package androidx.security.app.authenticator;

import android.content.Context;
import android.content.pm.PackageManager;
import android.text.TextUtils;
import android.util.Log;
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.annotation.VisibleForTesting;
import androidx.annotation.XmlRes;
import androidx.collection.ArrayMap;
import androidx.collection.ArraySet;
import com.google.auto.value.AutoValue;
import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory;

/* loaded from: classes5.dex */
public class AppAuthenticator {
    static final String ALL_PACKAGES_TAG = "all-packages";
    private static final String CERT_DIGEST_TAG = "cert-digest";
    static final String DEFAULT_DIGEST_ALGORITHM = "SHA-256";
    private static final String EXPECTED_IDENTITY_TAG = "expected-identity";
    private static final String NAME_ATTRIBUTE = "name";
    private static final String PACKAGE_TAG = "package";
    public static final int PERMISSION_DENIED_NO_MATCH = -3;
    public static final int PERMISSION_DENIED_PACKAGE_UID_MISMATCH = -5;
    public static final int PERMISSION_DENIED_UNKNOWN_PACKAGE = -4;
    public static final int PERMISSION_GRANTED = 0;
    private static final String PERMISSION_TAG = "permission";
    private static final String ROOT_TAG = "app-authenticator";
    public static final int SIGNATURE_MATCH = 0;
    public static final int SIGNATURE_NO_MATCH = -1;
    private static final String TAG = "AppAuthenticator";
    private AppAuthenticatorUtils mAppAuthenticatorUtils;
    private AppSignatureVerifier mAppSignatureVerifier;

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AppAuthenticatorConfig {
        static AppAuthenticatorConfig create(Map<String, Map<String, Set<String>>> map, Map<String, Set<String>> map2, String str) {
            return new AutoValue_AppAuthenticator_AppAuthenticatorConfig(map, map2, str);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract String getDigestAlgorithm();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Map<String, Set<String>> getExpectedIdentities();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Map<String, Map<String, Set<String>>> getPermissionAllowMap();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AppAuthenticatorResult {
        static AppAuthenticatorResult create(int i2, String str) {
            return new AutoValue_AppAuthenticator_AppAuthenticatorResult(i2, str);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract int getResultCode();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract String getResultMessage();
    }

    AppAuthenticator(AppSignatureVerifier appSignatureVerifier, AppAuthenticatorUtils appAuthenticatorUtils) {
        this.mAppSignatureVerifier = appSignatureVerifier;
        this.mAppAuthenticatorUtils = appAuthenticatorUtils;
    }

    private static void assertExpectedAttribute(XmlPullParser xmlPullParser, String str, String str2, boolean z2) throws AppAuthenticatorXmlException, XmlPullParserException {
        int attributeCount = xmlPullParser.getAttributeCount();
        if (attributeCount == -1) {
            throw new AssertionError("parser#getAttributeCount called for event type " + xmlPullParser.getEventType() + " on line " + xmlPullParser.getLineNumber());
        }
        if (attributeCount == 0 && str2 != null && z2) {
            throw new AppAuthenticatorXmlException("The attribute " + str2 + " is required for tag " + str + " on line " + xmlPullParser.getLineNumber());
        }
        StringBuilder sb = null;
        for (int i2 = 0; i2 < attributeCount; i2++) {
            String attributeName = xmlPullParser.getAttributeName(i2);
            if (!attributeName.equalsIgnoreCase(str2)) {
                if (sb == null) {
                    sb = new StringBuilder();
                } else {
                    sb.append(", ");
                }
                sb.append(attributeName);
            }
        }
        if (sb != null) {
            throw new AppAuthenticatorXmlException((str2 == null ? "Tag " + str + " does not support any attributes" : "Tag " + str + " only supports attribute " + str2) + "; found the following unsupported attributes on line " + xmlPullParser.getLineNumber() + ": " + ((Object) sb));
        }
    }

    private AppAuthenticatorResult checkCallingAppIdentityInternal(String str, String str2, int i2, int i3) {
        try {
            int uidForPackage = this.mAppAuthenticatorUtils.getUidForPackage(str);
            if (uidForPackage == i3) {
                if (this.mAppSignatureVerifier.verifySigningIdentity(str, str2)) {
                    return AppAuthenticatorResult.create(0, null);
                }
                return AppAuthenticatorResult.create(-3, "The signing identity of app " + str + " does not match the expected identity");
            }
            return AppAuthenticatorResult.create(-5, "The expected UID, " + i3 + ", of the app " + str + " does not match the actual UID, " + uidForPackage);
        } catch (PackageManager.NameNotFoundException unused) {
            return AppAuthenticatorResult.create(-4, "The app " + str + " was not found on the device");
        }
    }

