package com.microsoft.intune.mam.client.identity;

import android.content.Context;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import com.microsoft.intune.mam.client.MAMInfo;
import com.microsoft.intune.mam.client.app.backup.BackupConfiguration;
import com.microsoft.intune.mam.client.database.MultiIdentityInfoTable;
import com.microsoft.intune.mam.client.fileencryption.FileEncryptionManager;
import com.microsoft.intune.mam.client.fileencryption.NativeErrcodes;
import com.microsoft.intune.mam.client.fileencryption.NativeFileIO;
import com.microsoft.intune.mam.client.strict.MAMStrictCheck;
import com.microsoft.intune.mam.client.strict.MAMStrictEnforcement;
import com.microsoft.intune.mam.client.strict.StrictScopedDisable;
import com.microsoft.intune.mam.client.telemetry.TelemetryLogger;
import com.microsoft.intune.mam.client.telemetry.events.MAMInternalError;
import com.microsoft.intune.mam.client.telemetry.events.MAMNativeError;
import com.microsoft.intune.mam.client.telemetry.events.TrackedOccurrence;
import com.microsoft.intune.mam.client.util.ContextUtils;
import com.microsoft.intune.mam.client.util.FileUtils;
import com.microsoft.intune.mam.client.util.IOUtils;
import com.microsoft.intune.mam.log.MAMLogPIIFactory;
import com.microsoft.intune.mam.log.MAMLogger;
import com.microsoft.intune.mam.log.MAMLoggerProvider;
import com.microsoft.intune.mam.log.PIIFile;
import com.microsoft.intune.mam.log.PIIObj;
import com.microsoft.intune.mam.policy.MAMUserInfoInternal;
import com.microsoft.intune.mam.policy.PolicyResolver;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.logging.Level;
import kotlin.HubConnectionExternalSyntheticLambda36;

/* loaded from: classes4.dex */
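/**
 * Reads and writes the identity tag attached to files and file descriptors, delegating the
 * storage work to native methods declared on this class.
 *
 * <p>When a file carries no explicit identity, an implicit one is derived from the file's
 * encryption state, its location relative to the app's data directories, and the current
 * {@link MultiIdentityTransitionMode}.
 *
 * <p>This source was recovered by a decompiler. Parameter names and some control flow were
 * reconstructed, so treat names as descriptive rather than authoritative.
 */
public class FileProtectionManagerBehaviorImpl implements FileProtectionManagerBehavior {
    /**
     * Flag passed to the native descriptor-based setter by
     * {@link #ensureFileIdentityVisibleAfterTransfer(ParcelFileDescriptor)}; every other caller
     * in this class passes 0.
     * NOTE(review): the exact native semantics are not visible here; confirm against the
     * native implementation.
     */
    private static final int FLAG_ENSURE_ACCESS_OVER_BINDER = 1;
    private static final MAMLogger LOGGER = MAMLoggerProvider.getLogger(FileProtectionManagerBehaviorImpl.class);
    private static final String WEBVIEW_DIRNAME = "app_webview";
    protected BackupConfiguration mBackupConfiguration;
    private final Context mContext;
    private final IdentityParamConverter mIdentityParamConverter;
    protected final MAMIdentityManager mMAMIdentityManager;
    private final MAMLogPIIFactory mMAMLogPIIFactory;
    private final MultiIdentityInfoTable mMultiIdentityInfo;
    private final PolicyResolver mPolicyResolver;
    private final MAMStrictEnforcement mStrict;
    private final TelemetryLogger mTelemetryLogger;
    private final MAMUserInfoInternal mUserInfo;

    /**
     * Result pair returned by the native identity getters: a return code ({@code 0} means
     * success in every caller in this class) and the identity string, which may be
     * {@code null} when the file carries no explicit identity.
     *
     * <p>NOTE(review): presumably constructed from native code, so the constructor signature
     * and field names are left untouched; confirm before renaming anything here.
     */
    public static class IdentityResult {
        String mIdentity;
        long mRC;

        IdentityResult(long j, String str) {
            this.mRC = j;
            this.mIdentity = str;
        }
    }

    /**
     * Stores the collaborators; performs no other work.
     *
     * <p>NOTE(review): the annotation below carries an obfuscated name as recovered by the
     * decompiler; presumably a dependency-injection marker, confirm against the original.
     */
    @HubConnectionExternalSyntheticLambda36
    public FileProtectionManagerBehaviorImpl(MAMUserInfoInternal mAMUserInfoInternal, Context context, MultiIdentityInfoTable multiIdentityInfoTable, BackupConfiguration backupConfiguration, MAMLogPIIFactory mAMLogPIIFactory, MAMIdentityManager mAMIdentityManager, MAMStrictEnforcement mAMStrictEnforcement, IdentityParamConverter identityParamConverter, PolicyResolver policyResolver, TelemetryLogger telemetryLogger) {
        this.mUserInfo = mAMUserInfoInternal;
        this.mContext = context;
        this.mMultiIdentityInfo = multiIdentityInfoTable;
        this.mBackupConfiguration = backupConfiguration;
        this.mMAMLogPIIFactory = mAMLogPIIFactory;
        this.mMAMIdentityManager = mAMIdentityManager;
        this.mStrict = mAMStrictEnforcement;
        this.mIdentityParamConverter = identityParamConverter;
        this.mPolicyResolver = policyResolver;
        this.mTelemetryLogger = telemetryLogger;
    }

    /** Returns the default identity for the transition mode currently stored in the info table. */
    private MAMIdentity getDefaultFileIdentity() {
        return getDefaultFileIdentity(this.mMultiIdentityInfo.getMultiIdentityTransitionMode());
    }

    /**
     * Maps a transition mode to the identity assumed for files that carry none.
     *
     * @return the primary identity for {@code MI_FROM_SINGLE_IDENTITY} and
     *     {@code MI_NOT_ENABLED}; {@link MAMIdentity#EMPTY} for {@code MI_FROM_UNMANAGED}
     * @throws AssertionError for any other mode
     */
    private MAMIdentity getDefaultFileIdentity(MultiIdentityTransitionMode mode) {
        switch (mode) {
            case MI_FROM_SINGLE_IDENTITY:
            case MI_NOT_ENABLED:
                return this.mUserInfo.getPrimaryIdentity();
            case MI_FROM_UNMANAGED:
                return MAMIdentity.EMPTY;
            default:
                throw new AssertionError("Unknown MultiIdentityTransitionMode");
        }
    }

    /** Native lookup of the identity stored for the file at {@code path}. */
    private native IdentityResult getIdentity(String path);

    /** Native lookup of the identity stored for the open descriptor {@code fd}. */
    private native IdentityResult getIdentityFromFileDescriptor(int fd);

    /**
     * Derives an identity for a file that has no explicit one.
     *
     * @param file the file to classify
     * @param fd an open descriptor for {@code file}, or a negative value when the caller only
     *     has a path
     * @return {@code null} for directories and ignored paths; the primary identity for
     *     encrypted files; otherwise an identity chosen from the transition mode and location
     * @throws IOException if path canonicalization fails
     */
    private MAMIdentity getImplicitFileIdentity(File file, int fd) throws IOException {
        if (file.isDirectory()) {
            return null;
        }
        String canonicalPath = FileUtils.safeGetCanonicalPath(file);
        if (FileEncryptionManager.isCanonicalPathIgnored(canonicalPath)) {
            return null;
        }
        try {
            // The decompiled source stored this boolean back into the int descriptor
            // parameter; a dedicated local keeps the descriptor intact for the catch below.
            boolean encrypted = fd >= 0
                    ? FileEncryptionManager.isFileEncrypted(fd)
                    : FileEncryptionManager.isFileEncrypted(file);
            if (encrypted) {
                LOGGER.warning("assuming primary identity for encrypted file {0}", this.mMAMLogPIIFactory.getPIIFilePath(file));
                return this.mUserInfo.getPrimaryIdentity();
            }
        } catch (FileNotFoundException e) {
            // A path-only lookup can legitimately miss the file; with an open descriptor the
            // same failure is reported as an internal error.
            if (fd < 0) {
                LOGGER.warning("Cannot determine if file {0} is encrypted", e, this.mMAMLogPIIFactory.getPIIFilePath(file));
            } else {
                LOGGER.error(MAMInternalError.ENCRYPTED_FILE_CHECK_FAILED, "Cannot determine if file {0} is encrypted", e, this.mMAMLogPIIFactory.getPIIFilePath(file));
            }
        }
        MultiIdentityTransitionMode mode = this.mMultiIdentityInfo.getMultiIdentityTransitionMode();
        if (mode != MultiIdentityTransitionMode.MI_FROM_SINGLE_IDENTITY || isUnderAppData(canonicalPath)) {
            return getDefaultFileIdentity(mode);
        }
        LOGGER.info("Treating file outside the app as personal for SI-MI transition", new Object[0]);
        return MAMIdentity.EMPTY;
    }

    /**
     * Translates a non-zero native return code into a log entry and, in most cases, an
     * exception.
     *
     * <p>The file path appears only in log messages, wrapped by the PII factory; exception
     * messages never include it.
     *
     * @param rc the native return code (callers pass only non-zero values)
     * @param file the file the operation targeted
     * @param operation {@code "get"} or {@code "set"}; used in messages and to pick the
     *     telemetry error for unexpected codes
     * @throws FileNotFoundException if the file is reported missing or no longer exists
     * @throws IOException for every other code except the "ignored file" code, which only
     *     logs a warning and returns normally
     */
    private void handleNativeIdentityError(long rc, File file, String operation) throws IOException {
        String prefix = "Cannot " + operation + " identity for file ";
        PIIObj piiPath = this.mMAMLogPIIFactory.getPIIFilePath(file);
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.MDM_ERR_CANNOT_DECRYPT)) {
            LOGGER.warning(prefix + "{0} because it could not be decrypted, likely due to missing key", piiPath);
            throw new IOException(prefix + "because it could not be decrypted, likely due to missing key");
        }
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.MDM_ERR_CANNOT_OPEN)) {
            LOGGER.warning(prefix + "{0} because it could not be opened. Either it does not exist or access is denied", piiPath);
            throw new IOException(prefix + "because it could not be opened. Either it does not exist or access is denied");
        }
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.MDM_ERR_CANNOT_SET_IDENTITY_IGNORED_FILE)) {
            // Ignored files are not an error for the caller: warn and carry on.
            LOGGER.warning(prefix + "{0}  because it is ignored. Protection cannot be applied to ignored files.", piiPath);
            return;
        }
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.NO_SUCH_FILE)) {
            LOGGER.warning(prefix + "{0}  because it could not be found", piiPath);
            throw new FileNotFoundException(prefix + " because it could not be found");
        }
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.MDM_ERR_NOT_ENCRYPTED_FILE)) {
            LOGGER.warning(prefix + "{0} because it was not an encrypted file", piiPath);
            throw new IOException(prefix + "because it was not an encrypted file");
        }
        if (!file.exists()) {
            // Unrecognised code, but the file has since disappeared: report it as missing.
            LOGGER.warning(prefix + "{0}  because it can no longer be found", piiPath);
            throw new FileNotFoundException(prefix + " because it can no longer be found");
        }
        String detail = String.format(prefix + "{0} with error code 0x%x", rc);
        if ("set".equals(operation)) {
            LOGGER.error(MAMNativeError.NATIVE_SET_FILE_IDENTITY_FAILED.with(rc), detail, piiPath);
        } else {
            LOGGER.error(MAMNativeError.NATIVE_GET_FILE_IDENTITY_FAILED.with(rc), detail, piiPath);
        }
        throw new IOException("Unexpected error: " + detail);
    }

    /** Returns the {@code app_webview} directory under the app's normalized data directory. */
    private File getWebviewDirectory() {
        return new File(FileUtils.getNormalizedFilePath(this.mContext.getApplicationInfo().dataDir), WEBVIEW_DIRNAME);
    }

    /** Deletes the webview directory if it exists and logs an internal error on failure. */
    private void handleWipeForWebviewDirectory() {
        File webviewDir = getWebviewDirectory();
        if (!webviewDir.exists() || FileUtils.deleteDir(webviewDir)) {
            return;
        }
        LOGGER.error(MAMInternalError.FILE_PROTECTION_CANNOT_DELETE_WEBVIEW_DIR, "Unable to delete app_webview directory", new Object[0]);
    }

    /** Native query; used by {@link #getIdentity(int)} when the descriptor has no known path. */
    private native boolean isFileDescriptorTracked(int fd);

    /** Canonicalizes {@code file} and delegates to {@link #isUnderAppData(String)}. */
    private boolean isUnderAppData(File file) throws IOException {
        return isUnderAppData(FileUtils.safeGetCanonicalPath(file));
    }

    /**
     * Reports whether a canonical path lies inside the app's data directory or inside the
     * parent of its external files directory.
     *
     * @param canonicalPath canonical path of the file being classified
     * @throws IOException if the data directory cannot be canonicalized
     */
    private boolean isUnderAppData(String canonicalPath) throws IOException {
        String dataDir = new File(FileUtils.getNormalizedFilePath(this.mContext.getApplicationInfo().dataDir)).getCanonicalPath();
        if (isSameOrDescendantPath(canonicalPath, dataDir)) {
            return true;
        }
        File externalFilesDir = ContextUtils.getExternalFilesDir(this.mContext, null);
        return externalFilesDir != null
                && isSameOrDescendantPath(canonicalPath, FileUtils.safeGetCanonicalPath(externalFilesDir.getParentFile()));
    }

    /**
     * Compares paths on a component boundary. A bare {@code String.startsWith} would also
     * accept a sibling directory whose name merely begins with the root's name (for example
     * {@code <root>2/file}), which would then be classified as this app's own data.
     */
    private static boolean isSameOrDescendantPath(String path, String root) {
        if (path.equals(root)) {
            return true;
        }
        String rootWithSeparator = root.endsWith(File.separator) ? root : root + File.separator;
        return path.startsWith(rootWithSeparator);
    }

    /**
     * Tags the webview directory with the primary identity when multi-identity is enabled, a
     * primary identity exists, and the directory does not already carry an identity. The
     * directory is created if missing. Failures are logged, never thrown.
     */
    private void protectWebviewDirectory() {
        if (!MAMInfo.isMultiIdentityEnabled()) {
            return;
        }
        MAMIdentity primaryIdentity = this.mUserInfo.getPrimaryIdentity();
        if (primaryIdentity == null) {
            return;
        }
        File webviewDir = getWebviewDirectory();
        if (!webviewDir.exists() && !webviewDir.mkdir()) {
            LOGGER.warning("Unable to create app_webview directory", new Object[0]);
            return;
        }
        try {
            MAMFileProtectionInfo existing = getProtectionInfo(webviewDir);
            if (existing != null && existing.getIdentity() != null) {
                return;
            }
        } catch (IOException ignored) {
            // Deliberate: an unreadable tag is treated like a missing one and overwritten below.
            LOGGER.fine("Unable to get protection info from webview directory, will protect it", new Object[0]);
        }
        try {
            protect(webviewDir, primaryIdentity);
        } catch (IOException e) {
            LOGGER.error(MAMInternalError.WEBVIEW_SET_DIRECTORY_IDENTITY_FAILED, "Unable to change identity for webview directory", e);
        }
    }

    /**
     * Native setter for the identity of the file at {@code path}.
     * NOTE(review): the third argument is presumably a flag word (this class passes 0); confirm.
     */
    private native long setIdentity(String path, String identity, int flags);

    /**
     * Native setter for the identity of the open descriptor {@code fd}.
     * NOTE(review): the third argument is presumably a flag word (this class passes 0 or
     * {@link #FLAG_ENSURE_ACCESS_OVER_BINDER}); confirm.
     */
    private native long setIdentityForFileDescriptor(int fd, String identity, int flags);

    /** Applies the protection this class sets up by default; currently the webview directory only. */
    public void doInitialProtection() {
        protectWebviewDirectory();
    }

    /**
     * Reads the identity stored for a transferred descriptor and, if one is present, writes it
     * back through the native setter with {@link #FLAG_ENSURE_ACCESS_OVER_BINDER}.
     *
     * @throws IOException if either native call returns a non-zero code
     */
    public void ensureFileIdentityVisibleAfterTransfer(ParcelFileDescriptor parcelFileDescriptor) throws IOException {
        LOGGER.info("Ensuring identity visible for transferred file descriptor", new Object[0]);
        int fd = parcelFileDescriptor.getFd();
        IdentityResult current = getIdentityFromFileDescriptor(fd);
        if (current.mRC != 0) {
            LOGGER.error(MAMNativeError.NATIVE_GET_FILE_IDENTITY_FAILED.with(current.mRC), String.format("Failed to get file identity with error code 0x%x", current.mRC), new Object[0]);
            throw new IOException("Unexpected error retrieving file identity");
        }
        if (current.mIdentity == null) {
            // Nothing stored, so there is nothing to make visible.
            return;
        }
        long rc = setIdentityForFileDescriptor(fd, current.mIdentity, FLAG_ENSURE_ACCESS_OVER_BINDER);
        if (rc == 0) {
            return;
        }
        String codeText = String.format("error code 0x%x", rc);
        LOGGER.error(MAMNativeError.NATIVE_SET_FILE_IDENTITY_FAILED.with(rc), "Failed to set file identity with " + codeText + " on file {0}", this.mMAMLogPIIFactory.getPIIFilePath(NativeFileIO.getOpenedPathForFileDescriptor(fd)));
        throw new IOException("Unexpected error setting file identity, " + codeText);
    }

    /**
     * Opens {@code file} read-write, runs the descriptor overload on it, and always closes the
     * descriptor afterwards.
     */
    public void ensureFileIdentityVisibleAfterTransfer(File file) throws IOException {
        // The decompiled source used the literal 805306368 (0x30000000), which is MODE_READ_WRITE.
        ParcelFileDescriptor pfd = ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_WRITE);
        try {
            ensureFileIdentityVisibleAfterTransfer(pfd);
        } finally {
            IOUtils.safeClose(pfd);
        }
    }

    /**
     * Resolves the identity of an open file descriptor.
     *
     * <p>Resolution order: the explicit identity stored for the descriptor; the primary
     * identity when the file is encrypted; the implicit identity for the descriptor's path
     * when a path is known; the default identity when the descriptor is tracked natively.
     *
     * @return the resolved identity, or {@code null} when none of the above applies
     * @throws IOException if the native lookup returns a non-zero code
     */
    public MAMIdentity getIdentity(int i) throws IOException {
        IdentityResult stored = getIdentityFromFileDescriptor(i);
        if (stored.mRC != 0) {
            LOGGER.error(MAMNativeError.NATIVE_GET_FILE_IDENTITY_FAILED.with(stored.mRC), String.format("Failed to get file identity with error code 0x%x", stored.mRC), new Object[0]);
            throw new IOException("Unexpected error retrieving file identity");
        }
        if (stored.mIdentity != null) {
            return this.mMAMIdentityManager.create(stored.mIdentity, null);
        }
        if (FileEncryptionManager.isFileEncrypted(i)) {
            return this.mUserInfo.getPrimaryIdentity();
        }
        String openedPath = NativeFileIO.getOpenedPathForFileDescriptor(i);
        if (openedPath != null) {
            return getImplicitFileIdentity(new File(FileUtils.getNormalizedFilePath(openedPath)), i);
        }
        if (isFileDescriptorTracked(i)) {
            return getDefaultFileIdentity();
        }
        return null;
    }

    /**
     * Opens {@code uri} read-only through the content resolver and returns the protection info
     * of the resulting descriptor, which is closed before returning.
     *
     * @throws FileNotFoundException if the resolver returns no descriptor
     * @throws IOException wrapping any {@link SecurityException} raised inside the call, so
     *     callers see a denied open as an I/O failure
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public MAMFileProtectionInfo getProtectionInfo(Uri uri) throws IOException {
        try {
            ParcelFileDescriptor pfd = this.mContext.getContentResolver().openFileDescriptor(uri, "r");
            if (pfd == null) {
                throw new FileNotFoundException();
            }
            try {
                return getProtectionInfo(pfd);
            } finally {
                IOUtils.safeCloseAndLog(pfd);
            }
        } catch (SecurityException e) {
            throw new IOException(e);
        }
    }

    /**
     * Returns protection info for an open descriptor, or {@code null} when
     * {@link #getIdentity(int)} resolves no identity.
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public MAMFileProtectionInfo getProtectionInfo(ParcelFileDescriptor parcelFileDescriptor) throws IOException {
        MAMIdentity identity = getIdentity(parcelFileDescriptor.getFd());
        return identity == null ? null : new MAMFileProtectionInfoImpl(identity);
    }

    /**
     * Returns protection info for a file addressed by path.
     *
     * <p>Side effect: when the identity is implicit and the file lies under the app's data
     * directories, the implicit identity is written onto the file. A failure of that write is
     * logged and does not affect the returned value.
     *
     * @return the explicit or implicit protection info, or {@code null} when no identity
     *     applies
     * @throws FileNotFoundException if the file is not readable
     * @throws IOException if the native lookup fails with a code that
     *     {@code handleNativeIdentityError} turns into an exception
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public MAMFileProtectionInfo getProtectionInfo(File file) throws IOException {
        if (!file.canRead()) {
            throw new FileNotFoundException(file.toString());
        }
        IdentityResult stored = getIdentity(file.getAbsolutePath());
        if (stored.mRC != 0) {
            handleNativeIdentityError(stored.mRC, file, "get");
        }
        if (stored.mIdentity != null) {
            return new MAMFileProtectionInfoImpl(this.mMAMIdentityManager.create(stored.mIdentity, null));
        }
        MAMIdentity implicitIdentity = getImplicitFileIdentity(file, -1);
        if (implicitIdentity == null) {
            return null;
        }
        LOGGER.log(Level.FINE, "using implicit identity for {0}", new PIIFile(file));
        if (isUnderAppData(file)) {
            try {
                StrictScopedDisable strictDisable = this.mStrict.getThreadSettings().disableScoped(MAMStrictCheck.IDENTITY_NO_SUCH_FILE);
                try {
                    protect(file, implicitIdentity);
                } finally {
                    // Close on the failure path too. The decompiled source closed only after
                    // a successful protect(), leaving the scoped disable open whenever
                    // protect() threw.
                    if (strictDisable != null) {
                        strictDisable.close();
                    }
                }
            } catch (IOException e) {
                // Arguments follow the placeholders: {0} is the file, {1} the identity.
                LOGGER.log(Level.WARNING, "Unable to protect {0} with implicit identity {1}", (Throwable) e, this.mMAMLogPIIFactory.getPIIFilePath(file), this.mMAMLogPIIFactory.getPIIUPN(implicitIdentity));
            }
        }
        return new MAMFileProtectionInfoImpl(implicitIdentity);
    }

    /** Wipes files that need special handling; currently the webview directory only. */
    public void handleWipeForSpeciallyProtectedFiles() {
        handleWipeForWebviewDirectory();
    }

    /**
     * Decides whether {@code file} may be backed up.
     *
     * <p>With multi-identity enabled the decision is made per file identity. Note that the
     * method answers {@code true} when no protection info or identity can be resolved for the
     * file, so an unclassified file is backed up rather than withheld. Without multi-identity
     * the app-wide backup configuration decides.
     *
     * @throws IOException if the file's protection info cannot be read
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public boolean isBackupAllowed(File file) throws IOException {
        if (!MAMInfo.isMultiIdentityEnabled()) {
            return !this.mBackupConfiguration.isBlocked();
        }
        MAMFileProtectionInfo info = getProtectionInfo(file);
        if (info == null) {
            return true;
        }
        MAMIdentity identity = this.mMAMIdentityManager.create(info.getIdentity(), info.getIdentityOID());
        if (identity == null) {
            return true;
        }
        return !this.mBackupConfiguration.isBlocked(identity);
    }

    /**
     * Records telemetry when a protect call would move a file between two different,
     * non-empty identities and either side is managed. Both occurrences are logged when both
     * identities are managed.
     */
    private void logIdentityChangeTelemetry(MAMIdentity currentIdentity, MAMIdentity requestedIdentity) {
        if (MAMIdentity.isNullOrEmpty(requestedIdentity)
                || MAMIdentity.isNullOrEmpty(currentIdentity)
                || requestedIdentity.equals(currentIdentity)) {
            return;
        }
        if (this.mPolicyResolver.isIdentityManaged(currentIdentity)) {
            this.mTelemetryLogger.logTrackedOccurrenceForCurrentApp(TrackedOccurrence.PROTECT_CALLED_ON_MANAGED_FILE_TO_UNMANAGED, "");
        }
        if (this.mPolicyResolver.isIdentityManaged(requestedIdentity)) {
            this.mTelemetryLogger.logTrackedOccurrenceForCurrentApp(TrackedOccurrence.PROTECT_CALLED_ON_UNMANAGED_FILE_TO_MANAGED, "");
        }
    }

    /**
     * Sets the identity of an open descriptor.
     *
     * @throws IOException if {@code mAMIdentity} is {@code null} or the native setter returns
     *     a non-zero code; the message contains the descriptor number and the code, never a
     *     path
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public void protect(ParcelFileDescriptor parcelFileDescriptor, MAMIdentity mAMIdentity) throws IOException {
        if (mAMIdentity == null) {
            throw new IOException("identity must not be null");
        }
        try {
            logIdentityChangeTelemetry(getIdentity(parcelFileDescriptor.getFd()), mAMIdentity);
        } catch (Exception e) {
            // Telemetry is best-effort: a failure here must not block the protect call.
            LOGGER.warning("Failed to collect telemetry on file identity change. Continue execution.", e);
        }
        long rc = setIdentityForFileDescriptor(parcelFileDescriptor.getFd(), mAMIdentity.rawUPN(), 0);
        if (rc == 0) {
            return;
        }
        String message = String.format("Failed to set identity on %s with error code 0x%x.", parcelFileDescriptor.getFd(), rc);
        if (NativeErrcodes.isSameError(rc, NativeErrcodes.MDM_ERR_FD_OPEN_WITH_W_ONLY)) {
            message = message + " The app is likely holding other file descriptors on the same file which are open for write-only. To fix this issue, please either open all file descriptors on the same file with read and write permission, or close other file descriptors opened with write-only before calling protect.";
        }
        LOGGER.error(MAMNativeError.NATIVE_SET_FILE_IDENTITY_FAILED.with(rc), message, new Object[0]);
        throw new IOException(message);
    }

    /** Converts the UPN string to an identity and delegates to the identity overload. */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    @Deprecated
    public void protect(ParcelFileDescriptor parcelFileDescriptor, String str) throws IOException {
        protect(parcelFileDescriptor, this.mIdentityParamConverter.fromUpnParam(str));
    }

    /**
     * Sets the identity of a file addressed by path.
     *
     * <p>The writability check and the native call each resolve the path on their own, so the
     * file behind the path can change between the two. Callers that already hold a descriptor
     * can use {@link #protect(ParcelFileDescriptor, MAMIdentity)}, which operates on the open
     * file instead.
     *
     * @throws FileNotFoundException if the file does not exist
     * @throws IOException if the file is not writable, {@code mAMIdentity} is {@code null}, or
     *     the native setter fails with a code that {@code handleNativeIdentityError} turns
     *     into an exception
     */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    public void protect(File file, MAMIdentity mAMIdentity) throws IOException {
        if (!file.canWrite()) {
            if (file.exists()) {
                LOGGER.warning("protect called on file that is not writable: {0}", this.mMAMLogPIIFactory.getPIIFilePath(file));
                throw new IOException("Cannot set file identity due to access restrictions");
            }
            LOGGER.warning("protect called on file that does not exist: {0}", this.mMAMLogPIIFactory.getPIIFilePath(file));
            this.mStrict.checkFailProtectNonExistentFile(file);
            throw new FileNotFoundException("Cannot set file identity because the file doesn't exist");
        }
        if (mAMIdentity == null) {
            throw new IOException("identity must not be null");
        }
        try {
            IdentityResult stored = getIdentity(file.getAbsolutePath());
            if (stored != null && stored.mRC == 0) {
                logIdentityChangeTelemetry(this.mIdentityParamConverter.fromUpnParam(stored.mIdentity), mAMIdentity);
            }
        } catch (Exception e) {
            // Telemetry is best-effort: a failure here must not block the protect call.
            LOGGER.warning("Failed to collect telemetry on file identity change. Continue execution.", e);
        }
        long rc = setIdentity(file.getAbsolutePath(), mAMIdentity.rawUPN(), 0);
        if (rc != 0) {
            handleNativeIdentityError(rc, file, "set");
        }
    }

    /** Converts the UPN string to an identity and delegates to the identity overload. */
    @Override // com.microsoft.intune.mam.client.identity.FileProtectionManagerBehavior
    @Deprecated
    public void protect(File file, String str) throws IOException {
        protect(file, this.mIdentityParamConverter.fromUpnParam(str));
    }
}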
