package com.zimbra.cs.servlet;

import com.zimbra.common.httpclient.HttpClientUtil;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.SoapProtocol;
import com.zimbra.common.util.ByteUtil;
import com.zimbra.common.util.HttpUtil;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.LogFactory;
import com.zimbra.common.util.RemoteIP;
import com.zimbra.common.util.ZimbraHttpConnectionManager;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.dav.DavProtocol;
import com.zimbra.cs.dav.service.method.Get;
import com.zimbra.cs.dav.service.method.Post;
import com.zimbra.cs.dav.service.method.Put;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.service.AuthProvider;
import com.zimbra.cs.util.Zimbra;
import com.zimbra.cs.zclient.ZMailbox;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.InputStreamRequestEntity;
import org.apache.commons.httpclient.methods.PostMethod;

/* loaded from: input_file:com/zimbra/cs/servlet/ZimbraServlet.class */
public class ZimbraServlet extends HttpServlet {
    private static final long serialVersionUID = 5025244890767551679L;
    private static final String PARAM_ALLOWED_PORTS = "allowed.ports";
    protected static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    protected static final String ZIMBRA_FAULT_CODE_HEADER = "X-Zimbra-Fault-Code";
    protected static final String ZIMBRA_FAULT_MESSAGE_HEADER = "X-Zimbra-Fault-Message";
    private static final int MAX_PROXY_HOPCOUNT = 3;
    private int[] mAllowedPorts;
    private static Log mLog = LogFactory.getLog(ZimbraServlet.class);
    private static Map<String, ZimbraServlet> sServlets = new HashMap();

    protected String getRealmHeader(String str) {
        if (str == null) {
            str = "Zimbra";
        }
        return "BASIC realm=\"" + str + "\"";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getRealmHeader(HttpServletRequest httpServletRequest, Domain domain) {
        String virtualHost;
        String str = null;
        if (domain == null && (virtualHost = HttpUtil.getVirtualHost(httpServletRequest)) != null) {
            try {
                domain = Provisioning.getInstance().getDomain(Provisioning.DomainBy.virtualHostname, virtualHost.toLowerCase(), true);
            } catch (ServiceException e) {
                mLog.warn("caught exception while getting domain by virtual host: " + virtualHost, e);
            }
        }
        if (domain != null) {
            str = domain.getBasicAuthRealm();
        }
        return getRealmHeader(str);
    }

    public void init() throws ServletException {
        try {
            String initParameter = getInitParameter(PARAM_ALLOWED_PORTS);
            if (initParameter != null) {
                String[] split = initParameter.split("\\s*,\\s*");
                if (split == null || split.length == 0) {
                    throw new ServletException("Must specify comma-separated list of port numbers for allowed.ports parameter");
                }
                ArrayList arrayList = new ArrayList();
                for (int i = 0; i < split.length; i++) {
                    try {
                        int parseInt = Integer.parseInt(split[i]);
                        if (parseInt < 0) {
                            throw new ServletException("Invalid port number " + split[i] + " in " + PARAM_ALLOWED_PORTS + " parameter; port number must be greater than zero");
                        }
                        if (parseInt != 0) {
                            arrayList.add(Integer.valueOf(parseInt));
                        }
                    } catch (NumberFormatException e) {
                        throw new ServletException("Invalid port number \"" + split[i] + "\" in " + PARAM_ALLOWED_PORTS + " parameter");
                    }
                }
                this.mAllowedPorts = new int[arrayList.size()];
                for (int i2 = 0; i2 < arrayList.size(); i2++) {
                    this.mAllowedPorts[i2] = ((Integer) arrayList.get(i2)).intValue();
                }
            }
            synchronized (sServlets) {
                String servletName = getServletName();
                if (sServlets.containsKey(servletName)) {
                    Zimbra.halt("Attempted to instantiate a second instance of " + servletName);
                }
                sServlets.put(getServletName(), this);
                mLog.debug("Added " + getServletName() + " to the servlet list");
            }
        } catch (Throwable th) {
            Zimbra.halt("Unable to initialize servlet " + getServletName() + "; halting", th);
        }
    }

    public static ZimbraServlet getServlet(String str) {
        ZimbraServlet zimbraServlet;
        synchronized (sServlets) {
            zimbraServlet = sServlets.get(str);
        }
        return zimbraServlet;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isRequestOnAllowedPort(HttpServletRequest httpServletRequest) {
        if (this.mAllowedPorts == null || this.mAllowedPorts.length <= 0) {
            return true;
        }
        int localPort = httpServletRequest.getLocalPort();
        for (int i = 0; i < this.mAllowedPorts.length; i++) {
            if (this.mAllowedPorts[i] == localPort) {
                return true;
            }
        }
        return false;
    }

