package org.wso2.carbon.apimgt.gateway.inbound.websocket.Authentication;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Map;
import java.util.UUID;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.reflect.MethodSignature;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.slf4j.MDC;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.MethodTimeLogger;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.streaming.websocket.WebSocketApiConstants;
import org.wso2.carbon.apimgt.gateway.inbound.InboundMessageContext;
import org.wso2.carbon.apimgt.gateway.inbound.websocket.InboundProcessorResponseDTO;
import org.wso2.carbon.apimgt.gateway.inbound.websocket.utils.InboundWebsocketProcessorUtil;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.utils.ApiKeyAuthenticatorUtils;
import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.apimgt.impl.correlation.MethodCallsCorrelationConfigDataHolder;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.dto.ExtendedJWTConfigurationDto;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/inbound/websocket/Authentication/ApiKeyAuthenticator.class */
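/**
 * WebSocket inbound authenticator for API keys that arrive as a signed JWT in the
 * {@code apikey} request header.
 *
 * <p>This is decompiled, AspectJ-woven code: each public method dispatches either to its
 * plain body ({@code *_aroundBody0/2}) or to a timing wrapper ({@code *$advice}) that runs
 * the same body and then writes a method-time log line.
 *
 * <p>{@link #validateToken} parses the key and stores the result in instance fields;
 * {@link #authenticate} consumes those fields. NOTE(review): because the parsed key lives in
 * instance fields, an instance shared between concurrent handshakes could mix up
 * credentials — confirm with the caller that each connection gets its own instance.
 */
public class ApiKeyAuthenticator implements Authenticator {
    private static final Log log;
    // State handed from validateToken to authenticate. Cleared at the start of every
    // validateToken call so a failed parse can never leave a previous key's JWT behind.
    private String apiKey;
    private String[] splitToken;
    private JWSHeader decodedHeader;
    private JWTClaimsSet payload;
    private SignedJWT signedJWT;
    private static /* synthetic */ JoinPoint.StaticPart ajc$tjp_0;
    private static /* synthetic */ JoinPoint.StaticPart ajc$tjp_1;

    static {
        ajc$preClinit();
        log = LogFactory.getLog(ApiKeyAuthenticator.class);
    }

    /**
     * Checks whether the request carries something that parses as an API key and, if so,
     * remembers the parsed key for {@link #authenticate}.
     *
     * <p>No signature verification happens here; a {@code true} result only means the value
     * has the expected shape according to {@code ApiKeyAuthenticatorUtils.isAPIKey}.
     *
     * @param inboundMessageContext the inbound WebSocket request context
     * @return {@code true} when the {@code api_key} authenticator is enabled and the header
     *         value is recognised as an API key; {@code false} otherwise, including when the
     *         header is missing or the JWT cannot be parsed
     * @throws APISecurityException propagated from the format validation helper
     */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    @Override // org.wso2.carbon.apimgt.gateway.inbound.websocket.Authentication.Authenticator
    public boolean validateToken(InboundMessageContext inboundMessageContext) throws APISecurityException {
        ProceedingJoinPoint makeJP = Factory.makeJP(ajc$tjp_0, this, this, inboundMessageContext);
        boolean timed = MethodCallsCorrelationConfigDataHolder.isEnable() && MethodTimeLogger.pointCutAll();
        if (timed) {
            return Conversions.booleanValue(validateToken_aroundBody1$advice(this, inboundMessageContext, makeJP, MethodTimeLogger.aspectOf(), makeJP));
        }
        return validateToken_aroundBody0(this, inboundMessageContext, makeJP);
    }

    /**
     * Authenticates the API key previously parsed by {@link #validateToken}.
     *
     * @param inboundMessageContext the inbound WebSocket request context
     * @return a response with error code 0 on success, or a frame-error response when the
     *         authenticator is disabled, no parsed key is available, the authentication
     *         context is rejected, or an {@code APIManagementException} occurs
     * @throws APISecurityException when signature verification fails, or propagated from the
     *         validation helpers
     */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    @Override // org.wso2.carbon.apimgt.gateway.inbound.websocket.Authentication.Authenticator
    public InboundProcessorResponseDTO authenticate(InboundMessageContext inboundMessageContext) throws APISecurityException {
        ProceedingJoinPoint makeJP = Factory.makeJP(ajc$tjp_1, this, this, inboundMessageContext);
        boolean timed = MethodCallsCorrelationConfigDataHolder.isEnable() && MethodTimeLogger.pointCutAll();
        if (timed) {
            return (InboundProcessorResponseDTO) authenticate_aroundBody3$advice(this, inboundMessageContext, makeJP, MethodTimeLogger.aspectOf(), makeJP);
        }
        return authenticate_aroundBody2(this, inboundMessageContext, makeJP);
    }

    /** Drops every field derived from a previously presented key. */
    private void clearParsedKey() {
        this.apiKey = null;
        this.splitToken = null;
        this.decodedHeader = null;
        this.payload = null;
        this.signedJWT = null;
    }

    /** Reports whether validateToken left a complete parsed key for authenticate to use. */
    private boolean hasParsedKey() {
        return this.apiKey != null
                && this.splitToken != null
                && this.splitToken.length > 0
                && this.decodedHeader != null
                && this.payload != null
                && this.signedJWT != null;
    }

    // Body of validateToken. The decompiler dropped the throws clause; it is restored here
    // because the public method declares APISecurityException and the helpers may raise it.
    private static final /* synthetic */ boolean validateToken_aroundBody0(ApiKeyAuthenticator apiKeyAuthenticator, InboundMessageContext inboundMessageContext, JoinPoint joinPoint) throws APISecurityException {
        if (!InboundWebsocketProcessorUtil.isAuthenticatorEnabled("api_key", inboundMessageContext)) {
            return false;
        }
        log.debug("ApiKey Authentication initialized");
        // Start from a clean slate so a failure below cannot pair a new key with stale JWT state.
        apiKeyAuthenticator.clearParsedKey();
        String headerValue = inboundMessageContext.getRequestHeaders().get("apikey");
        if (headerValue == null) {
            // A request without the header is simply not an API-key request; fail closed
            // instead of hitting a NullPointerException on split().
            log.debug("No apikey header present in the request");
            return false;
        }
        try {
            apiKeyAuthenticator.apiKey = headerValue;
            apiKeyAuthenticator.splitToken = headerValue.split("\\.");
            ApiKeyAuthenticatorUtils.validateAPIKeyFormat(apiKeyAuthenticator.splitToken);
            apiKeyAuthenticator.signedJWT = JWTParser.parse(headerValue);
            apiKeyAuthenticator.decodedHeader = apiKeyAuthenticator.signedJWT.getHeader();
            apiKeyAuthenticator.payload = apiKeyAuthenticator.signedJWT.getJWTClaimsSet();
            return ApiKeyAuthenticatorUtils.isAPIKey(apiKeyAuthenticator.splitToken, apiKeyAuthenticator.decodedHeader, apiKeyAuthenticator.payload);
        } catch (ParseException e) {
            log.error("Error while parsing API Key", e);
            return false;
        }
    }

    // Timing wrapper around validateToken_aroundBody0; returns the boxed boolean result.
    private static final /* synthetic */ Object validateToken_aroundBody1$advice(ApiKeyAuthenticator apiKeyAuthenticator, InboundMessageContext inboundMessageContext, JoinPoint joinPoint, MethodTimeLogger methodTimeLogger, ProceedingJoinPoint proceedingJoinPoint) throws APISecurityException {
        long startMillis = System.currentTimeMillis();
        Object result = Conversions.booleanObject(validateToken_aroundBody0(apiKeyAuthenticator, inboundMessageContext, proceedingJoinPoint));
        logMethodTime(proceedingJoinPoint, startMillis);
        return result;
    }

    // Body of authenticate. The throws clause is restored for the same reason as above.
    private static final /* synthetic */ InboundProcessorResponseDTO authenticate_aroundBody2(ApiKeyAuthenticator apiKeyAuthenticator, InboundMessageContext inboundMessageContext, JoinPoint joinPoint) throws APISecurityException {
        if (!InboundWebsocketProcessorUtil.isAuthenticatorEnabled("api_key", inboundMessageContext)) {
            return InboundWebsocketProcessorUtil.getFrameErrorDTO(WebSocketApiConstants.FrameErrorConstants.API_AUTH_GENERAL_ERROR, "Authentication has not enabled for the Authentication type: api_key", true);
        }
        if (!apiKeyAuthenticator.hasParsedKey()) {
            // authenticate() was reached without a successful validateToken(); reject rather
            // than dereference null state.
            log.debug("No parsed Api Key available for authentication");
            return InboundWebsocketProcessorUtil.getFrameErrorDTO(WebSocketApiConstants.FrameErrorConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials", true);
        }
        try {
            String keyID = apiKeyAuthenticator.decodedHeader.getKeyID();
            String jwtid = apiKeyAuthenticator.payload.getJWTID();
            String tenantDomain = GatewayUtils.getTenantDomain();
            String apiContext = inboundMessageContext.getApiContext();
            String version = inboundMessageContext.getVersion();
            String accessTokenCacheKey = GatewayUtils.getAccessTokenCacheKey(jwtid, apiContext, version, inboundMessageContext.getMatchingResource(), null);
            boolean isGatewayTokenCacheEnabled = GatewayUtils.isGatewayTokenCacheEnabled();
            // Try the token cache first; only fall back to a full signature check on a miss.
            boolean signatureVerified = ApiKeyAuthenticatorUtils.verifyAPIKeySignatureFromTokenCache(isGatewayTokenCacheEnabled, jwtid, accessTokenCacheKey, apiKeyAuthenticator.apiKey, apiKeyAuthenticator.splitToken[0]);
            if (!signatureVerified) {
                signatureVerified = ApiKeyAuthenticatorUtils.verifyAPIKeySignature(apiKeyAuthenticator.signedJWT, keyID);
            }
            // The outcome (including a failure) is handed to the cache helper before the
            // rejection below; what it stores for a failed key is not visible in this class.
            ApiKeyAuthenticatorUtils.addTokenToTokenCache(isGatewayTokenCacheEnabled, jwtid, signatureVerified, tenantDomain);
            if (!signatureVerified) {
                if (log.isDebugEnabled()) {
                    // Only a masked form of the first token segment is logged, never the key.
                    log.debug("Api Key signature verification failure. Api Key: " + GatewayUtils.getMaskedToken(apiKeyAuthenticator.splitToken[0]));
                }
                log.error("Invalid Api Key. Signature verification failed.");
                throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            ExtendedJWTConfigurationDto jwtConfigurationDto = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration().getJwtConfigurationDto();
            // Post-signature checks, in order: cached payload override, expiry, key
            // restrictions (client IP and Referer header), then subscription validation.
            ApiKeyAuthenticatorUtils.overridePayloadFromDataCache(isGatewayTokenCacheEnabled, accessTokenCacheKey, apiKeyAuthenticator.payload);
            ApiKeyAuthenticatorUtils.checkTokenExpired(isGatewayTokenCacheEnabled, accessTokenCacheKey, jwtid, apiKeyAuthenticator.apiKey, tenantDomain, apiKeyAuthenticator.payload);
            ApiKeyAuthenticatorUtils.validateAPIKeyRestrictions(apiKeyAuthenticator.payload, inboundMessageContext.getUserIP(), apiContext, version, inboundMessageContext.getRequestHeaders().get(APIMgtGatewayConstants.REFERER));
            APIKeyValidationInfoDTO validateAPISubscription = GatewayUtils.validateAPISubscription(apiContext, version, apiKeyAuthenticator.payload, apiKeyAuthenticator.splitToken[0]);
            if (!InboundWebsocketProcessorUtil.validateAuthenticationContext(GatewayUtils.generateAuthenticationContext(jwtid, apiKeyAuthenticator.payload, validateAPISubscription, ApiKeyAuthenticatorUtils.getEndUserToken(validateAPISubscription, jwtConfigurationDto, apiKeyAuthenticator.apiKey, apiKeyAuthenticator.signedJWT, apiKeyAuthenticator.payload, jwtid, apiContext, version, isGatewayTokenCacheEnabled)), inboundMessageContext)) {
                return InboundWebsocketProcessorUtil.getFrameErrorDTO(WebSocketApiConstants.FrameErrorConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials", true);
            }
            log.debug("User is authorized to access the resource using Api Key.");
            InboundProcessorResponseDTO inboundProcessorResponseDTO = new InboundProcessorResponseDTO();
            inboundProcessorResponseDTO.setErrorCode(0);
            inboundProcessorResponseDTO.setErrorMessage(null);
            return inboundProcessorResponseDTO;
        } catch (APIManagementException e) {
            log.error("Error while setting public cert/private key for backend jwt generation", e);
            return InboundWebsocketProcessorUtil.getFrameErrorDTO(900900, "Unclassified Authentication Failure", true);
        }
    }

    // Timing wrapper around authenticate_aroundBody2; returns the response DTO as Object.
    private static final /* synthetic */ Object authenticate_aroundBody3$advice(ApiKeyAuthenticator apiKeyAuthenticator, InboundMessageContext inboundMessageContext, JoinPoint joinPoint, MethodTimeLogger methodTimeLogger, ProceedingJoinPoint proceedingJoinPoint) throws APISecurityException {
        long startMillis = System.currentTimeMillis();
        InboundProcessorResponseDTO result = authenticate_aroundBody2(apiKeyAuthenticator, inboundMessageContext, proceedingJoinPoint);
        logMethodTime(proceedingJoinPoint, startMillis);
        return result;
    }

    /**
     * Writes the method-time log line shared by both advice wrappers and makes sure a
     * correlation id is present in the logging context.
     *
     * <p>The correlation id is taken from the {@code activityid} transport header when one
     * is set. That value originates from the transport headers of the current message, so
     * anything consuming these log lines should treat it as request-supplied text.
     */
    private static void logMethodTime(ProceedingJoinPoint proceedingJoinPoint, long startMillis) {
        MethodSignature signature = (MethodSignature) proceedingJoinPoint.getSignature();
        String[] parameterNames = signature.getParameterNames();
        String renderedNames = "[" + (parameterNames == null ? "" : String.join(", ", parameterNames)) + "]";
        MessageContext currentMessageContext = MessageContext.getCurrentMessageContext();
        if (MDC.get("Correlation-ID") == null && currentMessageContext != null) {
            // Raw Map kept as in the woven code: the property is an untyped header map.
            Map headers = (Map) currentMessageContext.getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
            if (headers != null) {
                String activityId = (String) headers.get("activityid");
                if (StringUtils.isNotEmpty(activityId)) {
                    MDC.put("Correlation-ID", activityId);
                }
                if (StringUtils.isEmpty(MDC.get("Correlation-ID"))) {
                    // No usable id on the request: mint one and write it back to the headers.
                    String uuid = UUID.randomUUID().toString();
                    MDC.put("Correlation-ID", uuid);
                    headers.put("activityid", uuid);
                }
            }
        }
        MethodTimeLogger.log.info(String.valueOf(System.currentTimeMillis() - startMillis) + "|METHOD|" + signature.getDeclaringTypeName() + "|" + signature.getMethod().getName() + "|" + renderedNames);
    }

    // AspectJ bootstrap: builds the static join-point descriptors used by the two public methods.
    private static /* synthetic */ void ajc$preClinit() {
        Factory factory = new Factory("ApiKeyAuthenticator.java", ApiKeyAuthenticator.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "validateToken", "org.wso2.carbon.apimgt.gateway.inbound.websocket.Authentication.ApiKeyAuthenticator", "org.wso2.carbon.apimgt.gateway.inbound.InboundMessageContext", "inboundMessageContext", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "boolean"), 58);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "authenticate", "org.wso2.carbon.apimgt.gateway.inbound.websocket.Authentication.ApiKeyAuthenticator", "org.wso2.carbon.apimgt.gateway.inbound.InboundMessageContext", "inboundMessageContext", "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException", "org.wso2.carbon.apimgt.gateway.inbound.websocket.InboundProcessorResponseDTO"), 80);
    }
}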
