From b0c6f5bfe12cf9d3f347749c4b1f4bd7e1fd9fdf Mon Sep 17 00:00:00 2001
From: senthalan <senthalank@gmail.com>
Date: Wed, 27 Sep 2023 15:10:08 +0530
Subject: [PATCH] Add environment wise key support

---
 adapter/internal/discovery/xds/marshaller.go  |   1 +
 .../messaging/notification_listener.go        |   9 +-
 .../application_key_mapping.pb.go             |  35 +++--
 adapter/pkg/eventhub/types/types.go           |   1 +
 adapter/pkg/messaging/event_types.go          |   1 +
 .../application_key_mapping.proto             |   1 +
 .../subscription/ApplicationKeyMapping.java   | 138 ++++++++++++++++++
 .../ApplicationKeyMappingOrBuilder.java       |  12 ++
 .../ApplicationKeyMappingProto.java           |  16 +-
 .../constants/APISecurityConstants.java       |   5 +
 .../enforcer/dto/APIKeyValidationInfoDTO.java |  11 ++
 .../models/ApplicationKeyMapping.java         |  12 ++
 .../enforcer/security/KeyValidator.java       |   1 +
 .../security/jwt/JWTAuthenticator.java        |  28 +++-
 .../SubscriptionDataStoreImpl.java            |   1 +
 .../security/jwt/JWTAuthenticatorTest.java    |  50 ++++++-
 16 files changed, 298 insertions(+), 24 deletions(-)

diff --git a/adapter/internal/discovery/xds/marshaller.go b/adapter/internal/discovery/xds/marshaller.go
index dad24ecaad..b0c7b639de 100644
--- a/adapter/internal/discovery/xds/marshaller.go
+++ b/adapter/internal/discovery/xds/marshaller.go
@@ -629,6 +629,7 @@ func marshalKeyMapping(keyMappingInternal *types.ApplicationKeyMapping) *subscri
 		TenantId:        keyMappingInternal.TenantID,
 		TenantDomain:    keyMappingInternal.TenantDomain,
 		Timestamp:       keyMappingInternal.TimeStamp,
+		EnvId:           keyMappingInternal.EnvID,
 	}
 }
 
diff --git a/adapter/internal/messaging/notification_listener.go b/adapter/internal/messaging/notification_listener.go
index 41250c5173..42cb421e36 100644
--- a/adapter/internal/messaging/notification_listener.go
+++ b/adapter/internal/messaging/notification_listener.go
@@ -287,6 +287,8 @@ func handleLifeCycleEvents(data []byte) {
 
 // handleApplicationEvents to process application related events
 func handleApplicationEvents(data []byte, eventType string) {
+	//todo  Need to check this event handling.
+	logger.LoggerInternalMsg.Infof("Application event type : %s", eventType)
 	if strings.EqualFold(applicationRegistration, eventType) ||
 		strings.EqualFold(removeApplicationKeyMapping, eventType) {
 		var applicationRegistrationEvent msg.ApplicationRegistrationEvent
@@ -302,10 +304,13 @@ func handleApplicationEvents(data []byte, eventType string) {
 			return
 		}
 
+		logger.LoggerInternalMsg.Infof("Application Key Mapping event for the Consumer Key : %+v", applicationRegistrationEvent)
+
 		applicationKeyMapping := types.ApplicationKeyMapping{ApplicationID: applicationRegistrationEvent.ApplicationID,
 			ConsumerKey: applicationRegistrationEvent.ConsumerKey, KeyType: applicationRegistrationEvent.KeyType,
 			KeyManager: applicationRegistrationEvent.KeyManager, TenantID: -1, TenantDomain: applicationRegistrationEvent.TenantDomain,
-			TimeStamp: applicationRegistrationEvent.TimeStamp, ApplicationUUID: applicationRegistrationEvent.ApplicationUUID}
+			TimeStamp: applicationRegistrationEvent.TimeStamp, ApplicationUUID: applicationRegistrationEvent.ApplicationUUID,
+			EnvID: applicationRegistrationEvent.EnvID}
 
 		applicationKeyMappingReference := xds.GetApplicationKeyMappingReference(&applicationKeyMapping)
 
