package org.apache.syncope.core.persistence.jpa.dao;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.Predicate;
import org.apache.commons.lang3.StringUtils;
import org.apache.syncope.common.lib.policy.HaveIBeenPwnedPasswordRuleConf;
import org.apache.syncope.common.lib.policy.PasswordRuleConf;
import org.apache.syncope.common.lib.types.CipherAlgorithm;
import org.apache.syncope.core.persistence.api.dao.PasswordRule;
import org.apache.syncope.core.persistence.api.dao.PasswordRuleConfClass;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException;
import org.apache.syncope.core.spring.security.Encryptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestTemplate;

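/**
 * Password rule that rejects a password when its SHA-1 hash is listed by the
 * Pwned Passwords range service.
 *
 * <p>The lookup follows the service's range (k-anonymity) scheme. The clear
 * password is hashed locally, and only the first {@value #HASH_PREFIX_LENGTH}
 * characters of the encoded hash are placed in the request URL. The candidate
 * suffixes returned by the service are then compared locally. SHA-1 is used
 * because the range service is keyed on it; it is not used as a storage hash.
 *
 * <p>Failure handling: when the hash cannot be computed, or the service
 * answers with an HTTP error status, the problem is logged and the password is
 * accepted, so the rule fails open. Any other runtime exception raised by the
 * HTTP call is not caught here and reaches the caller.
 */
@PasswordRuleConfClass(HaveIBeenPwnedPasswordRuleConf.class)
/* loaded from: input_file:org/apache/syncope/core/persistence/jpa/dao/HaveIBeenPwnedPasswordRule.class */
public class HaveIBeenPwnedPasswordRule implements PasswordRule {
    protected static final Logger LOG = LoggerFactory.getLogger(HaveIBeenPwnedPasswordRule.class);
    private static final Encryptor ENCRYPTOR = Encryptor.getInstance();

    /** Base URL of the range endpoint; the hash prefix is appended to it. */
    private static final String RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/";

    /** Number of leading hash characters disclosed to the remote service. */
    private static final int HASH_PREFIX_LENGTH = 5;

    /**
     * Checks the user's clear password against the Pwned Passwords range service.
     *
     * @param passwordRuleConf rule configuration; not read by this implementation
     * @param user user whose clear password is checked
     * @throws PasswordPolicyException if the password hash is found in the service response
     */
    @Override
    public void enforce(PasswordRuleConf passwordRuleConf, User user) {
        String clearPassword = user.getClearPassword();
        // Nothing to check unless a password is set and its clear-text value is available.
        if (user.getPassword() == null || clearPassword == null) {
            return;
        }
        try {
            String sha1 = ENCRYPTOR.encode(clearPassword, CipherAlgorithm.SHA1);
            // Only this prefix leaves the process; the rest of the hash is compared locally.
            String prefix = sha1.substring(0, HASH_PREFIX_LENGTH);

            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.set("User-Agent", "Apache Syncope");
            HttpEntity<Void> request = new HttpEntity<Void>(null, httpHeaders);

            // NOTE(review): no connect/read timeout is configured on this RestTemplate, so a
            // stalled connection can hold the calling thread for as long as the underlying
            // HTTP client allows. Consider a shared, timeout-configured client.
            ResponseEntity<String> response = new RestTemplate().exchange(
                    URI.create(RANGE_ENDPOINT + prefix), HttpMethod.GET, request, String.class);

            String body = response.getBody();
            if (StringUtils.isBlank(body)) {
                return;
            }
            // Each response line is expected to be "<hash suffix>:<count>".
            for (String line : body.split("\\n")) {
                String candidate = prefix + StringUtils.substringBefore(line, ":");
                // Hex digits are compared case-insensitively so that the check does not
                // silently pass every password if the encoder's letter case differs from
                // the service's.
                if (sha1.equalsIgnoreCase(candidate)) {
                    throw new PasswordPolicyException("Password pwned");
                }
            }
        } catch (UnsupportedEncodingException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            // Fail open: the password is accepted when it cannot be hashed.
            // The log call receives only the message and the exception.
            LOG.error("Could not encode the password value as SHA1", e);
        } catch (HttpStatusCodeException e2) {
            // Fail open: an HTTP error status from the service does not block the password.
            LOG.error("Error while contacting the PwnedPasswords service", e2);
        }
    }
}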
