package com.zimbra.cs.account.auth;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.QuotedStringParser;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.account.auth.PasswordUtil;
import com.zimbra.cs.account.auth.twofactor.AppSpecificPasswords;
import com.zimbra.cs.account.auth.twofactor.TwoFactorAuth;
import com.zimbra.cs.account.krb5.Krb5Login;
import com.zimbra.cs.account.krb5.Krb5Principal;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.cs.account.ldap.entry.LdapEntry;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/zimbra/cs/account/auth/AuthMechanism.class */
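/**
 * Strategy for verifying an account's credential against one of the
 * supported back ends (internal Zimbra password, external LDAP/AD, Kerberos 5,
 * or a registered custom handler).
 *
 * <p>Instances are obtained through {@link #newInstance(Account, Map)}, which
 * picks the implementation from the account's domain configuration.
 */
public abstract class AuthMechanism {
    /** Mechanism this instance was created for; returned by {@link #getMechanism()}. */
    protected AuthMech authMech;

    /** Names of the supported mechanisms, spelled as they are matched by {@link #fromString}. */
    public enum AuthMech {
        zimbra,
        ldap,
        ad,
        kerberos5,
        custom;

        /**
         * Parses a mechanism name.
         *
         * @param str exact (case-sensitive) constant name, or {@code null}
         * @return the matching constant, or {@code null} when {@code str} is {@code null}
         * @throws ServiceException {@code INVALID_REQUEST} when the name matches no constant
         */
        public static AuthMech fromString(String str) throws ServiceException {
            if (str == null) {
                return null;
            }
            try {
                return valueOf(str);
            } catch (IllegalArgumentException e) {
                throw ServiceException.INVALID_REQUEST("unknown auth mech: " + str, e);
            }
        }
    }

    /**
     * Delegates authentication to a {@link ZimbraCustomAuth} handler looked up by name.
     *
     * <p>The configuration string has the shape {@code custom:<handler> [args...]};
     * the arguments are split with {@link QuotedStringParser}.
     *
     * <p>NOTE(review): unlike {@link LdapAuth} and {@link ZimbraAuth}, this class does not
     * call {@link AuthMechanism#doTwoFactorAuth}. Whether two-factor enforcement for custom
     * handlers happens elsewhere cannot be determined from this file; confirm.
     */
    static class CustomAuth extends AuthMechanism {
        private String authMechStr;
        private String mHandlerName;
        private ZimbraCustomAuth mHandler;
        List<String> mArgs;

        /**
         * @param authMech mechanism constant to record (the factory passes {@code custom})
         * @param str      full configuration value, e.g. {@code custom:name arg1 "arg 2"}
         */
        CustomAuth(AuthMech authMech, String str) {
            super(authMech);
            this.mHandlerName = "";
            this.authMechStr = str;
            int colon = str.indexOf(':');
            if (colon != -1) {
                // Look for the separator only after the colon, so that a space occurring
                // earlier in the value cannot produce an inverted substring range.
                int space = str.indexOf(' ', colon + 1);
                if (space != -1) {
                    this.mHandlerName = str.substring(colon + 1, space);
                    List<String> parsed = new QuotedStringParser(str.substring(space + 1)).parse();
                    // An empty argument list is represented as null, as the handler call expects.
                    this.mArgs = parsed.isEmpty() ? null : parsed;
                } else {
                    this.mHandlerName = str.substring(colon + 1);
                }
                if (!StringUtil.isNullOrEmpty(this.mHandlerName)) {
                    this.mHandler = ZimbraCustomAuth.getHandler(this.mHandlerName);
                }
            }
            if (ZimbraLog.account.isDebugEnabled()) {
                // NOTE(review): handler arguments are written to the debug log verbatim. If a
                // deployment passes secrets (for example credentials embedded in a URL) as
                // handler arguments, they end up in the log; confirm and redact if so.
                StringBuilder shown = null;
                if (this.mArgs != null) {
                    shown = new StringBuilder();
                    for (String arg : this.mArgs) {
                        shown.append("[").append(arg).append("] ");
                    }
                }
                ZimbraLog.account.debug("CustomAuth: handlerName=" + this.mHandlerName + ", args=" + shown);
            }
        }

        /**
         * Runs the custom handler.
         *
         * @throws ServiceException {@code AUTH_FAILED} when no handler was resolved for the
         *         configured name or the handler threw a non-{@code ServiceException};
         *         a {@code ServiceException} thrown by the handler is propagated unchanged
         */
        @Override
        public void doAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException {
            // Fail closed: an unresolved handler must never be treated as a successful login.
            if (this.mHandler == null) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "handler " + this.mHandlerName + " for custom auth for domain " + domain.getName() + " not found");
            }
            try {
                this.mHandler.authenticate(account, str, map, this.mArgs);
            } catch (ServiceException e) {
                // Caught separately so the checked type is preserved on rethrow.
                throw e;
            } catch (Exception e) {
                String message = e.getMessage();
                String detail = StringUtil.isNullOrEmpty(message) ? "" : " (" + message + ")";
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map) + detail, detail, e);
            }
        }

        /**
         * @return whatever the custom handler reports
         * @throws ServiceException {@code FAILURE} when no handler was resolved
         */
        @Override
        public boolean checkPasswordAging() throws ServiceException {
            if (this.mHandler == null) {
                throw ServiceException.FAILURE("custom auth handler " + this.mHandlerName + " not found", (Throwable) null);
            }
            return this.mHandler.checkPasswordAging();
        }
    }

    /**
     * Verifies the password by attempting a Kerberos 5 login for the account's principal.
     *
     * <p>NOTE(review): this class does not call {@link AuthMechanism#doTwoFactorAuth};
     * whether two-factor is enforced for Kerberos domains elsewhere is not visible here.
     */
    static class Kerberos5Auth extends AuthMechanism {
        Kerberos5Auth(AuthMech authMech) {
            super(authMech);
        }

        /**
         * @throws ServiceException {@code AUTH_FAILED} when no principal can be derived for
         *         the account or the Kerberos login is rejected
         */
        @Override
        public void doAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException {
            String krb5Principal = Krb5Principal.getKrb5Principal(domain, account);
            if (krb5Principal == null) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "cannot obtain principal for " + this.authMech.name() + " auth");
            }
            try {
                Krb5Login.verifyPassword(krb5Principal, str);
            } catch (LoginException e) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map) + "(kerberos5 principal: " + krb5Principal + ")", e.getMessage(), e);
            }
        }

        /** @return always {@code false} for this mechanism */
        @Override
        public boolean checkPasswordAging() throws ServiceException {
            return false;
        }
    }

    /** Verifies the password against an external LDAP or Active Directory server. */
    static class LdapAuth extends AuthMechanism {
        LdapAuth(AuthMech authMech) {
            super(authMech);
        }

        /**
         * Runs the app-specific-password gate first; if that did not settle the attempt,
         * hands the credential to {@code externalLdapAuth}.
         */
        @Override
        public void doAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException {
            if (AuthMechanism.doTwoFactorAuth(account, str, map)) {
                return;
            }
            ldapProv.externalLdapAuth(domain, this.authMech, account, str, map);
        }

        /** @return always {@code false} for this mechanism */
        @Override
        public boolean checkPasswordAging() throws ServiceException {
            return false;
        }
    }

    /** Verifies the password against the {@code userPassword} value stored on the account. */
    public static class ZimbraAuth extends AuthMechanism {
        ZimbraAuth(AuthMech authMech) {
            super(authMech);
        }

        @Override
        public boolean isZimbraAuth() {
            return true;
        }

        /**
         * Checks {@code str} against the stored {@code userPassword}.
         *
         * <p>Order of checks: app-specific-password gate, then SSHA512, then SSHA, and
         * finally {@code zimbraLdapAuthenticate} for any other stored format.
         *
         * <p>NOTE(review): the failure reasons distinguish "missing userPassword" from
         * "invalid password". Confirm that the reason is only logged and is not returned
         * to the client, otherwise it reveals account state to an unauthenticated caller.
         *
         * @throws ServiceException {@code AUTH_FAILED} on any mismatch or missing value
         */
        @Override
        public void doAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException {
            String stored = account.getAttr("userPassword");
            if (AuthMechanism.doTwoFactorAuth(account, str, map)) {
                return;
            }
            if (stored == null) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "missing userPassword");
            }
            if (PasswordUtil.SSHA512.isSSHA512(stored)) {
                if (!PasswordUtil.SSHA512.verifySSHA512(stored, str)) {
                    throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "invalid password");
                }
                return;
            }
            if (PasswordUtil.SSHA.isSSHA(stored)) {
                // Older stored format; still accepted so existing accounts keep working.
                if (!PasswordUtil.SSHA.verifySSHA(stored, str)) {
                    throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "invalid password");
                }
                return;
            }
            // Neither recognised hash format: the directory is asked to decide, which is
            // only possible for LDAP-backed entries.
            if (!(account instanceof LdapEntry)) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map));
            }
            ldapProv.zimbraLdapAuthenticate(account, str, map);
        }

        /** @return always {@code true}: password aging applies to internally stored passwords */
        @Override
        public boolean checkPasswordAging() throws ServiceException {
            return true;
        }
    }

    /** @param authMech mechanism constant recorded for {@link #getMechanism()} */
    protected AuthMechanism(AuthMech authMech) {
        this.authMech = authMech;
    }

    /**
     * Selects the mechanism for an account.
     *
     * <p>External virtual accounts, accounts without a domain and domains without a
     * configured value use internal Zimbra auth. When the context carries
     * {@code AC_AS_ADMIN == true} the domain's admin mechanism is preferred, falling
     * back to the regular one when it is unset.
     *
     * <p>An unrecognised configured value is logged and replaced by internal Zimbra auth.
     * NOTE(review): that fallback means a mistyped mechanism name silently moves a domain
     * from its external directory to locally stored passwords; the two warnings emitted
     * here are the only signal, so they are worth alerting on.
     *
     * @param account account being authenticated
     * @param map     auth context, may be {@code null}
     * @return a mechanism instance, never {@code null}
     * @throws ServiceException if the domain lookup fails
     */
    public static AuthMechanism newInstance(Account account, Map<String, Object> map) throws ServiceException {
        String name = AuthMech.zimbra.name();
        if (!account.isIsExternalVirtualAccount()) {
            Domain domain = Provisioning.getInstance().getDomain(account);
            if (domain != null) {
                Boolean asAdmin = map == null ? null : (Boolean) map.get(AuthContext.AC_AS_ADMIN);
                String configured;
                if (asAdmin != null && asAdmin.booleanValue()) {
                    configured = domain.getAuthMechAdmin();
                    if (configured == null) {
                        configured = domain.getAuthMech();
                    }
                } else {
                    configured = domain.getAuthMech();
                }
                if (configured != null) {
                    name = configured;
                }
            }
        }
        if (name.startsWith(AuthMech.custom.name() + ":")) {
            return new CustomAuth(AuthMech.custom, name);
        }
        // Stays null when the name cannot be parsed; the code below then takes the
        // documented fallback instead of switching on an unassigned or null value.
        AuthMech mech = null;
        try {
            mech = AuthMech.fromString(name);
        } catch (ServiceException e) {
            ZimbraLog.account.warn("invalid auth mech", e);
        }
        if (mech != null) {
            switch (mech) {
                case zimbra:
                    return new ZimbraAuth(mech);
                case ldap:
                case ad:
                    return new LdapAuth(mech);
                case kerberos5:
                    return new Kerberos5Auth(mech);
                default:
                    break;
            }
        }
        ZimbraLog.account.warn("unknown value for zimbraAuthMech: " + name + ", falling back to default mech");
        return new ZimbraAuth(AuthMech.zimbra);
    }

    /** Authenticates with the internal Zimbra mechanism regardless of domain configuration. */
    public static void doZimbraAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException {
        new ZimbraAuth(AuthMech.zimbra).doAuth(ldapProv, domain, account, str, map);
    }

    /** @return {@code true} only for {@link ZimbraAuth}; {@code false} by default */
    public boolean isZimbraAuth() {
        return false;
    }

    /** @return whether password-aging rules apply to accounts using this mechanism */
    public abstract boolean checkPasswordAging() throws ServiceException;

    /**
     * Verifies a credential; returns normally on success.
     *
     * @param ldapProv provisioning instance used for directory-backed checks
     * @param domain   the account's domain
     * @param account  account being authenticated
     * @param str      credential supplied by the client
     * @param map      auth context, may be {@code null}
     * @throws ServiceException when authentication fails or cannot be performed
     */
    public abstract void doAuth(LdapProv ldapProv, Domain domain, Account account, String str, Map<String, Object> map) throws ServiceException;

    /** @return the mechanism constant given at construction */
    public AuthMech getMechanism() {
        return this.authMech;
    }

    /**
     * Returns the account name exactly as the client supplied it, for use in failure records.
     *
     * @param map auth context, may be {@code null}
     * @return the {@code AC_ACCOUNT_NAME_PASSEDIN} entry, or {@code ""} when absent
     */
    public static String namePassedIn(Map<String, Object> map) {
        if (map == null) {
            return "";
        }
        String passedIn = (String) map.get(AuthContext.AC_ACCOUNT_NAME_PASSEDIN);
        return passedIn == null ? "" : passedIn;
    }

    /**
     * Applies the app-specific-password gate for accounts that require two-factor auth.
     *
     * <p>For the {@code soap} and {@code http_basic} protocols nothing is done here. Every
     * other protocol must present an app-specific password. A context without a protocol
     * entry is handled like those other protocols (the stricter path) rather than failing
     * with a {@code NullPointerException}.
     *
     * <p>NOTE(review): when {@code map} is {@code null} the gate is skipped even if
     * two-factor is required, and the caller proceeds to the primary password check.
     * Confirm that every non-interactive entry point passes a context.
     *
     * @param account account being authenticated
     * @param str     credential supplied by the client
     * @param map     auth context, may be {@code null}
     * @return {@code true} when the credential was checked against the app-specific
     *         passwords (callers in this file then skip the primary password check);
     *         {@code false} when the caller must still verify the primary password
     * @throws ServiceException {@code AUTH_FAILED} when an app-specific password is
     *         required but the feature is disabled, or as raised by the password check
     */
    public static boolean doTwoFactorAuth(Account account, String str, Map<String, Object> map) throws ServiceException, AccountServiceException.AuthFailedServiceException {
        TwoFactorAuth twoFactorAuth = TwoFactorAuth.getFactory().getTwoFactorAuth(account);
        AppSpecificPasswords appSpecificPasswords = TwoFactorAuth.getFactory().getAppSpecificPasswords(account);
        if (!twoFactorAuth.twoFactorAuthRequired() || map == null) {
            return false;
        }
        AuthContext.Protocol protocol = (AuthContext.Protocol) map.get(AuthContext.AC_PROTOCOL);
        if (protocol == AuthContext.Protocol.soap || protocol == AuthContext.Protocol.http_basic) {
            return false;
        }
        if (!appSpecificPasswords.isEnabled()) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(account.getName(), namePassedIn(map), "invalid password");
        }
        // presumably throws on mismatch; no return value is inspected here (TODO confirm)
        appSpecificPasswords.authenticate(str);
        return true;
    }

    /** Manual smoke test: prints the parsed tokens of a sample value and builds a CustomAuth from it. */
    public static void main(String[] strArr) {
        List<String> tokens = new QuotedStringParser("http://blah.com:123    green \" ocean blue   \"  \"\" yelllow \"\"").parse();
        int i = 0;
        for (String token : tokens) {
            i++;
            System.out.format("%d [%s]\n", Integer.valueOf(i), token);
        }
        new CustomAuth(AuthMech.custom, "custom:sample http://blah.com:123    green \" ocean blue   \"  \"\" yelllow \"\"");
    }
}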
