package org.springframework.security.web.authentication.password;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.password.CompromisedPasswordChecker;
import org.springframework.security.authentication.password.CompromisedPasswordDecision;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestClient;
import org.springframework.web.client.RestClientException;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-6.3.4.jar:org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.class */
public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPasswordChecker {
    private static final String API_URL = "https://api.pwnedpasswords.com/range/";
    private static final int PREFIX_LENGTH = 5;
    private final Log logger = LogFactory.getLog(getClass());
    private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();
    private final MessageDigest sha1Digest = getSha1Digest();

    @Override // org.springframework.security.authentication.password.CompromisedPasswordChecker
    @NonNull
    public CompromisedPasswordDecision check(String str) {
        String upperCase = new String(Hex.encode(this.sha1Digest.digest(str.getBytes(StandardCharsets.UTF_8)))).toUpperCase();
        String substring = upperCase.substring(0, 5);
        return new CompromisedPasswordDecision(findLeakedPassword(getLeakedPasswordsForPrefix(substring), upperCase.substring(5)));
    }

    public void setRestClient(RestClient restClient) {
        Assert.notNull(restClient, "restClient cannot be null");
        this.restClient = restClient;
    }

    private boolean findLeakedPassword(List<String> list, String str) {
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().startsWith(str)) {
                return true;
            }
        }
        return false;
    }

    /* JADX WARN: Type inference failed for: r0v6, types: [org.springframework.web.client.RestClient$RequestHeadersSpec] */
    private List<String> getLeakedPasswordsForPrefix(String str) {
        try {
            String str2 = (String) this.restClient.get().uri(str, new Object[0]).retrieve().body(String.class);
            return !StringUtils.hasText(str2) ? Collections.emptyList() : str2.lines().toList();
        } catch (RestClientException e) {
            this.logger.error("Request for leaked passwords failed", e);
            return Collections.emptyList();
        }
    }

    private static MessageDigest getSha1Digest() {
        try {
            return MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e.getMessage());
        }
    }
}
