package org.wso2.choreo.connect.enforcer.security.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.util.DateUtils;
import io.opentelemetry.context.Scope;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
import org.wso2.choreo.connect.enforcer.common.CacheProvider;
import org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.commons.model.ResourceConfig;
import org.wso2.choreo.connect.enforcer.commons.model.SecuritySchemaConfig;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.config.EnforcerConfig;
import org.wso2.choreo.connect.enforcer.config.dto.ExtendedTokenIssuerDto;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
import org.wso2.choreo.connect.enforcer.constants.GeneralErrorCodeConstants;
import org.wso2.choreo.connect.enforcer.dto.APIKeyValidationInfoDTO;
import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.exception.EnforcerException;
import org.wso2.choreo.connect.enforcer.security.Authenticator;
import org.wso2.choreo.connect.enforcer.security.KeyValidator;
import org.wso2.choreo.connect.enforcer.security.TokenValidationContext;
import org.wso2.choreo.connect.enforcer.security.jwt.SignedJWTInfo;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.JWTConstants;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.JWTValidator;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.RevokedJWTDataHolder;
import org.wso2.choreo.connect.enforcer.tracing.TracingConstants;
import org.wso2.choreo.connect.enforcer.tracing.TracingSpan;
import org.wso2.choreo.connect.enforcer.tracing.TracingTracer;
import org.wso2.choreo.connect.enforcer.tracing.Utils;
import org.wso2.choreo.connect.enforcer.util.BackendJwtUtils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;
import org.wso2.choreo.connect.enforcer.util.JWTUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.class */
/**
 * {@link Authenticator} for requests that carry a JWT in the configured auth header.
 *
 * <p>As visible in this listing, {@link #authenticate(RequestContext)} performs these steps in order:
 * decode the token, check it against the revoked-token map, validate it (optionally through the
 * gateway caches), validate the API subscription (from token claims or via the key manager),
 * validate scopes, and optionally generate a backend JWT that is added as a request header.
 *
 * <p>NOTE(review): this file is decompiler output (see the JADX warnings below). Local names are
 * synthetic, and some control flow, notably try/finally reconstruction and null checks rendered as
 * {@code != 0}, does not reflect compilable source. Treat it as a reading aid, not as the
 * authoritative implementation.
 */
public class JWTAuthenticator implements Authenticator {
    private static final Logger log = LogManager.getLogger(JWTAuthenticator.class);
    // Validator used for every token that is not answered from the caches.
    private final JWTValidator jwtValidator = new JWTValidator();
    // Snapshot of the cache setting taken once in the constructor.
    private final boolean isGatewayTokenCacheEnabled;
    // Only assigned when backend JWT generation is enabled in the config; otherwise stays null.
    private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;

    /**
     * Reads the enforcer configuration once: records whether the gateway token cache is enabled
     * and, if backend JWT generation is enabled, obtains the generator instance.
     */
    public JWTAuthenticator() {
        EnforcerConfig config = ConfigHolder.getInstance().getConfig();
        this.isGatewayTokenCacheEnabled = config.getCacheDto().isEnabled();
        if (config.getJwtConfigurationDto().isEnabled()) {
            this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator();
        }
    }

    /**
     * Decides whether this authenticator should handle the request.
     *
     * <p>This is a shape check only: the raw header value (including any scheme word in front of
     * the token) must split into exactly three dot-separated parts. No signature or claim is
     * inspected here; all trust decisions are made in {@link #authenticate(RequestContext)}.
     *
     * @param requestContext the current request
     * @return true when JWT/OAuth2 applies to the matched resource and the header looks like a
     *         three-part token
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public boolean canAuthenticate(RequestContext requestContext) {
        String retrieveAuthHeaderValue;
        return isJWTEnabled(requestContext) && (retrieveAuthHeaderValue = retrieveAuthHeaderValue(requestContext)) != null && retrieveAuthHeaderValue.split("\\.").length == 3;
    }

    /**
     * Reports whether the matched resource accepts OAuth2/JWT.
     *
     * <p>A resource with no security schemas at all is treated as JWT-enabled (the default).
     * Otherwise at least one referenced schema must be defined on the API with the OAuth2 type.
