KEYCLOAK-16917


Douglas Palmer

May 14, 2021, 11:37:38 AM5/14/21
to Keycloak Dev
Hi everyone

I’m trying to write a test to reproduce KEYCLOAK-16917 but I’m having problems with certificates and SSL. My test uses GreenMail and sets the SSL SocketFactory to DummySSLSocketFactory, which should result in Keycloak skipping the verification. However, the test keeps failing with "java.io.IOException: Can't verify identity of server: localhost".

Can anyone see what I’m doing wrong? My changes can be found here: https://github.com/douglaspalmer/keycloak/tree/KEYCLOAK-16917

Regards
Doug


package org.keycloak.testsuite.admin;

import com.icegreen.greenmail.util.DummySSLSocketFactory;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.GreenMailRule;
import org.keycloak.testsuite.util.MailServerConfiguration;
import org.keycloak.testsuite.util.UserBuilder;

import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import javax.ws.rs.core.Response;
import java.security.Security;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

public class SecureSMTPConnectionTest extends AbstractKeycloakTest {

    // GreenMail SMTPS server listening on the test suite's SSL port
    @Rule
    public GreenMailRule greenMailRule = new GreenMailRule(Integer.parseInt(MailServerConfiguration.PORT_SSL), MailServerConfiguration.HOST, "smtps");
    private RealmResource realm;

    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
    }

    @Before
    public void before() {
        // Install GreenMail's trust-all socket factory inside the auth server JVM
        // so its SMTP client accepts the test mail server's certificate.
        testingClient.server().run(session -> Security.setProperty("ssl.SocketFactory.provider", DummySSLSocketFactory.class.getName()));

        realm = adminClient.realm("master");
        List<UserRepresentation> admin = realm.users().search("admin", 0, 1);
        UserRepresentation user = UserBuilder.edit(admin.get(0)).email("admin@localhost").build();
        realm.users().get(user.getId()).update(user);
    }

    private Map<String, String> smtpMap(String host, String port, String from, String auth, String ssl, String starttls,
                                        String username, String password, String replyTo, String envelopeFrom) {
        Map<String, String> config = new HashMap<>();
        config.put("host", host);
        config.put("port", port);
        config.put("from", from);
        config.put("auth", auth);
        config.put("ssl", ssl);
        config.put("starttls", starttls);
        config.put("user", username);
        config.put("password", password);
        config.put("replyTo", replyTo);
        config.put("envelopeFrom", envelopeFrom);
        return config;
    }

    //KEYCLOAK-16917
    @Test
    @AuthServerContainerExclude(AuthServerContainerExclude.AuthServer.REMOTE)
    public void testStartTls() throws Exception {
        greenMailRule.credentials("admin@localhost", "admin");
        Response response = realm.testSMTPConnection(smtpMap(MailServerConfiguration.HOST, MailServerConfiguration.PORT_SSL, "admin@localhost", "true", "true", "true",
                "admin@localhost", "admin", "", ""));
        assertStatus(response, 204);
        assertMailReceived();
    }

    private void assertStatus(Response response, int status) {
        assertEquals(status, response.getStatus());
        response.close();
    }

    private void assertMailReceived() {
        MimeMessage[] received = greenMailRule.getReceivedMessages();
        if (received.length == 1) {
            try {
                assertEquals("[KEYCLOAK] - SMTP test message", received[0].getSubject());
            } catch (MessagingException e) {
                // Swallowing the exception would let the test pass silently; fail instead.
                fail("Could not read received message: " + e.getMessage());
            }
        } else {
            fail("E-mail was not received");
        }
    }
}

Jan Lieskovsky

May 17, 2021, 12:03:21 PM5/17/21
to Douglas Palmer, Keycloak Dev
Hey Doug,

per the following three posts:

it should be possible to configure mail SMTP server properties to:
* Trust all hosts (so even certs with CN not matching hostname):
    props.put("mail.smtp.ssl.trust", "*");

* Or even disable mail server certificate validation (for the case of
  self-signed certificates on the mail server):
    props.put("mail.smtp.ssl.checkserveridentity", "false");

Didn't actually try them to see if they work TBH. But hopefully, experimenting
with those a bit, you can find the setup working for you.

HTH,
Jan



Douglas Palmer

May 17, 2021, 2:37:09 PM5/17/21
to Jan Lieskovsky, Keycloak Dev
Hi Jan

In theory, both of those properties should be set by DefaultEmailSenderProvider.setupTruststore().
Running with -Dkeycloak.truststore.policy=ANY should set mail.smtp.ssl.trust to * and prevent mail.smtp.ssl.checkserveridentity from being set to true.

Regards
Doug
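To put the two properties discussed in this thread next to a configuration that keeps certificate and hostname checks switched on, here is an added example; it is not code from the thread, from GreenMail or from Keycloak. It assumes JavaMail / Jakarta Mail 1.x (the com.sun.mail.util.MailSSLSocketFactory class) and a truststore file, path and password hypothetical, that holds only the test mail server's certificate or its issuing CA.

```java
import com.sun.mail.util.MailSSLSocketFactory;

import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;

public final class SmtpTlsTrust {

    /** The settings from the thread: accept any certificate and skip the hostname check.
     *  Usable only against a throwaway test server such as GreenMail; anywhere else an
     *  interposed host presenting an arbitrary certificate would be accepted. */
    public static Properties trustAnything(String host, String port) {
        Properties props = new Properties();
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", port);
        props.put("mail.smtp.ssl.enable", "true");
        props.put("mail.smtp.ssl.trust", "*");                   // trust every host/certificate
        props.put("mail.smtp.ssl.checkserveridentity", "false"); // no CN/SAN vs. host check
        return props;
    }

    /** Safer alternative for a test: validate the chain against an explicit truststore that
     *  contains only the test mail server's certificate, and keep hostname verification on.
     *  truststorePath and truststorePassword are hypothetical inputs for this example. */
    public static Properties trustOnlyTestServer(String host, String port,
                                                 String truststorePath, char[] truststorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);

        // MailSSLSocketFactory lets JavaMail use these TrustManagers instead of the JVM default.
        MailSSLSocketFactory socketFactory = new MailSSLSocketFactory();
        socketFactory.setTrustManagers(tmf.getTrustManagers());

        Properties props = new Properties();
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", port);
        props.put("mail.smtp.ssl.enable", "true");
        props.put("mail.smtp.ssl.socketFactory", socketFactory); // object-valued property
        props.put("mail.smtp.ssl.checkserveridentity", "true");  // certificate must name `host`
        // Deliberately no mail.smtp.ssl.trust: trust comes from the truststore alone.
        return props;
    }
}
```

With the second configuration the "Can't verify identity of server" error surfaces as an intended failure whenever the certificate in the truststore does not name the host being connected to, which is the check the trust-all settings silence.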