package com.google.android.apps.authenticator.seedrotation.reseeder;

import android.os.Build;
import android.text.TextUtils;
import android.util.Log;
import com.google.android.apps.authenticator.HexEncoding;
import com.google.android.apps.authenticator.Utilities;
import com.google.android.apps.authenticator.seedrotation.RetryPolicy;
import com.google.android.apps.authenticator.seedrotation.backend.Backend;
import com.google.android.apps.authenticator.seedrotation.backend.BackendException;
import com.google.android.apps.authenticator.seedrotation.backend.ConfirmRequest;
import com.google.android.apps.authenticator.seedrotation.backend.RequestBase;
import com.google.android.apps.authenticator.seedrotation.backend.ReseedRequest;
import com.google.android.apps.authenticator.seedrotation.backend.ReseedResponse;
import com.google.android.apps.authenticator.seedrotation.backend.StatusRequest;
import com.google.android.apps.authenticator.seedrotation.backend.StatusResponse;
import com.google.android.apps.authenticator.seedrotation.reseeder.ProtocolCryptoOperations;
import com.google.android.apps.authenticator.seedrotation.reseeder.Reseeder;
import com.google.android.apps.authenticator.testability.accounts.GoogleAccountManager;
import com.google.android.apps.authenticator2.R;
import com.google.common.annotations.VisibleForTesting;
import java.math.BigInteger;
import java.util.Calendar;
import java.util.Locale;

/* loaded from: classes.dex */
public class BackendBasedReseeder implements Reseeder {

    @VisibleForTesting
    static final long CONFIRM_NEW_SEED_TO_BACKEND_DELAY_MILLIS = 10000;
    private static final String LOG_TAG = BackendBasedReseeder.class.getSimpleName();

    @VisibleForTesting
    static final long OTP_USE_AFTER_GENERATION_DEADLINE_MILLIS = 120000;
    private final GoogleAccountManager mAccountManager;
    private final String mAndroidId;
    private final String mApplicationVersion;
    private final Backend mBackend;
    private final ProtocolCryptoOperations mCryptoOperations;
    private final RetryPolicy mRetryPolicy;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.google.android.apps.authenticator.seedrotation.reseeder.BackendBasedReseeder$1, reason: invalid class name */
    /* loaded from: classes.dex */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error = new int[Backend.Error.values().length];

        static {
            try {
                $SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error[Backend.Error.BAD_USERNAME.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error[Backend.Error.SEED_ALREADY_CONFIRMED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    public static class GetNewSeedResponse {
        private String backendUrl;
        private byte[] seed;

        private GetNewSeedResponse() {
        }

        /* synthetic */ GetNewSeedResponse(AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    public static class GetSeedStatusRpcResult {
        private long reseedRequestTimestampSeconds;
        private StatusResponse response;

        private GetSeedStatusRpcResult() {
        }

        /* synthetic */ GetSeedStatusRpcResult(AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    public static class NextInvocationTimeAccumulator {
        private long mMillisTillNextInvocation;

        private NextInvocationTimeAccumulator() {
            this.mMillisTillNextInvocation = Long.MAX_VALUE;
        }

        /* synthetic */ NextInvocationTimeAccumulator(AnonymousClass1 anonymousClass1) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public long getMillisTillNextInvocation() {
            if (this.mMillisTillNextInvocation != Long.MAX_VALUE) {
                return this.mMillisTillNextInvocation;
            }
            return -1L;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void scheduleNextInvocationIn(long j) {
            if (j != -1) {
                this.mMillisTillNextInvocation = Math.min(this.mMillisTillNextInvocation, j);
            }
        }
    }

    public BackendBasedReseeder(Backend backend, ProtocolCryptoOperations protocolCryptoOperations, RetryPolicy retryPolicy, String str, String str2, GoogleAccountManager googleAccountManager) {
        this.mBackend = backend;
        this.mCryptoOperations = protocolCryptoOperations;
        this.mRetryPolicy = retryPolicy;
        this.mApplicationVersion = str;
        this.mAndroidId = str2;
        this.mAccountManager = googleAccountManager;
    }

