package org.springframework.security.web.authentication.password;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.password.CompromisedPasswordDecision;
import org.springframework.security.authentication.password.ReactiveCompromisedPasswordChecker;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-6.4.4.jar:org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.class */
public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCompromisedPasswordChecker {
    private static final String API_URL = "https://api.pwnedpasswords.com/range/";
    private static final int PREFIX_LENGTH = 5;
    private final Log logger = LogFactory.getLog(getClass());
    private WebClient webClient = WebClient.builder().baseUrl(API_URL).build();
    private final MessageDigest sha1Digest = getSha1Digest();

    @Override // org.springframework.security.authentication.password.ReactiveCompromisedPasswordChecker
    public Mono<CompromisedPasswordDecision> check(String str) {
        return getHash(str).map(bArr -> {
            return new String(Hex.encode(bArr));
        }).flatMap(this::findLeakedPassword).map((v1) -> {
            return new CompromisedPasswordDecision(v1);
        });
    }

    private Mono<Boolean> findLeakedPassword(String str) {
        String upperCase = str.substring(0, 5).toUpperCase(Locale.ROOT);
        String upperCase2 = str.substring(5).toUpperCase(Locale.ROOT);
        return getLeakedPasswordsForPrefix(upperCase).any(str2 -> {
            return str2.startsWith(upperCase2);
        });
    }

    /* JADX WARN: Type inference failed for: r0v3, types: [org.springframework.web.reactive.function.client.WebClient$RequestHeadersSpec] */
    private Flux<String> getLeakedPasswordsForPrefix(String str) {
        return this.webClient.get().uri(str, new Object[0]).retrieve().bodyToMono(String.class).flatMapMany(str2 -> {
            return StringUtils.hasText(str2) ? Flux.fromStream(str2.lines()) : Flux.empty();
        }).doOnError(th -> {
            this.logger.error("Request for leaked passwords failed", th);
        }).onErrorResume(WebClientResponseException.class, webClientResponseException -> {
            return Flux.empty();
        });
    }

    public void setWebClient(WebClient webClient) {
        Assert.notNull(webClient, "webClient cannot be null");
        this.webClient = webClient;
    }

    private Mono<byte[]> getHash(String str) {
        return Mono.fromSupplier(() -> {
            return this.sha1Digest.digest(str.getBytes(StandardCharsets.UTF_8));
        }).subscribeOn(Schedulers.boundedElastic()).publishOn(Schedulers.parallel());
    }

    private static MessageDigest getSha1Digest() {
        try {
            return MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e.getMessage());
        }
    }
}
