package com.android.server.sdksandbox.verifier;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.Context;
import android.os.Handler;
import android.os.HandlerThread;
import android.os.OutcomeReceiver;
import android.os.SystemClock;
import android.util.Log;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.sdksandbox.protobuf.InvalidProtocolBufferException;
import com.android.server.sdksandbox.proto.Verifier;
import com.android.server.sdksandbox.verifier.SerialDexLoader;
import com.android.tools.smali.dexlib2.Opcode;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/android/server/sdksandbox/verifier/SdkDexVerifier.class */
public class SdkDexVerifier {
    private static final String TAG = "SdkSandboxVerifier";
    private static final String WILDCARD = "*";
    private static final String EMPTY_STRING = "";
    private static final Verifier.AllowedApi[] DEFAULT_RULES = {Verifier.AllowedApi.newBuilder().setClassName("Landroid/*").setAllow(false).build(), Verifier.AllowedApi.newBuilder().setClassName("Ljava/*").setAllow(false).build(), Verifier.AllowedApi.newBuilder().setClassName("Lcom/google/android/*").setAllow(false).build(), Verifier.AllowedApi.newBuilder().setClassName("Lcom/android/*").setAllow(false).build(), Verifier.AllowedApi.newBuilder().setClassName("Landroidx/*").setAllow(false).build()};
    private static SdkDexVerifier sSdkDexVerifier;
    private ApiAllowlistProvider mApiAllowlistProvider;
    private SerialDexLoader mDexLoader;

    @GuardedBy({"mPlatformApiAllowlistsLock"})
    private Map<Long, Verifier.AllowedApisList> mPlatformApiAllowlists;
    private final Object mPlatformApiAllowlistsLock = new Object();
    private final Object mVerificationLock = new Object();

    @GuardedBy({"mPlatformApiAllowlistsLock"})
    private Map<Long, StringTrie> mPlatformApiAllowTries = new HashMap();

    @GuardedBy({"mVerificationLock"})
    private Map<String, Long> mVerificationTimes = new HashMap();

    /* loaded from: input_file:com/android/server/sdksandbox/verifier/SdkDexVerifier$Injector.class */
    static class Injector {
        private ApiAllowlistProvider mAllowlistProvider;
        private SerialDexLoader mDexLoader;

        Injector() {
            this.mAllowlistProvider = new ApiAllowlistProvider();
            HandlerThread handlerThread = new HandlerThread("DexParsingThread", 10);
            handlerThread.start();
            this.mDexLoader = new SerialDexLoader(new DexParserImpl(), new Handler(handlerThread.getLooper()));
        }

        Injector(ApiAllowlistProvider apiAllowlistProvider, SerialDexLoader serialDexLoader) {
            this.mAllowlistProvider = apiAllowlistProvider;
            this.mDexLoader = serialDexLoader;
        }

        ApiAllowlistProvider getApiAllowlistProvider() {
            return this.mAllowlistProvider;
        }

        SerialDexLoader getDexLoader() {
            return this.mDexLoader;
        }
    }

    /* loaded from: input_file:com/android/server/sdksandbox/verifier/SdkDexVerifier$VerificationResult.class */
    public static class VerificationResult {
        private boolean mPassed;
        private List<String> mRestrictedUsages;

        public VerificationResult(List<String> list) {
            this.mRestrictedUsages = list == null ? Collections.emptyList() : list;
            this.mPassed = this.mRestrictedUsages.size() == 0;
        }

        public boolean hasPassed() {
            return this.mPassed;
        }

        @VisibleForTesting
        List<String> getRestrictedUsages() {
            return this.mRestrictedUsages;
        }
    }

    @NonNull
    public static SdkDexVerifier getInstance() {
        synchronized (SdkDexVerifier.class) {
            if (sSdkDexVerifier == null) {
                sSdkDexVerifier = new SdkDexVerifier(new Injector());
            }
        }
        return sSdkDexVerifier;
    }

