package com.microsoft.identity.common.internal.broker;

import android.accounts.Account;
import android.content.Context;
import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import com.google.gson.Gson;
import com.microsoft.identity.client.BrokerUtils;
import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
import com.microsoft.identity.common.adal.internal.util.StringExtensions;
import com.microsoft.identity.common.exception.ClientException;
import com.microsoft.identity.common.exception.ErrorStrings;
import com.microsoft.identity.common.exception.IntuneAppProtectionPolicyRequiredException;
import com.microsoft.identity.common.exception.ServiceException;
import com.microsoft.identity.common.exception.UiRequiredException;
import com.microsoft.identity.common.internal.authorities.Authority;
import com.microsoft.identity.common.internal.authorities.AzureActiveDirectoryAuthority;
import com.microsoft.identity.common.internal.cache.registry.BrokerApplicationRegistryData;
import com.microsoft.identity.common.internal.cache.registry.DefaultBrokerApplicationRegistry;
import com.microsoft.identity.common.internal.controllers.ExceptionAdapter;
import com.microsoft.identity.common.internal.logging.Logger;
import com.microsoft.identity.common.internal.net.HttpRequest;
import com.microsoft.identity.common.internal.net.HttpResponse;
import com.microsoft.identity.common.internal.platform.Device;
import com.microsoft.identity.common.internal.providers.microsoft.microsoftsts.MicrosoftStsTokenResponse;
import com.microsoft.identity.common.internal.providers.oauth2.TokenErrorResponse;
import com.microsoft.identity.common.internal.request.BrokerAcquireTokenSilentOperationParameters;
import com.microsoft.identity.common.internal.request.SdkType;
import com.microsoft.identity.common.internal.telemetry.CliTelemInfo;
import com.microsoft.identity.common.internal.util.HeaderSerializationUtil;
import com.microsoft.identity.common.internal.util.StringUtil;
import com.microsoft.omadm.apppolicy.data.SafetyNetCacheTable;
import com.microsoft.workaccount.authenticatorservice.KeyHandler;
import com.microsoft.workaccount.workplacejoin.AccountManagerStorageHelper;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.TimeUnit;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes.dex */
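/**
 * Builds and sends the token-endpoint requests that obtain a Primary Refresh Token (PRT) with the
 * broker refresh token, and that redeem a PRT for access tokens on behalf of a calling app.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The PRT, the broker refresh token and the signed request JWTs are credentials. The log
 *       statements in this class emit only sizes, flags, status codes and the redirect URI; do
 *       not add logging of token or JWT values.</li>
 *   <li>Requests are signed either with the device key ({@code signWithDevice}) or with a key
 *       derived from the session key ({@code signWithDerivedKey}); the signing itself lives in
 *       {@link IKeyHandler} and is not visible here.</li>
 *   <li>{@code cloud_instance_host_name} from the server response is used to rebuild the
 *       authority URL without any check in this class. NOTE(review): confirm that a caller or a
 *       later layer validates the host against the known cloud instances.</li>
 * </ul>
 *
 * <p>This listing was recovered from compiled code, so parameter names are reconstructed from how
 * the values are used.
 */
public class PRTController {
    private static final String BROKER_CLIENT_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e";
    private static final String BROKER_VERSION = "3.1.3";
    private static final String BROKER_VERSION_HEADER = "x-client-brkrver";
    private static final String CONTENT_TYPE_FORM_URL_ENCODED = "application/x-www-form-urlencoded";
    private static final String JWT_BEARER_REQUEST = "grant_type=urn%3aietf%3aparams%3aoauth%3agrant-type%3ajwt-bearer&request";
    private static final String MICROSOFT_ENROLLMENT_PARAM = "microsoft_enrollment_id";
    private static final String NONCE_REQUEST_MSG = "grant_type=srv_challenge";
    private static final String REQUEST_HEADER_CLIENT_REQUEST_ID = "client-request-id";
    // Lifetime, in seconds, of the request JWTs built here (passed to setExp next to "iat").
    private static final long SECONDS_EXPIRE = 300L;
    private static final String TAG = "com.microsoft.identity.common.internal.broker.PRTController";
    private static final String WINDOWS_API_VERSION_PARAM = "windows_api_version";
    private static final String WINDOWS_API_VERSION = "2.0";
    private static final String SIGNING_FAILED_MESSAGE =
            "Signing with device certificate failed, unable to create a valid signed JWT body for PRT request";

    private final AccountManagerStorageHelper mAccountManagerStorageHelper;
    private final Context mContext;
    private final KeyHandler mKeyHandler;

    /**
     * Creates a controller whose storage helper and key handler are bound to {@code context}.
     *
     * @param context Android context handed to the storage helper, key handler and app registry
     */
    public PRTController(Context context) {
        this.mContext = context;
        this.mAccountManagerStorageHelper = new AccountManagerStorageHelper(context);
        this.mKeyHandler = new KeyHandler(context);
    }

    /**
     * Records the calling app (client id + caller uid) in the broker application registry with
     * WPJ account access allowed.
     *
     * <p>Called only from the "protection policy required" error path, so the registry entry is
     * created as a side effect of a server error response.
     */
    private void addClientToBrokerAppRegistry(BrokerAcquireTokenSilentOperationParameters parameters) {
        BrokerApplicationRegistryData registryEntry = new BrokerApplicationRegistryData();
        registryEntry.setWpjAccountAccessAllowed(true);
        registryEntry.setClientId(parameters.getClientId());
        registryEntry.setUid(parameters.getCallerUId());
        String prtAuthority = this.mAccountManagerStorageHelper.getPRTAuthority(parameters.getAccountManagerAccount());
        if (!TextUtils.isEmpty(prtAuthority)) {
            registryEntry.setEnvironment(BrokerUtils.getEnvironmentFromAuthority(prtAuthority));
        }
        new DefaultBrokerApplicationRegistry(this.mContext).insert(registryEntry);
    }

    /** Returns {@code authorityUrl} with the v2.0 token path appended. */
    private static String constructTokenEndpointForAcquiringAT(URL authorityUrl) {
        return authorityUrl + "/oauth2/v2.0/token";
    }

    /**
     * Returns the HTTPS {@code /common/oauth2/v2.0/token} endpoint on the host of
     * {@code authorityUrl}; the tenant path of the authority is deliberately not used.
     */
    private static String constructTokenEndpointForAcquiringPRT(URL authorityUrl) {
        return new Uri.Builder()
                .scheme("https")
                .authority(authorityUrl.getAuthority())
                .appendPath("common")
                .appendPath("oauth2")
                .appendPath("v2.0")
                .appendPath("token")
                .toString();
    }

    /**
     * Decrypts a JWE token response with the key handler's derived key.
     *
     * @param jweCompact the response body, parsed by {@link JweResponse#parseJwe}
     * @param keyHandler performs the decryption from IV, derivation context and ciphertext
     * @return the decrypted payload decoded as UTF-8
     * @throws IllegalArgumentException if the header algorithm is missing or is neither
     *     {@code A256GCM} nor {@code dir}
     */
    private String decryptTokenResponse(String jweCompact, IKeyHandler keyHandler) throws JSONException, UnsupportedEncodingException, ClientException {
        JweResponse jwe = JweResponse.parseJwe(jweCompact);
        // Constant-first comparison: a response without the algorithm header is rejected with
        // the same IllegalArgumentException instead of failing with a NullPointerException.
        // NOTE(review): "dir" is a JWE key-management ("alg") value while "A256GCM" is a content
        // encryption ("enc") value; confirm which header field headerEncryptionAlgorithm maps to.
        String algorithm = jwe.header.headerEncryptionAlgorithm;
        if (!"A256GCM".equalsIgnoreCase(algorithm) && !"dir".equalsIgnoreCase(algorithm)) {
            throw new IllegalArgumentException("Invalid encryption algorithm");
        }
        byte[] iv = Base64.decode(jwe.iv, Base64.URL_SAFE);
        byte[] cipherText = Base64.decode(jwe.payload, Base64.URL_SAFE);
        byte[] derivationContext = Base64.decode(jwe.header.headerContext, Base64.DEFAULT);
        // Sizes only: the decoded values are key material and ciphertext and must not be logged.
        Logger.verbose(TAG, "Decrypting the token response for using PRT. IV size:" + iv.length + " payload size:" + cipherText.length + " ctx size:" + derivationContext.length);
        return new String(keyHandler.decryptUsingDerivedKey(iv, derivationContext, cipherText), "UTF-8");
    }

    /**
     * Serialises header and payload with Gson and joins their base64url forms with a dot.
     * The result is unsigned; callers append the signature segment themselves.
     */
    private static String generateJWT(JoinedAccountRequest header, JoinedAccountRequest payload) throws UnsupportedEncodingException {
        Logger.verbose(TAG, "Generating JWT.");
        Gson gson = new Gson();
        String encodedHeader = StringExtensions.encodeBase64URLSafeString(gson.toJson(header).getBytes("UTF-8"));
        String encodedPayload = StringExtensions.encodeBase64URLSafeString(gson.toJson(payload).getBytes("UTF-8"));
        return encodedHeader + "." + encodedPayload;
    }

    /**
     * Flattens the top-level members of a JSON object into a string map.
     *
     * @throws JSONException if {@code body} is not a JSON object or a member cannot be read as a
     *     string
     */
    private static Map<String, String> getJsonResponse(String body) throws JSONException {
        Map<String, String> values = new HashMap<>();
        JSONObject json = new JSONObject(body);
        Iterator<String> keys = json.keys();
        while (keys.hasNext()) {
            String key = keys.next();
            values.put(key, json.getString(key));
        }
        return values;
    }

    /**
     * Looks up the Intune MAM enrollment id for the calling package and account.
     *
     * @return the enrollment id, URL-form-encoded, or {@code null} when no user id or no
     *     enrollment id is available
     */
    private String getMicrosoftEnrollmentId(BrokerAcquireTokenSilentOperationParameters parameters) throws UnsupportedEncodingException {
        final String methodTag = TAG + ":getMicrosoftEnrollmentId";
        Logger.info(methodTag, "Attempting to get Microsoft Enrollment id ");
        String userId = parameters.getLocalAccountId();
        if (TextUtils.isEmpty(userId)) {
            Logger.info(methodTag, "Local account id is empty, attempting get user id from home account id");
            userId = BrokerUtils.getUIdFromHomeAccountId(parameters.getHomeAccountId());
        }
        if (TextUtils.isEmpty(userId)) {
            Logger.warn(methodTag, "uid is empty or null, cannot get enrollment id");
            return null;
        }
        String enrollmentId = IntuneMAMEnrollmentIdGateway.getInstance()
                .getEnrollmentId(parameters.getAppContext(), userId, parameters.getCallerPackageName());
        if (TextUtils.isEmpty(enrollmentId)) {
            Logger.info(methodTag, "Device not enrolled as IntuneMAMEnrollment returned an empty or null enrollment id");
            return null;
        }
        String encodedEnrollmentId = StringExtensions.urlFormEncode(enrollmentId);
        Logger.info(methodTag, "Enrollment id successfully retrieved, adding to token request");
        return encodedEnrollmentId;
    }

    /**
     * Requests a server nonce ({@code grant_type=srv_challenge}) from the token endpoint.
     *
     * @return the nonce, or {@code null} when the response is not HTTP 200 or carries no nonce
     */
    private String getNonce(String tokenEndpoint, String correlationId) throws IOException, JSONException {
        Logger.info(TAG, "Starting to request for nonce.");
        TreeMap<String, String> headers = new TreeMap<>();
        headers.put(REQUEST_HEADER_CLIENT_REQUEST_ID, correlationId);
        HttpResponse response = HttpRequest.sendPost(new URL(tokenEndpoint), headers, NONCE_REQUEST_MSG.getBytes("UTF-8"), CONTENT_TYPE_FORM_URL_ENCODED);
        String nonce = null;
        if (response.getStatusCode() == 200) {
            Map<String, String> json = getJsonResponse(response.getBody());
            nonce = json.get(AuthenticationConstants.Broker.PRT_NONCE);
            if (nonce == null) {
                nonce = json.get(SafetyNetCacheTable.COLUMN_NONCE);
            }
        }
        // Only the presence of the nonce is logged, never its value.
        Logger.info(TAG + ":getNonce", "Nonce not null :" + (nonce != null) + " response code: " + response.getStatusCode());
        return nonce;
    }

    /**
     * Chooses the authority for a PRT redemption: the stored PRT authority when the request
     * targets {@code common} and a stored authority exists, otherwise the request authority.
     */
    private String getPrtAuthorityForHomeTenant(String requestAuthority, Account account) {
        String storedPrtAuthority = this.mAccountManagerStorageHelper.getPRTAuthority(account);
        // An authority URL without a path has no first segment; treat it as "not common" rather
        // than failing with IndexOutOfBoundsException.
        List<String> pathSegments = Uri.parse(requestAuthority).getPathSegments();
        boolean targetsCommon = !pathSegments.isEmpty() && pathSegments.get(0).equalsIgnoreCase("common");
        return (targetsCommon && !TextUtils.isEmpty(storedPrtAuthority)) ? storedPrtAuthority : requestAuthority;
    }

    /**
     * Builds the form body that exchanges the broker refresh token for a PRT: an RS256 JWT that
     * carries the device certificate chain and is signed with the device key.
     */
    private String getPrtRequestBody(IKeyHandler keyHandler, String brokerRefreshToken) throws IOException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, CertificateEncodingException {
        Logger.info(TAG, "Building request for acquiring PRT with RT.");
        JoinedAccountRequest header = new JoinedAccountRequest();
        header.setType();
        header.setAlg(JoinedAccountRequest.ALG_VALUE_RS256);
        header.setCert(keyHandler.getDeviceCertX5c());

        JoinedAccountRequest payload = new JoinedAccountRequest();
        payload.setPrt(brokerRefreshToken);
        payload.setClientId(BROKER_CLIENT_ID);
        payload.setJwtScope(AuthenticationConstants.OAuth2Scopes.AZA_SCOPE);
        payload.setGrantType("refresh_token");

        String unsignedJwt = generateJWT(header, payload);
        String signedJwt = unsignedJwt + "." + keyHandler.signWithDevice(unsignedJwt);
        return JWT_BEARER_REQUEST + "=" + signedJwt;
    }

    /**
     * Builds the form body that redeems a PRT for tokens: an HS256 JWT signed with the derived
     * key, bound to a freshly requested server nonce, plus unsigned outer parameters.
     *
     * @param prt the PRT refresh-token value placed in the JWT payload
     * @param parameters the silent-request parameters of the calling app
     * @param authorityUrl authority used as JWT audience and as base of the nonce endpoint
     */
    private String getRequestBodyForTokenRequest(String prt, BrokerAcquireTokenSilentOperationParameters parameters, URL authorityUrl) throws IOException, JSONException, ClientException {
        JoinedAccountRequest header = new JoinedAccountRequest();
        header.setType();
        header.setAlg(JoinedAccountRequest.ALG_VALUE_HS256);
        header.setCtx(new String(Base64.encode(this.mKeyHandler.getDerivedKey().getCtx(), Base64.NO_PADDING | Base64.NO_WRAP), "UTF-8"));

        JoinedAccountRequest payload = new JoinedAccountRequest();
        payload.setAudience(authorityUrl.toString());
        payload.setIssuer(BROKER_CLIENT_ID);
        Logger.info(TAG, parameters.getCorrelationId(), "Token request with PRT, constructing redirect with calling app package name and signature.is : " + parameters.getRedirectUri());
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        payload.setIat(nowSeconds);
        payload.setNBF(nowSeconds);
        payload.setExp(nowSeconds, SECONDS_EXPIRE);
        payload.setJwtScope(TextUtils.join(" ", parameters.getScopes()));
        payload.setGrantType("refresh_token");
        payload.setClientId(parameters.getClientId());
        // NOTE(review): getNonce returns null when the challenge request fails; the JWT is then
        // built without a nonce. Presumably the server rejects it; confirm, or fail here.
        payload.setNonce(getNonce(constructTokenEndpointForAcquiringAT(authorityUrl), parameters.getCorrelationId()));
        payload.setPrt(prt);

        String unsignedJwt = generateJWT(header, payload);
        String signedJwt = unsignedJwt + "." + this.mKeyHandler.signWithDerivedKey(unsignedJwt);

        Uri.Builder body = new Uri.Builder();
        body.appendQueryParameter(WINDOWS_API_VERSION_PARAM, WINDOWS_API_VERSION);
        body.appendQueryParameter("redirect_uri", parameters.getRedirectUri());
        body.appendQueryParameter("client_info", "1");
        body.appendQueryParameter("client_id", parameters.getClientId());
        // The key is a pre-encoded "grant_type=...&request" fragment; it only comes out right
        // because getQuery() below undoes the encoding applied by appendQueryParameter.
        body.appendQueryParameter(JWT_BEARER_REQUEST, signedJwt);
        if (!TextUtils.isEmpty(parameters.getClaimsRequestJson())) {
            body.appendQueryParameter("claims", parameters.getClaimsRequestJson());
        }
        if (parameters.getSdkType() == SdkType.ADAL) {
            body.appendQueryParameter("itver", "1");
        }
        if (!TextUtils.isEmpty(parameters.getCallerPackageName())) {
            body.appendQueryParameter("x-app-name", parameters.getCallerPackageName());
        }
        if (!TextUtils.isEmpty(parameters.getCallerAppVersion())) {
            body.appendQueryParameter("x-app-ver", parameters.getCallerAppVersion());
        }
        String enrollmentId = getMicrosoftEnrollmentId(parameters);
        if (!TextUtils.isEmpty(enrollmentId)) {
            body.appendQueryParameter(MICROSOFT_ENROLLMENT_PARAM, enrollmentId);
        }
        // NOTE(review): Uri.getQuery() returns the DECODED query, so redirect_uri, claims,
        // x-app-name and x-app-ver reach the form body unescaped. A value containing '&' or '='
        // would change the structure of the body; these outer parameters are not covered by the
        // JWT signature. Consider emitting grant_type and request as separate parameters and
        // using getEncodedQuery() once the server-side encoding expectations are confirmed.
        return body.build().getQuery();
    }

    /**
     * Builds a signed refresh credential (HS256 JWT over the stored PRT) used to resolve an
     * interrupt.
     *
     * @param account account whose PRT is loaded from the key handler
     * @param iKeyHandler supplies the PRT, the derived-key context and the signature
     * @param authority authority whose host selects the PRT token endpoint
     * @return {@code header.payload.signature}, or an empty string when no PRT is stored
     * @throws ClientException with code {@code unsupported_encoding} if UTF-8 is unavailable
     */
    public static String getResolveInterruptRefreshCredential(Account account, IKeyHandler iKeyHandler, Authority authority) throws ClientException {
        Logger.info(TAG, "Generating the the refresh credential to resolve interrupt.");
        try {
            PrimaryRefreshToken prt = iKeyHandler.getPRT(account, constructTokenEndpointForAcquiringPRT(authority.getAuthorityURL()));
            if (TextUtils.isEmpty(prt.getRefreshToken())) {
                return "";
            }
            JoinedAccountRequest header = new JoinedAccountRequest();
            header.setType();
            header.setAlg(JoinedAccountRequest.ALG_VALUE_HS256);
            header.setKId("session");
            header.setCtx(new String(Base64.encode(iKeyHandler.getDerivedKey().getCtx(), Base64.NO_PADDING | Base64.NO_WRAP), "UTF-8"));

            JoinedAccountRequest payload = new JoinedAccountRequest();
            long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
            payload.setIat(nowSeconds);
            payload.setNBF(nowSeconds);
            payload.setExp(nowSeconds, SECONDS_EXPIRE);
            payload.setJwtScope(AuthenticationConstants.OAuth2Scopes.OFFLINE_ACCESS_SCOPE + " openid profile " + AuthenticationConstants.OAuth2Scopes.AZA_SCOPE);
            payload.setPrt(prt.getRefreshToken());

            String unsignedJwt = generateJWT(header, payload);
            return unsignedJwt + "." + iKeyHandler.signWithDerivedKey(unsignedJwt);
        } catch (UnsupportedEncodingException e) {
            // Keep the cause so the original stack trace survives the wrapping.
            throw new ClientException("unsupported_encoding", e.getMessage(), e);
        }
    }

    /** True for {@code unauthorized_client} with the protection-policy-required sub-error. */
    private static boolean isIntunePolicyRequiredError(TokenErrorResponse errorResponse) {
        String error = errorResponse.getError();
        String subError = errorResponse.getSubError();
        if (TextUtils.isEmpty(error) || TextUtils.isEmpty(subError)) {
            return false;
        }
        return error.equalsIgnoreCase("unauthorized_client")
                && subError.equalsIgnoreCase(AuthenticationConstants.OAuth2SubErrorCode.PROTECTION_POLICY_REQUIRED);
    }

    /**
     * Converts a non-200 token response into a {@link ServiceException} and throws it. This
     * method never returns normally.
     *
     * @param defaultErrorDescription description used when the body carries no
     *     {@code error_description}
     * @param logMessage context string written to the warning log
     * @param correlationId set on the thrown exception and used for logging
     * @param parameters request parameters, or {@code null} when the Intune policy handling must
     *     be skipped
     * @param response the failed HTTP response
     */
    private void parseAndThrowException(String defaultErrorDescription, String logMessage, String correlationId, BrokerAcquireTokenSilentOperationParameters parameters, HttpResponse response) throws ServiceException {
        final String methodTag = TAG + ":parseAndThrowException";
        ServiceException serviceException;
        try {
            if (TextUtils.isEmpty(response.getBody())) {
                Logger.warn(methodTag, correlationId, "Json Parse error: Http Request body null or empty");
                serviceException = new ServiceException("json_parse_failure", "Http Request body null or empty", response.getStatusCode(), null);
            } else {
                Map<String, String> json = getJsonResponse(response.getBody());
                String error = TextUtils.isEmpty(json.get("error")) ? String.valueOf(response.getStatusCode()) : json.get("error");
                String subError = json.get(AuthenticationConstants.OAuth2.SUBERROR);
                String description = TextUtils.isEmpty(json.get("error_description")) ? defaultErrorDescription : json.get("error_description");
                Logger.warn(methodTag, correlationId, "Error from the server ." + defaultErrorDescription + ", " + logMessage + ", " + response.getStatusCode());

                TokenErrorResponse errorResponse = new TokenErrorResponse();
                errorResponse.setError(error);
                errorResponse.setSubError(subError);
                errorResponse.setErrorDescription(description);
                errorResponse.setStatusCode(response.getStatusCode());
                errorResponse.setResponseBody(response.getBody());
                errorResponse.setResponseHeadersJson(HeaderSerializationUtil.toJson(response.getHeaders()));

                if (isIntunePolicyRequiredError(errorResponse) && parameters != null) {
                    IntuneAppProtectionPolicyRequiredException intuneException =
                            new IntuneAppProtectionPolicyRequiredException(errorResponse.getError(), errorResponse.getErrorDescription());
                    intuneException.setOauthSubErrorCode(errorResponse.getSubError());
                    intuneException.setHttpResponse(response);
                    setIntuneExceptionProperties(intuneException, parameters);
                    addClientToBrokerAppRegistry(parameters);
                    serviceException = intuneException;
                } else {
                    serviceException = ExceptionAdapter.getExceptionFromTokenErrorResponse(errorResponse);
                }
            }
        } catch (JSONException e) {
            Logger.error(methodTag, correlationId, "Json Parse error: Unable to parse Request body", e);
            serviceException = new ServiceException("json_parse_failure", "Unable to parse Request body ", response.getStatusCode(), e);
        }
        if (response.getHeaders() != null) {
            List<String> cliTelemValues = response.getHeaders().get(AuthenticationConstants.HeaderField.X_MS_CLITELEM);
            if (cliTelemValues != null && !cliTelemValues.isEmpty()) {
                ExceptionAdapter.applyCliTelemInfo(CliTelemInfo.fromXMsCliTelemHeader(cliTelemValues.get(0)), serviceException);
            }
        }
        serviceException.setCorrelationId(correlationId);
        throw serviceException;
    }

    /**
     * Maps the JSON members of a PRT response onto a {@link PrimaryRefreshToken}.
     *
     * <p>NOTE(review): {@code expires_in} is parsed with {@link Integer#parseInt}, so a
     * non-numeric value surfaces as an unchecked {@link NumberFormatException} that no caller in
     * this class catches. {@code cloud_instance_host_name} is taken from the response as-is.
     */
    private PrimaryRefreshToken parsePrtResponse(Map<String, String> response, Authority authority) {
        PrimaryRefreshToken prt = new PrimaryRefreshToken();
        prt.setIdToken(response.get("id_token"));
        prt.setSessionKeyJwe(response.get(AuthenticationConstants.OAuth2.SESSION_KEY_JWE));
        prt.setRefreshToken(response.get("refresh_token"));

        String cloudHost = response.get("cloud_instance_host_name");
        if (StringExtensions.isNullOrBlank(cloudHost)) {
            prt.setAuthority(authority.getAuthorityURL().toString());
        } else {
            prt.setAuthority(new Uri.Builder()
                    .scheme("https")
                    .authority(cloudHost)
                    .path(authority.getAuthorityURL().getPath())
                    .build()
                    .toString()
                    .toLowerCase(Locale.US));
        }

        String expiresIn = response.get("expires_in");
        if (expiresIn != null) {
            prt.setExpiresIn(Integer.parseInt(expiresIn));
        }
        return prt;
    }

    /**
     * Posts the PRT request body to the PRT token endpoint and parses a 200 response.
     *
     * @throws ServiceException for every non-200 response
     */
    private PrimaryRefreshToken sendRequestToGetPrt(String requestBody, Authority authority, String correlationId) throws JSONException, IOException, ServiceException {
        Logger.info(TAG, "Sending request to get PRT with broker RT.");
        TreeMap<String, String> headers = new TreeMap<>();
        headers.put(REQUEST_HEADER_CLIENT_REQUEST_ID, correlationId);
        headers.putAll(Device.getPlatformIdParameters());
        headers.put(BROKER_VERSION_HEADER, BROKER_VERSION);
        HttpResponse response = HttpRequest.sendPost(
                new URL(constructTokenEndpointForAcquiringPRT(authority.getAuthorityURL())),
                headers,
                requestBody.getBytes("UTF-8"),
                CONTENT_TYPE_FORM_URL_ENCODED);
        if (response.getStatusCode() == 200) {
            return parsePrtResponse(getJsonResponse(response.getBody()), authority);
        }
        parseAndThrowException(ErrorStrings.BROKER_PRT_REFRESH_FAILED, "Request to refresh PRT with BRT failed", correlationId, null, response);
        // Not reached: parseAndThrowException always throws. Present only to satisfy the compiler.
        return new PrimaryRefreshToken();
    }

    /** Copies the fields of the client-telemetry response header, when present, onto the token response. */
    private void setClientTelemetryToBrokerTokenResponse(MicrosoftStsTokenResponse tokenResponse, HttpResponse response) {
        if (response.getHeaders() == null) {
            return;
        }
        List<String> cliTelemValues = response.getHeaders().get(AuthenticationConstants.HeaderField.X_MS_CLITELEM);
        if (cliTelemValues == null || cliTelemValues.isEmpty()) {
            return;
        }
        CliTelemInfo cliTelemInfo = CliTelemInfo.fromXMsCliTelemHeader(cliTelemValues.get(0));
        if (cliTelemInfo == null) {
            return;
        }
        tokenResponse.setSpeRing(cliTelemInfo.getSpeRing());
        tokenResponse.setRefreshTokenAge(cliTelemInfo.getRefreshTokenAge());
        tokenResponse.setCliTelemErrorCode(cliTelemInfo.getServerErrorCode());
        tokenResponse.setCliTelemSubErrorCode(cliTelemInfo.getServerSubErrorCode());
    }

    /**
     * Fills UPN, user id, authority URL and tenant id on the exception from the request
     * parameters. The tenant id comes from the home account id, falling back to the audience of
     * an Azure AD authority.
     */
    private void setIntuneExceptionProperties(IntuneAppProtectionPolicyRequiredException exception, BrokerAcquireTokenSilentOperationParameters parameters) {
        Logger.info(TAG, "Setting propeties to IntuneAppProtectionPolicyRequiredException ");
        Account account = parameters.getAccountManagerAccount();
        exception.setAccountUpn(account != null ? account.name : parameters.getLoginHint());

        String userId = parameters.getLocalAccountId();
        if (TextUtils.isEmpty(userId)) {
            Logger.info(TAG, "Local account id is empty, attempting get user id from home account id");
            userId = BrokerUtils.getUIdFromHomeAccountId(parameters.getHomeAccountId());
        }
        exception.setAccountUserId(userId);

        Authority authority = parameters.getAuthority();
        exception.setAuthorityUrl(authority.getAuthorityURL().toString());

        String homeAccountId = parameters.getHomeAccountId();
        String tenantId = homeAccountId != null ? (String) StringUtil.getTenantInfo(homeAccountId).second : null;
        if (TextUtils.isEmpty(tenantId) && (authority instanceof AzureActiveDirectoryAuthority)) {
            tenantId = ((AzureActiveDirectoryAuthority) authority).mAudience.getTenantId();
        }
        exception.setTenantId(tenantId);
    }

    /**
     * Rewrites the response authority to the cloud instance host named in the response, keeping
     * the path of the request authority. Does nothing when the response names no host.
     *
     * <p>NOTE(review): the host name is not checked against known cloud instances here.
     */
    private void updateAuthorityWithCloudInstanceHostName(MicrosoftStsTokenResponse tokenResponse, Authority authority) {
        String cloudHost = tokenResponse.getCloudInstanceHostName();
        if (TextUtils.isEmpty(cloudHost)) {
            return;
        }
        tokenResponse.setAuthority(new Uri.Builder()
                .scheme("https")
                .authority(cloudHost)
                .path(authority.getAuthorityURL().getPath())
                .build()
                .toString()
                .toLowerCase(Locale.US));
    }

    /**
     * Returns the stored PRT for the account, or acquires one with the broker refresh token and
     * stores it when none exists.
     *
     * @param account the account whose PRT is requested
     * @param authority authority whose host selects the PRT token endpoint
     * @param correlationId sent as {@code client-request-id} and used for logging
     * @param delayMillis when positive, time to sleep before requesting a new PRT
     * @return the stored or newly acquired PRT
     * @throws ClientException for URL, network, I/O, signing and certificate failures
     * @throws ServiceException when no broker refresh token exists, the server rejects the
     *     request, or the response cannot be parsed
     */
    public PrimaryRefreshToken getPrimaryRefreshToken(Account account, Authority authority, String correlationId, int delayMillis) throws ClientException, ServiceException {
        final String methodTag = TAG + ":getPrimaryRefreshToken";
        try {
            this.mAccountManagerStorageHelper.restoreWPJAccount();
            PrimaryRefreshToken prt = this.mKeyHandler.getPRT(account, constructTokenEndpointForAcquiringPRT(authority.getAuthorityURL()));
            if (!TextUtils.isEmpty(prt.getRefreshToken())) {
                Logger.info(methodTag, correlationId, " PRT exists in AccountManager");
                return prt;
            }

            Logger.info(methodTag, correlationId, "PRT doesn't exist in AccountManager, checking for Broker RT");
            String brokerRefreshToken = BrokerUtils.getBrokerRT(account, this.mContext);
            if (TextUtils.isEmpty(brokerRefreshToken)) {
                Logger.error(methodTag, correlationId, " Broker RT is null or empty", null);
                throw new UiRequiredException(ErrorStrings.INVALID_BROKER_REFRESH_TOKEN, "Broker RT is null or empty");
            }
            Logger.info(methodTag, correlationId, "Broker Rt available, Requesting PRT with Broker RT");
            if (delayMillis > 0) {
                try {
                    Thread.sleep(delayMillis);
                } catch (InterruptedException interrupted) {
                    Logger.info(methodTag, "Failed to sleep before PRT acquisition");
                    // Restore the flag so the caller can still observe the interruption.
                    Thread.currentThread().interrupt();
                }
            }
            prt = sendRequestToGetPrt(getPrtRequestBody(this.mKeyHandler, brokerRefreshToken), authority, correlationId);
            if (!TextUtils.isEmpty(prt.getRefreshToken())) {
                this.mKeyHandler.savePRT(account, prt);
            }
            return prt;
        } catch (MalformedURLException e) {
            throw new ClientException(ErrorStrings.AUTHORITY_URL_NOT_VALID, e.getMessage(), e);
        } catch (SocketTimeoutException e) {
            throw new ClientException("device_network_not_available", e.getMessage(), e);
        } catch (IOException e) {
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            // The recovered listing assigned to an undeclared variable in each of these handlers
            // and did not compile; one multi-catch keeps the same error code and message.
            throw new ClientException(ErrorStrings.SIGNATURE_EXCEPTION, SIGNING_FAILED_MESSAGE, e);
        } catch (CertificateEncodingException e) {
            throw new ClientException(ErrorStrings.CERTIFICATE_ENCODING_ERROR, "Unable to retrieve encoded certificate to sign the JWT", e);
        } catch (JSONException e) {
            throw new ServiceException("invalid_jwt", e.getMessage(), e);
        }
    }

    /**
     * Redeems a PRT for tokens for the calling app and decrypts the JWE response.
     *
     * @param primaryRefreshToken the PRT to redeem; its id token is reused when the response has
     *     none
     * @param brokerAcquireTokenSilentOperationParameters the silent request of the calling app
     * @return the decrypted token response with authority and client telemetry filled in
     * @throws ClientException when the PRT is empty or a URL, encoding, network or I/O failure
     *     occurs
     * @throws ServiceException when the server returns a non-200 response or the response is not
     *     valid JSON
     * @throws IllegalArgumentException when the JWE response names an unsupported algorithm
     */
    public MicrosoftStsTokenResponse renewAccessTokenWithPRT(PrimaryRefreshToken primaryRefreshToken, BrokerAcquireTokenSilentOperationParameters brokerAcquireTokenSilentOperationParameters) throws ClientException, ServiceException {
        final String methodTag = TAG + ":renewAccessTokenWithPRT";
        final BrokerAcquireTokenSilentOperationParameters parameters = brokerAcquireTokenSilentOperationParameters;
        Logger.info(TAG, ":renewAccessTokenWithPRT Sending request to get access token using PRT");
        if (TextUtils.isEmpty(primaryRefreshToken.getRefreshToken())) {
            Logger.error(TAG, ":renewAccessTokenWithPRT PRT is null or empty", null);
            throw new ClientException(ErrorStrings.NO_TOKENS_FOUND, "PRT is null or empty");
        }
        try {
            TreeMap<String, String> headers = new TreeMap<>();
            headers.put(REQUEST_HEADER_CLIENT_REQUEST_ID, parameters.getCorrelationId());
            headers.putAll(Device.getPlatformIdParameters());
            headers.put(BROKER_VERSION_HEADER, BROKER_VERSION);

            String requestAuthority = getPrtAuthorityForHomeTenant(
                    parameters.getAuthority().getAuthorityURL().toString(),
                    parameters.getAccountManagerAccount());
            URL authorityUrl = new URL(requestAuthority);
            HttpResponse response = HttpRequest.sendPost(
                    new URL(constructTokenEndpointForAcquiringAT(authorityUrl)),
                    headers,
                    getRequestBodyForTokenRequest(primaryRefreshToken.getRefreshToken(), parameters, authorityUrl).getBytes("UTF-8"),
                    CONTENT_TYPE_FORM_URL_ENCODED);
            if (response.getStatusCode() != 200) {
                Logger.info(methodTag, parameters.getCorrelationId(), "Server Http error, Received refresh_token with PRT response with status code " + response.getStatusCode());
                parseAndThrowException(ErrorStrings.AUTH_REFRESH_FAILED, "Refresh Token request with PRT failed", parameters.getCorrelationId(), parameters, response);
                // Not reached: parseAndThrowException always throws.
                return null;
            }
            Logger.info(methodTag, "Successful response for from Token endpoint for refresh_token using PRT ");
            String decryptedBody = decryptTokenResponse(response.getBody(), this.mKeyHandler);
            MicrosoftStsTokenResponse tokenResponse = new Gson().fromJson(decryptedBody, MicrosoftStsTokenResponse.class);
            updateAuthorityWithCloudInstanceHostName(tokenResponse, parameters.getAuthority());
            if (TextUtils.isEmpty(tokenResponse.getAuthority())) {
                tokenResponse.setAuthority(requestAuthority);
            }
            if (TextUtils.isEmpty(tokenResponse.getIdToken()) && !TextUtils.isEmpty(primaryRefreshToken.getIdToken())) {
                tokenResponse.setIdToken(primaryRefreshToken.getIdToken());
            }
            setClientTelemetryToBrokerTokenResponse(tokenResponse, response);
            return tokenResponse;
        } catch (UnsupportedEncodingException e) {
            throw new ClientException("unsupported_encoding", e.getMessage(), e);
        } catch (MalformedURLException e) {
            throw new ClientException(ErrorStrings.AUTHORITY_URL_NOT_VALID, e.getMessage(), e);
        } catch (SocketTimeoutException e) {
            throw new ClientException("device_network_not_available", e.getMessage(), e);
        } catch (IOException e) {
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (JSONException e) {
            throw new ServiceException("invalid_jwt", e.getMessage(), e);
        }
    }
}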
