package com.facebook.secure.trustedapp;

import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.text.TextUtils;
import androidx.annotation.VisibleForTesting;
import com.facebook.secure.config.SecurityConfigsHolder;
import com.facebook.secure.logger.Reporter;
import com.facebook.secure.packagemanager.PackageInfoCompat;
import com.facebook.secure.packagemanager.PackageManagerCompat;
import com.facebook.secure.trustboundary.ExpectedAppIdentity;
import com.facebook.secure.trustboundary.TrustBoundariesBuilder;
import com.facebook.secure.trustboundary.TrustBoundariesException;
import com.facebook.secure.trustedapp.certificates.Certificates;
import com.facebook.secure.trustedapp.certificates.SigningCertificateNode;
import com.facebook.secure.trustedapp.exception.FbPermissionException;
import com.facebook.secure.trustedapp.exception.PackageNameNotFoundException;
import com.facebook.secure.trustedapp.generated.TrustedSignatures;
import com.facebook.secure.trustedapp.signatures.AppSignatureHash;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;

/* loaded from: classes.dex */
public class TrustedCaller {

    @Nullable
    private final TrustedApp a;
    private final ArrayList<String> b;
    private final ArrayList<String> c;
    private final ArrayList<String> d;

    @Nullable
    private final AppIdentityRegistry e;
    private final long f;
    private final SigningCertificateNode g;

    /* loaded from: classes.dex */
    public static final class TrustedCallerBuilder {

        @Nullable
        private TrustedApp e;

        @Nullable
        private AppIdentityRegistry f;

        @Nullable
        private byte[] h;
        private long g = 0;
        private final ArrayList<String> a = new ArrayList<>();
        private final ArrayList<String> b = new ArrayList<>();
        private final ArrayList<String> c = new ArrayList<>();
        private final Map<AppSignatureHash, Set<String>> d = new HashMap();

        private void b() {
            if (this.e != null && !this.d.isEmpty()) {
                throw new IllegalArgumentException("TrustedCaller needs to be configured with either a TrustedApp or list of trusted packages");
            }
        }

        public final TrustedCallerBuilder a(TrustedApp trustedApp) {
            this.e = trustedApp;
            return this;
        }

        public final TrustedCallerBuilder a(String str) {
            if (TextUtils.isEmpty(str)) {
                throw new IllegalArgumentException();
            }
            this.b.add(str);
            return this;
        }

        public final TrustedCaller a() {
            b();
            if (!this.d.isEmpty()) {
                this.e = new TrustedApp(this.d);
            }
            return new TrustedCaller(this, (byte) 0);
        }
    }

    private TrustedCaller(TrustedCallerBuilder trustedCallerBuilder) {
        TrustedApp trustedApp = trustedCallerBuilder.e;
        this.a = trustedApp;
        this.b = trustedCallerBuilder.a;
        ArrayList<String> arrayList = trustedCallerBuilder.b;
        this.c = arrayList;
        ArrayList<String> arrayList2 = trustedCallerBuilder.c;
        this.d = arrayList2;
        this.e = trustedCallerBuilder.f;
        this.f = trustedCallerBuilder.g;
        this.g = new SigningCertificateNode(trustedCallerBuilder.h == null ? Certificates.b.getBytes() : trustedCallerBuilder.h);
        if (trustedApp == null && arrayList.isEmpty() && arrayList2.isEmpty() && !a(1L)) {
            throw new IllegalArgumentException("TrustedCaller needs to be configured with at least 1 security check");
        }
    }

    /* synthetic */ TrustedCaller(TrustedCallerBuilder trustedCallerBuilder, byte b) {
        this(trustedCallerBuilder);
    }

    private AppIdentityRegistry a(Context context) {
        AppIdentityRegistry appIdentityRegistry = this.e;
        return appIdentityRegistry != null ? appIdentityRegistry : LiveAppIdentityRegistry.a(context);
    }

    public static TrustedCallerBuilder a() {
        return new TrustedCallerBuilder();
    }

    public static TrustedCaller a(String str) {
        return a().a(str).a();
    }

    private static Set<String> a(Context context, String[] strArr) {
        HashSet hashSet = new HashSet();
        for (String str : strArr) {
            try {
                PackageInfoCompat a = PackageManagerCompat.a(context, str, 4096);
                String[] strArr2 = a.a().requestedPermissions;
                int[] iArr = a.a().requestedPermissionsFlags;
                if (strArr2 == null || iArr == null) {
                    throw new SecurityException("Invalid PackageInfo for " + str + ". Null requestedPermissions or requestedPermissionsFlags returned");
                }
                if (strArr2.length != iArr.length) {
                    throw new SecurityException("Invalid PackageInfo for " + str + ". Unequal requestedPermissions and requestedPermissionsFlags lengths.");
                }
                for (int i = 0; i < strArr2.length; i++) {
                    if ((iArr[i] & 2) != 0) {
                        hashSet.add(strArr2[i]);
                    }
                }
            } catch (PackageManager.NameNotFoundException e) {
                throw new PackageNameNotFoundException(e);
            }
        }
        return hashSet;
    }

