package com.zimbra.cs.account.ldap;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.zimbra.common.localconfig.DebugConfig;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.auth.PasswordUtil;
import com.zimbra.cs.account.auth.twofactor.TwoFactorAuth;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.ldap.LdapDateUtil;
import com.zimbra.cs.mailclient.imap.ImapResponse;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/zimbra/cs/account/ldap/LdapLockoutPolicy.class */
public class LdapLockoutPolicy {
    private Provisioning mProv;
    private Account mAccount;
    private boolean mEnabled;
    private boolean mLockoutExpired;
    private boolean mIsLockedOut;
    private String mAccountStatus;
    private FailedLoginState failedLogins;
    private FailedLoginState twoFactorFailedLogins;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/account/ldap/LdapLockoutPolicy$FailedLoginState.class */
    public static class FailedLoginState {
        private Account mAccount;
        private String[] mFailures;
        private List<String> mFailuresToRemove;
        private long mMaxFailures;
        private String failuresAttrName;
        private boolean mEnabled;

        FailedLoginState(Account account, String str, String str2) {
            this.mAccount = account;
            this.mMaxFailures = this.mAccount.getLongAttr(str2, 0L);
            this.mEnabled = this.mMaxFailures > 0 && this.mAccount.getBooleanAttr("zimbraPasswordLockoutEnabled", false);
            this.mFailures = this.mAccount.getMultiAttr(str);
            this.failuresAttrName = str;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public int updateFailureTimes(Map<String, Object> map) {
            long timeInterval = this.mAccount.getTimeInterval("zimbraPasswordLockoutFailureLifetime", 0L);
            if (timeInterval != 0) {
                String generalizedTime = LdapDateUtil.toGeneralizedTime(new Date(System.currentTimeMillis() - timeInterval));
                for (String str : this.mFailures) {
                    if (str.compareTo(generalizedTime) < 0) {
                        if (this.mFailuresToRemove == null) {
                            this.mFailuresToRemove = new ArrayList();
                        }
                        this.mFailuresToRemove.add(str);
                    }
                }
            }
            String generalizedTime2 = LdapDateUtil.toGeneralizedTime(new Date());
            boolean z = ((long) this.mFailures.length) >= this.mMaxFailures && this.mFailuresToRemove == null;
            if (z) {
                int i = 0;
                int i2 = 0;
                while (true) {
                    if (i2 >= this.mFailures.length) {
                        break;
                    }
                    if (this.mFailures[i2].equalsIgnoreCase(generalizedTime2)) {
                        z = false;
                        break;
                    }
                    if (i2 > 0 && this.mFailures[i2].compareTo(this.mFailures[i]) < 0) {
                        i = i2;
                    }
                    i2++;
                }
                if (z) {
                    map.put("-" + this.failuresAttrName, this.mFailures[i]);
                }
            } else if (this.mFailuresToRemove != null) {
                map.put("-" + this.failuresAttrName, this.mFailuresToRemove);
            }
            map.put(ImapResponse.CONTINUATION + this.failuresAttrName, generalizedTime2);
            return ((1 + this.mFailures.length) - (z ? 1 : 0)) - (this.mFailuresToRemove == null ? 0 : this.mFailuresToRemove.size());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/account/ldap/LdapLockoutPolicy$PasswordLockoutCache.class */
    public static class PasswordLockoutCache {
        private static long maxCacheSize = DebugConfig.invalidPasswordMaxCacheSize;
        private static int cacheExpiryInMinute = DebugConfig.invalidPasswordCacheExpirationInMinutes;
        private static Cache<String, List<String>> cache = CacheBuilder.newBuilder().maximumSize(maxCacheSize).expireAfterWrite(cacheExpiryInMinute, TimeUnit.MINUTES).build();

        private PasswordLockoutCache() {
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static boolean suppressPasswordLockOut(Account account, String str, String str2) throws ServiceException {
            if (StringUtil.isNullOrEmpty(str2) || StringUtil.isNullOrEmpty(str) || !account.isPasswordLockoutSuppressionEnabled()) {
                return false;
            }
            for (String str3 : account.getPasswordLockoutSuppressionProtocolsAsString()) {
                if (str.equalsIgnoreCase(str3)) {
                    try {
                        List list = (List) cache.get(account.getId(), new Callable<List<String>>() { // from class: com.zimbra.cs.account.ldap.LdapLockoutPolicy.PasswordLockoutCache.1
                            /* JADX WARN: Can't rename method to resolve collision */
                            @Override // java.util.concurrent.Callable
                            public List<String> call() throws Exception {
                                return new ArrayList();
                            }
                        });
                        synchronized (list) {
                            int size = list.size();
                            if (size == 0) {
                                list.add(PasswordUtil.SSHA512.generateSSHA512(str2, null));
                                ZimbraLog.account.debug("Created entry in password lockout cache");
                            } else {
                                Iterator it = list.iterator();
                                while (it.hasNext()) {
                                    if (PasswordUtil.SSHA512.verifySSHA512((String) it.next(), str2)) {
                                        return true;
                                    }
                                }
                                int passwordLockoutSuppressionCacheSize = account.getPasswordLockoutSuppressionCacheSize();
                                if (account.isTwoFactorAuthEnabled() && account.isFeatureAppSpecificPasswordsEnabled() && account.getAppSpecificPassword() != null) {
                                    passwordLockoutSuppressionCacheSize += account.getAppSpecificPassword().length;
                                }
                                ZimbraLog.account.debug("Password lockout suppression cache size = %s (max = %s)", new Object[]{Integer.valueOf(size), Integer.valueOf(passwordLockoutSuppressionCacheSize)});
                                if (size < passwordLockoutSuppressionCacheSize) {
                                    list.add(PasswordUtil.SSHA512.generateSSHA512(str2, null));
                                    ZimbraLog.account.debug("Added entry in password lockout cache");
                                }
                            }
                        }
                    } catch (ExecutionException e) {
                        ZimbraLog.account.warn("Error while retrieving invalid password cache entry", e);
                        return false;
                    }
                }
            }
            return false;
        }
    }

