wip

f38a784b · Felix Sidokhine · af97af56 · f38a784b · f38a784b · f38a784b
Commit f38a784b authored 4 years ago by Felix Sidokhine
--- a/authentication-module/src/main/java/net/jami/jams/authmodule/UserAuthenticationModule.java
+++ b/authentication-module/src/main/java/net/jami/jams/authmodule/UserAuthenticationModule.java
@@ -37,6 +37,7 @@ import net.jami.jams.common.objects.user.AccessLevel;
 import net.jami.jams.common.objects.user.User;
 import net.jami.jams.common.utils.LibraryLoader;
 import net.jami.jams.common.utils.X509Utils;
+import org.bouncycastle.cert.X509CRLHolder;

 import java.io.File;
 import java.io.FileInputStream;
@@ -160,8 +161,29 @@ public class UserAuthenticationModule implements AuthenticationModule {
    }

    @Override
-    public AuthTokenResponse authenticateUser(X509Certificate[] certificates) {
-        return null;
+    public AuthTokenResponse authenticateUser(X509Certificate[] certificates, X509CRLHolder crl,
+                                              X509Certificate ca) {
+        //Extract the username for the certificate and verify that it is not revoked.
+        X509Certificate clientCert = certificates[0];
+        try {
+            //Check if the certificate is even valid.
+            clientCert.checkValidity();
+            //Check if the certificate was provided by a valid authority.
+            clientCert.verify(ca.getPublicKey());
+            //Here we need to make a request to the CRL to find out if it has been revoked.
+            if(crl.getRevokedCertificate(clientCert.getSerialNumber()) != null) return null;
+            //If the above cases have passed, then this user is indded valid.
+            //This is yet to be confirmed.
+            String username = clientCert.getSubjectDN().getName();
+            StatementList statementList = new StatementList();
+            StatementElement statementElement = new StatementElement("username","=",username,"");
+            statementList.addStatement(statementElement);
+            User user = datastore.getUserDao().getObjects(statementList).get(0);
+            return tokenController.getToken(user);
+        }
+        catch (Exception e){
+            return null;
+        }
    }

    @Override

--- a/integration-test/buildcert.sh
+++ b/integration-test/buildcert.sh
+openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -keyout user.key -out user.crt -subj "/CN=fsidokhine"
+openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
+curl -d -k -v -X POST "https://localhost:8080/api/auth/login" -E user.pfx --pass abc123
--- a/integration-test/install-server.py
+++ b/integration-test/install-server.py
 import json
 import requests

+baseUri = "https://localhost:8080"
+
 data = {}
 data['username'] = "admin"
 data['password'] = "abc123"
@@ -8,7 +10,7 @@ data['password'] = "abc123"
 header = {}
 header['Content-type'] = "application/json"

-response = requests.put('http://localhost:8080/api/install/start',data=json.dumps(data),headers=header)
+response = requests.put(baseUri + '/api/install/start',data=json.dumps(data),headers=header,verify=False)
 if response.status_code == 200:
    print("Succesfully created the administrative user!")
    token = json.loads(response.text)['access_token']
@@ -24,7 +26,7 @@ data['fields']['commonName'] = "TEST CA"
 data['fields']['country'] = "FR"
 data['fields']['lifetime'] = 10000000

-response = requests.post('http://localhost:8080/api/install/ca',data=json.dumps(data),headers=header)
+response = requests.post(baseUri + '/api/install/ca',data=json.dumps(data),headers=header,verify=False)
 if response.status_code == 200:
    print("Added CA parameters!")
 else:
@@ -52,7 +54,7 @@ data['ldapSettings']['fieldMappings']['facsimileTelephoneNumber'] = "FaxNumber"
 data['ldapSettings']['fieldMappings']['extensionName'] = "PhoneNumberExtension"
 data['ldapSettings']['fieldMappings']['o'] = "Organization"

-response = requests.post('http://localhost:8080/api/install/auth',data=json.dumps(data),headers=header)
+response = requests.post(baseUri + '/api/install/auth',data=json.dumps(data),headers=header,verify=False)
 if response.status_code == 200:
    print("Added LDAP parameters!")
 else:
@@ -65,12 +67,12 @@ data['crlLifetime'] = 100000
 data['userLifetime'] = 100000
 data['deviceLifetime'] = 100000

