package org.wso2.choreo.connect.enforcer.security.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.Iterator;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.wso2.choreo.connect.enforcer.common.CacheProvider;
import org.wso2.choreo.connect.enforcer.commons.logging.ErrorDetails;
import org.wso2.choreo.connect.enforcer.commons.logging.LoggingConstants;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
import org.wso2.choreo.connect.enforcer.dto.JWTTokenPayloadInfo;
import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.exception.EnforcerException;
import org.wso2.choreo.connect.enforcer.security.Authenticator;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.RevokedJWTDataHolder;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;
import org.wso2.choreo.connect.enforcer.util.JWTUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/jwt/APIKeyHandler.class */
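/**
 * Base class holding the checks shared by the API-key style JWT authenticators
 * (self-contained API keys and internal keys): structural detection, revocation and
 * invalid-key cache lookups, signature/expiry verification and subscription validation.
 *
 * <p>Every rejection is reported to the caller as an {@link APISecurityException}; the
 * boolean results only distinguish "verified" from "not verified (yet)".
 */
public abstract class APIKeyHandler implements Authenticator {
    private static final Logger log = LogManager.getLogger(APIKeyHandler.class);

    /** Message Nimbus' {@link DefaultJWTClaimsVerifier} uses for an expired token (matched by text). */
    private static final String EXPIRED_JWT_MESSAGE = "Expired JWT";

    /** Value recorded in the invalid-key caches for an expired key (WSO2 super-tenant domain). */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /**
     * Structural check only: a candidate is treated as an API key when it has exactly three
     * dot-separated segments, like a JWS compact serialization. No signature or claim validation
     * happens here. Note that {@link String#split} drops trailing empty segments, so a value with
     * an empty final segment is not accepted.
     *
     * @param candidate the raw value taken from the request; may be {@code null}
     * @return {@code true} when the value looks like a three-part JWT
     */
    public boolean isAPIKey(String candidate) {
        if (candidate == null) {
            return false;
        }
        return candidate.split("\\.").length == 3;
    }

    /**
     * Tells whether the token type claim marks these claims as an internal key.
     *
     * @param claims the parsed JWT claims
     * @return {@code true} when the {@code token_type} style claim equals the internal-key token type
     */
    public boolean isInternalKey(JWTClaimsSet claims) {
        Object tokenType = claims.getClaim(APIConstants.JwtTokenConstants.TOKEN_TYPE);
        return tokenType != null && APIConstants.JwtTokenConstants.INTERNAL_KEY_TOKEN_TYPE.equals(tokenType);
    }

    /**
     * Rejects a key whose signature appears in the revoked-JWT map.
     *
     * @param tokenSignature the signature segment looked up in {@link RevokedJWTDataHolder}
     * @param splitToken     the token split into segments; only {@code splitToken[0]} is used, masked, in logs
     * @throws APISecurityException with the invalid-credentials error when the signature is revoked
     */
    public void checkInRevokedMap(String tokenSignature, String[] splitToken) throws APISecurityException {
        if (!RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(tokenSignature)) {
            return;
        }
        String maskedToken = FilterUtils.getMaskedToken(splitToken[0]);
        log.debug("API key retrieved from the revoked jwt token map. Token: {}", maskedToken);
        log.error("Invalid API Key. {}", maskedToken);
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    }

    /**
     * Consults the caches before doing any cryptographic work.
     *
     * <p>When a cached payload exists for the key, the key counts as verified if the cached access
     * token equals the presented key and the claims are not expired. When no cached payload exists,
     * the invalid-key caches are consulted and a hit is rejected outright.
     *
     * @param tokenIdentifier   the cache key; {@link #isJwtTokenExpired} populates the invalid-key caches under the JWT ID
     * @param apiKey            the presented key, compared with the cached access token
     * @param claims            the parsed JWT claims, used for the expiry check
     * @param splitToken        the token split into segments; {@code splitToken[0]} is logged masked
     * @param apiKeyType        the key type passed through to {@link #isJwtTokenExpired}
     * @param cachedPayloadInfo the cached payload for this key, or {@code null} when there is none
     * @return {@code true} when the key was verified from the cache; {@code false} when it must be verified from scratch
     * @throws APISecurityException when the key is expired or listed in an invalid-key cache
     */
    public boolean isVerifiedApiKeyInCache(String tokenIdentifier, String apiKey, JWTClaimsSet claims,
                                           String[] splitToken, String apiKeyType,
                                           JWTTokenPayloadInfo cachedPayloadInfo) throws APISecurityException {
        if (cachedPayloadInfo != null) {
            // isJwtTokenExpired throws for an expired key, so a cache hit never silently returns false here.
            return cachedPayloadInfo.getAccessToken().equals(apiKey) && !isJwtTokenExpired(claims, apiKeyType);
        }
        // Decompiler artifact fixed: the original compared the cached Object to the literal 0; absence is null.
        Object invalidInternalKey = CacheProvider.getInvalidGatewayInternalKeyCache().getIfPresent(tokenIdentifier);
        Object invalidApiKey = CacheProvider.getInvalidGatewayAPIKeyCache().getIfPresent(tokenIdentifier);
        // NOTE(review): isJwtTokenExpired stores SUPER_TENANT_DOMAIN as the cached value, yet the hit test
        // compares that value with apiKey, the same string compared against the cached access token above.
        // Unless those coincide, this branch cannot match - confirm the intended semantics.
        boolean invalidInternalKeyHit = invalidInternalKey != null && apiKey.equals(invalidInternalKey);
        boolean invalidApiKeyHit = invalidApiKey != null && apiKey.equals(invalidApiKey);
        if (invalidInternalKeyHit || invalidApiKeyHit) {
            log.error("API key found in cache for invalid API keys. " + FilterUtils.getMaskedToken(splitToken[0]),
                    ErrorDetails.errorLog(LoggingConstants.Severity.MINOR, 6601));
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                    APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        }
        return false;
    }

    /**
     * Verifies the signature and expiry of a key that was not found in the cache.
     *
     * @param header     the JWS header; its key ID, when present, selects the verification key
     * @param signedJWT  the parsed token whose signature is verified
     * @param splitToken the token split into segments; {@code splitToken[0]} is logged masked on failure
     * @param claims     the parsed JWT claims, used for the expiry check
     * @param apiKeyType the key type used in log messages and passed to {@link #isJwtTokenExpired}
     * @return {@code true} when the signature verifies and the claims are not expired; {@code false} otherwise,
     *         including when signature verification raises {@link EnforcerException}
     * @throws APISecurityException propagated from {@link #isJwtTokenExpired} for an expired key
     */
    public boolean verifyTokenWhenNotInCache(JWSHeader header, SignedJWT signedJWT, String[] splitToken,
                                             JWTClaimsSet claims, String apiKeyType) throws APISecurityException {
        log.debug("{} not found in the cache.", apiKeyType);
        String keyId = "";
        if (header != null && StringUtils.isNotEmpty(header.getKeyID())) {
            keyId = header.getKeyID();
        }
        try {
            return JWTUtils.verifyTokenSignature(signedJWT, keyId) && !isJwtTokenExpired(claims, apiKeyType);
        } catch (EnforcerException e) {
            // Keep the cause in the log; the caller only learns "not verified".
            log.error(apiKeyType + " authentication failed. " + FilterUtils.getMaskedToken(splitToken[0]), e);
            return false;
        }
    }

    /**
     * Checks the time-based claims with the configured clock skew.
     *
     * <p>Only a verifier failure carrying the exact {@value #EXPIRED_JWT_MESSAGE} message is treated as
     * expiry; any other {@link BadJWTException} makes this method return {@code false}. On expiry the
     * key's cached data is evicted, its JWT ID is recorded in the matching invalid-key cache, and the
     * request is rejected.
     *
     * @param claims     the parsed JWT claims
     * @param apiKeyType the key type; the internal-key token type selects the internal-key caches
     * @return {@code false} when the claims are not expired (or fail verification for another reason)
     * @throws APISecurityException with the invalid-credentials error when the claims are expired
     */
    public boolean isJwtTokenExpired(JWTClaimsSet claims, String apiKeyType) throws APISecurityException {
        DefaultJWTClaimsVerifier claimsVerifier = new DefaultJWTClaimsVerifier();
        claimsVerifier.setMaxClockSkew((int) FilterUtils.getTimeStampSkewInSeconds());
        try {
            claimsVerifier.verify(claims);
            return false;
        } catch (BadJWTException e) {
            // Matching on the message text is fragile but is how the library exposes the expiry case.
            if (!EXPIRED_JWT_MESSAGE.equals(e.getMessage())) {
                return false;
            }
            log.debug("{} API key is expired.", apiKeyType);
            String jwtId = claims.getJWTID();
            if (APIConstants.JwtTokenConstants.INTERNAL_KEY_TOKEN_TYPE.equals(apiKeyType)) {
                CacheProvider.getGatewayInternalKeyDataCache().invalidate(jwtId);
                CacheProvider.getInvalidGatewayInternalKeyCache().put(jwtId, SUPER_TENANT_DOMAIN);
            } else {
                CacheProvider.getGatewayAPIKeyDataCache().invalidate(jwtId);
                CacheProvider.getInvalidGatewayAPIKeyCache().put(jwtId, SUPER_TENANT_DOMAIN);
            }
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                    APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
        }
    }

    /**
     * Finds the subscription entry matching the requested API in the token's subscribed-APIs claim.
     *
     * @param apiContext                   the API context to match against each entry's {@code context}
     * @param apiVersion                   the API version to match against each entry's {@code version}
     * @param claims                       the parsed JWT claims
     * @param splitToken                   the token split into segments; not used by this check
     * @param allowMissingSubscriptionClaim when {@code true}, a token without the claim is accepted and
     *                                      {@code null} is returned instead of rejecting the request
     * @return the matching subscription entry, or {@code null} when the claim is absent and that is allowed
     * @throws APISecurityException with the forbidden error when no entry matches, or when the claim is
     *                              absent and {@code allowMissingSubscriptionClaim} is {@code false}
     */
    public static JSONObject validateAPISubscription(String apiContext, String apiVersion, JWTClaimsSet claims,
                                                     String[] splitToken, boolean allowMissingSubscriptionClaim)
            throws APISecurityException {
        Object subscribedApis = claims.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS);
        if (subscribedApis == null) {
            log.debug("No subscription information found in the token.");
            if (!allowMissingSubscriptionClaim) {
                log.error("User is not subscribed to access the API.");
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908,
                        APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
            }
            return null;
        }
        // The casts assume the issuer encodes the claim as an array of objects; a claim of another
        // shape fails with ClassCastException, as in the original implementation.
        for (Object entry : (JSONArray) subscribedApis) {
            JSONObject subscribedApi = (JSONObject) entry;
            if (apiContext.equals(subscribedApi.getAsString("context"))
                    && apiVersion.equals(subscribedApi.getAsString("version"))) {
                return subscribedApi;
            }
        }
        log.error("User is not subscribed to access the API.");
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908,
                APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
    }
}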