@@ -335,6 +340,8 @@ func handleApplicationEvents(data []byte, eventType string) {
 			return
 		}
 
+		logger.LoggerInternalMsg.Infof("Application Key Mapping event for the Consumer Key : %+v", applicationEvent)
+
 		app := types.Application{UUID: applicationEvent.UUID, ID: applicationEvent.ApplicationID,
 			Name: applicationEvent.ApplicationName, SubName: applicationEvent.Subscriber,
 			Policy: applicationEvent.ApplicationPolicy, TokenType: applicationEvent.TokenType,
diff --git a/adapter/pkg/discovery/api/wso2/discovery/subscription/application_key_mapping.pb.go b/adapter/pkg/discovery/api/wso2/discovery/subscription/application_key_mapping.pb.go
index aa77510265..9a186c8baa 100644
--- a/adapter/pkg/discovery/api/wso2/discovery/subscription/application_key_mapping.pb.go
+++ b/adapter/pkg/discovery/api/wso2/discovery/subscription/application_key_mapping.pb.go
@@ -34,6 +34,7 @@ type ApplicationKeyMapping struct {
 	TenantDomain    string `protobuf:"bytes,6,opt,name=tenantDomain,proto3" json:"tenantDomain,omitempty"`
 	Timestamp       int64  `protobuf:"varint,7,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
 	ApplicationUUID string `protobuf:"bytes,8,opt,name=applicationUUID,proto3" json:"applicationUUID,omitempty"`
+	EnvId           string `protobuf:"bytes,9,opt,name=envId,proto3" json:"envId,omitempty"`
 }
 
 func (x *ApplicationKeyMapping) Reset() {
@@ -124,6 +125,13 @@ func (x *ApplicationKeyMapping) GetApplicationUUID() string {
 	return ""
 }
 
+func (x *ApplicationKeyMapping) GetEnvId() string {
+	if x != nil {
+		return x.EnvId
+	}
+	return ""
+}
+
 var File_wso2_discovery_subscription_application_key_mapping_proto protoreflect.FileDescriptor
 
