package slack.services.accountmanager.impl.security;

import androidx.camera.video.Recorder$$ExternalSyntheticOutline0;
import haxe.root.TSF$$ExternalSyntheticOutline0;
import io.reactivex.rxjava3.core.MaybeOnSubscribe;
import io.reactivex.rxjava3.functions.Consumer;
import io.reactivex.rxjava3.internal.operators.maybe.MaybeCreate;
import io.reactivex.rxjava3.internal.operators.maybe.MaybeSubscribeOn;
import io.reactivex.rxjava3.internal.operators.maybe.MaybeTimeoutMaybe;
import io.reactivex.rxjava3.internal.operators.maybe.MaybeTimer;
import io.reactivex.rxjava3.schedulers.Schedulers;
import java.security.GeneralSecurityException;
import java.util.LinkedHashSet;
import java.util.concurrent.CancellationException;
import java.util.concurrent.TimeUnit;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Unit;
import kotlin.collections.SlidingWindowKt;
import kotlin.collections.builders.ListBuilder;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import slack.crypto.security.CachedFail;
import slack.crypto.security.Decrypted;
import slack.crypto.security.DecryptedCache;
import slack.crypto.security.DecryptionResult;
import slack.crypto.security.TinkCryptoAtomic;
import slack.foundation.auth.AuthToken;
import slack.libraries.accountmanager.api.SecureAccountTokenProvider;
import slack.persistence.users.UsersQueries$$ExternalSyntheticLambda0;
import slack.telemetry.helper.NetworkCondition;
import slack.telemetry.metric.Metrics;
import slack.telemetry.tracing.EmptyTraceTime;
import slack.telemetry.tracing.SampleRate;
import slack.telemetry.tracing.Spannable;
import slack.telemetry.tracing.SpannableExtensionsKt;
import slack.telemetry.tracing.TraceContext;
import slack.telemetry.tracing.Tracer;
import slack.telemetry.tracing.TracingParameters;
import timber.log.Timber;

/* loaded from: classes4.dex */
public final class TokenDecryptHelperImpl {
    public final LinkedHashSet failedDecryptionsFromBadTag;
    public final LinkedHashSet failedSecureTokenStoreFetches;
    public final Metrics metrics;
    public final SecureAccountTokenProvider secureAccountTokenProvider;
    public final TinkCryptoAtomic tinkCrypto;
    public final TinkCryptoAtomic tinkCryptoSecondary;
    public final Tracer tracer;

    public TokenDecryptHelperImpl(TinkCryptoAtomic tinkCryptoAtomic, TinkCryptoAtomic tinkCryptoAtomic2, SecureAccountTokenProvider secureAccountTokenProvider, Tracer tracer, Metrics metrics) {
        Intrinsics.checkNotNullParameter(secureAccountTokenProvider, "secureAccountTokenProvider");
        Intrinsics.checkNotNullParameter(tracer, "tracer");
        Intrinsics.checkNotNullParameter(metrics, "metrics");
        this.tinkCrypto = tinkCryptoAtomic;
        this.tinkCryptoSecondary = tinkCryptoAtomic2;
        this.secureAccountTokenProvider = secureAccountTokenProvider;
        this.tracer = tracer;
        this.metrics = metrics;
        this.failedDecryptionsFromBadTag = new LinkedHashSet();
        this.failedSecureTokenStoreFetches = new LinkedHashSet();
    }

