package keywhiz.service.resources;

import com.google.common.annotations.VisibleForTesting;
import io.dropwizard.auth.Auth;
import java.text.ParseException;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import keywhiz.api.SecretDeliveryResponse;
import keywhiz.api.model.Client;
import keywhiz.api.model.SanitizedSecret;
import keywhiz.api.model.Secret;
import keywhiz.service.config.Readonly;
import keywhiz.service.daos.AclDAO;
import keywhiz.service.daos.ClientDAO;
import keywhiz.service.daos.SecretController;
import org.hibernate.validator.constraints.NotEmpty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

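/**
 * JAX-RS resource that delivers one secret to an authenticated client.
 *
 * <p>Serves {@code GET /secret/{secretName}} and produces JSON. A secret is returned only when
 * {@link AclDAO#getSanitizedSecretFor} yields a value for the requesting client; every other
 * outcome ends in an HTTP error raised from {@link #getSecret}.
 *
 * <p>NOTE(review): an authenticated client can distinguish "secret exists but access is denied"
 * (403) from "no such secret" (404). That lets a client probe for secret names it has no grant
 * for. Confirm this is acceptable for the deployment and that 403 responses are monitored.
 */
@Produces({"application/json"})
@Path("/secret/{secretName}")
public class SecretDeliveryResource {
    private static final Logger logger = LoggerFactory.getLogger(SecretDeliveryResource.class);
    private final SecretController secretController;
    private final AclDAO aclDAO;
    private final ClientDAO clientDAO;

    /**
     * Creates the resource for production use via dependency injection.
     *
     * @param secretController controller used to load the secret (injected with {@code @Readonly})
     * @param aclDAOFactory factory whose {@code readonly()} DAO is used for access decisions
     * @param clientDAOFactory factory whose {@code readonly()} DAO is used for client lookups
     */
    @Inject
    public SecretDeliveryResource(@Readonly SecretController secretController, AclDAO.AclDAOFactory aclDAOFactory, ClientDAO.ClientDAOFactory clientDAOFactory) {
        this.secretController = secretController;
        this.aclDAO = aclDAOFactory.readonly();
        this.clientDAO = clientDAOFactory.readonly();
    }

    /**
     * Creates the resource from already-built collaborators; intended for tests.
     *
     * @param secretController controller used to load the secret
     * @param aclDAO DAO used for access decisions
     * @param clientDAO DAO used for client lookups
     */
    @VisibleForTesting
    SecretDeliveryResource(SecretController secretController, AclDAO aclDAO, ClientDAO clientDAO) {
        this.secretController = secretController;
        this.aclDAO = aclDAO;
        this.clientDAO = clientDAO;
    }

    /**
     * Returns the requested secret if the authenticated client has been granted access to it.
     *
     * @param str secret identifier taken from the URL path; parsed into a name and a version by
     *     {@link Secret#splitNameAndVersion}
     * @param client the authenticated caller supplied by the {@code @Auth} provider
     * @return the delivery representation of the secret
     * @throws BadRequestException if {@code str} cannot be parsed
     * @throws ForbiddenException if both the client and the secret exist but no grant links them
     * @throws NotFoundException if there is no grant and either the client or the secret is unknown
     * @throws InternalServerErrorException if a grant exists but the secret cannot be loaded or
     *     turned into a response
     */
    @GET
    public SecretDeliveryResponse getSecret(@NotEmpty @PathParam("secretName") String str, @Auth Client client) {
        try {
            String[] nameAndVersion = Secret.splitNameAndVersion(str);
            String name = nameAndVersion[0];
            String version = nameAndVersion[1];

            // The ACL lookup is the authorization decision; the second lookup supplies the
            // object that is delivered and doubles as the existence check for the 403/404 split.
            Optional<SanitizedSecret> granted = this.aclDAO.getSanitizedSecretFor(client, name, version);
            Optional<Secret> secret = this.secretController.getSecretByNameAndVersion(name, version);

            if (!granted.isPresent()) {
                boolean clientExists = this.clientDAO.getClient(client.getName()).isPresent();
                if (clientExists && secret.isPresent()) {
                    // Record the denial server-side so repeated probing by one client is visible
                    // in the logs; the original only logged successful deliveries.
                    logger.warn("Client {} denied access to {}.", client.getName(), str);
                    // NOTE(review): the message embeds client.toString(). Whether it reaches the
                    // HTTP response body depends on the exception mapper in use; confirm that
                    // Client#toString() exposes nothing that should stay internal.
                    throw new ForbiddenException(String.format("Access denied: %s at '%s' by '%s'", client.getName(), "/secret/" + str, client));
                }
                throw new NotFoundException();
            }

            // The two lookups are independent reads, so a grant can be found while the secret
            // itself is missing. Fail explicitly instead of letting Optional.get() throw
            // NoSuchElementException from the middle of the handler.
            if (!secret.isPresent()) {
                logger.error("Client {} has a grant for {} but the secret could not be loaded.", client.getName(), str);
                throw new InternalServerErrorException();
            }

            logger.info("Client {} granted access to {}.", client.getName(), str);
            try {
                return SecretDeliveryResponse.fromSecret(secret.get());
            } catch (IllegalArgumentException e) {
                // SLF4J treats a trailing Throwable as the exception to log, not as a value for
                // a placeholder, so the message carries one "{}" and the stack trace is kept.
                logger.error("Failed creating response for secret {}", str, e);
                // The cause stays in the server log only; the response carries no detail.
                throw new InternalServerErrorException();
            }
        } catch (ParseException e2) {
            // NOTE(review): the rejected path segment is echoed in the error message; confirm the
            // response writer encodes it for the JSON body.
            throw new BadRequestException(String.format("Invalid secret name '%s'", str));
        }
    }
}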
