package org.apache.spark.ui.filters;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import java.io.IOException;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sparkproject.jetty.http.HttpStatus;

/* loaded from: input_file:org/apache/spark/ui/filters/JWTAuthHandler.class */
public final class JWTAuthHandler implements AuthenticationHandler {
    private static Logger logger = LoggerFactory.getLogger(JWTAuthHandler.class);
    private static final String IDENTITY_CLAIM_PARAM = "user.identity.claim";
    private final String type = "jwt-bearer";
    private String userIdentityClaim;

    public String getType() {
        return "jwt-bearer";
    }

    public void init(Properties properties) throws ServletException {
        logger.info("Initializing JWTAuthHandler");
        this.userIdentityClaim = properties.getProperty(IDENTITY_CLAIM_PARAM, "preferred-username");
        logger.info("Will use {} as identity claim", this.userIdentityClaim);
    }

    public void destroy() {
    }

    public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        return true;
    }

    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        AuthenticationToken authenticationToken = null;
        String header = httpServletRequest.getHeader(HttpConstants.AUTHORIZATION_HEADER);
        if (header == null || !header.toLowerCase().startsWith("bearer")) {
            logger.error("Unexpected or empty auth header: {}", header);
            throw new AuthenticationException("Unsupported auth scheme in header: " + header);
        }
        String[] split = header.split(" ");
        if (split.length != 2) {
            logger.error("Too many parts in auth header (expected exactly 2, but was {}): {}", Integer.valueOf(split.length), header);
            httpServletResponse.setStatus(HttpStatus.FORBIDDEN_403);
            return null;
        }
        try {
            String asString = JWT.decode(split[1]).getClaim(this.userIdentityClaim).asString();
            if (asString == null || "".equals(asString.trim())) {
                logger.info("Failed to retrieve username from token by claim {}", this.userIdentityClaim);
                httpServletResponse.setStatus(HttpStatus.FORBIDDEN_403);
            } else {
                logger.info("Authenticating user {}", asString);
                authenticationToken = new AuthenticationToken(asString, asString, "jwt-bearer");
            }
            return authenticationToken;
        } catch (JWTDecodeException e) {
            logger.error("Failed to decode given JWT", e);
            httpServletResponse.setStatus(HttpStatus.FORBIDDEN_403);
            return null;
        }
    }
}
