package keywhiz.service.providers;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Throwables;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.java8.auth.Authenticator;
import java.security.Principal;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.NotAuthorizedException;
import keywhiz.api.model.Client;
import keywhiz.service.daos.ClientDAO;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.glassfish.jersey.server.ContainerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:keywhiz/service/providers/ClientAuthFactory.class */
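/**
 * Resolves the authenticated {@link Client} for a request from the client-certificate
 * principal found in the request's security context.
 *
 * <p>The client name is the value of the first {@code CN} RDN of the principal's DN. A name
 * that is not yet in the database is registered on first sight (see {@link MyAuthenticator}),
 * so every principal that reaches this factory maps to a client record; the only per-client
 * gate afterwards is the record's enabled flag. Nothing here validates the certificate itself —
 * that is assumed to have happened before the principal was attached to the request.
 */
public class ClientAuthFactory {
    private static final Logger logger = LoggerFactory.getLogger(ClientAuthFactory.class);
    private final Authenticator<String, Client> authenticator;

    /**
     * Name-based authenticator: looks the client up, creates it when unknown, and rejects
     * clients that an operator has disabled in the database.
     */
    private static class MyAuthenticator implements Authenticator<String, Client> {
        private final ClientDAO clientDAO;

        private MyAuthenticator(ClientDAO clientDAO) {
            this.clientDAO = clientDAO;
        }

        /**
         * Authenticates the client named {@code name}.
         *
         * @param name client name taken from the certificate CN
         * @return the client when it exists (or was just created) and is enabled; empty when
         *     the client exists but is disabled
         * @throws IllegalStateException if a newly created client cannot be read back by id
         */
        @Override
        public Optional<Client> authenticate(String name) throws AuthenticationException {
            Optional<Client> existing = clientDAO.getClient(name);
            if (!existing.isPresent()) {
                // First contact: register the client. The fixed creator/description mark the
                // record as auto-provisioned so it can be told apart from operator-created ones.
                Client created = clientDAO.getClientById(
                        clientDAO.createClient(name, "automatic",
                                "Client created automatically from valid certificate authentication"))
                        .orElseThrow(() -> new IllegalStateException(
                                "Client " + name + " was created but could not be read back"));
                return Optional.of(created);
            }
            Client client = existing.get();
            if (!client.isEnabled()) {
                // The disabled flag is the operator's kill switch: presenting a valid
                // certificate must not bypass it.
                logger.warn("Client {} authenticated but disabled via DB", client);
                return Optional.empty();
            }
            return existing;
        }
    }

    /**
     * Creates a factory backed by the read-write DAO from {@code clientDAOFactory}
     * (read-write because unknown clients are inserted on first authentication).
     *
     * @param clientDAOFactory source of the {@link ClientDAO}
     */
    @Inject
    public ClientAuthFactory(ClientDAO.ClientDAOFactory clientDAOFactory) {
        this.authenticator = new MyAuthenticator(clientDAOFactory.readwrite());
    }

    /**
     * Creates a factory over an explicit DAO; intended for tests.
     *
     * @param clientDAO DAO used for lookups and auto-creation
     */
    @VisibleForTesting
    ClientAuthFactory(ClientDAO clientDAO) {
        this.authenticator = new MyAuthenticator(clientDAO);
    }

    /**
     * Provides the client for the current request.
     *
     * @param containerRequest request whose security context carries the certificate principal
     * @return the authenticated, enabled client
     * @throws NotAuthorizedException if the request has no principal, the principal's DN has
     *     no CN, or the named client is disabled
     * @throws IllegalStateException wrapping an {@link AuthenticationException} raised by the
     *     authenticator (unchecked so callers of this factory need not declare it)
     */
    public Client provide(ContainerRequest containerRequest) {
        String clientName = getClientName(containerRequest)
                .orElseThrow(() -> new NotAuthorizedException("ClientCert not authorized as a Client"));
        try {
            return authenticator.authenticate(clientName).orElseThrow(() ->
                    new NotAuthorizedException(
                            String.format("ClientCert name %s not authorized as a Client", clientName)));
        } catch (AuthenticationException e) {
            throw new IllegalStateException("Authentication of client " + clientName + " failed", e);
        }
    }

    /**
     * Extracts the client name from the request's user principal.
     *
     * <p>The principal name is parsed as an X.500 DN and the value of its first {@code CN}
     * RDN is returned; any further CNs in the DN are ignored.
     *
     * @param containerRequest request to inspect
     * @return the CN, or empty when there is no principal or the DN carries no CN
     */
    public static Optional<String> getClientName(ContainerRequest containerRequest) {
        Principal principal = containerRequest.getSecurityContext().getUserPrincipal();
        if (principal == null) {
            return Optional.empty();
        }
        // NOTE(review): X500Name is expected to reject a malformed DN string with an unchecked
        // exception; this assumes the principal name is a well-formed DN set by the TLS layer.
        RDN[] commonNames = new X500Name(principal.getName()).getRDNs(BCStyle.CN);
        if (commonNames.length == 0) {
            logger.warn("Certificate does not contain CN=xxx,...: {}", principal.getName());
            return Optional.empty();
        }
        return Optional.of(IETFUtils.valueToString(commonNames[0].getFirst().getValue()));
    }
}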
