diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java index 79de205b6..c5693d10b 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java @@ -19,6 +19,8 @@ */ package org.mitre.openid.connect.client.service.impl; +import java.util.HashSet; +import java.util.Set; import java.util.concurrent.ExecutionException; import org.apache.http.client.HttpClient; @@ -35,6 +37,7 @@ import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; +import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.web.client.RestTemplate; @@ -59,6 +62,9 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf // TODO: make sure the template doesn't have "client_id", "client_secret", or "registration_access_token" set on it already private RegisteredClient template; + private Set whitelist = new HashSet(); + private Set blacklist = new HashSet(); + public DynamicRegistrationClientConfigurationService() { clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader()); } 
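Review bot: The new `whitelist` and `blacklist` fields in the fields hunk of DynamicRegistrationClientConfigurationService are raw `Set`/`HashSet`, so nothing checks what element type the access-control lists hold — which matters because this class later calls `contains` with a `ServerConfiguration` while DynamicServerConfigurationService in the same commit calls it with a `String`. Declare the element type (presumably issuer strings, as the sibling's `String issuer` check implies), e.g. `private Set<String> whitelist = new HashSet<String>();` and `private Set<String> blacklist = new HashSet<String>();`. The same raw declarations recur in the DynamicServerConfigurationService fields hunk and in the accessor signatures of both dynamic services and both Hybrid passthrough classes.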
@@ -66,6 +72,14 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf @Override public RegisteredClient getClientConfiguration(ServerConfiguration issuer) { try { + if (!whitelist.isEmpty() && !whitelist.contains(issuer)) { + throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer); + } + + if (blacklist.contains(issuer)) { + throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer); + } + return clients.get(issuer); } catch (ExecutionException e) { logger.warn("Unable to get client configuration", e); @@ -102,6 +116,35 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf } + /** + * @return the whitelist + */ + public Set getWhitelist() { + return whitelist; + } + + /** + * @param whitelist the whitelist to set + */ + public void setWhitelist(Set whitelist) { + this.whitelist = whitelist; + } + + /** + * @return the blacklist + */ + public Set getBlacklist() { + return blacklist; + } + + /** + * @param blacklist the blacklist to set + */ + public void setBlacklist(Set blacklist) { + this.blacklist = blacklist; + } + + /** * Loader class that fetches the client information. * diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java index a2017a4bc..d0b61a38f 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java @@ -19,6 +19,8 @@ */ package org.mitre.openid.connect.client.service.impl; +import java.util.HashSet; +import java.util.Set; import java.util.concurrent.ExecutionException; import org.apache.http.client.HttpClient; 
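Review bot: In getClientConfiguration the new guards test `whitelist.contains(issuer)` and `blacklist.contains(issuer)` with `issuer` being a `ServerConfiguration` object, while the parallel guard added to DynamicServerConfigurationService tests a `String`; if the sets are configured with issuer strings, as that sibling requires, a non-empty whitelist here rejects every issuer and the blacklist never matches at all, i.e. the deny list fails open. Unless ServerConfiguration has value-based equals/hashCode and the lists are populated with ServerConfiguration instances (neither is visible here), key both checks on the issuer string: `String issuerId = issuer.getIssuer();` (assuming that is the accessor's name), `if (!whitelist.isEmpty() && !whitelist.contains(issuerId)) {` and `if (blacklist.contains(issuerId)) {`, and put `issuerId` in the exception messages instead of the object. The method's catch block continues outside the hunk.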
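Review bot: `setWhitelist` and `setBlacklist` store the caller's reference without a null check, so a null injected from bean configuration turns every later `getClientConfiguration` call into a NullPointerException at `whitelist.isEmpty()` / `blacklist.contains(...)` instead of a defined allow or deny; guard with `this.whitelist = (whitelist == null) ? new HashSet() : whitelist;` and likewise for the blacklist. The getters return the live internal sets, so any holder of the service can mutate its access-control lists; wrapping the return in `Collections.unmodifiableSet(...)` (import `java.util.Collections`) would prevent that. The Javadoc tags `@return the whitelist` and `@param whitelist the whitelist to set` say nothing about what the sets contain; state that they hold issuer identifiers, that an empty whitelist disables the whitelist check, and that the blacklist is always consulted. The identical accessors added to DynamicServerConfigurationService in this commit have the same issues.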
@@ -28,6 +30,7 @@ import org.mitre.openid.connect.config.ServerConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; +import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.web.client.RestTemplate; import com.google.common.cache.CacheBuilder; @@ -51,14 +54,54 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer // map of issuer -> server configuration, loaded dynamically from service discovery private LoadingCache servers; + private Set whitelist = new HashSet(); + private Set blacklist = new HashSet(); + public DynamicServerConfigurationService() { // initialize the cache servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher()); } + /** + * @return the whitelist + */ + public Set getWhitelist() { + return whitelist; + } + + /** + * @param whitelist the whitelist to set + */ + public void setWhitelist(Set whitelist) { + this.whitelist = whitelist; + } + + /** + * @return the blacklist + */ + public Set getBlacklist() { + return blacklist; + } + + /** + * @param blacklist the blacklist to set + */ + public void setBlacklist(Set blacklist) { + this.blacklist = blacklist; + } + @Override public ServerConfiguration getServerConfiguration(String issuer) { try { + + if (!whitelist.isEmpty() && !whitelist.contains(issuer)) { + throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer); + } + + if (blacklist.contains(issuer)) { + throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer); + } + return servers.get(issuer); } catch (ExecutionException e) { logger.warn("Couldn't load configuration for " + issuer, e); 
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java index a76e00ee3..cd08b8a11 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java @@ -4,9 +4,11 @@ package org.mitre.openid.connect.client.service.impl; import java.util.Map; +import java.util.Set; import org.mitre.oauth2.model.RegisteredClient; import org.mitre.openid.connect.client.service.ClientConfigurationService; +import org.mitre.openid.connect.client.service.RegisteredClientService; import org.mitre.openid.connect.config.ServerConfiguration; /** @@ -14,8 +16,8 @@ import org.mitre.openid.connect.config.ServerConfiguration; * service in one object. Checks the static service first, then falls through to * the dynamic service. * - * Provides configuration passthrough for the template and the static - * client map. + * Provides configuration passthrough for the template, registered client service, whitelist, + * and blacklist for the dynamic service, and to the static service's client map. * * @author jricher * 
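Review bot: The reworded class Javadoc presents the whitelist and blacklist as plain passthroughs but does not say that, since the static service is checked first (as the Javadoc itself describes), the lists only govern issuers that fall through to the dynamic service — a statically configured client is apparently never filtered by them. Add a sentence such as `Note that the whitelist and blacklist apply only to the dynamic service; entries served by the static service are not filtered.` The HybridServerConfigurationService Javadoc hunk has the same gap, and also leaves a doubled blank ` *` line after its new sentence.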
@@ -73,4 +75,52 @@ public class HybridClientConfigurationService implements ClientConfigurationServ dynamicClientService.setTemplate(template); } + /** + * @return + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getRegisteredClientService() + */ + public RegisteredClientService getRegisteredClientService() { + return dynamicClientService.getRegisteredClientService(); + } + + /** + * @param registeredClientService + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setRegisteredClientService(org.mitre.openid.connect.client.service.RegisteredClientService) + */ + public void setRegisteredClientService(RegisteredClientService registeredClientService) { + dynamicClientService.setRegisteredClientService(registeredClientService); + } + + /** + * @return + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getWhitelist() + */ + public Set getWhitelist() { + return dynamicClientService.getWhitelist(); + } + + /** + * @param whitelist + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setWhitelist(java.util.Set) + */ + public void setWhitelist(Set whitelist) { + dynamicClientService.setWhitelist(whitelist); + } + + /** + * @return + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getBlacklist() + */ + public Set getBlacklist() { + return dynamicClientService.getBlacklist(); + } + + /** + * @param blacklist + * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setBlacklist(java.util.Set) + */ + public void setBlacklist(Set blacklist) { + dynamicClientService.setBlacklist(blacklist); + } + } 
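Review bot: The six new passthrough methods carry empty `@return` and `@param` tags, generated Javadoc that documents nothing; either fill them in, e.g. `@return the issuer whitelist of the wrapped dynamic client service` and `@param whitelist the issuer whitelist to install on the wrapped dynamic client service`, or keep only the `@see` lines. The signatures also use raw `Set`; `Set<String>` would match the element type the dynamic service's `String issuer` check implies. The four passthroughs added to HybridServerConfigurationService have the same empty tags and raw types.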
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java index 881372a01..272efb13a 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java @@ -4,6 +4,7 @@ package org.mitre.openid.connect.client.service.impl; import java.util.Map; +import java.util.Set; import org.mitre.openid.connect.client.service.ServerConfigurationService; import org.mitre.openid.connect.config.ServerConfiguration; @@ -13,8 +14,9 @@ import org.mitre.openid.connect.config.ServerConfiguration; * service in one object. Checks the static service first, then falls through to * the dynamic service. * - * Provides configuration passthrough for the template and the static - * client map. + * Provides configuration passthrough to the dynamic service's whitelist and blacklist, + * and to the static service's server map. + * * * @author jricher * 
@@ -57,4 +59,40 @@ public class HybridServerConfigurationService implements ServerConfigurationServ staticServerService.setServers(servers); } + + /** + * @return + * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getWhitelist() + */ + public Set getWhitelist() { + return dynamicServerService.getWhitelist(); + } + + + /** + * @param whitelist + * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setWhitelist(java.util.Set) + */ + public void setWhitelist(Set whitelist) { + dynamicServerService.setWhitelist(whitelist); + } + + + /** + * @return + * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getBlacklist() + */ + public Set getBlacklist() { + return dynamicServerService.getBlacklist(); + } + + + /** + * @param blacklist + * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setBlacklist(java.util.Set) + */ + public void setBlacklist(Set blacklist) { + dynamicServerService.setBlacklist(blacklist); + } + } diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java index e562eaba7..d30a15357 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java 
@@ -36,7 +36,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; import org.springframework.security.authentication.AuthenticationServiceException; -import org.springframework.util.StringUtils; import org.springframework.web.client.RestTemplate; import org.springframework.web.util.UriComponents; import org.springframework.web.util.UriComponentsBuilder;