package org.wso2.carbon.apimgt.gateway.handlers.security.apikey;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import io.swagger.v3.oas.models.OpenAPI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.cache.Cache;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.util.xpath.SynapseXPath;
import org.jaxen.JaxenException;
import org.json.JSONException;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTInfoDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.exception.JWTGeneratorException;
import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.dto.JWTTokenPayloadInfo;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.jwt.RevokedJWTDataHolder;
import org.wso2.carbon.apimgt.gateway.threatprotection.utils.ThreatProtectorConstants;
import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.apimgt.gateway.utils.OpenAPIUtils;
import org.wso2.carbon.apimgt.impl.caching.CacheProvider;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;
import org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO;
import org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.impl.utils.SigningUtil;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.class */
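/**
 * Gateway {@link Authenticator} for API keys that are presented as signed JWTs
 * ({@code header.payload.signature}).
 *
 * <p>The key is read from a transport header named by {@code securityParam} or, failing that, from the
 * {@code apikey} query parameter. The token type, key id, revocation state, signature, expiry and the
 * {@code permittedIP} / {@code permittedReferer} claims are checked before the API subscription is
 * validated and the authentication context is set on the message.
 *
 * <p>Thread-safety: the lazily initialised instance fields are written without any synchronization
 * visible in this class.
 */
public class ApiKeyAuthenticator implements Authenticator {
    // The four fields below are resolved lazily on the first authenticate() call.
    private Boolean jwtGenerationEnabled = null;
    private AbstractAPIMgtGatewayJWTGenerator apiMgtGatewayJWTGenerator = null;
    private ExtendedJWTConfigurationDto jwtConfigurationDto = null;
    private Boolean isGatewayTokenCacheEnabled = null;
    // Written by setContextHeader(); getContextHeader() does not read it (it queries the configuration).
    private String contextHeader = null;
    // Name of the transport header that carries the API key.
    private String securityParam;
    private String apiLevelPolicy;
    private boolean isMandatory;
    private static final Log log = LogFactory.getLog(ApiKeyAuthenticator.class);
    // The three static fields below are not referenced anywhere else in this class.
    private static boolean gatewayApiKeyKeyCacheInit = false;
    private static boolean gatewayInvalidApiKeyCacheInit = false;
    private static volatile long ttl = -1;

    /**
     * Creates an authenticator.
     *
     * @param securityParam  name of the transport header that carries the API key
     * @param apiLevelPolicy API-level policy passed on when the authentication context is generated
     * @param isMandatory    flag copied into every {@link AuthenticationResponse} this instance returns
     */
    public ApiKeyAuthenticator(String securityParam, String apiLevelPolicy, boolean isMandatory) {
        this.securityParam = securityParam;
        this.apiLevelPolicy = apiLevelPolicy;
        this.isMandatory = isMandatory;
    }

    /** No initialisation is performed. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void init(SynapseEnvironment synapseEnvironment) {
    }

    /** No resources are released. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void destroy() {
    }

    /**
     * Authenticates the request using the API key it carries.
     *
     * <p>Order of checks: token shape (three dot-separated parts), JWT type header, API-key marker claim,
     * presence of a key id, cache / revocation lookup, signature verification (when no matching cached
     * token was found), expiry, IP / referer restrictions, then subscription validation. When backend JWT
     * generation is enabled a backend JWT is generated (or taken from the cache) and attached to the
     * authentication context.
     *
     * @param messageContext the Synapse message context of the request
     * @return a successful response, or a failed response carrying the error code and message of the
     *         check that rejected the request
     */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public AuthenticationResponse authenticate(MessageContext messageContext) {
        if (log.isDebugEnabled()) {
            // Logged at debug level to agree with the guard above (the original used info here).
            log.debug("ApiKey Authentication initialized");
        }
        try {
            String apiKey = extractApiKey(messageContext);
            JWTTokenPayloadInfo cachedPayloadInfo = null;
            if (this.jwtConfigurationDto == null) {
                this.jwtConfigurationDto = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto();
            }
            if (this.jwtGenerationEnabled == null) {
                this.jwtGenerationEnabled = Boolean.valueOf(this.jwtConfigurationDto.isEnabled());
            }
            if (this.apiMgtGatewayJWTGenerator == null) {
                this.apiMgtGatewayJWTGenerator = ServiceReferenceHolder.getInstance().getApiMgtGatewayJWTGenerator().get(this.jwtConfigurationDto.getGatewayJWTGeneratorImpl());
            }
            String tenantDomain = GatewayUtils.getTenantDomain();
            int tenantId = APIUtil.getTenantIdFromTenantDomain(tenantDomain);
            if (this.jwtGenerationEnabled.booleanValue()) {
                // NOTE(review): the signing key and certificate are written into a DTO obtained from the
                // gateway configuration on every request. If that DTO instance is shared between threads
                // or tenants, concurrent requests could observe each other's key material - confirm
                // whether getJwtConfigurationDto() returns a shared object.
                if (this.jwtConfigurationDto.isTenantBasedSigningEnabled()) {
                    this.jwtConfigurationDto.setPublicCert(SigningUtil.getPublicCertificate(tenantId));
                    this.jwtConfigurationDto.setPrivateKey(SigningUtil.getSigningKey(tenantId));
                } else {
                    this.jwtConfigurationDto.setPublicCert(ServiceReferenceHolder.getInstance().getPublicCert());
                    this.jwtConfigurationDto.setPrivateKey(ServiceReferenceHolder.getInstance().getPrivateKey());
                }
                this.jwtConfigurationDto.setTtl(org.wso2.carbon.apimgt.impl.utils.GatewayUtils.getTtl());
                this.apiMgtGatewayJWTGenerator.setJWTConfigurationDto(this.jwtConfigurationDto);
            }
            String[] tokenParts = apiKey.split("\\.");
            if (tokenParts.length != 3) {
                log.error("Api Key does not have the format {header}.{payload}.{signature} ");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            // Everything read from the token between here and the signature check is unverified input.
            SignedJWT signedJwt = SignedJWT.parse(apiKey);
            JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
            JWSHeader header = signedJwt.getHeader();
            String jwtid = claims.getJWTID();
            if (!JOSEObjectType.JWT.equals(header.getType())) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Api Key token type. Api Key: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                }
                log.error("Invalid Api Key token type.");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            if (!GatewayUtils.isAPIKey(claims)) {
                log.error("Invalid Api Key. Internal Key Sent");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            if (header.getKeyID() == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid Api Key. Could not find alias in header. Api Key: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                }
                log.error("Invalid Api Key. Could not find alias in header");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            String keyId = header.getKeyID();
            String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
            String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
            String httpMethod = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext().getProperty(ThreatProtectorConstants.HTTP_METHOD);
            String electedResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");
            OpenAPI openAPI = (OpenAPI) messageContext.getProperty(APIMgtGatewayConstants.OPEN_API_OBJECT);
            if (openAPI == null && !"GRAPHQL".equals(messageContext.getProperty("API_TYPE"))) {
                log.error("Swagger is missing in the gateway. Therefore, Api Key authentication cannot be performed.");
                return new AuthenticationResponse(false, this.isMandatory, true, APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF, APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF_ERROR_MESSAGE);
            }
            String resourceCacheKey = APIUtil.getResourceInfoDTOCacheKey(apiContext, apiVersion, electedResource, httpMethod);
            VerbInfoDTO verbInfoDTO = new VerbInfoDTO();
            verbInfoDTO.setHttpVerb(httpMethod);
            verbInfoDTO.setAuthType("None");
            verbInfoDTO.setRequestKey(resourceCacheKey);
            verbInfoDTO.setThrottling(OpenAPIUtils.getResourceThrottlingTier(openAPI, messageContext));
            ArrayList<VerbInfoDTO> verbInfoList = new ArrayList<>();
            verbInfoList.add(verbInfoDTO);
            messageContext.setProperty("VERB_INFO", verbInfoList);
            String accessTokenCacheKey = GatewayUtils.getAccessTokenCacheKey(jwtid, apiContext, apiVersion, electedResource, httpMethod);
            boolean signatureVerified = false;
            if (this.isGatewayTokenCacheEnabled == null) {
                this.isGatewayTokenCacheEnabled = Boolean.valueOf(GatewayUtils.isGatewayTokenCacheEnabled());
            }
            boolean cacheEnabled = this.isGatewayTokenCacheEnabled.booleanValue();
            if (cacheEnabled) {
                if (((String) getGatewayApiKeyCache().get(jwtid)) != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Api Key retrieved from the Api Key cache.");
                    }
                    // Single lookup: reading the entry twice could see it evicted in between and
                    // dereference null.
                    Object cachedEntry = getGatewayApiKeyDataCache().get(accessTokenCacheKey);
                    if (cachedEntry != null) {
                        cachedPayloadInfo = (JWTTokenPayloadInfo) cachedEntry;
                        // Only the exact token that was verified earlier may skip signature verification.
                        signatureVerified = cachedPayloadInfo.getAccessToken().equals(apiKey);
                    }
                } else {
                    // NOTE(review): the invalid-key cache is keyed by the jti claim, which is read before
                    // the signature is checked. A token that fails verification marks its jti as invalid
                    // (see the put below), so a genuine key with the same jti that is not in the valid
                    // cache would be rejected until the negative entry expires. Consider keying negative
                    // entries on a digest of the whole token instead.
                    if (getInvalidGatewayApiKeyCache().get(jwtid) != null) {
                        if (log.isDebugEnabled()) {
                            log.debug("Api Key retrieved from the invalid Api Key cache. Api Key: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                        }
                        log.error("Invalid Api Key." + GatewayUtils.getMaskedToken(tokenParts[0]));
                        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
                    }
                    if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(jwtid)) {
                        if (log.isDebugEnabled()) {
                            log.debug("Token retrieved from the revoked jwt token map. Token: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                        }
                        log.error("Invalid API Key. " + GatewayUtils.getMaskedToken(tokenParts[0]));
                        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid API Key");
                    }
                }
            } else if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(jwtid)) {
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the revoked jwt token map. Token: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                }
                log.error("Invalid JWT token. " + GatewayUtils.getMaskedToken(tokenParts[0]));
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
            }
            if (!signatureVerified) {
                if (log.isDebugEnabled()) {
                    log.debug("Api Key not found in the cache.");
                }
                try {
                    signedJwt = (SignedJWT) JWTParser.parse(apiKey);
                    claims = signedJwt.getJWTClaimsSet();
                    try {
                        signatureVerified = GatewayUtils.verifyTokenSignature(signedJwt, keyId);
                        if (cacheEnabled) {
                            if (signatureVerified) {
                                getGatewayApiKeyCache().put(jwtid, tenantDomain);
                            } else {
                                getInvalidGatewayApiKeyCache().put(jwtid, tenantDomain);
                            }
                            if (!"carbon.super".equals(tenantDomain)) {
                                // Record the same result again while running in the super-tenant flow;
                                // the tenant flow is always ended, also when an exception escapes.
                                try {
                                    PrivilegedCarbonContext.startTenantFlow();
                                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain("carbon.super", true);
                                    if (signatureVerified) {
                                        getGatewayApiKeyCache().put(jwtid, tenantDomain);
                                    } else {
                                        getInvalidGatewayApiKeyCache().put(jwtid, tenantDomain);
                                    }
                                } finally {
                                    PrivilegedCarbonContext.endTenantFlow();
                                }
                            }
                        }
                    } catch (APISecurityException e) {
                        // Error code 900901 is reported to the client with the generic message.
                        if (e.getErrorCode() == 900901) {
                            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
                        }
                        throw e;
                    }
                } catch (IllegalArgumentException | ParseException | JSONException e2) {
                    if (log.isDebugEnabled()) {
                        log.debug("Invalid Api Key. Api Key: " + GatewayUtils.getMaskedToken(tokenParts[0]), e2);
                    }
                    log.error("Invalid JWT token. Failed to decode the Api Key body.");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials", e2);
                }
            }
            if (!signatureVerified) {
                if (log.isDebugEnabled()) {
                    log.debug("Api Key signature verification failure. Api Key: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                }
                log.error("Invalid Api Key. Signature verification failed.");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            if (log.isDebugEnabled()) {
                log.debug("Api Key signature is verified.");
            }
            if (!cacheEnabled || cachedPayloadInfo == null) {
                if (log.isDebugEnabled()) {
                    log.debug("ApiKey payload not found in the cache.");
                }
                if (claims == null) {
                    try {
                        signedJwt = (SignedJWT) JWTParser.parse(apiKey);
                        claims = signedJwt.getJWTClaimsSet();
                    } catch (IllegalArgumentException | ParseException | JSONException e3) {
                        if (log.isDebugEnabled()) {
                            log.debug("Invalid ApiKey. ApiKey: " + GatewayUtils.getMaskedToken(tokenParts[0]));
                        }
                        log.error("Invalid Api Key. Failed to decode the Api Key body.");
                        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials", e3);
                    }
                }
                if (isJwtTokenExpired(claims)) {
                    if (cacheEnabled) {
                        // Move the expired key from the valid cache to the invalid cache.
                        getGatewayApiKeyCache().remove(jwtid);
                        getInvalidGatewayApiKeyCache().put(jwtid, tenantDomain);
                    }
                    log.error("Api Key is expired");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
                }
                validateAPIKeyRestrictions(claims, messageContext);
                if (cacheEnabled) {
                    JWTTokenPayloadInfo payloadInfo = new JWTTokenPayloadInfo();
                    payloadInfo.setPayload(claims);
                    payloadInfo.setAccessToken(apiKey);
                    getGatewayApiKeyDataCache().put(accessTokenCacheKey, payloadInfo);
                }
            } else {
                // Expiry and the IP / referer restrictions are re-checked on every request, also for
                // payloads served from the cache.
                claims = cachedPayloadInfo.getPayload();
                if (isJwtTokenExpired(claims)) {
                    getGatewayApiKeyCache().remove(jwtid);
                    getInvalidGatewayApiKeyCache().put(jwtid, tenantDomain);
                    log.error("Api Key is expired");
                    throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
                }
                validateAPIKeyRestrictions(claims, messageContext);
            }
            JSONObject subscription = GatewayUtils.validateAPISubscription(apiContext, apiVersion, claims, tokenParts, false);
            if (log.isDebugEnabled()) {
                log.debug("Api Key authentication successful.");
            }
            String backendJwt = null;
            String contextHeaderName = null;
            if (this.jwtGenerationEnabled.booleanValue()) {
                backendJwt = generateAndRetrieveBackendJWTToken(jwtid, GatewayUtils.generateJWTInfoDto(subscription, getJwtValidationInfo(new SignedJWTInfo(apiKey, signedJwt, claims)), (APIKeyValidationInfoDTO) null, messageContext));
                contextHeaderName = getContextHeader();
            }
            APISecurityUtils.setAuthenticationContext(messageContext, GatewayUtils.generateAuthenticationContext(jwtid, claims, subscription, getApiLevelPolicy(), backendJwt, messageContext), contextHeaderName);
            if (log.isDebugEnabled()) {
                log.debug("User is authorized to access the resource using Api Key.");
            }
            return new AuthenticationResponse(true, this.isMandatory, false, 0, null);
        } catch (APIManagementException e4) {
            log.error("Error while setting public cert/private key for backend jwt generation", e4);
            return new AuthenticationResponse(false, this.isMandatory, true, 900900, "Unclassified Authentication Failure");
        } catch (ParseException e5) {
            log.error("Error while parsing API Key", e5);
            return new AuthenticationResponse(false, this.isMandatory, true, 900900, "Unclassified Authentication Failure");
        } catch (APISecurityException e6) {
            return new AuthenticationResponse(false, this.isMandatory, true, e6.getErrorCode(), e6.getMessage());
        }
    }

    /**
     * Enforces the {@code permittedIP} and {@code permittedReferer} claims of the API key.
     *
     * <p>A client IP that matches one of the permitted networks ends the check immediately, before any
     * referer restriction is evaluated. The {@code Referer} header is supplied by the client, so the
     * referer restriction limits where a key is used from cooperating clients rather than proving origin.
     *
     * @param jWTClaimsSet   claims of the API key
     * @param messageContext the Synapse message context of the request
     * @throws APISecurityException with the forbidden error code when a restriction is not met
     */
    private void validateAPIKeyRestrictions(JWTClaimsSet jWTClaimsSet, MessageContext messageContext) throws APISecurityException {
        org.apache.axis2.context.MessageContext axis2MessageContext = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        String permittedIps = (String) jWTClaimsSet.getClaim("permittedIP");
        if (StringUtils.isNotEmpty(permittedIps)) {
            String clientIp = GatewayUtils.getIp(axis2MessageContext);
            // NOTE(review): when the client IP cannot be determined the IP restriction is skipped
            // (fail-open) and processing continues with the referer check. Confirm this is intended.
            if (StringUtils.isNotEmpty(clientIp)) {
                for (String permittedNetwork : permittedIps.split(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR)) {
                    if (APIUtil.isIpInNetwork(clientIp, permittedNetwork.trim())) {
                        return;
                    }
                }
                if (log.isDebugEnabled()) {
                    String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
                    String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
                    log.debug("Invocations to API: " + apiContext + ":" + apiVersion + " is not permitted for client with IP: " + clientIp);
                }
                throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "Access forbidden for the invocations");
            }
        }
        String permittedReferers = (String) jWTClaimsSet.getClaim("permittedReferer");
        if (StringUtils.isEmpty(permittedReferers)) {
            return;
        }
        Map<?, ?> transportHeaders = (Map<?, ?>) axis2MessageContext.getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
        if (transportHeaders == null) {
            // NOTE(review): a request without a transport-header map passes the referer restriction
            // (fail-open), whereas a missing Referer header below is rejected. Confirm this is intended.
            return;
        }
        String referer = (String) transportHeaders.get("Referer");
        if (StringUtils.isEmpty(referer)) {
            throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "Access forbidden for the invocations");
        }
        for (String permittedPattern : permittedReferers.split(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR)) {
            if (matchesRefererPattern(referer, permittedPattern.trim())) {
                return;
            }
        }
        if (log.isDebugEnabled()) {
            String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
            String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
            log.debug("Invocations to API: " + apiContext + ":" + apiVersion + " is not permitted for referer: " + referer);
        }
        throw new APISecurityException(APISecurityConstants.API_AUTH_FORBIDDEN, "Access forbidden for the invocations");
    }

    /**
     * Matches a referer against one permitted pattern in which {@code *} is the only wildcard.
     *
     * <p>The text between wildcards is quoted, so characters such as {@code .} and {@code ?} in the
     * permitted value match only themselves (unquoted, {@code .} would match any character and a value
     * with unbalanced regex syntax would raise an unchecked exception). Each {@code *} matches any run
     * of non-space characters.
     *
     * @param referer          the non-empty Referer header value
     * @param permittedPattern one trimmed entry of the {@code permittedReferer} claim
     * @return {@code true} when the whole referer matches the pattern
     */
    private static boolean matchesRefererPattern(String referer, String permittedPattern) {
        StringBuilder regex = new StringBuilder();
        // Limit -1 keeps trailing empty segments so that a trailing '*' is not lost.
        String[] literals = permittedPattern.split("\\*", -1);
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) {
                regex.append("[^ ]*");
            }
            regex.append(java.util.regex.Pattern.quote(literals[i]));
        }
        return referer.matches(regex.toString());
    }

    /**
     * Returns a backend JWT for the given API key, reusing a cached one when the token cache is enabled
     * and the cached token is judged still valid.
     *
     * @param str        the {@code jti} of the API key; last component of the cache key
     * @param jWTInfoDto data the backend JWT is generated from
     * @return the backend JWT
     * @throws APISecurityException when the JWT generator fails
     */
    private String generateAndRetrieveBackendJWTToken(String str, JWTInfoDto jWTInfoDto) throws APISecurityException {
        String cacheKey = jWTInfoDto.getApiContext().concat(":").concat(jWTInfoDto.getVersion()).concat(":").concat(str);
        boolean cacheEnabled = this.isGatewayTokenCacheEnabled.booleanValue();
        if (cacheEnabled) {
            Object cached = getGatewayApiKeyCache().get(cacheKey);
            if (cached != null) {
                String cachedToken = (String) cached;
                // Decode with an explicit charset instead of the platform default.
                String payloadJson = new String(Base64.getUrlDecoder().decode(cachedToken.split("\\.")[1]), StandardCharsets.UTF_8);
                long exp = new org.json.JSONObject(payloadJson).getLong("exp");
                long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
                // NOTE(review): exp is compared directly with a millisecond clock. JWT exp values are
                // conventionally seconds; if the generator writes seconds this is never true and the
                // cached token is never reused - confirm the unit the generator emits.
                boolean stillValid = exp - System.currentTimeMillis() > skewMillis;
                if (StringUtils.isNotEmpty(cachedToken) && stillValid) {
                    return cachedToken;
                }
            }
        }
        String backendJwt;
        try {
            backendJwt = this.apiMgtGatewayJWTGenerator.generateToken(jWTInfoDto);
        } catch (JWTGeneratorException e) {
            log.error("Error while Generating Backend JWT", e);
            throw new APISecurityException(900900, "Unclassified Authentication Failure", e);
        }
        if (cacheEnabled) {
            getGatewayApiKeyCache().put(cacheKey, backendJwt);
        }
        return backendJwt;
    }

    /**
     * Reads the API key from the request and removes it so it is not carried further.
     *
     * <p>The transport header named by {@code securityParam} is tried first and removed from the header
     * map when present. Otherwise the {@code apikey} query parameter is used and stripped from the REST
     * URL postfix. Keys sent in the query string can end up in access logs and intermediaries; the header
     * form avoids that.
     *
     * @param messageContext the Synapse message context of the request
     * @return the trimmed API key
     * @throws APISecurityException with the missing-credentials code when no key is found
     */
    private String extractApiKey(MessageContext messageContext) throws APISecurityException {
        org.apache.axis2.context.MessageContext axis2MessageContext = ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        Map<?, ?> transportHeaders = (Map<?, ?>) axis2MessageContext.getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
        if (transportHeaders != null) {
            String headerValue = (String) transportHeaders.get(this.securityParam);
            if (headerValue != null) {
                transportHeaders.remove(this.securityParam);
                return headerValue.trim();
            }
        }
        try {
            String queryValue = new SynapseXPath("$url:apikey").stringValueOf(messageContext);
            if (StringUtils.isNotBlank(queryValue)) {
                // NOTE(review): the single-argument URLEncoder.encode is deprecated and uses the platform
                // default encoding; kept because the charset overloads differ between Java versions.
                axis2MessageContext.setProperty(APIMgtGatewayConstants.REST_URL_POSTFIX, removeApiKeyFromQueryParameters((String) axis2MessageContext.getProperty(APIMgtGatewayConstants.REST_URL_POSTFIX), URLEncoder.encode(queryValue)));
                return queryValue.trim();
            }
            if (log.isDebugEnabled()) {
                log.debug("Api Key Authentication failed: Header or Query parameter with the name '".concat(this.securityParam).concat("' was not found."));
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
        } catch (JaxenException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving apikey from the request query params.", e);
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
        }
    }

    /**
     * Removes the {@code apikey} query parameter with the given (URL-encoded) value from a URL postfix.
     *
     * @param str  the REST URL postfix; {@code null} is returned unchanged
     * @param str2 the URL-encoded API key value to remove
     * @return the postfix without the parameter and without a dangling trailing {@code ?}
     */
    private String removeApiKeyFromQueryParameters(String str, String str2) {
        if (str == null) {
            return null;
        }
        String stripped = str.replace("?apikey=" + str2, "?").replace("&apikey=" + str2, "").replace("?&", "?");
        // Drop only the dangling trailing '?'; the original removed every '?' in the string here.
        if (stripped.endsWith("?")) {
            stripped = stripped.substring(0, stripped.length() - 1);
        }
        return stripped;
    }

    /**
     * Reports whether the claims verifier rejects the claims as expired, allowing the configured
     * timestamp skew.
     *
     * <p>Expiry is recognised by the verifier's exception message; any other verification failure is not
     * treated as expiry and yields {@code false}.
     *
     * @param jWTClaimsSet claims of the API key
     * @return {@code true} only when the verifier reports an expired JWT
     */
    private static boolean isJwtTokenExpired(JWTClaimsSet jWTClaimsSet) {
        int skewSeconds = (int) OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds();
        DefaultJWTClaimsVerifier verifier = new DefaultJWTClaimsVerifier();
        verifier.setMaxClockSkew(skewSeconds);
        try {
            verifier.verify(jWTClaimsSet);
        } catch (BadJWTException e) {
            // NOTE(review): matching on the message text depends on the library's wording staying the
            // same across versions.
            if ("Expired JWT".equals(e.getMessage())) {
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("Api Key claims verification reported a problem other than expiry; it is ignored here.", e);
            }
        }
        // Logged once; the original emitted this line twice when verification succeeded.
        if (log.isDebugEnabled()) {
            log.debug("Token is not expired. User: " + jWTClaimsSet.getSubject());
        }
        return false;
    }

    /**
     * Builds a {@link JWTValidationInfo} holding a copy of the claims and the subject of the API key.
     *
     * @param signedJWTInfo the parsed API key
     * @return validation info with claims and user set
     */
    private JWTValidationInfo getJwtValidationInfo(SignedJWTInfo signedJWTInfo) {
        JWTClaimsSet claims = signedJWTInfo.getJwtClaimsSet();
        JWTValidationInfo validationInfo = new JWTValidationInfo();
        validationInfo.setClaims(new HashMap<>(claims.getClaims()));
        validationInfo.setUser(claims.getSubject());
        return validationInfo;
    }

    /**
     * Base64url-decodes a string. Not called from within this class.
     *
     * @param str base64url text
     * @return the decoded bytes
     * @throws IllegalArgumentException when the input is not valid base64url
     */
    private byte[] decode(String str) throws IllegalArgumentException {
        return Base64.getUrlDecoder().decode(str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns the JWT header name from the gateway JWT configuration. The value passed to
     * {@link #setContextHeader(String)} is not consulted.
     */
    public String getContextHeader() {
        return ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto().getJwtHeader();
    }

    /** Stores the given value in the {@code contextHeader} field. */
    public void setContextHeader(String str) {
        this.contextHeader = str;
    }

    /** Cache used for valid API key ids (jti to tenant domain) and for generated backend JWTs. */
    private Cache getGatewayApiKeyCache() {
        return CacheProvider.getGatewayApiKeyCache();
    }

    /** Cache of API key ids that were rejected (failed signature verification or expired). */
    private Cache getInvalidGatewayApiKeyCache() {
        return CacheProvider.getInvalidGatewayApiKeyCache();
    }

    /** Cache of verified key payloads, keyed by the access-token cache key. */
    private Cache getGatewayApiKeyDataCache() {
        return CacheProvider.getGatewayApiKeyDataCache();
    }

    /** Returns the API-level policy given at construction. */
    private String getApiLevelPolicy() {
        return this.apiLevelPolicy;
    }

    /** Returns the challenge string for this authentication scheme. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getChallengeString() {
        return "API Key realm=\"WSO2 API Manager\"";
    }

    /** Always returns {@code null}. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getRequestOrigin() {
        return null;
    }

    /** Returns the fixed priority value 30. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public int getPriority() {
        return 30;
    }
}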
