package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.ExponentialBackOff;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AllocationFileLoaderService;
import org.apache.hadoop.yarn.server.resourcemanager.security.JWTSecurityHandler;
import org.apache.hadoop.yarn.server.resourcemanager.security.X509SecurityHandler;
import org.apache.http.Header;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemWriter;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/HopsworksRMAppSecurityActions.class */
public class HopsworksRMAppSecurityActions implements RMAppSecurityActions, Configurable {
    public static final String REVOKE_CERT_ID_PARAM = "certId";
    protected static final int MAX_CONNECTIONS_PER_ROUTE = 50;
    private static final String AUTH_HEADER_CONTENT = "Bearer %s";
    private final AtomicReference<Header> authHeader;
    private final JsonParser jsonParser;
    private Configuration conf;
    private Configuration sslConf;
    private URL hopsworksHost;
    private URL signEndpoint;
    private String revokePath;
    private CertificateFactory certificateFactory;
    private URL jwtGeneratePath;
    private URL jwtInvalidatePath;
    private URL jwtRenewPath;
    private URL jwtAlivePath;
    private long jwtAliveIntervalSeconds;
    private final ExecutorService tokenRenewer;
    public static final Pattern JWT_PATTERN = Pattern.compile("^Bearer\\s(.+)");
    private static final Log LOG = LogFactory.getLog(HopsworksRMAppSecurityActions.class);
    private static final Set<Integer> ACCEPTABLE_HTTP_RESPONSES = new HashSet(2);
    private static final Pattern SUBJECT_USERNAME = Pattern.compile("^(.+)(?>_{2})(.+)$");
    private boolean x509Configured = false;
    private boolean jwtConfigured = false;
    private PoolingHttpClientConnectionManager httpConnectionManager = null;
    protected CloseableHttpClient httpClient = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/HopsworksRMAppSecurityActions$TokenRenewer.class */
    public class TokenRenewer implements Runnable {
        private final BackOff backoff;
        private long backoffTime;

        private TokenRenewer() {
            this.backoffTime = 0L;
            this.backoff = new ExponentialBackOff.Builder().setInitialIntervalMillis(1000L).setMaximumIntervalMillis(AllocationFileLoaderService.ALLOC_RELOAD_INTERVAL_MS).setMultiplier(1.5d).setMaximumRetries(Integer.MAX_VALUE).build();
        }

        @Override // java.lang.Runnable
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    String jWTFromResponse = HopsworksRMAppSecurityActions.this.getJWTFromResponse();
                    if (jWTFromResponse != null && !((Header) HopsworksRMAppSecurityActions.this.authHeader.get()).getValue().equals(String.format(HopsworksRMAppSecurityActions.AUTH_HEADER_CONTENT, jWTFromResponse))) {
                        HopsworksRMAppSecurityActions.this.authHeader.set(HopsworksRMAppSecurityActions.this.createAuthenticationHeader(jWTFromResponse));
                        HopsworksRMAppSecurityActions.this.sslConf.set(YarnConfiguration.RM_JWT_TOKEN, jWTFromResponse);
                        BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(new File(HopsworksRMAppSecurityActions.this.sslConf.getResource(HopsworksRMAppSecurityActions.this.conf.get("hadoop.ssl.server.conf", "ssl-server.xml")).getFile())));
                        Throwable th = null;
                        try {
                            try {
                                HopsworksRMAppSecurityActions.this.sslConf.writeXml(bufferedOutputStream);
                                bufferedOutputStream.flush();
                                if (bufferedOutputStream != null) {
                                    if (0 != 0) {
                                        try {
                                            bufferedOutputStream.close();
                                        } catch (Throwable th2) {
                                            th.addSuppressed(th2);
                                        }
                                    } else {
                                        bufferedOutputStream.close();
                                    }
                                }
                                HopsworksRMAppSecurityActions.LOG.info("Renewed Hopsworks JWT");
                            } catch (Throwable th3) {
                                th = th3;
                                throw th3;
                                break;
                            }
                        } catch (Throwable th4) {
                            if (bufferedOutputStream != null) {
                                if (th != null) {
                                    try {
                                        bufferedOutputStream.close();
                                    } catch (Throwable th5) {
                                        th.addSuppressed(th5);
                                    }
                                } else {
                                    bufferedOutputStream.close();
                                }
                            }
                            throw th4;
                            break;
                        }
                    }
                    this.backoff.reset();
                    TimeUnit.SECONDS.sleep(HopsworksRMAppSecurityActions.this.jwtAliveIntervalSeconds);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } catch (URISyntaxException e2) {
                    HopsworksRMAppSecurityActions.LOG.fatal(e2, e2);
                    Thread.currentThread().interrupt();
                } catch (Exception e3) {
                    this.backoffTime = this.backoff.getBackOffInMillis();
                    HopsworksRMAppSecurityActions.LOG.warn(e3 + "Retrying in " + this.backoffTime + "ms", e3);
                    try {
                        TimeUnit.MILLISECONDS.sleep(this.backoffTime);
                    } catch (InterruptedException e4) {
                        Thread.currentThread().interrupt();
                    }
                }
            }
        }
    }