     *
     * @param requestContext the current request
     * @return true when JWT authentication applies to the matched resource
     */
    private boolean isJWTEnabled(RequestContext requestContext) {
        Map<String, List<String>> securitySchemas = requestContext.getMatchedResourcePath().getSecuritySchemas();
        if (securitySchemas.isEmpty()) {
            return true;
        }
        Map<String, SecuritySchemaConfig> securitySchemeDefinitions = requestContext.getMatchedAPI().getSecuritySchemeDefinitions();
        for (String str : securitySchemas.keySet()) {
            if (securitySchemeDefinitions.containsKey(str) && APIConstants.API_SECURITY_OAUTH2.equals(securitySchemeDefinitions.get(str).getType())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates the request from its bearer JWT and builds the resulting
     * {@link AuthenticationContext}.
     *
     * <p>NOTE(review): JADX reports "Finally extract failed" for this method. The nested
     * try/finally/catch blocks below duplicate span clean-up and include a constant-false guard, so
     * the exact span lifecycle and exception-wrapping scope of the original source cannot be read
     * off this listing.
     *
     * @param requestContext the current request; its properties and headers may be modified
     * @return the authentication context for a successfully validated token
     * @throws APISecurityException when credentials are missing, the token is revoked or invalid,
     *         or subscription or scope validation fails
     */
    /* JADX WARN: Finally extract failed */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        TracingTracer tracingTracer = null;
        TracingSpan tracingSpan = null;
        TracingSpan tracingSpan2 = null;
        Scope scope = null;
        TracingSpan tracingSpan3 = null;
        TracingSpan tracingSpan4 = null;
        try {
            if (Utils.tracingEnabled()) {
                tracingTracer = Utils.getGlobalTracer();
                tracingSpan2 = Utils.startSpan(TracingConstants.JWT_AUTHENTICATOR_SPAN, tracingTracer);
                scope = tracingSpan2.getSpan().makeCurrent();
                Utils.setTag(tracingSpan2, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID));
            }
            String retrieveAuthHeaderValue = retrieveAuthHeaderValue(requestContext);
            // NOTE(review): this is a substring match anywhere in the header value, not a check that
            // the value starts with the scheme, and toLowerCase() uses the default locale.
            // JWTConstants.BEARER is presumably the lower-case scheme name; confirm.
            if (retrieveAuthHeaderValue == null || !retrieveAuthHeaderValue.toLowerCase().contains(JWTConstants.BEARER)) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
            }
            // Take the second whitespace-separated piece as the token; if the value has no
            // whitespace, the whole header value is used as the token.
            String[] split = retrieveAuthHeaderValue.split("\\s");
            if (split.length > 1) {
                retrieveAuthHeaderValue = split[1];
            }
            String basePath = requestContext.getMatchedAPI().getBasePath();
            String name = requestContext.getMatchedAPI().getName();
            String version = requestContext.getMatchedAPI().getVersion();
            // API context passed to scope validation: "<basePath>/<version>".
            String str = basePath + "/" + version;
            ResourceConfig matchedResourcePath = requestContext.getMatchedResourcePath();
            Scope scope2 = null;
            try {
                try {
                    if (Utils.tracingEnabled()) {
                        tracingSpan = Utils.startSpan(TracingConstants.DECODE_TOKEN_HEADER_SPAN, tracingTracer);
                        scope2 = tracingSpan.getSpan().makeCurrent();
                        Utils.setTag(tracingSpan, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID));
                    }
                    // Parses the token; no validation result is available at this point.
                    SignedJWTInfo signedJwt = JWTUtils.getSignedJwt(retrieveAuthHeaderValue);
                    if (Utils.tracingEnabled()) {
                        scope2.close();
                        Utils.finishSpan(tracingSpan);
                    }
                    JWTClaimsSet jwtClaimsSet = signedJwt.getJwtClaimsSet();
                    // Identifier is the jti claim, or the signature when jti is empty. It is read
                    // from the token before getJwtValidationInfo has run.
                    String jWTTokenIdentifier = getJWTTokenIdentifier(signedJwt);
                    // Only the JWS header (not the payload or signature) is passed to the masking
                    // helper for logging.