 var file_wso2_discovery_subscription_application_key_mapping_proto_rawDesc = []byte{
@@ -132,7 +140,7 @@ var file_wso2_discovery_subscription_application_key_mapping_proto_rawDesc = []b
 	0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x61,
 	0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x77, 0x73, 0x6f,
 	0x32, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x73,
-	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa1, 0x02, 0x0a, 0x15, 0x41, 0x70, 0x70,
+	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb7, 0x02, 0x0a, 0x15, 0x41, 0x70, 0x70,
 	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69,
 	0x6e, 0x67, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65, 0x72, 0x4b, 0x65,
 	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65,
@@ -150,18 +158,19 @@ var file_wso2_discovery_subscription_application_key_mapping_proto_rawDesc = []b
 	0x70, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
 	0x6d, 0x70, 0x12, 0x28, 0x0a, 0x0f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
 	0x6e, 0x55, 0x55, 0x49, 0x44, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x61, 0x70, 0x70,
-	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x55, 0x49, 0x44, 0x42, 0x9f, 0x01, 0x0a,
-	0x2e, 0x6f, 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e, 0x63, 0x68, 0x6f, 0x72, 0x65, 0x6f,
-	0x2e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65,
-	0x72, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42,
-	0x1a, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4d,
-	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4f, 0x67,
-	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70,
-	0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d,
-	0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, 0x32, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f,
-	0x76, 0x65, 0x72, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x3b, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x55, 0x49, 0x44, 0x12, 0x14, 0x0a, 0x05,
+	0x65, 0x6e, 0x76, 0x49, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6e, 0x76,
+	0x49, 0x64, 0x42, 0x9f, 0x01, 0x0a, 0x2e, 0x6f, 0x72, 0x67, 0x2e, 0x77, 0x73, 0x6f, 0x32, 0x2e,
+	0x63, 0x68, 0x6f, 0x72, 0x65, 0x6f, 0x2e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x2e, 0x64,
+	0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69,
+	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x1a, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x50, 0x01, 0x5a, 0x4f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f,
+	0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x77, 0x73, 0x6f, 0x32,
+	0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2f, 0x73, 0x75, 0x62, 0x73, 0x63,
+	0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x3b, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70,
+	0x74, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
diff --git a/adapter/pkg/eventhub/types/types.go b/adapter/pkg/eventhub/types/types.go
index da6effb681..cac88f848b 100644
--- a/adapter/pkg/eventhub/types/types.go
+++ b/adapter/pkg/eventhub/types/types.go
@@ -66,6 +66,7 @@ type ApplicationKeyMapping struct {
 	ConsumerKey     string `json:"consumerKey"`
 	KeyType         string `json:"keyType"`
 	KeyManager      string `json:"keyManager"`
+	EnvID           string `json:"EnvId"`
 	TenantID        int32  `json:"tenanId,omitempty"`
 	TenantDomain    string `json:"tenanDomain,omitempty"`
 	TimeStamp       int64  `json:"timeStamp,omitempty"`
diff --git a/adapter/pkg/messaging/event_types.go b/adapter/pkg/messaging/event_types.go
index 6cf2a1097f..bbbff6ce1e 100644
--- a/adapter/pkg/messaging/event_types.go
+++ b/adapter/pkg/messaging/event_types.go
@@ -138,6 +138,7 @@ type ApplicationRegistrationEvent struct {
 	ConsumerKey     string `json:"consumerKey"`
 	KeyType         string `json:"keyType"`
 	KeyManager      string `json:"keyManager"`
+	EnvID           string `json:"EnvId"`
 	Event
 }
 
diff --git a/api/proto/wso2/discovery/subscription/application_key_mapping.proto b/api/proto/wso2/discovery/subscription/application_key_mapping.proto
index 6f4d02e0e4..d97a48d633 100644
--- a/api/proto/wso2/discovery/subscription/application_key_mapping.proto
+++ b/api/proto/wso2/discovery/subscription/application_key_mapping.proto
@@ -19,4 +19,5 @@ message ApplicationKeyMapping {
     string tenantDomain = 6;
     int64 timestamp = 7;
     string applicationUUID = 8;
+    string envId = 9;
 }
diff --git a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMapping.java b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMapping.java
index f8ea05694a..eb83cbb5c9 100644
--- a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMapping.java
+++ b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMapping.java
@@ -25,6 +25,7 @@ private ApplicationKeyMapping() {
     keyManager_ = "";
     tenantDomain_ = "";
     applicationUUID_ = "";
+    envId_ = "";
   }
 
   @java.lang.Override
@@ -102,6 +103,12 @@ private ApplicationKeyMapping(
             applicationUUID_ = s;
             break;
           }
+          case 74: {
+            java.lang.String s = input.readStringRequireUtf8();
+
+            envId_ = s;
+            break;
+          }
           default: {
             if (!parseUnknownField(
                 input, unknownFields, extensionRegistry, tag)) {
@@ -357,6 +364,44 @@ public java.lang.String getApplicationUUID() {
     }
   }
 
