package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAuthenticationHandler.class */
public class RMAuthenticationHandler extends KerberosAuthenticationHandler {
    public static final String TYPE = "kerberos-dt";
    public static final String HEADER = "Hadoop-YARN-Auth-Delegation-Token";
    static RMDelegationTokenSecretManager secretManager;
    static boolean secretManagerInitialized = false;

    public String getType() {
        return TYPE;
    }

    public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return true;
    }

    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        AuthenticationToken authenticate;
        String encodedDelegationTokenFromRequest = getEncodedDelegationTokenFromRequest(httpServletRequest);
        if (encodedDelegationTokenFromRequest != null) {
            Token<RMDelegationTokenIdentifier> token = new Token<>();
            token.decodeFromUrlString(encodedDelegationTokenFromRequest);
            UserGroupInformation verifyToken = verifyToken(token);
            if (verifyToken == null) {
                throw new AuthenticationException("Invalid token");
            }
            authenticate = new AuthenticationToken(verifyToken.getShortUserName(), verifyToken.getUserName(), getType());
        } else {
            authenticate = super.authenticate(httpServletRequest, httpServletResponse);
            if (authenticate != null) {
                authenticate = new AuthenticationToken(authenticate.getUserName(), authenticate.getName(), super.getType());
            }
        }
        return authenticate;
    }

    protected UserGroupInformation verifyToken(Token<RMDelegationTokenIdentifier> token) throws IOException {
        if (!secretManagerInitialized) {
            throw new IllegalStateException("Secret manager not initialized");
        }
        DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
        AbstractDelegationTokenIdentifier m352createIdentifier = secretManager.m352createIdentifier();
        try {
            m352createIdentifier.readFields(dataInputStream);
            secretManager.verifyToken(m352createIdentifier, token.getPassword());
            dataInputStream.close();
            return m352createIdentifier.getUser();
        } catch (Throwable th) {
            dataInputStream.close();
            return null;
        }
    }

    protected String getEncodedDelegationTokenFromRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(HEADER);
    }

    public static void setSecretManager(RMDelegationTokenSecretManager rMDelegationTokenSecretManager) {
        secretManager = rMDelegationTokenSecretManager;
        secretManagerInitialized = true;
    }
}