                    String jWSHeader = signedJwt.getSignedJWT().getHeader().toString();
                    // Revocation is checked first, so a revoked identifier is rejected without
                    // running validation.
                    if (StringUtils.isNotEmpty(jWTTokenIdentifier) && RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(jWTTokenIdentifier)) {
                        if (log.isDebugEnabled()) {
                            log.debug("Token retrieved from the revoked jwt token map. Token: " + FilterUtils.getMaskedToken(jWSHeader));
                        }
                        log.error("Invalid JWT token. " + FilterUtils.getMaskedToken(jWSHeader));
                        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "Invalid JWT token");
                    }
                    JWTValidationInfo jwtValidationInfo = getJwtValidationInfo(signedJwt, jWTTokenIdentifier);
                    if (jwtValidationInfo == null) {
                        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
                    }
                    if (!jwtValidationInfo.isValid()) {
                        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), jwtValidationInfo.getValidationCode(), APISecurityConstants.getAuthenticationFailureMessage(jwtValidationInfo.getValidationCode()));
                    }
                    APIKeyValidationInfoDTO aPIKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
                    // NOTE(review): the lookup result is dereferenced below without a null check;
                    // presumably validation only succeeds for issuers present in this map. Confirm
                    // in JWTValidator.
                    ExtendedTokenIssuerDto extendedTokenIssuerDto = ConfigHolder.getInstance().getConfig().getIssuersMap().get(jwtValidationInfo.getIssuer());
                    Scope scope3 = null;
                    try {
                        if (extendedTokenIssuerDto.isValidateSubscriptions()) {
                            if (Utils.tracingEnabled()) {
                                tracingSpan3 = Utils.startSpan(TracingConstants.SUBSCRIPTION_VALIDATION_SPAN, tracingTracer);
                                scope3 = tracingSpan3.getSpan().makeCurrent();
                                Utils.setTag(tracingSpan3, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID));
                            }
                            // Try the subscription claims embedded in the token first. A null result
                            // means the token carried no subscription list, so fall back to the
                            // key manager.
                            if (validateSubscriptionFromClaim(name, version, jwtClaimsSet, split, aPIKeyValidationInfoDTO, true) == null) {
                                if (log.isDebugEnabled()) {
                                    log.debug("Begin subscription validation via Key Manager: " + jwtValidationInfo.getKeyManager());
                                }
                                aPIKeyValidationInfoDTO = validateSubscriptionUsingKeyManager(requestContext, jwtValidationInfo);
                                if (log.isDebugEnabled()) {
                                    log.debug("Subscription validation via Key Manager. Status: " + aPIKeyValidationInfoDTO.isAuthorized());
                                }
                                if (!aPIKeyValidationInfoDTO.isAuthorized()) {
                                    // Status 700700 is reported as "API blocked" with a
                                    // service-unavailable code; any other status is a subscription
                                    // failure.
                                    if (700700 != aPIKeyValidationInfoDTO.getValidationStatus()) {
                                        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), aPIKeyValidationInfoDTO.getValidationStatus(), "User is NOT authorized to access the Resource. API Subscription validation failed.");
                                    }
                                    requestContext.getProperties().put(APIConstants.MessageFormat.ERROR_MESSAGE, GeneralErrorCodeConstants.API_BLOCKED_MESSAGE);
                                    requestContext.getProperties().put(APIConstants.MessageFormat.ERROR_DESCRIPTION, GeneralErrorCodeConstants.API_BLOCKED_DESCRIPTION);
                                    throw new APISecurityException(APIConstants.StatusCodes.SERVICE_UNAVAILABLE.getCode(), aPIKeyValidationInfoDTO.getValidationStatus(), GeneralErrorCodeConstants.API_BLOCKED_MESSAGE);
                                }
                            }
                        } else {
                            // Subscription validation is disabled for this issuer: the request is
                            // attributed to a synthetic per-issuer application.
