ResourceCRLRevocationCheckerTests.java

package org.apereo.cas.adaptors.x509.authentication.handler.support;

import org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameters;
import org.springframework.core.io.ClassPathResource;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Collection;


/**
 * Unit tests for {@link ResourceCRLRevocationChecker} class.
 *
 * @author Marvin S. Addison
 * @since 3.4.6
 */
@RunWith(Parameterized.class)
public class ResourceCRLRevocationCheckerTests extends AbstractCRLRevocationCheckerTests {
    /**
     * Instance under test.
     */
    private final ResourceCRLRevocationChecker checker;

    /**
     * Creates a new test instance with given parameters.
     *
     * @param checker          Revocation checker instance.
     * @param certFiles        File names of certificates to check.
     * @param expected         Expected result of check; null to indicate expected success.
     */
    public ResourceCRLRevocationCheckerTests(
            final ResourceCRLRevocationChecker checker,
            final String[] certFiles,
            final GeneralSecurityException expected) {

        super(certFiles, expected);

        this.checker = checker;
        try {
            this.checker.init();
        } catch (final Exception e) {
            throw new RuntimeException("ResourceCRLRevocationChecker initialization failed", e);
        }
    }

    /**
     * Gets the unit test parameters.
     *
     * @return Test parameter data.
     */
    @Parameters
    public static Collection<Object[]> getTestParameters() {
        final Collection<Object[]> params = new ArrayList<>();

        final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);

        // Test case #1
        // Valid certificate on valid CRL data
        params.add(new Object[]{
                new ResourceCRLRevocationChecker(new ClassPathResource[]{
                        new ClassPathResource("userCA-valid.crl"),
                }, zeroThresholdPolicy),
                new String[]{"user-valid.crt"},
                null,
        });

        // Test case #2
        // Revoked certificate on valid CRL data
        params.add(new Object[]{
                new ResourceCRLRevocationChecker(new ClassPathResource[]{
                        new ClassPathResource("userCA-valid.crl"),
                        new ClassPathResource("intermediateCA-valid.crl"),
                        new ClassPathResource("rootCA-valid.crl"),
                }, zeroThresholdPolicy),
                new String[]{"user-revoked.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt"},
                new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")),
        });

        // Test case #3
        // Valid certificate on expired CRL data for head cert
        params.add(new Object[]{
                new ResourceCRLRevocationChecker(new ClassPathResource[]{
                        new ClassPathResource("userCA-expired.crl"),
                        new ClassPathResource("intermediateCA-valid.crl"),
                        new ClassPathResource("rootCA-valid.crl"),
                }, zeroThresholdPolicy),
                new String[]{"user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt"},
                new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)),
        });

        // Test case #4
        // Valid certificate on expired CRL data for intermediate cert
        params.add(new Object[]{
                new ResourceCRLRevocationChecker(new ClassPathResource[]{
                        new ClassPathResource("userCA-valid.crl"),
                        new ClassPathResource("intermediateCA-expired.crl"),
                        new ClassPathResource("rootCA-valid.crl"),
                }, zeroThresholdPolicy),
                new String[]{"user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt"},
                new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)),
        });

        // Test case #5
        // Valid certificate on expired CRL data with custom expiration
        // policy to always allow expired CRL data
        params.add(new Object[]{
                new ResourceCRLRevocationChecker(new ClassPathResource[]{
                        new ClassPathResource("userCA-expired.crl"),
                }, crl -> {}),
                new String[]{"user-valid.crt"},
                null,
        });

        return params;
    }

    @Override
    protected RevocationChecker getChecker() {
        return this.checker;
    }
}