    @VisibleForTesting
    SdkDexVerifier(Injector injector) {
        this.mApiAllowlistProvider = injector.getApiAllowlistProvider();
        this.mDexLoader = injector.getDexLoader();
    }

    public void startDexVerification(final String str, final String str2, final long j, Context context, final OutcomeReceiver<VerificationResult, Exception> outcomeReceiver) {
        long elapsedRealtime = SystemClock.elapsedRealtime();
        synchronized (this.mVerificationLock) {
            this.mVerificationTimes.put(str, Long.valueOf(elapsedRealtime));
        }
        try {
            initAllowlist(j);
            File file = new File(str);
            if (file.exists()) {
                this.mDexLoader.queueApkToLoad(file, str2, context, new SerialDexLoader.VerificationHandler() { // from class: com.android.server.sdksandbox.verifier.SdkDexVerifier.1
                    private VerificationResult mLastDexResult;

                    @Override // com.android.server.sdksandbox.verifier.SerialDexLoader.VerificationHandler
                    public boolean verify(SerialDexLoader.DexSymbols dexSymbols) {
                        StringTrie<Verifier.AllowedApi> stringTrie;
                        synchronized (SdkDexVerifier.this.mPlatformApiAllowlistsLock) {
                            stringTrie = SdkDexVerifier.this.mPlatformApiAllowTries.get(Long.valueOf(j));
                        }
                        try {
                            VerificationResult verifyDexSymbols = SdkDexVerifier.this.verifyDexSymbols(dexSymbols, stringTrie);
                            Log.d(SdkDexVerifier.TAG, "Verification result for " + dexSymbols.toString() + ": " + verifyDexSymbols.hasPassed());
                            this.mLastDexResult = verifyDexSymbols;
                            return verifyDexSymbols.hasPassed();
                        } catch (Exception e) {
                            outcomeReceiver.onError(e);
                            return false;
                        }
                    }

                    @Override // com.android.server.sdksandbox.verifier.SerialDexLoader.VerificationHandler
                    public void onVerificationCompleteForPackage(boolean z) {
                        if (z) {
                            Log.d(SdkDexVerifier.TAG, str2 + " verified.");
                        } else {
                            Log.d(SdkDexVerifier.TAG, str2 + " rejected");
                        }
                        SdkDexVerifier.this.logVerificationTime(str2, str);
                        outcomeReceiver.onResult(this.mLastDexResult);
                    }

                    @Override // com.android.server.sdksandbox.verifier.SerialDexLoader.VerificationHandler
                    public void onVerificationErrorForPackage(Exception exc) {
                        SdkDexVerifier.this.logVerificationTime(str2, str);
                        outcomeReceiver.onError(exc);
                    }
                });
            } else {
                outcomeReceiver.onError(new FileNotFoundException("Apk to verify not found: " + str));
            }
        } catch (Exception e) {
            outcomeReceiver.onError(e);
        }
    }

    private void logVerificationTime(String str, String str2) {
        synchronized (this.mVerificationLock) {
            if (this.mVerificationTimes.containsKey(str2)) {
                Log.d(TAG, "Verification time (ms) for package " + str + ": " + (SystemClock.elapsedRealtime() - this.mVerificationTimes.remove(str2).longValue()));
            }
        }
    }

    VerificationResult verifyDexSymbols(SerialDexLoader.DexSymbols dexSymbols, StringTrie<Verifier.AllowedApi> stringTrie) {
        ArrayList arrayList = new ArrayList(Opcode.STATIC_FIELD_ACCESSOR);
        ArrayList arrayList2 = new ArrayList();
        for (int i = 0; i < dexSymbols.getReferencedMethodCount(); i++) {
            arrayList.clear();
            arrayList.addAll(Arrays.asList(dexSymbols.getClassForMethodAtIndex(i).split("/")));
            arrayList.addAll(Arrays.asList(dexSymbols.getReferencedMethodAtIndex(i).split(";")));
            Verifier.AllowedApi retrieve = stringTrie.retrieve((String[]) arrayList.toArray(new String[arrayList.size()]));
            if (retrieve != null && !retrieve.getAllow()) {
                arrayList2.add(dexSymbols.getClassForMethodAtIndex(i) + "->" + dexSymbols.getReferencedMethodAtIndex(i));
            }
        }
        return new VerificationResult(arrayList2);
    }