    private long checkSeedStatusAndReseedIfNecessary(Reseeder.Collaborator collaborator) {
        Log.i(LOG_TAG, "Checking when to reseed");
        try {
            GetSeedStatusRpcResult seedStatusRpc = getSeedStatusRpc(collaborator.getCurrentSeed());
            StatusResponse statusResponse = seedStatusRpc.response;
            long j = seedStatusRpc.reseedRequestTimestampSeconds;
            long millisTillReseed = getMillisTillReseed(statusResponse);
            if (millisTillReseed <= 0) {
                Log.i(LOG_TAG, "Reseeding must happen now");
                return getNewSeedFromBackend(collaborator, j);
            }
            collaborator.setOtpGenerationPermittedFromSeed(true);
            Log.i(LOG_TAG, "Scheduling a reseed in " + (millisTillReseed / 60000.0d) + " minutes");
            return millisTillReseed;
        } catch (BackendException e) {
            switch (AnonymousClass1.$SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error[e.getError().ordinal()]) {
                case R.styleable.Theme_accountListWithVerificationCodesRow /* 1 */:
                    Log.w(LOG_TAG, "Failed to check seed status: seed not recognized by backend");
                    collaborator.setOtpGenerationPermittedFromSeed(false);
                    return this.mRetryPolicy.getRetryDelayMillisAfterUnrecoverableError();
                default:
                    Log.w(LOG_TAG, "Failed to check seed status: " + e.getError(), e);
                    return this.mRetryPolicy.getRetryDelayMillisAfterRecoverableError();
            }
        }
    }

    private void checkSeedStatusAndReseedIfNecessary(Reseeder.Collaborator collaborator, NextInvocationTimeAccumulator nextInvocationTimeAccumulator) {
        long checkSeedStatusAndReseedIfNecessary = checkSeedStatusAndReseedIfNecessary(collaborator);
        if (checkSeedStatusAndReseedIfNecessary != -1) {
            nextInvocationTimeAccumulator.scheduleNextInvocationIn(checkSeedStatusAndReseedIfNecessary);
        }
    }

    private void confirmSeedRpc(byte[] bArr) throws BackendException {
        ConfirmRequest confirmRequest = new ConfirmRequest();
        confirmRequest.seedId = getSeedId(bArr);
        populateRequestWithTrackingInformation(confirmRequest);
        confirmRequest.authCode = this.mCryptoOperations.generateConfirmRequestMac(bArr);
        this.mBackend.confirmSeed(confirmRequest);
    }

    private long confirmSeedToBackend(Reseeder.Collaborator collaborator) {
        Log.i(LOG_TAG, "Confirming seed to backend");
        try {
            confirmSeedRpc(collaborator.getCurrentSeed());
            collaborator.setSeedConfirmedToBackend(true);
            Log.i(LOG_TAG, "Seed confirmed to backend");
            return -1L;
        } catch (BackendException e) {
            switch (AnonymousClass1.$SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error[e.getError().ordinal()]) {
                case R.styleable.Theme_accountListWithVerificationCodesRow /* 1 */:
                    Log.w(LOG_TAG, "Failed to confirm seed: seed not recognized by backend");
                    collaborator.setOtpGenerationPermittedFromSeed(false);
                    return this.mRetryPolicy.getRetryDelayMillisAfterUnrecoverableError();
                case 2:
                    Log.i(LOG_TAG, "Seed already confirmed -- marking as such");
                    collaborator.setSeedConfirmedToBackend(true);
                    return -1L;
                default:
                    Log.w(LOG_TAG, "Failed to confirm seed: " + e.getError(), e);
                    return this.mRetryPolicy.getRetryDelayMillisAfterRecoverableError();
            }
        }
    }

