package slack.corelib.security;

import com.android.tools.r8.GeneratedOutlineSupport;
import com.google.android.gms.common.util.zzc;
import defpackage.$$LambdaGroup$js$0NpbkoAMdo7ifc1Ya6aYcPMm8o;
import defpackage.$$LambdaGroup$js$SVoSMaWKHDScEufGiMC9Ddp37MY;
import defpackage.$$LambdaGroup$ks$XLsnIEXdz_vw4U87xbzKc51ozVY;
import io.reactivex.rxjava3.internal.operators.maybe.MaybeCreate;
import io.reactivex.rxjava3.schedulers.Schedulers;
import java.security.GeneralSecurityException;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Unit;
import kotlin.collections.builders.ListBuilder;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import slack.app.rtm.eventhandlers.helpers.EventLogHistoryExtensionsKt;
import slack.corelib.accountmanager.SecureAccountTokenStore;
import slack.corelib.accountmanager.SecureAccountTokenStoreImpl;
import slack.crypto.security.CachedFail;
import slack.crypto.security.Cryptographer;
import slack.crypto.security.Decrypted;
import slack.crypto.security.DecryptedCache;
import slack.crypto.security.DecryptionResult;
import slack.crypto.security.TinkCrypto;
import slack.model.account.AuthToken;
import slack.telemetry.TracerImpl;
import slack.telemetry.metric.Counter;
import slack.telemetry.metric.Metrics;
import slack.telemetry.metric.MetricsProviderImpl;
import slack.telemetry.tracing.MaxSampleRate;
import slack.telemetry.tracing.Spannable;
import slack.telemetry.tracing.TraceContext;
import slack.telemetry.tracing.Tracer;
import slack.telemetry.tracing.TracingParameters;
import timber.log.Timber;

/* compiled from: TokenDecryptHelper.kt */
/* loaded from: classes.dex */
public final class TokenDecryptHelper {
    public final Set<AuthToken> failedDecryptionsFromBadTag;
    public final Set<String> failedSecureTokenStoreFetches;
    public final Metrics metrics;
    public final SecureAccountTokenStore secureAccountTokenProvider;
    public final Cryptographer tinkCrypto;
    public final Cryptographer tinkCryptoSecondary;
    public final Tracer tracer;

    /* compiled from: TokenDecryptHelper.kt */
    /* loaded from: classes.dex */
    public abstract class DecryptResult {
        public final String authToken;

        /* compiled from: TokenDecryptHelper.kt */
        /* loaded from: classes.dex */
        public final class Decrypted extends DecryptResult {
            public Decrypted(String str) {
                super(str, null);
            }
        }

        /* compiled from: TokenDecryptHelper.kt */
        /* loaded from: classes.dex */
        public final class Failed extends DecryptResult {
            public static final Failed INSTANCE = new Failed();

            public Failed() {
                super(null, null);
            }
        }

        /* compiled from: TokenDecryptHelper.kt */
        /* loaded from: classes.dex */
        public final class Skipped extends DecryptResult {
            public static final Skipped INSTANCE = new Skipped();

            public Skipped() {
                super(null, null);
            }
        }

        public DecryptResult(String str, DefaultConstructorMarker defaultConstructorMarker) {
            this.authToken = str;
        }
    }

    /* compiled from: TokenDecryptHelper.kt */
    /* loaded from: classes.dex */
    public final class TokenDecryptResult {
        public final String authToken;
        public final List<TokenDecryptionMethod> failedDecryptMethods;
        public final List<TokenDecryptionMethod> skippedDecryptMethods;

        /* JADX WARN: Multi-variable type inference failed */
        public TokenDecryptResult(String authToken, List<? extends TokenDecryptionMethod> failedDecryptMethods, List<? extends TokenDecryptionMethod> skippedDecryptMethods) {
            Intrinsics.checkNotNullParameter(authToken, "authToken");
            Intrinsics.checkNotNullParameter(failedDecryptMethods, "failedDecryptMethods");
            Intrinsics.checkNotNullParameter(skippedDecryptMethods, "skippedDecryptMethods");
            this.authToken = authToken;
            this.failedDecryptMethods = failedDecryptMethods;
            this.skippedDecryptMethods = skippedDecryptMethods;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof TokenDecryptResult)) {
                return false;
            }
            TokenDecryptResult tokenDecryptResult = (TokenDecryptResult) obj;
            return Intrinsics.areEqual(this.authToken, tokenDecryptResult.authToken) && Intrinsics.areEqual(this.failedDecryptMethods, tokenDecryptResult.failedDecryptMethods) && Intrinsics.areEqual(this.skippedDecryptMethods, tokenDecryptResult.skippedDecryptMethods);
        }

