private void authenticateIapRequest()

in sources/src/main/java/com/google/solutions/jitaccess/web/RequireIapPrincipalFilter.java [66:117]


  /**
   * Authenticates the current request from its IAP assertion header.
   *
   * <p>The assertion is verified against {@code IAP_ISSUER_URL} and, when
   * configured, {@code this.options.expectedAudience}. Only an assertion whose
   * principal is an {@code EndUserId} is accepted; any other outcome is rejected
   * with a {@link ForbiddenException} so the filter fails closed.
   *
   * @param requestContext the incoming request whose headers are inspected
   * @throws ForbiddenException if the header is missing, the assertion does not
   *     verify, or the verified principal is not an end user
   */
  private void authenticateIapRequest(@NotNull ContainerRequestContext requestContext) {
    var assertionHeader = requestContext.getHeaderString(IAP_ASSERTION_HEADER);
    if (assertionHeader == null) {
      //
      // No header means nothing can be verified: reject the request rather
      // than treating it as anonymous.
      //
      this.logger.warn(
        EventIds.API_AUTHENTICATE,
        "Missing IAP assertion in header, IAP might be disabled");

      throw new ForbiddenException("Identity-Aware Proxy must be enabled for this application");
    }

    try {
      //
      // NOTE(review): when expectedAudience is null the verifier is built without
      // an audience, so the audience claim is presumably not pinned — confirm this
      // configuration is limited to non-production setups.
      //
      var verifier = TokenVerifier.newBuilder()
        .setAudience(this.options.expectedAudience)
        .setIssuer(IAP_ISSUER_URL)
        .build();
      final var verifiedAssertion = new IapAssertion(verifier.verify(assertionHeader));

      if (!(verifiedAssertion.user() instanceof EndUserId endUserId)) {
        throw new ForbiddenException("Access is limited to end users");
      }

      this.requestContext.authenticate(
        endUserId,
        verifiedAssertion.directory(),
        verifiedAssertion.device());
    }
    catch (TokenVerifier.VerificationException | IllegalArgumentException e) {
      //
      // Record the failure together with the exception; the raw assertion
      // itself is deliberately not logged.
      //
      var expectedAudience = this.options.expectedAudience;
      var message = expectedAudience != null
        ? String.format(
            "Verifying IAP assertion failed. This might be because the " +
              "IAP assertion was tampered with, or because it had the wrong audience " +
              "(expected audience: %s).", expectedAudience)
        : "Verifying IAP assertion failed. This might be because the " +
            "IAP assertion was tampered with";
      this.logger.error(EventIds.API_AUTHENTICATE, message, e);

      throw new ForbiddenException("Invalid IAP assertion", e);
    }
  }