added whitelist/blacklist support to server & client services
parent
a4a18fd54c
commit
35d1e1b6d4
@ -19,6 +19,8 @@
|
|||
*/
|
||||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
|
||||
import org.apache.http.client.HttpClient;
|
||||
|
@ -35,6 +37,7 @@ import org.springframework.http.HttpHeaders;
|
|||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
||||
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
|
@ -59,6 +62,9 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
|
|||
// TODO: make sure the template doesn't have "client_id", "client_secret", or "registration_access_token" set on it already
|
||||
private RegisteredClient template;
|
||||
|
||||
private Set<String> whitelist = new HashSet<String>();
|
||||
private Set<String> blacklist = new HashSet<String>();
|
||||
|
||||
public DynamicRegistrationClientConfigurationService() {
|
||||
clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader());
|
||||
}
|
||||
|
@ -66,6 +72,14 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
|
|||
@Override
|
||||
public RegisteredClient getClientConfiguration(ServerConfiguration issuer) {
|
||||
try {
|
||||
if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
|
||||
}
|
||||
|
||||
if (blacklist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
|
||||
}
|
||||
|
||||
return clients.get(issuer);
|
||||
} catch (ExecutionException e) {
|
||||
logger.warn("Unable to get client configuration", e);
|
||||
|
@ -102,6 +116,35 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* @return the whitelist
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param whitelist the whitelist to set
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
this.whitelist = whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the blacklist
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return blacklist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param blacklist the blacklist to set
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
this.blacklist = blacklist;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Loader class that fetches the client information.
|
||||
*
|
||||
|
|
|
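Review bot: In getClientConfiguration the lists are `Set<String>` but `issuer` is a `ServerConfiguration`, so `whitelist.contains(issuer)` and `blacklist.contains(issuer)` compare an object against strings and are always false: a non-empty whitelist rejects every issuer and the blacklist never blocks anything, and it still compiles because `Set.contains` takes `Object`. The checks should be made against the issuer's URL string, e.g. `String issuerUrl = issuer.getIssuer();` followed by `if (!whitelist.isEmpty() && !whitelist.contains(issuerUrl))` and `if (blacklist.contains(issuerUrl))`, assuming `ServerConfiguration` exposes the issuer that way, which is not visible in this hunk. The equivalent checks in DynamicServerConfigurationService take a String issuer and do not have this problem. The body of getClientConfiguration continues outside the hunk.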
@ -19,6 +19,8 @@
|
|||
*/
|
||||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
|
||||
import org.apache.http.client.HttpClient;
|
||||
|
@ -28,6 +30,7 @@ import org.mitre.openid.connect.config.ServerConfiguration;
|
|||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
||||
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
import com.google.common.cache.CacheBuilder;
|
||||
|
@ -51,14 +54,54 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
|
|||
// map of issuer -> server configuration, loaded dynamically from service discovery
|
||||
private LoadingCache<String, ServerConfiguration> servers;
|
||||
|
||||
private Set<String> whitelist = new HashSet<String>();
|
||||
private Set<String> blacklist = new HashSet<String>();
|
||||
|
||||
public DynamicServerConfigurationService() {
|
||||
// initialize the cache
|
||||
servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the whitelist
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param whitelist the whitelist to set
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
this.whitelist = whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the blacklist
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return blacklist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param blacklist the blacklist to set
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
this.blacklist = blacklist;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ServerConfiguration getServerConfiguration(String issuer) {
|
||||
try {
|
||||
|
||||
if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
|
||||
}
|
||||
|
||||
if (blacklist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
|
||||
}
|
||||
|
||||
return servers.get(issuer);
|
||||
} catch (ExecutionException e) {
|
||||
logger.warn("Couldn't load configuration for " + issuer, e);
|
||||
|
|
|
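Review bot: The generated Javadoc on getWhitelist/setWhitelist/getBlacklist/setBlacklist says nothing about the semantics the check in getServerConfiguration gives them: an empty whitelist disables the whitelist check entirely (every issuer goes straight to the blacklist test), and both lists are matched by exact string equality against the issuer, so a differently written issuer value (trailing slash, case) is not matched. Suggest on setWhitelist: `Sets the issuers allowed through; an empty set allows all issuers. Entries are compared to the issuer by exact string equality.` and the equivalent wording on setBlacklist. The setters also store the caller's reference as-is, so passing null makes `whitelist.isEmpty()` throw NullPointerException at lookup time; a null check followed by `this.whitelist = new HashSet<String>(whitelist);` would harden that and stop the getters from handing out the live set for mutation. The body of getServerConfiguration continues outside the hunk.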
@ -4,9 +4,11 @@
|
|||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.RegisteredClient;
|
||||
import org.mitre.openid.connect.client.service.ClientConfigurationService;
|
||||
import org.mitre.openid.connect.client.service.RegisteredClientService;
|
||||
import org.mitre.openid.connect.config.ServerConfiguration;
|
||||
|
||||
/**
|
||||
|
@ -14,8 +16,8 @@ import org.mitre.openid.connect.config.ServerConfiguration;
|
|||
* service in one object. Checks the static service first, then falls through to
|
||||
* the dynamic service.
|
||||
*
|
||||
* Provides configuration passthrough for the template and the static
|
||||
* client map.
|
||||
* Provides configuration passthrough for the template, registered client service, whitelist,
|
||||
* and blacklist for the dynamic service, and to the static service's client map.
|
||||
*
|
||||
* @author jricher
|
||||
*
|
||||
|
@ -73,4 +75,52 @@ public class HybridClientConfigurationService implements ClientConfigurationServ
|
|||
dynamicClientService.setTemplate(template);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getRegisteredClientService()
|
||||
*/
|
||||
public RegisteredClientService getRegisteredClientService() {
|
||||
return dynamicClientService.getRegisteredClientService();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param registeredClientService
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setRegisteredClientService(org.mitre.openid.connect.client.service.RegisteredClientService)
|
||||
*/
|
||||
public void setRegisteredClientService(RegisteredClientService registeredClientService) {
|
||||
dynamicClientService.setRegisteredClientService(registeredClientService);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getWhitelist()
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return dynamicClientService.getWhitelist();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param whitelist
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setWhitelist(java.util.Set)
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
dynamicClientService.setWhitelist(whitelist);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#getBlacklist()
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return dynamicClientService.getBlacklist();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param blacklist
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService#setBlacklist(java.util.Set)
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
dynamicClientService.setBlacklist(blacklist);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
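Review bot: The updated class Javadoc says the whitelist and blacklist are passed through to the dynamic service, but the same description says the static service is checked first, so a client whose configuration is registered statically is returned without ever reaching the dynamic service's list checks. That should be stated explicitly so an operator does not assume the blacklist governs every lookup, e.g. ` * Note: the whitelist and blacklist apply only to lookups that fall through to the dynamic service; statically configured clients are not filtered by them.`; the getClientConfiguration body that fixes the order is outside this hunk, so this is inferred from the description. HybridServerConfigurationService has the same passthrough and the same description and wants the same note. The per-method Javadoc stubs carry empty `@return`/`@param` tags; filling them (e.g. `@return the dynamic service's issuer whitelist`) or dropping the empty tags would keep javadoc lint quiet.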
@ -4,6 +4,7 @@
|
|||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.openid.connect.client.service.ServerConfigurationService;
|
||||
import org.mitre.openid.connect.config.ServerConfiguration;
|
||||
|
@ -13,8 +14,9 @@ import org.mitre.openid.connect.config.ServerConfiguration;
|
|||
* service in one object. Checks the static service first, then falls through to
|
||||
* the dynamic service.
|
||||
*
|
||||
* Provides configuration passthrough for the template and the static
|
||||
* client map.
|
||||
* Provides configuration passthrough to the dynamic service's whitelist and blacklist,
|
||||
* and to the static service's server map.
|
||||
*
|
||||
*
|
||||
* @author jricher
|
||||
*
|
||||
|
@ -57,4 +59,40 @@ public class HybridServerConfigurationService implements ServerConfigurationServ
|
|||
staticServerService.setServers(servers);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @return
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getWhitelist()
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return dynamicServerService.getWhitelist();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param whitelist
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setWhitelist(java.util.Set)
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
dynamicServerService.setWhitelist(whitelist);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @return
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#getBlacklist()
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return dynamicServerService.getBlacklist();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @param blacklist
|
||||
* @see org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService#setBlacklist(java.util.Set)
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
dynamicServerService.setBlacklist(blacklist);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -36,7 +36,6 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
||||
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
import org.springframework.web.util.UriComponents;
|
||||
import org.springframework.web.util.UriComponentsBuilder;
|
||||
|
|