    private void confirmSeedToBackendIfNecessary(Reseeder.Collaborator collaborator, NextInvocationTimeAccumulator nextInvocationTimeAccumulator) {
        long confirmSeedToBackend;
        if (collaborator.isSeedConfirmedToBackend()) {
            return;
        }
        long elapsedMillisSinceLastOtpGenerated = OTP_USE_AFTER_GENERATION_DEADLINE_MILLIS - collaborator.getElapsedMillisSinceLastOtpGenerated();
        if (elapsedMillisSinceLastOtpGenerated <= 0 || elapsedMillisSinceLastOtpGenerated > OTP_USE_AFTER_GENERATION_DEADLINE_MILLIS) {
            confirmSeedToBackend = confirmSeedToBackend(collaborator);
        } else {
            confirmSeedToBackend = elapsedMillisSinceLastOtpGenerated;
            Log.i(LOG_TAG, "Need to confirm seed but not yet permitted: an OTP was generated recently");
        }
        if (confirmSeedToBackend != -1) {
            nextInvocationTimeAccumulator.scheduleNextInvocationIn(confirmSeedToBackend);
        }
    }

    @VisibleForTesting
    static String getLocalTimeForBackend(long j) {
        Calendar calendar = Calendar.getInstance();
        calendar.setTimeInMillis(j);
        return String.format(Locale.US, "%02d%02d", Integer.valueOf(calendar.get(11)), Integer.valueOf(calendar.get(12)));
    }

    private long getMillisTillReseed(StatusResponse statusResponse) {
        return Long.parseLong(statusResponse.minSecondsTillNextCheck) * 1000;
    }

    private long getNewSeedFromBackend(Reseeder.Collaborator collaborator, long j) {
        Log.i(LOG_TAG, "Getting new seed from backend");
        try {
            GetNewSeedResponse newSeedRpc = getNewSeedRpc(collaborator.getCurrentSeed(), j);
            if (!TextUtils.isEmpty(newSeedRpc.backendUrl)) {
                this.mBackend.setUrl(newSeedRpc.backendUrl);
            }
            Log.i(LOG_TAG, "Got new seed from backend.");
            collaborator.storeNewSeed(newSeedRpc.seed);
            collaborator.setSeedConfirmedToBackend(false);
            collaborator.setOtpGenerationPermittedFromSeed(true);
            return CONFIRM_NEW_SEED_TO_BACKEND_DELAY_MILLIS;
        } catch (BackendException e) {
            switch (AnonymousClass1.$SwitchMap$com$google$android$apps$authenticator$seedrotation$backend$Backend$Error[e.getError().ordinal()]) {
                case R.styleable.Theme_accountListWithVerificationCodesRow /* 1 */:
                    Log.w(LOG_TAG, "Failed to get new seed: current seed not recognized by backend");
                    collaborator.setOtpGenerationPermittedFromSeed(false);
                    return this.mRetryPolicy.getRetryDelayMillisAfterUnrecoverableError();
                default:
                    Log.w(LOG_TAG, "Failed to get new seed: " + e.getError(), e);
                    return this.mRetryPolicy.getRetryDelayMillisAfterRecoverableError();
            }
        }
    }

    private GetNewSeedResponse getNewSeedRpc(byte[] bArr, long j) throws BackendException {
        ReseedRequest reseedRequest = new ReseedRequest();
        reseedRequest.seedId = getSeedId(bArr);
        reseedRequest.timestampSeconds = Long.toString(j);
        ProtocolCryptoOperations.SeedDerivation startNewSeedDerivation = this.mCryptoOperations.startNewSeedDerivation(bArr);
        reseedRequest.clientDhPublicKey = HexEncoding.encode(startNewSeedDerivation.getMyPublicKey().toByteArray());
        populateRequestWithTrackingInformation(reseedRequest);
        reseedRequest.localTime = getLocalTimeForBackend(System.currentTimeMillis());
        reseedRequest.authCode = this.mCryptoOperations.generateReseedRequestMac(bArr, reseedRequest);
        ReseedResponse reseed = this.mBackend.reseed(reseedRequest);
        if (!this.mCryptoOperations.verifyReseedResponseMac(bArr, reseedRequest, reseed)) {
            throw new BackendException(Backend.Error.GENERIC_ERROR, "Response MAC did not verify");
        }
        byte[] completeNewSeedDerivation = this.mCryptoOperations.completeNewSeedDerivation(startNewSeedDerivation, new BigInteger(HexEncoding.decode(reseed.backendDhPublicKey)));
        if (!this.mCryptoOperations.verifyReseedResponseMac2(completeNewSeedDerivation, reseedRequest, reseed)) {
            throw new BackendException(Backend.Error.GENERIC_ERROR, "Response MAC2 did not verify");
        }
        GetNewSeedResponse getNewSeedResponse = new GetNewSeedResponse(null);
        getNewSeedResponse.seed = completeNewSeedDerivation;
        getNewSeedResponse.backendUrl = reseed.reseedUrl;
        return getNewSeedResponse;
    }