+  public static final int ENVID_FIELD_NUMBER = 9;
+  private volatile java.lang.Object envId_;
+  /**
+   * <code>string envId = 9;</code>
+   * @return The envId.
+   */
+  @java.lang.Override
+  public java.lang.String getEnvId() {
+    java.lang.Object ref = envId_;
+    if (ref instanceof java.lang.String) {
+      return (java.lang.String) ref;
+    } else {
+      com.google.protobuf.ByteString bs = 
+          (com.google.protobuf.ByteString) ref;
+      java.lang.String s = bs.toStringUtf8();
+      envId_ = s;
+      return s;
+    }
+  }
+  /**
+   * <code>string envId = 9;</code>
+   * @return The bytes for envId.
+   */
+  @java.lang.Override
+  public com.google.protobuf.ByteString
+      getEnvIdBytes() {
+    java.lang.Object ref = envId_;
+    if (ref instanceof java.lang.String) {
+      com.google.protobuf.ByteString b = 
+          com.google.protobuf.ByteString.copyFromUtf8(
+              (java.lang.String) ref);
+      envId_ = b;
+      return b;
+    } else {
+      return (com.google.protobuf.ByteString) ref;
+    }
+  }
+
   private byte memoizedIsInitialized = -1;
   @java.lang.Override
   public final boolean isInitialized() {
@@ -395,6 +440,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output)
     if (!getApplicationUUIDBytes().isEmpty()) {
       com.google.protobuf.GeneratedMessageV3.writeString(output, 8, applicationUUID_);
     }
+    if (!getEnvIdBytes().isEmpty()) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 9, envId_);
+    }
     unknownFields.writeTo(output);
   }
 
@@ -431,6 +479,9 @@ public int getSerializedSize() {
     if (!getApplicationUUIDBytes().isEmpty()) {
       size += com.google.protobuf.GeneratedMessageV3.computeStringSize(8, applicationUUID_);
     }
+    if (!getEnvIdBytes().isEmpty()) {
+      size += com.google.protobuf.GeneratedMessageV3.computeStringSize(9, envId_);
+    }
     size += unknownFields.getSerializedSize();
     memoizedSize = size;
     return size;
@@ -462,6 +513,8 @@ public boolean equals(final java.lang.Object obj) {
         != other.getTimestamp()) return false;
     if (!getApplicationUUID()
         .equals(other.getApplicationUUID())) return false;
+    if (!getEnvId()
+        .equals(other.getEnvId())) return false;
     if (!unknownFields.equals(other.unknownFields)) return false;
     return true;
   }
@@ -490,6 +543,8 @@ public int hashCode() {
         getTimestamp());
     hash = (37 * hash) + APPLICATIONUUID_FIELD_NUMBER;
     hash = (53 * hash) + getApplicationUUID().hashCode();
+    hash = (37 * hash) + ENVID_FIELD_NUMBER;
+    hash = (53 * hash) + getEnvId().hashCode();
     hash = (29 * hash) + unknownFields.hashCode();
     memoizedHashCode = hash;
     return hash;
@@ -643,6 +698,8 @@ public Builder clear() {
 
       applicationUUID_ = "";
 
