package org.wso2.choreo.connect.enforcer.security.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.text.ParseException;
import java.util.Iterator;
import java.util.Map;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.wso2.carbon.apimgt.common.gateway.constants.GraphQLConstants;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.jwtgenerator.AbstractAPIMgtGatewayJWTGenerator;
import org.wso2.choreo.connect.enforcer.common.CacheProvider;
import org.wso2.choreo.connect.enforcer.commons.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.commons.logging.ErrorDetails;
import org.wso2.choreo.connect.enforcer.commons.logging.LoggingConstants;
import org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.commons.model.ResourceConfig;
import org.wso2.choreo.connect.enforcer.commons.model.SecuritySchemaConfig;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.config.EnforcerConfig;
import org.wso2.choreo.connect.enforcer.config.dto.ExtendedTokenIssuerDto;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
import org.wso2.choreo.connect.enforcer.constants.GeneralErrorCodeConstants;
import org.wso2.choreo.connect.enforcer.dto.APIKeyValidationInfoDTO;
import org.wso2.choreo.connect.enforcer.dto.JWTTokenPayloadInfo;
import org.wso2.choreo.connect.enforcer.security.KeyValidator;
import org.wso2.choreo.connect.enforcer.subscription.SubscriptionDataStoreUtil;
import org.wso2.choreo.connect.enforcer.util.BackendJwtUtils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;
import org.wso2.choreo.connect.enforcer.util.JWTUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/jwt/APIKeyAuthenticator.class */
public class APIKeyAuthenticator extends APIKeyHandler {
    private static final Logger log = LogManager.getLogger(APIKeyAuthenticator.class);
    private static String certAlias;
    private static boolean apiKeySubValidationEnabled;
    private AbstractAPIMgtGatewayJWTGenerator jwtGenerator;
    private final boolean isGatewayTokenCacheEnabled;
    private static final int IPV4_ADDRESS_BIT_LENGTH = 32;
    private static final int IPV6_ADDRESS_BIT_LENGTH = 128;

    public APIKeyAuthenticator() {
        log.debug("API key authenticator initialized.");
        EnforcerConfig config = ConfigHolder.getInstance().getConfig();
        this.isGatewayTokenCacheEnabled = config.getCacheDto().isEnabled();
        if (config.getJwtConfigurationDto().isEnabled()) {
            this.jwtGenerator = BackendJwtUtils.getApiMgtGatewayJWTGenerator();
        }
        Iterator<ExtendedTokenIssuerDto> it = config.getIssuersMap().values().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            ExtendedTokenIssuerDto next = it.next();
            if (APIConstants.KeyManager.APIM_APIKEY_ISSUER.equals(next.getName())) {
                certAlias = next.getCertificateAlias();
                apiKeySubValidationEnabled = next.isValidateSubscriptions();
                break;
            }
        }
        if (StringUtils.isBlank(certAlias)) {
            Iterator<ExtendedTokenIssuerDto> it2 = config.getIssuersMap().values().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                ExtendedTokenIssuerDto next2 = it2.next();
                if (APIConstants.KeyManager.APIM_PUBLISHER_ISSUER.equals(next2.getName())) {
                    certAlias = next2.getCertificateAlias();
                    apiKeySubValidationEnabled = next2.isValidateSubscriptions();
                    break;
                }
            }
        }
        if (StringUtils.isBlank(certAlias)) {
            log.error("Could not properly initialize APIKeyAuthenticator. Empty certificate alias. {}", ErrorDetails.errorLog(LoggingConstants.Severity.CRITICAL, 6604));
        }
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public boolean canAuthenticate(RequestContext requestContext) {
        return isAPIKey(getAPIKeyFromRequest(requestContext, requestContext.getMatchedResourcePaths().get(0)));
    }

