package com.microsoft.workaccount.authenticatorservice;

import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AuthenticatorDescription;
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.Bundle;
import android.os.Looper;
import android.os.RemoteException;
import android.preference.PreferenceManager;
import android.text.TextUtils;
import android.util.Log;
import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
import com.microsoft.identity.common.adal.internal.PowerManagerWrapper;
import com.microsoft.identity.common.adal.internal.cache.StorageHelper;
import com.microsoft.identity.common.adal.internal.util.StringExtensions;
import com.microsoft.identity.common.exception.BrokerCommunicationException;
import com.microsoft.identity.common.exception.ClientException;
import com.microsoft.identity.common.exception.ErrorStrings;
import com.microsoft.identity.common.internal.broker.BrokerAccountServiceClient;
import com.microsoft.identity.common.internal.broker.BrokerCacheMigrationUtility;
import com.microsoft.identity.common.internal.broker.BrokerData;
import com.microsoft.identity.common.internal.broker.BrokerValidator;
import com.microsoft.identity.common.internal.broker.ipc.BrokerOperationBundle;
import com.microsoft.identity.common.internal.logging.Logger;
import com.microsoft.workaccount.workplacejoin.AccountManagerStorageHelper;
import com.microsoft.workaccount.workplacejoin.WorkplaceJoinDataStore;
import com.microsoft.workaccount.workplacejoin.core.WorkplaceJoinApplication;
import com.microsoft.workaccount.workplacejoin.telemetry.TelemetryLogger;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;
import javax.crypto.SecretKey;

/* loaded from: classes3.dex */
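/**
 * One-shot maintenance of the broker's AccountManager-backed storage.
 *
 * <p>Two tasks are coordinated here, each recorded in the default {@link SharedPreferences}
 * so that it runs at most once per version:
 * <ul>
 *   <li>{@link #migrateKeyIfNeeded}: make sure this broker owns a keystore-encrypted
 *       symmetric key, obtaining it from the other ("inactive") broker app when that app
 *       hands one over and generating a fresh one otherwise;</li>
 *   <li>{@link #reEncrypt}: rewrite stored account data that is not yet encrypted with the
 *       keystore-encrypted key so that it is.</li>
 * </ul>
 *
 * <p>Both tasks are only carried out by the active broker (see {@link #isActiveBroker()});
 * for any other caller they are skipped. A stored value equal to
 * {@link #currentKeyMigrationVersion} / {@link #currentReencryptionVersion} means the
 * corresponding task is done.
 *
 * <p>Locking: the public entry points serialize on the instance and, for the preference
 * reads and {@link #execute}, additionally on the class lock.
 */
public class ReencryptionManager {
    /** Timeout handed to {@link BrokerAccountServiceClient} when binding to the inactive broker (presumably seconds). */
    public static final int KEY_BIND_TIMEOUT_IN_SECONDS = 5;
    /** Preference key holding the key-migration version that has been completed. */
    public static final String KEY_MIGRATION_VERSION_SHARED_PREFERENCE_KEY = "com.microsoft.workaccount.authenticatorservice.reencryption_manager.key_migration_version";
    /** Preference key holding the re-encryption version that has been completed. */
    public static final String REENCRYPTION_VERSION_SHARED_PREFERENCE_KEY = "com.microsoft.workaccount.authenticatorservice.reencryption_manager.reencryption_version";
    private static final String TAG = "ReencryptionManager";
    private static final String currentKeyMigrationVersion = "1";
    private static final String currentReencryptionVersion = "1";
    /** Written to logs in place of a storage key name that must not be logged. */
    private static final String SCRUBBED_KEY = "scrubbedKey";
    /** Authenticator account type owned by the broker. */
    private static final String BROKER_ACCOUNT_TYPE = "com.microsoft.workaccount";

    private final AccountManagerStorageHelper mAccountManagerStorageHelper;
    // Test hook: when non-null, replaces the computed list of keys to re-encrypt.
    private final String[] mAccountManagerStorageHelperKeysMock;
    private final Context mContext;
    private final boolean mReEncryptionEnabled;
    private final SharedPreferences mSharedPreferences;
    private final StorageHelper mStorageHelper;

    /**
     * Production constructor: default storage helper, no key override, progress kept,
     * re-encryption disabled.
     *
     * @param context application context used for AccountManager, preferences and IPC
     */
    public ReencryptionManager(Context context) {
        this(context, new AccountManagerStorageHelper(context), null, false, false);
    }

    /**
     * Full constructor, primarily for tests.
     *
     * @param context application context used for AccountManager, preferences and IPC
     * @param accountManagerStorageHelper storage helper whose {@code getStorageHelper()} must be non-null
     * @param keysToReencryptOverride when non-null, the exact AccountManager keys to re-encrypt
     *        instead of the computed list; {@code null} in production
     * @param resetProgress when {@code true}, both "already done" preference markers are cleared
     * @param reEncryptionEnabled whether {@link #reEncrypt} does anything at all
     * @throws IllegalArgumentException if the storage helper has no {@link StorageHelper}
     */
    public ReencryptionManager(Context context, AccountManagerStorageHelper accountManagerStorageHelper,
            String[] keysToReencryptOverride, boolean resetProgress, boolean reEncryptionEnabled) {
        mContext = context;
        mAccountManagerStorageHelper = accountManagerStorageHelper;
        mStorageHelper = accountManagerStorageHelper.getStorageHelper();
        if (mStorageHelper == null) {
            throw new IllegalArgumentException("StorageHelper should not be null.");
        }
        mSharedPreferences = PreferenceManager.getDefaultSharedPreferences(context);
        mAccountManagerStorageHelperKeysMock = keysToReencryptOverride;
        if (resetProgress) {
            mSharedPreferences.edit()
                    .remove(REENCRYPTION_VERSION_SHARED_PREFERENCE_KEY)
                    .remove(KEY_MIGRATION_VERSION_SHARED_PREFERENCE_KEY)
                    .apply();
        }
        mReEncryptionEnabled = reEncryptionEnabled;
    }

    /**
     * Asks the authenticator to delete every broker account by issuing
     * {@code updateCredentials} with the {@link WorkplaceJoinApplication#DATA_DELETE} option.
     * The calls are fire-and-forget: no callback or handler is supplied and the result is
     * not awaited. Used as the fallback when re-encryption fails part-way.
     */
    private void deleteAllAccount() {
        final Account[] brokerAccounts = mAccountManagerStorageHelper.getAllBrokerAccounts();
        final AccountManager accountManager = AccountManager.get(mContext);
        for (Account account : brokerAccounts) {
            final Bundle options = new Bundle();
            options.putBoolean(WorkplaceJoinApplication.DATA_DELETE, true);
            accountManager.updateCredentials(account, "", options, null, null, null);
        }
    }

    /**
     * AccountManager user-data keys that are cleared (not re-encrypted) during a
     * re-encryption pass.
     */
    private String[] getAccountManagerStorageHelperKeyToBeWiped() {
        return new String[]{"account.interaction.header.required"};
    }

    /**
     * AccountManager user-data keys that hold encrypted material for {@code account} and
     * therefore must be re-encrypted. One of them (the broker RT key) is a hash derived
     * from the account name, which is why callers scrub these names from logs.
     *
     * @param account account whose name feeds the hashed RT key
     * @return the override list when one was injected, otherwise the computed list
     * @throws UnsupportedEncodingException from {@link StringExtensions#createHash}
     * @throws NoSuchAlgorithmException from {@link StringExtensions#createHash}
     */
    private String[] getAccountManagerStorageHelperKeysToBeReencrypted(Account account)
            throws UnsupportedEncodingException, NoSuchAlgorithmException {
        if (mAccountManagerStorageHelperKeysMock != null) {
            return mAccountManagerStorageHelperKeysMock;
        }
        return new String[]{
                WorkplaceJoinDataStore.ACCOUNT_MANAGER_STORAGE_KEY_STK_PRIVATE_KEY_ENC,
                WorkplaceJoinDataStore.ACCOUNT_MANAGER_STORAGE_KEY_CERT_PKCS12_ENC,
                WorkplaceJoinDataStore.ACCOUNT_MANAGER_STORAGE_KEY_CERT_PKCS12_PASSWORD_ENC,
                WorkplaceJoinDataStore.ACCOUNT_MANAGER_STORAGE_KEY_X509_RAW_BODY,
                AccountManagerStorageHelper.ACCOUNT_MANAGER_STORAGE_KEY_ENCODED_SESSION_KEY,
                StringExtensions.createHash(AuthenticationConstants.Broker.USERDATA_BROKER_RT + account.name),
                AccountManagerStorageHelper.ACCOUNT_MANAGER_STORAGE_KEY_PRT,
                AccountManagerStorageHelper.ACCOUNT_MANAGER_STORAGE_KEY_PRT_IDTOKEN_KEY
        };
    }

    /**
     * Resolves the broker app that is <em>not</em> {@code brokerPackageName}: Company
     * Portal when the given package is Authenticator, Authenticator otherwise.
     *
     * @param context context for package lookup and signature validation
     * @param brokerPackageName package name of the broker asking (compared case-insensitively)
     * @return validated {@link BrokerData} of the other broker app
     * @throws ClientException when that app is not installed or fails broker validation
     *         (error code {@link ErrorStrings#APP_PACKAGE_NAME_NOT_FOUND} for the former)
     */
    public static BrokerData getInactiveBrokerData(Context context, String brokerPackageName) throws ClientException {
        final String inactivePackageName =
                AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME.equalsIgnoreCase(brokerPackageName)
                        ? "com.microsoft.windowsintune.companyportal"
                        : AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME;
        return BrokerData.getBrokerDataForBrokerApp(context, inactivePackageName);
    }

    /**
     * Requests the keystore-encrypted symmetric key from the inactive broker over the
     * {@link BrokerAccountServiceClient} IPC channel.
     *
     * <p>Must not run on the main thread: the bound-service call blocks. Every outcome is
     * logged and sent to telemetry together with the inactive broker's package name,
     * signature hash and the device's idle (Doze) state, so that transfer failures can be
     * correlated with Doze.
     *
     * @param callerPackageName package name used both to pick the inactive broker (see
     *        {@link #getInactiveBrokerData}) and as the {@code caller.info.package} extra
     *        of the request
     * @return the deserialized key, or {@code null} when the inactive broker is not
     *         installed / fails validation, returns no result bundle, or returns an error
     * @throws IllegalStateException when invoked on the main thread
     * @throws InterruptedException if the IPC wait is interrupted
     * @throws ExecutionException if the IPC call fails
     * @throws TimeoutException if the IPC call does not complete in time
     * @throws RemoteException on a binder failure
     * @throws BrokerCommunicationException if the client cannot talk to the inactive broker
     */
    private SecretKey getSymmetricKeyFromInactiveBroker(String callerPackageName)
            throws InterruptedException, ExecutionException, TimeoutException, RemoteException, BrokerCommunicationException {
        final String methodName = ":getSerializedSymmetricKeyFromInactiveBroker";
        final String endEvent = AuthenticationConstants.TelemetryEvents.KEY_RETRIEVAL_END;
        logFlowStart(methodName, AuthenticationConstants.TelemetryEvents.KEY_RETRIEVAL_START);
        if (Looper.myLooper() == Looper.getMainLooper()) {
            final String message = methodName + " is invoked on main thread. Do not perform.";
            logFlowError(methodName, endEvent, message, null);
            throw new IllegalStateException(message);
        }
        // Device-idle mode can only be queried from API 23 (Android M).
        final String idleMode;
        if (Build.VERSION.SDK_INT >= 23) {
            idleMode = PowerManagerWrapper.getInstance().isDeviceIdleMode(mContext) ? "YES" : "NO";
        } else {
            idleMode = "UNKNOWN";
        }
        try {
            final BrokerData inactiveBroker = getInactiveBrokerData(mContext, callerPackageName);
            final String brokerInfo = " InactiveBroker packageName:" + inactiveBroker.packageName
                    + " SignatureHash:" + inactiveBroker.signatureHash
                    + " Is device on idle mode:" + idleMode;
            final BrokerAccountServiceClient client = new BrokerAccountServiceClient(mContext, KEY_BIND_TIMEOUT_IN_SECONDS);
            try {
                final Bundle request = new Bundle();
                request.putString("caller.info.package", callerPackageName);
                final Bundle result = client.performOperation(new BrokerOperationBundle(
                        BrokerOperationBundle.Operation.BROKER_GET_KEY_FROM_INACTIVE_BROKER,
                        inactiveBroker.packageName,
                        request));
                if (result == null) {
                    logFlowSuccess(methodName, endEvent,
                            "resultBundle is null. Inactive broker doesn't support getInactiveBrokerKey()." + brokerInfo);
                    return null;
                }
                if (result.getString("error") != null) {
                    logFlowSuccess(methodName, endEvent,
                            "Receiving error result: " + result.getString("error_description") + brokerInfo);
                    return null;
                }
                final SecretKey transferredKey = mStorageHelper.deserializeSecretKey(
                        result.getString(AuthenticationConstants.Broker.BROKER_KEYSTORE_SYMMETRIC_KEY));
                logFlowSuccess(methodName, endEvent, "Key was successfully transferred." + brokerInfo);
                return transferredKey;
            } catch (RemoteException | BrokerCommunicationException | InterruptedException
                    | ExecutionException | TimeoutException e) {
                logFlowError(methodName, endEvent,
                        "Exception is thrown when trying to connect to inactive broker: " + e + brokerInfo, e);
                throw e;
            } finally {
                client.disconnect();
            }
        } catch (ClientException e) {
            // Compare error codes by value; reference equality only worked while the constant
            // instance happened to be reused.
            if (ErrorStrings.APP_PACKAGE_NAME_NOT_FOUND.equals(e.getErrorCode())) {
                logFlowSuccess(methodName, endEvent, "Inactive broker not found");
            } else {
                logFlowError(methodName, endEvent,
                        "Broker verification failed for inactive broker: " + e.getMessage(), e);
            }
            return null;
        }
    }

    /**
     * Returns whether this app is the broker that currently owns the
     * {@code com.microsoft.workaccount} authenticator type. The first registered
     * authenticator of that type whose signature passes {@link BrokerValidator} decides;
     * if none verifies the answer is {@code false}.
     *
     * <p>NOTE(review): a {@link SecurityException} from AccountManager (seen on the Android
     * for Work path) is logged, reported to telemetry and then treated as "active" — this
     * is fail-open; confirm that is the intended behaviour.
     */
    private boolean isActiveBroker() {
        final String methodTag = "ReencryptionManager:isActiveBroker";
        try {
            final AuthenticatorDescription[] authenticators = AccountManager.get(mContext).getAuthenticatorTypes();
            final BrokerValidator validator = new BrokerValidator(mContext);
            for (AuthenticatorDescription authenticator : authenticators) {
                if (BROKER_ACCOUNT_TYPE.equals(authenticator.type)
                        && validator.verifySignature(authenticator.packageName)) {
                    return authenticator.packageName.equalsIgnoreCase(mContext.getPackageName());
                }
            }
            return false;
        } catch (SecurityException e) {
            Logger.error(methodTag, "SecurityException in AccountManager callback for Android For Work path: " + e.getMessage(), null);
            TelemetryLogger.logEvent(mContext, "AFW-SecurityException", false, e.getMessage());
            return true;
        }
    }

    /**
     * Logs a failed step and reports it to telemetry. The telemetry payload includes the
     * message and the exception's stack trace string.
     *
     * @param methodName suffix appended to {@link #TAG} for the log tag
     * @param event telemetry event name
     * @param message failure description
     * @param exc cause, may be {@code null}
     */
    private void logFlowError(String methodName, String event, String message, Exception exc) {
        Logger.error(TAG + methodName, event + " failed: " + message, exc);
        TelemetryLogger.logEvent(mContext, event, true, message + " | StackTrace: " + Log.getStackTraceString(exc));
    }

    /** Logs the start of a flow and emits the start telemetry event. */
    private void logFlowStart(String methodName, String event) {
        Logger.info(TAG + methodName, event + " started.");
        TelemetryLogger.logEvent(mContext, event, false);
    }

    /** Logs a successfully finished flow and emits the end telemetry event with {@code message}. */
    private void logFlowSuccess(String methodName, String event, String message) {
        Logger.info(TAG + methodName, event + " successfully finished: " + message);
        TelemetryLogger.logEvent(mContext, event, false, message);
    }

    /**
     * Re-encrypts one AccountManager user-data entry with the keystore-encrypted key
     * unless it is empty or already encrypted that way.
     *
     * @param account owner of the entry
     * @param key user-data key to rewrite
     * @param logKeyName whether the key name may appear in logs; when {@code false} it is
     *        replaced by {@value #SCRUBBED_KEY}
     * @throws GeneralSecurityException from decrypt / encrypt
     * @throws IOException from decrypt / encrypt
     */
    private void reencryptAccountDataIfNeeded(Account account, String key, boolean logKeyName)
            throws GeneralSecurityException, IOException {
        final String methodTag = "ReencryptionManager:reencryptAccountDataIfNeeded";
        final String keyForLog = logKeyName ? key : SCRUBBED_KEY;
        final String stored = mAccountManagerStorageHelper.getAccountData(account, key);
        if (TextUtils.isEmpty(stored)) {
            Logger.info(methodTag, "Data for key:" + keyForLog + " is empty. Skip.");
            return;
        }
        if (mStorageHelper.getEncryptionType(stored) == StorageHelper.EncryptionType.ANDROID_KEY_STORE) {
            Logger.info(methodTag, "Data for key:" + keyForLog + " has already been encrypted with Keystore-encrypted key. Skip.");
            return;
        }
        Logger.info(methodTag, "Re-encrypting Data for key:" + keyForLog + ".");
        // decrypt() presumably selects the legacy key from the blob itself; encrypt() uses the current key.
        final String reencrypted = mStorageHelper.encrypt(mStorageHelper.decrypt(stored));
        mAccountManagerStorageHelper.setAccountData(account, key, reencrypted);
    }

    /**
     * For every broker account: wipes the keys from
     * {@link #getAccountManagerStorageHelperKeyToBeWiped()} and re-encrypts the keys from
     * {@link #getAccountManagerStorageHelperKeysToBeReencrypted}. Key names are scrubbed
     * from logs because one of them is derived from the account name.
     *
     * @throws IOException from the per-key re-encryption or hash computation
     * @throws GeneralSecurityException from the per-key re-encryption or hash computation
     */
    private void reencryptAllAvailableAccountManagerAccounts() throws IOException, GeneralSecurityException {
        final String methodTag = "ReencryptionManager:reencryptAllAvailableAccountManagerAccounts";
        final String[] keysToWipe = getAccountManagerStorageHelperKeyToBeWiped();
        for (Account account : mAccountManagerStorageHelper.getAllBrokerAccounts()) {
            Logger.info(methodTag, "Iterate through AccountManagerStorageHelper data for account:" + account.name);
            for (String key : keysToWipe) {
                wipeAccountDataIfNeeded(account, key, false);
            }
            for (String key : getAccountManagerStorageHelperKeysToBeReencrypted(account)) {
                reencryptAccountDataIfNeeded(account, key, true == false ? key != null : false);
            }
        }
    }

    /**
     * Re-encrypts the legacy (V1) broker token cache: for every broker account and every
     * calling-app UID recorded for it, each cache entry addressed through
     * {@link AccountManagerCache#getBrokerCacheKey} is rewritten.
     *
     * @throws GeneralSecurityException from the per-entry re-encryption
     * @throws IOException from the per-entry re-encryption
     * @throws NumberFormatException if a recorded UID is not numeric
     */
    private void reencryptBrokerV1TokenCache() throws GeneralSecurityException, IOException {
        final String methodTag = "ReencryptionManager:reencryptBrokerV1TokenCache";
        for (Account account : mAccountManagerStorageHelper.getAllBrokerAccounts()) {
            for (String uid : BrokerCacheMigrationUtility.Convergence.getUidsForAccount(mContext, account)) {
                Logger.info(methodTag, "Migrating V1 TokenCache with UID:" + uid + "for account:" + account.name);
                final AccountManagerCache cache = new AccountManagerCache(mContext, account, Integer.parseInt(uid));
                final Iterator<String> cacheKeys = cache.getKeysForAppUid(uid).iterator();
                while (cacheKeys.hasNext()) {
                    reencryptAccountDataIfNeeded(account, cache.getBrokerCacheKey(cacheKeys.next(), uid), true);
                }
            }
        }
    }

    /** Records that key migration at {@link #currentKeyMigrationVersion} is complete. */
    private void setHasPerformedKeyMigration() {
        mSharedPreferences.edit()
                .putString(KEY_MIGRATION_VERSION_SHARED_PREFERENCE_KEY, currentKeyMigrationVersion)
                .apply();
    }

    /** Records that re-encryption at {@link #currentReencryptionVersion} is complete. */
    private void setHasPerformedReEncryption() {
        mSharedPreferences.edit()
                .putString(REENCRYPTION_VERSION_SHARED_PREFERENCE_KEY, currentReencryptionVersion)
                .apply();
    }

    /**
     * Clears one AccountManager user-data entry.
     *
     * @param account owner of the entry
     * @param key user-data key to clear
     * @param logKeyName whether the key name may appear in logs; when {@code false} it is
     *        replaced by {@value #SCRUBBED_KEY}
     */
    private void wipeAccountDataIfNeeded(Account account, String key, boolean logKeyName) {
        final String keyForLog = logKeyName ? key : SCRUBBED_KEY;
        Logger.info("ReencryptionManager:wipeAccountDataIfNeeded", "Wiping Data for key:" + keyForLog + ".");
        mAccountManagerStorageHelper.setAccountData(account, key, null);
    }

    /**
     * Runs {@link #reEncrypt} while holding both the instance lock and the class lock.
     *
     * @param invokedBy free-form identifier of the caller, only used in log messages
     */
    public synchronized void execute(String invokedBy) {
        synchronized (ReencryptionManager.class) {
            reEncrypt(invokedBy);
        }
    }

    /**
     * @return whether key migration at {@link #currentKeyMigrationVersion} has already
     *         completed on this device
     */
    public boolean hasPerformedKeyMigration() {
        synchronized (ReencryptionManager.class) {
            final String stored = mSharedPreferences.getString(KEY_MIGRATION_VERSION_SHARED_PREFERENCE_KEY, "");
            return currentKeyMigrationVersion.equalsIgnoreCase(stored);
        }
    }

    /**
     * @return whether re-encryption at {@link #currentReencryptionVersion} has already
     *         completed on this device
     */
    public boolean hasPerformedReEncryption() {
        synchronized (ReencryptionManager.class) {
            final String stored = mSharedPreferences.getString(REENCRYPTION_VERSION_SHARED_PREFERENCE_KEY, "");
            return currentReencryptionVersion.equalsIgnoreCase(stored);
        }
    }

    /**
     * Ensures this broker owns a keystore-encrypted symmetric key, at most once per
     * version. If a key already exists nothing is done; otherwise the inactive broker is
     * asked for its key and, failing that, a new key is generated. The "done" marker is
     * only written once one of those three outcomes has succeeded, so a failed attempt is
     * retried on the next call.
     *
     * <p>The whole migration runs inside the {@code catch (Exception)} block: loading,
     * transferring, saving and generating the key all throw checked exceptions, and a
     * failure must be logged rather than propagated to the caller.
     *
     * @param invokedBy free-form identifier of the caller, only used in log messages
     * @param callerPackageName package name forwarded to
     *        {@link #getSymmetricKeyFromInactiveBroker} (picks the inactive broker and is
     *        sent as {@code caller.info.package})
     */
    public synchronized void migrateKeyIfNeeded(String invokedBy, String callerPackageName) {
        final String methodTag = "ReencryptionManager:migrateKeyIfNeeded";
        if (hasPerformedKeyMigration()) {
            return;
        }
        if (!isActiveBroker()) {
            Logger.info(methodTag, "This is not invoked by broker app. Skip operation.");
            return;
        }
        try {
            Logger.info(methodTag, "Key migration started. Invoked by:" + invokedBy);
            if (mStorageHelper.loadSecretKey(StorageHelper.KeyType.KEYSTORE_ENCRYPTED_KEY) != null) {
                Logger.info(methodTag, "This broker already owns a keystore-encrypted key.");
                setHasPerformedKeyMigration();
                return;
            }
            final SecretKey transferredKey = getSymmetricKeyFromInactiveBroker(callerPackageName);
            if (transferredKey != null) {
                Logger.info(methodTag, "Key obtained from another broker.");
                mStorageHelper.saveKeyStoreEncryptedKey(transferredKey);
            } else {
                Logger.info(methodTag, "Keystore-encrypted key doesn't exist on both sides. Generating new key.");
                mStorageHelper.generateKeyStoreEncryptedKey();
            }
            setHasPerformedKeyMigration();
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // Preserve the interrupt for the caller; the flag is swallowed by the broad catch otherwise.
                Thread.currentThread().interrupt();
            }
            Logger.error(methodTag, "Failed to migrate key:" + e.getMessage(), e);
        }
    }

    /**
     * Re-encrypts all broker account data with the keystore-encrypted key, at most once
     * per version and only when enabled at construction.
     *
     * <p>The "done" marker is written <em>before</em> the work starts (presumably so that
     * a failing pass is not retried on every invocation); if any step throws, the failure
     * is logged and every broker account is deleted via {@link #deleteAllAccount()} rather
     * than leaving a partially migrated store behind.
     *
     * @param invokedBy free-form identifier of the caller, only used in log messages
     */
    public void reEncrypt(String invokedBy) {
        final String methodTag = "ReencryptionManager:reEncrypt";
        if (!mReEncryptionEnabled || hasPerformedReEncryption()) {
            return;
        }
        if (!isActiveBroker()) {
            Logger.info(methodTag, "This is not invoked by broker app. Skip operation.");
            return;
        }
        setHasPerformedReEncryption();
        try {
            Logger.info(methodTag, "re-encrypt started. Invoked by:" + invokedBy);
            if (mStorageHelper.loadSecretKey(StorageHelper.KeyType.KEYSTORE_ENCRYPTED_KEY) == null) {
                Logger.info(methodTag, "Keystore-encrypted key doesn't exist. Generating new key.");
                mStorageHelper.generateKeyStoreEncryptedKey();
            }
            reencryptAllAvailableAccountManagerAccounts();
            reencryptBrokerV1TokenCache();
            Logger.info(methodTag, "re-encrypt finished.");
        } catch (Exception e) {
            Logger.error(methodTag, "Failed to re-encrypt:" + e.getMessage(), e);
            deleteAllAccount();
        }
    }
}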