    public HopsworksRMAppSecurityActions() throws MalformedURLException, GeneralSecurityException {
        ACCEPTABLE_HTTP_RESPONSES.add(200);
        ACCEPTABLE_HTTP_RESPONSES.add(204);
        this.authHeader = new AtomicReference<>();
        this.jsonParser = new JsonParser();
        this.tokenRenewer = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("JWT renewer thread").setDaemon(true).build());
    }

    public void setConf(Configuration configuration) {
        this.conf = configuration;
    }

    public Configuration getConf() {
        return this.conf;
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public void init() throws MalformedURLException, GeneralSecurityException, IOException {
        this.httpConnectionManager = createConnectionManager();
        this.httpClient = HttpClients.custom().setConnectionManager(this.httpConnectionManager).build();
        this.hopsworksHost = new URL(this.conf.get(YarnConfiguration.HOPS_HOPSWORKS_HOST_KEY, "http://127.0.0.1"));
        if (this.conf.getBoolean("ipc.server.ssl.enabled", false)) {
            initX509();
        }
        if (this.conf.getBoolean(YarnConfiguration.RM_JWT_ENABLED, YarnConfiguration.DEFAULT_RM_JWT_ENABLED)) {
            initJWT();
        }
    }

    protected PoolingHttpClientConnectionManager createConnectionManager() throws GeneralSecurityException {
        PoolingHttpClientConnectionManager poolingHttpClientConnectionManager = new PoolingHttpClientConnectionManager();
        poolingHttpClientConnectionManager.setDefaultMaxPerRoute(MAX_CONNECTIONS_PER_ROUTE);
        return poolingHttpClientConnectionManager;
    }

    private void initX509() throws MalformedURLException, GeneralSecurityException {
        this.signEndpoint = new URL(this.hopsworksHost, this.conf.get(YarnConfiguration.HOPS_HOPSWORKS_SIGN_ENDPOINT_KEY, YarnConfiguration.DEFAULT_HOPS_HOPSWORKS_SIGN_ENDPOINT));
        this.revokePath = this.conf.get(YarnConfiguration.HOPS_HOPSWORKS_REVOKE_ENDPOINT_KEY, YarnConfiguration.DEFAULT_HOPS_HOPSWORKS_REVOKE_ENDPOINT);
        if (this.revokePath.startsWith("/")) {
            this.revokePath = "%s" + this.revokePath;
        } else {
            this.revokePath = "%s/" + this.revokePath;
        }
        this.certificateFactory = CertificateFactory.getInstance("X.509", "BC");
        this.x509Configured = true;
    }

