package com.zimbra.cs.service.account;

import com.zimbra.common.account.Key;
import com.zimbra.common.account.ZAttrProvisioning;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.AccountConstants;
import com.zimbra.common.soap.Element;
import com.zimbra.common.util.Pair;
import com.zimbra.common.util.UUIDUtil;
import com.zimbra.common.util.ZimbraCookie;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.AttributeFlag;
import com.zimbra.cs.account.AttributeManager;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.TrustedDevice;
import com.zimbra.cs.account.TrustedDeviceToken;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.account.auth.twofactor.TrustedDevices;
import com.zimbra.cs.account.auth.twofactor.TwoFactorAuth;
import com.zimbra.cs.account.krb5.Krb5Principal;
import com.zimbra.cs.account.names.NameUtil;
import com.zimbra.cs.mailbox.Metadata;
import com.zimbra.cs.service.AuthProvider;
import com.zimbra.cs.service.PreAuthServlet;
import com.zimbra.cs.service.UserServlet;
import com.zimbra.cs.servlet.CsrfFilter;
import com.zimbra.cs.servlet.util.CsrfUtil;
import com.zimbra.cs.session.Session;
import com.zimbra.cs.util.AccountUtil;
import com.zimbra.cs.util.SkinUtil;
import com.zimbra.soap.SoapEngine;
import com.zimbra.soap.SoapServlet;
import com.zimbra.soap.ZimbraSoapContext;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/service/account/Auth.class */
public class Auth extends AccountDocumentHandler {
    @Override // com.zimbra.soap.DocumentHandler
    public Element handle(Element element, Map<String, Object> map) throws ServiceException {
        Domain domainByKrb5Principal;
        TrustedDevices trustedDevices;
        TrustedDevice trustedDeviceByTrustedToken;
        Domain domain;
        ZimbraSoapContext zimbraSoapContext = getZimbraSoapContext(map);
        Provisioning provisioning = Provisioning.getInstance();
        String str = null;
        String str2 = null;
        String str3 = null;
        Key.AccountBy accountBy = null;
        Account account = null;
        Element optionalElement = element.getOptionalElement("account");
        boolean attributeBool = element.getAttributeBool("csrfTokenSecured", false);
        if (optionalElement != null) {
            str = optionalElement.getText();
            str2 = str;
            str3 = optionalElement.getAttribute(PreAuthServlet.PARAM_BY, Key.AccountBy.name.name());
            accountBy = Key.AccountBy.fromString(str3);
            if (accountBy == Key.AccountBy.name) {
                Element optionalElement2 = element.getOptionalElement("virtualHost");
                String lowerCase = optionalElement2 == null ? null : optionalElement2.getText().toLowerCase();
                if (lowerCase != null && str2.indexOf(64) == -1 && (domain = provisioning.get(Key.DomainBy.virtualHostname, lowerCase)) != null) {
                    str2 = str2 + "@" + domain.getName();
                }
            }
            account = provisioning.get(accountBy, str2);
        }
        TrustedDeviceToken trustedDeviceToken = null;
        if (account != null && (trustedDevices = TwoFactorAuth.getFactory().getTrustedDevices(account)) != null) {
            trustedDeviceToken = trustedDevices.getTokenFromRequest(element, map);
            if (trustedDeviceToken != null && trustedDeviceToken.isExpired() && (trustedDeviceByTrustedToken = trustedDevices.getTrustedDeviceByTrustedToken(trustedDeviceToken)) != null) {
                trustedDeviceByTrustedToken.revoke();
            }
        }
        String attribute = element.getAttribute("password", (String) null);
        boolean attributeBool2 = element.getAttributeBool("generateDeviceId", false);
        String attribute2 = element.getAttribute("twoFactorCode", (String) null);
        String generateUUID = attributeBool2 ? UUIDUtil.generateUUID() : null;
        Element optionalElement3 = element.getOptionalElement(UserServlet.QP_AUTHTOKEN);
        if (optionalElement3 != null) {
            boolean attributeBool3 = optionalElement3.getAttributeBool("verifyAccount", false);
            if (attributeBool3 && optionalElement == null) {
                throw ServiceException.INVALID_REQUEST("missing required element: account", (Throwable) null);
