added whitelist/blacklist to issuer services
parent
a668fb964d
commit
70958376cb
|
@ -20,6 +20,8 @@
|
|||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
|
@ -41,6 +43,9 @@ import com.google.common.base.Strings;
|
|||
public class ThirdPartyIssuerService implements IssuerService, InitializingBean {
|
||||
|
||||
private String accountChooserUrl;
|
||||
|
||||
private Set<String> whitelist = new HashSet<String>();
|
||||
private Set<String> blacklist = new HashSet<String>();
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
|
||||
|
@ -49,8 +54,17 @@ public class ThirdPartyIssuerService implements IssuerService, InitializingBean
|
|||
public IssuerServiceResponse getIssuer(HttpServletRequest request) {
|
||||
|
||||
// if the issuer is passed in, return that
|
||||
if (!Strings.isNullOrEmpty(request.getParameter("iss"))) {
|
||||
return new IssuerServiceResponse(request.getParameter("iss"), request.getParameter("login_hint"), request.getParameter("target_link_uri"));
|
||||
String iss = request.getParameter("iss");
|
||||
if (!Strings.isNullOrEmpty(iss)) {
|
||||
if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
|
||||
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
|
||||
}
|
||||
|
||||
if (blacklist.contains(iss)) {
|
||||
throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
|
||||
}
|
||||
|
||||
return new IssuerServiceResponse(iss, request.getParameter("login_hint"), request.getParameter("target_link_uri"));
|
||||
} else {
|
||||
|
||||
try {
|
||||
|
@ -85,6 +99,34 @@ public class ThirdPartyIssuerService implements IssuerService, InitializingBean
|
|||
this.accountChooserUrl = accountChooserUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the whitelist
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param whitelist the whitelist to set
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
this.whitelist = whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the blacklist
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return blacklist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param blacklist the blacklist to set
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
this.blacklist = blacklist;
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
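Review bot: `setWhitelist(Set)` and `setBlacklist(Set)` in the last hunk store the caller's reference without a null check, so a bean configured with a null list makes `whitelist.isEmpty()` in the getIssuer hunk throw a NullPointerException instead of the AuthenticationServiceException the new checks intend, and `getWhitelist()`/`getBlacklist()` hand out the live mutable set that the request path reads. I would copy and guard on the way in, e.g. `this.whitelist = (whitelist == null) ? new HashSet<String>() : new HashSet<String>(whitelist);` (same for `blacklist`), and return `Collections.unmodifiableSet(whitelist)` from the getters, which needs `java.util.Collections` imported. The field declarations in the second hunk also deserve a comment stating the semantics the checks implement, e.g. `// empty whitelist = every issuer allowed; an issuer on the blacklist is rejected even if whitelisted`, since a reader of the Spring configuration otherwise has to find getIssuer to learn that an empty whitelist is permissive. The same fields, getters and setters are added to WebfingerIssuerService below and this note applies there unchanged.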
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
*/
|
||||
package org.mitre.openid.connect.client.service.impl;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
@ -33,6 +35,7 @@ import org.mitre.openid.connect.client.service.IssuerService;
|
|||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
||||
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
|
@ -59,6 +62,9 @@ public class WebfingerIssuerService implements IssuerService {
|
|||
// map of user input -> issuer, loaded dynamically from webfinger discover
|
||||
private LoadingCache<NormalizedURI, String> issuers;
|
||||
|
||||
private Set<String> whitelist = new HashSet<String>();
|
||||
private Set<String> blacklist = new HashSet<String>();
|
||||
|
||||
/**
|
||||
* Name of the incoming parameter to check for discovery purposes.
|
||||
*/
|
||||
|
@ -83,6 +89,14 @@ public class WebfingerIssuerService implements IssuerService {
|
|||
if (!Strings.isNullOrEmpty(identifier)) {
|
||||
try {
|
||||
String issuer = issuers.get(normalizeResource(identifier));
|
||||
if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
|
||||
}
|
||||
|
||||
if (blacklist.contains(issuer)) {
|
||||
throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
|
||||
}
|
||||
|
||||
return new IssuerServiceResponse(issuer, null, null);
|
||||
} catch (ExecutionException e) {
|
||||
logger.warn("Issue fetching issuer for user input: " + identifier, e);
|
||||
|
@ -176,6 +190,33 @@ public class WebfingerIssuerService implements IssuerService {
|
|||
this.loginPageUrl = loginPageUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the whitelist
|
||||
*/
|
||||
public Set<String> getWhitelist() {
|
||||
return whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param whitelist the whitelist to set
|
||||
*/
|
||||
public void setWhitelist(Set<String> whitelist) {
|
||||
this.whitelist = whitelist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the blacklist
|
||||
*/
|
||||
public Set<String> getBlacklist() {
|
||||
return blacklist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param blacklist the blacklist to set
|
||||
*/
|
||||
public void setBlacklist(Set<String> blacklist) {
|
||||
this.blacklist = blacklist;
|
||||
}
|
||||
|
||||
/**
|
||||
* @author jricher
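Review bot: The whitelist/blacklist checks in the getIssuer hunk compare the issuer string returned by discovery (`issuers.get(normalizeResource(identifier))`) against the configured entries with exact `Set.contains`, so an entry that differs from the discovered issuer only by a trailing slash or letter case fails the whitelist (or misses the blacklist) with no indication why; I would add `// entries must match the issuer exactly as returned by webfinger discovery` on the two fields, or normalize both sides before comparing if tolerant matching is intended. Both exception messages embed the discovered issuer verbatim, and that value comes from the remote webfinger response rather than local configuration, so it is worth confirming where AuthenticationServiceException messages surface (log only, or to the end user) before including it unmodified. The enclosing try block continues past the hunk; only `ExecutionException` is caught there, so the new exceptions appear to propagate as intended. ThirdPartyIssuerService above uses the same exact-match comparison on the request's `iss` parameter.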
|
||||
|
|