    private static String getAPIKeyFromRequest(RequestContext requestContext, ResourceConfig resourceConfig) {
        Map<String, SecuritySchemaConfig> securitySchemeDefinitions = requestContext.getMatchedAPI().getSecuritySchemeDefinitions();
        for (String str : resourceConfig.getSecuritySchemas().keySet()) {
            if (securitySchemeDefinitions.containsKey(str)) {
                SecuritySchemaConfig securitySchemaConfig = securitySchemeDefinitions.get(str);
                if ("apiKey".equalsIgnoreCase(securitySchemaConfig.getType())) {
                    if ("header".equalsIgnoreCase(securitySchemaConfig.getIn())) {
                        String lowerCase = StringUtils.lowerCase(securitySchemaConfig.getName());
                        if (requestContext.getHeaders().containsKey(lowerCase)) {
                            return requestContext.getHeaders().get(lowerCase);
                        }
                    }
                    if ("query".equalsIgnoreCase(securitySchemaConfig.getIn()) && requestContext.getQueryParameters().containsKey(securitySchemaConfig.getName())) {
                        return requestContext.getQueryParameters().get(securitySchemaConfig.getName());
                    }
                } else {
                    continue;
                }
            }
        }
        return "";
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        if (StringUtils.isBlank(certAlias)) {
            log.error("APIKeyAuthenticator has not been properly initialized. Empty certificate alias.", ErrorDetails.errorLog(LoggingConstants.Severity.CRITICAL, 6604));
            throw new APISecurityException(APIConstants.StatusCodes.INTERNAL_SERVER_ERROR.getCode(), 900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
        }
        if (requestContext.getMatchedAPI() != null) {
            return processAPIKey(requestContext, getAPIKeyFromRequest(requestContext, requestContext.getMatchedResourcePaths().get(0)));
        }
        log.debug("API Key Authentication failed");
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900, APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private AuthenticationContext processAPIKey(RequestContext requestContext, String str) throws APISecurityException {
        APIKeyValidationInfoDTO aPIKeyValidationInfoDTO;
        try {
            String[] split = str.split("\\.");
            SignedJWT parse = SignedJWT.parse(str);
            JWTClaimsSet jWTClaimsSet = parse.getJWTClaimsSet();
            String version = requestContext.getMatchedAPI().getVersion();
            String basePath = requestContext.getMatchedAPI().getBasePath();
            String uuid = requestContext.getMatchedAPI().getUuid();
            if (isInternalKey(jWTClaimsSet)) {
                log.error("Invalid API Key token type. {} ", FilterUtils.getMaskedToken(split[0]));
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
            }
            String jwtid = jWTClaimsSet.getJWTID();
            checkInRevokedMap(jwtid, split);
            JWTTokenPayloadInfo jWTTokenPayloadInfo = (JWTTokenPayloadInfo) CacheProvider.getGatewayAPIKeyDataCache().getIfPresent(jwtid);
            boolean isVerifiedApiKeyInCache = isVerifiedApiKeyInCache(jwtid, str, jWTClaimsSet, split, "API Key", jWTTokenPayloadInfo);
            if (!isVerifiedApiKeyInCache) {
                isVerifiedApiKeyInCache = verifyTokenWhenNotInCache(certAlias, parse, split, jWTClaimsSet, "API Key");
            }
            if (!isVerifiedApiKeyInCache) {
                log.warn("API Key authentication failed.");
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "API key authentication failed.");
            }
            log.debug("API Key signature is verified.");
            if (jWTTokenPayloadInfo == null) {
                log.debug("API Key payload not found in the cache.");
                JWTTokenPayloadInfo jWTTokenPayloadInfo2 = new JWTTokenPayloadInfo();
                jWTTokenPayloadInfo2.setPayload(jWTClaimsSet);
                jWTTokenPayloadInfo2.setAccessToken(str);
                CacheProvider.getGatewayAPIKeyDataCache().put(jwtid, jWTTokenPayloadInfo2);
            }
            validateAPIKeyRestrictions(jWTClaimsSet, requestContext, basePath, version);
            if (ConfigHolder.getInstance().isControlPlaneEnabled()) {
                log.debug("Validating subscription for API Key against subscription store. context: {} version: {}", basePath, version);
                aPIKeyValidationInfoDTO = KeyValidator.validateSubscription(uuid, basePath, jWTClaimsSet);
            } else if (apiKeySubValidationEnabled) {
                log.debug("Validating subscription for API Key using JWT claims against invoked API info. context: {} version: {}", basePath, version);
                aPIKeyValidationInfoDTO = getAPIKeyValidationDTO(requestContext, jWTClaimsSet);
            } else {
                log.debug("Creating API Key info DTO for unknown API and Application. context: {} version: {}", basePath, version);
                aPIKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
                JWTUtils.updateApplicationNameForSubscriptionDisabledKM(aPIKeyValidationInfoDTO, APIConstants.KeyManager.APIM_APIKEY_ISSUER);
                aPIKeyValidationInfoDTO.setAuthorized(true);
            }
            if (!aPIKeyValidationInfoDTO.isAuthorized()) {
                if (700700 == aPIKeyValidationInfoDTO.getValidationStatus()) {
                    FilterUtils.setErrorToContext(requestContext, GeneralErrorCodeConstants.API_BLOCKED_CODE, APIConstants.StatusCodes.SERVICE_UNAVAILABLE.getCode(), GeneralErrorCodeConstants.API_BLOCKED_MESSAGE, GeneralErrorCodeConstants.API_BLOCKED_DESCRIPTION);
                    throw new APISecurityException(APIConstants.StatusCodes.SERVICE_UNAVAILABLE.getCode(), aPIKeyValidationInfoDTO.getValidationStatus(), GeneralErrorCodeConstants.API_BLOCKED_MESSAGE);
                }
                if (900907 != aPIKeyValidationInfoDTO.getValidationStatus()) {
                    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), aPIKeyValidationInfoDTO.getValidationStatus(), "User is NOT authorized to access the Resource. API Subscription validation failed.");
                }
                FilterUtils.setErrorToContext(requestContext, 900907, APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), APISecurityConstants.API_SUBSCRIPTION_BLOCKED_MESSAGE, APISecurityConstants.API_SUBSCRIPTION_BLOCKED_DESCRIPTION);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), aPIKeyValidationInfoDTO.getValidationStatus(), APISecurityConstants.API_SUBSCRIPTION_BLOCKED_MESSAGE);
            }
            log.debug("API Key authentication successful.");
            if (APIConstants.ApiType.GRAPHQL.equals(requestContext.getMatchedAPI().getApiType())) {
                requestContext.getProperties().put(GraphQLConstants.MAXIMUM_QUERY_DEPTH, Integer.valueOf(aPIKeyValidationInfoDTO.getGraphQLMaxDepth()));
                requestContext.getProperties().put(GraphQLConstants.MAXIMUM_QUERY_COMPLEXITY, Integer.valueOf(aPIKeyValidationInfoDTO.getGraphQLMaxComplexity()));
            }
            SignedJWTInfo signedJwt = JWTUtils.getSignedJwt(str);
            JWTValidationInfo jWTValidationInfo = new JWTValidationInfo();
            jWTValidationInfo.setUser(jWTClaimsSet.getSubject());
            String str2 = null;
            JWTConfigurationDto jwtConfigurationDto = ConfigHolder.getInstance().getConfig().getJwtConfigurationDto();
            if (jwtConfigurationDto.isEnabled()) {
                str2 = BackendJwtUtils.generateAndRetrieveJWTToken(this.jwtGenerator, jwtid, FilterUtils.generateJWTInfoDto(null, jWTValidationInfo, aPIKeyValidationInfoDTO, requestContext), this.isGatewayTokenCacheEnabled);
                requestContext.addOrModifyHeaders(jwtConfigurationDto.getJwtHeader(), str2);
            }
            JWTClaimsSet jwtClaimsSet = signedJwt.getJwtClaimsSet();
            AuthenticationContext generateAuthenticationContext = FilterUtils.generateAuthenticationContext(requestContext, jwtid, jWTValidationInfo, aPIKeyValidationInfoDTO, str2, str, false);
            if (jwtClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE) != null) {
                generateAuthenticationContext.setKeyType(jwtClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE).toString());
            }
            log.debug("Analytics data processing for API Key (jiti) {} was successful", jwtid);
            return generateAuthenticationContext;
        } catch (ParseException e) {
            log.warn("API Key authentication failed. ", e);
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "API key authentication failed.");
        }
    }