+      envId_ = "";
+
       return this;
     }
 
@@ -677,6 +734,7 @@ public org.wso2.choreo.connect.discovery.subscription.ApplicationKeyMapping buil
       result.tenantDomain_ = tenantDomain_;
       result.timestamp_ = timestamp_;
       result.applicationUUID_ = applicationUUID_;
+      result.envId_ = envId_;
       onBuilt();
       return result;
     }
@@ -754,6 +812,10 @@ public Builder mergeFrom(org.wso2.choreo.connect.discovery.subscription.Applicat
         applicationUUID_ = other.applicationUUID_;
         onChanged();
       }
+      if (!other.getEnvId().isEmpty()) {
+        envId_ = other.envId_;
+        onChanged();
+      }
       this.mergeUnknownFields(other.unknownFields);
       onChanged();
       return this;
@@ -1255,6 +1317,82 @@ public Builder setApplicationUUIDBytes(
       onChanged();
       return this;
     }
+
+    private java.lang.Object envId_ = "";
+    /**
+     * <code>string envId = 9;</code>
+     * @return The envId.
+     */
+    public java.lang.String getEnvId() {
+      java.lang.Object ref = envId_;
+      if (!(ref instanceof java.lang.String)) {
+        com.google.protobuf.ByteString bs =
+            (com.google.protobuf.ByteString) ref;
+        java.lang.String s = bs.toStringUtf8();
+        envId_ = s;
+        return s;
+      } else {
+        return (java.lang.String) ref;
+      }
+    }
+    /**
+     * <code>string envId = 9;</code>
+     * @return The bytes for envId.
+     */
+    public com.google.protobuf.ByteString
+        getEnvIdBytes() {
+      java.lang.Object ref = envId_;
+      if (ref instanceof String) {
+        com.google.protobuf.ByteString b = 
+            com.google.protobuf.ByteString.copyFromUtf8(
+                (java.lang.String) ref);
+        envId_ = b;
+        return b;
+      } else {
+        return (com.google.protobuf.ByteString) ref;
+      }
+    }
+    /**
+     * <code>string envId = 9;</code>
+     * @param value The envId to set.
+     * @return This builder for chaining.
+     */
+    public Builder setEnvId(
+        java.lang.String value) {
+      if (value == null) {
+    throw new NullPointerException();
+  }
+  
+      envId_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     * <code>string envId = 9;</code>
+     * @return This builder for chaining.
+     */
+    public Builder clearEnvId() {
+      
+      envId_ = getDefaultInstance().getEnvId();
+      onChanged();
+      return this;
+    }
+    /**
+     * <code>string envId = 9;</code>
+     * @param value The bytes for envId to set.
+     * @return This builder for chaining.
+     */
+    public Builder setEnvIdBytes(
+        com.google.protobuf.ByteString value) {
+      if (value == null) {
+    throw new NullPointerException();
+  }
+  checkByteStringIsUtf8(value);
+      
+      envId_ = value;
+      onChanged();
+      return this;
+    }
     @java.lang.Override
     public final Builder setUnknownFields(
         final com.google.protobuf.UnknownFieldSet unknownFields) {
diff --git a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingOrBuilder.java b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingOrBuilder.java
index 4e389552be..030db358ab 100644
--- a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingOrBuilder.java
+++ b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingOrBuilder.java
@@ -84,4 +84,16 @@ public interface ApplicationKeyMappingOrBuilder extends
    */
   com.google.protobuf.ByteString
       getApplicationUUIDBytes();
+
+  /**
+   * <code>string envId = 9;</code>
+   * @return The envId.
+   */
+  java.lang.String getEnvId();
+  /**
+   * <code>string envId = 9;</code>
+   * @return The bytes for envId.
+   */
+  com.google.protobuf.ByteString
+      getEnvIdBytes();
 }
diff --git a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingProto.java b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingProto.java
index 030ff6349f..02979ba795 100644
--- a/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingProto.java
+++ b/enforcer-parent/enforcer/src/main/gen/org/wso2/choreo/connect/discovery/subscription/ApplicationKeyMappingProto.java
@@ -30,16 +30,16 @@ public static void registerAllExtensions(
     java.lang.String[] descriptorData = {
       "\n9wso2/discovery/subscription/applicatio" +
       "n_key_mapping.proto\022\033wso2.discovery.subs" +
-      "cription\"\274\001\n\025ApplicationKeyMapping\022\023\n\013co" +
+      "cription\"\313\001\n\025ApplicationKeyMapping\022\023\n\013co" +
       "nsumerKey\030\001 \001(\t\022\017\n\007keyType\030\002 \001(\t\022\022\n\nkeyM" +
       "anager\030\003 \001(\t\022\025\n\rapplicationId\030\004 \001(\005\022\020\n\010t" +
       "enantId\030\005 \001(\005\022\024\n\014tenantDomain\030\006 \001(\t\022\021\n\tt" +
-      "imestamp\030\007 \001(\003\022\027\n\017applicationUUID\030\010 \001(\tB" +
-      "\237\001\n.org.wso2.choreo.connect.discovery.su" +
-      "bscriptionB\032ApplicationKeyMappingProtoP\001" +
-      "ZOgithub.com/envoyproxy/go-control-plane" +
-      "/wso2/discovery/subscription;subscriptio" +
-      "nb\006proto3"
+      "imestamp\030\007 \001(\003\022\027\n\017applicationUUID\030\010 \001(\t\022" +
+      "\r\n\005envId\030\t \001(\tB\237\001\n.org.wso2.choreo.conne" +
+      "ct.discovery.subscriptionB\032ApplicationKe" +
+      "yMappingProtoP\001ZOgithub.com/envoyproxy/g" +
+      "o-control-plane/wso2/discovery/subscript" +
+      "ion;subscriptionb\006proto3"
     };
     descriptor = com.google.protobuf.Descriptors.FileDescriptor
       .internalBuildGeneratedFileFrom(descriptorData,
@@ -50,7 +50,7 @@ public static void registerAllExtensions(
     internal_static_wso2_discovery_subscription_ApplicationKeyMapping_fieldAccessorTable = new
       com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
         internal_static_wso2_discovery_subscription_ApplicationKeyMapping_descriptor,
-        new java.lang.String[] { "ConsumerKey", "KeyType", "KeyManager", "ApplicationId", "TenantId", "TenantDomain", "Timestamp", "ApplicationUUID", });
+        new java.lang.String[] { "ConsumerKey", "KeyType", "KeyManager", "ApplicationId", "TenantId", "TenantDomain", "Timestamp", "ApplicationUUID", "EnvId", });
   }
 
