package com.techempower.gemini.pyxis.password;

import com.techempower.cache.EntityStore;
import com.techempower.gemini.Context;
import com.techempower.gemini.GeminiApplication;
import com.techempower.gemini.pyxis.PyxisSecurity;
import com.techempower.gemini.pyxis.PyxisUser;
import com.techempower.gemini.pyxis.listener.SecurityListener;
import com.techempower.util.Configurable;
import com.techempower.util.EnhancedProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/techempower/gemini/pyxis/password/PasswordHistoryManager.class */
public class PasswordHistoryManager implements SecurityListener<Context>, PasswordRequirement, Configurable {
    public static final int HARD_MAXIMUM_HISTORY_SIZE = 100;
    public static final int DEFAULT_MAXIMUM_HISTORY_SIZE = 5;
    private final PyxisSecurity security;
    private final EntityStore store;
    private final Logger log = LoggerFactory.getLogger(getClass());
    private int maximumHistorySize = 5;
    private boolean captureNonPrincipalChanges = false;

    public PasswordHistoryManager(GeminiApplication geminiApplication, PyxisSecurity pyxisSecurity) {
        this.security = pyxisSecurity;
        this.store = geminiApplication.getStore();
        pyxisSecurity.addListener(this);
    }

    @Override // com.techempower.util.Configurable
    public void configure(EnhancedProperties enhancedProperties) {
        EnhancedProperties.Focus focus = enhancedProperties.focus("PasswordHistory.");
        this.maximumHistorySize = focus.getInt("MaximumHistorySize", 5, 1, 100);
        this.captureNonPrincipalChanges = focus.getBoolean("CaptureNonPrincipalChanges", false);
        if (!this.security.getPasswordHasher().isSecure()) {
            throw new IllegalArgumentException("PasswordHistoryManager cannot be used with an insecure password hasher. Provided: " + this.security.getPasswordHasher().getName() + ".");
        }
    }

    @Override // com.techempower.gemini.pyxis.listener.SecurityListener
    public void passwordChanged(PasswordProposal passwordProposal) {
        PyxisUser user = passwordProposal.context != null ? this.security.getUser(passwordProposal.context) : null;
        if (!this.captureNonPrincipalChanges && passwordProposal.user != user) {
            this.log.info("Not recording historical hash for {} because password change was made by non-principal.", passwordProposal.user.getUserUsername());
            return;
        }
        PasswordHistory passwordHistory = (PasswordHistory) this.store.get(PasswordHistory.class, passwordProposal.user.getId());
        if (passwordHistory == null) {
            passwordHistory = new PasswordHistory();
            passwordHistory.setId(passwordProposal.user.getId());
        }
        this.log.info("Recording new password hash for {}.", passwordProposal.user.getUserUsername());
        passwordHistory.addHash(passwordProposal.hashedPassword, this.maximumHistorySize);
        this.store.put(passwordHistory);
    }

    @Override // com.techempower.gemini.pyxis.password.PasswordRequirement
    public String validate(PasswordProposal passwordProposal) {
        PasswordHistory passwordHistory;
        if (passwordProposal.user == null || (passwordHistory = (PasswordHistory) this.store.get(PasswordHistory.class, passwordProposal.user.getId())) == null) {
            return null;
        }
        String[] hashesArray = passwordHistory.getHashesArray();
        this.log.info("Checking proposed new password for {} against {} previous hashes.", passwordProposal.username, Integer.valueOf(hashesArray.length));
        for (String str : hashesArray) {
            if (this.security.getPasswordHasher().testPassword(passwordProposal.password, str)) {
                this.log.info("Proposed new password for {} matches a previous hash; it does not pass validation.", passwordProposal.username);
                return "The provided password was used previously. Please create a new password.";
            }
        }
        this.log.info("Proposed new password for {} is not in recent history; it passes validation.", passwordProposal.username);
        return null;
    }

    @Override // com.techempower.gemini.pyxis.listener.SecurityListener
    public void loginSuccessful(Context context, PyxisUser pyxisUser) {
    }

    @Override // com.techempower.gemini.pyxis.listener.SecurityListener
    public void logoutSuccessful(Context context, PyxisUser pyxisUser) {
    }

    @Override // com.techempower.gemini.pyxis.listener.SecurityListener
    public void loginFailed(Context context) {
    }
}
