package org.apache.hadoop.yarn.server.timeline.security;

import java.io.IOException;
import java.io.PrintWriter;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.records.timeline.TimelineDelegationTokenResponse;
import org.apache.hadoop.yarn.security.client.TimelineAuthenticationConsts;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenOperation;
import org.apache.hadoop.yarn.server.applicationhistoryservice.webapp.AHSWebApp;
import org.apache.hadoop.yarn.webapp.YarnJacksonJaxbJsonProvider;
import org.codehaus.jackson.map.ObjectMapper;

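/**
 * Authentication handler of type {@code kerberos-dt} for the timeline server web endpoints.
 *
 * <p>It extends {@link KerberosAuthenticationHandler} in two ways: requests carrying a
 * {@code delegation} query parameter are authenticated by verifying that delegation token
 * instead of running the superclass authentication, and requests carrying an {@code op}
 * parameter naming a delegation-token operation (get / renew / cancel) are answered here
 * rather than being passed down the filter chain.
 *
 * <p>Delegation tokens are bearer credentials and this handler receives them in query
 * parameters ({@code delegation}, {@code token}); anything that records request URLs
 * (access logs, proxies) will therefore hold usable tokens until they expire or are cancelled.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public class TimelineClientAuthenticationService extends KerberosAuthenticationHandler {
    public static final String TYPE = "kerberos-dt";
    private static final String OP_PARAM = "op";
    private static final String ENTER = System.getProperty("line.separator");

    /** Upper-case names of the operations that {@link #managementOperation} handles itself. */
    private static final Set<String> DELEGATION_TOKEN_OPS = new HashSet<>();

    static {
        DELEGATION_TOKEN_OPS.add(TimelineDelegationTokenOperation.GETDELEGATIONTOKEN.toString());
        DELEGATION_TOKEN_OPS.add(TimelineDelegationTokenOperation.RENEWDELEGATIONTOKEN.toString());
        DELEGATION_TOKEN_OPS.add(TimelineDelegationTokenOperation.CANCELDELEGATIONTOKEN.toString());
    }

    /** JSON serializer for delegation-token responses; configured once in the constructor. */
    private final ObjectMapper mapper = new ObjectMapper();

    public TimelineClientAuthenticationService() {
        YarnJacksonJaxbJsonProvider.configObjectMapper(this.mapper);
    }

    /**
     * Returns the handler type identifier, {@value #TYPE}.
     */
    @Override
    public String getType() {
        return TYPE;
    }

    /**
     * Handles the delegation-token operations (get, renew, cancel) selected by the {@code op}
     * request parameter.
     *
     * @param authenticationToken the caller's established authentication, or {@code null} if none
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response; written to when the operation is handled here
     * @return {@code true} if the request is not a delegation-token operation (or is an
     *     {@code OPTIONS} request) and processing should continue; {@code false} once this
     *     method has produced the response, whether success or error
     * @throws IOException if sending an early error response fails
     * @throws AuthenticationException wrapping any {@link IOException} raised while the
     *     operation itself is carried out
     */
    @Override
    public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        String rawOp = httpServletRequest.getParameter(OP_PARAM);
        // Locale.ROOT: the default-locale toUpperCase() maps 'i' to a dotted capital in some
        // locales (e.g. Turkish), so a lower-case op name would miss DELEGATION_TOKEN_OPS and
        // the request would silently bypass this handler.
        String opName = rawOp != null ? rawOp.toUpperCase(Locale.ROOT) : null;
        String httpMethod = httpServletRequest.getMethod();
        if (!DELEGATION_TOKEN_OPS.contains(opName) || "OPTIONS".equals(httpMethod)) {
            return true;
        }

        TimelineDelegationTokenOperation dtOp = TimelineDelegationTokenOperation.valueOf(opName);
        if (!dtOp.getHttpMethod().equals(httpMethod)) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, MessageFormat.format("Wrong HTTP method [{0}] for operation [{1}], it should be [{2}]", httpMethod, dtOp, dtOp.getHttpMethod()));
            return false;
        }
        if (dtOp.requiresKerberosCredentials() && authenticationToken == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, MessageFormat.format("Operation [{0}] requires SPNEGO authentication established", dtOp));
            return false;
        }
        if (authenticationToken == null) {
            // Every branch below reads authenticationToken.getUserName(). If an operation
            // reports requiresKerberosCredentials() == false (the enum is not visible in this
            // file), a null token would otherwise surface as a NullPointerException; answer
            // 401 instead of passing an unknown caller identity on to the secret manager.
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, MessageFormat.format("Operation [{0}] requires an authenticated caller", dtOp));
            return false;
        }

        String callerName = authenticationToken.getUserName();
        TimelineDelegationTokenSecretManagerService secretManager = AHSWebApp.getInstance().getTimelineDelegationTokenSecretManagerService();
        try {
            TimelineDelegationTokenResponse body = null;
            switch (dtOp) {
                case GETDELEGATIONTOKEN: {
                    UserGroupInformation owner = UserGroupInformation.createRemoteUser(callerName);
                    // NOTE(review): the renewer is taken verbatim from the request; any
                    // restriction on who may be named as renewer has to be enforced by the
                    // secret manager or at renewal time - confirm.
                    String renewer = httpServletRequest.getParameter("renewer");
                    if (renewer == null) {
                        renewer = callerName;
                    }
                    Token<TimelineDelegationTokenIdentifier> issued = secretManager.createToken(owner, renewer);
                    body = new TimelineDelegationTokenResponse();
                    body.setType("url");
                    body.setContent(issued.encodeToUrlString());
                    break;
                }
                case RENEWDELEGATIONTOKEN:
                case CANCELDELEGATIONTOKEN: {
                    String encodedToken = httpServletRequest.getParameter("token");
                    if (encodedToken == null) {
                        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, MessageFormat.format("Operation [{0}] requires the parameter [{1}]", dtOp, "token"));
                        return false;
                    }
                    Token<TimelineDelegationTokenIdentifier> presented = new Token<>();
                    presented.decodeFromUrlString(encodedToken);
                    if (dtOp == TimelineDelegationTokenOperation.CANCELDELEGATIONTOKEN) {
                        // Cancel produces no body; only the 200 status is returned.
                        secretManager.cancelToken(presented, callerName);
                    } else {
                        long newExpiration = secretManager.renewToken(presented, callerName);
                        body = new TimelineDelegationTokenResponse();
                        body.setType(TimelineAuthenticationConsts.DELEGATION_TOKEN_EXPIRATION_TIME);
                        body.setContent(Long.valueOf(newExpiration));
                    }
                    break;
                }
                default:
                    break;
            }
            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
            if (body != null) {
                httpServletResponse.setContentType("application/json");
                PrintWriter writer = httpServletResponse.getWriter();
                this.mapper.writeValue(writer, body);
                writer.write(ENTER);
                writer.flush();
            }
            return false;
        } catch (IOException e) {
            // NOTE(review): e.toString() becomes the AuthenticationException message; if the
            // surrounding filter echoes that message to the client, internal detail from the
            // secret manager could be disclosed - confirm how the filter renders it.
            throw new AuthenticationException(e.toString(), e);
        }
    }

    /**
     * Authenticates a request either by a delegation token passed in the {@code delegation}
     * query parameter or, when that parameter is absent, by the superclass handler.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, passed through to the superclass handler
     * @return the authentication token for the verified user, or whatever the superclass returns
     * @throws IOException if the delegation token cannot be decoded or verified
     * @throws AuthenticationException if the superclass authentication fails
     */
    @Override
    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        String encodedToken = httpServletRequest.getParameter("delegation");
        if (encodedToken == null) {
            return super.authenticate(httpServletRequest, httpServletResponse);
        }
        // The token is a bearer credential carried in the URL: keep it out of logs, and
        // expect this endpoint to be served over TLS so it is not readable in transit.
        Token<TimelineDelegationTokenIdentifier> presented = new Token<>();
        presented.decodeFromUrlString(encodedToken);
        UserGroupInformation verifiedUser = AHSWebApp.getInstance().getTimelineDelegationTokenSecretManagerService().verifyToken(presented);
        AuthenticationToken result = new AuthenticationToken(verifiedUser.getShortUserName(), verifiedUser.getUserName(), getType());
        // NOTE(review): expiry is set to 0 - presumably so the filter does not turn a
        // delegation-token login into a longer-lived session cookie; confirm against the
        // filter that consumes this token.
        result.setExpires(0L);
        return result;
    }
}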
