package io.micronaut.function.aws.proxy.security;

import com.amazonaws.serverless.proxy.model.ApiGatewayAuthorizerContext;
import com.amazonaws.serverless.proxy.model.CognitoAuthorizerClaims;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.function.aws.proxy.MicronautAwsProxyRequest;
import io.micronaut.http.HttpRequest;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.authentication.DefaultAuthentication;
import io.micronaut.security.filters.AuthenticationFetcher;
import jakarta.inject.Singleton;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.reactivestreams.Publisher;

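/**
 * {@link AuthenticationFetcher} for requests that arrive through the AWS Lambda proxy integration.
 *
 * <p>Two sources of identity are consulted, in this order:
 * <ol>
 *   <li>the authorizer context attached to the proxy request's request context;</li>
 *   <li>the {@value #HEADER_OIDC_IDENTITY} request header.</li>
 * </ol>
 *
 * <p><strong>Trust boundary.</strong> This class performs no token or signature verification of
 * its own. Both inputs are accepted as already authenticated by the infrastructure in front of
 * the function. The header fallback in particular is only as trustworthy as the network path:
 * if the function can be reached by anything other than the component that sets and overwrites
 * {@value #HEADER_OIDC_IDENTITY}, a caller-supplied header value would be accepted as the
 * principal name. Deployments should restrict invocation to that trusted front end, or override
 * this bean to verify a signed assertion before returning an {@link Authentication}.
 */
@Singleton
@Requires(classes = {AuthenticationFetcher.class})
public class MicronautLambdaAuthenticationFetcher implements AuthenticationFetcher {
    /** Request header read as the principal name when no authorizer context is present. */
    public static final String HEADER_OIDC_IDENTITY = "x-amzn-oidc-identity";

    /** JWT registered claim names copied from the authorizer claims when present. */
    private static final List<String> REGISTERED_CLAIMS_NAMES = Arrays.asList("iss", "sub", "exp", "nbf", "iat", "jti", "aud");

    /** OpenID Connect ID-token claim names copied from the authorizer claims when present. */
    private static final List<String> ID_TOKEN_STANDARD_CLAIMS_NAMES = Arrays.asList("name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "auth_time", "nonce", "acr", "amr", "azp");

    /**
     * Builds an {@link Authentication} from the Lambda proxy request, if it carries an identity.
     *
     * @param httpRequest the incoming request; only {@link MicronautAwsProxyRequest} instances
     *                    are inspected
     * @return a publisher emitting one authentication, or an empty publisher when the request is
     *         not a Lambda proxy request or carries neither an authorizer context nor the
     *         {@value #HEADER_OIDC_IDENTITY} header
     */
    @Override
    public Publisher<Authentication> fetchAuthentication(HttpRequest<?> httpRequest) {
        if (!(httpRequest instanceof MicronautAwsProxyRequest)) {
            return Publishers.empty();
        }
        MicronautAwsProxyRequest<?> proxyRequest = (MicronautAwsProxyRequest<?>) httpRequest;
        ApiGatewayAuthorizerContext authorizer =
                proxyRequest.getAwsProxyRequest().getRequestContext().getAuthorizer();
        if (authorizer != null) {
            // NOTE(review): getPrincipalId() is passed through unchecked; confirm how
            // DefaultAuthentication behaves when the authorizer supplied no principal id.
            return Publishers.just(
                    new DefaultAuthentication(authorizer.getPrincipalId(), attributesOfClaims(authorizer.getClaims())));
        }

        // Fallback: the header value becomes the principal name verbatim, with no attributes and
        // no verification here. Safe only when an upstream component strips or overwrites any
        // client-supplied copy of this header (see the class-level trust-boundary note).
        String oidcIdentity = httpRequest.getHeaders().get(HEADER_OIDC_IDENTITY);
        if (oidcIdentity != null) {
            return Publishers.just(new DefaultAuthentication(oidcIdentity, Collections.emptyMap()));
        }
        return Publishers.empty();
    }

    /**
     * Converts authorizer claims into the attribute map of the resulting {@link Authentication}.
     *
     * <p>The typed accessors are copied first (their values may be {@code null}); afterwards every
     * name in the standard and registered claim lists is looked up with {@code getClaim} and
     * stored only where the key has no non-null value yet.
     *
     * @param cognitoAuthorizerClaims claims from the authorizer context, may be {@code null}
     * @return an unmodifiable attribute map; empty when {@code cognitoAuthorizerClaims} is
     *         {@code null}
     */
    protected Map<String, Object> attributesOfClaims(CognitoAuthorizerClaims cognitoAuthorizerClaims) {
        if (cognitoAuthorizerClaims == null) {
            return Collections.emptyMap();
        }
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("sub", cognitoAuthorizerClaims.getSubject());
        attributes.put("aud", cognitoAuthorizerClaims.getAudience());
        attributes.put("iss", cognitoAuthorizerClaims.getIssuer());
        attributes.put("token_use", cognitoAuthorizerClaims.getTokenUse());
        attributes.put("cognito:username", cognitoAuthorizerClaims.getUsername());
        // preferred_username is seeded from the username; a raw "preferred_username" claim only
        // wins below if getUsername() returned null.
        attributes.put("preferred_username", cognitoAuthorizerClaims.getUsername());
        attributes.put("email", cognitoAuthorizerClaims.getEmail());
        attributes.put("email_verified", Boolean.valueOf(cognitoAuthorizerClaims.isEmailVerified()));
        attributes.put("auth_time", cognitoAuthorizerClaims.getAuthTime());
        attributes.put("iat", cognitoAuthorizerClaims.getIssuedAt());
        attributes.put("exp", cognitoAuthorizerClaims.getExpiration());

        // putIfAbsent treats a key mapped to null as absent, so raw claims fill in any typed
        // accessor that returned null without overriding values already set above.
        Stream.concat(ID_TOKEN_STANDARD_CLAIMS_NAMES.stream(), REGISTERED_CLAIMS_NAMES.stream())
                .forEach(claimName -> {
                    String claimValue = cognitoAuthorizerClaims.getClaim(claimName);
                    if (claimValue != null) {
                        attributes.putIfAbsent(claimName, claimValue);
                    }
                });
        return Collections.unmodifiableMap(attributes);
    }
}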