-response = requests.post('http://localhost:8080/api/install/settings',data=json.dumps(data),headers=header)
+response = requests.post(baseUri + '/api/install/settings',data=json.dumps(data),headers=header,verify=False)

 #This completes the install, now we'll try to enroll.

 data = {}
-response = requests.post('http://localhost:8080/api/auth/login',data={"username":"fsidokhine","password":"mes87hesm97daa"})
+response = requests.post(baseUri + '/api/auth/login',data={"username":"fsidokhine","password":"mes87hesm97daa"},verify=False)
 if response.status_code == 200:
    token = json.loads(response.text)['access_token']

@@ -110,31 +112,31 @@ oTBLLnRmdyi/SFreL5WRhMm67DHne08LCqnkzEVwMIUECN5f2mkx9KP3BrsXuH2W
 sxMmX+s/PapsdSyUJ2g3hAf6Iv5m0pcUeQ==
 -----END NEW CERTIFICATE REQUEST-----'''

-response = requests.post('http://localhost:8080/api/auth/device',headers=header,data=json.dumps(data))
+response = requests.post(baseUri + '/api/auth/device',headers=header,data=json.dumps(data),verify=False)
 print(response.status_code)
 print(response.text)

 print(token)

-response = requests.get("http://localhost:8080/api/nameserver/name/aberaud",headers=header)
+response = requests.get("http://localhost:8080/api/nameserver/name/aberaud",headers=header,verify=False)
 print(response.status_code)
 print(response.text)


-response = requests.get("http://localhost:8080//api/auth/directories",headers=header)
+response = requests.get("http://localhost:8080//api/auth/directories",headers=header,verify=False)
 print(response.status_code)
 print(response.text)

-response = requests.get("http://localhost:8080/api/auth/user",headers=header)
+response = requests.get("http://localhost:8080/api/auth/user",headers=header,verify=False)
 print(response.status_code)
 print(response.text)

 print("Getting user profile as vcard")
-response = requests.get("http://localhost:8080/api/auth/directory/entry?username=aberaud&format=vcard",headers=header)
+response = requests.get("http://localhost:8080/api/auth/directory/entry?username=aberaud&format=vcard",headers=header,verify=False)
 print(response.status_code)
 print(response.text)