            }
            try {
                AuthToken authToken = AuthProvider.getAuthToken(optionalElement3, account);
                addAccountToLogContextByAuthToken(provisioning, authToken);
                if (!checkPasswordSecurity(map)) {
                    throw ServiceException.INVALID_REQUEST("clear text password is not allowed", (Throwable) null);
                }
                AuthToken.Usage usage = authToken.getUsage();
                if (usage != AuthToken.Usage.AUTH && usage != AuthToken.Usage.TWO_FACTOR_AUTH) {
                    throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("invalid auth token");
                }
                Account validateAuthToken = AuthProvider.validateAuthToken(provisioning, authToken, false, usage);
                if (attributeBool3 && (account == null || !account.getId().equalsIgnoreCase(validateAuthToken.getId()))) {
                    throw new AuthTokenException("auth token doesn't match the named account");
                }
                if (usage == AuthToken.Usage.AUTH) {
                    ((ServletRequest) map.get(SoapServlet.SERVLET_REQUEST)).setAttribute(CsrfFilter.AUTH_TOKEN, authToken);
                    if (attributeBool && !authToken.isCsrfTokenEnabled()) {
                        authToken.setCsrfTokenEnabled(attributeBool);
                    }
                    return doResponse(element, authToken, zimbraSoapContext, map, validateAuthToken, attributeBool, trustedDeviceToken, generateUUID);
                }
                account = validateAuthToken;
            } catch (AuthTokenException e) {
                throw ServiceException.AUTH_REQUIRED();
            }
        }
        if (!checkPasswordSecurity(map)) {
            throw ServiceException.INVALID_REQUEST("clear text password is not allowed", (Throwable) null);
        }
        Element optionalElement4 = element.getOptionalElement(PreAuthServlet.PARAM_PREAUTH);
        String attribute3 = element.getAttribute("deviceId", (String) null);
        long j = 0;
        HashMap hashMap = new HashMap();
        hashMap.put(AuthContext.AC_ORIGINATING_CLIENT_IP, map.get(SoapEngine.ORIG_REQUEST_IP));
        hashMap.put(AuthContext.AC_REMOTE_IP, map.get(SoapEngine.SOAP_REQUEST_IP));
        hashMap.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, str);
        hashMap.put("ua", zimbraSoapContext.getUserAgent());
        boolean z = false;
        if (account == null && (accountBy == Key.AccountBy.name || accountBy == Key.AccountBy.krb5Principal)) {
            try {
                if (accountBy == Key.AccountBy.name) {
                    String domain2 = new NameUtil.EmailAddress(str2, false).getDomain();
                    Domain domain3 = domain2 == null ? null : provisioning.get(Key.DomainBy.name, domain2);
                    if (attribute != null) {
                        account = provisioning.autoProvAccountLazy(domain3, str, attribute, null);
                    } else if (optionalElement4 != null) {
                        long attributeLong = optionalElement4.getAttributeLong(PreAuthServlet.PARAM_TIMESTAMP);
                        j = optionalElement4.getAttributeLong(PreAuthServlet.PARAM_EXPIRES, 0L);
                        provisioning.preAuthAccount(domain3, str2, str3, attributeLong, j, optionalElement4.getTextTrim(), hashMap);
                        account = provisioning.autoProvAccountLazy(domain3, str, null, ZAttrProvisioning.AutoProvAuthMech.PREAUTH);
                    }
                } else if (attribute != null && (domainByKrb5Principal = Krb5Principal.getDomainByKrb5Principal(str)) != null) {
                    account = provisioning.autoProvAccountLazy(domainByKrb5Principal, str, attribute, null);
                }
                if (account != null) {
                    z = true;
                }
            } catch (AccountServiceException.AuthFailedServiceException e2) {
                ZimbraLog.account.debug("auth failed, unable to auto provisioing acct " + str2, e2);
            } catch (ServiceException e3) {
                ZimbraLog.account.info("unable to auto provisioing acct " + str2, e3);
            }
        }