    private void initJWT() throws MalformedURLException, GeneralSecurityException {
        this.jwtGeneratePath = new URL(this.hopsworksHost, this.conf.get(YarnConfiguration.RM_JWT_GENERATE_PATH, YarnConfiguration.DEFAULT_RM_JWT_GENERATE_PATH));
        String str = this.conf.get(YarnConfiguration.RM_JWT_INVALIDATE_PATH, YarnConfiguration.DEFAULT_RM_JWT_INVALIDATE_PATH);
        if (!str.endsWith("/")) {
            str = str + "/";
        }
        this.jwtInvalidatePath = new URL(this.hopsworksHost, str);
        this.jwtRenewPath = new URL(this.hopsworksHost, this.conf.get(YarnConfiguration.RM_JWT_RENEW_PATH, YarnConfiguration.DEFAULT_RM_JWT_RENEW_PATH));
        this.sslConf = new Configuration(false);
        this.sslConf.addResource(this.conf.get("hadoop.ssl.server.conf", "ssl-server.xml"));
        String str2 = this.sslConf.get(YarnConfiguration.RM_JWT_TOKEN);
        if (str2 == null) {
            throw new GeneralSecurityException("Could not parse JWT from configuration");
        }
        this.authHeader.set(createAuthenticationHeader(str2));
        this.jwtAlivePath = new URL(this.hopsworksHost, this.conf.get(YarnConfiguration.RM_JWT_ALIVE_PATH, YarnConfiguration.DEFAULT_RM_JWT_ALIVE_PATH));
        this.jwtAliveIntervalSeconds = this.conf.getTimeDuration(YarnConfiguration.RM_JWT_ALIVE_INTERVAL, YarnConfiguration.DEFAULT_RM_JWT_ALIVE_INTERVAL, TimeUnit.SECONDS);
        this.tokenRenewer.execute(new TokenRenewer());
        this.jwtConfigured = true;
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public void destroy() {
        try {
            this.tokenRenewer.shutdown();
            if (!this.tokenRenewer.awaitTermination(1L, TimeUnit.SECONDS)) {
                this.tokenRenewer.shutdownNow();
            }
        } catch (InterruptedException e) {
            this.tokenRenewer.shutdownNow();
        }
        if (this.httpConnectionManager != null) {
            this.httpConnectionManager.shutdown();
        }
    }

    private void x509NotConfigured(String str) throws GeneralSecurityException {
        notConfigured(str, "X.509");
    }

    private void jwtNotConfigured(String str) throws GeneralSecurityException {
        notConfigured(str, "JWT");
    }