-response = requests.post("http://localhost:8080/api/update",headers=header)
+response = requests.post("http://localhost:8080/api/update",headers=header,verify=False)
 print(response.status_code)
 print(response.text)
--- a/integration-test/user.crt
+++ b/integration-test/user.crt
+-----BEGIN CERTIFICATE-----
+MIIFCzCCAvOgAwIBAgIUFmkFCfLO2IiOp5zMv8saqdIGtbQwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZnNpZG9raGluZTAeFw0yMDA1MzExNTIzNDNaFw0zMDA1
+MjkxNTIzNDNaMBUxEzARBgNVBAMMCmZzaWRva2hpbmUwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDVTpTBD/cyq/1qP+RSTw6blyYWmkqsdeMOvCJHAFrf
+mFhgD7cKZSGxjtsdpCgB2yFxqT11yo0uLzCSz24HYmb7ZsAVgh4PvqPVeyxIHdig
+fS79xT8nKZY+tUuZPt7A402fMqMf+E9P+NxdvPErL9yTtuHSx3uWXjsGGRI8BUr/
+W6W5Mrr9xbYaa17GeBLExGCTm3pfPsIy4TugLItxDKYGRx1Es6NBNsdBrICJDRaG
+2jNARXD5r8WBsc9GSOEuBF+LAb85eDXjV38DWHGN3eMt3Bqa6kisK2TU+P2ub8L2
+hsstEpNyxW+MC90q3cKDpZF+EA3VzNOlRxXSfNSbDQ2Ljrp9cl/PKy2zUMCApriO
+GeGFkfWD8JqUdjY/cuBE6OwtMTOeHaQD3ORGYnyiu5JOrAqNOcCyQa/NcU3g+5hl
+I1dxZIbbkRErG0fPSzlWx3nF5KRkxPS1h7ZRObKfSYN/2UNk2lmKh9N8puaqWaDJ
+rNzft050PkcZjnLpkEj+H2LIxNhJeEe95pmlDulLa/3MRAOKhJhcp49XXQ8gW+N6
+DRhfg1E/LzbVQvIrq0O03wpzmTD7V8nTc0juo3n9hTggiWOIUwNZ+grA3sb/+8nU
+nrvq1z+0bUKYApM/DDGD7E1hIl/2p4y9OhcP/b1ZdTh9OvxCmJQebox53ZNkyj/s
+jQIDAQABo1MwUTAdBgNVHQ4EFgQUIJYrdvDdXK9BVaPEonPSuxMxPu4wHwYDVR0j
+BBgwFoAUIJYrdvDdXK9BVaPEonPSuxMxPu4wDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAoCN0Dh/MfwnV7wjaHN8SZjgQfAcsLantjhfaUHSfhswI
+eFiuXs6V8ZIICyG70hdHoY/aoia24bwaNN/I6t9GM9SxW+5OaWDzQjm1Ph6XyF46
+/wplgVC1hbuKV4V3TyAGTVdy6TQ/d/BuHSX1pGAnq4x17pdfI/zSFxbdUCUO2j64
+4OXKg+u0gDyai3rR+38ICaEDo47ZBLdNjzXJ+qxcXOTEWErb6K7O1ccAuT6hU6rR
+Pm6SSsWLer9L9zK08pdGPOUQ2ZJYg0EeaIt4bpknpk6ueV1M/r/WUkfKYNgSZYGY
+jD/xb7TPx8qyK9pyD5SZDkp/hBPb1LybtxVMkWzAzAIDBixQujs3ygy/87cSt8W6
+/ntU4v8qqgAi+QBWtYG8H1HXeru8U5V84cjVazxy5j4mxpJ5W/hETDZc6rR3zs5B
+SIkAeVCx8MlMEGQGSWUl9JZoa/hjYsmR/dvSd8+FdGtuW8NJlNqKy8P5Qjk9BFg6
+oV4iK9sm52kQ4bYybTL8nhj9QUSn1EU3a/DC72mwQSFVYYZ4bbfMIA8zWy9x3tYt
+wqiKvLQF+6TNaAgb3i7maPNaK3Au5uKSebgIvcUJlC2daClD2cR1cfQbKdO8qq6K
+JPKcfBaByepFAyHNxCX7NRQtcbRrI4HZjrehHGnlsaMqGZMLCzbyMBA7Aml0r9Y=
+-----END CERTIFICATE-----
--- a/integration-test/user.key
+++ b/integration-test/user.key
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDVTpTBD/cyq/1q
+P+RSTw6blyYWmkqsdeMOvCJHAFrfmFhgD7cKZSGxjtsdpCgB2yFxqT11yo0uLzCS
+z24HYmb7ZsAVgh4PvqPVeyxIHdigfS79xT8nKZY+tUuZPt7A402fMqMf+E9P+Nxd
+vPErL9yTtuHSx3uWXjsGGRI8BUr/W6W5Mrr9xbYaa17GeBLExGCTm3pfPsIy4Tug
+LItxDKYGRx1Es6NBNsdBrICJDRaG2jNARXD5r8WBsc9GSOEuBF+LAb85eDXjV38D
+WHGN3eMt3Bqa6kisK2TU+P2ub8L2hsstEpNyxW+MC90q3cKDpZF+EA3VzNOlRxXS
+fNSbDQ2Ljrp9cl/PKy2zUMCApriOGeGFkfWD8JqUdjY/cuBE6OwtMTOeHaQD3ORG
+Ynyiu5JOrAqNOcCyQa/NcU3g+5hlI1dxZIbbkRErG0fPSzlWx3nF5KRkxPS1h7ZR
+ObKfSYN/2UNk2lmKh9N8puaqWaDJrNzft050PkcZjnLpkEj+H2LIxNhJeEe95pml
+DulLa/3MRAOKhJhcp49XXQ8gW+N6DRhfg1E/LzbVQvIrq0O03wpzmTD7V8nTc0ju
+o3n9hTggiWOIUwNZ+grA3sb/+8nUnrvq1z+0bUKYApM/DDGD7E1hIl/2p4y9OhcP
+/b1ZdTh9OvxCmJQebox53ZNkyj/sjQIDAQABAoICAQC0Y2sbRiQ4PwjlVLkC/oaN