    @VisibleForTesting
    @Nullable
    String[] getApiTokens(Verifier.AllowedApi allowedApi) {
        ArrayList arrayList = new ArrayList();
        if (allowedApi.getClassName().equals(EMPTY_STRING)) {
            arrayList.add(WILDCARD);
        } else {
            arrayList.addAll(Arrays.asList(allowedApi.getClassName().toString().split("/")));
        }
        if (!allowedApi.getMethodName().equals(EMPTY_STRING)) {
            arrayList.add(allowedApi.getMethodName());
        } else if (!WILDCARD.equals(arrayList.get(arrayList.size() - 1))) {
            arrayList.add(WILDCARD);
        }
        if (allowedApi.getParametersCount() != 0) {
            arrayList.addAll(allowedApi.getParametersList());
        } else if (!WILDCARD.equals(arrayList.get(arrayList.size() - 1))) {
            arrayList.add(WILDCARD);
        }
        if (!allowedApi.getReturnType().equals(EMPTY_STRING)) {
            arrayList.add(allowedApi.getReturnType());
        } else if (!WILDCARD.equals(arrayList.get(arrayList.size() - 1))) {
            arrayList.add(WILDCARD);
        }
        if (arrayList.contains(EMPTY_STRING)) {
            return null;
        }
        arrayList.replaceAll(str -> {
            if (str.equals(WILDCARD)) {
                return null;
            }
            return str;
        });
        return (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    private void initAllowlist(long j) throws FileNotFoundException, InvalidProtocolBufferException, IOException {
        synchronized (this.mPlatformApiAllowlistsLock) {
            if (this.mPlatformApiAllowlists == null) {
                this.mPlatformApiAllowlists = this.mApiAllowlistProvider.loadPlatformApiAllowlist();
            }
            if (!this.mPlatformApiAllowTries.containsKey(Long.valueOf(j))) {
                buildAllowTrie(j, this.mPlatformApiAllowlists.get(Long.valueOf(j)));
            }
        }
    }

    @GuardedBy({"mPlatformApiAllowlistsLock"})
    private void buildAllowTrie(long j, Verifier.AllowedApisList allowedApisList) {
        if (allowedApisList == null) {
            Log.w(TAG, "No allowlist found for targetSdk " + j);
            return;
        }
        StringTrie<Verifier.AllowedApi> baseRuleTrie = getBaseRuleTrie();
        for (Verifier.AllowedApi allowedApi : allowedApisList.getAllowedApisList()) {
            String[] apiTokens = getApiTokens(allowedApi);
            if (apiTokens == null) {
                Log.w(TAG, "API Rule was malformed for rule with class " + allowedApi.getClassName());
                return;
            }
            Verifier.AllowedApi put = baseRuleTrie.put(allowedApi, apiTokens);
            if (put != null && put.getAllow() != allowedApi.getAllow()) {
                Log.w(TAG, "Rule was replaced for class " + put.getClassName() + ". New rule value is: " + allowedApi.getAllow());
            }
        }
        this.mPlatformApiAllowTries.put(Long.valueOf(j), baseRuleTrie);
    }

    private StringTrie<Verifier.AllowedApi> getBaseRuleTrie() {
        StringTrie<Verifier.AllowedApi> stringTrie = new StringTrie<>();
        for (int i = 0; i < DEFAULT_RULES.length; i++) {
            stringTrie.put(DEFAULT_RULES[i], getApiTokens(DEFAULT_RULES[i]));
        }
        return stringTrie;
    }
}