                            updateApplicationNameForSubscriptionDisabledKM(aPIKeyValidationInfoDTO, extendedTokenIssuerDto.getName());
                        }
                        if (Utils.tracingEnabled() && tracingSpan3 != null) {
                            scope3.close();
                            Utils.finishSpan(tracingSpan3);
                        }
                        Scope scope4 = null;
                        try {
                            if (Utils.tracingEnabled()) {
                                tracingSpan4 = Utils.startSpan(TracingConstants.SCOPES_VALIDATION_SPAN, tracingTracer);
                                scope4 = tracingSpan4.getSpan().makeCurrent();
                                Utils.setTag(tracingSpan4, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID));
                            }
                            validateScopes(str, version, matchedResourcePath, jwtValidationInfo, signedJwt);
                            if (Utils.tracingEnabled()) {
                                scope4.close();
                                Utils.finishSpan(tracingSpan4);
                            }
                            log.debug("JWT authentication successful.");
                            String str2 = null;
                            JWTConfigurationDto jwtConfigurationDto = ConfigHolder.getInstance().getConfig().getJwtConfigurationDto();
                            // When backend JWT generation is enabled, the generated token is written
                            // to the configured header, adding or overwriting it.
                            if (jwtConfigurationDto.isEnabled()) {
                                str2 = BackendJwtUtils.generateAndRetrieveJWTToken(this.jwtGenerator, jWTTokenIdentifier, FilterUtils.generateJWTInfoDto(null, jwtValidationInfo, aPIKeyValidationInfoDTO, requestContext), this.isGatewayTokenCacheEnabled);
                                requestContext.addOrModifyHeaders(jwtConfigurationDto.getJwtHeader(), str2);
                            }
                            AuthenticationContext generateAuthenticationContext = FilterUtils.generateAuthenticationContext(requestContext, jWTTokenIdentifier, jwtValidationInfo, aPIKeyValidationInfoDTO, str2, retrieveAuthHeaderValue, true);
                            // The key type claim, when present, is copied from the token onto the
                            // context.
                            if (jwtClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE) != null) {
                                generateAuthenticationContext.setKeyType(jwtClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE).toString());
                            }
                            if (Utils.tracingEnabled()) {
                                scope.close();
                                Utils.finishSpan(tracingSpan2);
                            }
                            return generateAuthenticationContext;
                        } catch (Throwable th) {
                            if (Utils.tracingEnabled()) {
                                scope4.close();
                                Utils.finishSpan(tracingSpan4);
                            }
                            throw th;
                        }
                    } finally {
                        // Decompiler artifact: the guard is constant-false, so this body never runs.
                        if (Utils.tracingEnabled() && 0 != 0) {
                            scope3.close();
                            Utils.finishSpan(null);
                        }
                    }
                } finally {
                    // Decompiler artifact (see the JADX warning on this method): as written this
                    // closes scope2 again on every exit path and finishes a null span.
                    if (Utils.tracingEnabled()) {
                        scope2.close();
                        Utils.finishSpan(null);
                    }
                }
            } catch (IllegalArgumentException | ParseException e) {
                // NOTE(review): in this listing the catch encloses everything after token parsing,
                // so an IllegalArgumentException raised by a later step would also be reported as
                // a decode failure. Possibly an artifact of the failed finally extraction.
                log.error("Failed to decode the token header", e);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "Not a JWT token. Failed to decode the token header", e);
            }
        } catch (Throwable th2) {
            // Close the outer authenticator span on any failure, then rethrow unchanged.
            if (Utils.tracingEnabled()) {
                scope.close();
                Utils.finishSpan(tracingSpan2);
            }
            throw th2;
        }
    }

    /**
     * Fills in a synthetic application for issuers that have subscription validation disabled.
     *
     * <p>The application is named {@code "anon:" + issuerName}, has id -1, a name-based UUID
     * derived from that name (so it is identical on every call for the same issuer) and the
     * tier "Unlimited".
     *
     * <p>NOTE(review): every token from such an issuer shares this one application identity and
     * tier, presumably including for application-level throttling and analytics; confirm
     * downstream.
     *
     * @param aPIKeyValidationInfoDTO DTO to populate
     * @param str name of the token issuer
     */
    private void updateApplicationNameForSubscriptionDisabledKM(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str) {
        String str2 = "anon:" + str;
        aPIKeyValidationInfoDTO.setApplicationName(str2);
        aPIKeyValidationInfoDTO.setApplicationId(-1);
        aPIKeyValidationInfoDTO.setApplicationUUID(UUID.nameUUIDFromBytes(str2.getBytes(StandardCharsets.UTF_8)).toString());
        aPIKeyValidationInfoDTO.setApplicationTier("Unlimited");
    }

    /**
     * Returns the challenge string for this authenticator.
