package com.zimbra.cs.service;

import com.google.common.collect.Lists;
import com.zimbra.client.ZFolder;
import com.zimbra.client.ZMailbox;
import com.zimbra.client.ZMountpoint;
import com.zimbra.common.account.ZAttrProvisioning;
import com.zimbra.common.localconfig.DebugConfig;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.BlobMetaData;
import com.zimbra.common.util.L10nUtil;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.LogFactory;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.ExtAuthTokenKey;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.SearchAccountsOptions;
import com.zimbra.cs.account.ShareInfoData;
import com.zimbra.cs.account.TokenUtil;
import com.zimbra.cs.account.ldap.SpecialAttrs;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.ldap.ZLdapFilterFactory;
import com.zimbra.cs.mailbox.Flag;
import com.zimbra.cs.mailbox.MailItem;
import com.zimbra.cs.mailbox.Mailbox;
import com.zimbra.cs.mailbox.MailboxManager;
import com.zimbra.cs.mailbox.Metadata;
import com.zimbra.cs.mailbox.Mountpoint;
import com.zimbra.cs.mailbox.OperationContext;
import com.zimbra.cs.mailbox.acl.AclPushSerializer;
import com.zimbra.cs.service.mail.FolderAction;
import com.zimbra.cs.servlet.ZimbraServlet;
import com.zimbra.cs.util.AccountUtil;
import com.zimbra.cs.util.WebClientServiceUtil;
import com.zimbra.soap.mail.message.FolderActionRequest;
import com.zimbra.soap.mail.type.FolderActionSelector;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:com/zimbra/cs/service/ExternalUserProvServlet.class */
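/**
 * Servlet that turns a signed "preliminary" share-invitation token into a virtual account for
 * an external (guest) user and mounts the folders that were shared with that user.
 *
 * <p>{@code GET} validates the token carried in the request, then either mounts the shared
 * folder into an already existing virtual account or hands the token to the registration page.
 * {@code POST} receives the registration form (display name and password), validates the token
 * from the {@code ZM_PRELIM_AUTH_TOKEN} cookie and provisions the virtual account.
 *
 * <p>Security model: the only proof of identity on both paths is the HMAC-signed token, so it
 * must be treated as a bearer credential. Everything read from the decoded token is trusted
 * only because {@link #validatePrelimToken(String)} verified the HMAC first.
 */
public class ExternalUserProvServlet extends ZimbraServlet {
    private static final Log logger = LogFactory.getLog(ExternalUserProvServlet.class);
    private static final String EXT_USER_PROV_ON_UI_NODE = "/fromservice/extuserprov";
    private static final String PUBLIC_LOGIN_ON_UI_NODE = "/fromservice/publiclogin";
    public static final String PUBLIC_EXTUSERPROV_JSP = "/public/extuserprov.jsp";
    public static final String PUBLIC_LOGIN_JSP = "/public/login.jsp";

    /** Logs servlet start-up and delegates to the parent initialisation. */
    @Override // com.zimbra.cs.servlet.ZimbraServlet
    public void init() throws ServletException {
        ZimbraLog.account.info("Servlet " + getServletName() + " starting up");
        super.init();
    }

    /** Logs servlet shutdown and delegates to the parent teardown. */
    @Override
    public void destroy() {
        ZimbraLog.account.info("Servlet " + getServletName() + " shutting down");
        super.destroy();
    }

    /**
     * Handles the link an external user follows from a share invitation.
     *
     * <p>The token is read from the request parameter named by {@code Metadata.FN_PREFIX} and
     * must pass {@link #validatePrelimToken(String)}. The decoded token supplies the sharing
     * account id, the shared folder id ("fid") and the external user's e-mail address.
     *
     * <ul>
     *   <li>If a virtual account for that address already exists, the share is looked up on the
     *       owner, a mountpoint is created in the grantee mailbox (best effort), and the user is
     *       redirected to "/" when already authenticated as that account, or sent to the login
     *       page otherwise.</li>
     *   <li>If no account exists, the token is stored in the {@code ZM_PRELIM_AUTH_TOKEN} cookie
     *       and the registration page is rendered.</li>
     * </ul>
     *
     * @throws ServletException if the parameter is missing, the token is invalid, the owner or
     *     the share cannot be found, or a {@link ServiceException} occurs
     * @throws IOException if writing the response fails
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String prelimToken = httpServletRequest.getParameter(Metadata.FN_PREFIX);
        if (prelimToken == null) {
            throw new ServletException("request missing param");
        }
        Map<Object, Object> tokenMap = validatePrelimToken(prelimToken);
        Map<String, String> uiNodeParams = new HashMap<String, String>();
        String ownerId = (String) tokenMap.get(Metadata.FN_ACCOUNT_ID);
        String folderId = (String) tokenMap.get("fid");
        String extUserEmail = (String) tokenMap.get("email");
        Provisioning provisioning = Provisioning.getInstance();
        try {
            Account owner = provisioning.getAccountById(ownerId);
            if (owner == null) {
                // The sharing account may have been removed after the invitation was issued;
                // fail cleanly instead of dereferencing null further down.
                throw new ServletException("share owner not found");
            }
            Domain domain = provisioning.getDomain(owner);
            Account grantee = provisioning.getAccountByName(mapExtEmailToAcctName(extUserEmail, domain));
            if (grantee != null) {
                String[] sharedItems = owner.getSharedItem();
                int sharedFolderId = Integer.parseInt(folderId);

                // Re-check the grant against the owner's current shares: the token alone is not
                // enough, the share must still exist for this folder and this address.
                String sharePath = null;
                MailItem.Type viewType = null;
                for (String serializedShare : sharedItems) {
                    ShareInfoData share = AclPushSerializer.deserialize(serializedShare);
                    if (share.getItemId() == sharedFolderId && extUserEmail.equalsIgnoreCase(share.getGranteeId())) {
                        sharePath = share.getPath();
                        viewType = share.getFolderDefaultViewCode();
                        break;
                    }
                }
                if (sharePath == null) {
                    throw new ServletException("share not found");
                }

                // The mailbox client below acts as the grantee using a server-minted auth token;
                // the caller has proven nothing beyond possession of the preliminary token.
                String mountpointName = getMountpointName(owner, grantee, sharePath);
                ZMailbox.Options options = new ZMailbox.Options();
                options.setNoSession(true);
                options.setAuthToken(AuthProvider.getAuthToken(grantee).toZAuthToken());
                options.setUri(AccountUtil.getSoapUri(grantee));
                ZMailbox granteeMailbox = new ZMailbox(options);
                ZMountpoint mountpoint = null;
                try {
                    mountpoint = granteeMailbox.createMountpoint(String.valueOf(getMptParentFolderId(viewType, provisioning)), mountpointName, ZFolder.View.fromString(viewType.toString()), ZFolder.Color.DEFAULTCOLOR, (String) null, ZMailbox.OwnerBy.BY_ID, ownerId, ZMailbox.SharedItemBy.BY_ID, folderId, false);
                } catch (ServiceException e) {
                    // Deliberate best effort: every ServiceException is treated as "already
                    // mounted", so other failures are only visible at debug level.
                    logger.debug("Error in attempting to create mountpoint. Probably it already exists.", e);
                }
                if (mountpoint != null) {
                    if (viewType == MailItem.Type.APPOINTMENT) {
                        try {
                            granteeMailbox.invokeJaxb(new FolderActionRequest(new FolderActionSelector(mountpoint.getId(), FolderAction.OP_CHECK)));
                        } catch (ServiceException e2) {
                            logger.warn("Error in invoking check action on calendar mountpoint", e2);
                        }
                    }
                    Set<MailItem.Type> viewTypes = new HashSet<MailItem.Type>();
                    viewTypes.add(viewType);
                    enableAppFeatures(grantee, viewTypes);
                }

                AuthToken authToken = null;
                String encodedAuthToken = getCookieValue(httpServletRequest, "ZM_AUTH_TOKEN");
                if (encodedAuthToken != null) {
                    try {
                        authToken = AuthProvider.getAuthToken(encodedAuthToken);
                    } catch (AuthTokenException ignored) {
                        // An unparseable cookie simply means "not logged in"; the cookie value
                        // itself is never logged.
                        logger.debug("Ignoring invalid ZM_AUTH_TOKEN cookie", ignored);
                    }
                }
                if (authToken != null && !authToken.isExpired() && authToken.isRegistered() && grantee.getId().equals(authToken.getAccountId())) {
                    httpServletResponse.sendRedirect("/");
                } else if (provisioning.isOctopus() && !grantee.isVirtualAccountInitialPasswordSet() && DebugConfig.skipVirtualAccountRegistrationPage) {
                    // With this debug switch on, a valid preliminary token alone yields a full
                    // auth cookie for a password-less virtual account.
                    setCookieAndRedirect(httpServletRequest, httpServletResponse, grantee);
                } else {
                    httpServletRequest.setAttribute("virtualacctdomain", domain.getName());
                    if (WebClientServiceUtil.isServerInSplitMode()) {
                        uiNodeParams.put("virtualacctdomain", domain.getName());
                        httpServletResponse.getWriter().print(WebClientServiceUtil.sendServiceRequestToOneRandomUiNode(PUBLIC_LOGIN_ON_UI_NODE, uiNodeParams));
                    } else {
                        getWebappContext().getRequestDispatcher(PUBLIC_LOGIN_JSP).forward(httpServletRequest, httpServletResponse);
                    }
                }
            } else if (provisioning.isOctopus() && DebugConfig.skipVirtualAccountRegistrationPage) {
                provisionVirtualAccountAndRedirect(httpServletRequest, httpServletResponse, null, null, ownerId, extUserEmail);
            } else {
                // The cookie carries a bearer credential that authorises account creation in
                // doPost, so keep it away from page scripts and off plain-HTTP requests when the
                // current request is HTTPS (same scheme test as setCookieAndRedirect).
                Cookie prelimCookie = new Cookie("ZM_PRELIM_AUTH_TOKEN", prelimToken);
                prelimCookie.setHttpOnly(true);
                prelimCookie.setSecure(httpServletRequest.getScheme().equals(URLUtil.PROTO_HTTPS));
                httpServletResponse.addCookie(prelimCookie);
                httpServletRequest.setAttribute("extuseremail", extUserEmail);
                if (WebClientServiceUtil.isServerInSplitMode()) {
                    uiNodeParams.put("extuseremail", extUserEmail);
                    uiNodeParams.put("ZM_PRELIM_AUTH_TOKEN", prelimToken);
                    httpServletResponse.getWriter().print(WebClientServiceUtil.sendServiceRequestToOneRandomUiNode(EXT_USER_PROV_ON_UI_NODE, uiNodeParams));
                } else {
                    getWebappContext().getRequestDispatcher(PUBLIC_EXTUSERPROV_JSP).forward(httpServletRequest, httpServletResponse);
                }
            }
        } catch (ServiceException e4) {
            throw new ServletException(e4);
        }
    }

    /**
     * Returns the servlet context mounted at "/zimbra", which hosts the public JSP pages.
     *
     * @throws ServiceException TEMPORARILY_UNAVAILABLE when the container does not expose that
     *     context (the lookup returned {@code null})
     */
    private ServletContext getWebappContext() throws ServiceException {
        ServletContext context = getServletContext().getContext("/zimbra");
        if (context == null) {
            logger.warn("Could not access servlet context url /zimbra");
            throw ServiceException.TEMPORARILY_UNAVAILABLE();
        }
        return context;
    }

    /**
     * Returns the value of the first request cookie with the given name, or {@code null} when
     * the request carries no such cookie.
     */
    private static String getCookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals(name)) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Builds the localized mountpoint name from the owner's display name and the shared path.
     *
     * <p>A leading "/" is dropped, then everything up to and including the first remaining "/"
     * is dropped (so "/a/b/c" becomes "b/c"), and remaining separators are shown as spaces.
     */
    private static String getMountpointName(Account owner, Account grantee, String sharedFolderPath) throws ServiceException {
        String path = sharedFolderPath;
        if (path.startsWith("/")) {
            path = path.substring(1);
        }
        int firstSlash = path.indexOf('/');
        if (firstSlash != -1) {
            path = path.substring(firstSlash + 1);
        }
        return L10nUtil.getMessage(L10nUtil.MsgKey.shareNameDefault, grantee.getLocale(), new Object[]{getDisplayName(owner), path.replace("/", " ")});
    }

    /** Returns the account's display name, falling back to its name when none is set. */
    private static String getDisplayName(Account account) {
        String displayName = account.getDisplayName();
        return displayName != null ? displayName : account.getName();
    }

    /**
     * Maps an external address to the virtual account name in the sharing domain by replacing
     * every "@" with "." and appending "@" plus the domain name.
     */
    private static String mapExtEmailToAcctName(String extUserEmail, Domain domain) {
        return extUserEmail.replace("@", ".") + "@" + domain.getName();
    }

    /**
     * Handles the registration form: reads the display name and password parameters, requires a
     * valid token in the {@code ZM_PRELIM_AUTH_TOKEN} cookie, and provisions the account.
     *
     * @throws ServletException if the cookie is absent, the token is invalid, or provisioning
     *     fails
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String displayName = httpServletRequest.getParameter(DavElements.P_DISPLAYNAME);
        String password = httpServletRequest.getParameter("password");
        String prelimToken = getCookieValue(httpServletRequest, "ZM_PRELIM_AUTH_TOKEN");
        if (prelimToken == null) {
            throw new ServletException("unauthorized request");
        }
        // Owner id and e-mail come from the verified token, never from request parameters.
        Map<Object, Object> tokenMap = validatePrelimToken(prelimToken);
        provisionVirtualAccountAndRedirect(httpServletRequest, httpServletResponse, displayName, password, (String) tokenMap.get(Metadata.FN_ACCOUNT_ID), (String) tokenMap.get("email"));
    }

    /**
     * Creates the virtual account for an external user, mounts every share granted to that user
     * (directly or through group membership), enables the matching application features, then
     * issues an auth cookie and redirects to "/".
     *
     * <p>If a {@link ServiceException} occurs after the account was created, the account is
     * deleted again before the error is propagated. Other exception types do not trigger that
     * rollback. Every failure reaches the caller wrapped in a {@link ServletException}.
     *
     * @param displayName optional display name; ignored when null or empty
     * @param password optional initial password; when null or empty the account is created
     *     without the "initial password set" marker
     * @param ownerId id of the account that issued the share, used to resolve the domain
     * @param extUserEmail external e-mail address of the user being provisioned
     */
    private static void provisionVirtualAccountAndRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String displayName, String password, String ownerId, String extUserEmail) throws ServletException {
        Provisioning provisioning = Provisioning.getInstance();
        try {
            Account tokenOwner = provisioning.getAccountById(ownerId);
            if (tokenOwner == null) {
                throw new ServletException("share owner not found");
            }
            Domain domain = provisioning.getDomain(tokenOwner);
            if (provisioning.getAccountByName(mapExtEmailToAcctName(extUserEmail, domain)) != null) {
                throw new ServletException("invalid request: account already exists");
            }

            // Find every account in the domain that has a grant for this address or for one of
            // the groups the address belongs to.
            SearchAccountsOptions searchOptions = new SearchAccountsOptions(domain, new String[]{SpecialAttrs.SA_zimbraId, "displayName", "zimbraSharedItem"});
            List<String> groupIds = provisioning.getGroupMembership((Account) new GuestAccount(extUserEmail, null), false).groupIds();
            List<String> granteeIds = Lists.newArrayList(new String[]{extUserEmail});
            granteeIds.addAll(groupIds);
            searchOptions.setFilter(ZLdapFilterFactory.getInstance().accountsByGrants(granteeIds, false, false));
            List<NamedEntry> sharingAccounts = provisioning.searchDirectory(searchOptions);
            if (sharingAccounts.isEmpty()) {
                // No account is created unless at least one share actually targets this user.
                throw new ServletException("no shares discovered");
            }

            Map<String, Object> attrs = new HashMap<String, Object>();
            attrs.put("zimbraIsExternalVirtualAccount", LdapConstants.LDAP_TRUE);
            attrs.put("zimbraExternalUserMailAddress", extUserEmail);
            attrs.put("zimbraMailHost", provisioning.getLocalServer().getServiceHostname());
            if (!StringUtil.isNullOrEmpty(displayName)) {
                attrs.put("displayName", displayName);
            }
            attrs.put("zimbraHideInGal", LdapConstants.LDAP_TRUE);
            attrs.put("zimbraMailStatus", ZAttrProvisioning.MailStatus.disabled.toString());
            if (!StringUtil.isNullOrEmpty(password)) {
                attrs.put("zimbraVirtualAccountInitialPasswordSet", LdapConstants.LDAP_TRUE);
            }
            Account virtualAccount = provisioning.createAccount(mapExtEmailToAcctName(extUserEmail, domain), password, attrs);
            try {
                Mailbox mailbox = MailboxManager.getInstance().getMailboxByAccount(virtualAccount);
                Set<MailItem.Type> viewTypes = new HashSet<MailItem.Type>();
                for (NamedEntry entry : sharingAccounts) {
                    Account owner = (Account) entry;
                    for (String serializedShare : owner.getSharedItem()) {
                        ShareInfoData share = AclPushSerializer.deserialize(serializedShare);
                        if (!granteeMatchesShare(share, virtualAccount)) {
                            continue;
                        }
                        String mountpointName = getMountpointName(owner, virtualAccount, share.getPath());
                        MailItem.Type viewType = share.getFolderDefaultViewCode();
                        Mountpoint mountpoint = mailbox.createMountpoint((OperationContext) null, getMptParentFolderId(viewType, provisioning), mountpointName, owner.getId(), share.getItemId(), share.getItemUuid(), viewType, 0, (byte) 0, false);
                        if (viewType == MailItem.Type.APPOINTMENT) {
                            mailbox.alterTag((OperationContext) null, mountpoint.getId(), mountpoint.getType(), Flag.FlagInfo.CHECKED, true, (MailItem.TargetConstraint) null);
                        }
                        viewTypes.add(viewType);
                    }
                }
                enableAppFeatures(virtualAccount, viewTypes);
                setCookieAndRedirect(httpServletRequest, httpServletResponse, virtualAccount);
            } catch (ServiceException e) {
                // Do not leave a half-configured account behind.
                provisioning.deleteAccount(virtualAccount.getId());
                throw e;
            }
        } catch (Exception e2) {
            throw new ServletException(e2);
        }
    }

    /**
     * Tells whether a share is granted to the given virtual account.
     *
     * <p>Grantee type code 2 is matched through ACL group membership and code 7 through the
     * account's external mail address; every other code is rejected.
     * NOTE(review): 2 and 7 look like compiler-inlined grantee-type constants (group and guest);
     * confirm against the ACL definitions before relying on that reading.
     */
    private static boolean granteeMatchesShare(ShareInfoData shareInfoData, Account account) throws ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        String granteeId = shareInfoData.getGranteeId();
        switch (shareInfoData.getGranteeTypeCode()) {
            case 2:
                return provisioning.inACLGroup(account, granteeId);
            case 7:
                return granteeId.equalsIgnoreCase(account.getExternalUserMailAddress());
            default:
                return false;
        }
    }

    /**
     * Writes a freshly issued auth token for the account into the response and redirects to "/".
     * The third argument passed to {@code encode} is true only when the request scheme is HTTPS.
     * The redirect target is a constant, so request data cannot influence it.
     */
    private static void setCookieAndRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Account account) throws ServiceException, IOException {
        boolean overHttps = httpServletRequest.getScheme().equals(URLUtil.PROTO_HTTPS);
        AuthProvider.getAuthToken(account).encode(httpServletResponse, false, overHttps);
        httpServletResponse.sendRedirect("/");
    }

    /**
     * Picks the parent folder id for a new mountpoint: 16 for document shares on Octopus
     * installations, 1 in every other case.
     * NOTE(review): 1 and 16 are presumably well-known system folder ids; confirm.
     */
    private static int getMptParentFolderId(MailItem.Type type, Provisioning provisioning) throws ServiceException {
        switch (type) {
            case DOCUMENT:
                return provisioning.isOctopus() ? 16 : 1;
            default:
                return 1;
        }
    }

    /**
     * Enables, in one modify call, the account feature flag that corresponds to each shared
     * item type in the set. Types without a mapping are ignored.
     */
    private static void enableAppFeatures(Account account, Set<MailItem.Type> set) throws ServiceException {
        Map<String, Object> featureAttrs = new HashMap<String, Object>();
        for (MailItem.Type viewType : set) {
            switch (viewType) {
                case DOCUMENT:
                    featureAttrs.put("zimbraFeatureBriefcasesEnabled", LdapConstants.LDAP_TRUE);
                    break;
                case APPOINTMENT:
                    featureAttrs.put("zimbraFeatureCalendarEnabled", LdapConstants.LDAP_TRUE);
                    break;
                case CONTACT:
                    featureAttrs.put("zimbraFeatureContactsEnabled", LdapConstants.LDAP_TRUE);
                    break;
                case TASK:
                    featureAttrs.put("zimbraFeatureTasksEnabled", LdapConstants.LDAP_TRUE);
                    break;
                case MESSAGE:
                    featureAttrs.put("zimbraFeatureMailEnabled", LdapConstants.LDAP_TRUE);
                    break;
                default:
                    // No feature flag is tied to the remaining item types.
                    break;
            }
        }
        account.modify(featureAttrs);
    }

    /**
     * Verifies and decodes a preliminary token of the form
     * {@code <keyVersion>_<hmac>_<hexPayload>}.
     *
     * <p>The HMAC of the hex payload is recomputed with the key for the given version and
     * compared before the payload is decoded. A payload with an "exp" entry is rejected once
     * the current time is past it; a payload without "exp" never expires.
     *
     * <p>Failures raised after the token has been split (unknown key version, HMAC mismatch,
     * expiry, decoding errors) are wrapped, so the specific message is found on the cause of
     * the thrown exception.
     *
     * @param str the raw token
     * @return the decoded token entries
     * @throws ServletException if the token is null, malformed, fails verification or expired
     */
    public static Map<Object, Object> validatePrelimToken(String str) throws ServletException {
        if (str == null) {
            throw new ServletException("invalid token param");
        }
        int firstSep = str.indexOf('_');
        if (firstSep == -1) {
            throw new ServletException("invalid token param");
        }
        String keyVersion = str.substring(0, firstSep);
        int secondSep = str.indexOf('_', firstSep + 1);
        if (secondSep == -1) {
            throw new ServletException("invalid token param");
        }
        String suppliedHmac = str.substring(firstSep + 1, secondSep);
        String payloadHex = str.substring(secondSep + 1);
        try {
            ExtAuthTokenKey key = ExtAuthTokenKey.getVersion(keyVersion);
            if (key == null) {
                throw new ServletException("unknown key version");
            }
            // Compare in constant time: String.equals stops at the first differing character,
            // which leaks how much of a guessed HMAC was correct.
            String expectedHmac = TokenUtil.getHmac(payloadHex, key.getKey());
            boolean hmacMatches = java.security.MessageDigest.isEqual(
                    expectedHmac.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    suppliedHmac.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            if (!hmacMatches) {
                throw new ServletException("hmac failure");
            }
            // NOTE(review): the payload bytes are decoded with the platform default charset;
            // this must match whatever the token issuer used - confirm before pinning one.
            Map<Object, Object> decoded = BlobMetaData.decode(new String(Hex.decodeHex(payloadHex.toCharArray())));
            Object expiry = decoded.get("exp");
            if (expiry != null && System.currentTimeMillis() > Long.parseLong((String) expiry)) {
                throw new ServletException("url no longer valid");
            }
            return decoded;
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }
}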
