package com.zimbra.cs.service;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.dav.DavProtocol;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import com.zimbra.cs.servlet.ZimbraServlet;
import com.zimbra.cs.servlet.util.AuthUtil;
import java.io.IOException;
import java.net.URL;
import java.util.HashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/service/SSOServlet.class */
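/**
 * Base servlet for single-sign-on entry points.
 *
 * <p>Provides the shared steps visible in this class: running the SSO
 * authentication call for an already-identified principal, writing the
 * resulting auth token to the response, and redirecting the client to the
 * post-login or error URL.
 *
 * <p>This listing is decompiler output. The "Access modifiers changed" notes
 * mark methods whose visibility was widened from {@code protected}; the
 * widened visibility is kept here so existing callers keep compiling.
 */
public abstract class SSOServlet extends ZimbraServlet {
    /** User-Agent marker checked by {@link #isFromZCO(HttpServletRequest)}. */
    private static final String ZCO_USER_AGENT_MARKER = "Zimbra-ZCO";

    /**
     * Tells the redirect helpers whether to build a relative redirect URL.
     *
     * @return {@code true} to redirect to a relative URL, {@code false} for an absolute one
     */
    protected abstract boolean redirectToRelativeURL();

    /**
     * Logs servlet start-up and delegates to the parent initialisation.
     *
     * @throws ServletException if the parent initialisation fails
     */
    @Override // com.zimbra.cs.servlet.ZimbraServlet
    public void init() throws ServletException {
        ZimbraLog.account.info("Servlet " + getServletName() + " starting up");
        super.init();
    }

    /** Logs servlet shutdown and delegates to the parent teardown. */
    @Override
    public void destroy() {
        ZimbraLog.account.info("Servlet " + getServletName() + " shutting down");
        super.destroy();
    }

    /**
     * Runs SSO authentication for the given principal and issues an auth token.
     *
     * <p>The auth context passed to provisioning carries the originating client
     * IP, the remote IP, the account name the client presented and the
     * User-Agent header. When {@code z} is {@code true} the account must also
     * pass {@code AccessManager.isAdequateAdminAccount}; that check runs after
     * {@code ssoAuthAccount} has been called.
     *
     * @param httpServletRequest request the SSO attempt arrived on
     * @param protocol protocol label forwarded to {@code ssoAuthAccount}
     * @param zimbraPrincipal principal whose account is being signed in
     * @param z when {@code true}, an admin-capable account is required and the
     *     flag is forwarded to {@code AuthProvider.getAuthToken}
     * @return the auth token for the principal's account
     * @throws ServiceException {@code PERM_DENIED} when {@code z} is set and the
     *     account is not an adequate admin account, or whatever
     *     {@code ssoAuthAccount} / {@code getAuthToken} raise
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AuthToken authorize(HttpServletRequest httpServletRequest, AuthContext.Protocol protocol, SSOAuthenticator.ZimbraPrincipal zimbraPrincipal, boolean z) throws ServiceException {
        HashMap authContext = new HashMap();
        // NOTE(review): how getOrigIp/getClientIp derive these values is not
        // visible here. If they read client-supplied forwarding headers, treat
        // the values as audit data only unless the proxy chain is trusted.
        authContext.put(AuthContext.AC_ORIGINATING_CLIENT_IP, ZimbraServlet.getOrigIp(httpServletRequest));
        authContext.put(AuthContext.AC_REMOTE_IP, ZimbraServlet.getClientIp(httpServletRequest));
        authContext.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, zimbraPrincipal.getName());
        // The User-Agent is client-controlled and may be absent (null).
        authContext.put("ua", httpServletRequest.getHeader(DavProtocol.HEADER_USER_AGENT));

        Account account = zimbraPrincipal.getAccount();
        ZimbraLog.addAccountNameToContext(account.getName());
        Provisioning.getInstance().ssoAuthAccount(account, protocol, authContext);

        // Fail closed: an admin token is never minted for a non-admin account.
        if (z && !AccessManager.getInstance().isAdequateAdminAccount(account)) {
            throw ServiceException.PERM_DENIED("not an admin account");
        }
        return AuthProvider.getAuthToken(account, z);
    }

    /**
     * Reports whether the request arrived on the local server's admin port.
     *
     * @param httpServletRequest request to inspect
     * @return {@code true} if the request's local port equals the configured admin port
     * @throws ServiceException if the local server configuration cannot be read
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isOnAdminPort(HttpServletRequest httpServletRequest) throws ServiceException {
        int adminPort = Provisioning.getInstance().getLocalServer().getAdminPort();
        return httpServletRequest.getLocalPort() == adminPort;
    }

    /**
     * Reports whether the User-Agent header contains the {@code Zimbra-ZCO} marker.
     *
     * <p>A request without a User-Agent header yields {@code false}. The
     * original dereferenced the header unconditionally, so a request that
     * omitted it raised a {@code NullPointerException}.
     *
     * <p>The header is set by the client; the result is a hint about the
     * client type and must not be used as an authentication or authorization
     * decision.
     *
     * @param httpServletRequest request to inspect
     * @return {@code true} if a User-Agent header is present and contains the marker
     * @throws ServiceException declared for callers; not raised by this implementation
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isFromZCO(HttpServletRequest httpServletRequest) throws ServiceException {
        String userAgent = httpServletRequest.getHeader(DavProtocol.HEADER_USER_AGENT);
        return userAgent != null && userAgent.contains(ZCO_USER_AGENT_MARKER);
    }

    /**
     * Writes the auth token to the response and ends it with an empty body.
     *
     * @param httpServletRequest request whose scheme decides the third {@code encode} argument
     * @param httpServletResponse response that receives the token
     * @param authToken token to write
     * @throws IOException declared for callers
     * @throws ServiceException if encoding the token fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void setAuthTokenCookieAndReturn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthToken authToken) throws IOException, ServiceException {
        // NOTE(review): the third argument presumably controls the cookie's
        // Secure attribute. It follows request.getScheme(), so behind a
        // TLS-terminating proxy that forwards plain http it would be false;
        // confirm the deployment reports the external scheme.
        boolean requestIsSecure = isProtocolSecure(httpServletRequest.getScheme());
        authToken.encode(httpServletResponse, AuthToken.isAnyAdmin(authToken), requestIsSecure);
        httpServletResponse.setContentLength(0);
    }

    /**
     * Appends {@code AuthUtil.IGNORE_LOGIN_URL} to a URL, inserting a "/" when
     * the URL does not already end with one.
     *
     * @param str base URL; must not be {@code null}
     * @return the base URL followed by the ignore-login suffix
     */
    private String appendIgnoreLoginURL(String str) {
        String base = str.endsWith("/") ? str : str + "/";
        return base + AuthUtil.IGNORE_LOGIN_URL;
    }

    /**
     * Writes the auth token to the response and redirects to the account's
     * post-login URL.
     *
     * <p>For absolute redirects, a request that arrived over https is never
     * redirected to a non-https target. Relative redirects skip that check
     * because they carry no scheme to compare.
     *
     * @param httpServletRequest request being answered
     * @param httpServletResponse response that receives the token and the redirect
     * @param account account whose server determines the redirect target
     * @param authToken token to write
     * @throws IOException if the redirect URL is malformed or the redirect cannot be sent
     * @throws ServiceException {@code INVALID_REQUEST} on an https-to-non-https
     *     redirect, or on provisioning/encoding failures
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void setAuthTokenCookieAndRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Account account, AuthToken authToken) throws IOException, ServiceException {
        boolean isAnyAdmin = AuthToken.isAnyAdmin(authToken);
        boolean requestIsSecure = isProtocolSecure(httpServletRequest.getScheme());
        // NOTE(review): the token is written to the response before the
        // redirect target is validated below. If the downgrade check throws and
        // the caller reuses this response, the token may still reach the
        // client; confirm that is intended.
        authToken.encode(httpServletResponse, isAnyAdmin, requestIsSecure);

        Server server = Provisioning.getInstance().getServer(account);
        boolean relative = redirectToRelativeURL();
        // NOTE(review): getRedirectURL receives the request; if it derives the
        // host from request headers, the target is partly client-influenced.
        String redirectUrl = appendIgnoreLoginURL(AuthUtil.getRedirectURL(httpServletRequest, server, isAnyAdmin, relative));

        if (!relative) {
            boolean targetIsSecure = isProtocolSecure(new URL(redirectUrl).getProtocol());
            // Refuse to send a session that started on https to a cleartext target.
            if (requestIsSecure && !targetIsSecure) {
                throw ServiceException.INVALID_REQUEST("cannot redirect to non-secure protocol: " + redirectUrl, (Throwable) null);
            }
        }
        ZimbraLog.account.debug("SSOServlet - redirecting (with auth token) to: " + redirectUrl);
        httpServletResponse.sendRedirect(redirectUrl);
    }

    /**
     * Redirects the client to an error page.
     *
     * <p>When {@code str} is {@code null} the target is built from the local
     * server's redirect URL plus the ignore-login suffix. Otherwise {@code str}
     * is used verbatim, with no validation in this method.
     *
     * @param httpServletRequest request being answered
     * @param httpServletResponse response that receives the redirect
     * @param z forwarded to {@code AuthUtil.getRedirectURL} when the default
     *     target is built (presumably the admin flag, as in the other helpers)
     * @param str explicit redirect target, or {@code null} for the default
     * @throws IOException if the redirect cannot be sent
     * @throws ServiceException if the local server configuration cannot be read
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void redirectToErrorPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z, String str) throws IOException, ServiceException {
        String target;
        if (str == null) {
            Server localServer = Provisioning.getInstance().getLocalServer();
            target = appendIgnoreLoginURL(AuthUtil.getRedirectURL(httpServletRequest, localServer, z, redirectToRelativeURL()));
        } else {
            // NOTE(review): an explicit target is passed through unchecked.
            // Callers should supply only configuration-derived URLs, never a
            // request parameter, to avoid an open redirect.
            target = str;
        }
        ZimbraLog.account.debug("SSOServlet - redirecting to: " + target);
        httpServletResponse.sendRedirect(target);
    }

    /**
     * Reports whether a scheme name is https, ignoring case.
     *
     * @param str scheme or protocol name; {@code null} yields {@code false}
     * @return {@code true} only for https
     */
    private boolean isProtocolSecure(String str) {
        return URLUtil.PROTO_HTTPS.equalsIgnoreCase(str);
    }
}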
