ThirdPartyIssuerService.java

  1. /*******************************************************************************
  2.  * Copyright 2017 The MIT Internet Trust Consortium
  3.  *
  4.  * Portions copyright 2011-2013 The MITRE Corporation
  5.  *
  6.  * Licensed under the Apache License, Version 2.0 (the "License");
  7.  * you may not use this file except in compliance with the License.
  8.  * You may obtain a copy of the License at
  9.  *
  10.  *   http://www.apache.org/licenses/LICENSE-2.0
  11.  *
  12.  * Unless required by applicable law or agreed to in writing, software
  13.  * distributed under the License is distributed on an "AS IS" BASIS,
  14.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15.  * See the License for the specific language governing permissions and
  16.  * limitations under the License.
  17.  *******************************************************************************/
  18. /**
  19.  *
  20.  */
  21. package org.mitre.openid.connect.client.service.impl;

  22. import java.net.URISyntaxException;
  23. import java.util.HashSet;
  24. import java.util.Set;

  25. import javax.annotation.PostConstruct;
  26. import javax.servlet.http.HttpServletRequest;

  27. import org.apache.http.client.utils.URIBuilder;
  28. import org.mitre.openid.connect.client.model.IssuerServiceResponse;
  29. import org.mitre.openid.connect.client.service.IssuerService;
  30. import org.springframework.security.authentication.AuthenticationServiceException;

  31. import com.google.common.base.Strings;

  32. /**
  33.  *
  34.  * Determines the issuer using an account chooser or other third-party-initiated login
  35.  *
  36.  * @author jricher
  37.  *
  38.  */
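/**
 * Determines the issuer using an account chooser or other third-party-initiated login.
 *
 * <p>If the incoming request carries an {@code iss} parameter, that value is used as the
 * issuer after it has been checked against the configured whitelist and blacklist. If no
 * {@code iss} is present, the caller is redirected to the configured account chooser with
 * the current request URL as {@code redirect_uri}, so the chooser can send the user back
 * with {@code iss} filled in.
 *
 * <p>The {@code iss}, {@code login_hint} and {@code target_link_uri} parameters are supplied
 * by whichever party initiated the login; nothing in this class authenticates them. An empty
 * whitelist disables the whitelist check entirely, so in that configuration any issuer that is
 * not on the blacklist is accepted here and must be validated further down the login flow.
 *
 * @author jricher
 */
public class ThirdPartyIssuerService implements IssuerService {

    private String accountChooserUrl;

    // Issuers explicitly permitted. When empty, the whitelist check is skipped.
    private Set<String> whitelist = new HashSet<>();
    // Issuers explicitly rejected. Always consulted, even when the whitelist is empty.
    private Set<String> blacklist = new HashSet<>();

    /**
     * Resolves the issuer for this login request.
     *
     * @param request the incoming login request
     * @return a response naming the issuer (plus any {@code login_hint} and
     *         {@code target_link_uri} passed through), or a redirect to the account chooser
     *         when the request carries no {@code iss} parameter
     * @throws AuthenticationServiceException if {@code iss} fails the whitelist/blacklist
     *         checks, or if the configured account chooser URL cannot be parsed
     * @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
     */
    @Override
    public IssuerServiceResponse getIssuer(HttpServletRequest request) {
        String iss = request.getParameter("iss");
        if (!Strings.isNullOrEmpty(iss)) {
            // Issuer supplied by the initiating party: enforce the configured lists, then pass it on.
            checkIssuerAllowed(iss);
            return new IssuerServiceResponse(iss, request.getParameter("login_hint"), request.getParameter("target_link_uri"));
        }
        return redirectToAccountChooser(request);
    }

    /**
     * Applies the whitelist (only when non-empty) and then the blacklist to {@code iss}.
     *
     * @param iss the candidate issuer taken from the request
     * @throws AuthenticationServiceException if the issuer is rejected by either list
     */
    private void checkIssuerAllowed(String iss) {
        if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
            throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
        }
        if (blacklist.contains(iss)) {
            throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
        }
    }

    /**
     * Builds a redirect to the account chooser, carrying the current request URL back as
     * {@code redirect_uri}.
     *
     * <p>The redirect URI is whatever the container reports via
     * {@link HttpServletRequest#getRequestURL()}; presumably its scheme, host and port reflect
     * the request as received, so behind a reverse proxy this depends on the container's
     * forwarded-header handling -- verify in deployment.
     *
     * @param request the incoming login request
     * @return a redirect response pointing at the account chooser
     * @throws AuthenticationServiceException if the configured account chooser URL is not a valid URI
     */
    private IssuerServiceResponse redirectToAccountChooser(HttpServletRequest request) {
        try {
            String redirectUri = request.getRequestURL().toString();
            URIBuilder builder = new URIBuilder(accountChooserUrl);
            builder.addParameter("redirect_uri", redirectUri);
            return new IssuerServiceResponse(builder.build().toString());
        } catch (URISyntaxException e) {
            throw new AuthenticationServiceException("Account Chooser URL is not valid", e);
        }
    }

    /**
     * @return the accountChooserUrl
     */
    public String getAccountChooserUrl() {
        return accountChooserUrl;
    }

    /**
     * @param accountChooserUrl the accountChooserUrl to set; validated by {@link #afterPropertiesSet()}
     */
    public void setAccountChooserUrl(String accountChooserUrl) {
        this.accountChooserUrl = accountChooserUrl;
    }

    /**
     * @return the whitelist (the live set held by this service, never {@code null})
     */
    public Set<String> getWhitelist() {
        return whitelist;
    }

    /**
     * @param whitelist the whitelist to set; {@code null} is treated as "no whitelist
     *                  configured" so that a missing property does not turn into a
     *                  {@code NullPointerException} on the first login request
     */
    public void setWhitelist(Set<String> whitelist) {
        this.whitelist = whitelist == null ? new HashSet<>() : whitelist;
    }

    /**
     * @return the blacklist (the live set held by this service, never {@code null})
     */
    public Set<String> getBlacklist() {
        return blacklist;
    }

    /**
     * @param blacklist the blacklist to set; {@code null} is treated as an empty blacklist
     *                  so that a missing property does not turn into a
     *                  {@code NullPointerException} on the first login request
     */
    public void setBlacklist(Set<String> blacklist) {
        this.blacklist = blacklist == null ? new HashSet<>() : blacklist;
    }

    /**
     * Validates the configuration once the bean's properties have been set.
     *
     * @throws IllegalArgumentException if the account chooser URL is missing or cannot be
     *         parsed as a URI
     */
    @PostConstruct
    public void afterPropertiesSet() {
        if (Strings.isNullOrEmpty(this.accountChooserUrl)) {
            throw new IllegalArgumentException("Account Chooser URL cannot be null or empty");
        }
        try {
            // Fail at startup rather than on the first redirect if the URL does not parse.
            new URIBuilder(this.accountChooserUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Account Chooser URL is not a valid URI: " + this.accountChooserUrl, e);
        }
    }

}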