+ACsezEbASEXHzURzpRI0q0J5onCaIuJ2pSgajhujTiyfUY9/UNdKKnA6h582MXqD
+uuZQiiRgDknBHRRavJrZRmR6CdgZh2rfBzSymV+J4fBf5FPdkoGIUR4TS9jsO+Kf
+LPcW6MpUZMYnpwYrqhI9l8SztPo76HrTJuAUmbDNpIFD8yVu7MUQgDeLgoA+D4NM
+JdHTqtMyMGAb4wUkYeQeEONsxA0BqystPjDa8IE2CE7AYK7VrBpucy0fqCkH35Di
+1JPPVLg2mdAA57ypSyymjWG/cUkus1ddKR9VxApeiKNc57i7iSenS1FiG1007rn3
+M3OlFkaN/Kc84EvgPJwfK1YixU1gKTGSnKk5cAsoP3elNBKXNKeHLGo54o+eLGgR
+q0pJw6mbLyEixOigGDAtG9z9jmxqBDubj7LIFxogwNzy7dM/hgTXgcOtgd56ljwA
+ms/WbjVYi9GkoFmNjF/3Cksg5Bn2EPrcPL3z/L1IDfYVm9058FmyKa4Qe7zJa2YP
+uA+QmrKpSyG2mjVByY0ELTHqQcgLjUiRVCFfDWftaH2rUmviy61HocuyznQU0b/t
+RnhNHhiMnbNVfF4qDt3X6786gE0amE+4vtLDBXi3eeomAMBb42ti3Ui5Dc8bf3Pc
+YqoXP2bM1hOoy5clscqlRQKCAQEA6mYM+8TLon9UAC2r4P7lYGS/4v4j9GlxV5F0
+QfUZ1qfWZMI4lckBvQlys4tWzbocX9imYwbbjqpj+DTmLkfs1kNCbAlC5hvsn+hz
+mt5YVcNwjAoYfX0RnAQItjBxX8E1IbOgz6GOvLhEQcSJFUS8E92t6ZZ7AHLZiqc6
+sdpaDPimCNayxfHpXn+dE6jJ4GoZQKkGCt8W2rjBIW45mer+R9TB6GkrCa5Ok2eD
+lHC/g+/E4C16t9ABYppCXmSoEt4Rcujns185bBnWdy1haNHv+FdtMQ/qEQrtx3WL
+4TaCUNXhRPY0vXN9Zr5n5ajAJ0TmvqWpCSrUcRuEs1yUp+IDSwKCAQEA6PbvGUek
+1XK/X8Hmr/MTFHw9kp+R4I2OMl9QXr2+Uqbn5t6MIqUN5zgY7sZtvqyIU0MhYpVk
+A809lTiRtM8mWtfTJbFGzBsWsmbki+DGeb3RMT0Voon0+PPAg2qL3Fe0Pnn9mDuP
+5/luGuVFK8eGzd6402Q4gi6EwcZsWzylRGMbhjt5or0QHYMZa07kwG9PYVhAR29q
+IAWrdSsWswwoOt+K3ytvtA16KQqvjyPxz6fXNUAipMndTYp/o+J3xXtCpepZf4IU
+6dKn09bWhQA45MDVSI09BViWzjAbffUyH2DnUnsEC8ZPEeKY9a6PAr9hOdhj3vzQ
+mRv0VRMDqOKQhwKCAQEA3Httzw1INuvqSdisCpH5lPhv/sbrbyYX9TTe1IQG8AEk
+C9cdftd6iSRv/i8dUZq0wft6Vz/GGqZwLrMjqXkCcHEH87Oqd+TgaXIv/AcVtGaI
+YVHFw5R3kffBcg6TNmz422Cp7WScbSwvGGYURCtJdq5YvpZL0Ro3QtMWxOENP5JM
+K5g4xTVOPRNw32MvsaZbZpUXF/bM+qQ7FoUmLX/7+/lHBKSYVRze0IzYGjMMEsDg
+wbZF7sz74JIVx9CKwGSeqSYnfHQgAW00bRoEvKJtRX6HOVUs6ScMj0gkcY3iesMU
+iNfGuEYAOTr1Y/Od+9I18jLFk9fzyQkHg+eb9WcFjQKCAQEA1mUSrAg0GT/OAXk4
+LSsdnxerrrltjeOYPqFbHKWwdu4ls2GSQ/v0bJtCztQMgZLUrxOzsL9dWOZUS3TR
+Gz4cxTOknSalygcP/0UUBerpnXZkA9V8iKY/rbDdtdOjPTf1qB2qlaQTDuCNRPFE
+lEK+u83B+MFeA+h9wrsyU1Dfo6010nX/vhYSs6ZICWqEuNh3jFWkalmNqESvg1gR
+PtvsVioN6s5VsbVJfGXaJXhl/L4xH0+T0mX4ZXkVeKRdp3+FWZ3vmZoEVx/H1fv8
+VlBbC6KvZmKdCsN5ne3GD0hNRXVvzYdqtM9fS01niYqJEHVCK/MKDlhKPO3uETE7
+h/xiFwKCAQAWHjWxHDfSv/EAYIP+uTfvSDggVXJiN8b5dXZ7VGF7ljUg8q5jdLau
+TGiLfDTCEChu2ZsTowkeLaLMPOFq2I5F8p4AOoDTwRoNYVnMG63/fZVQU9ZsAh6D
+V0xUbMgcvlIzxG6+3sEfw7867g9jaVuDF0kE/d13B0c0Mk74SNkRcLZiz0RdvWJA
+xcFJnyhv32V7rYL1R6DtaRvnmvAeKODeJ2Sdc8pn26NUH/M8hF0TPkASBGnf2wo
+J6XcvcFLa6USB7hVX887JJgeFQCkQqyRdWmyVTio+xz4xj0w43CRKYvyn1PUYe4m
+6aIeoWpTJNW1E4sjnz7eu5ojhoYLLx2t
+-----END PRIVATE KEY-----
--- a/integration-test/user.pfx
+++ b/integration-test/user.pfx
--- a/jams-common/src/main/java/net/jami/jams/common/authmodule/AuthenticationModule.java
+++ b/jams-common/src/main/java/net/jami/jams/common/authmodule/AuthenticationModule.java
@@ -26,6 +26,7 @@ import net.jami.jams.common.authentication.AuthenticationSource;
 import net.jami.jams.common.authentication.AuthenticationSourceType;
 import net.jami.jams.common.jami.NameServer;
 import net.jami.jams.common.objects.user.User;
+import org.bouncycastle.cert.X509CRLHolder;