    private void notConfigured(String str, String str2) throws GeneralSecurityException {
        throw new GeneralSecurityException("Called method " + str + " of " + HopsworksRMAppSecurityActions.class.getSimpleName() + " but " + str2 + " is not configured");
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public X509SecurityHandler.CertificateBundle sign(PKCS10CertificationRequest pKCS10CertificationRequest) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.x509Configured) {
            x509NotConfigured("sign");
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            String stringifyCSR = stringifyCSR(pKCS10CertificationRequest);
            JsonObject jsonObject = new JsonObject();
            jsonObject.addProperty("csr", stringifyCSR);
            closeableHttpResponse = post(jsonObject, this.signEndpoint.toURI(), "Hopsworks CA could not sign CSR");
            JsonObject asJsonObject = this.jsonParser.parse(EntityUtils.toString(closeableHttpResponse.getEntity())).getAsJsonObject();
            X509SecurityHandler.CertificateBundle certificateBundle = new X509SecurityHandler.CertificateBundle(parseCertificate(asJsonObject.get("signedCert").getAsString()), parseCertificate(asJsonObject.get("intermediateCaCert").getAsString()));
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            return certificateBundle;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public int revoke(String str) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.x509Configured) {
            x509NotConfigured("revoke");
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            closeableHttpResponse = delete(buildUrl(this.revokePath, buildQueryParams(new BasicNameValuePair(REVOKE_CERT_ID_PARAM, str))).toURI(), "Hopsworks CA could not revoke certificate " + str);
            int statusCode = closeableHttpResponse.getStatusLine().getStatusCode();
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            return statusCode;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public String generateJWT(JWTSecurityHandler.JWTMaterialParameter jWTMaterialParameter) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("generateJWT");
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            Matcher matcher = SUBJECT_USERNAME.matcher(jWTMaterialParameter.getAppUser());
            String group = matcher.matches() ? matcher.group(2) : jWTMaterialParameter.getAppUser();
            JsonObject jsonObject = new JsonObject();
            jsonObject.addProperty("subject", group);
            jsonObject.addProperty("keyName", jWTMaterialParameter.getApplicationId().toString());
            jsonObject.addProperty("audiences", String.join(",", jWTMaterialParameter.getAudiences()));
            jsonObject.addProperty("expiresAt", jWTMaterialParameter.getExpirationDate().toString());
            jsonObject.addProperty("notBefore", jWTMaterialParameter.getValidNotBefore().toString());
            jsonObject.addProperty("renewable", Boolean.valueOf(jWTMaterialParameter.isRenewable()));
            jsonObject.addProperty("expLeeway", Integer.valueOf(jWTMaterialParameter.getExpLeeway()));
            closeableHttpResponse = post(jsonObject, this.jwtGeneratePath.toURI(), "Hopsworks could not generate JWT for " + jWTMaterialParameter.getAppUser() + "/" + jWTMaterialParameter.getApplicationId().toString());
            String asString = this.jsonParser.parse(EntityUtils.toString(closeableHttpResponse.getEntity())).getAsJsonObject().get("token").getAsString();
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            return asString;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public String renewJWT(JWTSecurityHandler.JWTMaterialParameter jWTMaterialParameter) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("renewJWT");
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            JsonObject jsonObject = new JsonObject();
            jsonObject.addProperty("token", jWTMaterialParameter.getToken());
            jsonObject.addProperty("expiresAt", jWTMaterialParameter.getExpirationDate().toString());
            jsonObject.addProperty("nbf", jWTMaterialParameter.getValidNotBefore().toString());
            closeableHttpResponse = post(jsonObject, this.jwtRenewPath.toURI(), "Could not renew JWT for " + jWTMaterialParameter.getAppUser() + "/" + jWTMaterialParameter.getApplicationId());
            String asString = this.jsonParser.parse(EntityUtils.toString(closeableHttpResponse.getEntity())).getAsJsonObject().get("token").getAsString();
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            return asString;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }

    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public void invalidateJWT(String str) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("invalidateJWT");
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            closeableHttpResponse = put(new URL(this.jwtInvalidatePath, str).toURI(), "Hopsworks could to invalidate JWT signing key " + str);
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }

    private CloseableHttpResponse post(JsonObject jsonObject, URI uri, String str) throws IOException {
        HttpPost httpPost = new HttpPost(uri);
        addAuthenticationHeader(httpPost);
        httpPost.setEntity(new StringEntity(jsonObject.toString()));
        httpPost.addHeader("Content-Type", "application/json");
        HttpResponse execute = this.httpClient.execute(httpPost);
        checkHTTPResponseCode(execute, str);
        return execute;
    }

    private CloseableHttpResponse get(URI uri, String str) throws IOException {
        HttpGet httpGet = new HttpGet(uri);
        addAuthenticationHeader(httpGet);
        HttpResponse execute = this.httpClient.execute(httpGet);
        checkHTTPResponseCode(execute, str);
        return execute;
    }

    private CloseableHttpResponse delete(URI uri, String str) throws IOException {
        HttpDelete httpDelete = new HttpDelete(uri);
        addAuthenticationHeader(httpDelete);
        httpDelete.addHeader("Content-Type", "text/plain");
        HttpResponse execute = this.httpClient.execute(httpDelete);
        checkHTTPResponseCode(execute, str);
        return execute;
    }

    private CloseableHttpResponse put(URI uri, String str) throws IOException {
        HttpPut httpPut = new HttpPut(uri);
        addAuthenticationHeader(httpPut);
        httpPut.addHeader("Content-Type", "application/json");
        HttpResponse execute = this.httpClient.execute(httpPut);
        checkHTTPResponseCode(execute, str);
        return execute;
    }

