package com.citrix.auth.impl;

import com.citrix.auth.AMUrl;
import com.citrix.auth.exceptions.AuthManException;
import com.citrix.auth.exceptions.TemporaryFailureException;
import com.citrix.auth.impl.LogonMutex;
import com.citrix.auth.impl.TokenCaches;
import com.citrix.auth.impl.TokenOperation;
import com.citrix.auth.impl.messages.AuthChallenge;
import com.citrix.auth.impl.messages.AuthChoice;
import com.citrix.auth.impl.messages.ChoicesResponse;
import java.util.List;
import org.apache.http.HttpResponse;

/* loaded from: classes.dex */
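/**
 * Obtains StoreFront authorization tokens in response to auth challenges, using the token caches,
 * session creator and logon helper reachable from the supplied {@link InternalRequestParams}.
 *
 * <p>This source is decompiler output (JADX); some access modifiers and one class name were altered
 * by the decompiler and are kept as they appear so that callers still resolve.
 *
 * <p>NOTE(review): several log statements format {@code TokenData} and {@code AuthChallenge} objects
 * with {@code %s}. What reaches the log depends on their {@code toString()} implementations, which
 * are not visible here; confirm they do not include token secrets before shipping these logs.
 *
 * <p>NOTE(review): {@code m_challengeChainDepth} is a plain instance field with no synchronization
 * visible in this class; presumably an instance serves a single request on one thread. Confirm.
 */
public class StorefrontAuth {
    /** Maximum nesting of {@link #getTokenForChallengeLoop} calls before the chain is rejected. */
    private static final int s_maxChallengeChainDepth = 5;
    /** Current nesting depth of {@link #getTokenForChallengeLoop}; incremented on entry, decremented on exit. */
    private int m_challengeChainDepth = 0;
    private final InternalRequestParams m_requestParams;

    /**
     * Task handed to the logon mutex by {@link StorefrontAuth#handleChoicesResponse}. It returns a
     * cached primary token when one exists, and otherwise performs a logon and caches the result.
     * The outcome is published through {@link #m_returnValue}.
     *
     * <p>Decompiler note: originally {@code StorefrontAuth$1HandleChoicesResponseTask}; JADX renamed
     * it (invalid class name) and changed its access from package-private.
     */
    public class C1HandleChoicesResponseTask implements LogonMutex.AuthManRunnable {
        final AuthChallenge authChallenge;
        final AgSession choicesAgSession;
        // Set by run() on success; run() throws instead of leaving a failed result here.
        public TokenData m_returnValue;
        final ProtocolSelector protocolSelector;

        public C1HandleChoicesResponseTask(AuthChallenge authChallenge, AgSession agSession, ProtocolSelector protocolSelector) {
            this.authChallenge = authChallenge;
            this.choicesAgSession = agSession;
            this.protocolSelector = protocolSelector;
        }

        @Override // com.citrix.auth.impl.LogonMutex.AuthManRunnable
        public InternalRequestParams getRequestParams() {
            return StorefrontAuth.this.m_requestParams;
        }

        /**
         * Resolves a primary token for the challenge's service URL.
         *
         * @throws AuthManException if every protocol fails, if the new token cannot be cached
         *     (temporary failure), or if the cache epoch changed during the logon (reported as
         *     cancelled by the user)
         */
        @Override // com.citrix.auth.impl.LogonMutex.AuthManRunnable
        public void run() throws AuthManException {
            // Check the cache again from inside the task: presumably another request may have
            // completed a logon while this one waited for the mutex (TODO confirm).
            TokenData cachedToken = StorefrontAuth.this.getTokenCaches().getPrimaryTokenByTokenServiceUrl(this.authChallenge.getServiceUrl());
            if (cachedToken != null) {
                Utils.amLog("Found cached token; no need to logon; tokendata=(%s)", cachedToken);
                this.m_returnValue = cachedToken;
                return;
            }
            Utils.amLog("== PERFORMING AUTH SERVICE LOGON ==");
            long epoch;
            TokenData newToken;
            while (true) {
                try {
                    // The epoch is sampled before the logon so that addPrimaryToken can report
                    // TABLE_ADD_FAILURE_EPOCH_CHANGED if it moved while the logon was running.
                    epoch = StorefrontAuth.this.getTokenCaches().getEpoch();
                    newToken = StorefrontAuth.this.getSFLogon().doLogon(this.protocolSelector.current(), this.authChallenge, this.choicesAgSession);
                    break;
                } catch (AuthManException e) {
                    // Presumably advances to the next candidate protocol, or rethrows when none
                    // remain; the loop only ends through that throw or a successful logon.
                    this.protocolSelector.moveNextOrThrow(e);
                }
            }
            TokenCaches.TableAddResult addResult = StorefrontAuth.this.getTokenCaches().addPrimaryToken(newToken, epoch);
            if (addResult == TokenCaches.TableAddResult.TABLE_ADD_SUCCESS) {
                Utils.amLog("Generated login token=(%s)", newToken);
                this.m_returnValue = newToken;
                return;
            }
            // A token that could not be cached is destroyed rather than handed to the caller.
            Utils.amLog("Generated primary was not added to the cache; destroying");
            new AuthorizationDestroyer(StorefrontAuth.this.m_requestParams.getDependencies()).destroyPrimaryToken(newToken);
            if (addResult != TokenCaches.TableAddResult.TABLE_ADD_FAILURE_EPOCH_CHANGED) {
                throw AuthManException.temporaryFailure("The primary generated could not be added to the caches");
            }
            Utils.amLog("The epoch changed while a logon was being performed; acting as if cancelled by the user");
            throw AuthManException.cancelledByUser("StoreFront authentication and auth man logoff happened concurrently");
        }
    }

    public StorefrontAuth(InternalRequestParams internalRequestParams) {
        this.m_requestParams = internalRequestParams;
    }

    /**
     * Extracts a Citrix auth challenge from an HTTP 401 response.
     *
     * @param httpResponse the response to inspect; may be {@code null}
     * @param aMUrl passed through to {@code AuthChallenge.extractAuthChallengeIfPresent}
     * @return {@code null} when the response is {@code null} or its status is not 401; otherwise
     *     whatever {@code AuthChallenge.extractAuthChallengeIfPresent} returns for the headers
     * @throws AuthManException if header extraction fails
     */
    public static AuthChallenge extractCitrixAuthChallengeIfPresent(HttpResponse httpResponse, AMUrl aMUrl) throws AuthManException {
        if (httpResponse == null || 401 != httpResponse.getStatusLine().getStatusCode()) {
            return null;
        }
        return AuthChallenge.extractAuthChallengeIfPresent(httpResponse.getAllHeaders(), aMUrl);
    }

    private CachePurger getCachePurger() {
        return new CachePurger(this.m_requestParams.getDependencies());
    }

    private SessionCreator getSessionCreator() {
        return new SessionCreator(this.m_requestParams);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public TokenCaches getTokenCaches() {
        return this.m_requestParams.getTokenCaches();
    }

    /**
     * Generates a token for the challenge and stores it in the caches as a secondary token.
     *
     * <p>A {@link TemporaryFailureException} is logged and deliberately not propagated; in that
     * case no secondary token is cached.
     *
     * @throws AuthManException on any other failure, including a protocol error when the generated
     *     token turns out to be a primary token
     */
    public void generateSecondaryTokenForChallenge(AuthChallenge authChallenge) throws AuthManException {
        try {
            TokenData token = getTokenForChallengeLoop(authChallenge);
            // A primary token must never be stored as a service (secondary) token.
            if (token.isPrimary()) {
                throw AuthManException.protocolError("A primary token was generated to access a service - this may indicate that a client application was incorrectly configured with a token service URL");
            }
            getTokenCaches().addSecondaryToken(token);
        } catch (TemporaryFailureException e) {
            Utils.amLog("Caught CTemporaryFailureException: %s", e.getMessage());
            Utils.amLog("Not adding a secondary token to the caches");
        }
    }

    protected SFLogon getSFLogon() {
        return new SFLogon(this.m_requestParams);
    }

    /**
     * Requests a token for {@code authChallenge}, following nested challenges recursively.
     *
     * <p>Each iteration performs a {@code RequestTokenOperation}, optionally authorized with a
     * token, and acts on the result type: a token is returned, a choices response is delegated to
     * {@link #handleChoicesResponse}, and a further challenge triggers a recursive call whose token
     * authorizes the retry. Recursion is limited by {@code s_maxChallengeChainDepth} and the retry
     * loop by a fixed count of 5.
     *
     * @param authChallenge the challenge to satisfy
     * @return the generated token
     * @throws AuthManException on protocol, system or temporary failures; the challenge is attached
     *     to the exception as additional info before it is rethrown
     */
    TokenData getTokenForChallengeLoop(AuthChallenge authChallenge) throws AuthManException {
        try {
            this.m_challengeChainDepth++;
            Utils.amLog("getTokenForChallengeLoop authChallenge=(%s)", authChallenge);
            Utils.amLog("m_challengeChainDepth=%d", Integer.valueOf(this.m_challengeChainDepth));
            // Bound the recursion so a server that keeps issuing challenges cannot chain forever.
            if (this.m_challengeChainDepth > s_maxChallengeChainDepth) {
                throw AuthManException.protocolError("Challenge chain too deep (depth=%d)", Integer.valueOf(this.m_challengeChainDepth));
            }
            // Starts as the cached primary token (if any); after a Challenge result it is replaced
            // by the token from the recursive call, which may be a secondary token.
            TokenData authorizationToken = getTokenCaches().getPrimaryTokenByTokenServiceUrl(authChallenge.getTokenServiceLocation());
            boolean tokenCameFromCache = authorizationToken != null;
            if (tokenCameFromCache) {
                Utils.amLog("Found cached primary token=(%s)", authorizationToken);
            }
            int attempt = 0;
            while (true) {
                attempt++;
                if (attempt > 5) {
                    throw AuthManException.systemError("getTokenForChallengeLoop looped an unexpected number of times (count=%s)", Integer.valueOf(attempt));
                }
                this.m_requestParams.throwIfRequestAborted();
                RequestTokenOperation requestTokenOperation = new RequestTokenOperation(authChallenge, this.m_requestParams.getDependencies().getRequestTokenLifespan());
                requestTokenOperation.setHttpClienResolver(this.m_requestParams);
                if (authorizationToken != null) {
                    requestTokenOperation.setAuthorizationToken(authorizationToken);
                }
                requestTokenOperation.setExtraHeaders(this.m_requestParams.getExtraHeadersForAuthRequests());
                AgSession agSession = getSessionCreator().retrieveOrCreateAgSessionIfNeededForTokenOperation(requestTokenOperation);
                TokenOperation.Result result = requestTokenOperation.perform();
                Utils.amLog("Token operation result type: %s", result);
                switch (result) {
                    case Token:
                        // A token issued without any authorization being presented is rejected.
                        if (authorizationToken == null) {
                            throw AuthManException.protocolError("getTokenForChallange - RequestTokenOperation generated a token when no authorization was supplied");
                        }
                        TokenData tokenResult = requestTokenOperation.getTokenResult();
                        Utils.amLog("Generated secondary token=(%s)", tokenResult);
                        Utils.amAssert(tokenResult.isValid(), "Invalid token generated");
                        Utils.amAssert(!tokenResult.isPrimary(), "Generated token should be secondary");
                        // Carry the store id over from the authorizing token when it is non-blank.
                        String storeId = authorizationToken.getStoreId();
                        if (storeId != null) {
                            String trimmedStoreId = storeId.trim();
                            if (!trimmedStoreId.isEmpty()) {
                                tokenResult.setStoreId(trimmedStoreId);
                            }
                        }
                        return tokenResult;
                    case Choices:
                        if (authorizationToken != null) {
                            throw AuthManException.protocolError("Choices response generated when an authorization token was supplied");
                        }
                        // A choices response is only accepted on a nested call (depth >= 2), i.e.
                        // not for the challenge the outermost caller passed in.
                        if (this.m_challengeChainDepth < 2) {
                            throw AuthManException.protocolError("The token service URL generated a choices response - this is not supported and may indicate a configuration error");
                        }
                        return handleChoicesResponse(requestTokenOperation.getChoicesResult(), authChallenge, agSession);
                    case Challenge:
                        // NOTE(review): nextChallenge is null-checked only for the realm patch; a
                        // null value would be dereferenced further down (purge or recursive call).
                        // Confirm getChallengeResult() cannot return null for a Challenge result.
                        AuthChallenge nextChallenge = requestTokenOperation.getChallengeResult();
                        if (nextChallenge != null) {
                            String athenaAuthDomain = this.m_requestParams.getCallerParams().getAthenaAuthDomain();
                            if (athenaAuthDomain != null) {
                                nextChallenge.patchRealmWithAthenaAuthDomain(athenaAuthDomain);
                            }
                        }
                        Utils.amLog("Received challenge=(%s)", nextChallenge);
                        if (authorizationToken == null) {
                            Utils.amLog("No authorization was supplied");
                        } else {
                            // The presented token was refused: purge what the challenge reason
                            // calls for, then retry only if the token was a cached primary.
                            purgeCachesForChallenge(authorizationToken, nextChallenge);
                            if (!authorizationToken.isPrimary()) {
                                if (StorefrontChallengeReasons.TokenExpired.equals(nextChallenge.getReason())) {
                                    throw AuthManException.temporaryFailure("An intermediate authorization token expired");
                                }
                                throw AuthManException.protocolError("Access failed with a newly generated secondary authorization token");
                            }
                            if (!tokenCameFromCache) {
                                throw AuthManException.protocolError("Access failed with a newly generated primary authorization token");
                            }
                            Utils.amLog("A cached primary token was used");
                        }
                        Utils.amLog("Generate a new authorization token for a retry");
                        // From here on the token is freshly generated, so a second refusal is fatal.
                        tokenCameFromCache = false;
                        authorizationToken = getTokenForChallengeLoop(nextChallenge);
                        Utils.amAssert(authorizationToken != null, "getTokenForChallengeLoop generated an empty token");
                        Utils.amLog("Retry with new authorization token");
                        break;
                    case InvalidAgSession:
                        Utils.amAssert(agSession != null, "InvalidAgSession reported for an empty session");
                        getCachePurger().purgeInvalidSession(agSession);
                        throw AuthManException.temporaryFailure("The session used for the token operation was no longer valid");
                    default:
                        throw AuthManException.protocolError("getTokenForChallange - unexpected result from CRequestTokenOperation: %s", result);
                }
            }
        } catch (AuthManException e) {
            e.addInfo("During getTokenForChallengeLoop challenge='%s'", authChallenge);
            throw e;
        } finally {
            // Always undo the increment so the depth counter stays balanced on every exit path.
            this.m_challengeChainDepth--;
        }
    }

    /**
     * Handles a choices response by checking that a logon is permitted and then running the logon
     * task under the token caches' logon mutex.
     *
     * <p>A logon is permitted when the request allows logon, or when gateway-to-store SSOn is always
     * allowed and an AG session is present; otherwise {@code AuthManException.logonNotAllowed()} is
     * thrown.
     *
     * @param choicesResponse the choices offered by the server
     * @param authChallenge the challenge that led to the choices response
     * @param agSession the AG session for the operation, or {@code null} when there is none
     * @return the token produced by the logon task
     * @throws AuthManException if logon is not allowed or the logon task fails
     */
    protected TokenData handleChoicesResponse(ChoicesResponse choicesResponse, AuthChallenge authChallenge, AgSession agSession) throws AuthManException {
        Utils.amLog("handleChoicesResponse");
        List<AuthChoice> choices = choicesResponse.m_choices;
        Utils.amLog("Choices are:");
        for (AuthChoice choice : choices) {
            Utils.amLog("\t%s: %s", choice.m_protocol, choice.m_location);
        }
        boolean allowLogon = this.m_requestParams.allowLogon();
        boolean alwaysAllowGatewayToStoreSSOn = this.m_requestParams.getCallerParams().getAlwaysAllowGatewayToStoreSSOn();
        boolean throughGateway = agSession != null;
        boolean hasPassword = throughGateway && agSession.hasPassword();
        boolean anonymousLogon = throughGateway && agSession.anonymousLogon();
        boolean hasAKeyManager = this.m_requestParams.hasAKeyManager();
        Utils.amLog("Protocol logon info: allowLogonFlag(%s)  alwaysAllowAGSSO(%s)  throughGateway(%s)  gatewaySessionHasPassword(%s)", Boolean.valueOf(allowLogon), Boolean.valueOf(alwaysAllowGatewayToStoreSSOn), Boolean.valueOf(throughGateway), Boolean.valueOf(hasPassword));
        if (allowLogon) {
            Utils.amLog("Logon of any protocol is allowed by logon flags.");
        } else {
            if (!alwaysAllowGatewayToStoreSSOn || !throughGateway) {
                Utils.amLog("Logon of any protocol is not allowed by logon flags.");
                throw AuthManException.logonNotAllowed();
            }
            Utils.amLog("Logon via AG SSOn allowed by logon flags.");
        }
        ProtocolSelector protocolSelector = new ProtocolSelector(this.m_requestParams.getDependencies(), choices, throughGateway, hasPassword, anonymousLogon, hasAKeyManager);
        C1HandleChoicesResponseTask task = new C1HandleChoicesResponseTask(authChallenge, agSession, protocolSelector);
        getTokenCaches().getLogonMutex().runTaskOnLock(task);
        return task.m_returnValue;
    }

    /**
     * Purges cached state according to the action mapped from the challenge's reason: the single
     * token, the token's family, or the token's credentials family.
     *
     * <p>Purging is best-effort: a failure while purging the credentials family is logged, with
     * its message, and not propagated.
     *
     * @param tokenData the token that was refused; asserted non-null
     * @param authChallenge the challenge whose reason selects the purge action
     */
    void purgeCachesForChallenge(TokenData tokenData, AuthChallenge authChallenge) {
        Utils.amLog("StorefontAuth.purgeCachesForChallenge authToken=(%s) challenge=(%s)", tokenData, authChallenge);
        Utils.amAssert(tokenData != null, "purgeCachesForChallenge should not be empty");
        switch (ChallengeAction.get(authChallenge.getReason())) {
            case DiscardToken:
                Utils.amLog("ChallengeAction.DiscardToken");
                getCachePurger().purgeInvalidToken(tokenData);
                break;
            case DestroyTokenFamily:
                Utils.amLog("ChallengeAction.DestroyTokenFamily");
                getCachePurger().purgeTokenFamily(tokenData.getTokenFamily());
                break;
            case DestroyCredsFamily:
                Utils.amLog("ChallengeAction.DestroyCredsFamily");
                try {
                    getCachePurger().purgeCredsFamily(tokenData.getCredsFamily(), true, this.m_requestParams.getAuthRequirementsFulfiller());
                } catch (AuthManException e) {
                    // Record why the purge did not happen: a skipped credentials purge leaves
                    // cached state in place, and the cause should be visible when diagnosing it.
                    Utils.amLog("purgeCachesForChallenge failed because the getAuthRequirementsFulfiller threw an exception: %s", e.getMessage());
                }
                break;
            default:
                Utils.amAssert(false, "Unexpected CChallengeAction");
                break;
        }
    }

    /**
     * Reacts to a challenge received while using a (possibly absent) secondary token.
     *
     * <p>Caches are purged only when the token's service realm equals the challenge's service
     * realm, so a challenge for a different realm does not evict this token. All other paths only
     * log or warn.
     *
     * <p>NOTE(review): {@code tokenData.getServiceRealm()} and {@code authChallenge} are
     * dereferenced without null checks; confirm callers guarantee both.
     *
     * @param tokenData the secondary token that was presented, or {@code null} if none was
     * @param authChallenge the challenge that was received
     */
    public void reportChallenge(TokenData tokenData, AuthChallenge authChallenge) {
        Utils.amLog("StorefrontAuth.reportChallenge");
        Utils.amAssert(tokenData == null || !tokenData.isPrimary(), "reportChallenge cannot be called with a primary token");
        if (tokenData == null) {
            Utils.amLog("Empty authorization token - nothing to do");
            if (!StorefrontChallengeReasons.TokenNoToken.equals(authChallenge.getReason())) {
                Utils.amWarn("Empty authorization token caused unexpected challenge reason=%s", authChallenge.getReason());
            }
            return;
        }
        if (StorefrontChallengeReasons.TokenNoToken.equals(authChallenge.getReason())) {
            Utils.amWarn("An authorization token was used, but the challenge reason is 'notoken'");
        }
        if (tokenData.getServiceRealm().equals(authChallenge.getServiceRealm())) {
            purgeCachesForChallenge(tokenData, authChallenge);
            return;
        }
        Utils.amLog("The guessed authorization token had the wrong realm - nothing to do");
        if (!StorefrontChallengeReasons.TokenNotForThisService.equals(authChallenge.getReason())) {
            Utils.amWarn("Expected notforthisservice but got a different reason");
        }
    }
}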