   // @@protoc_insertion_point(outer_class_scope)
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/constants/APISecurityConstants.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/constants/APISecurityConstants.java
index 5157f4185e..664f9d018d 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/constants/APISecurityConstants.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/constants/APISecurityConstants.java
@@ -73,6 +73,11 @@ public class APISecurityConstants {
     public static final String API_AUTH_INVALID_ENVIRONMENT_ERROR_MESSAGE = "The access token is not authorized "
             + "to access the environment.";
 
+
+    public static final int API_AUTH_KEY_ENVIRONMENT_MISMATCH = 900913;
+    public static final String API_AUTH_KEY_ENVIRONMENT_MISMATCH_ERROR_MESSAGE = "The access token is not authorized "
+            + "to access the application environment.";
+
     // We have added this because we need to add an additional description to the original one and we need to
     // separate the 2 messages
     public static final String DESCRIPTION_SEPARATOR = ". ";
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/dto/APIKeyValidationInfoDTO.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/dto/APIKeyValidationInfoDTO.java
index 455b29b3ec..a3d49c7432 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/dto/APIKeyValidationInfoDTO.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/dto/APIKeyValidationInfoDTO.java
@@ -67,6 +67,7 @@ public class APIKeyValidationInfoDTO implements Serializable {
     private String apiUUID;
     private String applicationUUID;
     private Map<String, String> appAttributes;
+    private String envId;
 
     public List<String> getThrottlingDataList() {
         return throttlingDataList;
@@ -396,5 +397,15 @@ public String getApiUUID() {
     public void setApiUUID(String apiUUID) {
         this.apiUUID = apiUUID;
     }
+
+    public void setEnvId(String envId) {
+
+        this.envId = envId;
+    }
+
+    public String getEnvId() {
+
+        return envId;
+    }
 }
 
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/models/ApplicationKeyMapping.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/models/ApplicationKeyMapping.java
index cd6a4ed438..74ffc5fffa 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/models/ApplicationKeyMapping.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/models/ApplicationKeyMapping.java
@@ -31,6 +31,7 @@ public class ApplicationKeyMapping implements CacheableEntity<ApplicationKeyMapp
     private String wfState;
     private String applicationUUID;
     private int applicationId;
+    private String envId;
 
     public String getConsumerKey() {
 
@@ -96,6 +97,7 @@ public String toString() {
                 ", keyManager='" + keyManager + '\'' +
                 ", wfState='" + wfState + '\'' +
                 ", applicationId=" + applicationId +
+                ", envId=" + envId.toString() +
                 '}';
     }
 
