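/*******************************************************************************
 * Copyright 2017 The MIT Internet Trust Consortium
 *
 * Portions copyright 2011-2013 The MITRE Corporation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
package org.mitre.openid.connect.client.service.impl;

import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;

import org.apache.http.client.utils.URIBuilder;
import org.mitre.openid.connect.client.model.IssuerServiceResponse;
import org.mitre.openid.connect.client.service.IssuerService;
import org.springframework.security.authentication.AuthenticationServiceException;

import com.google.common.base.Strings;

/**
 * Determines the issuer using an account chooser or other third-party-initiated login.
 *
 * <p>The {@code iss}, {@code login_hint} and {@code target_link_uri} request parameters
 * are read straight from the incoming request, so they are controlled by whoever
 * initiated the login. Only {@code iss} is checked here (exact string match against the
 * configured whitelist and blacklist); the other two are handed back to the caller
 * unmodified and must be treated as untrusted by whatever consumes them.
 *
 * @author jricher
 */
public class ThirdPartyIssuerService implements IssuerService {

	/** Where the user is sent when no issuer was supplied; must parse as a URI (checked at init). */
	private String accountChooserUrl;

	/** Issuers that may be used. Empty means "no whitelist restriction". Exact string comparison. */
	private Set<String> whitelist = new HashSet<>();

	/** Issuers that are always rejected, even when whitelisted. Exact string comparison. */
	private Set<String> blacklist = new HashSet<>();

	/**
	 * Resolves the issuer for this request.
	 *
	 * <p>If an {@code iss} parameter is present it is checked against the whitelist (only
	 * when the whitelist is non-empty) and then the blacklist, and returned together with
	 * the raw {@code login_hint} and {@code target_link_uri} parameters. Otherwise the
	 * caller is redirected to the account chooser with the current request URL passed as
	 * {@code redirect_uri}.
	 *
	 * @param request the incoming login request
	 * @return the resolved issuer, or a redirect to the account chooser
	 * @throws AuthenticationServiceException if the issuer is not whitelisted, is blacklisted,
	 *         or the configured account chooser URL cannot be parsed
	 */
	@Override
	public IssuerServiceResponse getIssuer(HttpServletRequest request) {

		// if the issuer is passed in, vet it and return that
		String iss = request.getParameter("iss");
		if (!Strings.isNullOrEmpty(iss)) {
			checkIssuerAllowed(iss);

			// login_hint and target_link_uri are passed through as-is; nothing here
			// validates them, so the consumer of the response must.
			return new IssuerServiceResponse(iss,
					request.getParameter("login_hint"),
					request.getParameter("target_link_uri"));
		}

		// no issuer supplied: forward to the account chooser
		try {
			// NOTE(review): getRequestURL() rebuilds scheme/host/port from what the
			// container saw on the incoming request, so the redirect_uri sent to the
			// account chooser depends on the container/proxy canonicalizing the Host
			// header — confirm for the deployment.
			String redirectUri = request.getRequestURL().toString();
			URIBuilder builder = new URIBuilder(accountChooserUrl);
			builder.addParameter("redirect_uri", redirectUri);
			return new IssuerServiceResponse(builder.build().toString());
		} catch (URISyntaxException e) {
			throw new AuthenticationServiceException("Account Chooser URL is not valid", e);
		}
	}

	/**
	 * Rejects the issuer if it fails the whitelist (when one is configured) or is
	 * blacklisted. The blacklist is enforced even when the whitelist is empty.
	 *
	 * @param iss the non-empty issuer string taken from the request
	 * @throws AuthenticationServiceException if the issuer is not allowed
	 */
	private void checkIssuerAllowed(String iss) {
		if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
			throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
		}
		if (blacklist.contains(iss)) {
			throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
		}
	}

	/**
	 * @return the accountChooserUrl
	 */
	public String getAccountChooserUrl() {
		return accountChooserUrl;
	}

	/**
	 * @param accountChooserUrl the accountChooserUrl to set
	 */
	public void setAccountChooserUrl(String accountChooserUrl) {
		this.accountChooserUrl = accountChooserUrl;
	}

	/**
	 * @return the live configured whitelist (not a copy); never {@code null}
	 */
	public Set<String> getWhitelist() {
		return whitelist;
	}

	/**
	 * @param whitelist the whitelist to set; {@code null} is treated as an empty set so
	 *        that {@link #getIssuer} cannot fail on a missing configuration value
	 */
	public void setWhitelist(Set<String> whitelist) {
		this.whitelist = whitelist != null ? whitelist : new HashSet<String>();
	}

	/**
	 * @return the live configured blacklist (not a copy); never {@code null}
	 */
	public Set<String> getBlacklist() {
		return blacklist;
	}

	/**
	 * @param blacklist the blacklist to set; {@code null} is treated as an empty set so
	 *        that {@link #getIssuer} cannot fail on a missing configuration value
	 */
	public void setBlacklist(Set<String> blacklist) {
		this.blacklist = blacklist != null ? blacklist : new HashSet<String>();
	}

	/**
	 * Validates the configuration once the bean's properties have been injected.
	 *
	 * @throws IllegalArgumentException if the account chooser URL is missing or does not
	 *         parse as a URI (without this check a bad URL only surfaces on the first login)
	 */
	@PostConstruct
	public void afterPropertiesSet() {
		if (Strings.isNullOrEmpty(this.accountChooserUrl)) {
			throw new IllegalArgumentException("Account Chooser URL cannot be null or empty");
		}
		try {
			// fail at startup rather than on the first login attempt
			new URIBuilder(this.accountChooserUrl);
		} catch (URISyntaxException e) {
			throw new IllegalArgumentException("Account Chooser URL is not a valid URI: " + this.accountChooserUrl, e);
		}
	}

}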