 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
@@ -35,7 +36,7 @@ public interface AuthenticationModule {

    void attachAuthSource(AuthenticationSourceType type, String settings);
    AuthTokenResponse authenticateUser(String username, String password);
-    AuthTokenResponse authenticateUser(X509Certificate[] certificates);
+    AuthTokenResponse authenticateUser(X509Certificate[] certificates, X509CRLHolder crl, X509Certificate ca);
    ConcurrentHashMap<AuthModuleKey, AuthenticationSource> getAuthSources();
    boolean testModuleConfiguration(AuthenticationSourceType type, String configuration);
    boolean createUser(AuthenticationSourceType type, String realm, NameServer nameServer, User user);

--- a/jams-server/src/main/java/net/jami/jams/server/servlets/api/auth/login/AuthRequestProcessor.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/api/auth/login/AuthRequestProcessor.java
@@ -26,13 +26,15 @@ import net.jami.jams.common.authmodule.AuthTokenResponse;

 import java.security.cert.X509Certificate;

+import static net.jami.jams.server.Server.certificateAuthority;
 import static net.jami.jams.server.Server.userAuthenticationModule;

 public class AuthRequestProcessor {

    //This case does not talk to the authentication module, only to the ca
    public static AuthTokenResponse processX509Auth(X509Certificate[] certificates){
-        return userAuthenticationModule.authenticateUser(certificates);
+        return userAuthenticationModule.authenticateUser(certificates,certificateAuthority.getLatestCRL().get(),
+            certificateAuthority.getCA());
    }

    public static AuthTokenResponse processUsernamePasswordAuth(String username, String password){