package org.wso2.carbon.apimgt.gateway.handlers.security.jwt;

import io.swagger.v3.oas.models.OpenAPI;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.Base64;
import javax.cache.Cache;
import javax.cache.Caching;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.MethodStats;
import org.wso2.carbon.apimgt.gateway.MethodTimeLogger;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.threatprotection.utils.ThreatProtectorConstants;
import org.wso2.carbon.apimgt.gateway.utils.OpenAPIUtils;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.class */
public class JWTValidator {
    private static final Log log;
    private String apiLevelPolicy;
    private boolean isGatewayTokenCacheEnabled = isGatewayTokenCacheEnabled();
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;
    private static final JoinPoint.StaticPart ajc$tjp_2 = null;
    private static final JoinPoint.StaticPart ajc$tjp_3 = null;
    private static final JoinPoint.StaticPart ajc$tjp_4 = null;
    private static final JoinPoint.StaticPart ajc$tjp_5 = null;
    private static final JoinPoint.StaticPart ajc$tjp_6 = null;
    private static final JoinPoint.StaticPart ajc$tjp_7 = null;
    private static final JoinPoint.StaticPart ajc$tjp_8 = null;
    private static final JoinPoint.StaticPart ajc$tjp_9 = null;
    private static final JoinPoint.StaticPart ajc$tjp_10 = null;
    private static final JoinPoint.StaticPart ajc$tjp_11 = null;
    private static final JoinPoint.StaticPart ajc$tjp_12 = null;
    private static final JoinPoint.StaticPart ajc$tjp_13 = null;
    private static final JoinPoint.StaticPart ajc$tjp_14 = null;
    private static final JoinPoint.StaticPart ajc$tjp_15 = null;

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure1.class */
    public class AjcClosure1 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code authenticate} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code authenticate_aroundBody0}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String token = (String) captured[1];
            final MessageContext synCtx = (MessageContext) captured[2];
            final OpenAPI openApi = (OpenAPI) captured[3];
            final JoinPoint jp = (JoinPoint) captured[4];
            return JWTValidator.authenticate_aroundBody0(target, token, synCtx, openApi, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure11.class */
    public class AjcClosure11 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code verifyTokenSignature} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure11(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state, runs {@code verifyTokenSignature_aroundBody10}
         * and boxes its boolean result.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the boxed result of the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String[] tokenParts = (String[]) captured[1];
            final JoinPoint jp = (JoinPoint) captured[2];
            final boolean verified = JWTValidator.verifyTokenSignature_aroundBody10(target, tokenParts, jp);
            return Conversions.booleanObject(verified);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure13.class */
    public class AjcClosure13 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getSignatureAlgorithm} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure13(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getSignatureAlgorithm_aroundBody12}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String[] tokenParts = (String[]) captured[1];
            final JoinPoint jp = (JoinPoint) captured[2];
            return JWTValidator.getSignatureAlgorithm_aroundBody12(target, tokenParts, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure15.class */
    public class AjcClosure15 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getTenantDomain} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure15(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getTenantDomain_aroundBody14}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            return JWTValidator.getTenantDomain_aroundBody14(target, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure17.class */
    public class AjcClosure17 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code isGatewayTokenCacheEnabled} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure17(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state, runs {@code isGatewayTokenCacheEnabled_aroundBody16}
         * and boxes its boolean result.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the boxed result of the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            final boolean enabled = JWTValidator.isGatewayTokenCacheEnabled_aroundBody16(target, jp);
            return Conversions.booleanObject(enabled);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure19.class */
    public class AjcClosure19 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getGatewayTokenCache} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure19(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getGatewayTokenCache_aroundBody18}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            return JWTValidator.getGatewayTokenCache_aroundBody18(target, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure21.class */
    public class AjcClosure21 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getInvalidTokenCache} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure21(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getInvalidTokenCache_aroundBody20}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            return JWTValidator.getInvalidTokenCache_aroundBody20(target, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure23.class */
    public class AjcClosure23 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getGatewayKeyCache} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure23(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getGatewayKeyCache_aroundBody22}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            return JWTValidator.getGatewayKeyCache_aroundBody22(target, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure25.class */
    public class AjcClosure25 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getCacheFromCacheManager} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure25(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getCacheFromCacheManager_aroundBody24}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String cacheArg = (String) captured[1];
            final JoinPoint jp = (JoinPoint) captured[2];
            return JWTValidator.getCacheFromCacheManager_aroundBody24(target, cacheArg, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure27.class */
    public class AjcClosure27 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getAccessTokenCacheKey} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure27(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getAccessTokenCacheKey_aroundBody26}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String first = (String) captured[1];
            final String second = (String) captured[2];
            final String third = (String) captured[3];
            final String fourth = (String) captured[4];
            final String fifth = (String) captured[5];
            final JoinPoint jp = (JoinPoint) captured[6];
            return JWTValidator.getAccessTokenCacheKey_aroundBody26(target, first, second, third, fourth, fifth, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure29.class */
    public class AjcClosure29 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getApiLevelPolicy} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure29(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getApiLevelPolicy_aroundBody28}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final JoinPoint jp = (JoinPoint) captured[1];
            return JWTValidator.getApiLevelPolicy_aroundBody28(target, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure3.class */
    public class AjcClosure3 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code generateAuthenticationContext} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code generateAuthenticationContext_aroundBody2}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String apiKey = (String) captured[1];
            final JSONObject payload = (JSONObject) captured[2];
            final JSONObject subscription = (JSONObject) captured[3];
            final String apiTier = (String) captured[4];
            final JoinPoint jp = (JoinPoint) captured[5];
            return JWTValidator.generateAuthenticationContext_aroundBody2(target, apiKey, payload, subscription, apiTier, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure31.class */
    public class AjcClosure31 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code getMaskedToken} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure31(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code getMaskedToken_aroundBody30}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String[] tokenParts = (String[]) captured[1];
            final JoinPoint jp = (JoinPoint) captured[2];
            return JWTValidator.getMaskedToken_aroundBody30(target, tokenParts, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure5.class */
    public class AjcClosure5 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code validateAPISubscription} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code validateAPISubscription_aroundBody4}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return the value returned by the delegated body
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String apiContext = (String) captured[1];
            final String apiVersion = (String) captured[2];
            final JSONObject payload = (JSONObject) captured[3];
            final JoinPoint jp = (JoinPoint) captured[4];
            return JWTValidator.validateAPISubscription_aroundBody4(target, apiContext, apiVersion, payload, jp);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure7.class */
    public class AjcClosure7 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code validateScopes} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure7(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code validateScopes_aroundBody6}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return always {@code null}, because the delegated body is void
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final MessageContext synCtx = (MessageContext) captured[1];
            final OpenAPI openApi = (OpenAPI) captured[2];
            final JSONObject payload = (JSONObject) captured[3];
            final JoinPoint jp = (JoinPoint) captured[4];
            JWTValidator.validateScopes_aroundBody6(target, synCtx, openApi, payload, jp);
            return null;
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator$AjcClosure9.class */
    public class AjcClosure9 extends AroundClosure {
        /**
         * Stores the captured call state for the woven {@code checkTokenExpiration} call.
         *
         * @param objArr state array passed straight to {@link AroundClosure}
         */
        public AjcClosure9(Object[] objArr) {
            super(objArr);
        }

        /**
         * Unpacks the captured state and runs {@code checkTokenExpiration_aroundBody8}.
         *
         * @param objArr not read; the arguments come from the captured state
         * @return always {@code null}, because the delegated body is void
         */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final JWTValidator target = (JWTValidator) captured[0];
            final String cacheEntryKey = (String) captured[1];
            final JSONObject payload = (JSONObject) captured[2];
            final String tenantDomain = (String) captured[3];
            final JoinPoint jp = (JoinPoint) captured[4];
            JWTValidator.checkTokenExpiration_aroundBody8(target, cacheEntryKey, payload, tenantDomain, jp);
            return null;
        }
    }

    // Class initializer: runs the weaver-generated ajc$preClinit() hook first
    // (its body is not shown here; presumably it fills the ajc$tjp_* fields —
    // confirm), then creates the class logger.
    static {
        ajc$preClinit();
        log = LogFactory.getLog(JWTValidator.class);
    }

    /**
     * Creates a validator that keeps the given value as its API-level policy.
     * The {@code isGatewayTokenCacheEnabled} field is evaluated once, by its
     * field initializer, when the instance is constructed.
     *
     * @param str value stored in {@code apiLevelPolicy}; it is later passed to
     *            {@code generateAuthenticationContext} as the API tier
     */
    public JWTValidator(String str) {
        this.apiLevelPolicy = str;
    }

    /**
     * Woven entry point for JWT authentication. The validation logic is in
     * {@code authenticate_aroundBody0}; this method only decides whether the
     * call is handed to the {@link MethodTimeLogger} aspect first.
     *
     * @param str            the JWT presented by the client
     * @param messageContext the Synapse message context of the request
     * @param openAPI        the OpenAPI definition used for scope lookup
     * @return the authentication context built from the validated token
     * @throws APISecurityException if the token is rejected
     */
    @MethodStats
    public AuthenticationContext authenticate(String str, MessageContext messageContext, OpenAPI openAPI) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_0, this, this, new Object[]{str, messageContext, openAPI});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            // Extra clause present only on this method, which carries @MethodStats.
            timed = MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return authenticate_aroundBody0(this, str, messageContext, openAPI, jp);
        }
        final Object[] closureState = new Object[]{this, str, messageContext, openAPI, jp};
        return (AuthenticationContext) MethodTimeLogger.aspectOf().log(new AjcClosure1(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code generateAuthenticationContext_aroundBody2};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private AuthenticationContext generateAuthenticationContext(String str, JSONObject jSONObject, JSONObject jSONObject2, String str2) {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_1, this, this, new Object[]{str, jSONObject, jSONObject2, str2});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return generateAuthenticationContext_aroundBody2(this, str, jSONObject, jSONObject2, str2, jp);
        }
        final Object[] closureState = new Object[]{this, str, jSONObject, jSONObject2, str2, jp};
        return (AuthenticationContext) MethodTimeLogger.aspectOf().log(new AjcClosure3(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code validateAPISubscription_aroundBody4};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private JSONObject validateAPISubscription(String str, String str2, JSONObject jSONObject) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_2, this, this, new Object[]{str, str2, jSONObject});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return validateAPISubscription_aroundBody4(this, str, str2, jSONObject, jp);
        }
        final Object[] closureState = new Object[]{this, str, str2, jSONObject, jp};
        return (JSONObject) MethodTimeLogger.aspectOf().log(new AjcClosure5(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code validateScopes_aroundBody6};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private void validateScopes(MessageContext messageContext, OpenAPI openAPI, JSONObject jSONObject) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_3, this, this, new Object[]{messageContext, openAPI, jSONObject});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            validateScopes_aroundBody6(this, messageContext, openAPI, jSONObject, jp);
            return;
        }
        final Object[] closureState = new Object[]{this, messageContext, openAPI, jSONObject, jp};
        MethodTimeLogger.aspectOf().log(new AjcClosure7(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code checkTokenExpiration_aroundBody8};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private void checkTokenExpiration(String str, JSONObject jSONObject, String str2) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_4, this, this, new Object[]{str, jSONObject, str2});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            checkTokenExpiration_aroundBody8(this, str, jSONObject, str2, jp);
            return;
        }
        final Object[] closureState = new Object[]{this, str, jSONObject, str2, jp};
        MethodTimeLogger.aspectOf().log(new AjcClosure9(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code verifyTokenSignature_aroundBody10};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private boolean verifyTokenSignature(String[] strArr) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_5, this, this, strArr);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return verifyTokenSignature_aroundBody10(this, strArr, jp);
        }
        final Object[] closureState = new Object[]{this, strArr, jp};
        return Conversions.booleanValue(MethodTimeLogger.aspectOf().log(new AjcClosure11(closureState).linkClosureAndJoinPoint(69648)));
    }

    /**
     * Woven dispatcher for {@code getSignatureAlgorithm_aroundBody12};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private String getSignatureAlgorithm(String[] strArr) throws APISecurityException {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_6, this, this, strArr);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getSignatureAlgorithm_aroundBody12(this, strArr, jp);
        }
        final Object[] closureState = new Object[]{this, strArr, jp};
        return (String) MethodTimeLogger.aspectOf().log(new AjcClosure13(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getTenantDomain_aroundBody14};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private String getTenantDomain() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_7, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getTenantDomain_aroundBody14(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return (String) MethodTimeLogger.aspectOf().log(new AjcClosure15(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code isGatewayTokenCacheEnabled_aroundBody16};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private boolean isGatewayTokenCacheEnabled() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_8, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return isGatewayTokenCacheEnabled_aroundBody16(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return Conversions.booleanValue(MethodTimeLogger.aspectOf().log(new AjcClosure17(closureState).linkClosureAndJoinPoint(69648)));
    }

    /**
     * Woven dispatcher for {@code getGatewayTokenCache_aroundBody18};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private Cache getGatewayTokenCache() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_9, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getGatewayTokenCache_aroundBody18(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return (Cache) MethodTimeLogger.aspectOf().log(new AjcClosure19(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getInvalidTokenCache_aroundBody20};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private Cache getInvalidTokenCache() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_10, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getInvalidTokenCache_aroundBody20(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return (Cache) MethodTimeLogger.aspectOf().log(new AjcClosure21(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getGatewayKeyCache_aroundBody22};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private Cache getGatewayKeyCache() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_11, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getGatewayKeyCache_aroundBody22(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return (Cache) MethodTimeLogger.aspectOf().log(new AjcClosure23(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getCacheFromCacheManager_aroundBody24};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private Cache getCacheFromCacheManager(String str) {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_12, this, this, str);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getCacheFromCacheManager_aroundBody24(this, str, jp);
        }
        final Object[] closureState = new Object[]{this, str, jp};
        return (Cache) MethodTimeLogger.aspectOf().log(new AjcClosure25(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getAccessTokenCacheKey_aroundBody26};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private String getAccessTokenCacheKey(String str, String str2, String str3, String str4, String str5) {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_13, this, this, new Object[]{str, str2, str3, str4, str5});
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getAccessTokenCacheKey_aroundBody26(this, str, str2, str3, str4, str5, jp);
        }
        final Object[] closureState = new Object[]{this, str, str2, str3, str4, str5, jp};
        return (String) MethodTimeLogger.aspectOf().log(new AjcClosure27(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getApiLevelPolicy_aroundBody28};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private String getApiLevelPolicy() {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_14, this, this);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getApiLevelPolicy_aroundBody28(this, jp);
        }
        final Object[] closureState = new Object[]{this, jp};
        return (String) MethodTimeLogger.aspectOf().log(new AjcClosure29(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven dispatcher for {@code getMaskedToken_aroundBody30};
     * hands the call to the {@link MethodTimeLogger} aspect when timing applies.
     */
    private String getMaskedToken(String[] strArr) {
        final JoinPoint jp = Factory.makeJP(ajc$tjp_15, this, this, strArr);
        // "this != null" from the generated condition is always true inside an instance method.
        boolean timed = MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll();
        if (!timed) {
            timed = getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled();
        }
        if (!timed) {
            return getMaskedToken_aroundBody30(this, strArr, jp);
        }
        final Object[] closureState = new Object[]{this, strArr, jp};
        return (String) MethodTimeLogger.aspectOf().log(new AjcClosure31(closureState).linkClosureAndJoinPoint(69648));
    }

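    /**
     * Validates a JWT presented to the gateway and builds the authentication
     * context for the request.
     *
     * <p>Steps, in order: split the token, consult the valid/invalid token
     * caches, verify the signature on a cache miss, check expiry and scopes
     * (or reuse the cached payload), validate the API subscription, and build
     * the {@link AuthenticationContext}.
     *
     * <p>Changes from the decompiled original: a token that does not consist
     * of exactly three dot-separated segments is now rejected with an
     * {@link APISecurityException} instead of failing with an unchecked
     * {@code ArrayIndexOutOfBoundsException}, and the payload bytes are
     * decoded as UTF-8 rather than with the platform default charset.
     *
     * @param jWTValidator   the validator instance the woven call was made on
     * @param str            the JWT in compact form
     * @param messageContext the Synapse message context of the request
     * @param openAPI        the OpenAPI definition used for scope lookup
     * @param joinPoint      the AspectJ join point; not read here
     * @return the authentication context for the validated token
     * @throws APISecurityException if the token is malformed, fails signature
     *         verification, is expired, lacks the required scope, or is not
     *         subscribed to the API
     */
    static final AuthenticationContext authenticate_aroundBody0(JWTValidator jWTValidator, String str, MessageContext messageContext, OpenAPI openAPI, JoinPoint joinPoint) {
        String[] tokenParts = str.split("\\.");
        // Reject anything that is not header.payload.signature before indexing
        // into the array; the token text itself is deliberately not logged.
        if (tokenParts.length != 3) {
            log.debug("Invalid JWT token. Unexpected number of token segments.");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
        }
        JSONObject payload = null;
        boolean verified = false;
        String signature = tokenParts[2];
        String apiContext = (String) messageContext.getProperty("REST_API_CONTEXT");
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String cacheKey = jWTValidator.getAccessTokenCacheKey(signature, apiContext, apiVersion, (String) messageContext.getProperty(APIMgtGatewayConstants.API_ELECTED_RESOURCE), (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty(ThreatProtectorConstants.HTTP_METHOD));
        String tenantDomain = jWTValidator.getTenantDomain();
        if (jWTValidator.isGatewayTokenCacheEnabled) {
            // NOTE(review): both token caches are keyed on the signature segment
            // only. A hit shows that this signature was verified earlier for
            // some header and payload, not that it matches the header and
            // payload presented now; when the payload cache below misses, the
            // payload is decoded from the presented token without another
            // signature check. Consider keying on a digest of the full token,
            // after confirming how other readers and writers of these caches
            // (if any) build their keys.
            if (((String) jWTValidator.getGatewayTokenCache().get(signature)) != null) {
                log.debug("Token retrieved from the token cache.");
                verified = true;
            } else if (jWTValidator.getInvalidTokenCache().get(signature) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the invalid token cache. Token: " + jWTValidator.getMaskedToken(tokenParts));
                }
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
            }
        }
        if (!verified) {
            log.debug("Token not found in the cache.");
            try {
                // The payload is parsed before the signature check so that a
                // malformed payload is reported as a decode failure.
                payload = new JSONObject(new String(Base64.getUrlDecoder().decode(tokenParts[1]), java.nio.charset.StandardCharsets.UTF_8));
                verified = jWTValidator.verifyTokenSignature(tokenParts);
                if (jWTValidator.isGatewayTokenCacheEnabled) {
                    if (verified) {
                        jWTValidator.getGatewayTokenCache().put(signature, tenantDomain);
                    } else {
                        jWTValidator.getInvalidTokenCache().put(signature, tenantDomain);
                    }
                    if (!"carbon.super".equals(tenantDomain)) {
                        // Repeat the cache write while the thread-local tenant
                        // domain is switched to carbon.super.
                        try {
                            PrivilegedCarbonContext.startTenantFlow();
                            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain("carbon.super", true);
                            if (verified) {
                                jWTValidator.getGatewayTokenCache().put(signature, tenantDomain);
                            } else {
                                jWTValidator.getInvalidTokenCache().put(signature, tenantDomain);
                            }
                        } finally {
                            PrivilegedCarbonContext.endTenantFlow();
                        }
                    }
                }
            } catch (IllegalArgumentException | JSONException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid JWT token. Token: " + jWTValidator.getMaskedToken(tokenParts));
                }
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token. Failed to decode the token.", e);
            }
        }
        if (!verified) {
            if (log.isDebugEnabled()) {
                log.debug("Token signature verification failure. Token: " + jWTValidator.getMaskedToken(tokenParts));
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token. Signature verification failed.");
        }
        log.debug("Token signature is verified.");
        if (!jWTValidator.isGatewayTokenCacheEnabled || jWTValidator.getGatewayKeyCache().get(cacheKey) == null) {
            log.debug("Token payload not found in the cache.");
            if (payload == null) {
                // Reached when the signature came from the token cache, so the
                // payload was not decoded above.
                try {
                    payload = new JSONObject(new String(Base64.getUrlDecoder().decode(tokenParts[1]), java.nio.charset.StandardCharsets.UTF_8));
                } catch (IllegalArgumentException | JSONException e2) {
                    if (log.isDebugEnabled()) {
                        log.debug("Token decryption failure when retrieving payload. Token: " + jWTValidator.getMaskedToken(tokenParts), e2);
                    }
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
                }
            }
            jWTValidator.checkTokenExpiration(signature, payload, tenantDomain);
            jWTValidator.validateScopes(messageContext, openAPI, payload);
            if (jWTValidator.isGatewayTokenCacheEnabled) {
                jWTValidator.getGatewayKeyCache().put(cacheKey, payload);
            }
        } else {
            // Cached payload: scopes were validated when the entry was stored;
            // only expiry is re-checked.
            payload = (JSONObject) jWTValidator.getGatewayKeyCache().get(cacheKey);
            jWTValidator.checkTokenExpiration(signature, payload, tenantDomain);
        }
        JSONObject subscription = jWTValidator.validateAPISubscription(apiContext, apiVersion, payload);
        log.debug("JWT authentication successful.");
        return jWTValidator.generateAuthenticationContext(signature, payload, subscription, jWTValidator.getApiLevelPolicy());
    }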

    /**
     * Builds the {@link AuthenticationContext} from the token payload and the
     * matched subscription entry.
     *
     * @param jWTValidator the validator instance; not read here
     * @param str          value stored as the context's API key
     * @param jSONObject   the decoded token payload
     * @param jSONObject2  the matched subscription entry, or {@code null} when
     *                     none was resolved; tier details are then left unset
     * @param str2         value stored as the API tier
     * @param joinPoint    the AspectJ join point; not read here
     * @return a context marked as authenticated
     */
    static final AuthenticationContext generateAuthenticationContext_aroundBody2(JWTValidator jWTValidator, String str, JSONObject jSONObject, JSONObject jSONObject2, String str2, JoinPoint joinPoint) {
        final JSONObject application = jSONObject.getJSONObject("application");
        final AuthenticationContext ctx = new AuthenticationContext();
        ctx.setAuthenticated(true);
        ctx.setApiKey(str);
        // Tokens without a "keytype" claim are treated as PRODUCTION keys.
        ctx.setKeyType(jSONObject.has("keytype") ? jSONObject.getString("keytype") : "PRODUCTION");
        ctx.setUsername(jSONObject.getString("sub"));
        ctx.setApiTier(str2);
        ctx.setApplicationId(String.valueOf(application.getInt("id")));
        ctx.setApplicationName(application.getString("name"));
        ctx.setApplicationTier(application.getString("tier"));
        ctx.setSubscriber(application.getString("owner"));
        ctx.setConsumerKey(jSONObject.getString("consumerKey"));
        if (jSONObject2 != null) {
            final String subscriptionTier = jSONObject2.getString("subscriptionTier");
            ctx.setTier(subscriptionTier);
            ctx.setSubscriberTenantDomain(jSONObject2.getString("subscriberTenantDomain"));
            final JSONObject tierInfo = (JSONObject) jSONObject.get("tierInfo");
            if (tierInfo.has(subscriptionTier)) {
                final JSONObject tierDetails = (JSONObject) tierInfo.get(subscriptionTier);
                ctx.setStopOnQuotaReach(tierDetails.getBoolean("stopOnQuotaReach"));
                ctx.setSpikeArrestLimit(tierDetails.getInt("spikeArrestLimit"));
                // A JSON null unit is skipped rather than copied.
                final boolean unitIsNull = JSONObject.NULL.equals(tierDetails.get("spikeArrestUnit"));
                if (!unitIsNull) {
                    ctx.setSpikeArrestUnit(tierDetails.getString("spikeArrestUnit"));
                }
            }
        }
        if (jSONObject.has("backendJwt")) {
            ctx.setCallerToken(jSONObject.getString("backendJwt"));
        }
        return ctx;
    }

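    /**
     * Looks up the subscription entry in the token's {@code subscribedAPIs}
     * claim that matches the requested API context and version.
     *
     * <p>Fix over the decompiled original: the search loop now stops at the
     * first match. As listed, a match neither advanced the index nor left the
     * loop, so a subscribed API would have spun forever.
     *
     * <p>NOTE(review): when the token carries no {@code subscribedAPIs} claim
     * this returns {@code null} without throwing, and the caller continues, so
     * such tokens are not subscription-checked here. Confirm that this is
     * intended and enforced elsewhere if required.
     *
     * @param jWTValidator the validator instance; not read here
     * @param str          the API context of the request
     * @param str2         the API version of the request
     * @param jSONObject   the decoded token payload
     * @param joinPoint    the AspectJ join point; not read here
     * @return the matching subscription entry, or {@code null} when the token
     *         has no {@code subscribedAPIs} claim
     * @throws APISecurityException if the claim is present but holds no entry
     *         for this context and version
     */
    static final JSONObject validateAPISubscription_aroundBody4(JWTValidator jWTValidator, String str, String str2, JSONObject jSONObject, JoinPoint joinPoint) {
        if (!jSONObject.has("subscribedAPIs")) {
            log.debug("No subscription information found in the token.");
            return null;
        }
        JSONArray subscribedApis = jSONObject.getJSONArray("subscribedAPIs");
        for (int i = 0; i < subscribedApis.length(); i++) {
            JSONObject entry = subscribedApis.getJSONObject(i);
            if (str.equals(entry.getString("context")) && str2.equals(entry.getString("version"))) {
                if (log.isDebugEnabled()) {
                    log.debug("User is subscribed to the API: " + str + ", version: " + str2);
                }
                // First match wins; returning here is what ends the search.
                return entry;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("User is not subscribed to access the API: " + str + ", version: " + str2);
        }
        throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "User is not subscribed to access the API: " + str + ", version: " + str2);
    }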

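    /**
     * Checks that the token's {@code scope} claim contains the scope required
     * by the invoked resource.
     *
     * <p>Fix over the decompiled original: a successful validation now returns
     * before the "No scopes assigned to the resource." message, which was
     * previously logged on the success path as well and contradicted the
     * "Scope validation successful" entry just before it.
     *
     * <p>NOTE(review): each token scope is compared with the whole string
     * returned by {@code OpenAPIUtils.getScopesOfResource}; this presumably
     * assumes a single scope per resource — confirm.
     *
     * @param jWTValidator   the validator instance; not read here
     * @param messageContext the Synapse message context of the request
     * @param openAPI        the OpenAPI definition used for scope lookup
     * @param jSONObject     the decoded token payload
     * @param joinPoint      the AspectJ join point; not read here
     * @throws APISecurityException if the resource requires a scope and the
     *         token has no {@code scope} claim or does not list that scope
     */
    static final void validateScopes_aroundBody6(JWTValidator jWTValidator, MessageContext messageContext, OpenAPI openAPI, JSONObject jSONObject, JoinPoint joinPoint) {
        String resourceScope = OpenAPIUtils.getScopesOfResource(openAPI, messageContext);
        if (!StringUtils.isNotBlank(resourceScope)) {
            log.debug("No scopes assigned to the resource.");
            return;
        }
        if (!jSONObject.has("scope")) {
            log.error("Scopes not found in the token.");
            throw new APISecurityException(APISecurityConstants.INVALID_SCOPE, "Scope validation failed");
        }
        boolean scopeFound = false;
        // The claim is a space-separated list of scopes.
        for (String tokenScope : jSONObject.getString("scope").split(" ")) {
            if (tokenScope.trim().equals(resourceScope)) {
                scopeFound = true;
                break;
            }
        }
        if (!scopeFound) {
            if (log.isDebugEnabled()) {
                log.debug("Scope validation failed. User: " + jSONObject.getString("sub"));
            }
            throw new APISecurityException(APISecurityConstants.INVALID_SCOPE, "Scope validation failed");
        }
        if (log.isDebugEnabled()) {
            log.debug("Scope validation successful. Resource Scope: " + resourceScope + ", User: " + jSONObject.getString("sub"));
        }
    }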

    /**
     * Rejects the token when it has expired, allowing for the configured
     * timestamp skew, and on expiry moves its cache entry from the valid-token
     * cache to the invalid-token cache.
     *
     * <p>NOTE(review): the first comparison measures the skew-adjusted current
     * time (an absolute epoch value) against {@code exp - iat} (a duration).
     * A token is therefore treated as live whenever that duration exceeds the
     * current epoch time, regardless of {@code exp}. The {@code * 1000}
     * conversions are also unchecked and can overflow for very large claim
     * values. Both deserve confirmation against the intended expiry rule.
     *
     * @param jWTValidator the validator instance whose caches are updated
     * @param str          key under which the token is held in the caches
     * @param jSONObject   the decoded token payload; {@code iat} and
     *                     {@code exp} are read as seconds
     * @param str2         value stored in the invalid-token cache on expiry
     * @param joinPoint    the AspectJ join point; not read here
     * @throws APISecurityException if the token is expired
     */
    static final void checkTokenExpiration_aroundBody8(JWTValidator jWTValidator, String str, JSONObject jSONObject, String str2, JoinPoint joinPoint) {
        final long issuedAtMillis = jSONObject.getLong("iat") * 1000;
        final long expiresAtMillis = jSONObject.getLong("exp") * 1000;
        final long validityMillis = expiresAtMillis - issuedAtMillis;
        final long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
        final long skewedNow = System.currentTimeMillis() - skewMillis;

        // Expired only when every "still valid" condition fails.
        final boolean expired = validityMillis != Long.MAX_VALUE
                && skewedNow > validityMillis
                && skewedNow > expiresAtMillis;
        if (expired) {
            if (jWTValidator.isGatewayTokenCacheEnabled) {
                jWTValidator.getGatewayTokenCache().remove(str);
                jWTValidator.getInvalidTokenCache().put(str, str2);
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_ACCESS_TOKEN_EXPIRED, "JWT token is expired");
        }
        if (log.isDebugEnabled()) {
            log.debug("Token is not expired. User: " + jSONObject.getString("sub"));
        }
    }

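    /**
     * AspectJ-woven body of {@code verifyTokenSignature}: verifies the JWS signature of a split JWT
     * against the public key of the certificate stored in the gateway trust store under the alias
     * {@code gateway_certificate_alias}.
     *
     * @param jWTValidator the validator instance the advice was woven around
     * @param strArr the token split into header, payload and signature (base64url text)
     * @param joinPoint the AspectJ join point (unused here)
     * @return {@code true} if the signature matches, {@code false} otherwise
     * @throws APISecurityException when the token is malformed, the certificate cannot be obtained,
     *     or the signature cannot be processed
     */
    static final boolean verifyTokenSignature_aroundBody10(JWTValidator jWTValidator, String[] strArr, JoinPoint joinPoint) {
        // The parts come from an untrusted token; without this guard a short array surfaces as an
        // ArrayIndexOutOfBoundsException instead of an authentication failure.
        if (strArr == null || strArr.length < 3) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
        }
        // NOTE(review): the algorithm name is read from the token header before the signature is
        // verified, so the token itself selects the JCA algorithm. Consider pinning the algorithms
        // the gateway accepts instead of trusting the header.
        String signatureAlgorithm = jWTValidator.getSignatureAlgorithm(strArr);

        Certificate certificate = null;
        try {
            KeyStore trustStore = ServiceReferenceHolder.getInstance().getTrustStore();
            if (trustStore != null) {
                certificate = trustStore.getCertificate("gateway_certificate_alias");
            }
        } catch (KeyStoreException e) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_GENERAL_ERROR, "Error in retrieving public certificate from the trust store with alias : gateway_certificate_alias", e);
        }
        if (certificate == null) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_GENERAL_ERROR, "Couldn't find a public certificate to verify signature");
        }
        // NOTE(review): the certificate's validity period is not checked here - confirm whether an
        // expired gateway certificate should still be accepted.
        PublicKey publicKey = certificate.getPublicKey();

        try {
            Signature verifier = Signature.getInstance(signatureAlgorithm);
            verifier.initVerify(publicKey);
            // The signing input is "<header>.<payload>". Use an explicit charset so the bytes do
            // not depend on the platform default.
            String signingInput = strArr[0] + "." + strArr[1];
            verifier.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return verifier.verify(Base64.getUrlDecoder().decode(strArr[2]));
        } catch (IllegalArgumentException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            // Only the masked token is logged, never the full credential.
            log.error("Signature verification failed. Token: " + jWTValidator.getMaskedToken(strArr), e);
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token", e);
        }
    }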

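    /**
     * AspectJ-woven body of {@code getSignatureAlgorithm}: reads the {@code alg} value from the
     * base64url-encoded JWT header and maps it to a JCA signature algorithm name.
     *
     * <p>{@code RS256} is mapped to {@code SHA256withRSA}; any other non-blank value is returned
     * unchanged.
     *
     * @param jWTValidator the validator instance the advice was woven around
     * @param strArr the split token; element 0 is the encoded header
     * @param joinPoint the AspectJ join point (unused here)
     * @return the algorithm name to pass to the signature verifier
     * @throws APISecurityException with {@code API_AUTH_INVALID_CREDENTIALS} when the header is
     *     missing, cannot be decoded or parsed, or carries no algorithm
     */
    static final String getSignatureAlgorithm_aroundBody12(JWTValidator jWTValidator, String[] strArr, JoinPoint joinPoint) {
        // Reject a token without a header part as an authentication failure rather than letting an
        // ArrayIndexOutOfBoundsException escape.
        if (strArr == null || strArr.length == 0) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
        }
        try {
            byte[] headerBytes = Base64.getUrlDecoder().decode(strArr[0]);
            // Decode as UTF-8 explicitly so parsing does not depend on the platform default charset.
            JSONObject header = new JSONObject(new String(headerBytes, java.nio.charset.StandardCharsets.UTF_8));
            String algorithm = header.getString("alg");
            if (StringUtils.isBlank(algorithm)) {
                if (log.isDebugEnabled()) {
                    log.debug("Signature algorithm not found in the token. Token: " + jWTValidator.getMaskedToken(strArr));
                }
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
            }
            // NOTE(review): the header is unauthenticated at this point and every value other than
            // RS256 is handed on verbatim as a JCA algorithm name. Consider restricting the result
            // to the algorithms the token issuer is known to use.
            return "RS256".equals(algorithm) ? "SHA256withRSA" : algorithm;
        } catch (IllegalArgumentException | JSONException e) {
            // IllegalArgumentException: invalid base64url; JSONException: bad JSON or missing "alg".
            if (log.isDebugEnabled()) {
                log.debug("Token decryption failure when retrieving header. Token: " + jWTValidator.getMaskedToken(strArr), e);
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token", e);
        }
    }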

    /**
     * AspectJ-woven body of {@code getTenantDomain}: returns the tenant domain held by the
     * thread-local Carbon context of the calling thread.
     *
     * @param jWTValidator the validator instance the advice was woven around (unused here)
     * @param joinPoint the AspectJ join point (unused here)
     * @return the tenant domain reported by the thread-local Carbon context
     */
    static final String getTenantDomain_aroundBody14(JWTValidator jWTValidator, JoinPoint joinPoint) {
        PrivilegedCarbonContext threadContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        return threadContext.getTenantDomain();
    }

    /**
     * AspectJ-woven body of {@code isGatewayTokenCacheEnabled}: reads the
     * {@code CacheConfigurations.EnableGatewayTokenCache} property from the API Manager
     * configuration.
     *
     * <p>The value is parsed with {@link Boolean#parseBoolean}, so a missing or non-"true" value
     * yields {@code false}. Only when reading the configuration throws does the method fall back to
     * {@code true}.
     *
     * @param jWTValidator the validator instance the advice was woven around (unused here)
     * @param joinPoint the AspectJ join point (unused here)
     * @return whether the gateway token cache is enabled
     */
    static final boolean isGatewayTokenCacheEnabled_aroundBody16(JWTValidator jWTValidator, JoinPoint joinPoint) {
        boolean cacheEnabled;
        try {
            String configuredValue = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getFirstProperty("CacheConfigurations.EnableGatewayTokenCache");
            cacheEnabled = Boolean.parseBoolean(configuredValue);
        } catch (Exception e) {
            // Deliberate best effort: any failure while reading the configuration enables caching.
            log.error("Did not found valid API Validation Information cache configuration. Use default configuration.", e);
            cacheEnabled = true;
        }
        return cacheEnabled;
    }

    /**
     * AspectJ-woven body of {@code getGatewayTokenCache}: looks up the cache named
     * {@code GATEWAY_TOKEN_CACHE} through the validator's cache-manager helper.
     *
     * @param jWTValidator the validator instance used for the lookup
     * @param joinPoint the AspectJ join point (unused here)
     * @return the cache returned for that name
     */
    static final Cache getGatewayTokenCache_aroundBody18(JWTValidator jWTValidator, JoinPoint joinPoint) {
        final String cacheName = "GATEWAY_TOKEN_CACHE";
        return jWTValidator.getCacheFromCacheManager(cacheName);
    }

    /**
     * AspectJ-woven body of {@code getInvalidTokenCache}: looks up the cache named
     * {@code GATEWAY_INVALID_TOKEN_CACHE} through the validator's cache-manager helper.
     *
     * @param jWTValidator the validator instance used for the lookup
     * @param joinPoint the AspectJ join point (unused here)
     * @return the cache returned for that name
     */
    static final Cache getInvalidTokenCache_aroundBody20(JWTValidator jWTValidator, JoinPoint joinPoint) {
        final String cacheName = "GATEWAY_INVALID_TOKEN_CACHE";
        return jWTValidator.getCacheFromCacheManager(cacheName);
    }

    /**
     * AspectJ-woven body of {@code getGatewayKeyCache}: looks up the cache named
     * {@code gatewayKeyCache} through the validator's cache-manager helper.
     *
     * @param jWTValidator the validator instance used for the lookup
     * @param joinPoint the AspectJ join point (unused here)
     * @return the cache returned for that name
     */
    static final Cache getGatewayKeyCache_aroundBody22(JWTValidator jWTValidator, JoinPoint joinPoint) {
        final String cacheName = "gatewayKeyCache";
        return jWTValidator.getCacheFromCacheManager(cacheName);
    }

    /**
     * AspectJ-woven body of {@code getCacheFromCacheManager}: fetches a named cache from the
     * {@code API_MANAGER_CACHE} cache manager.
     *
     * @param jWTValidator the validator instance the advice was woven around (unused here)
     * @param str the name of the cache to fetch
     * @param joinPoint the AspectJ join point (unused here)
     * @return whatever the cache manager returns for {@code str}
     */
    static final Cache getCacheFromCacheManager_aroundBody24(JWTValidator jWTValidator, String str, JoinPoint joinPoint) {
        final String managerName = "API_MANAGER_CACHE";
        Cache namedCache = Caching.getCacheManager(managerName).getCache(str);
        return namedCache;
    }

    /**
     * AspectJ-woven body of {@code getAccessTokenCacheKey}: builds a cache key by joining the five
     * components with {@code ':'}. A {@code null} component is rendered as the text {@code "null"}.
     *
     * <p>NOTE(review): the components are joined without escaping, so two different tuples can
     * produce the same key if a component itself contains {@code ':'} - confirm the callers'
     * inputs rule that out.
     *
     * @param jWTValidator the validator instance the advice was woven around (unused here)
     * @param str first key component (access token, per the woven method signature)
     * @param str2 second key component (API context)
     * @param str3 third key component (API version)
     * @param str4 fourth key component (resource URI)
     * @param str5 fifth key component (HTTP verb)
     * @param joinPoint the AspectJ join point (unused here)
     * @return the colon-separated cache key
     */
    static final String getAccessTokenCacheKey_aroundBody26(JWTValidator jWTValidator, String str, String str2, String str3, String str4, String str5, JoinPoint joinPoint) {
        // String.join renders null elements as "null", the same as string concatenation does.
        return String.join(":", str, str2, str3, str4, str5);
    }

    /**
     * AspectJ-woven body of {@code getApiLevelPolicy}: returns the validator's
     * {@code apiLevelPolicy} field.
     *
     * @param jWTValidator the validator instance whose field is read
     * @param joinPoint the AspectJ join point (unused here)
     * @return the current value of {@code apiLevelPolicy}, possibly {@code null}
     */
    static final String getApiLevelPolicy_aroundBody28(JWTValidator jWTValidator, JoinPoint joinPoint) {
        String policy = jWTValidator.apiLevelPolicy;
        return policy;
    }

    /**
     * AspectJ-woven body of {@code getMaskedToken}: produces a log-safe form of a split token.
     *
     * <p>The parts are re-joined with {@code '.'} and everything except the tail is replaced by
     * {@code XXXXX}. The last 10 characters are kept when the token has at least 10 characters,
     * otherwise the second half is kept.
     *
     * @param jWTValidator the validator instance the advice was woven around (unused here)
     * @param strArr the split token parts
     * @param joinPoint the AspectJ join point (unused here)
     * @return the masked token text
     */
    static final String getMaskedToken_aroundBody30(JWTValidator jWTValidator, String[] strArr, JoinPoint joinPoint) {
        String fullToken = String.join(".", strArr);
        int tokenLength = fullToken.length();
        // Index of the first character that stays visible in the log output.
        int visibleFrom;
        if (tokenLength >= 10) {
            visibleFrom = tokenLength - 10;
        } else {
            visibleFrom = tokenLength / 2;
        }
        return "XXXXX" + fullToken.substring(visibleFrom);
    }

    /**
     * AspectJ-generated initializer that creates one static join point descriptor
     * ({@code ajc$tjp_N}) per woven {@code JWTValidator} method.
     *
     * <p>Each descriptor records the method name, declaring type, parameter types, parameter names,
     * declared exceptions and return type. The parameter names are the original source names that
     * the decompiled {@code *_aroundBody*} methods have lost.
     *
     * <p>The trailing integer is presumably the method's line number in {@code JWTValidator.java},
     * and the leading {@code "1"}/{@code "2"} presumably encodes the method's modifiers - TODO
     * confirm against the AspectJ runtime. The statements are kept exactly as generated, including
     * their order.
     */
    private static void ajc$preClinit() {
        Factory factory = new Factory("JWTValidator.java", JWTValidator.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "authenticate", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String:org.apache.synapse.MessageContext:io.swagger.v3.oas.models.OpenAPI", "jwtToken:synCtx:openAPI", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext"), 80);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "generateAuthenticationContext", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String:org.json.JSONObject:org.json.JSONObject:java.lang.String", "tokenSignature:payload:api:apiLevelPolicy", APIMgtGatewayConstants.EMPTY, "org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext"), 206);
        ajc$tjp_10 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getInvalidTokenCache", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "javax.cache.Cache"), 479);
        ajc$tjp_11 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getGatewayKeyCache", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "javax.cache.Cache"), 483);
        ajc$tjp_12 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getCacheFromCacheManager", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String", "cacheName", APIMgtGatewayConstants.EMPTY, "javax.cache.Cache"), 487);
        ajc$tjp_13 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getAccessTokenCacheKey", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String:java.lang.String:java.lang.String:java.lang.String:java.lang.String", "accessToken:apiContext:apiVersion:resourceUri:httpVerb", APIMgtGatewayConstants.EMPTY, "java.lang.String"), 492);
        ajc$tjp_14 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getApiLevelPolicy", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "java.lang.String"), 497);
        ajc$tjp_15 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getMaskedToken", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "[Ljava.lang.String;", "splitToken", APIMgtGatewayConstants.EMPTY, "java.lang.String"), 501);
        ajc$tjp_2 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "validateAPISubscription", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String:java.lang.String:org.json.JSONObject", "apiContext:apiVersion:payload", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "org.json.JSONObject"), 266);
        ajc$tjp_3 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "validateScopes", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "org.apache.synapse.MessageContext:io.swagger.v3.oas.models.OpenAPI:org.json.JSONObject", "synCtx:openAPI:payload", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "void"), 308);
        ajc$tjp_4 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "checkTokenExpiration", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "java.lang.String:org.json.JSONObject:java.lang.String", "tokenSignature:payload:tenantDomain", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "void"), 349);
        ajc$tjp_5 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "verifyTokenSignature", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "[Ljava.lang.String;", "splitToken", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "boolean"), 380);
        ajc$tjp_6 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getSignatureAlgorithm", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", "[Ljava.lang.String;", "splitToken", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "java.lang.String"), 428);
        ajc$tjp_7 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getTenantDomain", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "java.lang.String"), 459);
        ajc$tjp_8 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "isGatewayTokenCacheEnabled", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "boolean"), 463);
        ajc$tjp_9 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "getGatewayTokenCache", "org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator", APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, APIMgtGatewayConstants.EMPTY, "javax.cache.Cache"), 475);
    }
}