    private APIKeyValidationInfoDTO getAPIKeyValidationDTO(RequestContext requestContext, JWTClaimsSet jWTClaimsSet) throws ParseException, APISecurityException {
        APIKeyValidationInfoDTO aPIKeyValidationInfoDTO = new APIKeyValidationInfoDTO();
        JSONObject jSONObjectClaim = jWTClaimsSet.getJSONObjectClaim("application");
        JSONObject jSONObject = null;
        if (jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.KEY_TYPE) != null) {
            aPIKeyValidationInfoDTO.setType(jWTClaimsSet.getStringClaim(APIConstants.JwtTokenConstants.KEY_TYPE));
        } else {
            aPIKeyValidationInfoDTO.setType(APIConstants.API_KEY_TYPE_PRODUCTION);
        }
        if (jSONObjectClaim != null) {
            aPIKeyValidationInfoDTO.setApplicationId(jSONObjectClaim.getAsNumber("id").intValue());
            aPIKeyValidationInfoDTO.setApplicationUUID(jSONObjectClaim.getAsString(APIConstants.JwtTokenConstants.APPLICATION_UUID));
            aPIKeyValidationInfoDTO.setApplicationName(jSONObjectClaim.getAsString("name"));
            aPIKeyValidationInfoDTO.setApplicationTier(jSONObjectClaim.getAsString("tier"));
            aPIKeyValidationInfoDTO.setSubscriber(jSONObjectClaim.getAsString("owner"));
        }
        String name = requestContext.getMatchedAPI().getName();
        String version = requestContext.getMatchedAPI().getVersion();
        aPIKeyValidationInfoDTO.setApiName(name);
        aPIKeyValidationInfoDTO.setApiVersion(version);
        if (jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS) != null) {
            Iterator<Object> it = ((JSONArray) jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.SUBSCRIBED_APIS)).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                JSONObject jSONObject2 = (JSONObject) it.next();
                if (name.equals(jSONObject2.getAsString("name")) && version.equals(jSONObject2.getAsString("version"))) {
                    jSONObject = jSONObject2;
                    aPIKeyValidationInfoDTO.setAuthorized(true);
                    String asString = jSONObject2.getAsString("subscriptionTier");
                    String asString2 = jSONObject2.getAsString(APIConstants.JwtTokenConstants.API_PUBLISHER);
                    String asString3 = jSONObject2.getAsString("subscriberTenantDomain");
                    if (asString != null) {
                        aPIKeyValidationInfoDTO.setTier(asString);
                        AuthenticatorUtils.populateTierInfo(aPIKeyValidationInfoDTO, jWTClaimsSet, asString);
                    }
                    if (asString2 != null) {
                        aPIKeyValidationInfoDTO.setApiPublisher(asString2);
                    }
                    if (asString3 != null) {
                        aPIKeyValidationInfoDTO.setSubscriberTenantDomain(asString3);
                    }
                    log.debug("APIKeyValidationInfoDTO populated for API: {}, version: {}.", name, version);
                }
            }
            if (jSONObject == null) {
                log.debug("Subscription data not populated in APIKeyValidationInfoDTO for the API: {}, version: {}.", name, version);
                log.error("User's subscription details cannot obtain for the API : {}", name);
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
            }
        }
        return aPIKeyValidationInfoDTO;
    }