    public final NetworkCondition decrypt(TinkCryptoAtomic tinkCryptoAtomic, Function1 function1, AuthToken authToken) {
        NetworkCondition networkCondition;
        Metrics metrics = this.metrics;
        TokenDecryptHelperImpl$DecryptResult$Failed tokenDecryptHelperImpl$DecryptResult$Failed = TokenDecryptHelperImpl$DecryptResult$Failed.INSTANCE;
        try {
            Spannable trace = this.tracer.trace(TokenDecryptHelperImpl$decrypt$decryptSpannable$1.INSTANCE);
            trace.appendTag("type", tinkCryptoAtomic.getType());
            trace.appendTag("encrypt_value", "TOKEN");
            trace.start();
            Object invoke = function1.invoke(authToken);
            if (invoke == null) {
                throw new IllegalStateException(("[" + tinkCryptoAtomic.getType() + "] encryptedToken for should not be null.").toString());
            }
            DecryptionResult decrypt = tinkCryptoAtomic.decrypt((String) invoke);
            if (decrypt instanceof Decrypted) {
                trace.complete(false);
            } else {
                trace.cancel();
            }
            if (decrypt instanceof DecryptedCache) {
                trace.cancel();
                networkCondition = new NetworkCondition(DecryptionResult.getClearText(decrypt));
            } else {
                if (!(decrypt instanceof Decrypted)) {
                    if (!(decrypt instanceof CachedFail)) {
                        throw new NoWhenBranchMatchedException();
                    }
                    trace.cancel();
                    return tokenDecryptHelperImpl$DecryptResult$Failed;
                }
                trace.complete(false);
                networkCondition = new NetworkCondition(DecryptionResult.getClearText(decrypt));
            }
            return networkCondition;
        } catch (GeneralSecurityException e) {
            String type = tinkCryptoAtomic.getType();
            LinkedHashSet linkedHashSet = this.failedDecryptionsFromBadTag;
            if (linkedHashSet.contains(authToken)) {
                return tokenDecryptHelperImpl$DecryptResult$Failed;
            }
            linkedHashSet.add(authToken);
            metrics.counter("token_decryption_error", "decrypt").increment(1L);
            Timber.w(e, Recorder$$ExternalSyntheticOutline0.m("[", type, "] Error during decryption"), new Object[0]);
            return tokenDecryptHelperImpl$DecryptResult$Failed;
        } catch (Throwable th) {
            metrics.counter("token_decryption_error", "decrypt_unknown").increment(1L);
            Timber.w(th, "Other error during decryption", new Object[0]);
            return tokenDecryptHelperImpl$DecryptResult$Failed;
        }
    }

    public final NetworkCondition decryptWithTink(AuthToken authToken, TraceContext traceContext) {
        Spannable subSpan = traceContext.getSubSpan("decrypt_with_tink_keystore");
        subSpan.start();
        try {
            try {
                NetworkCondition decrypt = decrypt(this.tinkCrypto, new UsersQueries$$ExternalSyntheticLambda0(authToken.encryptedToken(AuthToken.Crypto.TINK), 12), authToken);
                SpannableExtensionsKt.completeWithSuccess(subSpan);
                return decrypt;
            } catch (Throwable th) {
                SpannableExtensionsKt.completeWithSuccess(subSpan);
                throw th;
            }
        } catch (CancellationException e) {
            SpannableExtensionsKt.completeAsInterrupted(subSpan);
            throw e;
        } catch (Throwable th2) {
            SpannableExtensionsKt.completeWithFailure(subSpan, th2);
            throw th2;
        }
    }

    public final NetworkCondition decryptWithTinkSecondary(AuthToken authToken, TraceContext traceContext) {
        Spannable subSpan = traceContext.getSubSpan("decrypt_with_tink_keystore_secondary");
        subSpan.start();
        try {
            try {
                NetworkCondition decrypt = decrypt(this.tinkCryptoSecondary, new UsersQueries$$ExternalSyntheticLambda0(authToken.encryptedToken(AuthToken.Crypto.TINK_SECONDARY), 13), authToken);
                SpannableExtensionsKt.completeWithSuccess(subSpan);
                return decrypt;
            } catch (Throwable th) {
                SpannableExtensionsKt.completeWithSuccess(subSpan);
                throw th;
            }
        } catch (CancellationException e) {
            SpannableExtensionsKt.completeAsInterrupted(subSpan);
            throw e;
        } catch (Throwable th2) {
            SpannableExtensionsKt.completeWithFailure(subSpan, th2);
            throw th2;
        }
    }