        if (account == null && accountBy == Key.AccountBy.name && attribute != null) {
            Pair<Account, Boolean> pair = null;
            try {
                pair = provisioning.autoProvZMGProxyAccount(str, attribute);
            } catch (AccountServiceException.AuthFailedServiceException e4) {
            } catch (ServiceException e5) {
                ZimbraLog.account.info("unable to auto provision acct " + str, e5);
            }
            if (pair != null) {
                account = (Account) pair.getFirst();
                z = ((Boolean) pair.getSecond()).booleanValue();
            }
        }
        if (account == null) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(str2, str, "account not found");
        }
        AccountUtil.addAccountToLogContext(provisioning, account.getId(), "name", "id", null);
        Boolean bool = false;
        TwoFactorAuth twoFactorAuth = TwoFactorAuth.getFactory().getTwoFactorAuth(account);
        if (twoFactorAuth.twoFactorAuthEnabled()) {
            bool = Boolean.valueOf(trustedDeviceToken == null && element.getAttributeBool("deviceTrusted", false));
        }
        if (!z) {
            boolean z2 = false;
            if (trustedDeviceToken != null && account.isFeatureTrustedDevicesEnabled()) {
                if (trustedDeviceToken.isExpired()) {
                    ZimbraLog.account.debug("trusted token is expired");
                    bool = false;
                } else {
                    try {
                        verifyTrustedDevice(account, trustedDeviceToken, getTrustedDeviceAttrs(zimbraSoapContext, attribute3));
                        z2 = true;
                    } catch (AccountServiceException.AuthFailedServiceException e6) {
                        ZimbraLog.account.info("trusted device not verified");
                    }
                }
            }
            boolean z3 = (account == null || !twoFactorAuth.twoFactorAuthRequired() || z2) ? false : true;
            boolean z4 = z3 && optionalElement3 != null;
            if (attribute != null || z4) {
                if (z3 && attribute2 == null && attribute != null) {
                    if (!(account.isFeatureAppSpecificPasswordsEnabled() && zimbraSoapContext.getPort().intValue() == account.getServer().getMtaAuthPort()) || attribute == null) {
                        provisioning.authAccount(account, attribute, AuthContext.Protocol.soap, hashMap);
                        return needTwoFactorAuth(account, twoFactorAuth, zimbraSoapContext);
                    }
                    TwoFactorAuth.getFactory().getAppSpecificPasswords(account, str).authenticate(attribute);
                } else {
                    if (attribute != null) {
                        provisioning.authAccount(account, attribute, AuthContext.Protocol.soap, hashMap);
                    } else if (!z4) {
                        throw ServiceException.AUTH_REQUIRED();
                    }
                    if (z3) {
                        if (!twoFactorAuth.twoFactorAuthEnabled()) {
                            throw AccountServiceException.TWO_FACTOR_SETUP_REQUIRED();
                        }
                        AuthToken authToken2 = null;
                        if (attribute == null) {
                            try {
                                authToken2 = AuthProvider.getAuthToken(optionalElement3, account);
                                Account validateAuthToken2 = AuthProvider.validateAuthToken(provisioning, authToken2, false, AuthToken.Usage.TWO_FACTOR_AUTH);
                                if (optionalElement3.getAttributeBool("verifyAccount", false) && !validateAuthToken2.getId().equalsIgnoreCase(account.getId())) {
                                    throw new AuthTokenException("two-factor auth token doesn't match the named account");
                                }
                            } catch (AuthTokenException e7) {
                                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("bad auth token");
                            }
                        }
                        TwoFactorAuth twoFactorAuth2 = TwoFactorAuth.getFactory().getTwoFactorAuth(account);
