public void parseSAMLRequest()

in services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java [105:167]


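    /**
     * Parses an incoming SAML AuthnRequest or LogoutRequest, stores it in flow scope and
     * verifies its signature (embedded, or supplied as a separate parameter) when one is present.
     *
     * @param context     the current web flow request context
     * @param idp         the IdP configuration used to look up the issuer's validating certificate
     * @param samlRequest the SAML request message; {@code null} is rejected
     * @param sigAlg      the signature algorithm of a separately supplied signature, may be {@code null}
     * @param signature   the separately supplied signature, or {@code null} if none was sent
     * @param relayState  the RelayState value covered by a separately supplied signature, may be {@code null}
     * @throws ProcessingException with {@code TYPE.BAD_REQUEST} when the request is missing, cannot be
     *         parsed, is an expired LogoutRequest, fails {@link #validateRequest}, fails the
     *         destination/signature checks, or carries no signature while {@code requireSignature} is set
     */
    public void parseSAMLRequest(RequestContext context, Idp idp, String samlRequest,
                                 String sigAlg, String signature, String relayState) throws ProcessingException {
        LOG.debug("Received SAML Request: {}", samlRequest);

        // Guard clause: nothing to parse, so make sure no stale request lingers in the flow
        if (samlRequest == null) {
            WebUtils.removeAttribute(context, IdpConstants.SAML_AUTHN_REQUEST);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        final RequestAbstractType parsedRequest;
        try {
            parsedRequest = extractRequest(context, samlRequest);
        } catch (Exception ex) {
            LOG.warn("Error parsing request: {}", ex.getMessage());
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        // Store various attributes from the AuthnRequest/LogoutRequest.
        // NOTE(review): this happens before the signature is verified, so a request that fails a
        // later check stays in flow scope; any state reading these attributes must treat them as
        // unverified unless this method returned normally — confirm against the flow definition.
        if (parsedRequest instanceof AuthnRequest) {
            SAMLAuthnRequest authnRequest = new SAMLAuthnRequest((AuthnRequest)parsedRequest);
            WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, authnRequest);
        } else if (parsedRequest instanceof LogoutRequest) {
            SAMLLogoutRequest logoutRequest = new SAMLLogoutRequest((LogoutRequest)parsedRequest);
            WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_LOGOUT_REQUEST, logoutRequest);
            // A LogoutRequest carrying NotOnOrAfter is rejected once that instant has passed
            if (logoutRequest.getNotOnOrAfter() != null && (new Date()).after(logoutRequest.getNotOnOrAfter())) {
                LOG.debug("The LogoutRequest is expired");
                throw new ProcessingException(TYPE.BAD_REQUEST);
            }
        }

        validateRequest(parsedRequest);

        // Check the signature. The Destination is only checked when a signature is present;
        // an unsigned request is accepted as-is when requireSignature is false.
        try {
            if (parsedRequest.isSigned()) {
                checkDestination(context, parsedRequest);

                // The embedded signature must verify against the certificate registered for the issuer
                X509Certificate validatingCert =
                    getValidatingCertificate(idp, parsedRequest.getIssuer().getValue());
                Crypto issuerCrypto = new CertificateStore(new X509Certificate[] {validatingCert});
                validateRequestSignature(parsedRequest.getSignature(), issuerCrypto);
            } else if (signature != null) {
                checkDestination(context, parsedRequest);

                // The separate signature covers the raw request, RelayState and algorithm parameters
                validateSeparateSignature(idp, sigAlg, signature, relayState,
                          samlRequest, parsedRequest.getIssuer().getValue());
            } else if (requireSignature) {
                LOG.debug("No signature is present, therefore the request is rejected");
                throw new ProcessingException(TYPE.BAD_REQUEST);
            } else {
                LOG.debug("No signature is present, but this is allowed by configuration");
            }
        } catch (Exception ex) {
            // A rejected signature/destination is an auditable event, so surface it at warn
            // (consistent with the parse-failure path above); the stack trace stays at debug.
            LOG.warn("Error validating SAML Signature: {}", ex.getMessage());
            LOG.debug("Error validating SAML Signature", ex);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }

        LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
    }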