    public final NetworkCondition fetchTokenFromSecureStore(String str) {
        TokenDecryptHelperImpl$DecryptResult$Failed tokenDecryptHelperImpl$DecryptResult$Failed = TokenDecryptHelperImpl$DecryptResult$Failed.INSTANCE;
        try {
            String token = this.secureAccountTokenProvider.getToken(str);
            return token != null ? new NetworkCondition(token) : tokenDecryptHelperImpl$DecryptResult$Failed;
        } catch (IllegalStateException e) {
            this.failedSecureTokenStoreFetches.add(str);
            this.metrics.counter("token_decryption_error", "decrypt").increment(1L);
            Timber.w(e, Recorder$$ExternalSyntheticOutline0.m("Failed to fetch from Secure Token Store for ", str), new Object[0]);
            return tokenDecryptHelperImpl$DecryptResult$Failed;
        }
    }

    public final TokenDecryptResult getToken(final AuthToken authToken, final Function0 onFailedTokenDecryptionDetected) {
        Intrinsics.checkNotNullParameter(authToken, "authToken");
        Intrinsics.checkNotNullParameter(onFailedTokenDecryptionDetected, "onFailedTokenDecryptionDetected");
        SampleRate.Companion.getClass();
        SampleRate.Companion.useDefault();
        EmptyTraceTime emptyTraceTime = EmptyTraceTime.INSTANCE;
        Spannable trace = this.tracer.trace(TokenDecryptHelperImpl$getToken$authTokenDecryptTrace$1.INSTANCE, new TracingParameters(SampleRate.Companion.ofExactly(0.001d), emptyTraceTime, emptyTraceTime, null, null, false));
        trace.start();
        TraceContext traceContext = trace.getTraceContext();
        NetworkCondition tokenFromSecureTokenStore = getTokenFromSecureTokenStore(authToken, traceContext);
        boolean z = tokenFromSecureTokenStore instanceof TokenDecryptHelperImpl$DecryptResult$Decrypted;
        NetworkCondition networkCondition = TokenDecryptHelperImpl$DecryptResult$Skipped.INSTANCE;
        NetworkCondition decryptWithTink = z ? networkCondition : decryptWithTink(authToken, traceContext);
        if (!z && !(decryptWithTink instanceof TokenDecryptHelperImpl$DecryptResult$Decrypted)) {
            networkCondition = decryptWithTinkSecondary(authToken, traceContext);
        }
        String str = tokenFromSecureTokenStore.value;
        if (str != null) {
            trace.appendTag("type", "secure_token_store");
        } else {
            str = decryptWithTink.value;
            if (str != null) {
                trace.appendTag("type", "Tink");
            } else {
                str = networkCondition.value;
                if (str != null) {
                    trace.appendTag("type", "TinkSecondary");
                } else {
                    trace.appendTag("type", "plaintext");
                    str = "INVALID_TOKEN";
                }
            }
        }
        trace.complete(false);
        ListBuilder createListBuilder = SlidingWindowKt.createListBuilder();
        if (tokenFromSecureTokenStore instanceof TokenDecryptHelperImpl$DecryptResult$Failed) {
            createListBuilder.add(TokenDecryptionMethod.SECURE_TOKEN_STORE);
        }
        if (decryptWithTink instanceof TokenDecryptHelperImpl$DecryptResult$Failed) {
            createListBuilder.add(TokenDecryptionMethod.TINK_KEYSTORE);
        }
        if (networkCondition instanceof TokenDecryptHelperImpl$DecryptResult$Failed) {
            createListBuilder.add(TokenDecryptionMethod.TINK_KEYSTORE_SECONDARY);
        }
        ListBuilder build = createListBuilder.build();
        ListBuilder createListBuilder2 = SlidingWindowKt.createListBuilder();
        if (tokenFromSecureTokenStore instanceof TokenDecryptHelperImpl$DecryptResult$Skipped) {
            createListBuilder2.add(TokenDecryptionMethod.SECURE_TOKEN_STORE);
        }
        if (decryptWithTink instanceof TokenDecryptHelperImpl$DecryptResult$Skipped) {
            createListBuilder2.add(TokenDecryptionMethod.TINK_KEYSTORE);
        }