    private void validateAPIKeyRestrictions(JWTClaimsSet jWTClaimsSet, RequestContext requestContext, String str, String str2) throws APISecurityException {
        Map<String, String> headers;
        String str3 = jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP) != null ? (String) jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.PERMITTED_IP) : null;
        if (StringUtils.isNotEmpty(str3)) {
            String clientIp = requestContext.getClientIp();
            if (StringUtils.isNotEmpty(clientIp)) {
                for (String str4 : str3.split(",")) {
                    if (isIpInNetwork(clientIp, str4.trim())) {
                        return;
                    }
                }
                if (StringUtils.isNotEmpty(clientIp)) {
                    log.debug("Invocations to API: {}:{} is not permitted for client with IP: {}", str, str2, clientIp);
                }
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
            }
        }
        String str5 = jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER) != null ? (String) jWTClaimsSet.getClaim(APIConstants.JwtTokenConstants.PERMITTED_REFERER) : null;
        if (!StringUtils.isNotEmpty(str5) || (headers = requestContext.getHeaders()) == null) {
            return;
        }
        String str6 = headers.get("referer");
        if (!StringUtils.isNotEmpty(str6)) {
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
        }
        for (String str7 : str5.split(",")) {
            if (str6.matches(str7.trim().replace("*", "[^ ]*"))) {
                return;
            }
        }
        if (StringUtils.isNotEmpty(str6)) {
            log.debug("Invocations to API: {}:{} is not permitted for referer: {}", str, str2, str6);
        }
        throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), 900908, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
    }

    private boolean isIpInNetwork(String str, String str2) {
        if (StringUtils.isEmpty(str) || StringUtils.isEmpty(str2)) {
            return false;
        }
        String trim = str.trim();
        String trim2 = str2.trim();
        if (!trim2.contains("/")) {
            return trim.equals(trim2);
        }
        String[] split = trim2.split("/");
        if (split.length < 2) {
            return false;
        }
        if (trim.contains(SubscriptionDataStoreUtil.DELEM_PERIOD) && !trim2.contains(SubscriptionDataStoreUtil.DELEM_PERIOD)) {
            return false;
        }
        if (trim.contains(":") && !trim2.contains(":")) {
            return false;
        }
        BigInteger ipToBigInteger = ipToBigInteger(split[0]);
        int parseInt = Integer.parseInt(split[1]);
        BigInteger ipToBigInteger2 = ipToBigInteger(trim);
        return trim.contains(SubscriptionDataStoreUtil.DELEM_PERIOD) ? ipToBigInteger.shiftRight(32 - parseInt).shiftLeft(32 - parseInt).compareTo(ipToBigInteger2.shiftRight(32 - parseInt).shiftLeft(32 - parseInt)) == 0 : trim.contains(":") && ipToBigInteger.shiftRight(128 - parseInt).shiftLeft(128 - parseInt).compareTo(ipToBigInteger2.shiftRight(128 - parseInt).shiftLeft(128 - parseInt)) == 0;
    }

    private BigInteger ipToBigInteger(String str) {
        try {
            return new BigInteger(1, getAddress(str).getAddress());
        } catch (UnknownHostException e) {
            log.error("Error while parsing host IP {}", str, e);
            return BigInteger.ZERO;
        }
    }

    private InetAddress getAddress(String str) throws UnknownHostException {
        return InetAddress.getByName(str);
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getChallengeString() {
        return "";
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getName() {
        return "API Key";
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public int getPriority() {
        return 30;
    }
}