    static AppAuthenticatorConfig createConfigFromParser(XmlPullParser xmlPullParser) throws AppAuthenticatorXmlException, IOException {
        ArrayMap arrayMap = new ArrayMap();
        ArrayMap arrayMap2 = new ArrayMap();
        try {
            parseToNextStartTag(xmlPullParser);
            String name = xmlPullParser.getName();
            if (TextUtils.isEmpty(name) || !name.equalsIgnoreCase(ROOT_TAG)) {
                throw new AppAuthenticatorXmlException("Provided XML does not contain the expected root tag: app-authenticator");
            }
            assertExpectedAttribute(xmlPullParser, ROOT_TAG, null, false);
            int nextTag = xmlPullParser.nextTag();
            while (nextTag == 2) {
                String name2 = xmlPullParser.getName();
                if (name2.equalsIgnoreCase(PERMISSION_TAG)) {
                    assertExpectedAttribute(xmlPullParser, PERMISSION_TAG, "name", true);
                    String attributeValue = xmlPullParser.getAttributeValue(null, "name");
                    if (TextUtils.isEmpty(attributeValue)) {
                        throw new AppAuthenticatorXmlException("The permission tag requires a non-empty value for the name attribute");
                    }
                    Map<String, Set<String>> parsePackages = parsePackages(xmlPullParser, true);
                    if (arrayMap.containsKey(attributeValue)) {
                        ((Map) arrayMap.get(attributeValue)).putAll(parsePackages);
                    } else {
                        arrayMap.put(attributeValue, parsePackages);
                    }
                } else {
                    if (!name2.equalsIgnoreCase(EXPECTED_IDENTITY_TAG)) {
                        throw new AppAuthenticatorXmlException("Expected permission or expected-identity under root tag at line " + xmlPullParser.getLineNumber());
                    }
                    assertExpectedAttribute(xmlPullParser, EXPECTED_IDENTITY_TAG, null, true);
                    arrayMap2.putAll(parsePackages(xmlPullParser, false));
                }
                nextTag = xmlPullParser.nextTag();
            }
            return AppAuthenticatorConfig.create(arrayMap, arrayMap2, DEFAULT_DIGEST_ALGORITHM);
        } catch (XmlPullParserException e2) {
            throw new AppAuthenticatorXmlException("Caught an exception parsing the provided XML:", e2);
        }
    }

    static AppAuthenticator createFromConfig(Context context, @NonNull AppAuthenticatorConfig appAuthenticatorConfig) {
        return new AppAuthenticator(AppSignatureVerifier.builder(context).setPermissionAllowMap(appAuthenticatorConfig.getPermissionAllowMap()).setExpectedIdentities(appAuthenticatorConfig.getExpectedIdentities()).setDigestAlgorithm(appAuthenticatorConfig.getDigestAlgorithm()).build(), new AppAuthenticatorUtils(context));
    }

    @NonNull
    public static AppAuthenticator createFromInputStream(@NonNull Context context, @NonNull InputStream inputStream) throws AppAuthenticatorXmlException, IOException {
        try {
            XmlPullParser newPullParser = XmlPullParserFactory.newInstance().newPullParser();
            newPullParser.setInput(inputStream, null);
            return createFromParser(context, newPullParser);
        } catch (XmlPullParserException e2) {
            throw new AppAuthenticatorXmlException("Unable to create parser from provided InputStream", e2);
        }
    }

    private static AppAuthenticator createFromParser(Context context, XmlPullParser xmlPullParser) throws AppAuthenticatorXmlException, IOException {
        return createFromConfig(context, createConfigFromParser(xmlPullParser));
    }

    @NonNull
    public static AppAuthenticator createFromResource(@NonNull Context context, @XmlRes int i2) throws AppAuthenticatorXmlException, IOException {
        return createFromParser(context, context.getResources().getXml(i2));
    }

    static String normalizeCertDigest(String str) {
        return str.toLowerCase(Locale.US);
    }

    private static Set<String> parseCertDigests(XmlPullParser xmlPullParser) throws AppAuthenticatorXmlException, IOException, XmlPullParserException {
        ArraySet arraySet = new ArraySet();
        int nextTag = xmlPullParser.nextTag();
        while (nextTag == 2) {
            if (!xmlPullParser.getName().equalsIgnoreCase(CERT_DIGEST_TAG)) {
                throw new AppAuthenticatorXmlException("Expected cert-digest on line " + xmlPullParser.getLineNumber());
            }
            String trim = xmlPullParser.nextText().trim();
            if (TextUtils.isEmpty(trim)) {
                throw new AppAuthenticatorXmlException("The cert-digest element on line " + xmlPullParser.getLineNumber() + " must have non-empty text containing the certificate digest of the signer");
            }
            arraySet.add(normalizeCertDigest(trim));
            nextTag = xmlPullParser.nextTag();
        }
        return arraySet;
    }

