package com.facebook.secure.trustedapp;

import android.content.Context;
import android.content.Intent;
import android.os.Message;
import android.text.TextUtils;
import com.facebook.secure.logger.Reporter;
import com.facebook.secure.trustedapp.signatures.AllFamilyTrustedSignatures;
import com.facebook.secure.trustedapp.signatures.AppSignatureHash;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;

/* loaded from: classes.dex */
public class TrustedCaller {
    private static final long FLAG_CALLERIDENTITY_ALLOW_LONG_TTL = 8;
    private static final long FLAG_CALLERIDENTITY_DISABLE_TTL = 16;
    private static final long FLAG_FBPERMISSION_ALLOW_SINGLE_MATCH = 4;
    private static final long FLAG_FBPERMISSION_FAIL_OPEN = 2;
    private static final long FLAG_TRUSTEDAPP_ALLOW_SAME_APP = 1;
    private static final String TAG = "TrustedCaller";

    @Nullable
    private final AppIdentityRegistry mAppIdentityRegistry;
    private final ArrayList<String> mDomains;
    private final long mFlags;
    private final ArrayList<String> mPermissions;

    @Nullable
    private final TrustedApp mTrustedApp;

    /* loaded from: classes.dex */
    public static final class TrustedCallerBuilder {

        @Nullable
        private AppIdentityRegistry mAppIdentityRegistry;

        @Nullable
        private TrustedApp mTrustedApp;
        private long mFlags = 0;
        private ArrayList<String> mDomains = new ArrayList<>();
        private ArrayList<String> mPermissions = new ArrayList<>();
        private Map<AppSignatureHash, Set<String>> mTrustedPackages = new HashMap();

        private void throwIfInvalidBuilder() {
            if (this.mTrustedApp != null && !this.mTrustedPackages.isEmpty()) {
                throw new IllegalArgumentException("TrustedCaller needs to be configured with either a TrustedApp or list of trusted packages");
            }
        }

        public TrustedCallerBuilder addDomain(String str) {
            if (TextUtils.isEmpty(str)) {
                throw new IllegalArgumentException();
            }
            this.mDomains.add(str);
            return this;
        }

        public TrustedCallerBuilder addDomains(Collection<String> collection) {
            this.mDomains.addAll(collection);
            return this;
        }

        public TrustedCallerBuilder addFbPermission(String str) {
            if (TextUtils.isEmpty(str)) {
                throw new IllegalArgumentException();
            }
            this.mPermissions.add(str);
            return this;
        }

        public TrustedCallerBuilder addFbPermissions(Collection<String> collection) {
            if (collection == null || collection.isEmpty()) {
                throw new IllegalArgumentException();
            }
            Iterator<String> it = collection.iterator();
            while (it.hasNext()) {
                addFbPermission(it.next());
            }
            return this;
        }

        public TrustedCallerBuilder addTrustedPackage(AppSignatureHash appSignatureHash, String str) {
            Set<String> set;
            if (this.mTrustedPackages.containsKey(appSignatureHash) && (set = this.mTrustedPackages.get(appSignatureHash)) != null) {
                set.add(str);
                return this;
            }
            HashSet hashSet = new HashSet();
            hashSet.add(str);
            this.mTrustedPackages.put(appSignatureHash, hashSet);
            return this;
        }

        public TrustedCallerBuilder addTrustedPackages(AppSignatureHash appSignatureHash, Set<String> set) {
            Set<String> set2;
            if (!this.mTrustedPackages.containsKey(appSignatureHash) || (set2 = this.mTrustedPackages.get(appSignatureHash)) == null) {
                this.mTrustedPackages.put(appSignatureHash, set);
                return this;
            }
            set2.addAll(set);
            return this;
        }

        public TrustedCallerBuilder allowCallerIdentityLongTTL_UNSAFE() {
            this.mFlags |= TrustedCaller.FLAG_CALLERIDENTITY_ALLOW_LONG_TTL;
            return this;
        }

        public TrustedCallerBuilder allowSingleFbPermissionMatch() {
            this.mFlags |= TrustedCaller.FLAG_FBPERMISSION_ALLOW_SINGLE_MATCH;
            return this;
        }

        public TrustedCaller build() {
            throwIfInvalidBuilder();
            if (!this.mTrustedPackages.isEmpty()) {
                this.mTrustedApp = new TrustedApp(this.mTrustedPackages);
            }
            return new TrustedCaller(this);
        }

        public TrustedCallerBuilder disableTTLCheckCompletely_UNSAFE() {
            this.mFlags |= TrustedCaller.FLAG_CALLERIDENTITY_DISABLE_TTL;
            return this;
        }

