package com.pingidentity.pf.pcv;

import com.pingidentity.access.PasswordCredentialValidatorAccessor;
import com.pingidentity.sdk.GuiConfigDescriptor;
import com.pingidentity.sdk.PluginDescriptor;
import com.pingidentity.sdk.account.AccountUnlockablePasswordCredential;
import com.pingidentity.sdk.password.ChangeablePasswordCredential;
import com.pingidentity.sdk.password.PasswordChangeResult;
import com.pingidentity.sdk.password.PasswordCredentialValidator;
import com.pingidentity.sdk.password.PasswordCredentialValidatorAuthnException;
import com.pingidentity.sdk.password.PasswordResetException;
import com.pingidentity.sdk.password.PasswordValidationException;
import com.pingidentity.sdk.password.RecoverableUsername;
import com.pingidentity.sdk.password.ResettablePasswordCredential;
import com.pingidentity.sdk.password.UsernameRecoveryException;
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.sourceid.saml20.adapter.conf.Configuration;
import org.sourceid.saml20.adapter.conf.Field;
import org.sourceid.saml20.adapter.conf.FieldList;
import org.sourceid.saml20.adapter.gui.CheckBoxFieldDescriptor;
import org.sourceid.saml20.adapter.gui.PasswordCredentialValidatorFieldDescriptor;
import org.sourceid.saml20.adapter.gui.TextFieldDescriptor;
import org.sourceid.saml20.adapter.gui.UploadFileFieldDescriptor;
import org.sourceid.saml20.adapter.gui.validation.FieldValidator;
import org.sourceid.saml20.adapter.gui.validation.ValidationException;
import org.sourceid.saml20.adapter.gui.validation.impl.IntegerValidator;
import org.sourceid.saml20.adapter.gui.validation.impl.LongValidator;
import org.sourceid.saml20.adapter.gui.validation.impl.RequiredFieldValidator;
import org.sourceid.util.log.AttributeMap;

/* loaded from: input_file:com/pingidentity/pf/pcv/HIBP.class */
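/**
 * Password credential validator that wraps another configured PCV and checks the presented
 * (or newly chosen) password against the HaveIBeenPwned.com database through {@link HIBPPool}.
 *
 * <p>On authentication the wrapped PCV is consulted first; only a non-empty result is enriched
 * with the configured compromised-state attribute (default {@code isCompromised}) holding the
 * lookup result as {@code "true"}/{@code "false"}. On password change, when the check is enabled,
 * a new password known to be compromised is rejected before it reaches the wrapped PCV.
 *
 * <p>Password-change, reset, account-unlock and username-recovery operations are delegated to the
 * wrapped PCV when it implements the corresponding SDK interface and report "unsupported"
 * ({@code false}, {@code null} or a no-op) otherwise.
 *
 * <p>The fields set by {@link #configure(Configuration)} are read by the other methods without
 * synchronization; callers must not run {@code configure} concurrently with validation.
 */
public class HIBP implements PasswordCredentialValidator, ChangeablePasswordCredential, ResettablePasswordCredential, AccountUnlockablePasswordCredential, RecoverableUsername {
    private static final String ARG_SUBSEQUENT_PCV_NAME = "PCV Name";
    private static final String ARG_TRUST_ALL = "trustAll";
    private static final String ARG_INTERVAL_MILLIS = "intervalMillis";
    private static final String ARG_NOISE_RATE = "noiseRate";
    private static final String ARG_MAX_POOL_SIZE = "maxPoolSize";
    private static final String ARG_TRUST_STORE = "trustStore";
    // Name pattern of the per-process temp file the uploaded trust store is written to.
    private static final String TRUST_STORE_TMP_PREFIX = "hibp";
    private static final String TRUST_STORE_TMP_SUFFIX = ".jks";
    private static final String ARG_COMPROMISED_ATTRIBUTE = "Compromised state attribute name";
    private static final String ARG_CHECK_ON_PASSWORD_UPDATE = "Check on password change";
    private static final String PCV_NAME = "HaveIBeenPwned Password Credentials Validator";
    public static final String ARG_COMPROMISED_MESSAGE = "Compromised Password Change Message";
    // The wrapped PCV; stays null when configure() fails.
    private PasswordCredentialValidator passwordCredentialValidator;
    // Client pool used for the HaveIBeenPwned lookups; stays null when configure() fails.
    private HIBPPool pool;
    // Name of the attribute that carries the lookup result in the returned AttributeMap.
    private String isCompromisedAttribute;
    // Whether changePassword() rejects a new password that is known to be compromised.
    private boolean checkOnPasswordUpdate;
    private PluginDescriptor descriptor;
    // User-facing message raised when a compromised new password is rejected.
    private String updateFailMessage;
    private final Log logger = LogFactory.getLog(getClass());
    private final PasswordCredentialValidatorAccessor pcvAccessor = new PasswordCredentialValidatorAccessor();
    // Optional capabilities of the wrapped PCV; each is null when the PCV lacks that interface.
    private ChangeablePasswordCredential changeablePasswordCredential = null;
    private ResettablePasswordCredential resettablePasswordCredential = null;
    private AccountUnlockablePasswordCredential accountUnlockablePasswordCredential = null;
    private RecoverableUsername recoverableUsername = null;

    /**
     * Validates the credentials with the wrapped PCV and, on success, adds the HIBP lookup result
     * to the returned attributes.
     *
     * @param username the user name presented for authentication
     * @param password the password presented; when null no lookup is made
     * @return the wrapped PCV's attributes augmented with the compromised-state attribute when the
     *     wrapped PCV returned a non-empty map and a password was given; otherwise the wrapped
     *     PCV's result unchanged (possibly null or empty)
     * @throws PasswordValidationException if this plugin is not configured, or propagated from the
     *     wrapped PCV
     */
    public AttributeMap processPasswordCredential(String username, String password) throws PasswordValidationException {
        requireConfigured();
        AttributeMap result = this.passwordCredentialValidator.processPasswordCredential(username, password);
        if (result == null || result.isEmpty() || password == null) {
            return result;
        }
        boolean compromised = this.pool.isCompromised(passwordBytes(password), true);
        if (compromised) {
            this.logger.info("User " + username + " has presented credentials found to be compromised on HaveIBeenPwned.com");
        }
        // Work on a copy so the wrapped PCV's map is not mutated; the copy is what the caller gets.
        AttributeMap augmented = new AttributeMap(result);
        augmented.put(this.isCompromisedAttribute, Boolean.toString(compromised));
        return augmented;
    }

    /**
     * Reads the plugin configuration, resolves the wrapped PCV and builds the HIBP client pool.
     *
     * <p>Configuration errors (missing or unknown PCV name, trust store that cannot be written) are
     * logged and leave the plugin unconfigured, so validation later fails with a clear
     * {@link PasswordValidationException} instead of a {@code NullPointerException}.
     *
     * @param configuration the plugin configuration entered in the admin console
     */
    public void configure(Configuration configuration) {
        String pcvName = configuration.getField(ARG_SUBSEQUENT_PCV_NAME).getValue();
        if (pcvName == null || pcvName.isEmpty()) {
            this.logger.error("The provided PCV name cannot be null or empty. Please provide the name of a configured PCV.");
            return;
        }
        PasswordCredentialValidator delegate = this.pcvAccessor.getPasswordCredentialValidator(pcvName);
        if (delegate == null) {
            this.logger.error("The provided value[" + pcvName + "] does not appear to be a configured PCV. Please provide the name of a configured PCV.");
            return;
        }
        this.passwordCredentialValidator = delegate;
        bindOptionalCapabilities(delegate);
        this.checkOnPasswordUpdate = configuration.getBooleanFieldValue(ARG_CHECK_ON_PASSWORD_UPDATE);
        this.updateFailMessage = configuration.getFieldValue(ARG_COMPROMISED_MESSAGE);

        FieldList advanced = configuration.getAdvancedFields();
        boolean trustAll = advanced.getBooleanFieldValue(ARG_TRUST_ALL);
        int maxPoolSize = advanced.getIntFieldValue(ARG_MAX_POOL_SIZE);
        int noiseRate = advanced.getIntFieldValue(ARG_NOISE_RATE);
        long intervalMillis = advanced.getLongFieldValue(ARG_INTERVAL_MILLIS);
        this.isCompromisedAttribute = advanced.getFieldValue(ARG_COMPROMISED_ATTRIBUTE);

        Path trustStorePath;
        try {
            trustStorePath = writeTrustStore(advanced.getFileFieldValueAsByteArray(ARG_TRUST_STORE));
        } catch (IOException e) {
            // Keep the cause in the log; leaving pool null makes later validation fail closed.
            this.logger.error("Unable to write the uploaded HIBP trust store to a temporary file", e);
            return;
        }
        this.pool = HIBPPool.build(trustAll, trustStorePath, maxPoolSize, noiseRate, intervalMillis, this.logger);
    }

    /**
     * Records which optional SDK capabilities the wrapped PCV offers. Capabilities the new PCV
     * lacks are reset to null so a reconfiguration never keeps a stale delegate from a previous PCV.
     *
     * @param delegate the wrapped PCV, non-null
     */
    private void bindOptionalCapabilities(PasswordCredentialValidator delegate) {
        this.changeablePasswordCredential = delegate instanceof ChangeablePasswordCredential
                ? (ChangeablePasswordCredential) delegate : null;
        this.resettablePasswordCredential = delegate instanceof ResettablePasswordCredential
                ? (ResettablePasswordCredential) delegate : null;
        this.accountUnlockablePasswordCredential = delegate instanceof AccountUnlockablePasswordCredential
                ? (AccountUnlockablePasswordCredential) delegate : null;
        this.recoverableUsername = delegate instanceof RecoverableUsername
                ? (RecoverableUsername) delegate : null;
    }

    /**
     * Persists the uploaded trust store bytes to a freshly created temp file so the client pool
     * can load it by path.
     *
     * <p>A fixed, world-shared path under {@code /tmp} would let any local user pre-create or
     * replace the file that the pool later trusts for the HaveIBeenPwned TLS connection;
     * {@link Files#createTempFile} picks an unpredictable name and, on POSIX file systems, creates
     * the file with owner-only permissions. The file is removed at JVM exit; each reconfiguration
     * writes a new file rather than reusing one the running pool may still reference.
     *
     * @param trustStore the uploaded JKS bytes; null or empty means "no trust store"
     * @return the path of the written file, or null when nothing was uploaded
     * @throws IOException if the temp file cannot be created or written
     */
    private Path writeTrustStore(byte[] trustStore) throws IOException {
        if (trustStore == null || trustStore.length == 0) {
            return null;
        }
        Path path = Files.createTempFile(TRUST_STORE_TMP_PREFIX, TRUST_STORE_TMP_SUFFIX);
        path.toFile().deleteOnExit();
        Files.write(path, trustStore);
        return path;
    }

    /**
     * Encodes a password with a fixed charset so the bytes handed to the lookup do not depend on
     * the JVM's default charset.
     */
    private static byte[] passwordBytes(String password) {
        return password.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Fails closed when {@link #configure(Configuration)} did not complete.
     *
     * @throws PasswordValidationException if the wrapped PCV or the client pool is not set
     */
    private void requireConfigured() throws PasswordValidationException {
        if (this.passwordCredentialValidator == null || this.pool == null) {
            throw new PasswordValidationException("The HaveIBeenPwned PCV is not configured; check the server log for configuration errors");
        }
    }

    /**
     * Describes the configuration fields shown in the admin console.
     *
     * @return the plugin descriptor with the basic and advanced fields registered
     */
    public PluginDescriptor getPluginDescriptor() {
        GuiConfigDescriptor gui = new GuiConfigDescriptor();
        gui.setDescription(PCV_NAME);
        this.descriptor = new PluginDescriptor(PCV_NAME, this, gui, "1.0");
        this.descriptor.setSupportsExtendedContract(true);

        PasswordCredentialValidatorFieldDescriptor pcvField = new PasswordCredentialValidatorFieldDescriptor(ARG_SUBSEQUENT_PCV_NAME, "The name of the PCV to call after the call to HaveIBeenPwned.com");
        pcvField.addValidator(new RequiredFieldValidator());
        gui.addField(pcvField);

        CheckBoxFieldDescriptor checkOnUpdate = new CheckBoxFieldDescriptor(ARG_CHECK_ON_PASSWORD_UPDATE, "Prevents password update with known compromised password");
        checkOnUpdate.setDefaultValue(true);
        gui.addField(checkOnUpdate);

        TextFieldDescriptor failMessage = new TextFieldDescriptor(ARG_COMPROMISED_MESSAGE, "Message to display when a user attempts to update their password with one that is compromised");
        failMessage.setDefaultValue("The new password was found to be compromised. Pick a stronger password.");
        gui.addAdvancedField(failMessage);

        TextFieldDescriptor attributeName = new TextFieldDescriptor(ARG_COMPROMISED_ATTRIBUTE, "The name of the attribute to return the result of the lookup in the compromised database");
        attributeName.addValidator(new RequiredFieldValidator());
        attributeName.setDefaultValue("isCompromised");
        gui.addAdvancedField(attributeName);

        gui.addAdvancedField(new CheckBoxFieldDescriptor(ARG_TRUST_ALL, "Blind Trust"));

        TextFieldDescriptor poolSize = new TextFieldDescriptor(ARG_MAX_POOL_SIZE, "Maximum HTTP pool size");
        poolSize.addValidator(new IntegerValidator(1, Integer.MAX_VALUE));
        poolSize.setDefaultValue("4");
        gui.addAdvancedField(poolSize);

        TextFieldDescriptor noiseRate = new TextFieldDescriptor(ARG_NOISE_RATE, "NOISE RATE (0=disabled)");
        noiseRate.addValidator(new IntegerValidator(0, Integer.MAX_VALUE));
        noiseRate.setDefaultValue("0");
        gui.addAdvancedField(noiseRate);

        TextFieldDescriptor noiseInterval = new TextFieldDescriptor(ARG_INTERVAL_MILLIS, "NOISE RATE INTERVAL IN MS");
        noiseInterval.addValidator(new LongValidator(1L, Long.MAX_VALUE));
        noiseInterval.setDefaultValue("1000");
        gui.addAdvancedField(noiseInterval);

        UploadFileFieldDescriptor trustStore = new UploadFileFieldDescriptor(ARG_TRUST_STORE, "JKS Trust store to use for HaveIBeenPwned.com");
        trustStore.addValidator(new FieldValidator() { // from class: com.pingidentity.pf.pcv.HIBP.1
            /**
             * Rejects an upload that is empty or does not parse as a JKS key store.
             *
             * @throws ValidationException with the parser's message when loading fails
             */
            public void validate(Field field) throws ValidationException {
                byte[] jks = field.getFileValueAsByteArray();
                if (jks == null || jks.length == 0) {
                    throw new ValidationException("The provided JKS trust store cannot be empty");
                }
                // A null password makes KeyStore.load skip the JKS integrity check, so this only
                // proves the bytes parse as a JKS store, not that they are untampered.
                try (ByteArrayInputStream in = new ByteArrayInputStream(jks)) {
                    KeyStore.getInstance("JKS").load(in, null);
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                    throw new ValidationException("The provided JKS trust store could not be loaded: " + e.getMessage());
                }
            }
        }, true);
        gui.addAdvancedField(trustStore);
        return this.descriptor;
    }

    /**
     * Changes the user's password through the wrapped PCV, first rejecting a new password that is
     * known to be compromised when the check is enabled.
     *
     * @param username the user whose password is changed
     * @param oldPassword the current password
     * @param newPassword the requested password; a null value is passed through to the wrapped PCV
     *     without a lookup
     * @param context additional change context handed to the wrapped PCV
     * @return the wrapped PCV's result
     * @throws PasswordValidationException if the wrapped PCV cannot change passwords or this plugin
     *     is not configured; a {@link PasswordCredentialValidatorAuthnException} carrying the
     *     configured message when the new password is compromised
     */
    public PasswordChangeResult changePassword(String username, String oldPassword, String newPassword, Map<String, Object> context) throws PasswordValidationException {
        this.logger.debug("Initiating password update");
        if (this.changeablePasswordCredential == null) {
            this.logger.debug("The provided PCV cannot be used to update passwords");
            throw new PasswordValidationException("The provided PCV cannot be used to update passwords");
        }
        requireConfigured();
        if (this.checkOnPasswordUpdate && newPassword != null && this.pool.isCompromised(passwordBytes(newPassword), true)) {
            this.logger.info("user [" + username + "] attempted to update their password with one that was found in HIBP");
            throw new PasswordCredentialValidatorAuthnException(true, this.updateFailMessage);
        }
        this.logger.debug("Password deemed acceptable. Passing on to proxied PCV");
        return this.changeablePasswordCredential.changePassword(username, oldPassword, newPassword, context);
    }

    /** @return whether the wrapped PCV supports and currently allows password changes */
    public boolean isPasswordChangeable() {
        return this.changeablePasswordCredential != null && this.changeablePasswordCredential.isPasswordChangeable();
    }

    /** @return the wrapped PCV's answer, or false when it cannot change passwords */
    public boolean isPendingPasswordExpiryNotifiable() {
        return this.changeablePasswordCredential != null && this.changeablePasswordCredential.isPendingPasswordExpiryNotifiable();
    }

    /** @return the wrapped PCV's answer, or false when it cannot change passwords */
    public boolean isChangePasswordEmailNotifiable() {
        return this.changeablePasswordCredential != null && this.changeablePasswordCredential.isChangePasswordEmailNotifiable();
    }

    /**
     * Looks up a user for password reset through the wrapped PCV.
     *
     * @return the wrapped PCV's result, or null when it cannot reset passwords
     * @throws PasswordResetException propagated from the wrapped PCV
     */
    public AttributeMap findUser(String username) throws PasswordResetException {
        return this.resettablePasswordCredential == null ? null : this.resettablePasswordCredential.findUser(username);
    }

    /**
     * Resets a user's password through the wrapped PCV; a no-op when it cannot reset passwords.
     *
     * @throws PasswordResetException propagated from the wrapped PCV
     */
    public void resetPassword(String username, String newPassword) throws PasswordResetException {
        if (this.resettablePasswordCredential != null) {
            this.resettablePasswordCredential.resetPassword(username, newPassword);
        }
    }

    /** @return whether the wrapped PCV supports and currently allows password reset */
    public boolean isPasswordResettable() {
        return this.resettablePasswordCredential != null && this.resettablePasswordCredential.isPasswordResettable();
    }

    /** @return the wrapped PCV's mail attribute name, or null when it cannot reset passwords */
    public String getMailAttribute() {
        return this.resettablePasswordCredential == null ? null : this.resettablePasswordCredential.getMailAttribute();
    }

    /** @return the wrapped PCV's SMS attribute name, or null when it cannot reset passwords */
    public String getSmsAttribute() {
        return this.resettablePasswordCredential == null ? null : this.resettablePasswordCredential.getSmsAttribute();
    }

    /** @return the wrapped PCV's PingID username attribute name, or null when it cannot reset passwords */
    public String getPingIdUsernameAttribute() {
        return this.resettablePasswordCredential == null ? null : this.resettablePasswordCredential.getPingIdUsernameAttribute();
    }

    /**
     * Finds users by mail address through the wrapped PCV.
     *
     * @return the wrapped PCV's result, or null when it cannot recover usernames
     * @throws UsernameRecoveryException propagated from the wrapped PCV
     */
    public List<AttributeMap> findUsersByMail(String mail) throws UsernameRecoveryException {
        return this.recoverableUsername == null ? null : this.recoverableUsername.findUsersByMail(mail);
    }

    /**
     * @return the name attribute of the reset capability if present, else of the username-recovery
     *     capability, else null
     */
    public String getNameAttribute() {
        if (this.resettablePasswordCredential != null) {
            return this.resettablePasswordCredential.getNameAttribute();
        }
        return this.recoverableUsername == null ? null : this.recoverableUsername.getNameAttribute();
    }

    /**
     * @return the mail-verified attribute of the reset capability if present, else of the
     *     username-recovery capability, else null
     */
    public String getMailVerifiedAttribute() {
        if (this.resettablePasswordCredential != null) {
            return this.resettablePasswordCredential.getMailVerifiedAttribute();
        }
        return this.recoverableUsername == null ? null : this.recoverableUsername.getMailVerifiedAttribute();
    }

    /** @return the wrapped PCV's username attribute name, or null when it cannot recover usernames */
    public String getUsernameAttribute() {
        return this.recoverableUsername == null ? null : this.recoverableUsername.getUsernameAttribute();
    }

    /** @return the wrapped PCV's result, or false when it cannot unlock accounts */
    public boolean unlockAccount(String username) {
        return this.accountUnlockablePasswordCredential != null && this.accountUnlockablePasswordCredential.unlockAccount(username);
    }

    /**
     * Reports whether the account is locked according to the wrapped PCV. This is a query only; it
     * must never call {@code unlockAccount}, which would unlock the account as a side effect of
     * merely asking.
     *
     * @return the wrapped PCV's result, or false when it cannot unlock accounts
     */
    public boolean isAccountLocked(String username) {
        return this.accountUnlockablePasswordCredential != null && this.accountUnlockablePasswordCredential.isAccountLocked(username);
    }

    /** @return whether the wrapped PCV supports and currently allows account unlock */
    public boolean isAccountUnlockable() {
        return this.accountUnlockablePasswordCredential != null && this.accountUnlockablePasswordCredential.isAccountUnlockable();
    }
}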