    private void a(Context context, @Nullable AppIdentity appIdentity, @Nullable Reporter reporter) {
        if (appIdentity == null) {
            throw new SecurityException("Invalid Caller Identity (null)");
        }
        a(appIdentity);
        if (a(1L) && context.getPackageName().equals(appIdentity.d())) {
            return;
        }
        boolean b = TrustedSignatures.b(a(context).a(context.getPackageName()).a().e());
        if (SecurityConfigsHolder.a().a().b()) {
            a(context, appIdentity, b);
        } else {
            a(appIdentity, b);
        }
        a(appIdentity, context, reporter);
        a(appIdentity, context);
        b();
    }

    private void a(Context context, AppIdentity appIdentity, boolean z) {
        TrustedApp trustedApp = this.a;
        if (trustedApp == null) {
            return;
        }
        Set<ExpectedAppIdentity> a = trustedApp.a(this.b);
        try {
            TrustBoundariesBuilder trustBoundariesBuilder = new TrustBoundariesBuilder();
            trustBoundariesBuilder.a((ExpectedAppIdentity[]) a.toArray(new ExpectedAppIdentity[0]));
            if (z) {
                trustBoundariesBuilder.a();
            }
            trustBoundariesBuilder.b().a(context, appIdentity);
        } catch (TrustBoundariesException e) {
            throw new SecurityException("[TrustBoundary] Caller Identity '" + appIdentity + "' is not trusted", e);
        }
    }

    @VisibleForTesting
    private void a(AppIdentity appIdentity) {
        if (this.b.isEmpty() || this.b.contains(appIdentity.g())) {
            return;
        }
        throw new SecurityException("Missing required Caller Domains " + this.b + " from caller " + appIdentity);
    }

    @VisibleForTesting
    private void a(AppIdentity appIdentity, Context context) {
        if (this.d.isEmpty()) {
            return;
        }
        try {
            Set<String> a = a(context, PackageManagerCompat.a(context, appIdentity.a()));
            Iterator<String> it = this.d.iterator();
            while (it.hasNext()) {
                if (a.contains(it.next())) {
                    return;
                }
            }
            throw new SecurityException("Caller " + appIdentity + " has none of these permissions granted " + this.d);
        } catch (PackageManager.NameNotFoundException e) {
            throw new PackageNameNotFoundException(e);
        }
    }

    @VisibleForTesting
    private void a(AppIdentity appIdentity, Context context, @Nullable Reporter reporter) {
        if (this.c.isEmpty()) {
            return;
        }
        FbPermission a = reporter != null ? FbPermission.a(context, reporter) : FbPermission.a(context);
        if (this.c.size() == 1) {
            String str = this.c.get(0);
            try {
                a.b(context, appIdentity, str);
                return;
            } catch (FbPermissionException e) {
                throw new SecurityException("Missing or unable to evaluate FbPermission '" + str + "' from caller " + appIdentity, e);
            }
        }
        Iterator<String> it = this.c.iterator();
        while (it.hasNext()) {
            if (a.a(context, appIdentity, it.next())) {
                return;
            }
        }
        throw new SecurityException("Missing at least one required FBPermission (of multiple defined) " + this.c + " from caller " + appIdentity);
    }

    @VisibleForTesting
    private void a(AppIdentity appIdentity, boolean z) {
        TrustedApp trustedApp = this.a;
        if (trustedApp == null || trustedApp.a(appIdentity, z)) {
            return;
        }
        if (SecurityConfigsHolder.a().a().c()) {
            b(appIdentity);
            return;
        }
        throw new SecurityException("Caller Identity '" + appIdentity + "' is not trusted");
    }

    @VisibleForTesting
    private boolean a(long j) {
        return (j & this.f) != 0;
    }

    private void b() {
        if (this.c.isEmpty() && this.a == null && this.d.isEmpty()) {
            throw new SecurityException("Calling app is not the same package, and no other identity checks were performed.");
        }
    }

    private void b(Context context, @Nullable Intent intent, @Nullable Reporter reporter) {
        a(context, CallerIdentityUtil.a(context, intent, reporter, a(16L) ? Integer.MAX_VALUE : 86400000, this.f), reporter);
    }

    private void b(AppIdentity appIdentity) {
        if (this.a == null) {
            return;
        }
        Iterator<Signature> it = appIdentity.f().iterator();
        while (it.hasNext()) {
            if (new SigningCertificateNode(it.next().toByteArray(), this.g).a()) {
                return;
            }
        }
        throw new SecurityException("Caller Identity '" + appIdentity + "' is not trusted");
    }

    public final boolean a(Context context, @Nullable Intent intent, @Nullable Reporter reporter) {
        try {
            b(context, intent, reporter);
            return true;
        } catch (SecurityException e) {
            if (reporter == null) {
                return false;
            }
            String message = e.getMessage();
            if (message == null) {
                message = "Cannot trust caller";
            }
            reporter.a("TrustedCaller", message, e.getCause());
            return false;
        }
    }
}
