protected boolean validateToken()

in gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java [399:464]


  /**
   * Runs the full validation chain over an already-parsed JWT and reports the first failing check.
   *
   * <p>The checks run in this order: issuer, lifetime, audience, not-before, enabled flag, idle
   * timeout, and finally the signature. Every failure is reported through
   * {@code handleValidationError} with the status and message that belong to that check, and the
   * method then returns {@code false}; only a token that passes every check is marked as used and
   * accepted. Because the signature is verified last, the claims consulted (and logged) by the earlier
   * checks — issuer, expiration, audience, nbf, subject and the token id used for the state lookup —
   * are still unverified at the time they are read; presumably this is deliberate so that cheap checks
   * reject a token before the signature is computed, but it is worth confirming against the callers.
   *
   * @param request  the request carrying the token
   * @param response the response the error handler may write to
   * @param chain    the filter chain; not used by this method
   * @param token    the parsed token to validate
   * @return {@code true} if every check passed, {@code false} otherwise
   * @throws IOException      as declared by the error handler path
   * @throws ServletException as declared by the error handler path
   */
  protected boolean validateToken(final HttpServletRequest request, final HttpServletResponse response,
      final FilterChain chain, final JWT token)
      throws IOException, ServletException {
    final String tokenId = TokenUtils.getTokenId(token);
    final String displayableTokenId = Tokens.getTokenIDDisplayText(tokenId);
    final String displayableToken = Tokens.getTokenDisplayText(token.toString());

    // The issuer claim must name one of the configured issuers before anything else is examined.
    if (!expectedIssuers.contains(token.getIssuer())) {
      handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
      return false;
    }

    try {
      // Lifetime: without an expiration claim the token lives as long as the cookie does;
      // with one, the current time must still precede it.
      if (!tokenIsStillValid(token)) {
        log.tokenHasExpired(displayableToken, displayableTokenId);
        // Drop any cached signature-verification result for this token: an expired token will never be
        // accepted again, and freeing the slot may keep records for live tokens from being evicted early.
        removeSignatureVerificationRecord(token.toString());
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, "Token has expired");
        return false;
      }

      if (!validateAudiences(token)) {
        log.failedToValidateAudience(displayableToken, displayableTokenId);
        handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "Bad request: missing required token audience");
        return false;
      }

      // A present 'nbf' claim must lie strictly in the past; a missing one imposes no lower bound.
      final Date notBefore = token.getNotBeforeDate();
      if (notBefore != null && !new Date().after(notBefore)) {
        log.notBeforeCheckFailed();
        handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "Bad request: the NotBefore check failed");
        return false;
      }

      // Server-side token state is only consulted when a token state service is configured;
      // the lookup is keyed by the (so far unverified) token id.
      final TokenMetadata metadata = tokenStateService == null ? null : tokenStateService.getTokenMetadata(tokenId);

      if (!isTokenEnabled(metadata)) {
        log.disabledToken(displayableTokenId);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, TOKEN_PREFIX + displayableTokenId + DISABLED_POSTFIX);
        return false;
      }

      if (!isIdleTimeoutLimitNotExceeded(metadata)) {
        log.idleTimoutExceeded(token.getSubject(), displayableTokenId, idleTimeoutSeconds);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, TOKEN_PREFIX + displayableTokenId + IDLE_TIMEOUT_POSTFIX);
        return false;
      }

      // Signature verification is the last gate; nothing read above is trustworthy until this passes.
      if (!verifyTokenSignature(token)) {
        log.failedToVerifyTokenSignature(displayableToken, displayableTokenId);
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
        return false;
      }

      markLastUsedAt(tokenId, metadata);
      return true;
    } catch (UnknownTokenException e) {
      // Raised by the checks inside the try block when the token is not known to the state service.
      log.unableToVerifyExpiration(e);
      handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
    }

    return false;
  }