package com.ca.mas.core.policy;

import android.content.Context;
import android.util.Log;
import com.ca.mas.core.MobileSsoConfig;
import com.ca.mas.core.auth.AuthenticationException;
import com.ca.mas.core.client.ServerClient;
import com.ca.mas.core.context.MssoContext;
import com.ca.mas.core.error.MAGException;
import com.ca.mas.core.error.MAGServerException;
import com.ca.mas.core.oauth.OAuthException;
import com.ca.mas.core.oauth.OAuthServerException;
import com.ca.mas.core.oauth.OAuthTokenClient;
import com.ca.mas.core.oauth.OAuthTokenResponse;
import com.ca.mas.core.policy.exceptions.CredentialRequiredException;
import com.ca.mas.core.policy.exceptions.RetryRequestException;
import com.ca.mas.core.request.MAGInternalRequest;
import com.ca.mas.core.token.IdToken;
import com.ca.mas.core.token.JWTValidation;
import com.ca.mas.core.token.JWTValidationException;
import com.ca.mas.foundation.MAS;
import com.ca.mas.foundation.MASAuthCredentials;
import com.ca.mas.foundation.MASGrantProvider;
import com.ca.mas.foundation.MASRequest;
import com.ca.mas.foundation.MASResponse;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes2.dex */
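/**
 * Policy assertion that makes sure an outgoing request carries a usable OAuth access token.
 *
 * <p>Token sources are tried in a fixed order: the access token cached in the
 * {@link MssoContext} (if its recorded expiry has not passed and its granted scope covers the
 * request), then the refresh token, then the ID token (only when SSO is enabled in the
 * configuration), and finally the credentials supplied by the request's
 * {@link MASGrantProvider}. When the server later rejects the token with an error code ending in
 * {@link #TOKEN_EXPIRED_ERROR_CODE_SUFFIX}, {@link #processResponse} clears the cached token and
 * asks for a retry, so the next pass through {@link #processRequest} falls through to the next
 * source.
 *
 * <p>Thread-safety: only {@link #processRequest} is {@code synchronized}; it is the single entry
 * point that reads, refreshes and clears the shared token state, so concurrent requests serialize
 * their token renewal instead of each triggering a separate grant.
 */
public class AccessTokenAssertion implements MssoAssertion {
    // Gateway error codes that mean the client itself (not the token) is rejected; these are
    // never recovered from by falling back to another token source.
    private static final int INVALID_CLIENT_CERTIFICATE = 3003206;
    private static final int INVALID_CLIENT_CREDENTIALS = 3003201;
    private static final int INVALID_MAG_IDENTIFIER = 3003107;
    private static final int INVALID_SCOPE = 3003115;
    // A server error code ending in this suffix is treated as "access token expired/rejected".
    private static final String TOKEN_EXPIRED_ERROR_CODE_SUFFIX = "990";
    private OAuthTokenClient oAuthTokenClient;

    /**
     * Ensures the request's grant provider can supply credentials before a credential grant is
     * attempted.
     *
     * @param mssoContext context the credentials are resolved against
     * @param request     request whose grant provider is consulted
     * @throws CredentialRequiredException if no credentials are available or they are not valid
     */
    private static void checkCredentials(MssoContext mssoContext, MAGInternalRequest request) throws CredentialRequiredException {
        MASAuthCredentials credentials = request.getGrantProvider().getCredentials(mssoContext);
        if (credentials == null || !credentials.isValid()) {
            throw new CredentialRequiredException();
        }
    }

    /**
     * Resolves the access token to attach to {@code request}, trying each token source in turn:
     * cached token, refresh token, ID token (SSO only), credentials.
     *
     * @return the access token to send, or {@code null} if no source produced one
     * @throws CredentialRequiredException if the credential grant is reached and no valid
     *                                     credentials are available
     */
    private String findAccessToken(MssoContext mssoContext, MAGInternalRequest request) throws CredentialRequiredException, OAuthException, OAuthServerException, AuthenticationException, JWTValidationException, RetryRequestException {
        String cached = reusableCachedAccessToken(mssoContext, request);
        if (cached != null) {
            return cached;
        }
        String refreshToken = mssoContext.getRefreshToken();
        if (refreshToken != null) {
            String refreshed = obtainAccessTokenUsingRefreshToken(mssoContext, refreshToken);
            if (refreshed != null) {
                return refreshed;
            }
        }
        // Unboxing throws NullPointerException if the SSO property is absent from the
        // configuration; that mirrors the previous behaviour and is not treated as "disabled".
        boolean ssoEnabled = (Boolean) mssoContext.getConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED);
        IdToken idToken = ssoEnabled ? mssoContext.getIdToken() : null;
        if (idToken == null) {
            return obtainAccessTokenUsingCredential(mssoContext, request, ssoEnabled);
        }
        return obtainAccessTokenUsingIdToken(mssoContext, idToken, request);
    }

    /**
     * Returns the cached access token when it may be sent as-is, otherwise {@code null}.
     *
     * <p>An expired token is left in place (it is overwritten by the next successful grant). A
     * token that lacks the requested scope, or a password-granted token with no refresh token
     * to renew it, is cleared from the context so that a fresh grant happens.
     */
    private String reusableCachedAccessToken(MssoContext mssoContext, MAGInternalRequest request) {
        String accessToken = mssoContext.getAccessToken();
        if (accessToken == null || !isAccessTokenStillValid(mssoContext)) {
            return null;
        }
        if (MAS.DEBUG) {
            Log.d(MAS.TAG, "Access Token is still valid.");
        }
        if (!isSufficientScope(mssoContext, request)) {
            if (MAS.DEBUG) {
                Log.d(MAS.TAG, "Access Token does not have sufficient scope.");
            }
            mssoContext.clearAccessToken();
            return null;
        }
        if (request.getGrantProvider() == MASGrantProvider.PASSWORD && mssoContext.getRefreshToken() == null) {
            // NOTE(review): presumably a password-granted token without a refresh token cannot be
            // renewed silently, so it is dropped here to force a new credential grant — confirm.
            mssoContext.clearAccessToken();
            return null;
        }
        return accessToken;
    }

    /**
     * Checks the locally recorded expiry of the cached access token.
     *
     * <p>An expiry of zero or less is treated as "no expiry recorded" and the token is considered
     * valid. The comparison uses wall-clock time with no skew margin, so a device clock set
     * backwards extends the local validity window; the server remains the authority, and its
     * rejection is handled by {@link #processResponse}.
     */
    private boolean isAccessTokenStillValid(MssoContext mssoContext) {
        if (MAS.DEBUG) {
            Log.d(MAS.TAG, "Validating access token expiration");
        }
        long expiry = mssoContext.getAccessTokenExpiry();
        return expiry <= 0 || System.currentTimeMillis() <= expiry;
    }

    /**
     * Checks whether the scope granted with the cached token covers the scope the request asks
     * for. Scopes are whitespace-separated; a request without a scope is always satisfied.
     *
     * @return {@code true} if every requested scope (after removing the registration/SSO scopes)
     *         is present in the granted scope
     */
    private boolean isSufficientScope(MssoContext mssoContext, MASRequest request) {
        String requestedScope = request.getScope();
        String grantedScope = mssoContext.getGrantedScope();
        if (requestedScope == null || requestedScope.trim().isEmpty()) {
            return true;
        }
        if (grantedScope == null || grantedScope.trim().isEmpty()) {
            return false;
        }
        List<String> required = new ArrayList<>(Arrays.asList(requestedScope.trim().split("\\s+")));
        // NOTE(review): these scopes look like they are consumed during registration/SSO and are
        // presumably not echoed back in the granted scope of an access token — confirm.
        required.remove(ServerClient.OPENID);
        required.remove(ServerClient.MSSO);
        required.remove("msso_register");
        required.remove(ServerClient.MSSO_CLIENT_REGISTER);
        return Arrays.asList(grantedScope.split("\\s+")).containsAll(required);
    }

    /**
     * Publishes a returned ID token to the context, if the token response carried one.
     */
    private static void storeIdTokenIfPresent(MssoContext mssoContext, OAuthTokenResponse response) {
        IdToken idToken = response.getIdToken();
        if (idToken != null) {
            mssoContext.onIdTokenAvailable(idToken);
        }
    }

    /**
     * Publishes the access token, refresh token, expiry and granted scope from a token response
     * to the context.
     *
     * @return the access token from the response
     */
    private static String storeAccessToken(MssoContext mssoContext, OAuthTokenResponse response) {
        String accessToken = response.getAccessToken();
        mssoContext.onAccessTokenAvailable(accessToken, response.getRefreshToken(), response.getExpiresIn(), response.getGrantedScope());
        return accessToken;
    }

    /**
     * Obtains a new token set with the credentials from the request's grant provider.
     *
     * <p>The cached user profile is cleared first, so a failed or different login does not leave
     * the previous user's profile visible.
     *
     * @param ssoEnabled whether SSO is enabled; passed through to the token client
     * @throws CredentialRequiredException if no valid credentials are available
     */
    private String obtainAccessTokenUsingCredential(MssoContext mssoContext, MAGInternalRequest request, boolean ssoEnabled) throws CredentialRequiredException, OAuthServerException, OAuthException, JWTValidationException {
        if (MAS.DEBUG) {
            Log.d(MAS.TAG, "Obtain access token using Credential");
        }
        mssoContext.clearUserProfile();
        checkCredentials(mssoContext, request);
        OAuthTokenResponse response = this.oAuthTokenClient.obtainTokensUsingCredentials(request, mssoContext.getClientId(), mssoContext.getClientSecret(), ssoEnabled);
        storeIdTokenIfPresent(mssoContext, response);
        return storeAccessToken(mssoContext, response);
    }

    /**
     * Exchanges the ID token for a new access token. If the server rejects the ID token with a
     * non-fatal error (see {@link #rethrowOrIgnore}), the ID token and user profile are cleared
     * and the credential grant is attempted instead.
     */
    private String obtainAccessTokenUsingIdToken(MssoContext mssoContext, IdToken idToken, MAGInternalRequest request) throws CredentialRequiredException, OAuthException, JWTValidationException, OAuthServerException {
        if (MAS.DEBUG) {
            Log.d(MAS.TAG, "Try to use id token to get new Access Token");
        }
        try {
            OAuthTokenResponse response = this.oAuthTokenClient.obtainAccessTokenUsingIdToken(idToken, mssoContext.getClientId(), mssoContext.getClientSecret(), request.getScope());
            storeIdTokenIfPresent(mssoContext, response);
            return storeAccessToken(mssoContext, response);
        } catch (OAuthServerException e) {
            rethrowOrIgnore(e);
            mssoContext.clearIdToken();
            mssoContext.clearUserProfile();
            return obtainAccessTokenUsingCredential(mssoContext, request, true);
        }
    }

    /**
     * Renews the access token with the refresh token.
     *
     * @return the new access token, or {@code null} if the server rejected the refresh (the caller
     *         then falls back to the ID token or credentials)
     * @throws OAuthServerException for the fatal client errors listed in {@link #rethrowOrIgnore},
     *                              or for an HTTP 500 while a still-valid ID token is held and the
     *                              context is configured not to log out on server errors
     */
    private String obtainAccessTokenUsingRefreshToken(MssoContext mssoContext, String refreshToken) throws OAuthException, OAuthServerException, JWTValidationException {
        if (MAS.DEBUG) {
            Log.d(MAS.TAG, "Obtain Access Token using Refresh Token");
        }
        String clientId = mssoContext.getClientId();
        String clientSecret = mssoContext.getClientSecret();
        try {
            OAuthTokenResponse response = this.oAuthTokenClient.obtainTokenUsingRefreshToken(refreshToken, clientId, clientSecret);
            return storeAccessToken(mssoContext, response);
        } catch (OAuthServerException e) {
            rethrowOrIgnore(e);
            // A server-side failure (500) while the ID token still validates is surfaced to the
            // caller instead of logging the user out, when the context opts into that behaviour.
            if (mssoContext.getDonotLogoutTokenRenewalOnServerErrors()
                    && e.getStatus() == 500
                    && mssoContext.getIdToken() != null
                    && JWTValidation.validateIdToken(mssoContext, mssoContext.getIdToken(), mssoContext.getTokenManager().getMagIdentifier(), clientId, clientSecret)) {
                throw e;
            }
            // NOTE(review): getResponse() is presumably null when no HTTP response was received
            // (transport failure); only a real server answer invalidates the stored pair — confirm.
            if (e.getResponse() != null) {
                mssoContext.clearAccessAndRefreshTokens();
            }
            if (MAS.DEBUG) {
                // Logs the server's message only; no token material is written to the log.
                Log.w(MAS.TAG, "Refresh token failed, will fall back to ID token or password: " + e.getMessage(), e);
            }
            return null;
        }
    }

    /**
     * Re-throws the exception when its error code identifies the client (identifier, scope,
     * credentials or certificate) as invalid — conditions no other token source can fix — and
     * returns normally for every other code so the caller can fall back.
     *
     * @throws OAuthServerException the given exception, for the fatal error codes
     */
    private void rethrowOrIgnore(OAuthServerException serverException) throws OAuthServerException {
        switch (serverException.getErrorCode()) {
            case INVALID_MAG_IDENTIFIER /* 3003107 */:
            case INVALID_SCOPE /* 3003115 */:
            case INVALID_CLIENT_CREDENTIALS /* 3003201 */:
            case INVALID_CLIENT_CERTIFICATE /* 3003206 */:
                throw serverException;
            default:
                return;
        }
    }

    /** Nothing to release: the token client holds no resources of its own here. */
    @Override // com.ca.mas.core.policy.MssoAssertion
    public void close() {
    }

    /** Creates the token client bound to the given context; {@code context} is unused. */
    @Override // com.ca.mas.core.policy.MssoAssertion
    public void init(MssoContext mssoContext, Context context) {
        this.oAuthTokenClient = new OAuthTokenClient(mssoContext);
    }

    /**
     * Attaches a bearer token to the request, obtaining or renewing one as needed.
     *
     * <p>The header is added to whatever request passes through this assertion; this method
     * does not itself verify that the target host is the gateway (presumably enforced elsewhere
     * in the policy chain), it only rejects a URL with no host at all.
     *
     * @throws IllegalArgumentException if the request URL has no host
     * @throws MAGException            if no token source could produce an access token
     */
    @Override // com.ca.mas.core.policy.MssoAssertion
    public synchronized void processRequest(MssoContext mssoContext, RequestInfo requestInfo) throws MAGException, MAGServerException {
        MAGInternalRequest request = requestInfo.getRequest();
        if (request.getURL() != null && request.getURL().getHost() == null) {
            throw new IllegalArgumentException("Host is not provided");
        }
        String accessToken = findAccessToken(mssoContext, request);
        if (accessToken != null) {
            request.addHeader("Authorization", "Bearer " + accessToken);
        }
    }

    /**
     * Detects a server-side rejection of the access token and requests a retry.
     *
     * <p>If the response carries an error code ending in {@link #TOKEN_EXPIRED_ERROR_CODE_SUFFIX},
     * the thrown exception's {@code recover} clears the cached access token so the retried
     * request obtains a new one via the remaining sources.
     *
     * @throws RetryRequestException when the server reports the access token as expired/rejected
     */
    @Override // com.ca.mas.core.policy.MssoAssertion
    public void processResponse(MssoContext mssoContext, RequestInfo requestInfo, MASResponse response) throws MAGException {
        int errorCode = ServerClient.findErrorCode(response);
        if (errorCode != -1 && Integer.toString(errorCode).endsWith(TOKEN_EXPIRED_ERROR_CODE_SUFFIX)) {
            throw new RetryRequestException("Access token rejected by server") { // from class: com.ca.mas.core.policy.AccessTokenAssertion.1
                @Override // com.ca.mas.core.policy.exceptions.RetryRequestException
                public void recover(MssoContext contextToRecover) {
                    contextToRecover.clearAccessToken();
                }
            };
        }
    }
}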
