package com.zimbra.cs.service.authenticator;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.HttpUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.SearchAccountsOptions;
import com.zimbra.cs.ldap.ZLdapFilterFactory;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/zimbra/cs/service/authenticator/ClientCertPrincipalMap.class */
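/**
 * Parses the {@code zimbraMailSSLClientCertPrincipalMap} attribute into an ordered list of
 * {@link Rule}s, each of which maps a field of a client X.509 certificate to a Zimbra account.
 *
 * <p>The attribute is a comma-separated list of entries of two forms:
 * <ul>
 *   <li>{@code CERT_FIELD=ZIMBRA_KEY} (a {@link FieldMapRule}), e.g.
 *       {@code SUBJECT_EMAILADDRESS=name};</li>
 *   <li>an LDAP filter, recognised by a leading {@code (}, whose {@code %{CERT_FIELD}}
 *       placeholders are expanded from the certificate (a {@link LdapFilterRule}). Such
 *       entries are only accepted when
 *       {@code isMailSSLClientCertPrincipalMapLdapFilterEnabled()} is true on the global
 *       config.</li>
 * </ul>
 * Because entries are split on the comma, an LDAP filter entry cannot itself contain a comma.
 * The attribute is read from the domain matching the request's virtual host, falling back to
 * the global config; when it is unset a single default rule {@code SUBJECT_EMAILADDRESS=name}
 * is used.
 */
public class ClientCertPrincipalMap {
    static final String LOG_PREFIX = "certauth - ";
    private static final String RULE_DELIMITER = ",";
    private static final char LDAP_FILTER_LEADING_CHAR = '(';
    private static final String MAP_DELIMITER = "=";
    private final List<Rule> rules;

    /**
     * A field of the client certificate that a rule reads; see {@link KnownCertField} for the
     * fixed set and {@link SubjectCertField} for {@code SUBJECT_<RDN attr>} fields.
     */
    public static abstract class CertField {
        CertField() {
        }

        /** Returns the configuration name of this field, e.g. {@code SUBJECT_DN} or {@code SUBJECT_CN}. */
        abstract String getName();
    }

    /**
     * Rule of the form {@code CERT_FIELD=ZIMBRA_KEY}: reads one certificate field and looks the
     * account up by that value under the given key.
     */
    public static class FieldMapRule extends Rule {
        private final CertField certField;
        private final ZimbraKey zimbraKey;

        private FieldMapRule(CertField certField, ZimbraKey zimbraKey) {
            this.certField = certField;
            this.zimbraKey = zimbraKey;
        }

        CertField getCertField() {
            return this.certField;
        }

        ZimbraKey getZimbraKey() {
            return this.zimbraKey;
        }

        @Override
        String getName() {
            return this.certField.getName() + MAP_DELIMITER + this.zimbraKey.name();
        }

        /**
         * Reads the configured field from the certificate and resolves the account it names.
         *
         * @return the principal, or {@code null} when the certificate lacks the field or no
         *     account matches its value
         */
        @Override
        SSOAuthenticator.ZimbraPrincipal apply(X509Certificate x509Certificate) throws ServiceException {
            String value = new CertUtil(x509Certificate).getCertField(this.certField);
            if (value == null) {
                return null;
            }
            Account account = getZimbraAccount(this.zimbraKey, this.certField, value);
            if (account == null) {
                return null;
            }
            return new SSOAuthenticator.ZimbraPrincipal(value, account);
        }

        /**
         * Looks an account up by {@code zimbraKey}. A lookup failure is deliberately best-effort:
         * it is logged at debug level and reported as "no match" ({@code null}).
         *
         * @param value the certificate field's value, used as the lookup key
         */
        private Account getZimbraAccount(ZimbraKey zimbraKey, CertField certField, String value) {
            ZimbraLog.account.debug(LOG_PREFIX + "get account by " + zimbraKey.name() + ", " + certField.getName() + MAP_DELIMITER + value);
            Provisioning prov = Provisioning.getInstance();
            try {
                switch (zimbraKey) {
                    case name:
                        return prov.get(Key.AccountBy.name, value);
                    case zimbraId:
                        return prov.get(Key.AccountBy.id, value);
                    case zimbraForeignPrincipal:
                        // the foreign-principal key is built from the Provisioning template,
                        // parameterised by the field name and its value
                        return prov.get(Key.AccountBy.foreignPrincipal,
                                String.format(Provisioning.FP_PREFIX_CERT, certField.getName(), value));
                    default:
                        return null;
                }
            } catch (ServiceException e) {
                ZimbraLog.account.debug(LOG_PREFIX + "no matching account by " + zimbraKey.name() + ", " + certField.getName() + MAP_DELIMITER + value, e);
                return null;
            }
        }
    }

    /** A certificate field with a fixed name, one of {@link Field}. */
    public static class KnownCertField extends CertField {
        private final Field field;

        /** The fixed set of certificate fields a rule can name directly. */
        public enum Field {
            SUBJECT_DN,
            SUBJECTALTNAME_OTHERNAME_UPN,
            SUBJECTALTNAME_RFC822NAME;

            // one wrapper per constant, so parse() hands out a shared instance
            private final KnownCertField knownCertField = new KnownCertField(this);

            Field() {
            }

            public KnownCertField getKnownCertField() {
                return this.knownCertField;
            }

            /** All constant names joined with {@code |}, for messages listing the valid fields. */
            private static String names() {
                StringBuilder joined = new StringBuilder();
                for (Field f : values()) {
                    if (joined.length() > 0) {
                        joined.append('|');
                    }
                    joined.append(f.name());
                }
                return joined.toString();
            }
        }

        private KnownCertField(Field field) {
            this.field = field;
        }

        /** Returns the field named exactly {@code str}, or {@code null} if it is not a {@link Field}. */
        public static KnownCertField parse(String str) {
            for (Field f : Field.values()) {
                if (f.name().equals(str)) {
                    return f.getKnownCertField();
                }
            }
            return null;
        }

        /** Returns the valid field names joined with {@code |}. */
        public static String names() {
            return Field.names();
        }

        public Field getField() {
            return this.field;
        }

        @Override
        String getName() {
            return this.field.name();
        }
    }

    /**
     * Rule written as an LDAP filter, e.g. {@code (mail=%{SUBJECTALTNAME_RFC822NAME})}. Each
     * {@code %{CERT_FIELD}} placeholder is replaced by that field's value from the certificate.
     * The value is escaped per RFC 4515 before substitution, so certificate content (which is
     * chosen by whoever requested the certificate) can only ever be matched literally and cannot
     * change the filter's structure or introduce wildcards.
     */
    public static class LdapFilterRule extends Rule {
        private static final Pattern PLACEHOLDER = Pattern.compile("\\%\\{([^\\}]*)\\}");
        private final String filter;

        private LdapFilterRule(String filter) {
            this.filter = filter;
        }

        String getFilter() {
            return this.filter;
        }

        @Override
        String getName() {
            return this.filter;
        }

        /**
         * Expands the filter from the certificate and searches the directory with it.
         *
         * @return the principal when exactly one account matches; {@code null} when the
         *     certificate lacks a referenced field or the search does not yield exactly one entry
         * @throws ServiceException when a placeholder names an unknown certificate field, or
         *     from the directory search
         */
        @Override
        SSOAuthenticator.ZimbraPrincipal apply(X509Certificate x509Certificate) throws ServiceException {
            String expanded = expandFilter(x509Certificate);
            if (expanded == null) {
                return null;
            }
            ZimbraLog.account.debug(LOG_PREFIX + "search account by expanded filter(prepended with account objectClass filter): " + expanded);
            SearchAccountsOptions options = new SearchAccountsOptions();
            options.setMaxResults(1);
            options.setFilterString(ZLdapFilterFactory.FilterId.ACCOUNT_BY_SSL_CLENT_CERT_PRINCIPAL_MAP, expanded);
            List<NamedEntry> found = Provisioning.getInstance().searchDirectory(options);
            if (found.size() != 1) {
                return null;
            }
            return new SSOAuthenticator.ZimbraPrincipal(expanded, (Account) found.get(0));
        }

        /**
         * Substitutes every {@code %{CERT_FIELD}} placeholder in the configured filter with the
         * escaped value of that field.
         *
         * @return the expanded filter, or {@code null} when the certificate has no value for one
         *     of the referenced fields (the rule cannot match)
         * @throws ServiceException when a placeholder names an unknown certificate field
         */
        private String expandFilter(X509Certificate x509Certificate) throws ServiceException {
            CertUtil certUtil = new CertUtil(x509Certificate);
            Matcher matcher = PLACEHOLDER.matcher(this.filter);
            StringBuffer out = new StringBuffer();
            while (matcher.find()) {
                String fieldName = matcher.group(1);
                String value = certUtil.getCertField(ClientCertPrincipalMap.parseCertField(fieldName));
                if (value == null) {
                    ZimbraLog.account.debug(LOG_PREFIX + "cert has no " + fieldName + " field, rule " + this.filter + " does not apply");
                    return null;
                }
                // quoteReplacement: '$' and '\' in the value would otherwise be interpreted
                // by appendReplacement as group references / escapes
                matcher.appendReplacement(out, Matcher.quoteReplacement(escapeLdapFilterValue(value)));
            }
            matcher.appendTail(out);
            return out.toString();
        }

        /**
         * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3): the
         * characters {@code *}, {@code (}, {@code )}, {@code \} and NUL become {@code \2a},
         * {@code \28}, {@code \29}, {@code \5c} and {@code \00}; everything else is kept.
         */
        static String escapeLdapFilterValue(String value) {
            StringBuilder escaped = new StringBuilder(value.length());
            for (int i = 0; i < value.length(); i++) {
                char c = value.charAt(i);
                switch (c) {
                    case '*':
                        escaped.append("\\2a");
                        break;
                    case '(':
                        escaped.append("\\28");
                        break;
                    case ')':
                        escaped.append("\\29");
                        break;
                    case '\\':
                        escaped.append("\\5c");
                        break;
                    case '\0':
                        escaped.append("\\00");
                        break;
                    default:
                        escaped.append(c);
                }
            }
            return escaped.toString();
        }
    }

    /** One parsed mapping entry; {@link #apply} resolves a certificate to a principal or {@code null}. */
    public static abstract class Rule {
        Rule() {
        }

        /** Returns the entry as it would be written in the configuration. */
        public abstract String getName();

        /**
         * Resolves the account this rule maps the certificate to.
         *
         * @return the principal, or {@code null} when the rule does not match the certificate
         */
        public abstract SSOAuthenticator.ZimbraPrincipal apply(X509Certificate x509Certificate) throws ServiceException;
    }

    /** A {@code SUBJECT_<attr>} field, naming one RDN attribute type of the certificate subject. */
    public static class SubjectCertField extends CertField {
        private static final String PREFIX = "SUBJECT_";
        private static final int PREFIX_LEN = PREFIX.length();
        // the default rule's field when zimbraMailSSLClientCertPrincipalMap is not set
        private static final SubjectCertField EMAILADDRESS = new SubjectCertField("EMAILADDRESS");
        final String rdnAttrType;

        private SubjectCertField(String rdnAttrType) {
            this.rdnAttrType = rdnAttrType;
        }

        /**
         * Returns the field for {@code SUBJECT_<attr>}, or {@code null} when {@code str} lacks the
         * prefix or has nothing after it.
         */
        static SubjectCertField parse(String str) {
            boolean hasAttr = str.startsWith(PREFIX) && str.length() > PREFIX_LEN;
            return hasAttr ? new SubjectCertField(str.substring(PREFIX_LEN)) : null;
        }

        /** Returns a human-readable description of the accepted syntax. */
        public static String names() {
            return "SUBJECT_{an RDN attr, e.g. CN}";
        }

        public String getRDNAttrType() {
            return this.rdnAttrType;
        }

        @Override
        String getName() {
            return PREFIX + this.rdnAttrType;
        }
    }

    /** Account lookup keys accepted on the right-hand side of a field map rule (spelled as in config). */
    public enum ZimbraKey {
        name,
        zimbraId,
        zimbraForeignPrincipal
    }

    /**
     * Loads and parses the mapping that applies to the request's virtual host.
     *
     * @throws ServiceException when the configured mapping is malformed
     */
    public ClientCertPrincipalMap(HttpServletRequest httpServletRequest) throws ServiceException {
        this.rules = parse(getMappingConfig(httpServletRequest));
    }

    /** Returns the parsed rules in configuration order. */
    public List<Rule> getRules() {
        return this.rules;
    }

    /**
     * Reads {@code zimbraMailSSLClientCertPrincipalMap} from the domain whose virtual hostname
     * matches the request, or from the global config when no such domain exists.
     *
     * @return the attribute value, or {@code null} when it is not set
     */
    private String getMappingConfig(HttpServletRequest httpServletRequest) throws ServiceException {
        Provisioning prov = Provisioning.getInstance();
        Domain domain = prov.get(Key.DomainBy.virtualHostname, HttpUtil.getVirtualHost(httpServletRequest));
        if (domain == null) {
            domain = prov.getConfig();
        }
        return domain.getAttr("zimbraMailSSLClientCertPrincipalMap");
    }

    /**
     * Splits the attribute value into rules. A {@code null} value yields the single default
     * rule {@code SUBJECT_EMAILADDRESS=name}.
     *
     * @throws ServiceException for a blank or malformed entry, or for an LDAP filter entry
     *     when LDAP filter mapping is disabled in the global config
     */
    private List<Rule> parse(String config) throws ServiceException {
        List<Rule> parsed = new ArrayList<Rule>();
        if (config == null) {
            FieldMapRule defaultRule = new FieldMapRule(SubjectCertField.EMAILADDRESS, ZimbraKey.name);
            ZimbraLog.account.warn(LOG_PREFIX + "No zimbraMailSSLClientCertPrincipalMap configured, default to " + defaultRule.getName());
            parsed.add(defaultRule);
            return parsed;
        }
        boolean ldapFilterEnabled = Provisioning.getInstance().getConfig().isMailSSLClientCertPrincipalMapLdapFilterEnabled();
        for (String rawEntry : config.split(RULE_DELIMITER)) {
            String entry = rawEntry.trim();
            if (entry.isEmpty()) {
                // e.g. a trailing or doubled comma; charAt(0) below would throw on it
                throw ServiceException.FAILURE("Invalid config:" + rawEntry + " in zimbraMailSSLClientCertPrincipalMap", (Throwable) null);
            }
            if (entry.charAt(0) != LDAP_FILTER_LEADING_CHAR) {
                parsed.add(parseFieldMapRule(entry));
            } else if (ldapFilterEnabled) {
                parsed.add(new LdapFilterRule(entry));
            } else {
                throw ServiceException.FAILURE("LDAP filter is not allowed: " + entry, (Throwable) null);
            }
        }
        return parsed;
    }

    /**
     * Parses one {@code CERT_FIELD=ZIMBRA_KEY} entry.
     *
     * @throws ServiceException when the entry does not have exactly one {@code =}, names an
     *     unknown certificate field, or names an unknown {@link ZimbraKey}
     */
    private Rule parseFieldMapRule(String entry) throws ServiceException {
        String[] parts = entry.split(MAP_DELIMITER);
        if (parts.length != 2) {
            throw ServiceException.FAILURE("Invalid config:" + entry + " in zimbraMailSSLClientCertPrincipalMap", (Throwable) null);
        }
        try {
            CertField field = parseCertField(parts[0].trim());
            // valueOf throws IllegalArgumentException for an unknown key; report it as a
            // config error rather than letting it escape as a runtime exception
            ZimbraKey key = ZimbraKey.valueOf(parts[1].trim());
            return new FieldMapRule(field, key);
        } catch (ServiceException e) {
            throw ServiceException.FAILURE("Invalid config:" + entry + " in zimbraMailSSLClientCertPrincipalMap", e);
        } catch (IllegalArgumentException e) {
            throw ServiceException.FAILURE("Invalid config:" + entry + " in zimbraMailSSLClientCertPrincipalMap", e);
        }
    }

    /**
     * Resolves a configuration field name, trying the fixed {@link KnownCertField}s first and
     * then the {@code SUBJECT_<attr>} form.
     *
     * @throws ServiceException when the name matches neither
     */
    public static CertField parseCertField(String str) throws ServiceException {
        CertField field = KnownCertField.parse(str);
        if (field == null) {
            field = SubjectCertField.parse(str);
        }
        if (field == null) {
            throw ServiceException.FAILURE("Invalid cert field:" + str, (Throwable) null);
        }
        return field;
    }
}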
