package com.android.server.pm.verify.domain;

import android.Manifest;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.Context;
import android.os.Binder;
import com.android.server.pm.verify.domain.proxy.DomainVerificationProxy;

/* loaded from: input_file:com/android/server/pm/verify/domain/DomainVerificationEnforcer.class */
public class DomainVerificationEnforcer {

    @NonNull
    private final Context mContext;

    @NonNull
    private Callback mCallback;

    /* loaded from: input_file:com/android/server/pm/verify/domain/DomainVerificationEnforcer$Callback.class */
    public interface Callback {
        boolean filterAppAccess(@NonNull String str, int i, int i2);

        boolean doesUserExist(int i);
    }

    public DomainVerificationEnforcer(@NonNull Context context) {
        this.mContext = context;
    }

    public void setCallback(@NonNull Callback callback) {
        this.mCallback = callback;
    }

    public void assertInternal(int i) {
        switch (i) {
            case 0:
            case 1000:
            case 2000:
                return;
            default:
                throw new SecurityException("Caller " + i + " is not allowed to change internal state");
        }
    }

    public void assertApprovedQuerent(int i, @NonNull DomainVerificationProxy domainVerificationProxy) {
        switch (i) {
            case 0:
            case 1000:
            case 2000:
                return;
            default:
                if (domainVerificationProxy.isCallerVerifier(i)) {
                    this.mContext.enforcePermission(Manifest.permission.QUERY_ALL_PACKAGES, Binder.getCallingPid(), i, "Caller " + i + " does not hold " + Manifest.permission.QUERY_ALL_PACKAGES);
                    return;
                } else {
                    this.mContext.enforcePermission(Manifest.permission.DUMP, Binder.getCallingPid(), i, "Caller " + i + " is not allowed to query domain verification state");
                    return;
                }
        }
    }

    public void assertApprovedVerifier(int i, @NonNull DomainVerificationProxy domainVerificationProxy) throws SecurityException {
        boolean isCallerVerifier;
        switch (i) {
            case 0:
            case 1000:
            case 2000:
                isCallerVerifier = true;
                break;
            default:
                int callingPid = Binder.getCallingPid();
                boolean z = false;
                if (this.mContext.checkPermission(Manifest.permission.DOMAIN_VERIFICATION_AGENT, callingPid, i) != 0) {
                    z = this.mContext.checkPermission(Manifest.permission.INTENT_FILTER_VERIFICATION_AGENT, callingPid, i) == 0;
                    if (!z) {
                        throw new SecurityException("Caller " + i + " does not hold " + Manifest.permission.DOMAIN_VERIFICATION_AGENT);
                    }
                }
                if (!z) {
                    this.mContext.enforcePermission(Manifest.permission.QUERY_ALL_PACKAGES, callingPid, i, "Caller " + i + " does not hold " + Manifest.permission.QUERY_ALL_PACKAGES);
                }
                isCallerVerifier = domainVerificationProxy.isCallerVerifier(i);
                break;
        }
        if (!isCallerVerifier) {
            throw new SecurityException("Caller " + i + " is not the approved domain verification agent");
        }
    }

    public boolean assertApprovedUserStateQuerent(int i, int i2, @NonNull String str, int i3) throws SecurityException {
        if (i2 != i3) {
            this.mContext.enforcePermission(Manifest.permission.INTERACT_ACROSS_USERS, Binder.getCallingPid(), i, "Caller is not allowed to edit other users");
        }
        if (!this.mCallback.doesUserExist(i2)) {
            throw new SecurityException("User " + i2 + " does not exist");
        }
        if (this.mCallback.doesUserExist(i3)) {
            return !this.mCallback.filterAppAccess(str, i, i3);
        }
        throw new SecurityException("User " + i3 + " does not exist");
    }

    public boolean assertApprovedUserSelector(int i, int i2, @Nullable String str, int i3) throws SecurityException {
        if (i2 != i3) {
            this.mContext.enforcePermission(Manifest.permission.INTERACT_ACROSS_USERS, Binder.getCallingPid(), i, "Caller is not allowed to edit other users");
        }
        this.mContext.enforcePermission(Manifest.permission.UPDATE_DOMAIN_VERIFICATION_USER_SELECTION, Binder.getCallingPid(), i, "Caller is not allowed to edit user selections");
        if (!this.mCallback.doesUserExist(i2)) {
            throw new SecurityException("User " + i2 + " does not exist");
        }
        if (this.mCallback.doesUserExist(i3)) {
            return str == null || !this.mCallback.filterAppAccess(str, i, i3);
        }
        throw new SecurityException("User " + i3 + " does not exist");
    }

    public boolean callerIsLegacyUserSelector(int i, int i2, @NonNull String str, int i3) {
        this.mContext.enforcePermission(Manifest.permission.SET_PREFERRED_APPLICATIONS, Binder.getCallingPid(), i, "Caller is not allowed to edit user state");
        if (i2 != i3 && this.mContext.checkPermission(Manifest.permission.INTERACT_ACROSS_USERS, Binder.getCallingPid(), i) != 0) {
            return false;
        }
        if (!this.mCallback.doesUserExist(i2)) {
            throw new SecurityException("User " + i2 + " does not exist");
        }
        if (this.mCallback.doesUserExist(i3)) {
            return !this.mCallback.filterAppAccess(str, i, i3);
        }
        throw new SecurityException("User " + i3 + " does not exist");
    }

    public boolean callerIsLegacyUserQuerent(int i, int i2, @NonNull String str, int i3) {
        if (i2 != i3) {
            this.mContext.enforcePermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL, Binder.getCallingPid(), i, "Caller is not allowed to edit other users");
        }
        if (!this.mCallback.doesUserExist(i2)) {
            throw new SecurityException("User " + i2 + " does not exist");
        }
        if (this.mCallback.doesUserExist(i3)) {
            return !this.mCallback.filterAppAccess(str, i, i3);
        }
        throw new SecurityException("User " + i3 + " does not exist");
    }

    public void assertOwnerQuerent(int i, int i2, int i3) {
        int callingPid = Binder.getCallingPid();
        if (i2 != i3) {
            this.mContext.enforcePermission(Manifest.permission.INTERACT_ACROSS_USERS, callingPid, i, "Caller is not allowed to query other users");
        }
        this.mContext.enforcePermission(Manifest.permission.QUERY_ALL_PACKAGES, callingPid, i, "Caller " + i + " does not hold " + Manifest.permission.QUERY_ALL_PACKAGES);
        this.mContext.enforcePermission(Manifest.permission.UPDATE_DOMAIN_VERIFICATION_USER_SELECTION, callingPid, i, "Caller is not allowed to query user selections");
        if (!this.mCallback.doesUserExist(i2)) {
            throw new SecurityException("User " + i2 + " does not exist");
        }
        if (!this.mCallback.doesUserExist(i3)) {
            throw new SecurityException("User " + i3 + " does not exist");
        }
    }
}