    private static Map<String, Set<String>> parsePackages(XmlPullParser xmlPullParser, boolean z2) throws AppAuthenticatorXmlException, IOException, XmlPullParserException {
        String str;
        ArrayMap arrayMap = new ArrayMap();
        int nextTag = xmlPullParser.nextTag();
        while (nextTag == 2) {
            String name = xmlPullParser.getName();
            if (name.equalsIgnoreCase(PACKAGE_TAG)) {
                assertExpectedAttribute(xmlPullParser, PACKAGE_TAG, "name", true);
                str = xmlPullParser.getAttributeValue(null, "name");
                if (TextUtils.isEmpty(str)) {
                    throw new AppAuthenticatorXmlException("The package tag requires a non-empty value for the name attribute");
                }
            } else {
                if (!name.equalsIgnoreCase(ALL_PACKAGES_TAG)) {
                    StringBuilder sb = new StringBuilder();
                    sb.append("Unexpected tag ");
                    sb.append(name);
                    sb.append(" on line ");
                    sb.append(xmlPullParser.getLineNumber());
                    sb.append("; expected ");
                    sb.append(PACKAGE_TAG);
                    sb.append("");
                    sb.append(z2 ? " or all-packages" : "");
                    throw new AppAuthenticatorXmlException(sb.toString());
                }
                if (!z2) {
                    throw new AppAuthenticatorXmlException("The all-packages tag is not allowed within this element on line " + xmlPullParser.getLineNumber());
                }
                str = ALL_PACKAGES_TAG;
            }
            Set<String> parseCertDigests = parseCertDigests(xmlPullParser);
            if (parseCertDigests.isEmpty()) {
                throw new AppAuthenticatorXmlException("No cert-digest tag found within " + name + " element on line " + xmlPullParser.getLineNumber());
            }
            if (arrayMap.containsKey(str)) {
                ((Set) arrayMap.get(str)).addAll(parseCertDigests);
            } else {
                arrayMap.put(str, parseCertDigests);
            }
            nextTag = xmlPullParser.nextTag();
        }
        return arrayMap;
    }

    private static int parseToNextStartTag(XmlPullParser xmlPullParser) throws IOException, XmlPullParserException {
        int next;
        do {
            next = xmlPullParser.next();
            if (next == 2) {
                break;
            }
        } while (next != 1);
        return next;
    }

    public int checkAppIdentity(@NonNull String str) {
        return this.mAppSignatureVerifier.verifyExpectedIdentity(str) ? 0 : -1;
    }

    public int checkCallingAppIdentity(@NonNull String str, @NonNull String str2) {
        return checkCallingAppIdentity(str, str2, this.mAppAuthenticatorUtils.getCallingPid(), this.mAppAuthenticatorUtils.getCallingUid());
    }

    public int checkCallingAppIdentity(@NonNull String str, @NonNull String str2, int i2, int i3) {
        AppAuthenticatorResult checkCallingAppIdentityInternal = checkCallingAppIdentityInternal(str, str2, i2, i3);
        if (checkCallingAppIdentityInternal.getResultCode() != 0) {
            Log.e(TAG, checkCallingAppIdentityInternal.getResultMessage());
        }
        return checkCallingAppIdentityInternal.getResultCode();
    }

    public void enforceAppIdentity(@NonNull String str) {
        if (checkAppIdentity(str) == 0) {
            return;
        }
        throw new SecurityException("The app " + str + " does not match the expected signing identity");
    }

    public void enforceCallingAppIdentity(@NonNull String str, @NonNull String str2) {
        enforceCallingAppIdentity(str, str2, this.mAppAuthenticatorUtils.getCallingPid(), this.mAppAuthenticatorUtils.getCallingUid());
    }

    public void enforceCallingAppIdentity(@NonNull String str, @NonNull String str2, int i2, int i3) {
        AppAuthenticatorResult checkCallingAppIdentityInternal = checkCallingAppIdentityInternal(str, str2, i2, i3);
        if (checkCallingAppIdentityInternal.getResultCode() != 0) {
            throw new SecurityException(checkCallingAppIdentityInternal.getResultMessage());
        }
    }

    @VisibleForTesting(otherwise = 5)
    void setAppAuthenticatorUtils(AppAuthenticatorUtils appAuthenticatorUtils) {
        this.mAppAuthenticatorUtils = appAuthenticatorUtils;
    }

    @VisibleForTesting(otherwise = 5)
    void setAppSignatureVerifier(AppSignatureVerifier appSignatureVerifier) {
        this.mAppSignatureVerifier = appSignatureVerifier;
    }
}