        if (networkCondition instanceof TokenDecryptHelperImpl$DecryptResult$Skipped) {
            createListBuilder2.add(TokenDecryptionMethod.TINK_KEYSTORE_SECONDARY);
        }
        final TokenDecryptResult tokenDecryptResult = new TokenDecryptResult(str, build, createListBuilder2.build());
        if (tokenDecryptResult.hasDecryptedAuthToken()) {
            MaybeSubscribeOn subscribeOn = new MaybeCreate(new MaybeOnSubscribe() { // from class: slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$$ExternalSyntheticLambda2
                /* JADX WARN: Removed duplicated region for block: B:13:0x008c  */
                /* JADX WARN: Removed duplicated region for block: B:15:0x0090  */
                @Override // io.reactivex.rxjava3.core.MaybeOnSubscribe
                /*
                    Code decompiled incorrectly, please refer to instructions dump.
                    To view partially-correct add '--show-bad-code' argument
                */
                public final void subscribe(io.reactivex.rxjava3.core.MaybeEmitter r11) {
                    /*
                        r10 = this;
                        java.lang.String r0 = "emitter"
                        kotlin.jvm.internal.Intrinsics.checkNotNullParameter(r11, r0)
                        slack.services.accountmanager.impl.security.TokenDecryptResult r0 = slack.services.accountmanager.impl.security.TokenDecryptResult.this
                        kotlin.collections.builders.ListBuilder r1 = r0.failedDecryptMethods
                        boolean r1 = r1.isEmpty()
                        kotlin.Unit r2 = kotlin.Unit.INSTANCE
                        if (r1 != 0) goto L16
                        r11.onSuccess(r2)
                        goto L93
                    L16:
                        slack.telemetry.tracing.SampleRate$Companion r1 = slack.telemetry.tracing.SampleRate.Companion
                        r1.getClass()
                        slack.telemetry.tracing.SampleRate.Companion.useDefault()
                        slack.telemetry.tracing.EmptyTraceTime r6 = slack.telemetry.tracing.EmptyTraceTime.INSTANCE
                        r3 = 4562254508917369340(0x3f50624dd2f1a9fc, double:0.001)
                        slack.telemetry.tracing.SampleRateImpl r4 = slack.telemetry.tracing.SampleRate.Companion.ofExactly(r3)
                        slack.telemetry.tracing.TracingParameters r1 = new slack.telemetry.tracing.TracingParameters
                        r7 = 0
                        r8 = 0
                        r9 = 0
                        r3 = r1
                        r5 = r6
                        r3.<init>(r4, r5, r6, r7, r8, r9)
                        slack.services.accountmanager.impl.security.TokenDecryptHelperImpl r3 = r2
                        slack.telemetry.tracing.Tracer r4 = r3.tracer
                        slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$checkForFailedAuthTokenDecryption$1$rootSpannable$1 r5 = slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$checkForFailedAuthTokenDecryption$1$rootSpannable$1.INSTANCE
                        slack.telemetry.tracing.Spannable r1 = r4.trace(r5, r1)
                        r4 = 0
                        kotlin.collections.builders.ListBuilder r0 = r0.skippedDecryptMethods
                        if (r0 == 0) goto L4a
                        boolean r5 = r0.isEmpty()
                        if (r5 == 0) goto L4a
                    L48:
                        r7 = r4
                        goto L87
                    L4a:
                        java.util.ListIterator r0 = r0.listIterator(r4)
                    L4e:
                        r5 = r0
                        kotlin.collections.builders.ListBuilder$Itr r5 = (kotlin.collections.builders.ListBuilder.Itr) r5
                        boolean r6 = r5.hasNext()
                        if (r6 == 0) goto L48
