package org.wso2.carbon.apimgt.gateway.handlers.security.authenticator;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.swagger.v3.oas.models.OpenAPI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.cache.Cache;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.dto.JWTTokenPayloadInfo;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.threatprotection.utils.ThreatProtectorConstants;
import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.apimgt.gateway.utils.OpenAPIUtils;
import org.wso2.carbon.apimgt.impl.caching.CacheProvider;
import org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.keymgt.model.entity.API;
import org.wso2.carbon.context.PrivilegedCarbonContext;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/authenticator/InternalAPIKeyAuthenticator.class */
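/**
 * Gateway authenticator for WSO2 "Internal Keys": signed JWTs presented in a transport header
 * (the header name is given to the constructor) and marked as internal keys by their claims.
 * <p>
 * Authentication flow, as implemented here:
 * <ol>
 *   <li>Pull the token out of the transport headers (and strip the header so it is not forwarded).</li>
 *   <li>Structural checks: three dot-separated parts, parsable as a signed JWT, internal-key token
 *       type, and a non-empty {@code jti} (the {@code jti} is the cache key used below).</li>
 *   <li>Consult the valid / invalid key caches keyed by {@code jti}; a valid-cache hit only counts if
 *       the cached token string matches the presented token exactly.</li>
 *   <li>Otherwise verify the signature and expiry, and record the outcome in the caches.</li>
 *   <li>Validate the API subscription from the claims and set the authentication context.</li>
 * </ol>
 * Every rejection is reported to the caller as an {@link AuthenticationResponse} with
 * {@code API_AUTH_INVALID_CREDENTIALS} (or the generic 900900 code for parse failures), so that the
 * response does not reveal which check failed.
 */
public class InternalAPIKeyAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(InternalAPIKeyAuthenticator.class);
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String INVALID_CREDENTIALS_MESSAGE = "Invalid Credentials";

    /** Name of the transport header that carries the Internal Key. */
    private final String securityParam;

    /**
     * @param securityParam the transport header name in which clients send the Internal Key
     */
    public InternalAPIKeyAuthenticator(String securityParam) {
        this.securityParam = securityParam;
    }

    /** No initialisation is needed; caches are obtained lazily from {@link CacheProvider}. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void init(SynapseEnvironment synapseEnvironment) {
    }

    /** Nothing to release. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void destroy() {
    }

    /**
     * Authenticates the request using the Internal Key transport header.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return a successful response (authenticated, continue processing) or a failure response carrying
     *         the error code and message of the rejecting check; never throws for a malformed token
     */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public AuthenticationResponse authenticate(MessageContext messageContext) {
        API api = GatewayUtils.getAPI(messageContext);
        if (api == null) {
            return new AuthenticationResponse(false, true, false, 900900, "Unclassified Authentication Failure");
        }
        if (log.isDebugEnabled()) {
            // The original emitted this at INFO level inside an isDebugEnabled() guard; DEBUG is the intent.
            log.debug("Internal Key Authentication initialized");
        }
        try {
            String internalKey = extractInternalKey(messageContext);
            if (StringUtils.isEmpty(internalKey)) {
                // No header present: not our credential type, let the next authenticator have a go.
                return new AuthenticationResponse(false, false, true,
                        APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, INVALID_CREDENTIALS_MESSAGE);
            }
            OpenAPI openAPI = (OpenAPI) messageContext.getProperty(APIMgtGatewayConstants.OPEN_API_OBJECT);
            if (openAPI == null && !"GRAPHQL".equals(messageContext.getProperty("API_TYPE"))) {
                log.error("Swagger is missing in the gateway. Therefore, Internal Key authentication cannot be performed.");
                return new AuthenticationResponse(false, true, false,
                        APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF,
                        APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF_ERROR_MESSAGE);
            }

            // --- Structural validation of the token -------------------------------------------------
            String[] tokenParts = internalKey.split("\\.");
            if (tokenParts.length != 3) {
                log.error("Internal Key does not have the format {header}.{payload}.{signature} ");
                throw invalidCredentials();
            }
            // Only the (base64url) header segment is ever logged, and masked; never the payload or signature.
            String maskedToken = GatewayUtils.getMaskedToken(tokenParts[0]);

            SignedJWT signedJWT = SignedJWT.parse(internalKey);
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            String jwtId = claims.getJWTID();
            if (StringUtils.isEmpty(jwtId)) {
                // The jti is the key for all three caches below. javax.cache rejects a null key with a
                // NullPointerException, which would escape authenticate() as an unhandled error instead
                // of a clean credentials failure. Fail closed here instead.
                if (log.isDebugEnabled()) {
                    log.debug("Internal Key has no jti claim. Internal Key: " + maskedToken);
                }
                log.error("Invalid Internal Key. Missing jti claim.");
                throw invalidCredentials();
            }
            JWSHeader header = signedJWT.getHeader();
            // NOTE(review): the verification key alias is taken from the unverified "kid" header when
            // present. This is only safe if GatewayUtils.verifyTokenSignature resolves the alias against
            // a fixed set of trusted certificates (truststore) and nothing attacker-influenced; confirm
            // that, otherwise an attacker-chosen kid becomes a key-selection confusion vector.
            String internalApiKeyAlias = (header != null && StringUtils.isNotEmpty(header.getKeyID()))
                    ? header.getKeyID()
                    : APIUtil.getInternalApiKeyAlias();
            if (!GatewayUtils.isInternalKey(claims)) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Internal Key token type. Internal Key: " + maskedToken);
                }
                log.error("Invalid Internal Key token type.");
                throw invalidCredentials();
            }

            // --- Resource identification (used for throttling info and cache keys) --------------------
            String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
            String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
            String httpMethod = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext()
                    .getProperty(ThreatProtectorConstants.HTTP_METHOD);
            String electedResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");
            String resourceCacheKey = APIUtil.getResourceInfoDTOCacheKey(apiContext, apiVersion, electedResource, httpMethod);
            messageContext.setProperty("VERB_INFO", buildVerbInfo(httpMethod, resourceCacheKey, openAPI, messageContext));

            String accessTokenCacheKey = GatewayUtils.getAccessTokenCacheKey(jwtId, apiContext, apiVersion, electedResource, httpMethod);
            String tenantDomain = GatewayUtils.getTenantDomain();

            // --- Cache lookup ------------------------------------------------------------------------
            // cachedPayloadInfo is only retained when the cached token is byte-for-byte the presented
            // one; otherwise the presented token's own claims must be used (and overwrite the cache entry)
            // rather than the claims of whatever token previously occupied this jti/resource slot.
            JWTTokenPayloadInfo cachedPayloadInfo = null;
            boolean isVerified = false;
            if (getGatewayInternalKeyCache().get(jwtId) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Internal Key retrieved from the Internal Key cache.");
                }
                Object cachedEntry = getGatewayInternalKeyDataCache().get(accessTokenCacheKey);
                if (cachedEntry != null) {
                    JWTTokenPayloadInfo candidate = (JWTTokenPayloadInfo) cachedEntry;
                    // Constant-time compare: the cached string is a verified credential, so do not leak
                    // how many leading bytes of a guess match via early-exit String.equals.
                    if (constantTimeEquals(candidate.getAccessToken(), internalKey)) {
                        cachedPayloadInfo = candidate;
                        isVerified = true;
                    }
                }
            } else if (getInvalidGatewayInternalKeyCache().get(jwtId) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Internal Key retrieved from the invalid Internal Key cache. Internal Key: " + maskedToken);
                }
                log.error("Invalid Internal Key." + maskedToken);
                throw invalidCredentials();
            }

            // --- Cryptographic verification on cache miss -------------------------------------------
            if (!isVerified) {
                if (log.isDebugEnabled()) {
                    log.debug("Internal Key not found in the cache.");
                }
                isVerified = GatewayUtils.verifyTokenSignature(signedJWT, internalApiKeyAlias)
                        && !GatewayUtils.isJwtTokenExpired(claims);
                if (isVerified) {
                    getGatewayInternalKeyCache().put(jwtId, tenantDomain);
                } else {
                    getInvalidGatewayInternalKeyCache().put(jwtId, tenantDomain);
                }
                if (!SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                    // Mirror a positive result into the super-tenant cache as well. Only the valid-key
                    // cache is mirrored here; the invalid-key cache is not -- whether that asymmetry is
                    // intentional cannot be determined from this class.
                    try {
                        PrivilegedCarbonContext.startTenantFlow();
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(SUPER_TENANT_DOMAIN, true);
                        if (isVerified) {
                            getGatewayInternalKeyCache().put(jwtId, tenantDomain);
                        }
                    } finally {
                        // Always unwind the tenant flow, even if the cache put or setTenantDomain throws.
                        PrivilegedCarbonContext.endTenantFlow();
                    }
                }
            }
            if (!isVerified) {
                if (log.isDebugEnabled()) {
                    log.debug("Internal Key signature verification failure. Internal Key: " + maskedToken);
                }
                log.error("Invalid Internal Key. Signature verification failed.");
                throw invalidCredentials();
            }
            if (log.isDebugEnabled()) {
                log.debug("Internal Key signature is verified.");
            }

            // --- Expiry re-check for cached tokens / cache population for fresh ones -----------------
            JWTClaimsSet effectiveClaims = claims;
            if (cachedPayloadInfo != null) {
                // A cache hit skipped the expiry check above, so it has to be repeated on the cached payload.
                effectiveClaims = cachedPayloadInfo.getPayload();
                if (GatewayUtils.isJwtTokenExpired(effectiveClaims)) {
                    getGatewayInternalKeyCache().remove(jwtId);
                    getInvalidGatewayInternalKeyCache().put(jwtId, tenantDomain);
                    log.error("Internal Key is expired");
                    throw invalidCredentials();
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("InternalKey payload not found in the cache.");
                }
                JWTTokenPayloadInfo payloadInfo = new JWTTokenPayloadInfo();
                payloadInfo.setPayload(claims);
                payloadInfo.setAccessToken(internalKey);
                getGatewayInternalKeyDataCache().put(accessTokenCacheKey, payloadInfo);
            }

            // --- Authorisation --------------------------------------------------------------------
            JSONObject subscription = GatewayUtils.validateAPISubscription(apiContext, apiVersion, effectiveClaims, tokenParts, false);
            if (log.isDebugEnabled()) {
                log.debug("Internal Key authentication successful.");
            }
            APISecurityUtils.setAuthenticationContext(messageContext,
                    GatewayUtils.generateAuthenticationContext(jwtId, effectiveClaims, subscription, api.getApiTier()));
            if (log.isDebugEnabled()) {
                log.debug("User is authorized to access the resource using Internal Key.");
            }
            return new AuthenticationResponse(true, true, false, 0, null);
        } catch (ParseException e) {
            // Thrown by SignedJWT.parse / getJWTClaimsSet for tokens that are not well-formed JWTs.
            log.error("Error while parsing Internal Key", e);
            return new AuthenticationResponse(false, true, false, 900900, "Unclassified Authentication Failure");
        } catch (APISecurityException e) {
            return new AuthenticationResponse(false, true, false, e.getErrorCode(), e.getMessage());
        }
    }

    /** Builds the single-entry VERB_INFO list describing the elected resource for downstream handlers. */
    private static List<VerbInfoDTO> buildVerbInfo(String httpMethod, String requestKey, OpenAPI openAPI,
                                                   MessageContext messageContext) {
        VerbInfoDTO verbInfo = new VerbInfoDTO();
        verbInfo.setHttpVerb(httpMethod);
        // Internal Keys bypass the resource-level auth type; "None" is what the original set here.
        verbInfo.setAuthType("None");
        verbInfo.setRequestKey(requestKey);
        verbInfo.setThrottling(OpenAPIUtils.getResourceThrottlingTier(openAPI, messageContext));
        List<VerbInfoDTO> verbInfoList = new ArrayList<>(1);
        verbInfoList.add(verbInfo);
        return verbInfoList;
    }

    /** The uniform rejection used for every credential failure, so callers cannot distinguish the cause. */
    private static APISecurityException invalidCredentials() {
        return new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, INVALID_CREDENTIALS_MESSAGE);
    }

    /**
     * Compares two secrets without short-circuiting on the first mismatching byte.
     *
     * @return {@code true} only if both are non-null and byte-for-byte equal in UTF-8
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the Internal Key from the transport headers and removes the header so the credential is
     * not forwarded to the backend.
     *
     * @return the trimmed header value, or {@code null} if the header map or the header is absent
     */
    private String extractInternalKey(MessageContext messageContext) {
        Map headers = (Map) ((Axis2MessageContext) messageContext).getAxis2MessageContext()
                .getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
        if (headers == null) {
            return null;
        }
        String rawValue = (String) headers.get(this.securityParam);
        if (rawValue == null) {
            return null;
        }
        headers.remove(this.securityParam);
        return rawValue.trim();
    }

    /** jti -> tenant domain, for keys whose signature and expiry have been verified. */
    private Cache getGatewayInternalKeyCache() {
        return CacheProvider.getGatewayInternalKeyCache();
    }

    /** jti -> tenant domain, for keys that failed verification or were found expired. */
    private Cache getInvalidGatewayInternalKeyCache() {
        return CacheProvider.getInvalidGatewayInternalKeyCache();
    }

    /** access-token cache key -> {@link JWTTokenPayloadInfo} (full token string plus parsed claims). */
    private Cache getGatewayInternalKeyDataCache() {
        return CacheProvider.getGatewayInternalKeyDataCache();
    }

    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getChallengeString() {
        return "Internal API Key realm=\"WSO2 API Manager\"";
    }

    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getRequestOrigin() {
        return null;
    }

    /** Negative priority: runs ahead of the default authenticators in the chain. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public int getPriority() {
        return -10;
    }
}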
