package org.keycloak.policy;

import com.google.common.hash.BloomFilter;
import com.google.common.hash.Funnels;
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

/* loaded from: input_file:org/keycloak/policy/BlacklistPasswordPolicyProviderFactory.class */
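/**
 * Factory for the {@code passwordBlacklist} password policy.
 *
 * <p>Blacklists are plain text files, one password per line, read from a single base folder.
 * Each file is loaded once into an in-memory Bloom filter and cached by name in
 * {@link #blacklistRegistry}. The base folder is detected lazily on the first
 * {@code create} call (see {@link FileBasedPasswordBlacklist#detectBlacklistsBasePath}).
 *
 * <p>NOTE(review): this listing is decompiler output; some identifiers (for example
 * {@code m79create}, parameter names such as {@code str}) are decompiler artifacts.
 */
public class BlacklistPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {
    private static final Logger LOG = Logger.getLogger(BlacklistPasswordPolicyProviderFactory.class);

    /** Provider id returned by {@link #getId()}. */
    public static final String ID = "passwordBlacklist";

    /** System property that, when set, overrides every other base-folder source. */
    public static final String SYSTEM_PROPERTY = "keycloak.password.blacklists.path";

    /** Key looked up in the provider's {@link Config.Scope} when the system property is unset. */
    public static final String BLACKLISTS_PATH_PROPERTY = "blacklistsPath";

    /** System property naming the server data directory used for the fallback location. */
    public static final String JBOSS_SERVER_DATA_DIR = "jboss.server.data.dir";

    /** Folder name appended to the server data directory for the fallback location. */
    public static final String PASSWORD_BLACKLISTS_FOLDER = "password-blacklists/";

    // Cache of loaded blacklists keyed by (trimmed) blacklist name.
    private final ConcurrentMap<String, FileBasedPasswordBlacklist> blacklistRegistry = new ConcurrentHashMap<>();

    // Resolved lazily in m79create(); volatile so the double-checked initialisation publishes safely.
    private volatile Path blacklistsBasePath;

    // Stored by init(); read when the base folder is detected.
    private Config.Scope config;

    /**
     * A password blacklist backed by a text file and held in memory as a Bloom filter.
     *
     * <p>Because a Bloom filter is probabilistic, {@link #contains(String)} never misses a listed
     * password but may report an unlisted one as listed, with a configured probability of
     * {@value #FALSE_POSITIVE_PROBABILITY}.
     */
    public static class FileBasedPasswordBlacklist implements PasswordBlacklist {
        private static final double FALSE_POSITIVE_PROBABILITY = 0.01d;
        private static final int BUFFER_SIZE_IN_BYTES = 524288;
        private final String name;
        private final Path path;
        private BloomFilter<String> blacklist;

        /**
         * Binds a blacklist name to a file directly inside the base folder.
         *
         * @param path base folder that holds the blacklist files
         * @param str  blacklist file name; must name a file directly inside {@code path}
         * @throws NullPointerException     if either argument is {@code null}
         * @throws IllegalArgumentException if the name contains a slash, resolves outside the
         *                                  base folder, or names a file that does not exist
         */
        public FileBasedPasswordBlacklist(Path path, String str) {
            Objects.requireNonNull(path, "path");
            Objects.requireNonNull(str, "name");
            // Validate the name before it is used to build a path.
            // NOTE(review): the prefix constant below is most likely the decompiler's stand-in
            // for an empty string literal; confirm against the original source.
            if (str.contains("/")) {
                throw new IllegalArgumentException(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY_REPORT_ONLY_DEFAULT + str + " must not contain slashes!");
            }
            this.name = str;
            this.path = path.resolve(str);
            // The slash check alone does not cover names such as "..", "." or, on platforms where
            // it is a separator, a backslash. Require the resolved file to sit directly in the
            // base folder so the policy value cannot select a file elsewhere on disk.
            Path normalizedBase = path.toAbsolutePath().normalize();
            Path normalizedFile = this.path.toAbsolutePath().normalize();
            if (!normalizedBase.equals(normalizedFile.getParent())) {
                throw new IllegalArgumentException("Password blacklist " + str + " must be a file directly inside the blacklists folder!");
            }
            if (!Files.exists(this.path)) {
                throw new IllegalArgumentException("Password blacklist " + str + " not found!");
            }
        }

        @Override // org.keycloak.policy.BlacklistPasswordPolicyProviderFactory.PasswordBlacklist
        public String getName() {
            return this.name;
        }

        /**
         * Reports whether the password is (probably) on this blacklist.
         *
         * <p>Returns {@code false} when the filter has not been loaded yet, so callers must make
         * sure {@link #lazyInit()} has run; otherwise every password passes the check.
         *
         * @param str candidate password
         * @return {@code true} if the Bloom filter might contain the password
         */
        @Override // org.keycloak.policy.BlacklistPasswordPolicyProviderFactory.PasswordBlacklist
        public boolean contains(String str) {
            return this.blacklist != null && this.blacklist.mightContain(str);
        }

        /** Loads the Bloom filter from disk on first use; later calls are no-ops. */
        void lazyInit() {
            if (this.blacklist != null) {
                return;
            }
            this.blacklist = load();
        }

        /**
         * Reads the blacklist file and builds the Bloom filter, sized from the file's line count.
         *
         * <p>The file is read twice: once to count lines, once to insert them. Failures raised
         * while iterating lines surface as {@code UncheckedIOException} from
         * {@link BufferedReader#lines()}.
         *
         * @return the populated filter
         * @throws RuntimeException wrapping the {@link IOException} if the file cannot be opened
         */
        private BloomFilter<String> load() {
            try {
                BlacklistPasswordPolicyProviderFactory.LOG.infof("Loading blacklist with name %s from %s - start", this.name, this.path);
                BloomFilter<String> filter = BloomFilter.create(Funnels.stringFunnel(StandardCharsets.UTF_8), getPasswordCount(), FALSE_POSITIVE_PROBABILITY);
                // try-with-resources closes the reader even when inserting a line fails.
                try (BufferedReader reader = newReader(this.path)) {
                    reader.lines().forEach(filter::put);
                }
                BlacklistPasswordPolicyProviderFactory.LOG.infof("Loading blacklist with name %s from %s - end", this.name, this.path);
                return filter;
            } catch (IOException e) {
                throw new RuntimeException("Could not load password blacklist from path: " + this.path, e);
            }
        }

        /**
         * Counts the lines of the blacklist file, used as the expected number of insertions.
         *
         * @return number of lines in the file
         * @throws IOException if the file cannot be opened or closed
         */
        private long getPasswordCount() throws IOException {
            try (BufferedReader reader = newReader(this.path)) {
                return reader.lines().count();
            }
        }

        /** Opens the file with the default charset of {@link Files#newBufferedReader(Path)} and a large buffer. */
        private static BufferedReader newReader(Path path) throws IOException {
            return new BufferedReader(Files.newBufferedReader(path), BUFFER_SIZE_IN_BYTES);
        }

        /**
         * Determines the folder that holds the blacklist files.
         *
         * <p>Precedence: the {@value BlacklistPasswordPolicyProviderFactory#SYSTEM_PROPERTY}
         * system property, then the {@code blacklistsPath} config value, then
         * {@code ${jboss.server.data.dir}/password-blacklists/}, which is created if missing.
         *
         * <p>The decompiler widened this method's access from private.
         *
         * @param scope provider configuration
         * @return an existing folder
         * @throws IllegalStateException if the selected location does not exist
         */
        public static Path detectBlacklistsBasePath(Config.Scope scope) {
            String property = System.getProperty(BlacklistPasswordPolicyProviderFactory.SYSTEM_PROPERTY);
            if (property != null) {
                return ensureExists(Paths.get(property));
            }
            String configured = scope.get(BlacklistPasswordPolicyProviderFactory.BLACKLISTS_PATH_PROPERTY);
            if (configured != null) {
                return ensureExists(Paths.get(configured));
            }
            String dataDir = System.getProperty(BlacklistPasswordPolicyProviderFactory.JBOSS_SERVER_DATA_DIR);
            if (dataDir == null) {
                // The concatenation below then yields "null/password-blacklists/", a folder
                // relative to the working directory. Behaviour is kept, but make it visible.
                BlacklistPasswordPolicyProviderFactory.LOG.warnf("System property %s is not set; falling back to a relative password blacklists folder", BlacklistPasswordPolicyProviderFactory.JBOSS_SERVER_DATA_DIR);
            }
            String fallback = dataDir + "/" + BlacklistPasswordPolicyProviderFactory.PASSWORD_BLACKLISTS_FOLDER;
            Path fallbackPath = Paths.get(fallback);
            if (!Files.exists(fallbackPath) && !fallbackPath.toFile().mkdirs()) {
                BlacklistPasswordPolicyProviderFactory.LOG.errorf("Could not create folder for password blacklists: %s", fallback);
            }
            return ensureExists(fallbackPath);
        }

        /**
         * Returns the path unchanged if it exists.
         *
         * @throws IllegalStateException if the path does not exist
         */
        private static Path ensureExists(Path path) {
            Objects.requireNonNull(path, "path");
            if (Files.exists(path)) {
                return path;
            }
            throw new IllegalStateException("Password blacklists location does not exist: " + path);
        }
    }

    /** A named set of passwords that must not be used. */
    public interface PasswordBlacklist {
        /** @return the blacklist name */
        String getName();

        /**
         * @param str candidate password
         * @return {@code true} if the password is considered blacklisted
         */
        boolean contains(String str);
    }

    /**
     * Creates the policy provider, detecting the blacklist base folder on first use.
     *
     * <p>Decompiler note: renamed from {@code create} (merged with bridge method).
     *
     * @param keycloakSession current session; its context is passed to the provider
     * @return a new provider bound to this factory
     */
    public PasswordPolicyProvider m79create(KeycloakSession keycloakSession) {
        // Double-checked initialisation; blacklistsBasePath is volatile.
        if (this.blacklistsBasePath == null) {
            synchronized (this) {
                if (this.blacklistsBasePath == null) {
                    this.blacklistsBasePath = FileBasedPasswordBlacklist.detectBlacklistsBasePath(this.config);
                }
            }
        }
        return new BlacklistPasswordPolicyProvider(keycloakSession.getContext(), this);
    }

    /** Stores the configuration scope for later base-folder detection. */
    public void init(Config.Scope scope) {
        this.config = scope;
    }

    /** No post-initialisation work is needed. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** Holds no resources that need releasing. */
    public void close() {
    }

    @Override // org.keycloak.policy.PasswordPolicyProviderFactory
    public String getDisplayName() {
        return "Password Blacklist";
    }

    @Override // org.keycloak.policy.PasswordPolicyProviderFactory
    public String getConfigType() {
        return "String";
    }

    // NOTE(review): the returned constant is most likely the decompiler's stand-in for an
    // empty string literal; confirm against the original source.
    @Override // org.keycloak.policy.PasswordPolicyProviderFactory
    public String getDefaultConfigValue() {
        return BrowserSecurityHeaders.CONTENT_SECURITY_POLICY_REPORT_ONLY_DEFAULT;
    }

    @Override // org.keycloak.policy.PasswordPolicyProviderFactory
    public boolean isMultiplSupported() {
        return false;
    }

    public String getId() {
        return ID;
    }

    /**
     * Returns the blacklist with the given name, loading and caching it on first request.
     *
     * <p>The name is trimmed and then used as a file name under the base folder, so it is
     * validated by the {@link FileBasedPasswordBlacklist} constructor. The base folder is only
     * set by {@code m79create}; calling this method earlier fails with a
     * {@link NullPointerException}.
     *
     * @param str blacklist name
     * @return the loaded blacklist
     * @throws NullPointerException     if {@code str} is {@code null}
     * @throws IllegalArgumentException if the name is blank, invalid, or names a missing file
     */
    public PasswordBlacklist resolvePasswordBlacklist(String str) {
        Objects.requireNonNull(str, "blacklistName");
        String trimmedName = str.trim();
        if (trimmedName.isEmpty()) {
            throw new IllegalArgumentException("Password blacklist name must not be empty!");
        }
        // Loading inside computeIfAbsent means a blacklist is published to the registry only
        // after its filter is populated, and a failed load is not cached.
        return this.blacklistRegistry.computeIfAbsent(trimmedName, key -> {
            FileBasedPasswordBlacklist loaded = new FileBasedPasswordBlacklist(this.blacklistsBasePath, key);
            loaded.lazyInit();
            return loaded;
        });
    }
}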
