added whitelist/blacklist support to server & client services

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java

@@ -19,6 +19,8 @@
  */
 package org.mitre.openid.connect.client.service.impl;
 
+import java.util.HashSet;
+import java.util.Set;
 import java.util.concurrent.ExecutionException;
 
 import org.apache.http.client.HttpClient;
@@ -35,6 +37,7 @@ import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.web.client.RestTemplate;
 
@@ -59,6 +62,9 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 	// TODO: make sure the template doesn't have "client_id", "client_secret", or "registration_access_token" set on it already
 	private RegisteredClient template;
 	
+	private Set<String> whitelist = new HashSet<String>();
+	private Set<String> blacklist = new HashSet<String>();
+	
 	public DynamicRegistrationClientConfigurationService() {
 		clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader());
 	}
@@ -66,6 +72,14 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 	@Override
 	public RegisteredClient getClientConfiguration(ServerConfiguration issuer) {
 		try {
+			if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
+				throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
+			}
+			
+			if (blacklist.contains(issuer)) {
+				throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
+			}
+			
 			return clients.get(issuer);
 		} catch (ExecutionException e) {
 			logger.warn("Unable to get client configuration", e);
@@ -102,6 +116,35 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 	}
 
 
+	/**
+	 * @return the whitelist
+	 */
+	public Set<String> getWhitelist() {
+		return whitelist;
+	}
+
+	/**
+	 * @param whitelist the whitelist to set
+	 */
+	public void setWhitelist(Set<String> whitelist) {
+		this.whitelist = whitelist;
+	}
+
+	/**
+	 * @return the blacklist
+	 */
+	public Set<String> getBlacklist() {
+		return blacklist;
+	}
+
+	/**
+	 * @param blacklist the blacklist to set
+	 */
+	public void setBlacklist(Set<String> blacklist) {
+		this.blacklist = blacklist;
+	}
+
+
 	/**
 	 * Loader class that fetches the client information.
 	 * 

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java

@@ -19,6 +19,8 @@
  */
 package org.mitre.openid.connect.client.service.impl;
 
+import java.util.HashSet;
+import java.util.Set;
 import java.util.concurrent.ExecutionException;
 
 import org.apache.http.client.HttpClient;
@@ -28,6 +30,7 @@ import org.mitre.openid.connect.config.ServerConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.web.client.RestTemplate;
 
 import com.google.common.cache.CacheBuilder;
@@ -51,14 +54,54 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
 	// map of issuer -> server configuration, loaded dynamically from service discovery
 	private LoadingCache<String, ServerConfiguration> servers;
 
+	private Set<String> whitelist = new HashSet<String>();
+	private Set<String> blacklist = new HashSet<String>();
+	
 	public DynamicServerConfigurationService() {
 		// initialize the cache
 		servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher());
 	}
 
+	/**
+	 * @return the whitelist
+	 */
+	public Set<String> getWhitelist() {
+		return whitelist;
+	}
+
+	/**
+	 * @param whitelist the whitelist to set
+	 */
+	public void setWhitelist(Set<String> whitelist) {
+		this.whitelist = whitelist;
+	}
+
+	/**
+	 * @return the blacklist
+	 */
+	public Set<String> getBlacklist() {
+		return blacklist;
+	}
+
+	/**
+	 * @param blacklist the blacklist to set
+	 */
+	public void setBlacklist(Set<String> blacklist) {
+		this.blacklist = blacklist;
+	}
+
 	@Override
 	public ServerConfiguration getServerConfiguration(String issuer) {
 		try {
+			
+			if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
+				throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
+			}
+			
+			if (blacklist.contains(issuer)) {
+				throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
+			}
+			
 			return servers.get(issuer);
 		} catch (ExecutionException e) {
 			logger.warn("Couldn't load configuration for " + issuer, e);