                        java.lang.Object r5 = r5.next()
                        slack.services.accountmanager.impl.security.TokenDecryptionMethod r5 = (slack.services.accountmanager.impl.security.TokenDecryptionMethod) r5
                        slack.telemetry.tracing.TraceContext r6 = r1.getTraceContext()
                        int r5 = r5.ordinal()
                        r7 = 1
                        slack.foundation.auth.AuthToken r8 = r3
                        if (r5 == 0) goto L7f
                        if (r5 == r7) goto L7a
                        r9 = 2
                        if (r5 != r9) goto L74
                        slack.telemetry.helper.NetworkCondition r5 = r3.getTokenFromSecureTokenStore(r8, r6)
                        goto L83
                    L74:
                        kotlin.NoWhenBranchMatchedException r10 = new kotlin.NoWhenBranchMatchedException
                        r10.<init>()
                        throw r10
                    L7a:
                        slack.telemetry.helper.NetworkCondition r5 = r3.decryptWithTinkSecondary(r8, r6)
                        goto L83
                    L7f:
                        slack.telemetry.helper.NetworkCondition r5 = r3.decryptWithTink(r8, r6)
                    L83:
                        boolean r5 = r5 instanceof slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$DecryptResult$Failed
                        if (r5 == 0) goto L4e
                    L87:
                        r1.complete(r4)
                        if (r7 == 0) goto L90
                        r11.onSuccess(r2)
                        goto L93
                    L90:
                        r11.onComplete()
                    L93:
                        return
                    */
                    throw new UnsupportedOperationException("Method not decompiled: slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$$ExternalSyntheticLambda2.subscribe(io.reactivex.rxjava3.core.MaybeEmitter):void");
                }
            }).subscribeOn(Schedulers.io());
            TimeUnit timeUnit = TimeUnit.SECONDS;
            new MaybeTimeoutMaybe(subscribeOn, new MaybeTimer(Math.max(0L, 15L), timeUnit, TSF$$ExternalSyntheticOutline0.m(timeUnit, "unit is null", "scheduler is null")), null).subscribe(new Consumer() { // from class: slack.services.accountmanager.impl.security.TokenDecryptHelperImpl$getToken$1
                @Override // io.reactivex.rxjava3.functions.Consumer
                public final void accept(Object obj) {
                    Unit it = (Unit) obj;
                    Intrinsics.checkNotNullParameter(it, "it");
                    Function0.this.invoke();
                }
            }, TokenDecryptHelperImpl$getToken$2.INSTANCE);
        }
        return tokenDecryptResult;
    }

    public final NetworkCondition getTokenFromSecureTokenStore(AuthToken authToken, TraceContext traceContext) {
        String str = authToken.identifier;
        Spannable subSpan = traceContext.getSubSpan("decrypt_with_secure_token_store");
        subSpan.start();
        try {
            try {
                try {
                    NetworkCondition fetchTokenFromSecureStore = !this.failedSecureTokenStoreFetches.contains(str) ? fetchTokenFromSecureStore(str) : TokenDecryptHelperImpl$DecryptResult$Failed.INSTANCE;
                    SpannableExtensionsKt.completeWithSuccess(subSpan);
                    return fetchTokenFromSecureStore;
                } catch (Throwable th) {
                    SpannableExtensionsKt.completeWithFailure(subSpan, th);
                    throw th;
                }
            } catch (CancellationException e) {
                SpannableExtensionsKt.completeAsInterrupted(subSpan);
                throw e;
            }
        } catch (Throwable th2) {
            SpannableExtensionsKt.completeWithSuccess(subSpan);
            throw th2;
        }
    }
}