        public TrustedCallerBuilder enableFbPermissionFailOpen() {
            this.mFlags |= TrustedCaller.FLAG_FBPERMISSION_FAIL_OPEN;
            return this;
        }

        public TrustedCallerBuilder enableTrustedAppSamePackage() {
            this.mFlags |= TrustedCaller.FLAG_TRUSTEDAPP_ALLOW_SAME_APP;
            return this;
        }

        public TrustedCallerBuilder setTrustedApp(TrustedApp trustedApp) {
            this.mTrustedApp = trustedApp;
            return this;
        }

        public TrustedCallerBuilder withAppIdentityRegistry_EXPERIMENTAL(AppIdentityRegistry appIdentityRegistry) {
            this.mAppIdentityRegistry = appIdentityRegistry;
            return this;
        }

        public TrustedCallerBuilder withTrustedAppSameKey(Context context) {
            HashSet hashSet = new HashSet();
            hashSet.add(AppVerifier.getSignatureFromPackageName(context, context.getPackageName()));
            return setTrustedApp(TrustedAppHelper.createTrustedApp(Collections.unmodifiableSet(hashSet)));
        }
    }

    private TrustedCaller(TrustedCallerBuilder trustedCallerBuilder) {
        TrustedApp trustedApp = trustedCallerBuilder.mTrustedApp;
        this.mTrustedApp = trustedApp;
        this.mDomains = trustedCallerBuilder.mDomains;
        ArrayList<String> arrayList = trustedCallerBuilder.mPermissions;
        this.mPermissions = arrayList;
        this.mAppIdentityRegistry = trustedCallerBuilder.mAppIdentityRegistry;
        this.mFlags = trustedCallerBuilder.mFlags;
        if (trustedApp == null && arrayList.isEmpty() && !hasFlag(FLAG_TRUSTEDAPP_ALLOW_SAME_APP)) {
            throw new IllegalArgumentException("TrustedCaller needs to be configured with at least 1 security check");
        }
    }

    public static TrustedCallerBuilder builder() {
        return new TrustedCallerBuilder();
    }

    public static TrustedCaller createWithFbPermission(String str) {
        return builder().addFbPermission(str).build();
    }

    public static TrustedCaller createWithFbPermission(String str, boolean z) {
        TrustedCallerBuilder addFbPermission = builder().addFbPermission(str);
        if (z) {
            addFbPermission = addFbPermission.enableFbPermissionFailOpen();
        }
        return addFbPermission.build();
    }

    private void enforceTrustedCallerApp(Context context, @Nullable AppIdentity appIdentity, @Nullable Reporter reporter) {
        if (appIdentity == null) {
            throw new SecurityException("Invalid Caller Identity (null)");
        }
        throwIfInvalidDomain(appIdentity);
        boolean z = hasFlag(FLAG_TRUSTEDAPP_ALLOW_SAME_APP) && context.getPackageName().equals(appIdentity.getPackageName());
        if (z) {
            return;
        }
        boolean isDebugSignatureHash = AllFamilyTrustedSignatures.isDebugSignatureHash(getRegistry(context).getAppIdentityForPackage(context.getPackageName()).getIdentity().getSignatureHash());
        throwIfTrustedAppMismatch(appIdentity, isDebugSignatureHash);
        throwIfMissingFbPermission(appIdentity, context, reporter, isDebugSignatureHash);
        throwIfCallerAppIsNotSameSamePackageAndNoOtherIdentityChecksRan(z);
    }

    private AppIdentityRegistry getRegistry(Context context) {
        AppIdentityRegistry appIdentityRegistry = this.mAppIdentityRegistry;
        return appIdentityRegistry != null ? appIdentityRegistry : LiveAppIdentityRegistry.get(context);
    }

    private boolean hasFlag(long j) {
        return (this.mFlags & j) != 0;
    }

    public void enforceTrustedCallerApp(Context context) {
        enforceTrustedCallerApp(context, (Reporter) null);
    }

    public void enforceTrustedCallerApp(Context context, Intent intent) {
        enforceTrustedCallerApp(context, intent, (Reporter) null);
    }

    public void enforceTrustedCallerApp(Context context, @Nullable Intent intent, @Nullable Reporter reporter) {
        enforceTrustedCallerApp(context, CallerIdentityUtil.getCallerAppIdentity(context, intent, reporter, hasFlag(FLAG_CALLERIDENTITY_DISABLE_TTL) ? Integer.MAX_VALUE : hasFlag(FLAG_CALLERIDENTITY_ALLOW_LONG_TTL) ? 86400000 : 60000), reporter);
    }