    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (isRequestOnAllowedPort(httpServletRequest)) {
            super.service(httpServletRequest, httpServletResponse);
            return;
        }
        SoapProtocol soapProtocol = SoapProtocol.Soap12;
        ServiceException FAILURE = ServiceException.FAILURE("Request not allowed on port " + httpServletRequest.getLocalPort(), (Throwable) null);
        ZimbraLog.soap.warn((Object) null, FAILURE);
        byte[] utf8 = SoapProtocol.Soap12.soapEnvelope(SoapProtocol.Soap12.soapFault(FAILURE)).toUTF8();
        httpServletResponse.setContentType(soapProtocol.getContentType());
        httpServletResponse.setBufferSize(utf8.length + 2048);
        httpServletResponse.setContentLength(utf8.length);
        httpServletResponse.setStatus(500);
        httpServletResponse.getOutputStream().write(utf8);
    }

    public static AuthToken getAuthTokenFromCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return getAuthTokenFromHttpReq(httpServletRequest, httpServletResponse, false, false);
    }

    public static AuthToken getAuthTokenFromCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        return getAuthTokenFromHttpReq(httpServletRequest, httpServletResponse, false, z);
    }

    public static AuthToken getAdminAuthTokenFromCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return getAuthTokenFromHttpReq(httpServletRequest, httpServletResponse, true, false);
    }

    public static AuthToken getAdminAuthTokenFromCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        return getAuthTokenFromHttpReq(httpServletRequest, httpServletResponse, true, z);
    }

    public static AuthToken getAdminAuthTokenFromCookie(HttpServletRequest httpServletRequest) {
        return getAuthTokenFromHttpReq(httpServletRequest, true);
    }

    public static AuthToken getAuthTokenFromHttpReq(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z, boolean z2) throws IOException {
        try {
            AuthToken authToken = AuthProvider.getAuthToken(httpServletRequest, z);
            if (authToken == null) {
                if (z2) {
                    return null;
                }
                httpServletResponse.sendError(401, "no authtoken cookie");
                return null;
            }
            if (!authToken.isExpired()) {
                return authToken;
            }
            if (z2) {
                return null;
            }
            httpServletResponse.sendError(401, "authtoken expired");
            return null;
        } catch (AuthTokenException e) {
            if (z2) {
                return null;
            }
            httpServletResponse.sendError(401, "unable to parse authtoken");
            return null;
        }
    }

    public static AuthToken getAuthTokenFromHttpReq(HttpServletRequest httpServletRequest, boolean z) {
        try {
            AuthToken authToken = AuthProvider.getAuthToken(httpServletRequest, z);
            if (authToken == null) {
                return null;
            }
            if (authToken.isExpired()) {
                return null;
            }
            return authToken;
        } catch (AuthTokenException e) {
            return null;
        }
    }

    public static void proxyServletRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        Account account = provisioning.get(Provisioning.AccountBy.id, str);
        if (account == null) {
            httpServletResponse.sendError(400, "no such user");
        } else {
            proxyServletRequest(httpServletRequest, httpServletResponse, provisioning.getServer(account), (AuthToken) null);
        }
    }

    public static void proxyServletRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Server server, AuthToken authToken) throws IOException, ServiceException {
        proxyServletRequest(httpServletRequest, httpServletResponse, server, HttpUtil.getFullRequestURL(httpServletRequest), authToken);
    }

    public static void proxyServletRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Server server, String str, AuthToken authToken) throws IOException, ServiceException {
        GetMethod getMethod;
        if (server == null) {
            httpServletResponse.sendError(400, "cannot find remote server");
            return;
        }
        String proxyUrl = getProxyUrl(httpServletRequest, server, str);
        if (httpServletRequest.getMethod().equalsIgnoreCase(Get.GET)) {
            getMethod = new GetMethod(proxyUrl.toString());
        } else if (!httpServletRequest.getMethod().equalsIgnoreCase(Post.POST) && !httpServletRequest.getMethod().equalsIgnoreCase(Put.PUT)) {
            httpServletResponse.sendError(500, "cannot proxy method: " + httpServletRequest.getMethod());
            return;
        } else {
            GetMethod postMethod = new PostMethod(proxyUrl.toString());
            postMethod.setRequestEntity(new InputStreamRequestEntity(httpServletRequest.getInputStream()));
            getMethod = postMethod;
        }
        HttpState httpState = new HttpState();
        String host = getMethod.getURI().getHost();
        if (authToken != null) {
            authToken.encode(httpState, false, host);
        }
        try {
            proxyServletRequest(httpServletRequest, httpServletResponse, (HttpMethod) getMethod, httpState);
            getMethod.releaseConnection();
        } catch (Throwable th) {
            getMethod.releaseConnection();
            throw th;
        }
    }

