package com.microsoft.intune.mam.policy;

import android.content.Context;
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.microsoft.intune.mam.client.identity.MAMIdentity;
import com.microsoft.intune.mam.client.identity.MAMIdentityManager;
import com.microsoft.intune.mam.client.telemetry.TelemetryLogger;
import com.microsoft.intune.mam.client.telemetry.events.MAMInternalError;
import com.microsoft.intune.mam.client.telemetry.events.TrackedOccurrence;
import com.microsoft.intune.mam.log.MAMLogger;
import com.microsoft.intune.mam.log.MAMLoggerProvider;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Map;
import okio.serialize;

/* loaded from: classes4.dex */
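/**
 * Compares selected claims of a MAMService token with the values the caller expects.
 *
 * <p>Security notes:
 * <ul>
 *   <li>This class only Base64-decodes and parses the payload segment of the token. It never
 *       looks at the signature segment and reads no claims other than {@code aud}, {@code oid}
 *       and {@code tid}. A {@link Result} that reports "valid" therefore means "the claims that
 *       were checked did not contradict the expected values", not "the token is authentic".</li>
 *   <li>The checks fail open: a token whose payload cannot be extracted, an expected value that
 *       is {@code null} or empty, and a null/empty identity all leave the corresponding flags
 *       unset (see {@link #validateToken(String, MAMIdentity, String, String)}).</li>
 * </ul>
 */
public class MAMServiceTokenValidator {
    /** Position of the payload in a {@code header.payload.signature} token. */
    private static final int JWT_PAYLOAD_INDEX = 1;
    private static final MAMLogger LOGGER = MAMLoggerProvider.getLogger(MAMServiceTokenValidator.class);
    private final MAMIdentityManager mIdentityManager;
    private final String mPackageName;
    private final TelemetryLogger mTelemetryLogger;

    /* loaded from: classes4.dex */
    /**
     * Bit set of claim mismatches found by a validation run. A freshly created instance has no
     * bits set and therefore reports every claim as valid.
     */
    public static class Result {
        private static final long INVALID_AADID = 1;
        private static final long INVALID_RESOURCEID = 4;
        private static final long INVALID_TENANTID = 2;
        private int mResult = 0;

        /**
         * Returns {@code "valid"} when no mismatch is recorded, otherwise {@code "mismatched: "}
         * followed by the comma-separated names of the mismatched claims.
         */
        public String description() {
            if (isValid()) {
                return "valid";
            }
            ArrayList<String> mismatches = new ArrayList<>();
            if (!isAadIdValid()) {
                mismatches.add("AAD Id");
            }
            if (!isTenantIdValid()) {
                mismatches.add("Tenant Id");
            }
            if (!isResourceIdValid()) {
                mismatches.add("Resource Id");
            }
            return "mismatched: " + String.join(", ", mismatches);
        }

        /** Returns {@code true} unless {@link #setInvalidAadId()} was called. */
        public boolean isAadIdValid() {
            return (this.mResult & INVALID_AADID) == 0;
        }

        /** Returns {@code true} unless {@link #setInvalidResourceId()} was called. */
        public boolean isResourceIdValid() {
            return (this.mResult & INVALID_RESOURCEID) == 0;
        }

        /** Returns {@code true} unless {@link #setInvalidTenantId()} was called. */
        public boolean isTenantIdValid() {
            return (this.mResult & INVALID_TENANTID) == 0;
        }

        /** Returns {@code true} when no mismatch flag is set. */
        public boolean isValid() {
            return this.mResult == 0;
        }

        /** Records that the {@code oid} claim did not match the expected AAD id. */
        public void setInvalidAadId() {
            this.mResult = (int) (this.mResult | INVALID_AADID);
        }

        /** Records that the {@code aud} claim did not match the expected resource id. */
        public void setInvalidResourceId() {
            this.mResult = (int) (this.mResult | INVALID_RESOURCEID);
        }

        /** Records that the {@code tid} claim did not match the expected tenant id. */
        public void setInvalidTenantId() {
            this.mResult = (int) (this.mResult | INVALID_TENANTID);
        }
    }

    /**
     * Creates a validator that reports under the package name of {@code context}.
     *
     * @param context used only to read the package name passed to telemetry
     * @param mAMIdentityManager resolves identity strings for the string-based overload
     * @param telemetryLogger receives one tracked occurrence per mismatched claim
     */
    // NOTE(review): okio.serialize looks like a renamed annotation from the decompiled build - confirm.
    @serialize
    public MAMServiceTokenValidator(Context context, MAMIdentityManager mAMIdentityManager, TelemetryLogger telemetryLogger) {
        this.mPackageName = context.getPackageName();
        this.mIdentityManager = mAMIdentityManager;
        this.mTelemetryLogger = telemetryLogger;
    }

    /**
     * Decodes the payload segment of a token and parses it as a JSON object.
     *
     * <p>The signature segment is not inspected, so the returned map is unauthenticated input.
     *
     * @param token dot-separated token; must not be {@code null} (the split would throw)
     * @return the parsed payload, or {@code null} when the token has no payload segment, the
     *     segment is not Base64, or the decoded text is not a JSON object
     */
    private Map<?, ?> extractTokenPayload(String token) {
        try {
            String payloadSegment = token.split("\\.")[JWT_PAYLOAD_INDEX];
            // JWT segments use the URL-safe Base64 alphabet. The basic decoder rejects '-' and
            // '_', which made such tokens look unparsable and skipped every claim check.
            // Mapping '+' and '/' first keeps segments in the standard alphabet decodable too.
            String urlSafeSegment = payloadSegment.replace('+', '-').replace('/', '_');
            byte[] payloadBytes = Base64.getUrlDecoder().decode(urlSafeSegment);
            String payloadJson = new String(payloadBytes, StandardCharsets.UTF_8);
            // NOTE(review): asInterface is presumably Gson's JSON-to-object call under a renamed
            // identifier in this build - confirm.
            return (Map) new Gson().asInterface(payloadJson, Map.class);
        } catch (JsonSyntaxException unused) {
            LOGGER.warning("Unable to parse MAMServiceToken, payload is not valid JSON object (continue operation).", new Object[0]);
            return null;
        } catch (IllegalArgumentException unused2) {
            LOGGER.warning("Unable to parse MAMServiceToken, not in valid Base64 scheme (continue operation).", new Object[0]);
            return null;
        } catch (ArrayIndexOutOfBoundsException unused3) {
            LOGGER.warning("Unable to parse MAMServiceToken, missing jwt separators (continue operation).", new Object[0]);
            return null;
        }
    }

    /**
     * Reads a claim as text.
     *
     * @return the claim when it is a JSON string, otherwise {@code null}; a claim of another
     *     JSON type (array, number, object) is treated as absent instead of raising
     *     {@link ClassCastException} in the caller
     */
    private static String stringClaim(Map<?, ?> payload, String name) {
        Object value = payload.get(name);
        return value instanceof String ? (String) value : null;
    }

    /**
     * Tells whether a claim contradicts the expected value.
     *
     * @param actual value taken from the token; may be {@code null}
     * @param expected value supplied by the caller; {@code null} or empty disables the check
     * @return {@code true} only when {@code expected} is non-empty and differs from
     *     {@code actual}, ignoring case
     */
    private boolean isInvalid(String actual, String expected) {
        if (expected == null || expected.isEmpty()) {
            return false;
        }
        return !expected.equalsIgnoreCase(actual);
    }

    /**
     * Checks the {@code aud}, {@code oid} and {@code tid} claims of a token.
     *
     * <p>The result stays "valid" when the payload cannot be extracted. When the identity is
     * null or empty, only {@code aud} is checked. Each mismatch is logged and reported to
     * telemetry.
     *
     * @param str the token; must not be {@code null}
     * @param mAMIdentity identity whose AAD id and tenant id are expected in the token
     * @param str2 expected resource id, compared with {@code aud}; {@code null} or empty skips it
     * @param str3 text forwarded to telemetry with each tracked occurrence
     * @return the mismatches found; never {@code null}
     */
    public Result validateToken(String str, MAMIdentity mAMIdentity, String str2, String str3) {
        Result result = new Result();
        String tenantId = mAMIdentity == null ? null : mAMIdentity.tenantId();
        Map<?, ?> payload = extractTokenPayload(str);
        if (payload == null) {
            // Fail-open by design of the original code: an unparsable token reports "valid".
            return result;
        }
        // Absent, or present but not a JSON string: both count as a missing resource id.
        String audience = stringClaim(payload, "aud");
        if (isInvalid(audience, str2)) {
            result.setInvalidResourceId();
            if (audience == null || audience.isEmpty()) {
                LOGGER.warning("MAMService token is missing resource id", new Object[0]);
            } else {
                // NOTE(review): audience comes from the unverified payload and is concatenated
                // into the log message and the telemetry detail; confirm both sinks treat it
                // as plain data.
                LOGGER.warning("MAMService token has wrong resource id: " + audience, new Object[0]);
            }
            this.mTelemetryLogger.logTrackedOccurrence(this.mPackageName, tenantId, TrackedOccurrence.MAMSERVICE_TOKEN_WRONG_RESOURCE, str3 + ": " + audience);
        }
        if (MAMIdentity.isNullOrEmpty(mAMIdentity)) {
            // Without an identity there is nothing to compare oid/tid against; they stay unchecked.
            LOGGER.error(MAMInternalError.TOKEN_VALIDATION_WITH_INVALID_IDENTITY, "unexpected request to validate a token for unknown identity", new Object[0]);
            return result;
        }
        if (isInvalid(stringClaim(payload, "oid"), mAMIdentity.aadId())) {
            result.setInvalidAadId();
            LOGGER.warning("MAMService token has wrong user id", new Object[0]);
            this.mTelemetryLogger.logTrackedOccurrence(this.mPackageName, tenantId, TrackedOccurrence.MAMSERVICE_TOKEN_WRONG_USER_ID, str3);
        }
        if (isInvalid(stringClaim(payload, "tid"), mAMIdentity.tenantId())) {
            result.setInvalidTenantId();
            LOGGER.warning("MAMService token has wrong tenant id", new Object[0]);
            this.mTelemetryLogger.logTrackedOccurrence(this.mPackageName, tenantId, TrackedOccurrence.MAMSERVICE_TOKEN_WRONG_TENANT_ID, str3);
        }
        return result;
    }

    /**
     * Resolves {@code str2} to an identity through the identity manager and delegates to
     * {@link #validateToken(String, MAMIdentity, String, String)}.
     *
     * @param str the token; must not be {@code null}
     * @param str2 identity string handed to {@code MAMIdentityManager.fromString}
     * @param str3 expected resource id, compared with {@code aud}
     * @param str4 text forwarded to telemetry with each tracked occurrence
     * @return the mismatches found
     */
    public Result validateToken(String str, String str2, String str3, String str4) {
        return validateToken(str, this.mIdentityManager.fromString(str2), str3, str4);
    }
}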
