package com.zimbra.cs.service.admin;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.Element;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.CalendarResource;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.AdminRight;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.soap.JaxbUtil;
import com.zimbra.soap.ZimbraSoapContext;
import com.zimbra.soap.admin.message.SetPasswordRequest;
import com.zimbra.soap.admin.message.SetPasswordResponse;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/zimbra/cs/service/admin/SetPassword.class */
public class SetPassword extends AdminDocumentHandler {
    private static final String[] TARGET_ACCOUNT_PATH = {"id"};

    @Override // com.zimbra.cs.service.admin.AdminDocumentHandler
    protected String[] getProxiedAccountPath() {
        return TARGET_ACCOUNT_PATH;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean domainAuthSufficient(Map map) {
        return true;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean defendsAgainstDelegateAdminAccountHarvesting() {
        return true;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public Element handle(Element element, Map<String, Object> map) throws ServiceException {
        SetPasswordResponse setPasswordResponse = null;
        ZimbraSoapContext zimbraSoapContext = getZimbraSoapContext(map);
        Provisioning provisioning = Provisioning.getInstance();
        SetPasswordRequest setPasswordRequest = (SetPasswordRequest) JaxbUtil.elementToJaxb(element);
        String id = setPasswordRequest.getId();
        String newPassword = setPasswordRequest.getNewPassword();
        Account account = provisioning.get(Key.AccountBy.id, id, zimbraSoapContext.getAuthToken());
        if (account == null) {
            try {
                defendAgainstAccountOrCalendarResourceHarvestingWhenAbsent(Key.AccountBy.id, id, zimbraSoapContext, Rights.Admin.R_setAccountPassword, Rights.Admin.R_setCalendarResourcePassword);
            } catch (ServiceException e) {
                defendAgainstAccountOrCalendarResourceHarvestingWhenAbsent(Key.AccountBy.id, id, zimbraSoapContext, Rights.Admin.R_changeAccountPassword, Rights.Admin.R_changeCalendarResourcePassword);
            }
        } else {
            try {
                defendAgainstAccountOrCalendarResourceHarvesting(account, Key.AccountBy.id, id, zimbraSoapContext, Rights.Admin.R_setAccountPassword, Rights.Admin.R_setCalendarResourcePassword);
            } catch (ServiceException e2) {
                defendAgainstAccountOrCalendarResourceHarvesting(account, Key.AccountBy.id, id, zimbraSoapContext, Rights.Admin.R_changeAccountPassword, Rights.Admin.R_changeCalendarResourcePassword);
            }
            Provisioning.SetPasswordResult password = provisioning.setPassword(account, newPassword, account.isCalendarResource() ? checkCalendarResourceRights(zimbraSoapContext, provisioning.get(Key.CalendarResourceBy.id, id)) : checkAccountRights(zimbraSoapContext, account));
            ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[]{"cmd", "SetPassword", "name", account.getName()}));
            if (password.hasMessage()) {
                ZimbraLog.security.info(password.getMessage());
                setPasswordResponse = new SetPasswordResponse(password.getMessage());
            } else {
                setPasswordResponse = new SetPasswordResponse((String) null);
            }
        }
        return zimbraSoapContext.jaxbToElement(setPasswordResponse);
    }

    private boolean checkAccountRights(ZimbraSoapContext zimbraSoapContext, Account account) throws ServiceException {
        try {
            checkAccountRight(zimbraSoapContext, account, Rights.Admin.R_setAccountPassword);
            return false;
        } catch (ServiceException e) {
            if (!"service.PERM_DENIED".equals(e.getCode())) {
                throw e;
            }
            checkAccountRight(zimbraSoapContext, account, Rights.Admin.R_changeAccountPassword);
            return true;
        }
    }

    private boolean checkCalendarResourceRights(ZimbraSoapContext zimbraSoapContext, CalendarResource calendarResource) throws ServiceException {
        try {
            checkCalendarResourceRight(zimbraSoapContext, calendarResource, Rights.Admin.R_setCalendarResourcePassword);
            return false;
        } catch (ServiceException e) {
            if (!"service.PERM_DENIED".equals(e.getCode())) {
                throw e;
            }
            checkCalendarResourceRight(zimbraSoapContext, calendarResource, Rights.Admin.R_changeCalendarResourcePassword);
            return true;
        }
    }

    @Override // com.zimbra.cs.service.admin.AdminDocumentHandler, com.zimbra.cs.service.admin.AdminRightCheckPoint
    public void docRights(List<AdminRight> list, List<String> list2) {
        list.add(Rights.Admin.R_setAccountPassword);
        list.add(Rights.Admin.R_changeAccountPassword);
        list.add(Rights.Admin.R_setCalendarResourcePassword);
        list.add(Rights.Admin.R_changeCalendarResourcePassword);
    }
}