        public final boolean hasDecryptedAuthToken() {
            return (this.authToken.length() > 0) && (Intrinsics.areEqual(this.authToken, AuthToken.INVALID_TOKEN) ^ true);
        }

        public int hashCode() {
            String str = this.authToken;
            int hashCode = (str != null ? str.hashCode() : 0) * 31;
            List<TokenDecryptionMethod> list = this.failedDecryptMethods;
            int hashCode2 = (hashCode + (list != null ? list.hashCode() : 0)) * 31;
            List<TokenDecryptionMethod> list2 = this.skippedDecryptMethods;
            return hashCode2 + (list2 != null ? list2.hashCode() : 0);
        }

        public String toString() {
            StringBuilder outline97 = GeneratedOutlineSupport.outline97("TokenDecryptResult(authToken=");
            outline97.append(this.authToken);
            outline97.append(", failedDecryptMethods=");
            outline97.append(this.failedDecryptMethods);
            outline97.append(", skippedDecryptMethods=");
            return GeneratedOutlineSupport.outline79(outline97, this.skippedDecryptMethods, ")");
        }
    }

    /* compiled from: TokenDecryptHelper.kt */
    /* loaded from: classes.dex */
    public enum TokenDecryptionMethod {
        TINK_KEYSTORE,
        TINK_KEYSTORE_SECONDARY,
        SECURE_TOKEN_STORE
    }

    public TokenDecryptHelper(Cryptographer tinkCrypto, Cryptographer tinkCryptoSecondary, SecureAccountTokenStore secureAccountTokenProvider, Tracer tracer, Metrics metrics) {
        Intrinsics.checkNotNullParameter(tinkCrypto, "tinkCrypto");
        Intrinsics.checkNotNullParameter(tinkCryptoSecondary, "tinkCryptoSecondary");
        Intrinsics.checkNotNullParameter(secureAccountTokenProvider, "secureAccountTokenProvider");
        Intrinsics.checkNotNullParameter(tracer, "tracer");
        Intrinsics.checkNotNullParameter(metrics, "metrics");
        this.tinkCrypto = tinkCrypto;
        this.tinkCryptoSecondary = tinkCryptoSecondary;
        this.secureAccountTokenProvider = secureAccountTokenProvider;
        this.tracer = tracer;
        this.metrics = metrics;
        this.failedDecryptionsFromBadTag = new LinkedHashSet();
        this.failedSecureTokenStoreFetches = new LinkedHashSet();
    }

    public final DecryptResult decrypt(Cryptographer cryptographer, Function1<? super AuthToken, String> function1, AuthToken authToken) {
        try {
            Spannable trace = ((TracerImpl) this.tracer).trace(TokenDecryptHelper$decrypt$decryptSpannable$1.INSTANCE);
            trace.appendTag("type", ((TinkCrypto) cryptographer).type);
            trace.appendTag("encrypt_value", "TOKEN");
            trace.start();
            String invoke = function1.invoke(authToken);
            if (invoke == null) {
                throw new IllegalStateException(('[' + ((TinkCrypto) cryptographer).type + "] encryptedToken for should not be null.").toString());
            }
            DecryptionResult decrypt = ((TinkCrypto) cryptographer).decrypt(invoke);
            if (decrypt instanceof Decrypted) {
                trace.complete();
            } else {
                trace.cancel();
            }
            if (decrypt instanceof DecryptedCache) {
                trace.cancel();
                return new DecryptResult.Decrypted(EventLogHistoryExtensionsKt.getClearText(decrypt));
            }
            if (decrypt instanceof Decrypted) {
                trace.complete();
                return new DecryptResult.Decrypted(EventLogHistoryExtensionsKt.getClearText(decrypt));
            }
            if (!(decrypt instanceof CachedFail)) {
                throw new NoWhenBranchMatchedException();
            }
            trace.cancel();
            return DecryptResult.Failed.INSTANCE;
        } catch (GeneralSecurityException e) {
            logFailedAuthTokenComparedWithPreviousTokens(((TinkCrypto) cryptographer).type, authToken, e);
            return DecryptResult.Failed.INSTANCE;
        } catch (Throwable th) {
            Counter.CC.increment$default(((MetricsProviderImpl) this.metrics).counter("token_decryption_error", "decrypt_unknown"), 0L, 1, null);
            Timber.TREE_OF_SOULS.w(th, "Other error during decryption", new Object[0]);
            return DecryptResult.Failed.INSTANCE;
        }
    }