    public void enforceTrustedCallerApp(Context context, Message message) {
        enforceTrustedCallerApp(context, message, (Reporter) null);
    }

    public void enforceTrustedCallerApp(Context context, Message message, @Nullable Reporter reporter) {
        enforceTrustedCallerApp(context, CallerIdentityUtil.getCallerAppIdentity(context, message, reporter), reporter);
    }

    public void enforceTrustedCallerApp(Context context, @Nullable Reporter reporter) {
        enforceTrustedCallerApp(context, (Intent) null, reporter);
    }

    public void enforceTrustedCallerApp(Context context, BinderIdentity binderIdentity, @Nullable Reporter reporter) {
        enforceTrustedCallerApp(context, getRegistry(context).getAppIdentityForUid(binderIdentity).getIdentity(), reporter);
    }

    public boolean isCallerAppTrusted(Context context) {
        return isCallerAppTrusted(context, (Reporter) null);
    }

    public boolean isCallerAppTrusted(Context context, @Nullable Intent intent) {
        return isCallerAppTrusted(context, intent, (Reporter) null);
    }

    public boolean isCallerAppTrusted(Context context, @Nullable Intent intent, @Nullable Reporter reporter) {
        try {
            enforceTrustedCallerApp(context, intent, reporter);
            return true;
        } catch (SecurityException e) {
            if (reporter == null) {
                return false;
            }
            String message = e.getMessage();
            if (message == null) {
                message = "Cannot trust caller";
            }
            reporter.report(TAG, message, e.getCause());
            return false;
        }
    }

    public boolean isCallerAppTrusted(Context context, Message message) {
        return isCallerAppTrusted(context, message, (Reporter) null);
    }

    public boolean isCallerAppTrusted(Context context, Message message, @Nullable Reporter reporter) {
        try {
            enforceTrustedCallerApp(context, message, reporter);
            return true;
        } catch (SecurityException e) {
            if (reporter == null) {
                return false;
            }
            reporter.report(TAG, e.getMessage(), e.getCause());
            return false;
        }
    }

    public boolean isCallerAppTrusted(Context context, @Nullable Reporter reporter) {
        return isCallerAppTrusted(context, (Intent) null, reporter);
    }

    protected void throwIfCallerAppIsNotSameSamePackageAndNoOtherIdentityChecksRan(boolean z) {
        if (!z && this.mPermissions.isEmpty() && this.mTrustedApp == null) {
            throw new SecurityException("Calling app is not the same package, and no other identity checks were performed.");
        }
    }

    protected void throwIfInvalidDomain(AppIdentity appIdentity) {
        if (!this.mDomains.isEmpty() && !this.mDomains.contains(appIdentity.getDomainName())) {
            throw new SecurityException(String.format("Missing required Caller Domains %s from caller %s", this.mDomains, appIdentity));
        }
    }

    protected void throwIfMissingFbPermission(AppIdentity appIdentity, Context context, @Nullable Reporter reporter, boolean z) {
        if (this.mPermissions.isEmpty()) {
            return;
        }
        boolean hasFlag = hasFlag(FLAG_FBPERMISSION_ALLOW_SINGLE_MATCH);
        List<String> appFbPermissionsFromManifest = z ? FbPermission.getAppFbPermissionsFromManifest(context, appIdentity) : Collections.emptyList();
        FbPermission fbPermission = reporter != null ? FbPermission.get(reporter) : FbPermission.get();
        Iterator<String> it = this.mPermissions.iterator();
        boolean z2 = false;
        while (it.hasNext()) {
            String next = it.next();
            z2 = (z && appFbPermissionsFromManifest.contains(next)) || fbPermission.checkFbPermission(context, appIdentity, next, hasFlag(FLAG_FBPERMISSION_FAIL_OPEN));
            if ((z2 && hasFlag) || (!z2 && !hasFlag)) {
                break;
            }
        }
        if (!z2) {
            throw new SecurityException(String.format("Missing at least one required FBPermission %s from caller %s", this.mPermissions, appIdentity));
        }
    }

    protected void throwIfTrustedAppMismatch(AppIdentity appIdentity, boolean z) {
        TrustedApp trustedApp = this.mTrustedApp;
        if (trustedApp != null && !trustedApp.isAppIdentityTrusted(appIdentity, z)) {
            throw new SecurityException(String.format("Caller Identity '%s' is not trusted", appIdentity));
        }
    }
}