     *
     * @return the fixed Bearer challenge with realm "Choreo Connect"
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getChallengeString() {
        return "Bearer realm=\"Choreo Connect\"";
    }

    /**
     * Returns the name of this authenticator.
     *
     * @return the fixed name "JWT"
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getName() {
        return "JWT";
    }

    /**
     * Reads the raw value of the auth header, using the header name resolved by
     * {@code FilterUtils.getAuthHeaderName}.
     *
     * @param requestContext the current request
     * @return the header value, or null when the header map has no entry under that name
     */
    private String retrieveAuthHeaderValue(RequestContext requestContext) {
        return requestContext.getHeaders().get(FilterUtils.getAuthHeaderName(requestContext));
    }

    /**
     * Returns the priority of this authenticator.
     *
     * @return the fixed priority 10
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public int getPriority() {
        return 10;
    }

    /**
     * Checks that the scopes granted to the token allow access to the matched resource.
     *
     * @param str API context, passed by the visible caller as {@code basePath + "/" + version}
     * @param str2 API version
     * @param resourceConfig the matched resource
     * @param jWTValidationInfo validation result that supplies the token's scopes
     * @param signedJWTInfo parsed token; its raw token string is set on the validation context
     * @throws APISecurityException with code 900910 when the scopes do not permit the resource, or
     *         900900 when the scope validator raises an {@link EnforcerException}
     */
    private void validateScopes(String str, String str2, ResourceConfig resourceConfig, JWTValidationInfo jWTValidationInfo, SignedJWTInfo signedJWTInfo) throws APISecurityException {
        try {
            APIKeyValidationInfoDTO aPIKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
            // Raw HashSet: the generic element type was lost in decompilation.
            HashSet hashSet = new HashSet();
            hashSet.addAll(jWTValidationInfo.getScopes());
            aPIKeyValidationInfoDTO.setScopes(hashSet);
            TokenValidationContext tokenValidationContext = new TokenValidationContext();
            tokenValidationContext.setValidationInfoDTO(aPIKeyValidationInfoDTO);
            tokenValidationContext.setAccessToken(signedJWTInfo.getToken());
            // NOTE(review): the "HTTP verb" is set from the resource path, upper-cased, not from an
            // HTTP method. If KeyValidator.validateScopes matches on the verb, this affects which
            // scope rules apply. Confirm against the original source; this may be a decompilation
            // or accessor-naming mismatch.
            tokenValidationContext.setHttpVerb(resourceConfig.getPath().toUpperCase());
            tokenValidationContext.setMatchingResourceConfig(resourceConfig);
            tokenValidationContext.setContext(str);
            tokenValidationContext.setVersion(str2);
            if (KeyValidator.validateScopes(tokenValidationContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("Scope validation successful for the resource: " + resourceConfig.getPath());
                }
            } else {
                // The resource path is embedded in the exception message as well as in the debug log.
                String str3 = "User is NOT authorized to access the Resource: " + resourceConfig.getPath() + ". Scope validation failed.";
                log.debug(str3);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900910, str3);
            }
        } catch (EnforcerException e) {
            // A failure inside the scope validator is reported as a general authentication error
            // rather than as a scope failure.
            log.error("Error while accessing backend services for token scope validation", e);
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900, "Error while accessing backend services for token scope validation", e);
        }
    }

    /**
     * Validates the subscription through {@code KeyValidator.validateSubscription}, using the
     * consumer key and key manager taken from the token's validation info.
     *
     * @param requestContext the current request; supplies the API UUID, base path and version
     * @param jWTValidationInfo validation result of the token
     * @return the subscription validation result
     * @throws APISecurityException with code 900908 when the validation info has no consumer key or
     *         no key manager, so no lookup can be made
     */
    private APIKeyValidationInfoDTO validateSubscriptionUsingKeyManager(RequestContext requestContext, JWTValidationInfo jWTValidationInfo) throws APISecurityException {
        String basePath = requestContext.getMatchedAPI().getBasePath();
        String version = requestContext.getMatchedAPI().getVersion();
        String uuid = requestContext.getMatchedAPI().getUuid();
        String consumerKey = jWTValidationInfo.getConsumerKey();
        String keyManager = jWTValidationInfo.getKeyManager();
        if (consumerKey != null && keyManager != null) {
            return KeyValidator.validateSubscription(uuid, basePath, version, consumerKey, keyManager);
        }
        log.debug("Cannot call Key Manager to validate subscription. Payload of the token does not contain the Authorized party - the party to which the ID Token was issued");
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
    }

    /**
     * Validates the subscription from claims carried in the token itself and copies user,
     * application and tier details onto the DTO.