    public LdapLockoutPolicy(Provisioning provisioning, Account account) throws ServiceException {
        this.failedLogins = null;
        this.twoFactorFailedLogins = null;
        this.mAccount = account;
        this.mProv = provisioning;
        this.mAccountStatus = account.getAccountStatus(provisioning);
        this.mEnabled = (this.mAccount.getLongAttr("zimbraPasswordLockoutMaxFailures", 0L) > 0 || this.mAccount.getLongAttr("zimbraTwoFactorAuthLockoutMaxFailures", 0L) > 0) && this.mAccount.getBooleanAttr("zimbraPasswordLockoutEnabled", false);
        this.mIsLockedOut = computeIsLockedOut();
        this.failedLogins = getFailedLoginState();
        if (TwoFactorAuth.getFactory().getTwoFactorAuth(account).twoFactorAuthEnabled()) {
            this.twoFactorFailedLogins = getTwoFactorAuthFailedLoginState();
        }
    }

    private FailedLoginState getFailedLoginState() {
        return new FailedLoginState(this.mAccount, "zimbraPasswordLockoutFailureTime", "zimbraPasswordLockoutMaxFailures");
    }

    private FailedLoginState getTwoFactorAuthFailedLoginState() {
        return new FailedLoginState(this.mAccount, "zimbraTwoFactorAuthLockoutFailureTime", "zimbraTwoFactorAuthLockoutMaxFailures");
    }

    private boolean computeIsLockedOut() throws ServiceException {
        Date generalizedTimeAttr;
        if (!this.mEnabled || (generalizedTimeAttr = this.mAccount.getGeneralizedTimeAttr("zimbraPasswordLockoutLockedTime", null)) == null) {
            return false;
        }
        long timeInterval = this.mAccount.getTimeInterval("zimbraPasswordLockoutDuration", 0L);
        if (timeInterval == 0 || System.currentTimeMillis() <= generalizedTimeAttr.getTime() + timeInterval) {
            return this.mAccountStatus.equalsIgnoreCase(Provisioning.ACCOUNT_STATUS_LOCKOUT);
        }
        this.mLockoutExpired = true;
        return false;
    }

    public boolean isLockedOut() {
        return this.mIsLockedOut;
    }

    public void successfulLogin() {
        if (this.mEnabled) {
            HashMap hashMap = new HashMap();
            if (this.failedLogins.mEnabled && this.failedLogins.mFailures.length > 0) {
                hashMap.put(this.failedLogins.failuresAttrName, "");
            }
            if (this.twoFactorFailedLogins != null && this.twoFactorFailedLogins.mEnabled && this.twoFactorFailedLogins.mFailures.length > 0) {
                hashMap.put(this.twoFactorFailedLogins.failuresAttrName, "");
            }
            if (this.mLockoutExpired) {
                if (this.mAccountStatus.equalsIgnoreCase(Provisioning.ACCOUNT_STATUS_LOCKOUT)) {
                    ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[]{"cmd", "Auth", "account", this.mAccount.getName(), "info", "account re-activated from lockout status upon successful login"}));
                    hashMap.put("zimbraAccountStatus", "active");
                }
                hashMap.put("zimbraPasswordLockoutLockedTime", "");
            }
            try {
                if (hashMap.size() > 0) {
                    this.mProv.modifyAttrs(this.mAccount, hashMap);
                }
            } catch (Exception e) {
                ZimbraLog.account.warn("Unable to update account password lockout attrs: " + this.mAccount.getName(), e);
            }
        }
    }

    public void failedLogin() throws ServiceException {
        failedLogin(this.failedLogins, null, null);
    }

    public void failedSecondFactorLogin() throws ServiceException {
        failedLogin(this.twoFactorFailedLogins, null, null);
    }

    public void failedLogin(String str, String str2) throws ServiceException {
        failedLogin(this.failedLogins, str, str2);
    }

    private void failedLogin(FailedLoginState failedLoginState, String str, String str2) throws ServiceException {
        if (this.mEnabled && failedLoginState.mEnabled) {
            if (PasswordLockoutCache.suppressPasswordLockOut(this.mAccount, str, str2)) {
                ZimbraLog.security.info("Suppressed password lockout.");
                return;
            }
            HashMap hashMap = new HashMap();
            if (failedLoginState.updateFailureTimes(hashMap) >= failedLoginState.mMaxFailures && !this.mIsLockedOut) {
                ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[]{"cmd", "Auth", "account", this.mAccount.getName(), DavElements.P_ERROR, "account lockout due to too many failed logins"}));
                hashMap.put("zimbraPasswordLockoutLockedTime", LdapDateUtil.toGeneralizedTime(new Date()));
                hashMap.put("zimbraAccountStatus", Provisioning.ACCOUNT_STATUS_LOCKOUT);
            }
            try {
                this.mProv.modifyAttrs(this.mAccount, hashMap);
            } catch (Exception e) {
                ZimbraLog.account.warn("Unable to update account password lockout attrs: " + this.mAccount.getName(), e);
            }
        }
    }
}
