public boolean keep()

in core/src/main/java/jenkins/security/stapler/DoActionFilter.java [52:132]

• 61 lines of code
• 20 McCabe index (conditional complexity)

    public boolean keep(@NonNull Function m) {

        if (m.getAnnotation(StaplerNotDispatchable.class) != null) {
            return false;
        }

        if (m.getAnnotation(StaplerDispatchable.class) != null) {
            return true;
        }

        String methodName = m.getName();
        String signature = m.getSignature();

        // check whitelist
        ExtensionList<RoutingDecisionProvider> whitelistProviders = ExtensionList.lookup(RoutingDecisionProvider.class);
        if (whitelistProviders.size() > 0) {
            for (RoutingDecisionProvider provider : whitelistProviders) {
                RoutingDecisionProvider.Decision methodDecision = provider.decide(signature);
                if (methodDecision == RoutingDecisionProvider.Decision.ACCEPTED) {
                    LOGGER.log(Level.CONFIG, "Action " + signature + " is acceptable because it is whitelisted by " + provider);
                    return true;
                }
                if (methodDecision == RoutingDecisionProvider.Decision.REJECTED) {
                    LOGGER.log(Level.CONFIG, "Action " + signature + " is not acceptable because it is blacklisted by " + provider);
                    return false;
                }
            }
        }

        if (methodName.equals("doDynamic")) {
            // reject doDynamic because it's treated separately by Stapler.
            return false;
        }

        for (Annotation a : m.getAnnotations()) {
            if (WebMethodConstants.WEB_METHOD_ANNOTATION_NAMES.contains(a.annotationType().getName())) {
                return true;
            }
            if (a.annotationType().getAnnotation(InterceptorAnnotation.class) != null) {
                // This is a Stapler interceptor annotation like RequirePOST or JsonResponse
                return true;
            }
        }

        // there is rarely more than two annotations in a method signature
        for (Annotation[] perParameterAnnotation : m.getParameterAnnotations()) {
            for (Annotation annotation : perParameterAnnotation) {
                if (WebMethodConstants.WEB_METHOD_PARAMETER_ANNOTATION_NAMES.contains(annotation.annotationType().getName())) {
                    return true;
                }
            }
        }

        if (!DO_METHOD_REGEX.matcher(methodName).matches()) {
            return false;
        }

        // after the method name check to avoid allowing methods that are meant to be used by routable ones
        // normally they should be private in such case
        for (Class<?> parameterType : m.getParameterTypes()) {
            if (WebMethodConstants.WEB_METHOD_PARAMETERS_NAMES.contains(parameterType.getName())) {
                return true;
            }
        }

        Class<?> returnType = m.getReturnType();
        if (HttpResponse.class.isAssignableFrom(returnType)) {
            return true;
        }

        // as HttpResponseException inherits from RuntimeException, 
        // there is no requirement for the developer to explicitly checks it.
        Class<?>[] checkedExceptionTypes = m.getCheckedExceptionTypes();
        for (Class<?> checkedExceptionType : checkedExceptionTypes) {
            if (HttpResponse.class.isAssignableFrom(checkedExceptionType)) {
                return true;
            }
        }
        
        return false;
    }