     *
     * <p>The subscribed-APIs claim is scanned for an entry whose name and version equal the API's.
     * If the claim exists but has no such entry, access is denied. If the claim is absent, the
     * outcome depends on {@code z}.
     *
     * <p>NOTE(review): a missing application "id" ({@code getAsNumber("id")} returning null) or a
     * claim of an unexpected JSON type would raise an unchecked exception at the casts below, and
     * none is caught in this method. The visible caller invokes this only after the token validated
     * as valid, so the claims come from an accepted issuer; how such an exception is mapped to a
     * response is not visible here.
     *
     * @param str API name
     * @param str2 API version
     * @param jWTClaimsSet claims of the token
     * @param strArr used only for debug logging of element 0 through the masking helper; the
     *        visible caller passes the whitespace-split header value, so element 0 is the first
     *        word of the header rather than the token
     * @param aPIKeyValidationInfoDTO DTO to populate
     * @param z when true, a token without the subscribed-APIs claim yields null instead of a
     *        failure, so the caller can fall back to another validation path
     * @return the matching subscribed-API entry, or null when the claim is absent and {@code z} is
     *         true
     * @throws APISecurityException with code 900908 when no subscription matches or the claims
     *         cannot be parsed
     */
    private JSONObject validateSubscriptionFromClaim(String str, String str2, JWTClaimsSet jWTClaimsSet, String[] strArr, APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, boolean z) throws APISecurityException {
        JSONObject jSONObject = null;
        try {
            aPIKeyValidationInfoDTO.setEndUserName(jWTClaimsSet.getSubject());
            // The key type defaults to production when the token does not state one.
            if (jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE) != null) {
                aPIKeyValidationInfoDTO.setType(jWTClaimsSet.getStringClaim(APIConstants.JwtTokenConstants.KEY_TYPE));
            } else {
                aPIKeyValidationInfoDTO.setType(APIConstants.API_KEY_TYPE_PRODUCTION);
            }
            if (jWTClaimsSet.getClaim("consumerKey") != null) {
                aPIKeyValidationInfoDTO.setConsumerKey(jWTClaimsSet.getStringClaim("consumerKey"));
            }
            JSONObject jSONObjectClaim = jWTClaimsSet.getJSONObjectClaim("application");
            if (jSONObjectClaim != null) {
                aPIKeyValidationInfoDTO.setApplicationUUID(jSONObjectClaim.getAsString("uuid"));
                aPIKeyValidationInfoDTO.setApplicationId(jSONObjectClaim.getAsNumber("id").intValue());
                aPIKeyValidationInfoDTO.setApplicationName(jSONObjectClaim.getAsString("name"));
                aPIKeyValidationInfoDTO.setApplicationTier(jSONObjectClaim.getAsString("tier"));
                aPIKeyValidationInfoDTO.setSubscriber(jSONObjectClaim.getAsString("owner"));
                // A "bandwidthVolume" quota type marks the application as content-aware.
                if (jSONObjectClaim.containsKey(APIConstants.JwtTokenConstants.QUOTA_TYPE) && "bandwidthVolume".equals(jSONObjectClaim.getAsString(APIConstants.JwtTokenConstants.QUOTA_TYPE))) {
                    aPIKeyValidationInfoDTO.setContentAware(true);
                }
            }
            if (jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS) != null) {
                Iterator<Object> it = ((JSONArray) jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS)).iterator();
                // The loop has no early exit on a match: if several entries match, the last one
                // ends up in jSONObject.
