafCert = KeyUtils.getCertificate(Files.readString(leafCertPath));
+
+        File trustStore = new File(chainDir, "truststore.p12");
+        KeyStore keyStore = KeyStore.getInstance("PKCS12");
+        keyStore.load(null, null);
+        keyStore.setCertificateEntry("root", rootCert);
+        keyStore.setCertificateEntry("leaf", leafCert);
+        var fos = new FileOutputStream(trustStore);
+        keyStore.store(fos, "storepassword".toCharArray());
+        fos.close();
+
+        File trustStoreRoot = new File(chainDir, "truststore-rootcert.p12");
+        KeyStore keyStoreRootCert = KeyStore.getInstance("PKCS12");
+        keyStoreRootCert.load(null, null);
+        keyStoreRootCert.setCertificateEntry("root", rootCert);
+        var fosRootCert = new FileOutputStream(trustStoreRoot);
+        keyStoreRootCert.store(fosRootCert, "storepassword".toCharArray());
+        fosRootCert.close();
+
+    }
+
+}