@@ -106,5 +108,15 @@ public String getApplicationUUID() {
     public void setApplicationUUID(String applicationUUID) {
         this.applicationUUID = applicationUUID;
     }
+
+    public void setEnvId(String envId) {
+
+        this.envId = envId;
+    }
+
+    public String getEnvId() {
+
+        return envId;
+    }
 }
 
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
index c1d4896956..6e90dac4f9 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/KeyValidator.java
@@ -188,6 +188,7 @@ public static APIKeyValidationInfoDTO validateSubscription(APIConfig apiConfig,
         if (app != null && key != null && sub != null) {
             String keyType = key.getKeyType();
             validate(infoDTO, datastore, apiConfig, keyType, app, sub);
+            infoDTO.setEnvId(key.getEnvId());
         }
         if (!infoDTO.isAuthorized() && infoDTO.getValidationStatus() == 0) {
             //Scenario where validation failed and message is not set
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
index 646fec740f..264b3bdbe0 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticator.java
@@ -245,9 +245,13 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
                                             "User is NOT authorized to access the Resource. "
                                                     + "API Subscription validation failed.");
                                 }
-                                // Check if the token has access to the gateway configured environment.
+                                // Check if the token has access to the deployment type.
                                 checkTokenEnvAgainstDeploymentType(apiKeyValidationInfoDTO.getType(),
                                         requestContext.getMatchedAPI());
+
+                                // Check if the token has access to the gateway configured environment.
+                                checkTokenEnvAgainstDeploymentEnv(apiKeyValidationInfoDTO.getEnvId(),
+                                        requestContext.getMatchedAPI());
                             }
                         } else {
                             // In this case, the application related properties are populated so that analytics
@@ -334,6 +338,28 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
 
     }
 
+    protected void checkTokenEnvAgainstDeploymentEnv(String keyEnvId, APIConfig matchedAPI)
+            throws APISecurityException {
+
+        // TODO: This needs to be changed to Choreo env.
+        String apiEnvName = matchedAPI.getEnvironmentName();
+        if (StringUtils.isNotEmpty(keyEnvId) || StringUtils.equals(keyEnvId, "DEFAULT_ENV")) {
+            if (StringUtils.equals(keyEnvId, apiEnvName)) {
+                log.debug("The access token has access to the API environment {}.", apiEnvName);
+            } else {
+                log.debug("The access token does not have access to the app environment {}.", apiEnvName);
+                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHORIZED.getCode(),
+                        APISecurityConstants.API_AUTH_KEY_ENVIRONMENT_MISMATCH,
+                        APISecurityConstants.API_AUTH_KEY_ENVIRONMENT_MISMATCH_ERROR_MESSAGE);
+            }
+        } else {
+            log.debug("The key is not mapped to any specific environment.");
+            // Check whether the application is internal. If so the environment is a mandatory parameter.
+            // If the application is external and key's environment is not defined,
+            // Allow only critical environment access.
+        }
+    }
+
     private void checkTokenEnv(JWTClaimsSet claims, String matchedEnv) throws APISecurityException {
         // If the claim "aud" does not exist, getAudience() returns an empty list.
         // If the value for "aud" is a String, getAudience() appends the value to the list that is returned.
diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/subscription/SubscriptionDataStoreImpl.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/subscription/SubscriptionDataStoreImpl.java
index 272e512f49..01ff7f5123 100644
--- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/subscription/SubscriptionDataStoreImpl.java
+++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/subscription/SubscriptionDataStoreImpl.java
@@ -291,6 +291,7 @@ public void addApplicationKeyMappings(
             mapping.setConsumerKey(applicationKeyMapping.getConsumerKey());
             mapping.setKeyType(applicationKeyMapping.getKeyType());
             mapping.setKeyManager(applicationKeyMapping.getKeyManager());
+            mapping.setEnvId(applicationKeyMapping.getEnvId());
 
