package org.apache.hadoop.security.authentication.server;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.IOException;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.JWTUtils;
import org.apache.hadoop.security.authentication.util.SsoConfigurationUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-auth-3.4.1.0-eep-940.jar:org/apache/hadoop/security/authentication/server/JWTAuthHandler.class */
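/**
 * Authentication handler for requests that carry a JWT in an
 * {@code Authorization: Bearer <token>} header.
 *
 * <p>The token is parsed with {@link JWT#decode(String)}, which only decodes the token and does
 * not check its signature or expiry. Every trust decision therefore rests on
 * {@link JWTUtils#validateToken(DecodedJWT)}; that method is not visible in this file, so confirm
 * it verifies signature, issuer and validity period before relying on this handler.
 *
 * <p>Credentials (the raw header and the token) are deliberately never written to the log or put
 * into exception messages: a token that fails validation here may still be accepted elsewhere.
 */
public class JWTAuthHandler extends MultiMechsAuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(JWTAuthHandler.class);
    private static final String BEARER_AUTH = "Bearer";

    /**
     * Performs no initialisation; this handler reads nothing from {@code properties}.
     *
     * @param properties handler configuration, ignored here
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(Properties properties) throws ServletException {
    }

    /**
     * Authenticates a request from its bearer token.
     *
     * @param httpServletRequest request whose {@code Authorization} header is inspected
     * @param httpServletResponse response that receives status 403 when the token is rejected
     * @return a token for the user named by the configured user claim, or {@code null} (with
     *     status 403 set) when the header is malformed or the token is rejected
     * @throws IOException declared by the overridden method; not thrown by the code shown here
     * @throws AuthenticationException if the header is absent or does not start with the bearer
     *     scheme
     */
    @Override
    public AuthenticationToken postauthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        String header = httpServletRequest.getHeader("Authorization");
        // Case-insensitive prefix test that does not depend on the default locale.
        if (header == null || !header.regionMatches(true, 0, BEARER_AUTH, 0, BEARER_AUTH.length())) {
            // The header may hold credentials of another scheme, so its value is withheld.
            LOG.error("Unexpected or empty auth header (present: {}, value withheld)", header != null);
            throw new AuthenticationException("Unsupported auth scheme in Authorization header");
        }

        String[] parts = header.split(" ");
        // Require exactly "<scheme> <token>" and an exact scheme name, so that a header such as
        // "BearerX <token>" is not treated as a bearer token.
        if (parts.length != 2 || !BEARER_AUTH.equalsIgnoreCase(parts[0])) {
            LOG.error("Malformed auth header (expected exactly 2 parts, but was {}), value withheld", parts.length);
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        DecodedJWT decoded;
        try {
            // Parsing only: nothing about the token is trusted until validateToken accepts it.
            decoded = JWT.decode(parts[1]);
        } catch (RuntimeException e) {
            // java-jwt reports an undecodable token with an unchecked exception. Fail closed like
            // any other rejected token; only the exception type is logged because the message
            // may echo token content.
            LOG.warn("AUTH FAILURE: bearer token could not be decoded ({})", e.getClass().getSimpleName());
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        if (!JWTUtils.validateToken(decoded)) {
            LOG.warn("jwtToken failed validation (token withheld)");
            LOG.error("Token validation failed.");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        String user = decoded.getClaim(SsoConfigurationUtil.getInstance().getUserAttrName()).asString();
        if (user == null || user.isEmpty()) {
            // A valid token without a usable user claim must not yield an anonymous identity.
            LOG.error("Validated token carries no usable user claim.");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        LOG.debug("Issuing AuthenticationToken for user.");
        return new AuthenticationToken(user, user, getType());
    }

    /**
     * Adds the bearer challenge header to the response.
     *
     * @param httpServletResponse response to which {@code WWW-Authenticate} is added
     */
    @Override
    public void addHeader(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader("WWW-Authenticate", "Bearer realm=\"master\"");
    }

    /**
     * Selects this handler when the given value starts with {@code "Bearer"}.
     *
     * <p>NOTE(review): this match is case-sensitive, while {@code postauthenticate} accepts the
     * scheme in any case. Presumably {@code str} is the Authorization header value; confirm
     * against the caller whether a lower-case {@code bearer} should also select this handler.
     *
     * @param str value to test, presumably the Authorization header
     * @return this handler if {@code str} starts with {@code "Bearer"}, otherwise {@code null}
     */
    @Override
    public MultiMechsAuthenticationHandler getAuthBasedEntity(String str) {
        if (str == null || !str.startsWith(BEARER_AUTH)) {
            return null;
        }
        return this;
    }
}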