    public final DecryptResult decryptWithTink(AuthToken authToken, TraceContext traceContext) {
        Spannable startSubSpan = traceContext.startSubSpan("decrypt_with_tink_keystore");
        try {
            return decrypt(this.tinkCrypto, new $$LambdaGroup$ks$XLsnIEXdz_vw4U87xbzKc51ozVY(0, authToken.encryptedToken(AuthToken.Crypto.TINK)), authToken);
        } finally {
            startSubSpan.complete();
        }
    }

    public final DecryptResult decryptWithTinkSecondary(AuthToken authToken, TraceContext traceContext) {
        Spannable startSubSpan = traceContext.startSubSpan("decrypt_with_tink_keystore_secondary");
        try {
            return decrypt(this.tinkCryptoSecondary, new $$LambdaGroup$ks$XLsnIEXdz_vw4U87xbzKc51ozVY(1, authToken.encryptedToken(AuthToken.Crypto.TINK_SECONDARY)), authToken);
        } finally {
            startSubSpan.complete();
        }
    }

    public final DecryptResult fetchTokenFromSecureStore(String str) {
        try {
            String token = ((SecureAccountTokenStoreImpl) this.secureAccountTokenProvider).getToken(str);
            return token != null ? new DecryptResult.Decrypted(token) : DecryptResult.Failed.INSTANCE;
        } catch (IllegalStateException e) {
            this.failedSecureTokenStoreFetches.add(str);
            Counter.CC.increment$default(((MetricsProviderImpl) this.metrics).counter("token_decryption_error", "decrypt"), 0L, 1, null);
            Timber.TREE_OF_SOULS.w(e, "Failed to fetch from Secure Token Store for " + str, new Object[0]);
            return DecryptResult.Failed.INSTANCE;
        }
    }