             newApplicationKeyMappingMap.put(mapping.getCacheKey(), mapping);
         }
diff --git a/enforcer-parent/enforcer/src/test/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticatorTest.java b/enforcer-parent/enforcer/src/test/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticatorTest.java
index 05d55f5289..6a403c5644 100644
--- a/enforcer-parent/enforcer/src/test/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticatorTest.java
+++ b/enforcer-parent/enforcer/src/test/java/org/wso2/choreo/connect/enforcer/security/jwt/JWTAuthenticatorTest.java
@@ -21,21 +21,26 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PowerMockIgnore;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
+import org.wso2.choreo.connect.enforcer.commons.model.APIConfig;
 import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
 import org.wso2.choreo.connect.enforcer.config.EnforcerConfig;
 import org.wso2.choreo.connect.enforcer.config.dto.CacheDto;
+import org.wso2.choreo.connect.enforcer.constants.APIConstants;
+import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
 import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
 
 import java.util.HashSet;
 import java.util.Set;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
 @RunWith(PowerMockRunner.class)
 @PrepareForTest({ConfigHolder.class})
 @PowerMockIgnore("javax.management.*")
@@ -87,4 +92,47 @@ public void isAllowedEnvironmentForIDPTest() {
                     "of the API");
         }
     }
+
+    @Test
+    public void checkTokenEnvAgainstDeploymentTypeTest() {
+
+        PowerMockito.mockStatic(ConfigHolder.class);
+        ConfigHolder configHolder = Mockito.mock(ConfigHolder.class);
+        EnforcerConfig enforcerConfig = Mockito.mock(EnforcerConfig.class);
+        CacheDto cacheDto = Mockito.mock(CacheDto.class);
+        Mockito.when(cacheDto.isEnabled()).thenReturn(true);
+        Mockito.when(enforcerConfig.getCacheDto()).thenReturn(cacheDto);
+        JWTConfigurationDto jwtConfigurationDto = Mockito.mock(JWTConfigurationDto.class);
+        Mockito.when(jwtConfigurationDto.isEnabled()).thenReturn(false);
+        Mockito.when(enforcerConfig.getJwtConfigurationDto()).thenReturn(jwtConfigurationDto);
+        Mockito.when(configHolder.getConfig()).thenReturn(enforcerConfig);
+        Mockito.when(ConfigHolder.getInstance()).thenReturn(configHolder);
+
+        JWTAuthenticator jwtAuthenticator = new JWTAuthenticator();
+
+
+        APIConfig apiConfig = new APIConfig.Builder("testAPI")
+                .environmentName("env-1")
+                .build();
+        validate(jwtAuthenticator, "env-1", apiConfig, false);
+        validate(jwtAuthenticator, "env-2", apiConfig, true);
+    }
+
+    private static void validate(JWTAuthenticator jwtAuthenticator, String keyEnv,
+                                 APIConfig apiConfig, boolean isNotValid) {
+
+        try {
+            jwtAuthenticator.checkTokenEnvAgainstDeploymentEnv(keyEnv, apiConfig);
+            if (isNotValid) {
+                fail("JWT authenticator passed the test when it should have failed");
+            }
+        } catch (APISecurityException exception) {
+            if (isNotValid) {
+                assertEquals(APIConstants.StatusCodes.UNAUTHORIZED.getCode(), exception.getStatusCode());
+                assertEquals(APISecurityConstants.API_AUTH_KEY_ENVIRONMENT_MISMATCH, exception.getErrorCode());
+            } else {
+                fail("Expected status code and error code are not thrown");
+            }
+        }
+    }
 }