package org.wso2.choreo.connect.enforcer.security.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.opentelemetry.context.Scope;
import java.text.ParseException;
import java.util.Locale;
import net.minidev.json.JSONObject;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
import org.wso2.choreo.connect.enforcer.common.CacheProvider;
import org.wso2.choreo.connect.enforcer.commons.logging.ErrorDetails;
import org.wso2.choreo.connect.enforcer.commons.logging.LoggingConstants;
import org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.config.EnforcerConfig;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
import org.wso2.choreo.connect.enforcer.dto.APIKeyValidationInfoDTO;
import org.wso2.choreo.connect.enforcer.dto.JWTTokenPayloadInfo;
import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.tracing.TracingConstants;
import org.wso2.choreo.connect.enforcer.tracing.TracingSpan;
import org.wso2.choreo.connect.enforcer.tracing.TracingTracer;
import org.wso2.choreo.connect.enforcer.tracing.Utils;
import org.wso2.choreo.connect.enforcer.util.BackendJwtUtils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/jwt/InternalAPIKeyAuthenticator.class */
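/**
 * Authenticates requests that carry an "internal key": a signed JWT presented in a configured
 * request header. The key is parsed, checked against the revocation map, verified (from the
 * gateway internal-key cache when possible, otherwise by signature/expiry through the inherited
 * {@code verifyTokenWhenNotInCache}), and then its API subscription is validated.
 *
 * <p>Tokens are never logged in full; only the masked header segment goes to the log. Keys that
 * fail verification are recorded in the invalid-key cache so repeated presentations of the same
 * token are rejected without re-verifying the signature.
 *
 * <p>Decompiled original: the tracing spans were closed along several exit paths, which could
 * dereference an unopened scope and double-close another; spans are now bounded by
 * try-with-resources so every span opened is closed exactly once on every exit.
 */
public class InternalAPIKeyAuthenticator extends APIKeyHandler {
    private static final Logger log = LogManager.getLogger(InternalAPIKeyAuthenticator.class);

    /** Name of the request header that carries the internal key (as stored in the header map). */
    private final String securityParam;
    /** Backend JWT generator; {@code null} when backend JWT generation is disabled at construction. */
    private final AbstractAPIMgtGatewayJWTGenerator jwtGenerator;
    private final boolean isGatewayTokenCacheEnabled;

    /**
     * Creates an authenticator that reads the internal key from the given request header.
     *
     * @param str name of the request header carrying the internal key
     */
    public InternalAPIKeyAuthenticator(String str) {
        this.securityParam = str;
        EnforcerConfig config = ConfigHolder.getInstance().getConfig();
        this.isGatewayTokenCacheEnabled = config.getCacheDto().isEnabled();
        // Only build a generator when backend JWT is enabled; the request path re-reads the same
        // config flag before using it.
        this.jwtGenerator = config.getJwtConfigurationDto().isEnabled()
                ? BackendJwtUtils.getApiMgtGatewayJWTGenerator()
                : null;
    }

    /**
     * Reports whether the request carries something that looks like an API key in the configured
     * test-console header.
     *
     * @param requestContext the request under evaluation
     * @return {@code true} if the header value passes the inherited {@code isAPIKey} check
     */
    @Override
    public boolean canAuthenticate(RequestContext requestContext) {
        // Locale.ROOT: header names must lower-case identically regardless of the JVM's default locale.
        String testConsoleHeader = ConfigHolder.getInstance().getConfig().getAuthHeader()
                .getTestConsoleHeaderName().toLowerCase(Locale.ROOT);
        // NOTE(review): this probes the test-console header while extractInternalKey() reads
        // securityParam; the two are expected to name the same header — confirm at the call site.
        return isAPIKey(requestContext.getHeaders().get(testConsoleHeader));
    }

    /**
     * Authenticates the request using the internal key found in {@link #securityParam}.
     *
     * @param requestContext the request; must carry a matched API
     * @return an authenticated context on success, or an unauthenticated context when the header is
     *         missing/blank or the token is not an internal-key token
     * @throws APISecurityException with 900900 when no API is matched, or 900901 when the token is
     *         unparsable, previously marked invalid, or fails verification
     */
    @Override
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        if (requestContext.getMatchedAPI() == null) {
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900,
                    APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
        }
        log.debug("Internal Key Authentication initialized");
        TracingTracer tracer = Utils.tracingEnabled() ? Utils.getGlobalTracer() : null;
        try (SpanScope ignoredAuthSpan = SpanScope.start(TracingConstants.API_KEY_AUTHENTICATOR_SPAN, tracer)) {
            String internalKey = extractInternalKey(requestContext);
            if (internalKey == null || internalKey.isEmpty()) {
                // Header absent or blank: fail closed rather than dereferencing null below.
                log.debug("Internal Key header is missing or empty.");
                return unauthenticatedContext(requestContext);
            }
            // splitToken[0] is the JOSE header segment; only its masked form is ever logged.
            String[] splitToken = internalKey.split("\\.");
            SignedJWT signedJWT = SignedJWT.parse(internalKey);
            JWSHeader header = signedJWT.getHeader();
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            if (!isInternalKey(claims)) {
                log.error("Invalid Internal Key token type. " + FilterUtils.getMaskedToken(splitToken[0]));
                return unauthenticatedContext(requestContext);
            }
            // jti is the cache key for both the verified-payload and invalid-key caches.
            // NOTE(review): a token without a jti yields null here; presumably checkInRevokedMap
            // or the caches reject it — confirm.
            String jwtid = claims.getJWTID();
            checkInRevokedMap(jwtid, splitToken);
            String apiVersion = requestContext.getMatchedAPI().getVersion();
            String basePath = requestContext.getMatchedAPI().getBasePath();

            JWTTokenPayloadInfo cachedPayload =
                    (JWTTokenPayloadInfo) CacheProvider.getGatewayInternalKeyDataCache().getIfPresent(jwtid);
            boolean verified = isVerifiedApiKeyInCache(jwtid, internalKey, claims, splitToken,
                    APIConstants.JwtTokenConstants.INTERNAL_KEY_TOKEN_TYPE, cachedPayload);
            if (cachedPayload != null) {
                try (SpanScope ignoredCacheSpan =
                             SpanScope.start(TracingConstants.VERIFY_TOKEN_IN_CACHE_SPAN, tracer)) {
                    // A cache hit only counts if the cached token is this exact token and it is still valid.
                    verified = cachedPayload.getAccessToken().equals(internalKey)
                            && !isJwtTokenExpired(claims, APIConstants.JwtTokenConstants.INTERNAL_KEY_TOKEN_TYPE);
                }
            } else {
                Object invalidKey = CacheProvider.getInvalidGatewayInternalKeyCache().getIfPresent(jwtid);
                if (invalidKey != null && internalKey.equals(invalidKey)) {
                    log.debug("Internal Key retrieved from the invalid internal Key cache. Internal Key: "
                            + FilterUtils.getMaskedToken(splitToken[0]));
                    log.error("Invalid Internal Key. " + FilterUtils.getMaskedToken(splitToken[0]));
                    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                            APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
                }
            }

            if (!verified) {
                log.debug("Internal Key not found in the cache.");
                try (SpanScope ignoredVerifySpan = SpanScope.start(TracingConstants.VERIFY_TOKEN_SPAN, tracer)) {
                    verified = verifyTokenWhenNotInCache(header, signedJWT, splitToken, claims,
                            APIConstants.JwtTokenConstants.INTERNAL_KEY_TOKEN_TYPE);
                }
            }
            if (!verified) {
                log.error("Internal Key authentication failed. " + FilterUtils.getMaskedToken(splitToken[0]),
                        ErrorDetails.errorLog(LoggingConstants.Severity.MINOR, 6602));
                // Drop any stale verified payload and remember the failing token under its jti.
                CacheProvider.getGatewayInternalKeyDataCache().invalidate(jwtid);
                CacheProvider.getInvalidGatewayInternalKeyCache().put(jwtid, internalKey);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                        APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
            }
            log.debug("Internal Key signature is verified.");

            if (cachedPayload == null) {
                log.debug("InternalKey payload not found in the cache.");
                JWTTokenPayloadInfo payload = new JWTTokenPayloadInfo();
                payload.setPayload(claims);
                payload.setAccessToken(internalKey);
                CacheProvider.getGatewayInternalKeyDataCache().put(jwtid, payload);
            }

            JSONObject subscription;
            try (SpanScope ignoredSubscriptionSpan =
                         SpanScope.start(TracingConstants.API_KEY_VALIDATE_SUBSCRIPTION_SPAN, tracer)) {
                subscription = validateAPISubscription(basePath, apiVersion, claims, splitToken, false);
            }
            log.debug("Internal Key authentication successful.");

            APIKeyValidationInfoDTO validationInfo = getAPIKeyValidationDTO(requestContext, claims);
            JWTConfigurationDto jwtConfig = ConfigHolder.getInstance().getConfig().getJwtConfigurationDto();
            if (jwtConfig.isEnabled()) {
                JWTValidationInfo jwtValidationInfo = new JWTValidationInfo();
                jwtValidationInfo.setUser(claims.getSubject());
                requestContext.addOrModifyHeaders(jwtConfig.getJwtHeader(),
                        BackendJwtUtils.generateAndRetrieveJWTToken(this.jwtGenerator, jwtid,
                                FilterUtils.generateJWTInfoDto(null, jwtValidationInfo, validationInfo, requestContext),
                                this.isGatewayTokenCacheEnabled));
            }
            return FilterUtils.generateAuthenticationContext(jwtid, claims, subscription,
                    requestContext.getMatchedAPI().getUuid(), internalKey);
        } catch (ParseException e) {
            // Malformed JWT: reject as invalid credentials; the token itself is not logged.
            log.warn("Internal Key authentication failed. ", e);
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901,
                    "Internal key authentication failed.");
        }
    }

    /**
     * Builds an unauthenticated context and records the unauthenticated error on the request.
     *
     * @param requestContext the request being rejected
     * @return a context with {@code authenticated == false}
     */
    private static AuthenticationContext unauthenticatedContext(RequestContext requestContext) {
        AuthenticationContext context = new AuthenticationContext();
        context.setAuthenticated(false);
        FilterUtils.setUnauthenticatedErrorToContext(requestContext);
        return context;
    }

    /**
     * Builds the key-validation DTO for the matched API, taking the key type from the token's
     * {@code KEY_TYPE} claim and defaulting to production when the claim is absent.
     *
     * @param requestContext request with a matched API
     * @param claims         the verified token claims
     * @return the populated DTO
     * @throws ParseException if the key-type claim is present but not a string
     */
    private APIKeyValidationInfoDTO getAPIKeyValidationDTO(RequestContext requestContext, JWTClaimsSet claims)
            throws ParseException {
        APIKeyValidationInfoDTO validationInfo = new APIKeyValidationInfoDTO();
        String keyType = claims.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE) != null
                ? claims.getStringClaim(APIConstants.JwtTokenConstants.KEY_TYPE)
                : APIConstants.API_KEY_TYPE_PRODUCTION;
        validationInfo.setType(keyType);
        validationInfo.setApiName(requestContext.getMatchedAPI().getName());
        validationInfo.setApiVersion(requestContext.getMatchedAPI().getVersion());
        return validationInfo;
    }

    /** Internal keys carry no WWW-Authenticate challenge. */
    @Override
    public String getChallengeString() {
        return "";
    }

    @Override
    public String getName() {
        return "Internal Key";
    }

    /**
     * Reads the internal key from the configured header.
     *
     * @param requestContext the request
     * @return the trimmed header value, or {@code null} when the header is absent
     */
    private String extractInternalKey(RequestContext requestContext) {
        String headerValue = requestContext.getHeaders().get(this.securityParam);
        return headerValue == null ? null : headerValue.trim();
    }

    @Override
    public int getPriority() {
        return -10;
    }

    /**
     * A started tracing span made current on this thread, closed as a single resource so the
     * scope is closed and the span finished exactly once on every exit path. When tracing is
     * disabled (or no tracer is available) it is a no-op.
     */
    private static final class SpanScope implements AutoCloseable {
        private final TracingSpan span;
        private final Scope scope;

        private SpanScope(TracingSpan span, Scope scope) {
            this.span = span;
            this.scope = scope;
        }

        /**
         * Starts a span named {@code spanName} under {@code tracer}, makes it current and tags it
         * with the log4j {@code traceId}; returns a no-op holder when tracing is off.
         */
        static SpanScope start(String spanName, TracingTracer tracer) {
            if (tracer == null || !Utils.tracingEnabled()) {
                return new SpanScope(null, null);
            }
            TracingSpan started = Utils.startSpan(spanName, tracer);
            Scope current = started.getSpan().makeCurrent();
            Utils.setTag(started, "traceId", ThreadContext.get("traceId"));
            return new SpanScope(started, current);
        }

        @Override
        public void close() {
            // Same order as the original code: leave the scope, then finish the span.
            if (scope != null) {
                scope.close();
            }
            if (span != null) {
                Utils.finishSpan(span);
            }
        }
    }
}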