    public final TokenDecryptResult getToken(AuthToken authToken, Function0<Unit> onFailedTokenDecryptionDetected) {
        String str;
        Intrinsics.checkNotNullParameter(authToken, "authToken");
        Intrinsics.checkNotNullParameter(onFailedTokenDecryptionDetected, "onFailedTokenDecryptionDetected");
        TokenDecryptionMethod tokenDecryptionMethod = TokenDecryptionMethod.TINK_KEYSTORE_SECONDARY;
        TokenDecryptionMethod tokenDecryptionMethod2 = TokenDecryptionMethod.TINK_KEYSTORE;
        TokenDecryptionMethod tokenDecryptionMethod3 = TokenDecryptionMethod.SECURE_TOKEN_STORE;
        MaxSampleRate maxSampleRate = MaxSampleRate.POINT_ONE_PERCENT;
        Intrinsics.checkNotNullParameter(maxSampleRate, "maxSampleRate");
        Spannable trace = ((TracerImpl) this.tracer).trace(TokenDecryptHelper$getToken$authTokenDecryptTrace$1.INSTANCE, new TracingParameters(maxSampleRate, null, null, null, null, null));
        trace.start();
        TraceContext traceContext = trace.getTraceContext();
        DecryptResult tokenFromSecureTokenStore = getTokenFromSecureTokenStore(authToken, traceContext);
        boolean z = tokenFromSecureTokenStore instanceof DecryptResult.Decrypted;
        DecryptResult tokenFromTinkKeyStore = z ? DecryptResult.Skipped.INSTANCE : decryptWithTink(authToken, traceContext);
        DecryptResult tokenFromTinkKeyStoreSecondary = (z || (tokenFromTinkKeyStore instanceof DecryptResult.Decrypted)) ? DecryptResult.Skipped.INSTANCE : decryptWithTinkSecondary(authToken, traceContext);
        Intrinsics.checkNotNullParameter(tokenFromSecureTokenStore, "tokenFromSecureTokenStore");
        Intrinsics.checkNotNullParameter(tokenFromTinkKeyStore, "tokenFromTinkKeyStore");
        Intrinsics.checkNotNullParameter(tokenFromTinkKeyStoreSecondary, "tokenFromTinkKeyStoreSecondary");
        if (tokenFromSecureTokenStore.authToken != null) {
            trace.appendTag("type", "secure_token_store");
            str = tokenFromSecureTokenStore.authToken;
        } else if (tokenFromTinkKeyStore.authToken != null) {
            trace.appendTag("type", "Tink");
            str = tokenFromTinkKeyStore.authToken;
        } else if (tokenFromTinkKeyStoreSecondary.authToken != null) {
            trace.appendTag("type", "TinkSecondary");
            str = tokenFromTinkKeyStoreSecondary.authToken;
        } else {
            trace.appendTag("type", "plaintext");
            str = AuthToken.INVALID_TOKEN;
        }
        trace.complete();
        List createListBuilder = zzc.createListBuilder();
        if (tokenFromSecureTokenStore instanceof DecryptResult.Failed) {
            ListBuilder listBuilder = (ListBuilder) createListBuilder;
            listBuilder.checkIsMutable();
            listBuilder.addAtInternal(listBuilder.offset + listBuilder.length, tokenDecryptionMethod3);
        }
        if (tokenFromTinkKeyStore instanceof DecryptResult.Failed) {
            ListBuilder listBuilder2 = (ListBuilder) createListBuilder;
            listBuilder2.checkIsMutable();
            listBuilder2.addAtInternal(listBuilder2.offset + listBuilder2.length, tokenDecryptionMethod2);
        }
        if (tokenFromTinkKeyStoreSecondary instanceof DecryptResult.Failed) {
            ListBuilder listBuilder3 = (ListBuilder) createListBuilder;
            listBuilder3.checkIsMutable();
            listBuilder3.addAtInternal(listBuilder3.offset + listBuilder3.length, tokenDecryptionMethod);
        }
        List build = zzc.build(createListBuilder);
        List createListBuilder2 = zzc.createListBuilder();
        if (tokenFromSecureTokenStore instanceof DecryptResult.Skipped) {
            ListBuilder listBuilder4 = (ListBuilder) createListBuilder2;
            listBuilder4.checkIsMutable();
            listBuilder4.addAtInternal(listBuilder4.offset + listBuilder4.length, tokenDecryptionMethod3);
        }
        if (tokenFromTinkKeyStore instanceof DecryptResult.Skipped) {
            ListBuilder listBuilder5 = (ListBuilder) createListBuilder2;
            listBuilder5.checkIsMutable();
            listBuilder5.addAtInternal(listBuilder5.offset + listBuilder5.length, tokenDecryptionMethod2);
        }
        if (tokenFromTinkKeyStoreSecondary instanceof DecryptResult.Skipped) {
            ListBuilder listBuilder6 = (ListBuilder) createListBuilder2;
            listBuilder6.checkIsMutable();
            listBuilder6.addAtInternal(listBuilder6.offset + listBuilder6.length, tokenDecryptionMethod);
        }
        TokenDecryptResult tokenDecryptResult = new TokenDecryptResult(str, build, zzc.build(createListBuilder2));
        if (tokenDecryptResult.hasDecryptedAuthToken()) {
            MaybeCreate maybeCreate = new MaybeCreate(new TokenDecryptHelper$checkForFailedAuthTokenDecryption$1(this, tokenDecryptResult, authToken));
            Intrinsics.checkNotNullExpressionValue(maybeCreate, "Maybe.create { emitter -…)\n        }\n      }\n    }");
            maybeCreate.subscribeOn(Schedulers.io()).timeout(15L, TimeUnit.SECONDS).subscribe(new $$LambdaGroup$js$0NpbkoAMdo7ifc1Ya6aYcPMm8o(26, onFailedTokenDecryptionDetected), $$LambdaGroup$js$SVoSMaWKHDScEufGiMC9Ddp37MY.INSTANCE$174);
        }
        return tokenDecryptResult;
    }

    public final DecryptResult getTokenFromSecureTokenStore(AuthToken authToken, TraceContext traceContext) {
        String identifier = authToken.getIdentifier();
        Spannable startSubSpan = traceContext.startSubSpan("decrypt_with_secure_token_store");
        try {
            return !this.failedSecureTokenStoreFetches.contains(identifier) ? fetchTokenFromSecureStore(identifier) : DecryptResult.Failed.INSTANCE;
        } finally {
            startSubSpan.complete();
        }
    }

    public final void logFailedAuthTokenComparedWithPreviousTokens(String str, AuthToken authToken, GeneralSecurityException generalSecurityException) {
        if (this.failedDecryptionsFromBadTag.contains(authToken)) {
            return;
        }
        this.failedDecryptionsFromBadTag.add(authToken);
        Counter.CC.increment$default(((MetricsProviderImpl) this.metrics).counter("token_decryption_error", "decrypt"), 0L, 1, null);
        Timber.TREE_OF_SOULS.w(generalSecurityException, '[' + str + "] Error during decryption", new Object[0]);
    }
}