    private URL buildUrl(String str, String str2) throws MalformedURLException {
        return new URL(String.format(str, this.hopsworksHost.toString()) + str2);
    }

    private String buildQueryParams(NameValuePair... nameValuePairArr) {
        ArrayList arrayList = new ArrayList();
        for (NameValuePair nameValuePair : nameValuePairArr) {
            if (nameValuePair.getValue() != null) {
                arrayList.add(nameValuePair);
            }
        }
        return URLEncodedUtils.format(arrayList, "UTF-8");
    }

    private X509Certificate parseCertificate(String str) throws IOException, GeneralSecurityException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(str.getBytes());
        Throwable th = null;
        try {
            try {
                X509Certificate x509Certificate = (X509Certificate) this.certificateFactory.generateCertificate(byteArrayInputStream);
                if (byteArrayInputStream != null) {
                    if (0 != 0) {
                        try {
                            byteArrayInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        byteArrayInputStream.close();
                    }
                }
                return x509Certificate;
            } finally {
            }
        } catch (Throwable th3) {
            if (byteArrayInputStream != null) {
                if (th != null) {
                    try {
                        byteArrayInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    byteArrayInputStream.close();
                }
            }
            throw th3;
        }
    }

    private void checkHTTPResponseCode(HttpResponse httpResponse, String str) throws IOException {
        int statusCode = httpResponse.getStatusLine().getStatusCode();
        if (!ACCEPTABLE_HTTP_RESPONSES.contains(Integer.valueOf(statusCode))) {
            throw new IOException("HTTP error, response code " + statusCode + " Reason: " + httpResponse.getStatusLine().getReasonPhrase() + " Message: " + str);
        }
    }

    private String stringifyCSR(PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException {
        StringWriter stringWriter = new StringWriter();
        Throwable th = null;
        try {
            try {
                PemWriter pemWriter = new PemWriter(stringWriter);
                pemWriter.writeObject(new JcaMiscPEMGenerator(pKCS10CertificationRequest).generate());
                pemWriter.flush();
                stringWriter.flush();
                pemWriter.close();
                String stringWriter2 = stringWriter.toString();
                if (stringWriter != null) {
                    if (0 != 0) {
                        try {
                            stringWriter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        stringWriter.close();
                    }
                }
                return stringWriter2;
            } finally {
            }
        } catch (Throwable th3) {
            if (stringWriter != null) {
                if (th != null) {
                    try {
                        stringWriter.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    stringWriter.close();
                }
            }
            throw th3;
        }
    }

    @VisibleForTesting
    protected Header createAuthenticationHeader(String str) {
        return new BasicHeader("Authorization", String.format(AUTH_HEADER_CONTENT, str));
    }

    private void addAuthenticationHeader(HttpRequest httpRequest) {
        httpRequest.addHeader(this.authHeader.get());
    }

    protected String getJWTFromResponse() throws IOException, URISyntaxException {
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            CloseableHttpResponse closeableHttpResponse2 = get(this.jwtAlivePath.toURI(), " Could not ping Hopsworks to renew JWT");
            LOG.debug("Pinged Hopsworks!");
            if (!closeableHttpResponse2.containsHeader("Authorization")) {
                if (closeableHttpResponse2 != null) {
                    closeableHttpResponse2.close();
                }
                return null;
            }
            for (Header header : closeableHttpResponse2.getHeaders("Authorization")) {
                Matcher matcher = JWT_PATTERN.matcher(header.getValue());
                if (matcher.matches()) {
                    String group = matcher.group(1);
                    if (closeableHttpResponse2 != null) {
                        closeableHttpResponse2.close();
                    }
                    return group;
                }
            }
            throw new IOException("Could not extract JWT from authentication header");
        } catch (Throwable th) {
            if (0 != 0) {
                closeableHttpResponse.close();
            }
            throw th;
        }
    }
}
