added whitelist/blacklist to issuer services
parent
a668fb964d
commit
70958376cb
|
@ -20,6 +20,8 @@
|
||||||
package org.mitre.openid.connect.client.service.impl;
|
package org.mitre.openid.connect.client.service.impl;
|
||||||
|
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
|
@ -41,6 +43,9 @@ import com.google.common.base.Strings;
|
||||||
public class ThirdPartyIssuerService implements IssuerService, InitializingBean {
|
public class ThirdPartyIssuerService implements IssuerService, InitializingBean {
|
||||||
|
|
||||||
private String accountChooserUrl;
|
private String accountChooserUrl;
|
||||||
|
|
||||||
|
private Set<String> whitelist = new HashSet<String>();
|
||||||
|
private Set<String> blacklist = new HashSet<String>();
|
||||||
|
|
||||||
/* (non-Javadoc)
|
/* (non-Javadoc)
|
||||||
* @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
|
* @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
|
||||||
|
@ -49,8 +54,17 @@ public class ThirdPartyIssuerService implements IssuerService, InitializingBean
|
||||||
public IssuerServiceResponse getIssuer(HttpServletRequest request) {
|
public IssuerServiceResponse getIssuer(HttpServletRequest request) {
|
||||||
|
|
||||||
// if the issuer is passed in, return that
|
// if the issuer is passed in, return that
|
||||||
if (!Strings.isNullOrEmpty(request.getParameter("iss"))) {
|
String iss = request.getParameter("iss");
|
||||||
return new IssuerServiceResponse(request.getParameter("iss"), request.getParameter("login_hint"), request.getParameter("target_link_uri"));
|
if (!Strings.isNullOrEmpty(iss)) {
|
||||||
|
if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
|
||||||
|
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (blacklist.contains(iss)) {
|
||||||
|
throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
|
||||||
|
}
|
||||||
|
|
||||||
|
return new IssuerServiceResponse(iss, request.getParameter("login_hint"), request.getParameter("target_link_uri"));
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
@ -85,6 +99,34 @@ public class ThirdPartyIssuerService implements IssuerService, InitializingBean
|
||||||
this.accountChooserUrl = accountChooserUrl;
|
this.accountChooserUrl = accountChooserUrl;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the whitelist
|
||||||
|
*/
|
||||||
|
public Set<String> getWhitelist() {
|
||||||
|
return whitelist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param whitelist the whitelist to set
|
||||||
|
*/
|
||||||
|
public void setWhitelist(Set<String> whitelist) {
|
||||||
|
this.whitelist = whitelist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the blacklist
|
||||||
|
*/
|
||||||
|
public Set<String> getBlacklist() {
|
||||||
|
return blacklist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param blacklist the blacklist to set
|
||||||
|
*/
|
||||||
|
public void setBlacklist(Set<String> blacklist) {
|
||||||
|
this.blacklist = blacklist;
|
||||||
|
}
|
||||||
|
|
||||||
/* (non-Javadoc)
|
/* (non-Javadoc)
|
||||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||||
*/
|
*/
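Review bot: `setWhitelist`/`setBlacklist` in the last hunk store the caller's `Set` by reference and `getWhitelist`/`getBlacklist` return the live field, so the issuer policy can be altered from outside after the bean is wired, and a `null` handed to a setter later fails with a NullPointerException at `whitelist.isEmpty()` in `getIssuer`. Copy on the way in and guard the null, e.g. `this.whitelist = (whitelist == null) ? new HashSet<String>() : new HashSet<String>(whitelist);`, and return an unmodifiable view from the getters. The checks in the `getIssuer` hunk also compare the raw `iss` parameter with the configured strings exactly, so an entry that differs only by a trailing slash or letter case does not match; that is worth stating in the Javadoc, which currently reads only `@return the whitelist`, together with the fact that an empty whitelist means any issuer not on the blacklist is accepted. The same four accessors with the same gaps appear in WebfingerIssuerService below.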
|
||||||
|
|
|
@ -19,6 +19,8 @@
|
||||||
*/
|
*/
|
||||||
package org.mitre.openid.connect.client.service.impl;
|
package org.mitre.openid.connect.client.service.impl;
|
||||||
|
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.Set;
|
||||||
import java.util.concurrent.ExecutionException;
|
import java.util.concurrent.ExecutionException;
|
||||||
import java.util.regex.Matcher;
|
import java.util.regex.Matcher;
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
@ -33,6 +35,7 @@ import org.mitre.openid.connect.client.service.IssuerService;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
|
||||||
|
import org.springframework.security.authentication.AuthenticationServiceException;
|
||||||
import org.springframework.web.client.RestTemplate;
|
import org.springframework.web.client.RestTemplate;
|
||||||
|
|
||||||
import com.google.common.base.Strings;
|
import com.google.common.base.Strings;
|
||||||
|
@ -59,6 +62,9 @@ public class WebfingerIssuerService implements IssuerService {
|
||||||
// map of user input -> issuer, loaded dynamically from webfinger discover
|
// map of user input -> issuer, loaded dynamically from webfinger discover
|
||||||
private LoadingCache<NormalizedURI, String> issuers;
|
private LoadingCache<NormalizedURI, String> issuers;
|
||||||
|
|
||||||
|
private Set<String> whitelist = new HashSet<String>();
|
||||||
|
private Set<String> blacklist = new HashSet<String>();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Name of the incoming parameter to check for discovery purposes.
|
* Name of the incoming parameter to check for discovery purposes.
|
||||||
*/
|
*/
|
||||||
|
@ -83,6 +89,14 @@ public class WebfingerIssuerService implements IssuerService {
|
||||||
if (!Strings.isNullOrEmpty(identifier)) {
|
if (!Strings.isNullOrEmpty(identifier)) {
|
||||||
try {
|
try {
|
||||||
String issuer = issuers.get(normalizeResource(identifier));
|
String issuer = issuers.get(normalizeResource(identifier));
|
||||||
|
if (!whitelist.isEmpty() && !whitelist.contains(issuer)) {
|
||||||
|
throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (blacklist.contains(issuer)) {
|
||||||
|
throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
|
||||||
|
}
|
||||||
|
|
||||||
return new IssuerServiceResponse(issuer, null, null);
|
return new IssuerServiceResponse(issuer, null, null);
|
||||||
} catch (ExecutionException e) {
|
} catch (ExecutionException e) {
|
||||||
logger.warn("Issue fetching issuer for user input: " + identifier, e);
|
logger.warn("Issue fetching issuer for user input: " + identifier, e);
|
||||||
|
@ -176,6 +190,33 @@ public class WebfingerIssuerService implements IssuerService {
|
||||||
this.loginPageUrl = loginPageUrl;
|
this.loginPageUrl = loginPageUrl;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the whitelist
|
||||||
|
*/
|
||||||
|
public Set<String> getWhitelist() {
|
||||||
|
return whitelist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param whitelist the whitelist to set
|
||||||
|
*/
|
||||||
|
public void setWhitelist(Set<String> whitelist) {
|
||||||
|
this.whitelist = whitelist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the blacklist
|
||||||
|
*/
|
||||||
|
public Set<String> getBlacklist() {
|
||||||
|
return blacklist;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param blacklist the blacklist to set
|
||||||
|
*/
|
||||||
|
public void setBlacklist(Set<String> blacklist) {
|
||||||
|
this.blacklist = blacklist;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author jricher
|
* @author jricher
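Review bot: The whitelist and blacklist checks in the `getIssuer` hunk sit inside the `try` block after `issuers.get(normalizeResource(identifier))`, so the webfinger lookup runs and its result is cached before a blacklisted issuer is rejected, and the thrown `AuthenticationServiceException` is unchecked so it passes the `catch (ExecutionException e)` untouched; that looks intended but deserves a comment such as `// policy checks run after discovery; AuthenticationServiceException is unchecked and propagates past the catch below`. The messages `"Issuer was in blacklist: " + issuer` embed a value derived from the remote webfinger response into the authentication exception; if the failure handler surfaces exception text to the client, prefer logging the issuer through the existing `logger` and keeping the exception message fixed. The enclosing method continues outside the hunk.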
|
||||||
|
|