package org.forgerock.openam.auth.nodes;

import com.google.inject.assistedinject.Assisted;
import com.sun.identity.shared.debug.Debug;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import javax.inject.Inject;
import org.apache.commons.codec.binary.Hex;
import org.forgerock.openam.annotations.sm.Attribute;
import org.forgerock.openam.auth.node.api.AbstractDecisionNode;
import org.forgerock.openam.auth.node.api.Action;
import org.forgerock.openam.auth.node.api.Node;
import org.forgerock.openam.auth.node.api.NodeProcessException;
import org.forgerock.openam.auth.node.api.TreeContext;
import org.forgerock.openam.core.CoreWrapper;

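/**
 * Decision node that checks the password held in tree state against the Pwned Passwords
 * range API ({@code https://api.pwnedpasswords.com/range/}).
 *
 * <p>The password is hashed with SHA-1 locally and only the first five hex characters of the
 * digest are sent to the service; the returned suffix list is matched locally.
 *
 * <p>Outcome {@code true} is taken when the reported breach count exceeds
 * {@link Config#threshold()}, and also when the password cannot be found in state, cannot be
 * hashed, or the lookup fails. Outcome {@code false} is taken only after a completed lookup
 * found no match above the threshold.
 *
 * <p>Neither the password digest nor the matched suffix is written to the debug log: an unsalted
 * SHA-1 of a password can be attacked offline by anyone able to read that log.
 */
@Node.Metadata(outcomeProvider = AbstractDecisionNode.OutcomeProvider.class, configClass = Config.class)
/* loaded from: input_file:org/forgerock/openam/auth/nodes/HaveIBeenPwnedPasswordNode.class */
public class HaveIBeenPwnedPasswordNode extends AbstractDecisionNode {
    private final Config config;
    private final CoreWrapper coreWrapper;
    private static final String DEBUG_FILE = "HaveIBeenPwnedPasswordNode";
    /** Length of the hex prefix sent to the range API. */
    private static final int HASH_PREFIX_LENGTH = 5;
    /** Connect and read timeout so an unresponsive service cannot stall authentication. */
    private static final int HTTP_TIMEOUT_MILLIS = 5000;
    protected Debug debug = Debug.getInstance(DEBUG_FILE);

    /**
     * Node configuration.
     */
    /* loaded from: input_file:org/forgerock/openam/auth/nodes/HaveIBeenPwnedPasswordNode$Config.class */
    public interface Config {
        /**
         * Name of the state variable that holds the password to check.
         *
         * @return the state key, {@code "password"} by default
         */
        @Attribute(order = 100)
        default String password() {
            return "password";
        }

        /**
         * Breach count that must be exceeded for the password to be reported as pwned.
         *
         * @return the threshold, {@code 0} by default (any occurrence counts)
         */
        @Attribute(order = 200)
        default int threshold() {
            return 0;
        }
    }

    /**
     * Creates the node.
     *
     * @param config the node configuration
     * @param coreWrapper core wrapper supplied by injection (stored, not used by this class)
     * @throws NodeProcessException declared for the node framework; not thrown here
     */
    @Inject
    public HaveIBeenPwnedPasswordNode(@Assisted Config config, CoreWrapper coreWrapper) throws NodeProcessException {
        this.config = config;
        this.coreWrapper = coreWrapper;
    }

    /**
     * Reads the password from transient state (falling back to shared state), hashes it and
     * performs the range lookup.
     *
     * @param treeContext the current tree context
     * @return the {@code true} outcome if the password is reported above the threshold or the
     *     check could not be completed; the {@code false} outcome otherwise
     * @throws NodeProcessException declared by the node contract; not thrown here
     */
    @Override
    public Action process(TreeContext treeContext) throws NodeProcessException {
        String password = treeContext.transientState.get(this.config.password()).asString();
        if (password == null) {
            password = treeContext.sharedState.get(this.config.password()).asString();
        }
        if (password == null) {
            this.debug.error("[HaveIBeenPwnedPasswordNode]: couldn't find password variable in transient or shared state: " + this.config.password());
            return goTo(true).build();
        }

        final String sha1Hex;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
            // SHA-1 is required by the range API protocol; it is not used here for storage.
            sha1Hex = Hex.encodeHexString(messageDigest.digest(password.getBytes("UTF-8")));
        } catch (Exception e) {
            this.debug.error("[HaveIBeenPwnedPasswordNode]: Hash failed");
            return goTo(true).build();
        }
        // Deliberately no logging of sha1Hex: the digest is password-equivalent material.

        try {
            return goTo(haveIBeenPwnedPassword(sha1Hex)).build();
        } catch (Exception e) {
            // Covers I/O errors, timeouts, non-200 responses and malformed response lines.
            // The outcome is the same one the missing-password and hash-failure paths take.
            this.debug.error("[HaveIBeenPwnedPasswordNode]: breach lookup failed", e);
            return goTo(true).build();
        }
    }

    /**
     * Queries the range API with the first five characters of the digest and looks for the
     * remaining characters in the response, whose lines have the form {@code SUFFIX:COUNT}.
     *
     * @param str hex-encoded SHA-1 digest of the password
     * @return {@code true} if a matching entry has a count greater than the configured threshold
     * @throws IOException if the request cannot be made or the response cannot be read
     * @throws RuntimeException if the service answers with a status other than 200, or a
     *     matching line carries a count that is not an integer
     */
    private boolean haveIBeenPwnedPassword(String str) throws IOException {
        String fullHash = str.toUpperCase();
        String prefix = fullHash.substring(0, HASH_PREFIX_LENGTH);

        URL url = new URL("https://api.pwnedpasswords.com/range/" + prefix);
        this.debug.message("[HaveIBeenPwnedPasswordNode]: url = " + url);

        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try {
            connection.setConnectTimeout(HTTP_TIMEOUT_MILLIS);
            connection.setReadTimeout(HTTP_TIMEOUT_MILLIS);
            connection.setRequestMethod("GET");
            connection.setRequestProperty("Accept", "application/json");
            connection.setRequestProperty("user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.33 Safari/537.36");

            int status = connection.getResponseCode();
            if (status != 200) {
                this.debug.error("[HaveIBeenPwnedPasswordNode]: HTTP failed, response code:" + status);
                throw new RuntimeException("[HaveIBeenPwnedPasswordNode]: HTTP error code : " + status);
            }

            try (BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream(), "UTF-8"))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    if (!prefix.concat(line).startsWith(fullHash)) {
                        continue;
                    }
                    int count = Integer.parseInt(line.split(":")[1].trim());
                    // Log the count only; prefix plus suffix would reconstruct the full digest.
                    this.debug.message("[HaveIBeenPwnedPasswordNode]: found matching password, breach count: " + count);
                    if (count > this.config.threshold()) {
                        return true;
                    }
                }
            }
        } finally {
            // Runs on every exit path, including the early return on a match.
            connection.disconnect();
        }
        this.debug.message("[HaveIBeenPwnedPasswordNode]: Password is safe.");
        return false;
    }
}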