    private String getSeedId(byte[] bArr) {
        return HexEncoding.encode(this.mCryptoOperations.getSeedId(bArr));
    }

    private GetSeedStatusRpcResult getSeedStatusRpc(byte[] bArr) throws BackendException {
        return getSeedStatusRpc(bArr, System.currentTimeMillis() / 1000, false);
    }

    private GetSeedStatusRpcResult getSeedStatusRpc(byte[] bArr, long j, boolean z) throws BackendException {
        StatusRequest statusRequest = new StatusRequest();
        statusRequest.seedId = getSeedId(bArr);
        statusRequest.timestampSeconds = Long.toString(j);
        populateRequestWithTrackingInformation(statusRequest);
        statusRequest.localTime = getLocalTimeForBackend(System.currentTimeMillis());
        statusRequest.authCode = this.mCryptoOperations.generateStatusRequestMac(bArr, statusRequest);
        StatusResponse status = this.mBackend.getStatus(statusRequest);
        if (status.timestampSeconds != null) {
            if (z) {
                throw new BackendException(Backend.Error.GENERIC_ERROR, "Failed to check seed status: backend rejected the timestamp it previosly provided");
            }
            return getSeedStatusRpc(bArr, Long.parseLong(status.timestampSeconds), true);
        }
        GetSeedStatusRpcResult getSeedStatusRpcResult = new GetSeedStatusRpcResult(null);
        getSeedStatusRpcResult.response = status;
        getSeedStatusRpcResult.reseedRequestTimestampSeconds = j;
        return getSeedStatusRpcResult;
    }

    private void populateRequestWithTrackingInformation(RequestBase requestBase) {
        requestBase.appName = "Google Authenticator";
        requestBase.appVersion = this.mApplicationVersion;
        requestBase.os = "Android-" + Build.VERSION.RELEASE;
        requestBase.androidId = this.mAndroidId;
        requestBase.username = Utilities.getCorpAccountUsername(this.mAccountManager);
    }

    @Override // com.google.android.apps.authenticator.seedrotation.reseeder.Reseeder
    public void tryReseedIfNecessary(Reseeder.Collaborator collaborator) {
        Log.i(LOG_TAG, "tryReseedIfNecessary");
        NextInvocationTimeAccumulator nextInvocationTimeAccumulator = new NextInvocationTimeAccumulator(null);
        confirmSeedToBackendIfNecessary(collaborator, nextInvocationTimeAccumulator);
        checkSeedStatusAndReseedIfNecessary(collaborator, nextInvocationTimeAccumulator);
        long millisTillNextInvocation = nextInvocationTimeAccumulator.getMillisTillNextInvocation();
        if (millisTillNextInvocation == -1) {
            Log.i(LOG_TAG, "tryReseedIfNecessary DONE. No next invocation scheduled");
            return;
        }
        long min = Math.min(millisTillNextInvocation, RetryPolicy.MAX_TIME_BETWEEN_CONTACTING_BACKEND_MILLIS);
        Log.i(LOG_TAG, "tryReseedIfNecessary DONE. Next invocation in  " + (min / Utilities.MINUTE_IN_MILLIS) + " min");
        collaborator.scheduleNextAttemptIn(min);
    }
}
