package org.wso2.carbon.apimgt.gateway.handlers.security.oauth;

import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.cache.Cache;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.MethodStats;
import org.wso2.carbon.apimgt.gateway.handlers.analytics.Constants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.threatprotection.utils.ThreatProtectorConstants;
import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
import org.wso2.carbon.apimgt.impl.caching.CacheProvider;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.metrics.manager.Level;
import org.wso2.carbon.metrics.manager.MetricManager;
import org.wso2.carbon.metrics.manager.Timer;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/oauth/OAuthAuthenticator.class */
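/**
 * OAuth2 bearer-token authenticator for the API gateway.
 *
 * <p>For each request it (1) extracts the credential that follows the
 * {@code consumerKeyHeaderSegment} ("Bearer") inside the configured security
 * header, (2) optionally strips that credential and the default-version marker
 * header from the transport headers, (3) inspects a three-part token as a
 * signed JWT to find the key manager that has a JWT validator for it, and
 * (4) either validates the JWT through {@link JWTValidator} or hands the token
 * to {@link APIKeyValidator#getKeyValidationInfo}. The outcome is returned as an
 * {@link AuthenticationResponse}; on success an {@link AuthenticationContext}
 * is attached to the message through {@link APISecurityUtils}.
 *
 * <p>NOTE(review): {@code keyManagerList}, {@code config},
 * {@code securityContextHeader}, {@code removeOAuthHeadersFromOutMessage} and
 * {@code requestOrigin} are rewritten on every {@link #authenticate} call. If a
 * single instance serves concurrent requests these writes race; confirm how
 * instances are scoped before relying on {@link #getRequestOrigin()}.
 */
public class OAuthAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(OAuthAuthenticator.class);

    /** Key managers the current API accepts ("all" lifts the restriction); refreshed per request. */
    private List<String> keyManagerList;
    /** Created lazily on the first request when not injected by a subclass. */
    protected APIKeyValidator keyValidator;
    /** Created lazily on the first request, bound to that request's tenant domain. */
    protected JWTValidator jwtValidator;
    /** Name of the header that carries the credential; {@code null} defers to the APIM configuration. */
    private String securityHeader = APIMgtGatewayConstants.AUTHORIZATION;
    private APIManagerConfiguration config;
    /** Marker header whose presence flags a default-version API invocation. */
    private String defaultAPIHeader = "WSO2_AM_API_DEFAULT_VERSION";
    /** Scheme word that precedes the credential within one header segment. */
    private String consumerKeyHeaderSegment = "Bearer";
    /** Separator between independent segments of the security header value. */
    private String oauthHeaderSplitter = APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR;
    /** Separator between the scheme word and the credential within a segment. */
    private String consumerKeySegmentDelimiter = " ";
    /** Header under which the authentication context is published; read from the JWT configuration. */
    private String securityContextHeader;
    /** Whether the credential is stripped from the transport headers after extraction. */
    private boolean removeOAuthHeadersFromOutMessage = true;
    /** Whether the default-version marker header is stripped from the transport headers. */
    private boolean removeDefaultAPIHeaderFromOutMessage = true;
    /** Value of the request's {@code Origin} header, captured per request. */
    private String requestOrigin;
    /** Forwarded as the "mandatory" flag of every {@link AuthenticationResponse} produced. */
    private boolean isMandatory;

    /** Creates an authenticator with the default header names and removal flags. */
    public OAuthAuthenticator() {
    }

    /**
     * Creates an authenticator with an explicit security header and flags.
     *
     * @param securityHeader                   header carrying the credential; {@code null} defers to configuration
     * @param isMandatory                      value reported as the mandatory flag of each response
     * @param removeOAuthHeadersFromOutMessage whether to strip the credential from the transport headers
     */
    public OAuthAuthenticator(String securityHeader, boolean isMandatory, boolean removeOAuthHeadersFromOutMessage) {
        this.securityHeader = securityHeader;
        this.isMandatory = isMandatory;
        this.removeOAuthHeadersFromOutMessage = removeOAuthHeadersFromOutMessage;
    }

    /** No initialisation is required; validators are created lazily in {@link #authenticate}. */
    @Override
    public void init(SynapseEnvironment synapseEnvironment) {
    }

    /** Releases the key validator, if one was ever created. */
    @Override
    public void destroy() {
        if (this.keyValidator != null) {
            this.keyValidator.cleanup();
        }
    }

    /**
     * Authenticates the request carried by {@code messageContext}.
     *
     * <p>Flow: extract the credential from the security header, strip the
     * credential/marker headers when configured, inspect a three-part token as a
     * JWT and check its key manager against the API's allowed list, then either
     * validate the JWT locally or run key validation for an opaque token. When
     * the transport headers are absent no extraction or stripping happens and
     * the request fails with {@code API_AUTH_MISSING_CREDENTIALS} (unless the
     * resource has no matching auth scheme).
     *
     * @param messageContext the Synapse message under authentication
     * @return a response describing success or the failure code and message
     * @throws APIManagementException from configuration lookups that are not handled here
     */
    @Override
    @MethodStats
    public AuthenticationResponse authenticate(MessageContext messageContext) throws APIManagementException {
        String apiKey = null;                 // credential found after the scheme word, if any
        String remainingAuthHeader = "";      // header segments that did not carry the credential
        boolean defaultVersionInvoked = false;
        boolean jwtKeyManagerElected = false; // a JWT validator exists for the token's key manager
        SignedJWTInfo signedJWTInfo = null;

        @SuppressWarnings("unchecked")
        Map<String, Object> headers = (Map<String, Object>) ((Axis2MessageContext) messageContext)
                .getAxis2MessageContext().getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
        String tenantDomain = GatewayUtils.getTenantDomain();
        this.keyManagerList = GatewayUtils.getKeyManagers(messageContext);
        if (this.keyValidator == null) {
            this.keyValidator = new APIKeyValidator();
        }
        if (this.jwtValidator == null) {
            this.jwtValidator = new JWTValidator(this.keyValidator, tenantDomain);
        }
        this.config = getApiManagerConfiguration();
        this.removeOAuthHeadersFromOutMessage = isRemoveOAuthHeadersFromOutMessage();
        this.securityContextHeader = getSecurityContextHeader();

        if (headers != null) {
            this.requestOrigin = (String) headers.get("Origin");
            String authHeaderValue = (String) headers.get(getSecurityHeader());
            if (authHeaderValue != null) {
                List<String> retainedSegments = new ArrayList<>();
                for (String segment : authHeaderValue.split(this.oauthHeaderSplitter)) {
                    boolean credentialInSegment = false;
                    String[] parts = segment.split(this.consumerKeySegmentDelimiter);
                    if (parts.length > 1) {
                        boolean schemeSeen = false;
                        for (String part : parts) {
                            String trimmed = part.trim();
                            if ("".equals(trimmed)) {
                                continue;
                            }
                            if (this.consumerKeyHeaderSegment.equals(trimmed)) {
                                schemeSeen = true;
                            } else if (schemeSeen) {
                                // The last non-empty part after the scheme word wins.
                                apiKey = removeLeadingAndTrailing(trimmed);
                                credentialInSegment = true;
                            }
                        }
                    }
                    if (!credentialInSegment) {
                        retainedSegments.add(segment);
                    }
                }
                remainingAuthHeader = String.join(this.oauthHeaderSplitter, retainedSegments);
            } else if (log.isDebugEnabled()) {
                log.debug("OAuth2 Authentication: Expected authorization header with the name '".concat(getSecurityHeader()).concat("' was not found."));
            }
            if (log.isDebugEnabled()) {
                // The credential is a secret: log it masked, as the other debug lines do.
                log.debug(apiKey != null ? "Received Token ".concat(GatewayUtils.getMaskedToken(apiKey)) : "No valid Authorization header found");
            }
            defaultVersionInvoked = headers.containsKey(this.defaultAPIHeader);
            if (defaultVersionInvoked && log.isDebugEnabled()) {
                log.debug("Default Version API invoked");
            }
            // Strip the credential so that only the unrelated header segments (if any) travel on.
            if (this.removeOAuthHeadersFromOutMessage) {
                if (StringUtils.isNotBlank(remainingAuthHeader)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Removing OAuth key from Authorization header");
                    }
                    headers.put(getSecurityHeader(), remainingAuthHeader);
                } else {
                    if (log.isDebugEnabled()) {
                        log.debug("Removing Authorization header from headers");
                    }
                    headers.remove(getSecurityHeader());
                }
            }
            if (this.removeDefaultAPIHeaderFromOutMessage) {
                headers.remove(this.defaultAPIHeader);
            }
        }

        String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String httpMethod = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty(ThreatProtectorConstants.HTTP_METHOD);
        String matchingResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");

        Timer.Context resourceAuthTimer = getTimer(MetricManager.name("org.wso2.am", new String[]{getClass().getSimpleName(), "GET_RESOURCE_AUTH"})).start();
        org.apache.axis2.context.MessageContext.setCurrentMessageContext(((Axis2MessageContext) messageContext).getAxis2MessageContext());
        try {
            String resourceAuthenticationScheme;
            try {
                if (StringUtils.isNotEmpty(apiKey) && apiKey.contains(".")) {
                    try {
                        if (StringUtils.countMatches(apiKey, ".") != 2) {
                            log.debug("Invalid JWT token. The expected token format is <header.payload.signature>");
                            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
                        }
                        signedJWTInfo = getSignedJwt(apiKey);
                        // Internal keys and API keys are JWTs as well, but they are not accepted here.
                        if (GatewayUtils.isInternalKey(signedJWTInfo.getJwtClaimsSet()) || GatewayUtils.isAPIKey(signedJWTInfo.getJwtClaimsSet())) {
                            log.debug("Invalid Token Provided");
                            return invalidCredentials();
                        }
                        String keyManagerName = ServiceReferenceHolder.getInstance().getJwtValidationService().getKeyManagerNameIfJwtValidatorExist(signedJWTInfo);
                        if (StringUtils.isNotEmpty(keyManagerName)) {
                            if (log.isDebugEnabled()) {
                                log.debug("KeyManager " + keyManagerName + "found for authenticate token " + GatewayUtils.getMaskedToken(apiKey));
                            }
                            // The API limits which key managers may issue its tokens; "all" lifts the limit.
                            if (!this.keyManagerList.contains("all") && !this.keyManagerList.contains(keyManagerName)) {
                                if (log.isDebugEnabled()) {
                                    log.debug("Elected KeyManager " + keyManagerName + " not found in API level list " + String.join(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR, this.keyManagerList));
                                }
                                return invalidCredentials();
                            }
                            if (log.isDebugEnabled()) {
                                log.debug("Elected KeyManager " + keyManagerName + "found in API level list " + String.join(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR, this.keyManagerList));
                            }
                            jwtKeyManagerElected = true;
                        } else if (log.isDebugEnabled()) {
                            log.debug("KeyManager not found for accessToken " + GatewayUtils.getMaskedToken(apiKey));
                        }
                    } catch (IllegalArgumentException | ParseException e) {
                        // Not decodable as a JWT: fall through and treat the value as an opaque token.
                        log.debug("Not a JWT token. Failed to decode the token header.", e);
                    } catch (APIManagementException e) {
                        log.error("error while check validation of JWt", e);
                        return invalidCredentials();
                    }
                }
                resourceAuthenticationScheme = getAPIKeyValidator().getResourceAuthenticationScheme(messageContext);
            } finally {
                // Stopped on every exit path, including the early returns and exceptions above.
                resourceAuthTimer.stop();
            }

            APIKeyValidationInfoDTO keyValidationInfo;
            if ("noMatchedAuthScheme".equals(resourceAuthenticationScheme)) {
                keyValidationInfo = new APIKeyValidationInfoDTO();
                keyValidationInfo.setAuthorized(false);
                keyValidationInfo.setValidationStatus(APISecurityConstants.API_AUTH_INCORRECT_API_RESOURCE);
            } else {
                if (apiKey == null || apiContext == null || apiVersion == null) {
                    if (log.isDebugEnabled()) {
                        if (apiKey == null) {
                            log.debug("OAuth headers not found");
                        } else if (apiContext == null) {
                            log.debug("Couldn't find API Context");
                        } else {
                            log.debug("Could not find api version");
                        }
                    }
                    return new AuthenticationResponse(false, this.isMandatory, true, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, "Required OAuth credentials not provided");
                }
                if (jwtKeyManagerElected) {
                    try {
                        AuthenticationContext jwtContext = this.jwtValidator.authenticate(signedJWTInfo, messageContext);
                        APISecurityUtils.setAuthenticationContext(messageContext, jwtContext, this.securityContextHeader);
                        log.debug("User is authorized using JWT token to access the resource.");
                        messageContext.setProperty(APIMgtGatewayConstants.END_USER_NAME, jwtContext.getUsername());
                        return new AuthenticationResponse(true, this.isMandatory, false, 0, null);
                    } catch (APISecurityException e) {
                        return new AuthenticationResponse(false, this.isMandatory, true, e.getErrorCode(), e.getMessage());
                    }
                }
                if (log.isDebugEnabled()) {
                    // Plain concatenation: the elected resource property may be absent.
                    log.debug("Matching resource is: " + matchingResource);
                }
                Timer.Context keyValidationTimer = getTimer(MetricManager.name("org.wso2.am", new String[]{getClass().getSimpleName(), "GET_KEY_VALIDATION_INFO"})).start();
                try {
                    keyValidationInfo = getAPIKeyValidator().getKeyValidationInfo(apiContext, apiKey, apiVersion, resourceAuthenticationScheme, matchingResource, httpMethod, defaultVersionInvoked, this.keyManagerList);
                } catch (APISecurityException e) {
                    return new AuthenticationResponse(false, this.isMandatory, true, e.getErrorCode(), e.getMessage());
                } finally {
                    keyValidationTimer.stop();
                }
                messageContext.setProperty(APIMgtGatewayConstants.APPLICATION_NAME, keyValidationInfo.getApplicationName());
                messageContext.setProperty(APIMgtGatewayConstants.END_USER_NAME, keyValidationInfo.getEndUserName());
                messageContext.setProperty(APIMgtGatewayConstants.SCOPES, keyValidationInfo.getScopes() == null ? null : keyValidationInfo.getScopes().toString());
            }

            if (!keyValidationInfo.isAuthorized()) {
                if (log.isDebugEnabled()) {
                    log.debug("User is NOT authorized to access the Resource");
                }
                return new AuthenticationResponse(false, this.isMandatory, true, keyValidationInfo.getValidationStatus(), "Access failure for API: " + apiContext + ", version: " + apiVersion + " status: (" + keyValidationInfo.getValidationStatus() + ") - " + APISecurityConstants.getAuthenticationFailureMessage(keyValidationInfo.getValidationStatus()));
            }

            AuthenticationContext authContext = toAuthenticationContext(keyValidationInfo, apiKey);
            APISecurityUtils.setAuthenticationContext(messageContext, authContext, this.securityContextHeader);
            // NOTE(review): the product fields are set only after the context has been attached;
            // if setAuthenticationContext snapshots the context they are not part of it — confirm intended.
            if (keyValidationInfo.getProductName() != null && keyValidationInfo.getProductProvider() != null) {
                authContext.setProductName(keyValidationInfo.getProductName());
                authContext.setProductProvider(keyValidationInfo.getProductProvider());
            }
            messageContext.setProperty(APIMgtGatewayConstants.API_PUBLISHER, keyValidationInfo.getApiPublisher());
            messageContext.setProperty("API_NAME", keyValidationInfo.getApiName());
            if ("GRAPHQL".equals(messageContext.getProperty("API_TYPE"))) {
                messageContext.setProperty("max_query_depth", Integer.valueOf(keyValidationInfo.getGraphQLMaxDepth()));
                messageContext.setProperty("max_query_complexity", Integer.valueOf(keyValidationInfo.getGraphQLMaxComplexity()));
            }
            if (log.isDebugEnabled()) {
                log.debug("User is authorized to access the Resource");
            }
            return new AuthenticationResponse(true, this.isMandatory, false, 0, null);
        } catch (APISecurityException e) {
            return new AuthenticationResponse(false, this.isMandatory, true, e.getErrorCode(), e.getMessage());
        }
    }

    /** Builds the generic "Invalid Credentials" failure response used by the JWT pre-checks. */
    private AuthenticationResponse invalidCredentials() {
        return new AuthenticationResponse(false, this.isMandatory, true, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
    }

    /**
     * Copies an authorized key-validation result into a fresh, authenticated context.
     *
     * @param info   the key-validation result (must be authorized)
     * @param apiKey the credential that was validated; stored on the context as the API key
     * @return a new context with the user, application, tier and throttling data filled in
     */
    private static AuthenticationContext toAuthenticationContext(APIKeyValidationInfoDTO info, String apiKey) {
        AuthenticationContext ctx = new AuthenticationContext();
        ctx.setAuthenticated(true);
        ctx.setTier(info.getTier());
        ctx.setApiKey(apiKey);
        ctx.setKeyType(info.getType());
        // An absent end user is reported as the anonymous user.
        ctx.setUsername(info.getEndUserName() != null ? info.getEndUserName() : Constants.ANONYMOUS_VALUE);
        ctx.setCallerToken(info.getEndUserToken());
        ctx.setApplicationId(info.getApplicationId());
        ctx.setApplicationUUID(info.getApplicationUUID());
        ctx.setApplicationGroupIds(info.getApplicationGroupIds());
        ctx.setApplicationName(info.getApplicationName());
        ctx.setApplicationTier(info.getApplicationTier());
        ctx.setSubscriber(info.getSubscriber());
        ctx.setConsumerKey(info.getConsumerKey());
        ctx.setApiTier(info.getApiTier());
        ctx.setThrottlingDataList(info.getThrottlingDataList());
        ctx.setSubscriberTenantDomain(info.getSubscriberTenantDomain());
        ctx.setSpikeArrestLimit(info.getSpikeArrestLimit());
        ctx.setSpikeArrestUnit(info.getSpikeArrestUnit());
        ctx.setStopOnQuotaReach(info.isStopOnQuotaReach());
        ctx.setIsContentAware(info.isContentAware());
        return ctx;
    }

    /**
     * Strips double quotes from a credential that starts or ends with one.
     * Every {@code "} in the value is removed in that case, not only the outer pair.
     *
     * @param credential the raw credential segment
     * @return the unquoted, trimmed credential
     */
    private String removeLeadingAndTrailing(String credential) {
        String unquoted = credential;
        if (credential.startsWith("\"") || credential.endsWith("\"")) {
            unquoted = credential.replace("\"", "");
        }
        return unquoted.trim();
    }

    /** Resolves the APIM configuration; overridable for testing. */
    protected APIManagerConfiguration getApiManagerConfiguration() {
        return ServiceReferenceHolder.getInstance().getAPIManagerConfiguration();
    }

    /** The WWW-Authenticate challenge returned to unauthenticated callers. */
    @Override
    public String getChallengeString() {
        return "Bearer realm=\"WSO2 API Manager\"";
    }

    /** The {@code Origin} header captured by the most recent {@link #authenticate} call. */
    @Override
    public String getRequestOrigin() {
        return this.requestOrigin;
    }

    /**
     * Returns the name of the header that carries the credential.
     *
     * <p>When unset, it is resolved once from the APIM configuration
     * ({@code AuthorizationHeader}) and falls back to the standard
     * {@code Authorization} header. If the configuration lookup fails the
     * error is logged and {@code null} is returned.
     */
    public String getSecurityHeader() {
        if (this.securityHeader == null) {
            try {
                this.securityHeader = APIUtil.getOAuthConfigurationFromAPIMConfig("AuthorizationHeader");
                if (this.securityHeader == null) {
                    this.securityHeader = APIMgtGatewayConstants.AUTHORIZATION;
                }
            } catch (APIManagementException e) {
                log.error("Error while reading authorization header from APIM configurations", e);
            }
        }
        return this.securityHeader;
    }

    public void setSecurityHeader(String securityHeader) {
        this.securityHeader = securityHeader;
    }

    public String getDefaultAPIHeader() {
        return this.defaultAPIHeader;
    }

    public void setDefaultAPIHeader(String defaultAPIHeader) {
        this.defaultAPIHeader = defaultAPIHeader;
    }

    public String getConsumerKeyHeaderSegment() {
        return this.consumerKeyHeaderSegment;
    }

    public void setConsumerKeyHeaderSegment(String consumerKeyHeaderSegment) {
        this.consumerKeyHeaderSegment = consumerKeyHeaderSegment;
    }

    public String getOauthHeaderSplitter() {
        return this.oauthHeaderSplitter;
    }

    public void setOauthHeaderSplitter(String oauthHeaderSplitter) {
        this.oauthHeaderSplitter = oauthHeaderSplitter;
    }

    public String getConsumerKeySegmentDelimiter() {
        return this.consumerKeySegmentDelimiter;
    }

    public void setConsumerKeySegmentDelimiter(String consumerKeySegmentDelimiter) {
        this.consumerKeySegmentDelimiter = consumerKeySegmentDelimiter;
    }

    /** Refreshes the context header from the JWT configuration (when set there) and returns it. */
    private String getSecurityContextHeader() {
        String jwtHeader = this.config.getJwtConfigurationDto().getJwtHeader();
        if (jwtHeader != null) {
            setSecurityContextHeader(jwtHeader);
        }
        return this.securityContextHeader;
    }

    private void setSecurityContextHeader(String securityContextHeader) {
        this.securityContextHeader = securityContextHeader;
    }

    /** Refreshes the removal flag from configuration (when set there) and returns it. */
    private boolean isRemoveOAuthHeadersFromOutMessage() {
        String configured = this.config.getFirstProperty("OAuthConfigurations.RemoveOAuthHeadersFromOutMessage");
        if (configured != null) {
            setRemoveOAuthHeadersFromOutMessage(Boolean.parseBoolean(configured));
        }
        return this.removeOAuthHeadersFromOutMessage;
    }

    private void setRemoveOAuthHeadersFromOutMessage(boolean remove) {
        this.removeOAuthHeadersFromOutMessage = remove;
    }

    public boolean isRemoveDefaultAPIHeaderFromOutMessage() {
        return this.removeDefaultAPIHeaderFromOutMessage;
    }

    public void setRemoveDefaultAPIHeaderFromOutMessage(boolean remove) {
        this.removeDefaultAPIHeaderFromOutMessage = remove;
    }

    public void setRequestOrigin(String requestOrigin) {
        this.requestOrigin = requestOrigin;
    }

    /** Looks up the INFO-level metrics timer with the given name; overridable for testing. */
    protected Timer getTimer(String name) {
        return MetricManager.timer(Level.INFO, name);
    }

    /** The key validator in use (may be {@code null} before the first request). */
    protected APIKeyValidator getAPIKeyValidator() {
        return this.keyValidator;
    }

    @Override
    public int getPriority() {
        return 10;
    }

    /**
     * Parses {@code token} as a signed JWT, reusing the gateway parse cache when present.
     *
     * <p>The cache is keyed by the signature segment; a cached entry is only reused
     * when its full token string equals {@code token}, so two tokens sharing a
     * signature segment cannot be confused.
     *
     * @param token the candidate JWT (caller has already checked it contains exactly two dots)
     * @return the parsed token with its claims
     * @throws ParseException if the token does not have three segments or cannot be parsed
     */
    private SignedJWTInfo getSignedJwt(String token) throws ParseException {
        String[] segments = token.split("\\.");
        // A trailing empty segment (e.g. "a.b.") passes the dot count but splits into two parts.
        if (segments.length != 3) {
            throw new ParseException("Invalid JWT token. The expected token format is <header.payload.signature>", 0);
        }
        String signature = segments[2];
        Cache parseCache = CacheProvider.getGatewaySignedJWTParseCache();
        if (parseCache == null) {
            SignedJWT parsed = SignedJWT.parse(token);
            return new SignedJWTInfo(token, parsed, parsed.getJWTClaimsSet());
        }
        SignedJWTInfo cached = null;
        Object entry = parseCache.get(signature);
        if (entry != null) {
            cached = (SignedJWTInfo) entry;
        }
        if (cached == null || !cached.getToken().equals(token)) {
            SignedJWT parsed = SignedJWT.parse(token);
            cached = new SignedJWTInfo(token, parsed, parsed.getJWTClaimsSet());
            parseCache.put(signature, cached);
        }
        return cached;
    }
}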