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    JSONObject jSONObject2 = (JSONObject) it.next();
                    if (str.equals(jSONObject2.getAsString("name")) && str2.equals(jSONObject2.getAsString("version"))) {
                        jSONObject = jSONObject2;
                        aPIKeyValidationInfoDTO.setAuthorized(true);
                        String asString = jSONObject2.getAsString("subscriptionTier");
                        String asString2 = jSONObject2.getAsString(APIConstants.JwtTokenConstants.API_PUBLISHER);
                        String asString3 = jSONObject2.getAsString("subscriberTenantDomain");
                        if (asString != null) {
                            aPIKeyValidationInfoDTO.setTier(asString);
                            AuthenticatorUtils.populateTierInfo(aPIKeyValidationInfoDTO, jWTClaimsSet, asString);
                        }
                        if (asString2 != null) {
                            aPIKeyValidationInfoDTO.setApiPublisher(asString2);
                        }
                        if (asString3 != null) {
                            aPIKeyValidationInfoDTO.setSubscriberTenantDomain(asString3);
                        }
                        if (log.isDebugEnabled()) {
                            log.debug("User is subscribed to the API: " + str + ", version: " + str2 + ". Token: " + FilterUtils.getMaskedToken(strArr[0]));
                        }
                    }
                }
                // The claim is present but lists no entry for this API and version: deny.
                if (jSONObject == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("User is not subscribed to access the API: " + str + ", version: " + str2 + ". Token: " + FilterUtils.getMaskedToken(strArr[0]));
                    }
                    log.error("User is not subscribed to access the API.");
                    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("No subscription information found in the token.");
                }
                // No subscription claim at all: deny unless the caller asked for a null result.
                if (!z) {
                    log.error("User is not subscribed to access the API.");
                    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
                }
            }
            return jSONObject;
        } catch (ParseException e) {
            // NOTE(review): the exception is neither logged nor chained, so the failing claim
            // cannot be identified from the logs.
            log.error("Error while parsing jwt claims");
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
        }
    }

    /**
     * Returns the validation result for a token, from the gateway caches when possible and
     * otherwise by running {@link JWTValidator#validateJWTToken}.
     *
     * <p>The caches are consulted only when caching is enabled and this {@link SignedJWTInfo}
     * already carries a validation status other than NOT_VALIDATED. A freshly computed result is
     * stored in the valid-token or invalid-token cache and in the key cache under {@code str}.
     *
     * <p>Decompiler artifacts: {@code V ifPresent} and the {@code != 0} comparisons stand for
     * object values and null checks; this method does not compile as shown.
     *
     * <p>NOTE(review): all caches here are keyed by the token identifier alone, which is the jti
     * claim whenever one is present (see {@link #getJWTTokenIdentifier}). Two tokens with the same
     * jti therefore share cache entries, so correctness depends on jti values being unique across
     * all configured issuers. How SignedJWTInfo instances and their validation status are shared
     * between requests is not visible in this file; confirm in JWTUtils.
     *
     * @param signedJWTInfo parsed token; its validation status is updated after a fresh validation
     * @param str token identifier used as the cache key
     * @return the validation result; it may describe an invalid token
     * @throws APISecurityException with code 900900 when the validator raises an
     *         {@link EnforcerException}
     */
    /* JADX WARN: Multi-variable type inference failed */
    private JWTValidationInfo getJwtValidationInfo(SignedJWTInfo signedJWTInfo, String str) throws APISecurityException {
        String jWSHeader = signedJWTInfo.getSignedJWT().getHeader().toString();
        JWTValidationInfo jWTValidationInfo = null;
        if (this.isGatewayTokenCacheEnabled && !SignedJWTInfo.ValidationStatus.NOT_VALIDATED.equals(signedJWTInfo.getValidationStatus())) {
            V ifPresent = CacheProvider.getGatewayTokenCache().getIfPresent(str);
            if (ifPresent != 0 && ((Boolean) ifPresent).booleanValue() && SignedJWTInfo.ValidationStatus.VALID.equals(signedJWTInfo.getValidationStatus())) {
                // Previously valid: reuse the cached result if the key cache still holds it,
                // otherwise fall through to a full validation below.
                if (CacheProvider.getGatewayKeyCache().getIfPresent(str) != 0) {
                    JWTValidationInfo jWTValidationInfo2 = (JWTValidationInfo) CacheProvider.getGatewayKeyCache().getIfPresent(str);
                    // Expiry is re-checked on every cache hit. checkTokenExpiration marks the
                    // cached object itself invalid when the token has expired; its return value
                    // is the same object and is ignored here.
                    checkTokenExpiration(str, jWTValidationInfo2);
                    jWTValidationInfo = jWTValidationInfo2;
                }
            } else if (SignedJWTInfo.ValidationStatus.INVALID.equals(signedJWTInfo.getValidationStatus()) && CacheProvider.getInvalidTokenCache().getIfPresent(str) != 0) {
                // Previously invalid: answer from the cache without running validation again.
