package net.juniper.junos.pulse.android;

import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.net.http.SSLUtilities;
import android.os.Build;
import android.security.KeyChainException;
import android.support.v4.app.NotificationCompat;
import android.text.TextUtils;
import com.rsa.asn1.ASN1;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import net.juniper.junos.pulse.android.mdm.wifi.WifiPolicyParser;
import net.juniper.junos.pulse.android.network.NetworkService;
import net.juniper.junos.pulse.android.network.RetryCallHelper;
import net.juniper.junos.pulse.android.network.interceptors.UserAgentInterceptor;
import net.juniper.junos.pulse.android.network.schedulers.NetworkTaskHelper;
import net.juniper.junos.pulse.android.sql.VpnProfile;
import net.juniper.junos.pulse.android.util.CertUtil;
import net.juniper.junos.pulse.android.util.ClientCertificate;
import net.juniper.junos.pulse.android.util.DeviceInfo;
import net.juniper.junos.pulse.android.util.Log;
import net.juniper.junos.pulse.android.util.NotificationUtil;
import net.juniper.junos.pulse.android.util.SMUtility;
import net.juniper.junos.pulse.android.vpn.UILessConnection;
import net.juniper.junos.pulse.android.vpnservice.VpnSamsungKnoxService;
import net.pulsesecure.pulsesecure.R;
import okhttp3.JavaNetCookieJar;
import retrofit2.Call;
import retrofit2.Callback;
import retrofit2.Response;
import retrofit2.Retrofit;

/* loaded from: classes2.dex */
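/**
 * Performs UI-less ("Stealth Mode") certificate authentication against the URL of a
 * {@link VpnProfile} and reports the outcome through an {@link AuthenticationCallback}.
 *
 * <p>The flow visible in this class: load the profile's client certificate, build a TLS
 * context that presents it, issue a request to the profile URL, and treat the presence of a
 * {@code DSID} cookie in the response as a successful sign-in. When no such cookie is set,
 * the final (redirected) URL is mapped to a failure reason.
 *
 * <p>This source is decompiler output; several constants were inlined or substituted by the
 * decompiler and are called out where they matter.
 */
public class ClientAuthentication {
    private static final String CERT_ALIAS = "PulseSecureCertAlias";
    private static final int CONNECT_TIMEOUT = 30;
    private static final String DSID = "DSID";
    private static final String KEY_IS_KNOX = "key_isKnox";
    public static final String PROFILE_CERTIFICATE_ALIAS = "profileCertificateAlias";
    public static final String PROFILE_NAME = "profileName";
    public static final String PROFILE_URL = "profileUrl";
    private static final int RETRY_COUNT = 5;
    private static final String TAG = "ClientAuthentication";
    private static final String USERAGENT = "User-Agent";

    /**
     * Ordered {marker, reason} pairs for the sign-in failure page. The first marker contained
     * in the query string wins, so the order must stay as it is.
     */
    private static final String[][] FAILURE_REASONS = {
        {"p=failed", VpnSamsungKnoxService.AUTH_FAIL_CREDENTIALS},
        {"p=not-allowed", VpnSamsungKnoxService.AUTH_FAIL_ACCESS_DENIED},
        {"p=admins-only", VpnSamsungKnoxService.AUTH_FAIL_ACCESS_DENIED},
        {"p=ip-denied", VpnSamsungKnoxService.AUTH_FAIL_ADDRESS_DENIED},
        {"p=ua-denied", VpnSamsungKnoxService.AUTH_FAIL_BROWSER_DENIED},
        {"p=no-auth", VpnSamsungKnoxService.AUTH_FAIL_AUTH_SERVER},
        {"p=ip-blocked", VpnSamsungKnoxService.AUTH_FAIL_ADDRESS_BLOCKED},
        {"p=short-passwd", VpnSamsungKnoxService.AUTH_FAIL_SHORT_PASSWORD},
        {"p=ssl-v3", VpnSamsungKnoxService.AUTH_FAIL_SSL_V3_REQUIRED},
        {"p=ssl-weak", VpnSamsungKnoxService.AUTH_FAIL_SSL_STRONG_REQUIRED},
        {"p=admin-recovery", VpnSamsungKnoxService.AUTH_FAIL_ADMIN_DISABLED},
        {"p=changed-password", VpnSamsungKnoxService.AUTH_FAIL_CHANGE_PASSWORD},
        {"p=account-locked-out", VpnSamsungKnoxService.AUTH_FAIL_ACCOUNT_DISABLED},
        {"p=account-expired", VpnSamsungKnoxService.AUTH_FAIL_ACCOUNT_EXPIRED},
        {"p=no-access", VpnSamsungKnoxService.AUTH_FAIL_AUTH_DENIED},
        {"p=max-sessions", "Too Many Sessions"},
        {"p=feature-unlicensed", VpnSamsungKnoxService.AUTH_FAIL_UNLICENSED},
        {"p=denied-checkhostname", VpnSamsungKnoxService.AUTH_FAIL_HOSTNAME},
        {"p=no-roles", VpnSamsungKnoxService.AUTH_FAIL_NO_ROLE},
        {"p=too-many", "Too Many Sessions"},
        {"p=installfail", VpnSamsungKnoxService.AUTH_FAIL_CCFAIL},
        {"p=revoked-cert", VpnSamsungKnoxService.AUTH_FAIL_REVOKED_CERT},
        {"p=wrong-cert", VpnSamsungKnoxService.AUTH_FAIL_WRONG_CERT},
        {"p=passwordExpiration", VpnSamsungKnoxService.AUTH_FAIL_PASSWORDEXPIRATION},
    };

    private AuthenticationCallback mCallback;
    private Context mContext;
    private KeyStore mKeyStore = null;
    private VpnProfile mVpnProfile;

    /** Receives the result of a certificate authentication attempt. */
    public interface AuthenticationCallback {
        /**
         * Called when authentication did not yield a {@code DSID} cookie or the request failed.
         *
         * @param str failure reason text
         */
        void onClientAuthenticationFailed(String str);

        /**
         * Called when the response set a {@code DSID} cookie.
         *
         * @param list every cookie in the cookie store for this attempt, including
         *     {@code DSID}; receivers should treat the values as credentials and keep them
         *     out of logs
         */
        void onClientAuthenticationSuccess(List<HttpCookie> list);
    }

    /**
     * @param context context used to start the permission activity or post a notification
     * @param authenticationCallback receiver of the authentication result
     */
    public ClientAuthentication(Context context, AuthenticationCallback authenticationCallback) {
        this.mContext = context;
        this.mCallback = authenticationCallback;
    }

    /**
     * Maps the final URL of a failed sign-in to a failure reason.
     *
     * <p>The URL is whatever the server redirected to, so it is untrusted input: a missing
     * URL or a URL without a query string falls back to the generic credentials failure
     * instead of throwing. The decompiler notes that this method was private in the original
     * class.
     *
     * @param url the final request URL, may be {@code null}
     * @return the failure reason; {@link VpnSamsungKnoxService#AUTH_FAIL_CREDENTIALS} when
     *     the URL is not a recognised {@code welcome.cgi?p=} failure page
     */
    public String getErrorMessageFromUrl(URL url) {
        if (url == null || !url.toString().contains("welcome.cgi?p=")) {
            return VpnSamsungKnoxService.AUTH_FAIL_CREDENTIALS;
        }
        String query = url.getQuery();
        // The marker can sit in the fragment (after '#'), in which case there is no query.
        if (query == null) {
            return VpnSamsungKnoxService.AUTH_FAIL_CREDENTIALS;
        }
        for (String[] entry : FAILURE_REASONS) {
            if (query.contains(entry[0])) {
                return entry[1];
            }
        }
        return VpnSamsungKnoxService.AUTH_FAIL_CREDENTIALS;
    }

    /**
     * Sends the authentication request and reports the result to the callback.
     *
     * @param str the profile URL to authenticate against
     * @param sSLContext TLS context already initialised with the client key material
     * @param x509TrustManager trust manager matching {@code sSLContext}
     */
    private void startAuthentication(String str, SSLContext sSLContext, X509TrustManager x509TrustManager) {
        // NOTE(review): the full profile URL, query string included, goes to the debug log.
        // Confirm the project's Log wrapper suppresses debug output in release builds.
        Log.d(TAG, "Stealth Mode Authentication: authenticating for VPN with url " + str);
        // A fresh in-memory cookie store per attempt.
        // NOTE(review): ACCEPT_ALL also stores cookies set for other domains during redirects;
        // ACCEPT_ORIGINAL_SERVER would be the narrower policy if the sign-in flow allows it.
        final CookieManager cookieManager = new CookieManager();
        cookieManager.setCookiePolicy(CookiePolicy.ACCEPT_ALL);
        NetworkService networkService = (NetworkService) new Retrofit.Builder()
                .baseUrl(RetryCallHelper.getBaseUrl(str))
                .client(JunosApplication.getsBaseOkHttpClient().newBuilder()
                        .cookieJar(new JavaNetCookieJar(cookieManager))
                        .sslSocketFactory(sSLContext.getSocketFactory(), x509TrustManager)
                        .connectTimeout(CONNECT_TIMEOUT, TimeUnit.SECONDS)
                        .addInterceptor(new UserAgentInterceptor(USERAGENT))
                        .build())
                .build()
                .create(NetworkService.class);
        Map<String, String> queryParameterMap = RetryCallHelper.getQueryParameterMap(str);
        Call<Void> call = queryParameterMap != null
                ? networkService.getURLConnection(str, queryParameterMap)
                : networkService.getURLConnection(str);
        RetryCallHelper.enqueue(call, RETRY_COUNT, this.mVpnProfile, new Callback<Void>() {
            @Override // retrofit2.Callback
            public void onFailure(Call<Void> call, Throwable th) {
                ClientAuthentication.this.mCallback.onClientAuthenticationFailed(NotificationUtil.getMessage(th));
            }

            @Override // retrofit2.Callback
            public void onResponse(Call<Void> call, Response<Void> response) {
                List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
                // A DSID cookie is the only success signal; the HTTP status is not consulted.
                for (HttpCookie httpCookie : cookies) {
                    if (DSID.equals(httpCookie.getName())) {
                        ClientAuthentication.this.mCallback.onClientAuthenticationSuccess(cookies);
                        return;
                    }
                }
                URL url = null;
                try {
                    url = new URL(response.raw().request().url().toString());
                } catch (MalformedURLException e) {
                    Log.e(ClientAuthentication.TAG, "Malformed final url: " + e.getMessage());
                }
                Log.d(ClientAuthentication.TAG, "Stealth Mode Authentication: Final Url(redirected) - " + url);
                // getErrorMessageFromUrl tolerates a null url.
                ClientAuthentication.this.mCallback.onClientAuthenticationFailed(ClientAuthentication.this.getErrorMessageFromUrl(url));
            }
        });
    }

    /**
     * Starts certificate authentication for the given profile.
     *
     * <p>Reports a missing or incomplete certificate through the callback. When the key chain
     * refuses access, the user is asked for credential-storage permission instead (see
     * {@link #requestCredentialStoragePermission(VpnProfile)}).
     *
     * @param vpnProfile the profile whose certificate and URL are used
     */
    public void certAuthenticate(VpnProfile vpnProfile) {
        this.mVpnProfile = vpnProfile;
        DeviceInfo deviceInfo = new DeviceInfo();
        try {
            ClientCertificate certificate = CertUtil.getCertificate(vpnProfile);
            if (certificate == null || certificate.getCertArray() == null || certificate.getPrivateKey() == null) {
                Log.d(TAG, "error cert not found ");
                this.mCallback.onClientAuthenticationFailed(VpnSamsungKnoxService.AUTH_FAIL_MISSING_OR_INVALID_CERT);
                return;
            }
            PrivateKey privateKey = certificate.getPrivateKey();
            X509Certificate[] certArray = certificate.getCertArray();
            try {
                // The key store lives only in memory (load(null, ...)); the device UUID serves
                // as its password and is not a secret, so it protects nothing if this store
                // were ever persisted.
                char[] storePassword = deviceInfo.getDeviceUuidString().toCharArray();
                this.mKeyStore = KeyStore.getInstance("PKCS12");
                this.mKeyStore.load(null, storePassword);
                this.mKeyStore.setKeyEntry(CERT_ALIAS, privateKey, storePassword, certArray);
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(this.mKeyStore, storePassword);
                KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
                // NOTE(review): the protocol name comes from a Wi-Fi policy constant the
                // decompiler matched by value; presumably "TLS" — confirm.
                SSLContext sSLContext = SSLContext.getInstance(WifiPolicyParser.sEapMethodTls);
                // NOTE(review): SSLUtilities is opaque from here; verify that connection type 1
                // does not relax server certificate validation.
                SSLUtilities.setConnectionType((byte) 1);
                TrustManager[] trustManagerArr = {SSLUtilities.getSystemX509TrustManager()};
                sSLContext.init(keyManagers, trustManagerArr, new SecureRandom());
                if (SMUtility.isConnectionAvailable() && !JunosApplication.getApplication().isVpnConnected()) {
                    Log.d(TAG, "Stealth Mode: start authentication!");
                    startAuthentication(vpnProfile.getUrl(), sSLContext, (X509TrustManager) trustManagerArr[0]);
                } else if (JunosApplication.getApplication().isVpnConnected()) {
                    Log.d(TAG, "Stealth Mode: VPN already connected!");
                } else {
                    Log.d(TAG, "Stealth Mode: No network!");
                    NotificationUtil.showVpnErrorNotification(JunosApplication.getApplication(), VpnSamsungKnoxService.AUTH_FAIL_NETWORK_ISSUE);
                    if (this.mVpnProfile != null) {
                        NetworkTaskHelper.scheduleNetworkTaskService(this.mVpnProfile.getName());
                    }
                }
            } catch (Exception e2) {
                // NOTE(review): the callback is not notified on this path, so a key store or
                // TLS set-up failure leaves the caller without any result.
                Log.e(TAG, "uncaught generic exception " + e2.getMessage());
            }
        } catch (KeyChainException e3) {
            VpnSamsungKnoxService.setVpnStatus(VpnSamsungKnoxService.PulseVpnStatus.AUTH_FAILED);
            Log.e(TAG, "executeCertClient KeyChain exception: " + e3);
            Log.d(TAG, "Credential storage permission needs to be asked to user");
            requestCredentialStoragePermission(vpnProfile);
        }
    }

    /**
     * Asks the user for credential-storage permission for the profile's certificate.
     *
     * <p>Starts the permission activity directly, or, on SDK 29+ while the application is in
     * the background, posts an ongoing notification whose tap opens it. Logs and does nothing
     * when the profile lacks an alias, URL or name.
     */
    private void requestCredentialStoragePermission(VpnProfile vpnProfile) {
        try {
            String certAlias = vpnProfile.getCertAlias();
            String url = vpnProfile.getUrl();
            String name = vpnProfile.getName();
            if (TextUtils.isEmpty(certAlias) || TextUtils.isEmpty(url) || TextUtils.isEmpty(name)) {
                Log.e(TAG, "Incomplete profile :");
                Log.e(TAG, "Alias :" + certAlias);
                Log.e(TAG, "Url :" + url);
                Log.e(TAG, "Profile name :" + name);
                return;
            }
            // Explicit intent: the target component is fixed, so no other app can receive it.
            Intent intent = new Intent(this.mContext, Class.forName("net.pulsesecure.pws.ui.TransparentPermissionActivity"));
            intent.putExtra(UILessConnection.UI_LESS_VPN_INTENT_EXTRA, VpnSamsungKnoxService.AUTH_FAIL_CERT_STORE);
            intent.putExtra(PROFILE_CERTIFICATE_ALIAS, certAlias);
            intent.putExtra(PROFILE_URL, url);
            intent.putExtra(PROFILE_NAME, name);
            // Same value as the decompiled literal 268468224 (0x10008000).
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
            if (Build.VERSION.SDK_INT < 29 || !NotificationUtil.isApplicationInTheBackground()) {
                this.mContext.startActivity(intent);
                return;
            }
            String string = this.mContext.getResources().getString(R.string.cert_alias_AIDL_message, this.mContext.getResources().getString(R.string.app_name));
            String string2 = this.mContext.getResources().getString(R.string.cert_alias_AIDL_title);
            NotificationCompat.Builder contentText = new NotificationCompat.Builder(this.mContext, NotificationUtil.VPN_NOTIFICATION_CHANNEL_ID)
                    .setContentTitle(string2)
                    .setSmallIcon(R.drawable.alert_small)
                    .setAutoCancel(true)
                    .setContentText(string);
            NotificationCompat.BigTextStyle bigTextStyle = new NotificationCompat.BigTextStyle();
            bigTextStyle.setBigContentTitle(string2);
            bigTextStyle.bigText(string);
            contentText.setStyle(bigTextStyle);
            contentText.setOngoing(true);
            // NOTE(review): ASN1.RELAXED_CONSTRAINTS is a decompiler substitution for a numeric
            // PendingIntent flag, presumably FLAG_UPDATE_CURRENT — confirm the value. No
            // FLAG_IMMUTABLE is visible here; Android 12+ requires an explicit mutability flag,
            // and an immutable PendingIntent is the safer choice for a fixed target like this.
            contentText.setContentIntent(PendingIntent.getActivity(this.mContext, 0, intent, ASN1.RELAXED_CONSTRAINTS));
            ((NotificationManager) this.mContext.getSystemService(Context.NOTIFICATION_SERVICE)).notify(NotificationUtil.PULSE_NOTIFICATION_ID, contentText.build());
        } catch (ClassNotFoundException unused) {
            Log.e("TransparentPermissionActivity not found");
        }
    }

    /**
     * @return the application singleton, exposed through its interface
     */
    protected IJunosApplication getApplicationReference() {
        return JunosApplication.getApplication();
    }
}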