                        if (attribute2 == null) {
                            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("no two-factor code provided");
                        }
                        twoFactorAuth2.authenticate(attribute2);
                        if (authToken2 != null) {
                            try {
                                authToken2.deRegister();
                            } catch (AuthTokenException e8) {
                                throw ServiceException.FAILURE("cannot de-register two-factor auth token", e8);
                            }
                        }
                    }
                }
            } else {
                if (optionalElement4 == null) {
                    throw ServiceException.INVALID_REQUEST("must specify password", (Throwable) null);
                }
                long attributeLong2 = optionalElement4.getAttributeLong(PreAuthServlet.PARAM_TIMESTAMP);
                j = optionalElement4.getAttributeLong(PreAuthServlet.PARAM_EXPIRES, 0L);
                provisioning.preAuthAccount(account, str2, str3, attributeLong2, j, optionalElement4.getTextTrim(), hashMap);
            }
        }
        AuthToken authToken3 = j == 0 ? AuthProvider.getAuthToken(account) : AuthProvider.getAuthToken(account, j);
        if (bool.booleanValue() && (trustedDeviceToken == null || trustedDeviceToken.isExpired())) {
            trustedDeviceToken = TwoFactorAuth.getFactory().getTrustedDevices(account).registerTrustedDevice(getTrustedDeviceAttrs(zimbraSoapContext, generateUUID == null ? attribute3 : generateUUID));
        }
        ServletRequest servletRequest = (ServletRequest) map.get(SoapServlet.SERVLET_REQUEST);
        if (attributeBool && !authToken3.isCsrfTokenEnabled()) {
            authToken3.setCsrfTokenEnabled(attributeBool);
        }
        servletRequest.setAttribute(CsrfFilter.AUTH_TOKEN, authToken3);
        return doResponse(element, authToken3, zimbraSoapContext, map, account, attributeBool, trustedDeviceToken, generateUUID);
    }

    private Map<String, Object> getTrustedDeviceAttrs(ZimbraSoapContext zimbraSoapContext, String str) {
        HashMap hashMap = new HashMap();
        hashMap.put(AuthContext.AC_DEVICE_ID, str);
        hashMap.put("ua", zimbraSoapContext.getUserAgent());
        return hashMap;
    }

    private void verifyTrustedDevice(Account account, TrustedDeviceToken trustedDeviceToken, Map<String, Object> map) throws ServiceException {
        TwoFactorAuth.getFactory().getTrustedDevices(account).verifyTrustedDevice(trustedDeviceToken, map);
    }

    private Element needTwoFactorAuth(Account account, TwoFactorAuth twoFactorAuth, ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        if (!twoFactorAuth.twoFactorAuthEnabled()) {
            throw AccountServiceException.TWO_FACTOR_SETUP_REQUIRED();
        }
        Element createElement = zimbraSoapContext.createElement(AccountConstants.AUTH_RESPONSE);
        AuthToken authToken = AuthProvider.getAuthToken(account, AuthToken.Usage.TWO_FACTOR_AUTH);
        createElement.addUniqueElement("twoFactorAuthRequired").setText("true");
        createElement.addAttribute("lifetime", authToken.getExpires() - System.currentTimeMillis(), Element.Disposition.CONTENT);
        authToken.encodeAuthResp(createElement, false);
        createElement.addUniqueElement("trustedDevicesEnabled").setText(account.isFeatureTrustedDevicesEnabled() ? "true" : "false");
        return createElement;
    }

    private Element doResponse(Element element, AuthToken authToken, ZimbraSoapContext zimbraSoapContext, Map<String, Object> map, Account account, boolean z, TrustedDeviceToken trustedDeviceToken, String str) throws ServiceException {
        String[] unicodeMultiAttr;
        Session updateAuthenticatedAccount;
        Element createElement = zimbraSoapContext.createElement(AccountConstants.AUTH_RESPONSE);
        authToken.encodeAuthResp(createElement, false);
        HttpServletRequest httpServletRequest = (HttpServletRequest) map.get(SoapServlet.SERVLET_REQUEST);
        HttpServletResponse httpServletResponse = (HttpServletResponse) map.get(SoapServlet.SERVLET_RESPONSE);
