package keywhiz.service.providers;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Throwables;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.java8.auth.Authenticator;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import keywhiz.api.model.AutomationClient;
import keywhiz.service.daos.ClientDAO;
import org.glassfish.jersey.server.ContainerRequest;

/* loaded from: input_file:keywhiz/service/providers/AutomationClientAuthFactory.class */
/**
 * Resolves the {@link AutomationClient} on whose behalf a request is made.
 *
 * <p>The caller's name is obtained from {@code ClientAuthFactory.getClientName} and then looked up
 * through a {@link ClientDAO}. A request with no name is rejected with
 * {@link NotAuthorizedException} (HTTP 401). A name that does not resolve to an automation client
 * is rejected with {@link ForbiddenException} (HTTP 403).
 *
 * <p>NOTE(review): the error text refers to a "ClientCert name", so the name presumably comes from
 * the TLS client certificate. The extraction and any certificate validation happen in
 * {@code ClientAuthFactory}, outside this class; confirm there that only verified certificates
 * reach this point.
 */
public class AutomationClientAuthFactory {
    private final Authenticator<String, AutomationClient> authenticator;

    /**
     * Maps a client name to an {@link AutomationClient} by looking the name up in the DAO.
     *
     * <p>NOTE(review): whether a known client is actually permitted to act as an automation client
     * is decided by {@code AutomationClient.of}, which is not visible here. This class relies on
     * that call yielding no value (an empty Optional after {@code map}) for clients lacking the
     * automation privilege; confirm against {@code AutomationClient}.
     */
    private static class MyAuthenticator implements Authenticator<String, AutomationClient> {
        private final ClientDAO clientDAO;

        private MyAuthenticator(ClientDAO clientDAO) {
            this.clientDAO = clientDAO;
        }

        /**
         * Looks up the named client and converts it to an automation client.
         *
         * @param str client name to look up
         * @return the automation client, or empty when the lookup or the conversion yields nothing
         * @throws AuthenticationException declared by the interface; not thrown directly here
         */
        @Override
        public Optional<AutomationClient> authenticate(String str) throws AuthenticationException {
            return clientDAO.getClient(str).map(client -> AutomationClient.of(client));
        }
    }

    /**
     * Production constructor: authenticates against the DAO returned by
     * {@code clientDAOFactory.readonly()}.
     */
    @Inject
    public AutomationClientAuthFactory(ClientDAO.ClientDAOFactory clientDAOFactory) {
        this.authenticator = new MyAuthenticator(clientDAOFactory.readonly());
    }

    /** Test-only constructor that authenticates against the supplied DAO directly. */
    @VisibleForTesting
    AutomationClientAuthFactory(ClientDAO clientDAO) {
        this.authenticator = new MyAuthenticator(clientDAO);
    }

    /**
     * Returns the automation client for the given request, or rejects the request.
     *
     * @param containerRequest the incoming request
     * @return the authenticated automation client
     * @throws NotAuthorizedException if no client name can be extracted from the request
     * @throws ForbiddenException if the name does not resolve to an automation client
     */
    public AutomationClient provide(ContainerRequest containerRequest) {
        // No name at all means the caller is unauthenticated (401), not merely unprivileged.
        String certName = ClientAuthFactory.getClientName(containerRequest)
                .orElseThrow(() -> new NotAuthorizedException("Not authorized as a AutomationClient"));

        Optional<AutomationClient> match;
        try {
            match = authenticator.authenticate(certName);
        } catch (AuthenticationException e) {
            // A failure of the lookup itself is surfaced as an unchecked exception.
            throw Throwables.propagate(e);
        }

        if (match.isPresent()) {
            return match.get();
        }
        // Identified caller without automation rights (403).
        // NOTE(review): the caller-supplied name is embedded in the message; confirm how this
        // exception is rendered in responses and logs.
        throw new ForbiddenException(
                String.format("ClientCert name %s not authorized as a AutomationClient", certName));
    }
}
