package io.microlam.aws.lambda.auth;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import java.util.Collections;
import java.util.Objects;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/microlam/aws/lambda/auth/AbstractCognitoTokenAuthorizerHandler.class */
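/**
 * Base class for an API Gateway Lambda TOKEN authorizer that validates Cognito-issued JWTs.
 *
 * <p>Tokens are verified with jose4j against the user pool's JWKS (fetched from the issuer or
 * supplied inline), checking signature (RS256 only), {@code exp}, {@code sub}, {@code iss} and
 * {@code aud}. A valid token produces an Allow policy for every method on the stage; an invalid
 * token produces the {@code "Unauthorized"} exception that API Gateway maps to a 401.
 *
 * <p>Configuration is held in public static fields, so constructing a second handler with
 * different settings re-configures every instance in the JVM: the class is effectively
 * single-handler-per-process. The fields stay static for compatibility with subclasses that
 * read them.
 */
public abstract class AbstractCognitoTokenAuthorizerHandler implements RequestHandler<TokenAuthorizerContext, AuthorizerResponse> {
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractCognitoTokenAuthorizerHandler.class);

    /** Expected {@code iss} claim (the Cognito user pool URL). Overwritten by every constructor call. */
    public static String iss;
    /** Expected {@code aud} claim (the Cognito app client id). Overwritten by every constructor call. */
    public static String aud;
    /** Configured validator shared by all instances. Overwritten by every constructor call. */
    public static JwtConsumer jwtConsumer;

    /**
     * Creates a handler that fetches signing keys from {@code <issuer>/.well-known/jwks.json}.
     *
     * @param issuer expected {@code iss} claim (Cognito user pool URL)
     * @param audience expected {@code aud} claim (app client id)
     * @param requireAudience whether a token without an {@code aud} claim is rejected
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience, boolean requireAudience) {
        this(issuer, audience, requireAudience, generateFromIssuer(issuer));
    }

    /**
     * Same as {@link #AbstractCognitoTokenAuthorizerHandler(String, String, boolean)} with the
     * {@code aud} claim required.
     *
     * @param issuer expected {@code iss} claim (Cognito user pool URL)
     * @param audience expected {@code aud} claim (app client id)
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience) {
        this(issuer, audience, true, generateFromIssuer(issuer));
    }

    /**
     * Builds a key resolver that fetches (and caches) the JWKS published under the issuer URL.
     *
     * @param issuer Cognito user pool URL; must be the https issuer so the key fetch is authenticated
     * @return resolver backed by {@code <issuer>/.well-known/jwks.json}
     * @throws NullPointerException if {@code issuer} is null (instead of silently building
     *     the URL {@code "null/.well-known/jwks.json"})
     */
    protected static HttpsJwksVerificationKeyResolver generateFromIssuer(String issuer) {
        Objects.requireNonNull(issuer, "issuer");
        // Cognito publishes the pool's signing keys at this well-known path under the issuer URL.
        return new HttpsJwksVerificationKeyResolver(new HttpsJwks(issuer + "/.well-known/jwks.json"));
    }

    /**
     * Creates a handler that verifies signatures against an inline JWKS document.
     *
     * @param issuer expected {@code iss} claim (Cognito user pool URL)
     * @param audience expected {@code aud} claim (app client id)
     * @param jwksJson JWK Set as a JSON string
     * @param requireAudience whether a token without an {@code aud} claim is rejected
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience, String jwksJson, boolean requireAudience) {
        this(issuer, audience, requireAudience, generateFromKeySet(jwksJson));
    }

    /**
     * Same as {@link #AbstractCognitoTokenAuthorizerHandler(String, String, String, boolean)}
     * with the {@code aud} claim required.
     *
     * @param issuer expected {@code iss} claim (Cognito user pool URL)
     * @param audience expected {@code aud} claim (app client id)
     * @param jwksJson JWK Set as a JSON string
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience, String jwksJson) {
        this(issuer, audience, true, generateFromKeySet(jwksJson));
    }

    /**
     * Builds a key resolver from an inline JWKS document.
     *
     * @param jwksJson JWK Set as a JSON string
     * @return resolver holding the keys of the set
     * @throws RuntimeException wrapping the {@link JoseException} if the JSON is not a valid JWK Set
     */
    protected static JwksVerificationKeyResolver generateFromKeySet(String jwksJson) {
        try {
            return new JwksVerificationKeyResolver(new JsonWebKeySet(jwksJson).getJsonWebKeys());
        } catch (JoseException e) {
            // The cause is attached, so the previous printStackTrace() was redundant noise on stderr.
            throw new RuntimeException("Cannot generate JwksVerificationKeyResolver from KeySet [" + jwksJson + "]", e);
        }
    }

    /**
     * Creates a handler with the standard Cognito validation rules and a caller-supplied key resolver.
     *
     * <p>Rules: {@code exp} required (30 s clock skew), {@code sub} required, {@code iss} must
     * equal {@code issuer}, {@code aud} must equal {@code audience}, signature must verify under
     * a key from {@code verificationKeyResolver}, and the JWS algorithm must be exactly RS256.
     *
     * @param issuer expected {@code iss} claim
     * @param audience expected {@code aud} claim
     * @param requireAudience whether a token without an {@code aud} claim is rejected
     * @param verificationKeyResolver source of signature verification keys
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience, boolean requireAudience,
            VerificationKeyResolver verificationKeyResolver) {
        this(issuer, audience, new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .setExpectedIssuer(issuer)
                .setExpectedAudience(requireAudience, audience)
                .setVerificationKeyResolver(verificationKeyResolver)
                // Allow-list a single algorithm: Cognito signs with RS256, and pinning it rejects
                // tokens that try to switch to "none" or a symmetric algorithm.
                .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, "RS256")
                .build());
    }

    /**
     * Creates a handler with a fully custom {@link JwtConsumer}.
     *
     * <p>Assigns the static configuration fields; see the class comment for the consequences.
     *
     * @param issuer expected {@code iss} claim, stored in {@link #iss}
     * @param audience expected {@code aud} claim, stored in {@link #aud}
     * @param customConsumer validator stored in {@link #jwtConsumer}
     */
    public AbstractCognitoTokenAuthorizerHandler(String issuer, String audience, JwtConsumer customConsumer) {
        iss = issuer;
        aud = audience;
        jwtConsumer = customConsumer;
    }

    /**
     * Validates the bearer token and returns the authorizer response.
     *
     * @param tokenAuthorizerContext API Gateway TOKEN authorizer event
     * @param context Lambda context
     * @return Allow policy built by {@link #generateResponse}
     * @throws RuntimeException with message {@code "Unauthorized"} when the token is invalid;
     *     API Gateway turns exactly this message into a 401 response
     */
    @Override
    public AuthorizerResponse handleRequest(TokenAuthorizerContext tokenAuthorizerContext, Context context) {
        try {
            JwtClaims claims = jwtConsumer.processToClaims(tokenAuthorizerContext.getAuthorizationToken());
            return generateResponse(claims, tokenAuthorizerContext, context);
        } catch (InvalidJwtException e) {
            LOGGER.warn("Invalid JWT!", e);
            logRejectionDetails(e);
            // API Gateway maps an exception whose message is exactly "Unauthorized" to HTTP 401;
            // any other exception surfaces as a 500. Do not change this text.
            throw new RuntimeException("Unauthorized");
        }
    }

    /**
     * Logs the concrete reason for the most common rejections (expiry, audience, issuer mismatch)
     * so misconfigurations can be diagnosed from the log without the raw token.
     *
     * @param e the rejection raised by the {@link JwtConsumer}
     */
    private static void logRejectionDetails(InvalidJwtException e) {
        if (e.hasExpired()) {
            try {
                LOGGER.warn("JWT expired at {}", e.getJwtContext().getJwtClaims().getExpirationTime());
            } catch (MalformedClaimException mce) {
                LOGGER.warn("MalformedClaimException", mce);
            }
        }
        // 8 and 12 are jose4j's ErrorCodes.AUDIENCE_INVALID and ErrorCodes.ISSUER_INVALID.
        if (e.hasErrorCode(8)) {
            try {
                LOGGER.warn("JWT had wrong audience: {}", e.getJwtContext().getJwtClaims().getAudience());
            } catch (MalformedClaimException mce) {
                LOGGER.warn("MalformedClaimException", mce);
            }
        }
        if (e.hasErrorCode(12)) {
            try {
                LOGGER.warn("JWT had wrong issuer: {}", e.getJwtContext().getJwtClaims().getIssuer());
            } catch (MalformedClaimException mce) {
                LOGGER.warn("MalformedClaimException", mce);
            }
        }
    }

    /**
     * Builds the authorizer response for an already-validated token.
     *
     * <p>The policy allows every method on the request's stage, so a valid token from the pool
     * grants access to the whole stage: this handler authenticates, it does not authorize per
     * method. Subclasses wanting finer-grained policies override this method.
     *
     * @param jwtClaims verified claims
     * @param tokenAuthorizerContext API Gateway TOKEN authorizer event (source of the method ARN)
     * @param context Lambda context (used for logging)
     * @return response with the token subject as principal, an Allow-on-stage policy, and the
     *     claims passed through as authorizer context
     * @throws RuntimeException wrapping {@link MalformedClaimException} if {@code sub} is not a string
     */
    protected AuthorizerResponse generateResponse(JwtClaims jwtClaims, TokenAuthorizerContext tokenAuthorizerContext, Context context) {
        // NOTE(review): this writes every claim of the token (which can include e-mail and other
        // personal data) to the Lambda log; consider logging only the subject in production.
        context.getLogger().log(jwtClaims.toString());
        String allowEverythingOnStage = new MethodArn(tokenAuthorizerContext.getMethodArn()).allowEverythingOnStage();
        try {
            String subject = jwtClaims.getSubject();
            return AuthorizerResponse.builder()
                    .principalId(subject)
                    .policyDocument(PolicyDocument.builder()
                            .statements(Collections.singletonList(Statement.builder()
                                    .effect("Allow")
                                    .resource(allowEverythingOnStage)
                                    .build()))
                            .build())
                    // NOTE(review): API Gateway accepts only String/Number/Boolean context values;
                    // array-valued claims (e.g. group lists) may need flattening — verify against
                    // the deployed integration.
                    .context(jwtClaims.getClaimsMap())
                    .build();
        } catch (MalformedClaimException e) {
            throw new RuntimeException("Cannot read subject claim from JWT", e);
        }
    }
}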
