package com.zimbra.cs.account;

import com.google.common.base.Objects;
import com.zimbra.common.account.Key;
import com.zimbra.common.auth.ZAuthToken;
import com.zimbra.common.localconfig.LC;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.Element;
import com.zimbra.common.util.BlobMetaData;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.LogFactory;
import com.zimbra.common.util.MapUtil;
import com.zimbra.common.util.ZimbraCookie;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.auth.AuthMechanism;
import com.zimbra.cs.ephemeral.EphemeralInput;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.service.UserServlet;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Map;
import java.util.Random;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpState;

/* loaded from: input_file:com/zimbra/cs/account/ZimbraAuthToken.class */
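/**
 * HMAC-signed authentication token.
 *
 * <p>The encoded form produced by {@link #getEncoded()} and parsed by
 * {@link #ZimbraAuthToken(String)} is three fields joined by {@code '_'}:
 * {@code <key version>_<hmac>_<hex-encoded attribute payload>}. The HMAC is computed over the
 * hex payload with the {@link AuthTokenKey} named by the key version.
 *
 * <p>Parsing verifies only the HMAC. Expiry ({@link #isExpired()}) and server-side registration
 * ({@link #isRegistered()}) are separate checks that callers have to make themselves.
 *
 * <p>This listing is decompiler output: parameter names such as {@code str}, {@code z} and
 * {@code j} are synthetic and are kept so the signatures match the original listing.
 */
public class ZimbraAuthToken extends AuthToken implements Cloneable {
    // Attribute keys used inside the encoded payload.
    private static final String C_ID = "id";
    private static final String C_AID = "aid";
    private static final String C_EXP = "exp";
    private static final String C_ADMIN = "admin";
    private static final String C_DOMAIN = "domain";
    private static final String C_DLGADMIN = "dlgadmin";
    private static final String C_TYPE = "type";
    private static final String C_TYPE_ZIMBRA_USER = "zimbra";
    private static final String C_TYPE_EXTERNAL_USER = "external";
    private static final String C_TYPE_ZMG_APP = "zmgapp";
    private static final String C_EXTERNAL_USER_EMAIL = "email";
    private static final String C_DIGEST = "digest";
    private static final String C_VALIDITY_VALUE = "vv";
    private static final String C_AUTH_MECH = "am";
    private static final String C_USAGE = "u";
    private static final String C_TOKEN_ID = "tid";
    private static final String C_SERVER_VERSION = "version";
    private static final String C_CSRF = "csrf";

    /** Marker for "no validity value / no token id"; such a validity value is left out of the payload. */
    private static final int UNSET = -1;
    /** Fallback lifetime (ms) passed to getTimeInterval for both two-factor usages. */
    private static final long DEFAULT_TWO_FACTOR_LIFETIME_MS = 3600000L;
    /** Fallback lifetime (ms) passed to getTimeInterval for ordinary and admin auth tokens. */
    private static final long DEFAULT_AUTH_LIFETIME_MS = 43200000L;

    /** Parsed tokens keyed by their exact encoded string; guarded by the class monitor. */
    private static final Map<String, ZimbraAuthToken> CACHE = MapUtil.newLruMap(LC.zimbra_authtoken_cache_size.intValue());
    private static final Log LOG = LogFactory.getLog(AuthToken.class);
    /**
     * Source of token ids. The id is the handle under which a token is registered and removed in
     * the account's token store, so it is drawn from a CSPRNG instead of a freshly seeded
     * {@link java.util.Random}.
     */
    private static final SecureRandom TOKEN_ID_RANDOM = new SecureRandom();

    private String accountId;
    private String adminAccountId;
    private int validityValue;
    private long expires;
    // Cached encoded form; reset to null whenever a field that is part of the payload changes.
    private String encoded;
    private boolean isAdmin;
    private boolean isDomainAdmin;
    private boolean isDelegatedAdmin;
    private String type;
    private String externalUserEmail;
    private String digest;
    // Set only for GuestAccount tokens and never written into the encoded payload.
    private String accessKey;
    private String proxyAuthToken;
    private AuthMechanism.AuthMech authMech;
    private Integer tokenID;
    private String server_version;
    private boolean csrfTokenEnabled;
    private AuthToken.Usage usage;

    /**
     * {@link SecretKey} wrapper around raw key bytes, used to key the crumb MAC.
     *
     * <p>The decompiler reports that this class and its constructor were package-private in the
     * original bytecode.
     */
    public static class ByteKey implements SecretKey {
        private static final long serialVersionUID = -7237091299729195624L;
        private final byte[] mKey;

        /**
         * @param bArr raw key material; copied, so later changes to the caller's array do not
         *     affect this key
         */
        public ByteKey(byte[] bArr) {
            this.mKey = (byte[]) bArr.clone();
        }

        /**
         * Returns a copy of the key bytes so callers cannot modify the key held by this object.
         */
        @Override // java.security.Key
        public byte[] getEncoded() {
            return (byte[]) this.mKey.clone();
        }

        // NOTE(review): reports HmacSHA1 although getCrumb() feeds this key to an HmacMD5 Mac.
        @Override // java.security.Key
        public String getAlgorithm() {
            return "HmacSHA1";
        }

        @Override // java.security.Key
        public String getFormat() {
            return "RAW";
        }
    }

    /**
     * Describes the token by account ids, expiry and admin flags. The encoded token, digest and
     * access key are deliberately not part of the output, so the string is safe to log.
     */
    @Override // com.zimbra.cs.account.AuthToken
    public String toString() {
        return Objects.toStringHelper(this)
                .add("acct", this.accountId)
                .add("admin", this.adminAccountId)
                .add(C_EXP, this.expires)
                .add("isAdm", this.isAdmin)
                .add("isDlgAd", this.isDelegatedAdmin)
                .toString();
    }

    /**
     * Fetches the signing key currently in use.
     *
     * @throws AuthTokenException if the key lookup fails with a {@link ServiceException}
     */
    protected static AuthTokenKey getCurrentKey() throws AuthTokenException {
        try {
            return AuthTokenKey.getCurrentKey();
        } catch (ServiceException e) {
            LOG.fatal("unable to get latest AuthTokenKey", e);
            throw new AuthTokenException("unable to get AuthTokenKey", e);
        }
    }

    /**
     * Parses an encoded token, using the LRU cache when the same string was seen before.
     *
     * <p>The returned token may be expired: an expired token is never cached and an expired cache
     * entry is evicted, but it is still returned. Registration is not checked either. Callers
     * must check {@link #isExpired()} and {@link #isRegistered()} before trusting the token.
     *
     * @param str encoded token
     * @return the parsed (or cached) token
     * @throws AuthTokenException if the string is malformed, names an unknown key version or
     *     fails HMAC verification
     */
    public static synchronized AuthToken getAuthToken(String str) throws AuthTokenException {
        ZimbraAuthToken token = CACHE.get(str);
        if (token == null) {
            // Cache miss: the constructor verifies the HMAC before any attribute is read.
            token = new ZimbraAuthToken(str);
            if (!token.isExpired()) {
                CACHE.put(str, token);
            }
        } else if (token.isExpired()) {
            CACHE.remove(str);
        }
        return token;
    }

    /**
     * Creates an empty token with no validity value and no token id.
     *
     * <p>The decompiler reports that this constructor was {@code protected} in the original
     * bytecode.
     */
    public ZimbraAuthToken() {
        this.validityValue = UNSET;
        this.tokenID = UNSET;
    }

    /**
     * Decodes the attribute payload of an encoded token.
     *
     * <p>This method does not compute or compare the HMAC, look up the key version or check
     * expiry. Unless {@code TokenUtil.getAttrs} authenticates its input (not visible here), the
     * returned map is attacker-controlled data and must not drive any access decision; use
     * {@link #getAuthToken(String)} for that.
     *
     * @param str encoded token
     * @return the decoded attributes
     * @throws AuthTokenException if the string does not consist of exactly three '_'-separated
     *     fields
     */
    public static Map<?, ?> getInfo(String str) throws AuthTokenException {
        String[] fields = str.split("_");
        if (fields.length != 3) {
            throw new AuthTokenException("invalid authtoken format");
        }
        return TokenUtil.getAttrs(fields[2]);
    }

    /**
     * Parses and authenticates an encoded token.
     *
     * <p>The payload attributes are read only after the HMAC carried in the token has been
     * matched against one computed with the key named by the token's key version.
     *
     * @param str encoded token
     * @throws AuthTokenException if a separator is missing, the key version is unknown, the HMAC
     *     does not match, or a {@link ServiceException} occurs while parsing
     */
    protected ZimbraAuthToken(String str) throws AuthTokenException {
        this.validityValue = UNSET;
        this.tokenID = UNSET;
        try {
            this.encoded = str;
            int firstSep = str.indexOf('_');
            if (firstSep == -1) {
                throw new AuthTokenException("invalid authtoken format");
            }
            String keyVersion = str.substring(0, firstSep);
            int secondSep = str.indexOf('_', firstSep + 1);
            if (secondSep == -1) {
                throw new AuthTokenException("invalid authtoken format");
            }
            String presentedHmac = str.substring(firstSep + 1, secondSep);
            String payload = str.substring(secondSep + 1);

            AuthTokenKey key = AuthTokenKey.getVersion(keyVersion);
            if (key == null) {
                throw new AuthTokenException("unknown key version");
            }
            // String.equals stops at the first differing character; compare the MAC without
            // that early exit so the time taken does not depend on how much of it matched.
            if (!constantTimeEquals(TokenUtil.getHmac(payload, key.getKey()), presentedHmac)) {
                throw new AuthTokenException("hmac failure");
            }

            Map<?, ?> attrs = TokenUtil.getAttrs(payload);
            this.accountId = (String) attrs.get(C_ID);
            this.adminAccountId = (String) attrs.get(C_AID);
            this.expires = Long.parseLong((String) attrs.get(C_EXP));
            this.isAdmin = "1".equals((String) attrs.get(C_ADMIN));
            this.isDomainAdmin = "1".equals((String) attrs.get(C_DOMAIN));
            this.isDelegatedAdmin = "1".equals((String) attrs.get(C_DLGADMIN));
            this.type = (String) attrs.get(C_TYPE);
            this.authMech = AuthMechanism.AuthMech.fromString((String) attrs.get(C_AUTH_MECH));
            String usageCode = (String) attrs.get(C_USAGE);
            // A payload without a usage code is treated as an ordinary auth token.
            this.usage = usageCode != null ? AuthToken.Usage.fromCode(usageCode) : AuthToken.Usage.AUTH;
            this.externalUserEmail = (String) attrs.get(C_EXTERNAL_USER_EMAIL);
            this.digest = (String) attrs.get(C_DIGEST);
            this.validityValue = parseIntOrDefault((String) attrs.get(C_VALIDITY_VALUE), UNSET);
            this.tokenID = parseIntOrDefault((String) attrs.get(C_TOKEN_ID), UNSET);
            this.server_version = (String) attrs.get(C_SERVER_VERSION);
            String csrf = (String) attrs.get(C_CSRF);
            this.csrfTokenEnabled = "1".equals(csrf);
        } catch (ServiceException e) {
            throw new AuthTokenException("service exception", e);
        }
    }

    /** Creates a non-admin token for {@code account} with the default lifetime. */
    public ZimbraAuthToken(Account account) {
        this(account, false, null);
    }

    /** Creates a non-admin token for {@code account} with the default lifetime for {@code usage}. */
    public ZimbraAuthToken(Account account, AuthToken.Usage usage) {
        this(account, 0L, false, (Account) null, (AuthMechanism.AuthMech) null, usage);
    }

    /** Creates a token with the default lifetime; {@code z} requests admin privileges. */
    public ZimbraAuthToken(Account account, boolean z, AuthMechanism.AuthMech authMech) {
        this(account, 0L, z, (Account) null, authMech);
    }

    /** Creates a non-admin token expiring at {@code j} (epoch ms; 0 selects the default lifetime). */
    public ZimbraAuthToken(Account account, long j) {
        this(account, j, false, (Account) null, (AuthMechanism.AuthMech) null);
    }

    /** Same as the six-argument constructor with usage {@link AuthToken.Usage#AUTH}. */
    public ZimbraAuthToken(Account account, long j, boolean z, Account account2, AuthMechanism.AuthMech authMech) {
        this(account, j, z, account2, authMech, AuthToken.Usage.AUTH);
    }

    /**
     * Creates a token for an account and registers it (see {@code register()}).
     *
     * @param account account the token is issued for
     * @param j absolute expiry in epoch milliseconds, or 0 to derive it from the account's
     *     configured lifetime for {@code usage}
     * @param z whether admin privileges are requested; each admin flag is set only if this is
     *     true and the matching account attribute equals {@code LdapConstants.LDAP_TRUE}
     * @param account2 delegating admin account, or null
     * @param authMech authentication mechanism recorded in the token, may be null
     * @param usage token usage; must not be null when {@code j} is 0
     */
    public ZimbraAuthToken(Account account, long j, boolean z, Account account2, AuthMechanism.AuthMech authMech, AuthToken.Usage usage) {
        this.validityValue = UNSET;
        this.tokenID = UNSET;
        long expiry = j;
        if (expiry == 0) {
            long lifetime;
            switch (usage) {
                // NOTE(review): the two attribute names below look swapped relative to the
                // usages (the "enablement" lifetime is read for TWO_FACTOR_AUTH). Kept exactly
                // as listed; confirm against the upstream source before changing.
                case ENABLE_TWO_FACTOR_AUTH:
                    lifetime = account.getTimeInterval("zimbraTwoFactorAuthTokenLifetime", DEFAULT_TWO_FACTOR_LIFETIME_MS);
                    break;
                case TWO_FACTOR_AUTH:
                    lifetime = account.getTimeInterval("zimbraTwoFactorAuthEnablementTokenLifetime", DEFAULT_TWO_FACTOR_LIFETIME_MS);
                    break;
                case AUTH:
                default:
                    // The listing also tested the isDomainAdmin/isDelegatedAdmin fields here,
                    // but they are still false at this point and can only become true when z
                    // is true, so z alone decides.
                    lifetime = z
                            ? account.getTimeInterval("zimbraAdminAuthTokenLifetime", DEFAULT_AUTH_LIFETIME_MS)
                            : account.getTimeInterval("zimbraAuthTokenLifetime", DEFAULT_AUTH_LIFETIME_MS);
                    break;
            }
            expiry = System.currentTimeMillis() + lifetime;
        }
        this.accountId = account.getId();
        this.adminAccountId = account2 != null ? account2.getId() : null;
        this.validityValue = account.getAuthTokenValidityValue();
        this.expires = expiry;
        // Requesting admin is not enough: the account attribute has to grant it as well.
        this.isAdmin = z && LdapConstants.LDAP_TRUE.equals(account.getAttr("zimbraIsAdminAccount"));
        this.isDomainAdmin = z && LdapConstants.LDAP_TRUE.equals(account.getAttr("zimbraIsDomainAdminAccount"));
        this.isDelegatedAdmin = z && LdapConstants.LDAP_TRUE.equals(account.getAttr("zimbraIsDelegatedAdminAccount"));
        this.authMech = authMech;
        this.usage = usage;
        this.encoded = null;
        if (account instanceof GuestAccount) {
            GuestAccount guest = (GuestAccount) account;
            this.type = C_TYPE_EXTERNAL_USER;
            this.digest = guest.getDigest();
            this.accessKey = guest.getAccessKey();
            this.externalUserEmail = guest.getName();
        } else {
            this.type = C_TYPE_ZIMBRA_USER;
        }
        this.tokenID = newTokenId();
        try {
            Server server = account.getServer();
            if (server != null) {
                this.server_version = server.getServerVersion();
            } else {
                this.server_version = Provisioning.getInstance().getLocalServer().getServerVersion();
            }
        } catch (ServiceException e) {
            // Best effort: the token is still issued, with a null server version.
            LOG.error("Unable to fetch server version for the user account", e);
        }
        register();
    }

    /** Creates an external-user token; see the six-argument String constructor. */
    public ZimbraAuthToken(String str, String str2, String str3, String str4, long j) {
        this(str, false, str2, str3, str4, j);
    }

    /**
     * Creates an external-user or ZMG-app token from raw values. Unlike the Account-based
     * constructors this one does not register the token.
     *
     * @param str account id
     * @param z true for a ZMG app token, false for an external-user token
     * @param str2 external user's e-mail; when null and {@code z} is false the public guest
     *     address is used
     * @param str3 second input to {@code generateDigest} when no digest is supplied
     * @param str4 precomputed digest, or null to generate one from {@code str2} and {@code str3}
     * @param j absolute expiry in epoch milliseconds
     */
    public ZimbraAuthToken(String str, boolean z, String str2, String str3, String str4, long j) {
        this.validityValue = UNSET;
        this.tokenID = UNSET;
        this.accountId = str;
        this.expires = j;
        this.externalUserEmail = (str2 != null || z) ? str2 : GuestAccount.EMAIL_ADDRESS_PUBLIC;
        this.digest = str4 != null ? str4 : generateDigest(str2, str3);
        this.type = z ? C_TYPE_ZMG_APP : C_TYPE_EXTERNAL_USER;
        this.tokenID = newTokenId();
        try {
            Account account = Provisioning.getInstance().getAccountById(this.accountId);
            if (account != null) {
                Server server = account.getServer();
                if (server != null) {
                    this.server_version = server.getAttr("zimbraServerVersion", "");
                }
            }
        } catch (ServiceException e) {
            LOG.error("Unable to fetch server version for the user account", e);
        }
    }

    /** Draws a token id in the range 1 to 2147483646 inclusive. */
    private static int newTokenId() {
        return TOKEN_ID_RANDOM.nextInt(Integer.MAX_VALUE - 1) + 1;
    }

    /** Parses a decimal int, returning {@code fallback} when the text is null or not a number. */
    private static int parseIntOrDefault(String text, int fallback) {
        if (text == null) {
            return fallback;
        }
        try {
            return Integer.parseInt(text);
        } catch (NumberFormatException ignored) {
            // A malformed value is treated the same as a missing one.
            return fallback;
        }
    }

    /**
     * Compares two strings for equality, always walking the full length once the lengths match
     * so the running time does not reveal the position of the first difference.
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected.length() != presented.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) {
            diff |= expected.charAt(i) ^ presented.charAt(i);
        }
        return diff == 0;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getAccountId() {
        return this.accountId;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getAdminAccountId() {
        return this.adminAccountId;
    }

    /** Returns the absolute expiry time in epoch milliseconds. */
    @Override // com.zimbra.cs.account.AuthToken
    public long getExpires() {
        return this.expires;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public int getValidityValue() {
        return this.validityValue;
    }

    /** Returns true once the current time is past {@link #getExpires()}. */
    @Override // com.zimbra.cs.account.AuthToken
    public boolean isExpired() {
        return System.currentTimeMillis() > this.expires;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public boolean isAdmin() {
        return this.isAdmin;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public boolean isDomainAdmin() {
        return this.isDomainAdmin;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public boolean isDelegatedAdmin() {
        return this.isDelegatedAdmin;
    }

    /** Returns true for tokens with no type, type "zimbra" or type "zmgapp". */
    @Override // com.zimbra.cs.account.AuthToken
    public boolean isZimbraUser() {
        return this.type == null || C_TYPE_ZIMBRA_USER.equals(this.type) || C_TYPE_ZMG_APP.equals(this.type);
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getExternalUserEmail() {
        return this.externalUserEmail;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getDigest() {
        return this.digest;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getAccessKey() {
        return this.accessKey;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public AuthMechanism.AuthMech getAuthMech() {
        return this.authMech;
    }

    /**
     * Records this token's id on the account so it can later be checked and revoked.
     *
     * <p>Skipped for non-Zimbra users and ZMG app bootstrap tokens, and when the local server's
     * lowest supported auth version is 1 or lower. Failures are logged, not propagated, so a
     * token can exist without being registered; {@link #isRegistered()} then reports false.
     */
    private void register() {
        if (!isZimbraUser() || isZMGAppBootstrap()) {
            return;
        }
        try {
            Account account = Provisioning.getInstance().get(Key.AccountBy.id, this.accountId);
            if (Provisioning.getInstance().getLocalServer().getLowestSupportedAuthVersion() > 1) {
                try {
                    account.cleanExpiredTokens();
                } catch (ServiceException e) {
                    // Cleanup is best effort; registration of the new token still proceeds.
                    LOG.error("unable to de-register auth token", e);
                }
                account.addAuthTokens(String.valueOf(this.tokenID), this.server_version, new EphemeralInput.AbsoluteExpiration(this.expires));
            }
        } catch (ServiceException e) {
            LOG.error("unable to register auth token", e);
        }
    }

    /**
     * Removes this token's id from the account and, when the account has
     * {@code zimbraLogOutFromAllServers} set, queues the token in {@link AuthTokenRegistry}.
     *
     * <p>Does nothing when the account no longer exists; the listing dereferenced the account
     * outside its null check and failed with a NullPointerException in that case.
     *
     * @throws AuthTokenException if the provisioning calls fail
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void deRegister() throws AuthTokenException {
        try {
            Account account = Provisioning.getInstance().getAccountById(this.accountId);
            if (account == null) {
                return;
            }
            account.removeAuthTokens(String.valueOf(this.tokenID), this.server_version);
            if (account.getBooleanAttr("zimbraLogOutFromAllServers", false)) {
                AuthTokenRegistry.addTokenToQueue(this);
            }
        } catch (ServiceException e) {
            throw new AuthTokenException("unable to de-register auth token", e);
        }
    }

    /**
     * Returns the encoded token, building and signing it with the current key on first use.
     *
     * <p>The access key and proxy auth token are not part of the payload.
     *
     * @throws AuthTokenException if the current signing key cannot be obtained
     */
    @Override // com.zimbra.cs.account.AuthToken
    public String getEncoded() throws AuthTokenException {
        if (this.encoded != null) {
            return this.encoded;
        }
        StringBuilder payload = new StringBuilder(64);
        BlobMetaData.encodeMetaData(C_ID, this.accountId, payload);
        BlobMetaData.encodeMetaData(C_EXP, Long.toString(this.expires), payload);
        if (this.adminAccountId != null) {
            BlobMetaData.encodeMetaData(C_AID, this.adminAccountId, payload);
        }
        // Privilege flags are written only when set, so their absence means "not granted".
        if (this.isAdmin) {
            BlobMetaData.encodeMetaData(C_ADMIN, "1", payload);
        }
        if (this.isDomainAdmin) {
            BlobMetaData.encodeMetaData(C_DOMAIN, "1", payload);
        }
        if (this.isDelegatedAdmin) {
            BlobMetaData.encodeMetaData(C_DLGADMIN, "1", payload);
        }
        if (this.validityValue != UNSET) {
            BlobMetaData.encodeMetaData(C_VALIDITY_VALUE, this.validityValue, payload);
        }
        BlobMetaData.encodeMetaData(C_TYPE, this.type, payload);
        if (this.authMech != null) {
            BlobMetaData.encodeMetaData(C_AUTH_MECH, this.authMech.name(), payload);
        }
        if (this.usage != null) {
            BlobMetaData.encodeMetaData(C_USAGE, this.usage.getCode(), payload);
        }
        BlobMetaData.encodeMetaData(C_TOKEN_ID, this.tokenID.intValue(), payload);
        BlobMetaData.encodeMetaData(C_EXTERNAL_USER_EMAIL, this.externalUserEmail, payload);
        BlobMetaData.encodeMetaData(C_DIGEST, this.digest, payload);
        BlobMetaData.encodeMetaData(C_SERVER_VERSION, this.server_version, payload);
        if (this.csrfTokenEnabled) {
            BlobMetaData.encodeMetaData(C_CSRF, "1", payload);
        }
        // NOTE(review): getBytes() uses the platform charset; left unchanged because the
        // decoding side (TokenUtil.getAttrs) is not visible here and has to agree with it.
        String hexPayload = new String(Hex.encodeHex(payload.toString().getBytes()));
        AuthTokenKey key = getCurrentKey();
        this.encoded = key.getVersion() + "_" + TokenUtil.getHmac(hexPayload, key.getKey()) + "_" + hexPayload;
        return this.encoded;
    }

    /**
     * Derives a crumb: the hex HmacMD5 of the encoded token under the current signing key.
     *
     * <p>NOTE(review): HmacMD5 and reuse of the token-signing key are kept because whatever
     * validates crumbs elsewhere must compute the same value; a move to an HMAC-SHA-2 variant
     * with a separate key would have to be made on both sides together.
     *
     * @throws AuthTokenException if the token cannot be encoded or the key cannot be obtained
     */
    @Override // com.zimbra.cs.account.AuthToken
    public String getCrumb() throws AuthTokenException {
        String token = getEncoded();
        try {
            Mac mac = Mac.getInstance("HmacMD5");
            mac.init(new ByteKey(getCurrentKey().getKey()));
            return new String(Hex.encodeHex(mac.doFinal(token.getBytes())));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException("fatal error", e);
        }
    }

    /**
     * Returns the encoded token, translating failures into {@link ServiceException}.
     *
     * @throws ServiceException if encoding fails or yields null
     */
    private String getOrigAuthData() throws ServiceException {
        String token;
        try {
            token = getEncoded();
        } catch (AuthTokenException e) {
            throw ServiceException.FAILURE("unable to get encoded auth token", e);
        }
        if (token == null) {
            throw ServiceException.FAILURE("unable to get encoded auth token", (Throwable) null);
        }
        return token;
    }

    /**
     * Reports whether the token id is still recorded on the account.
     *
     * <p>Always true for non-Zimbra users, ZMG app bootstrap tokens and servers whose lowest
     * supported auth version is below 2. On a miss the account is reloaded once before giving
     * up. A missing account or a lookup failure yields false, so errors deny rather than allow.
     */
    @Override // com.zimbra.cs.account.AuthToken
    public boolean isRegistered() {
        if (!isZimbraUser() || isZMGAppBootstrap()) {
            return true;
        }
        try {
            Provisioning provisioning = Provisioning.getInstance();
            if (provisioning.getLocalServer().getLowestSupportedAuthVersion() < 2) {
                return true;
            }
            Account account = provisioning.getAccountById(this.accountId);
            if (account == null) {
                return false;
            }
            if (isRegisteredInternal(account)) {
                return true;
            }
            // The local copy of the account may be stale; refresh it and look once more.
            provisioning.reload(account);
            return isRegisteredInternal(account);
        } catch (ServiceException e) {
            LOG.fatal("Unable to verify auth token registration in ephemeral store", e);
            return false;
        }
    }

    /** Checks the account's token store for this token id. */
    private boolean isRegisteredInternal(Account account) throws ServiceException {
        return account.hasAuthTokens(String.valueOf(this.tokenID));
    }

    /**
     * Installs the token as a cookie on an outgoing HttpClient, replacing the client's state.
     *
     * <p>The cookie is created with the secure flag false and path "/", so HttpClient will also
     * send it over plain HTTP to the given domain.
     *
     * @param httpClient client whose state is replaced
     * @param httpMethod unused here
     * @param z passed to {@code ZimbraCookie.authTokenCookieName} to pick the cookie name
     * @param str cookie domain
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void encode(HttpClient httpClient, HttpMethod httpMethod, boolean z, String str) throws ServiceException {
        String token = getOrigAuthData();
        HttpState state = new HttpState();
        httpClient.setState(state);
        state.addCookie(new Cookie(str, ZimbraCookie.authTokenCookieName(z), token, "/", (Date) null, false));
        httpClient.getParams().setCookiePolicy("compatibility");
    }

    /**
     * Adds the token as a cookie to an existing HttpState (secure flag false, path "/").
     *
     * @param z passed to {@code ZimbraCookie.authTokenCookieName} to pick the cookie name
     * @param str cookie domain
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void encode(HttpState httpState, boolean z, String str) throws ServiceException {
        String cookieName = ZimbraCookie.authTokenCookieName(z);
        httpState.addCookie(new Cookie(str, cookieName, getOrigAuthData(), "/", (Date) null, false));
    }

    /**
     * Sets the token as an HttpOnly cookie on a servlet response.
     *
     * @param z passed to {@code ZimbraCookie.authTokenCookieName} to pick the cookie name
     * @param z2 passed as the last argument of {@code addHttpOnlyCookie}; presumably the Secure
     *     flag, which callers should set whenever the response goes out over TLS (confirm
     *     against ZimbraCookie)
     * @param z3 when true the cookie's max-age is the number of seconds until the token expires,
     *     otherwise -1
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void encode(HttpServletResponse httpServletResponse, boolean z, boolean z2, boolean z3) throws ServiceException {
        Integer maxAgeSeconds;
        if (z3) {
            maxAgeSeconds = Integer.valueOf((int) ((this.expires - System.currentTimeMillis()) / 1000));
        } else {
            maxAgeSeconds = Integer.valueOf(-1);
        }
        ZimbraCookie.addHttpOnlyCookie(httpServletResponse, ZimbraCookie.authTokenCookieName(z), getOrigAuthData(), ZimbraCookie.PATH_ROOT, maxAgeSeconds, z2);
    }

    /**
     * Adds the encoded token to a response element.
     *
     * @param z unused: both branches of the listing added the same element, so they are merged
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void encodeAuthResp(Element element, boolean z) throws ServiceException {
        element.addElement(UserServlet.QP_AUTHTOKEN).setText(getOrigAuthData());
    }

    @Override // com.zimbra.cs.account.AuthToken
    public ZAuthToken toZAuthToken() throws ServiceException {
        return new ZAuthToken(getOrigAuthData(), this.proxyAuthToken);
    }

    @Override // com.zimbra.cs.account.AuthToken
    public void setProxyAuthToken(String str) {
        this.proxyAuthToken = str;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public String getProxyAuthToken() {
        return this.proxyAuthToken;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public void resetProxyAuthToken() {
        this.proxyAuthToken = null;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public boolean isCsrfTokenEnabled() {
        return this.csrfTokenEnabled;
    }

    /**
     * Changes the CSRF flag. Because the flag is part of the signed payload, a change evicts
     * the old encoded form from the cache and forces re-encoding on the next
     * {@link #getEncoded()}.
     */
    @Override // com.zimbra.cs.account.AuthToken
    public void setCsrfTokenEnabled(boolean z) {
        if (z == this.csrfTokenEnabled) {
            return;
        }
        // Same monitor as getAuthToken(), which is a static synchronized method.
        synchronized (ZimbraAuthToken.class) {
            if (this.encoded != null) {
                CACHE.remove(this.encoded);
            }
        }
        this.csrfTokenEnabled = z;
        this.encoded = null;
    }

    @Override // com.zimbra.cs.account.AuthToken
    public AuthToken.Usage getUsage() {
        return this.usage;
    }

    /**
     * Assigns a fresh token id, drops the cached encoding and registers the new id. The
     * previous id is not de-registered here.
     */
    public void resetTokenId() {
        this.tokenID = newTokenId();
        this.encoded = null;
        register();
    }

    @Override // com.zimbra.cs.account.AuthToken
    public boolean isZMGAppBootstrap() {
        return C_TYPE_ZMG_APP.equals(this.type);
    }

    /**
     * Field-by-field copy via {@code Object.clone()}; the copy shares the token id and cached
     * encoding of the original. The method name is the decompiler's rename of {@code clone}
     * (merged with its bridge method).
     */
    public ZimbraAuthToken m66clone() throws CloneNotSupportedException {
        return (ZimbraAuthToken) super.clone();
    }

    /**
     * Ad-hoc timing harness: prints the milliseconds taken by 1000 direct parses and then by
     * 1000 cached lookups of one token issued for a fixed test account.
     */
    public static void main(String[] strArr) throws ServiceException, AuthTokenException {
        ZimbraAuthToken token = new ZimbraAuthToken(Provisioning.getInstance().get(Key.AccountBy.name, "user1@example.zimbra.com"));
        long parseStart = System.currentTimeMillis();
        String encodedToken = token.getEncoded();
        for (int i = 0; i < 1000; i++) {
            new ZimbraAuthToken(encodedToken);
        }
        System.out.println(System.currentTimeMillis() - parseStart);
        long cacheStart = System.currentTimeMillis();
        for (int i = 0; i < 1000; i++) {
            getAuthToken(encodedToken);
        }
        System.out.println(System.currentTimeMillis() - cacheStart);
    }
}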
