private boolean validateSaml2Conditions()

in src/main/java/org/apache/sling/auth/saml2/impl/AuthenticationHandlerSAML2Impl.java [581:607]


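    /**
     * Validates the first {@code SubjectConfirmation} of the SAML2 assertion against the
     * current request: the confirmation must not be expired ({@code NotOnOrAfter} still in the
     * future), its {@code Recipient} must equal this handler's ACS URL, and its
     * {@code InResponseTo} must equal the AuthnRequest ID previously stored in the session.
     *
     * <p>Every check fails closed: a missing Subject, SubjectConfirmation, SubjectConfirmationData,
     * NotOnOrAfter, Recipient or stored request ID yields {@code false} instead of surfacing as a
     * {@link NullPointerException}. Each failing check is logged so the cause is visible in the log.
     *
     * <p>NOTE(review): despite its name this method only inspects the subject confirmation; the
     * assertion's {@code Conditions} element (audience restriction, validity window) is not
     * examined here — confirm it is validated elsewhere before the assertion is trusted. Only the
     * first SubjectConfirmation is considered, as in the original implementation.
     *
     * @param req the current request, used to read the stored AuthnRequest ID from the session
     * @param assertion the SAML2 assertion whose subject confirmation is validated
     * @return {@code true} only if the expiry, recipient and InResponseTo checks all pass
     */
    private boolean validateSaml2Conditions(HttpServletRequest req, Assertion assertion) {
        final Subject subject = assertion.getSubject();
        if (subject == null) {
            logger.error("SAML2 Subject Confirmation failed validation: Missing Subject.");
            return false;
        }
        final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
        if (subjectConfirmations.isEmpty()) {
            logger.error("SAML2 Subject Confirmation failed validation: No SubjectConfirmation present.");
            return false;
        }
        // Only the first SubjectConfirmation is evaluated (unchanged behaviour).
        final SubjectConfirmationData subjectConfirmationData = subjectConfirmations.get(0).getSubjectConfirmationData();
        if (subjectConfirmationData == null) {
            logger.error("SAML2 Subject Confirmation failed validation: Missing SubjectConfirmationData.");
            return false;
        }

        // validate expiration: NotOnOrAfter is mandatory and must lie strictly in the future.
        // Evaluate "now" once so the comparison is not affected by time passing mid-method.
        final Instant now = Instant.now();
        final Instant notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
        final boolean validTime = notOnOrAfter != null && notOnOrAfter.isAfter(now);
        if (!validTime) {
            logger.error("SAML2 Subject Confirmation failed validation: Expired.");
        }

        // validate recipient: an absent Recipient is rejected rather than dereferenced
        final String recipient = subjectConfirmationData.getRecipient();
        final boolean validRecipient = recipient != null && recipient.equals(this.getACSURL());
        if (!validRecipient) {
            logger.error("SAML2 Subject Confirmation failed validation: Invalid Recipient.");
        }

        // validate In Response To (ID saved in session from authnRequest). Both sides must be
        // present and equal: an unsolicited assertion (no InResponseTo) or a request with no
        // stored ID in the session does not validate.
        final String inResponseTo = subjectConfirmationData.getInResponseTo();
        final String savedInResponseTo = new SessionStorage(SAML2_REQUEST_ID).getString(req);
        final boolean validID = savedInResponseTo != null && savedInResponseTo.equals(inResponseTo);
        if (!validID) {
            logger.error("SAML2 Subject Confirmation failed validation: Invalid InResponseTo.");
        }

        // return true only if every subject confirmation check passed
        return validTime && validRecipient && validID;
    }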