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the invalid token cache. Token: " + FilterUtils.getMaskedToken(jWSHeader));
                }
                log.error("Invalid JWT token. " + FilterUtils.getMaskedToken(jWSHeader));
                if (CacheProvider.getGatewayKeyCache().getIfPresent(str) != 0) {
                    jWTValidationInfo = (JWTValidationInfo) CacheProvider.getGatewayKeyCache().getIfPresent(str);
                } else {
                    // No stored details: synthesise an invalid result with the general error code.
                    log.warn("Token retrieved from the invalid token cache. But the validation info not found in the key cache for the Token: " + FilterUtils.getMaskedToken(jWSHeader));
                    jWTValidationInfo = new JWTValidationInfo();
                    jWTValidationInfo.setValidationCode(900900);
                    jWTValidationInfo.setValid(false);
                }
            }
        }
        if (jWTValidationInfo != null) {
            return jWTValidationInfo;
        }
        try {
            // Cache miss, caching disabled, or first sight of this token: run the validator.
            JWTValidationInfo validateJWTToken = this.jwtValidator.validateJWTToken(signedJWTInfo);
            signedJWTInfo.setValidationStatus(validateJWTToken.isValid() ? SignedJWTInfo.ValidationStatus.VALID : SignedJWTInfo.ValidationStatus.INVALID);
            if (this.isGatewayTokenCacheEnabled) {
                if (validateJWTToken.isValid()) {
                    CacheProvider.getGatewayTokenCache().put(str, true);
                } else {
                    CacheProvider.getInvalidTokenCache().put(str, true);
                }
                CacheProvider.getGatewayKeyCache().put(str, validateJWTToken);
            }
            return validateJWTToken;
        } catch (EnforcerException e) {
            // The cause is logged but not attached to the exception that is thrown.
            log.error("JWT Validation failed", e);
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
        }
    }

    /**
     * Re-checks the expiry of a cached validation result.
     *
     * <p>The token is still accepted when its expiry time is after the current time, allowing for
     * the configured timestamp skew. Otherwise the valid-token and backend-JWT cache entries are
     * invalidated, the identifier is added to the invalid-token cache, and the passed object is
     * marked invalid with code 900901.
     *
     * @param str token identifier used as the cache key
     * @param jWTValidationInfo cached validation result; modified in place when expired
     *        (assumes getExpiryTime() is epoch milliseconds, as java.util.Date expects; confirm)
     * @return the same {@code jWTValidationInfo} instance
     */
    private JWTValidationInfo checkTokenExpiration(String str, JWTValidationInfo jWTValidationInfo) {
        long timeStampSkewInSeconds = FilterUtils.getTimeStampSkewInSeconds();
        if (DateUtils.isAfter(new Date(jWTValidationInfo.getExpiryTime()), new Date(), timeStampSkewInSeconds)) {
            return jWTValidationInfo;
        }
        if (this.isGatewayTokenCacheEnabled) {
            CacheProvider.getGatewayTokenCache().invalidate(str);
            CacheProvider.getGatewayJWTTokenCache().invalidate(str);
            CacheProvider.getInvalidTokenCache().put(str, true);
        }
        jWTValidationInfo.setValid(false);
        jWTValidationInfo.setValidationCode(900901);
        return jWTValidationInfo;
    }

    /**
     * Returns the identifier used for revocation lookups and as the cache key.
     *
     * @param signedJWTInfo parsed token
     * @return the jti claim when it is non-empty, otherwise the string form of the token signature
     */
    private String getJWTTokenIdentifier(SignedJWTInfo signedJWTInfo) {
        String jwtid = signedJWTInfo.getJwtClaimsSet().getJWTID();
        return StringUtils.isNotEmpty(jwtid) ? jwtid : signedJWTInfo.getSignedJWT().getSignature().toString();
    }
}
