package org.wso2.micro.gateway.enforcer.security.jwt;

import com.google.common.cache.LoadingCache;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.util.DateUtils;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import java.util.Date;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import net.minidev.json.JSONArray;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.json.JSONObject;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTInfoDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.exception.JWTGeneratorException;
import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
import org.wso2.micro.gateway.enforcer.api.RequestContext;
import org.wso2.micro.gateway.enforcer.api.config.ResourceConfig;
import org.wso2.micro.gateway.enforcer.common.CacheProvider;
import org.wso2.micro.gateway.enforcer.common.ReferenceHolder;
import org.wso2.micro.gateway.enforcer.config.ConfigHolder;
import org.wso2.micro.gateway.enforcer.constants.APIConstants;
import org.wso2.micro.gateway.enforcer.constants.APISecurityConstants;
import org.wso2.micro.gateway.enforcer.dto.APIKeyValidationInfoDTO;
import org.wso2.micro.gateway.enforcer.exception.APISecurityException;
import org.wso2.micro.gateway.enforcer.exception.MGWException;
import org.wso2.micro.gateway.enforcer.security.AuthenticationContext;
import org.wso2.micro.gateway.enforcer.security.Authenticator;
import org.wso2.micro.gateway.enforcer.security.TokenValidationContext;
import org.wso2.micro.gateway.enforcer.security.jwt.validator.JWTConstants;
import org.wso2.micro.gateway.enforcer.security.jwt.validator.JWTValidator;
import org.wso2.micro.gateway.enforcer.security.jwt.validator.RevokedJWTDataHolder;
import org.wso2.micro.gateway.enforcer.util.FilterUtils;

/* loaded from: input_file:org/wso2/micro/gateway/enforcer/security/jwt/JWTAuthenticator.class */
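/**
 * Authenticates a request that carries a signed JWT in the {@code Authorization} header.
 *
 * <p>The flow is: parse the compact JWS (optionally from a parse cache), reject tokens listed in the
 * revoked-JWT map, validate signature/expiry via {@link JWTValidator} (optionally via the gateway
 * token caches), validate the API subscription (from the token claims or via the Key Manager),
 * validate scopes for the matched resource, and finally, when enabled, generate the backend JWT that
 * is forwarded to the upstream service.
 *
 * <p>Thread-safety: {@link #jwtGenerator} is (re)assigned on every request, so a shared instance of
 * this class publishes that field across threads without synchronization; the remaining fields are
 * effectively immutable after construction.
 */
public class JWTAuthenticator implements Authenticator {
    private static final Logger log = LogManager.getLogger((Class<?>) JWTAuthenticator.class);
    /** Tenant domain used for every key-validation handler lookup in this class. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Number of dot-separated segments (header.payload.signature) in a compact JWS. */
    private static final int JWS_SEGMENT_COUNT = 3;
    private final JWTValidator jwtValidator = new JWTValidator();
    private final boolean isGatewayTokenCacheEnabled =
            ConfigHolder.getInstance().getConfig().getCacheDto().isEnabled();
    // Re-resolved from JWTUtil on each call of generateAndRetrieveJWTToken(); kept as a field for
    // compatibility with the original layout.
    private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;

    /**
     * Returns {@code true} when the {@code Authorization} header is present and has exactly three
     * dot-separated segments, i.e. looks like a compact JWS.
     *
     * @param requestContext the request whose headers are inspected
     * @return whether this authenticator should handle the request
     */
    @Override // org.wso2.micro.gateway.enforcer.security.Authenticator
    public boolean canAuthenticate(RequestContext requestContext) {
        String authHeader = requestContext.getHeaders().get(JWTConstants.AUTHORIZATION);
        return authHeader != null && authHeader.split("\\.").length == JWS_SEGMENT_COUNT;
    }

    /**
     * Authenticates the request using the JWT in the {@code Authorization} header.
     *
     * @param requestContext the request; its matched API/resource is read and, when backend JWT
     *                       generation is enabled, a response header is added to it
     * @return the populated authentication context
     * @throws APISecurityException when the token is revoked, invalid, not subscribed, or lacks scopes
     * @throws SecurityException (unchecked) when the header value cannot be decoded as a JWT; callers
     *                           that only catch {@link APISecurityException} will not handle this case
     */
    @Override // org.wso2.micro.gateway.enforcer.security.Authenticator
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        String token = requestContext.getHeaders().get(JWTConstants.AUTHORIZATION);
        // "Bearer <token>": keep the second whitespace-separated word; a bare token is used as-is.
        String[] headerWords = token.split("\\s");
        if (headerWords.length > 1) {
            token = headerWords[1];
        }
        String basePath = requestContext.getMathedAPI().getAPIConfig().getBasePath();
        String apiName = requestContext.getMathedAPI().getAPIConfig().getName();
        String apiVersion = requestContext.getMathedAPI().getAPIConfig().getVersion();
        String apiContext = basePath + "/" + apiVersion;
        ResourceConfig matchedResource = requestContext.getMatchedResourcePath();
        // Dot-separated JWS segments; only the header segment is used, for masked logging.
        String[] tokenSegments = token.split("\\.");
        try {
            SignedJWTInfo signedJwt = getSignedJwt(token);
            JWTClaimsSet claims = signedJwt.getJwtClaimsSet();
            String tokenIdentifier = getJWTTokenIdentifier(signedJwt);
            String maskedHeader = FilterUtils.getMaskedToken(signedJwt.getSignedJWT().getHeader().toString());
            if (StringUtils.isNotEmpty(tokenIdentifier)
                    && RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(tokenIdentifier)) {
                if (log.isDebugEnabled()) {
                    log.debug("Token retrieved from the revoked jwt token map. Token: " + maskedHeader);
                }
                log.error("Invalid JWT token. " + maskedHeader);
                throw new APISecurityException(900901, "Invalid JWT token");
            }
            JWTValidationInfo validationInfo = getJwtValidationInfo(signedJwt, tokenIdentifier);
            if (validationInfo == null) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900,
                        APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
            }
            if (!validationInfo.isValid()) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
                        validationInfo.getValidationCode(),
                        APISecurityConstants.getAuthenticationFailureMessage(validationInfo.getValidationCode()));
            }
            // Fail closed if the token's issuer has no configuration instead of dereferencing null.
            if (ConfigHolder.getInstance().getConfig().getIssuersMap().get(validationInfo.getIssuer()) == null) {
                log.error("No issuer configuration found for the issuer of the presented token.");
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900,
                        APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
            }
            APIKeyValidationInfoDTO subscriptionInfo = null;
            boolean validateSubscriptions = ConfigHolder.getInstance().getConfig().getIssuersMap()
                    .get(validationInfo.getIssuer()).isValidateSubscriptions();
            // The claim-based check throws when the claim is present but does not list this API; it
            // returns null only when the claim is absent, in which case the Key Manager is consulted.
            if (validateSubscriptions
                    && validateSubscriptionFromClaim(apiName, apiVersion, claims, tokenSegments, true) == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Begin subscription validation via Key Manager: " + validationInfo.getKeyManager());
                }
                subscriptionInfo = validateSubscriptionUsingKeyManager(requestContext, validationInfo);
                if (log.isDebugEnabled()) {
                    log.debug("Subscription validation via Key Manager. Status: " + subscriptionInfo.isAuthorized());
                }
                if (!subscriptionInfo.isAuthorized()) {
                    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(),
                            subscriptionInfo.getValidationStatus(),
                            "User is NOT authorized to access the Resource. API Subscription validation failed.");
                }
            }
            validateScopes(apiContext, apiVersion, matchedResource, validationInfo, signedJwt);
            log.debug("JWT authentication successful.");
            String backendJwt = null;
            JWTConfigurationDto jwtConfigurationDto = ConfigHolder.getInstance().getConfig().getJwtConfigurationDto();
            if (jwtConfigurationDto.isEnabled()) {
                jwtConfigurationDto.setTtl(JWTUtil.getTTL());
                backendJwt = generateAndRetrieveJWTToken(tokenIdentifier,
                        FilterUtils.generateJWTInfoDto(null, validationInfo, subscriptionInfo, requestContext));
                requestContext.addResponseHeaders(jwtConfigurationDto.getJwtHeader(), backendJwt);
            }
            AuthenticationContext authContext = FilterUtils.generateAuthenticationContext(requestContext,
                    tokenIdentifier, validationInfo, subscriptionInfo, backendJwt, true);
            Object keyType = claims.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE);
            if (keyType != null) {
                authContext.setKeyType(keyType.toString());
            }
            return authContext;
        } catch (IllegalArgumentException | ParseException e) {
            log.error("Not a JWT token. Failed to decode the token header.", (Throwable) e);
            // Unchecked: preserved from the original contract so existing callers keep seeing the same type.
            throw new SecurityException("Not a JWT token. Failed to decode the token header.", e);
        }
    }

    /**
     * Returns the backend JWT for this request, reusing a still-fresh cached one when the gateway
     * token cache is enabled.
     *
     * @param tokenIdentifier identifier of the presented token (JWT ID or signature)
     * @param jwtInfoDto      data the generator builds the backend JWT from
     * @return the backend JWT, or {@code null} when no generator could be loaded
     * @throws APISecurityException when token generation fails
     */
    private String generateAndRetrieveJWTToken(String tokenIdentifier, JWTInfoDto jwtInfoDto)
            throws APISecurityException {
        log.debug("Inside generateAndRetrieveJWTToken");
        this.jwtGenerator = JWTUtil.getApiMgtGatewayJWTGenerator();
        if (this.jwtGenerator == null) {
            log.debug("Error while loading JWTGenerator");
            return null;
        }
        this.jwtGenerator.setJWTConfigurationDto(ConfigHolder.getInstance().getConfig().getJwtConfigurationDto());
        if (!this.isGatewayTokenCacheEnabled) {
            return generateBackendJwt(jwtInfoDto);
        }
        // Cache key is "<api context>:<version>:<token identifier>".
        String cacheKey = jwtInfoDto.getApicontext().concat(":").concat(jwtInfoDto.getVersion())
                .concat(":").concat(tokenIdentifier);
        String cachedToken = null;
        boolean cachedTokenFresh = false;
        try {
            Object cached = CacheProvider.getGatewayJWTTokenCache().get(cacheKey);
            if (cached != null) {
                cachedToken = (String) cached;
                cachedTokenFresh = isBackendJwtFresh(cachedToken);
            }
        } catch (Exception e) {
            // Best effort: a cache read or decode failure only costs a regeneration.
            log.error("Error while getting token from the cache", (Throwable) e);
        }
        if (StringUtils.isEmpty(cachedToken) || !cachedTokenFresh) {
            cachedToken = generateBackendJwt(jwtInfoDto);
            CacheProvider.getGatewayJWTTokenCache().put(cacheKey, cachedToken);
        }
        return cachedToken;
    }

    /**
     * Decodes the payload of a cached backend JWT and checks that its {@code exp} claim is still
     * more than the clock skew away.
     *
     * @param backendJwt compact JWS previously produced by the generator
     * @return {@code true} when the token may be reused
     */
    private boolean isBackendJwtFresh(String backendJwt) {
        String payloadJson = new String(Base64.getUrlDecoder().decode(backendJwt.split("\\.")[1]),
                StandardCharsets.UTF_8);
        long exp = new JSONObject(payloadJson).getLong("exp");
        // NOTE(review): "exp" is compared directly with currentTimeMillis(), which is only right if the
        // generator writes exp in milliseconds (RFC 7519 NumericDate is seconds) — confirm against
        // AbstractAPIMgtGatewayJWTGenerator; if it is seconds, this always regenerates.
        return exp - System.currentTimeMillis() > getTimeStampSkewInSeconds() * 1000;
    }

    /**
     * Generates a backend JWT with the currently loaded generator.
     *
     * @param jwtInfoDto data the generator builds the backend JWT from
     * @return the generated token
     * @throws APISecurityException wrapping the {@link JWTGeneratorException}
     */
    private String generateBackendJwt(JWTInfoDto jwtInfoDto) throws APISecurityException {
        try {
            return this.jwtGenerator.generateToken(jwtInfoDto);
        } catch (JWTGeneratorException e) {
            log.error("Error while Generating Backend JWT", (Throwable) e);
            throw new APISecurityException(900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE, e);
        }
    }

    /**
     * Validates the token's scopes against the matched resource through the super-tenant key
     * validation handler.
     *
     * @param apiContext     API context ({@code basePath/version})
     * @param apiVersion     API version
     * @param resourceConfig the matched resource
     * @param validationInfo validation result carrying the token's scopes and user
     * @param signedJWTInfo  the parsed token
     * @throws APISecurityException 900910 when scope validation fails, 900900 when the handler errors
     */
    private void validateScopes(String apiContext, String apiVersion, ResourceConfig resourceConfig,
            JWTValidationInfo validationInfo, SignedJWTInfo signedJWTInfo) throws APISecurityException {
        try {
            Set<String> tokenScopes = new HashSet<>(validationInfo.getScopes());
            APIKeyValidationInfoDTO keyValidationInfo = new APIKeyValidationInfoDTO();
            keyValidationInfo.setScopes(tokenScopes);
            TokenValidationContext validationContext = new TokenValidationContext();
            validationContext.setValidationInfoDTO(keyValidationInfo);
            validationContext.setAccessToken(signedJWTInfo.getToken());
            // NOTE(review): the HTTP-verb slot is filled with the upper-cased resource path, not the
            // request method (preserved as-is) — confirm what the scope validator expects here.
            validationContext.setHttpVerb(resourceConfig.getPath().toUpperCase(Locale.ROOT));
            validationContext.setMatchingResourceConfig(resourceConfig);
            validationContext.setContext(apiContext);
            validationContext.setVersion(apiVersion);
            boolean scopesValid = ReferenceHolder.getInstance().getKeyValidationHandler(SUPER_TENANT_DOMAIN)
                    .validateScopes(validationContext);
            if (!scopesValid) {
                String failure = "User is NOT authorized to access the Resource: " + resourceConfig.getPath()
                        + ". Scope validation failed.";
                log.debug(failure);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900910, failure);
            }
            if (log.isDebugEnabled()) {
                log.debug("Scope validation successful for the resource: " + resourceConfig + ", user: "
                        + validationInfo.getUser());
            }
        } catch (MGWException e) {
            log.error("Error while accessing backend services for token scope validation", (Throwable) e);
            throw new APISecurityException(900900,
                    "Error while accessing backend services for token scope validation", e);
        }
    }

    /**
     * Validates the subscription via the Key Manager using the matched API's base path and version.
     *
     * @param requestContext the request whose matched API is used
     * @param validationInfo validation result carrying consumer key and key manager
     * @return the Key Manager's verdict
     * @throws APISecurityException 900908 when the token lacks consumer key or key manager
     */
    private APIKeyValidationInfoDTO validateSubscriptionUsingKeyManager(RequestContext requestContext,
            JWTValidationInfo validationInfo) throws APISecurityException {
        String basePath = requestContext.getMathedAPI().getAPIConfig().getBasePath();
        String apiVersion = requestContext.getMathedAPI().getAPIConfig().getVersion();
        return validateSubscriptionUsingKeyManager(basePath, apiVersion, validationInfo);
    }

    /**
     * Validates the subscription via the super-tenant key validation handler.
     *
     * @param apiContext     API base path
     * @param apiVersion     API version
     * @param validationInfo validation result carrying consumer key and key manager
     * @return the Key Manager's verdict
     * @throws APISecurityException 900908 when the token lacks consumer key or key manager
     */
    private APIKeyValidationInfoDTO validateSubscriptionUsingKeyManager(String apiContext, String apiVersion,
            JWTValidationInfo validationInfo) throws APISecurityException {
        String consumerKey = validationInfo.getConsumerKey();
        String keyManager = validationInfo.getKeyManager();
        if (consumerKey == null || keyManager == null) {
            log.debug("Cannot call Key Manager to validate subscription. Payload of the token does not contain the "
                    + "Authorized party - the party to which the ID Token was issued");
            throw new APISecurityException(900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
        }
        return ReferenceHolder.getInstance().getKeyValidationHandler(SUPER_TENANT_DOMAIN)
                .validateSubscription(apiContext, apiVersion, consumerKey, keyManager);
    }

    /**
     * Looks the API up in the token's {@code subscribedAPIs} claim.
     *
     * @param apiName           API name to match against the claim entry's {@code name}
     * @param apiVersion        API version to match against the claim entry's {@code version}
     * @param claims            the token's claims
     * @param tokenSegments     dot-separated JWS segments; only {@code [0]} is used, for masked logging
     * @param allowMissingClaim when {@code true} an absent claim yields {@code null} instead of an error
     * @return the matching claim entry, or {@code null} when the claim is absent and allowed to be
     * @throws APISecurityException 900908 when the claim is present but does not list this API, or when
     *                              it is absent and {@code allowMissingClaim} is {@code false}
     */
    private net.minidev.json.JSONObject validateSubscriptionFromClaim(String apiName, String apiVersion,
            JWTClaimsSet claims, String[] tokenSegments, boolean allowMissingClaim) throws APISecurityException {
        Object subscribedApisClaim = claims.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS);
        if (subscribedApisClaim == null) {
            if (log.isDebugEnabled()) {
                log.debug("No subscription information found in the token.");
            }
            if (!allowMissingClaim) {
                log.error("User is not subscribed to access the API.");
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908,
                        APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
            }
            return null;
        }
        for (Object entry : (JSONArray) subscribedApisClaim) {
            net.minidev.json.JSONObject subscribedApi = (net.minidev.json.JSONObject) entry;
            if (apiName.equals(subscribedApi.getAsString("name"))
                    && apiVersion.equals(subscribedApi.getAsString("version"))) {
                if (log.isDebugEnabled()) {
                    log.debug("User is subscribed to the API: " + apiName + ", version: " + apiVersion
                            + ". Token: " + FilterUtils.getMaskedToken(tokenSegments[0]));
                }
                return subscribedApi;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("User is not subscribed to access the API: " + apiName + ", version: " + apiVersion
                    + ". Token: " + FilterUtils.getMaskedToken(tokenSegments[0]));
        }
        log.error("User is not subscribed to access the API.");
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908,
                APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
    }

    /**
     * Returns the validation result for the token, served from the gateway caches when enabled and
     * otherwise computed by {@link JWTValidator} and stored in them.
     *
     * @param signedJWTInfo   the parsed token
     * @param tokenIdentifier cache key (JWT ID or signature)
     * @return the validation result, never {@code null}
     * @throws APISecurityException 900900 when the validator fails
     */
    private JWTValidationInfo getJwtValidationInfo(SignedJWTInfo signedJWTInfo, String tokenIdentifier)
            throws APISecurityException {
        if (this.isGatewayTokenCacheEnabled) {
            JWTValidationInfo cached = lookupCachedValidationInfo(tokenIdentifier,
                    signedJWTInfo.getSignedJWT().getHeader().toString());
            if (cached != null) {
                return cached;
            }
        }
        try {
            JWTValidationInfo validationInfo = this.jwtValidator.validateJWTToken(signedJWTInfo);
            if (this.isGatewayTokenCacheEnabled) {
                if (validationInfo.isValid()) {
                    CacheProvider.getGatewayTokenCache().put(tokenIdentifier, true);
                } else {
                    CacheProvider.getInvalidTokenCache().put(tokenIdentifier, true);
                }
                CacheProvider.getGatewayKeyCache().put(tokenIdentifier, validationInfo);
            }
            return validationInfo;
        } catch (MGWException e) {
            // Keep the cause so the underlying validator failure stays diagnosable.
            log.error("Error while validating the JWT token", (Throwable) e);
            throw new APISecurityException(900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE, e);
        }
    }

    /**
     * Consults the gateway token, invalid-token and key caches for a previous verdict.
     *
     * @param tokenIdentifier cache key (JWT ID or signature)
     * @param jwsHeader       the token's JOSE header, masked before logging
     * @return the cached (possibly re-checked for expiry) verdict, or {@code null} when no usable entry
     *         exists and the validator must run
     */
    private JWTValidationInfo lookupCachedValidationInfo(String tokenIdentifier, String jwsHeader) {
        Object cachedVerdict = CacheProvider.getGatewayTokenCache().getIfPresent(tokenIdentifier);
        if (cachedVerdict != null && ((Boolean) cachedVerdict).booleanValue()) {
            Object cachedInfo = CacheProvider.getGatewayKeyCache().getIfPresent(tokenIdentifier);
            if (cachedInfo == null) {
                return null;
            }
            // A cached "valid" verdict is re-checked against expiry on every use.
            return checkTokenExpiration(tokenIdentifier, (JWTValidationInfo) cachedInfo);
        }
        if (CacheProvider.getInvalidTokenCache().getIfPresent(tokenIdentifier) == null) {
            return null;
        }
        String maskedHeader = FilterUtils.getMaskedToken(jwsHeader);
        if (log.isDebugEnabled()) {
            log.debug("Token retrieved from the invalid token cache. Token: " + maskedHeader);
        }
        log.error("Invalid JWT token. " + maskedHeader);
        Object cachedInfo = CacheProvider.getGatewayKeyCache().getIfPresent(tokenIdentifier);
        if (cachedInfo != null) {
            return (JWTValidationInfo) cachedInfo;
        }
        log.warn("Token retrieved from the invalid token cache. But the validation info not found in the key cache "
                + "for the Token: " + maskedHeader);
        JWTValidationInfo invalidInfo = new JWTValidationInfo();
        invalidInfo.setValidationCode(900900);
        invalidInfo.setValid(false);
        return invalidInfo;
    }

    /**
     * Marks a cached validation result invalid (code 900901) once the token's expiry time is no longer
     * after "now" allowing for clock skew, and evicts it from the caches.
     *
     * @param tokenIdentifier cache key (JWT ID or signature)
     * @param validationInfo  the cached result, mutated in place when expired
     * @return the same {@code validationInfo} instance
     */
    private JWTValidationInfo checkTokenExpiration(String tokenIdentifier, JWTValidationInfo validationInfo) {
        long skewSeconds = getTimeStampSkewInSeconds();
        Date expiry = new Date(validationInfo.getExpiryTime());
        if (DateUtils.isAfter(expiry, new Date(), skewSeconds)) {
            return validationInfo;
        }
        if (this.isGatewayTokenCacheEnabled) {
            CacheProvider.getGatewayTokenCache().invalidate(tokenIdentifier);
            // NOTE(review): the backend JWT cache is keyed by "<context>:<version>:<identifier>"
            // (see generateAndRetrieveJWTToken), so invalidating by the bare identifier matches nothing.
            CacheProvider.getGatewayJWTTokenCache().invalidate(tokenIdentifier);
            CacheProvider.getInvalidTokenCache().put(tokenIdentifier, true);
        }
        validationInfo.setValid(false);
        validationInfo.setValidationCode(900901);
        return validationInfo;
    }

    /**
     * Clock skew tolerated in expiry checks; overridable by subclasses.
     *
     * @return the skew in seconds
     */
    protected long getTimeStampSkewInSeconds() {
        return 5L;
    }

    /**
     * Parses the compact JWS, reusing the parse cache (keyed by signature) when one is configured.
     *
     * @param token the compact JWS
     * @return the parsed token with its claims
     * @throws ParseException when the token does not have three segments or cannot be parsed
     */
    private SignedJWTInfo getSignedJwt(String token) throws ParseException {
        String[] segments = token.split("\\.");
        if (segments.length != JWS_SEGMENT_COUNT) {
            throw new ParseException("Not a compact JWS: expected " + JWS_SEGMENT_COUNT
                    + " dot-separated segments, found " + segments.length, 0);
        }
        String signature = segments[2];
        LoadingCache parseCache = CacheProvider.getGatewaySignedJWTParseCache();
        if (parseCache == null) {
            return parseSignedJwt(token);
        }
        // Look up and store under the same key (the original read by full token but wrote by
        // signature, so the cache never hit); only reuse an entry parsed from exactly this token.
        Object cached = parseCache.getIfPresent(signature);
        if (cached instanceof SignedJWTInfo && token.equals(((SignedJWTInfo) cached).getToken())) {
            return (SignedJWTInfo) cached;
        }
        SignedJWTInfo parsed = parseSignedJwt(token);
        parseCache.put(signature, parsed);
        return parsed;
    }

    /**
     * Parses the token without consulting any cache.
     *
     * @param token the compact JWS
     * @return the parsed token with its claims
     * @throws ParseException when the token cannot be parsed
     */
    private SignedJWTInfo parseSignedJwt(String token) throws ParseException {
        SignedJWT signedJwt = SignedJWT.parse(token);
        return new SignedJWTInfo(token, signedJwt, signedJwt.getJWTClaimsSet());
    }

    /**
     * Returns the token's cache/revocation identifier: the {@code jti} claim when present, otherwise
     * the signature.
     *
     * @param signedJWTInfo the parsed token
     * @return the identifier
     */
    private String getJWTTokenIdentifier(SignedJWTInfo signedJWTInfo) {
        String jwtId = signedJWTInfo.getJwtClaimsSet().getJWTID();
        if (StringUtils.isNotEmpty(jwtId)) {
            return jwtId;
        }
        return signedJWTInfo.getSignedJWT().getSignature().toString();
    }
}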