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java

@@ -4,9 +4,11 @@
 package org.mitre.openid.connect.client.service.impl;
 
 import java.util.Map;
+import java.util.Set;
 
 import org.mitre.oauth2.model.RegisteredClient;
 import org.mitre.openid.connect.client.service.ClientConfigurationService;
+import org.mitre.openid.connect.client.service.RegisteredClientService;
 import org.mitre.openid.connect.config.ServerConfiguration;
 
 /**
@@ -14,8 +16,8 @@ import org.mitre.openid.connect.config.ServerConfiguration;
  * service in one object. Checks the static service first, then falls through to
  * the dynamic service.
  * 
- * Provides configuration passthrough for the template and the static
+ * Provides configuration passthrough for the template, registered client service, whitelist,
- * client map.
+ * and blacklist for the dynamic service, and to the static service's client map.
  * 
  * @author jricher
  * 
@@ -73,4 +75,52 @@ public class HybridClientConfigurationService implements ClientConfigurationServ
 	    dynamicClientService.setTemplate(template);
     }
 
+	/**
+	 * @return
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getRegisteredClientService()
+	 */
+    public RegisteredClientService getRegisteredClientService() {
+	    return dynamicClientService.getRegisteredClientService();
+    }
+
+	/**
+	 * @param registeredClientService
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setRegisteredClientService(org.mitre.openid.connect.client.service.RegisteredClientService)
+	 */
+    public void setRegisteredClientService(RegisteredClientService registeredClientService) {
+	    dynamicClientService.setRegisteredClientService(registeredClientService);
+    }
+
+	/**
+	 * @return
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getWhitelist()
+	 */
+    public Set<String> getWhitelist() {
+	    return dynamicClientService.getWhitelist();
+    }
+
+	/**
+	 * @param whitelist
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setWhitelist(java.util.Set)
+	 */
+    public void setWhitelist(Set<String> whitelist) {
+	    dynamicClientService.setWhitelist(whitelist);
+    }
+
+	/**
+	 * @return
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getBlacklist()
+	 */
+    public Set<String> getBlacklist() {
+	    return dynamicClientService.getBlacklist();
+    }
+
+	/**
+	 * @param blacklist
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setBlacklist(java.util.Set)
+	 */
+    public void setBlacklist(Set<String> blacklist) {
+	    dynamicClientService.setBlacklist(blacklist);
+    }
+
 }

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java

@@ -4,6 +4,7 @@
 package org.mitre.openid.connect.client.service.impl;
 
 import java.util.Map;
+import java.util.Set;
 
 import org.mitre.openid.connect.client.service.ServerConfigurationService;
 import org.mitre.openid.connect.config.ServerConfiguration;
@@ -13,8 +14,9 @@ import org.mitre.openid.connect.config.ServerConfiguration;
  * service in one object. Checks the static service first, then falls through to
  * the dynamic service.
  * 
- * Provides configuration passthrough for the template and the static
+ * Provides configuration passthrough to the dynamic service's whitelist and blacklist, 
- * client map.
+ * and to the static service's server map.
+ * 
  * 
  * @author jricher
  *
@@ -57,4 +59,40 @@ public class HybridServerConfigurationService implements ServerConfigurationServ
 	    staticServerService.setServers(servers);
     }
 
+
+	/**
+	 * @return
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getWhitelist()
+	 */
+    public Set<String> getWhitelist() {
+	    return dynamicServerService.getWhitelist();
+    }
+
+
+	/**
+	 * @param whitelist
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setWhitelist(java.util.Set)
+	 */
+    public void setWhitelist(Set<String> whitelist) {
+	    dynamicServerService.setWhitelist(whitelist);
+    }
+
+
+	/**
+	 * @return
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getBlacklist()
+	 */
+    public Set<String> getBlacklist() {
+	    return dynamicServerService.getBlacklist();
+    }
+
+
+	/**
+	 * @param blacklist
+	 * @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setBlacklist(java.util.Set)
+	 */
+    public void setBlacklist(Set<String> blacklist) {
+	    dynamicServerService.setBlacklist(blacklist);
+    }
+
 }

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java

@@ -36,7 +36,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.util.StringUtils;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;