        authToken.encode(httpServletResponse, false, ZimbraCookie.secureCookie(httpServletRequest), element.getAttributeBool("persistAuthTokenCookie", false));
        createElement.addAttribute("lifetime", authToken.getExpires() - System.currentTimeMillis(), Element.Disposition.CONTENT);
        boolean onLocalServer = Provisioning.onLocalServer(account);
        if (onLocalServer && (updateAuthenticatedAccount = updateAuthenticatedAccount(zimbraSoapContext, authToken, map, true)) != null) {
            ZimbraSoapContext.encodeSession(createElement, updateAuthenticatedAccount.getSessionId(), updateAuthenticatedAccount.getSessionType());
        }
        String attr = Provisioning.getInstance().getLocalServer().getAttr("zimbraMailReferMode", Provisioning.MAIL_REFER_MODE_WRONGHOST);
        if (Provisioning.MAIL_REFER_MODE_ALWAYS.equals(attr) || (Provisioning.MAIL_REFER_MODE_WRONGHOST.equals(attr) && !onLocalServer)) {
            createElement.addAttribute("refer", account.getAttr("zimbraMailHost"), Element.Disposition.CONTENT);
        }
        Element optionalElement = element.getOptionalElement("prefs");
        if (optionalElement != null) {
            GetPrefs.handle(optionalElement, createElement.addUniqueElement("prefs"), account);
        }
        Element optionalElement2 = element.getOptionalElement("attrs");
        if (optionalElement2 != null) {
            Element addUniqueElement = createElement.addUniqueElement("attrs");
            Set<String> attrsWithFlag = AttributeManager.getInstance().getAttrsWithFlag(AttributeFlag.accountInfo);
            Iterator elementIterator = optionalElement2.elementIterator("attr");
            while (elementIterator.hasNext()) {
                String attribute = ((Element) elementIterator.next()).getAttribute("name");
                if (attribute != null && attrsWithFlag.contains(attribute) && (unicodeMultiAttr = account.getUnicodeMultiAttr(attribute)) != null) {
                    ToXML.encodeAttr(addUniqueElement, attribute, unicodeMultiAttr);
                }
            }
        }
        Element optionalElement3 = element.getOptionalElement("requestedSkin");
        String chooseSkin = SkinUtil.chooseSkin(account, optionalElement3 != null ? optionalElement3.getText() : null);
        ZimbraLog.webclient.debug("chooseSkin() returned " + chooseSkin);
        if (chooseSkin != null) {
            createElement.addElement("skin").setText(chooseSkin);
        }
        boolean z2 = false;
        if (httpServletRequest.getAttribute("zimbraCsrfTokenCheckEnabled") != null) {
            z2 = ((Boolean) httpServletRequest.getAttribute("zimbraCsrfTokenCheckEnabled")).booleanValue();
        }
        if (z && z2) {
            String generateCsrfToken = CsrfUtil.generateCsrfToken(authToken.getAccountId(), authToken.getExpires(), ((Integer) httpServletRequest.getAttribute(CsrfFilter.CSRF_SALT)).intValue(), authToken);
            createElement.addUniqueElement("csrfToken").addText(generateCsrfToken);
            httpServletResponse.setHeader("X-Zimbra-Csrf-Token", generateCsrfToken);
        }
        if (trustedDeviceToken != null) {
            trustedDeviceToken.encode(httpServletResponse, createElement, ZimbraCookie.secureCookie(httpServletRequest));
        }
        if (str != null) {
            createElement.addUniqueElement("deviceId").setText(str);
        }
        if (account.isIsMobileGatewayProxyAccount()) {
            createElement.addAttribute("zmgProxy", true);
        }
        return createElement;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean needsAuth(Map<String, Object> map) {
        return false;
    }

    public static void addAccountToLogContextByAuthToken(Provisioning provisioning, AuthToken authToken) {
        String accountId = authToken.getAccountId();
        if (accountId != null) {
            AccountUtil.addAccountToLogContext(provisioning, accountId, "name", "id", null);
        }
        String adminAccountId = authToken.getAdminAccountId();
        if (adminAccountId == null || adminAccountId.equals(accountId)) {
            return;
        }
        AccountUtil.addAccountToLogContext(provisioning, adminAccountId, "aname", Metadata.FN_ACCOUNT_ID, null);
    }
}