    private static boolean hasZimbraAuthCookie(HttpState httpState) {
        Cookie[] cookies = httpState.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals("ZM_AUTH_TOKEN")) {
                return true;
            }
        }
        return false;
    }

    public static void proxyServletRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMethod httpMethod, HttpState httpState) throws IOException, ServiceException {
        javax.servlet.http.Cookie[] cookies = httpServletRequest.getCookies();
        String host = httpMethod.getURI().getHost();
        boolean hasZimbraAuthCookie = hasZimbraAuthCookie(httpState);
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (!cookies[i].getName().equals("ZM_AUTH_TOKEN") || !hasZimbraAuthCookie) {
                    httpState.addCookie(new Cookie(host, cookies[i].getName(), cookies[i].getValue(), ZMailbox.PATH_SEPARATOR, (Date) null, false));
                }
            }
        }
        HttpClient newHttpClient = ZimbraHttpConnectionManager.getInternalHttpConnMgr().newHttpClient();
        if (httpState != null) {
            newHttpClient.setState(httpState);
        }
        int i2 = 0;
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String str = (String) headerNames.nextElement();
            String lowerCase = str.toLowerCase();
            if (lowerCase.equals("x-zimbra-hopcount")) {
                try {
                    i2 = Math.max(Integer.parseInt(httpServletRequest.getHeader(str)), 0);
                } catch (NumberFormatException e) {
                }
            } else if (lowerCase.startsWith("x-") || lowerCase.startsWith("content-") || lowerCase.equals("authorization")) {
                httpMethod.addRequestHeader(str, httpServletRequest.getHeader(str));
            }
        }
        if (i2 >= 3) {
            throw ServiceException.TOO_MANY_HOPS(HttpUtil.getFullRequestURL(httpServletRequest));
        }
        httpMethod.addRequestHeader("X-Zimbra-Hopcount", Integer.toString(i2 + 1));
        if (httpMethod.getRequestHeader("X-Zimbra-Orig-Url") == null) {
            httpMethod.addRequestHeader("X-Zimbra-Orig-Url", httpServletRequest.getRequestURL().toString());
        }
        String header = httpServletRequest.getHeader(DavProtocol.HEADER_USER_AGENT);
        if (header != null) {
            httpMethod.setRequestHeader(DavProtocol.HEADER_USER_AGENT, header);
        }
        int i3 = -1;
        for (int i4 = 3; i3 == -1 && i4 > 0; i4--) {
            i3 = HttpClientUtil.executeMethod(newHttpClient, httpMethod);
        }
        if (i3 == -1) {
            httpServletResponse.sendError(503, "retry limit reached");
            return;
        }
        if (i3 >= 300) {
            httpServletResponse.sendError(i3, httpMethod.getStatusText());
            return;
        }
        Header[] responseHeaders = httpMethod.getResponseHeaders();
        for (int i5 = 0; i5 < responseHeaders.length; i5++) {
            String name = responseHeaders[i5].getName();
            String lowerCase2 = name.toLowerCase();
            if (lowerCase2.startsWith("x-") || ((lowerCase2.startsWith("content-") && !lowerCase2.equals("content-length")) || lowerCase2.startsWith("www-"))) {
                httpServletResponse.addHeader(name, responseHeaders[i5].getValue());
            }
        }
        if (httpMethod.getResponseBodyAsStream() == null || httpServletResponse.getOutputStream() == null) {
            return;
        }
        ByteUtil.copy(httpMethod.getResponseBodyAsStream(), false, httpServletResponse.getOutputStream(), false);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAdminRequest(HttpServletRequest httpServletRequest) throws ServiceException {
        int intAttr = Provisioning.getInstance().getLocalServer().getIntAttr(ZAttrProvisioning.A_zimbraAdminPort, -1);
        if (httpServletRequest.getLocalPort() == intAttr) {
            return (Provisioning.getInstance().getLocalServer().getIntAttr(ZAttrProvisioning.A_zimbraMailPort, -1) == intAttr && getAdminAuthTokenFromCookie(httpServletRequest) == null) ? false : true;
        }
        return false;
    }

    public AuthToken cookieAuthRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServiceException {
        return isAdminRequest(httpServletRequest) ? getAdminAuthTokenFromCookie(httpServletRequest, httpServletResponse, true) : getAuthTokenFromCookie(httpServletRequest, httpServletResponse, true);
    }

    public Account basicAuthRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException, ServiceException {
        String virtualHost;
        Domain domain;
        if (!AuthProvider.allowBasicAuth(httpServletRequest, this)) {
            return null;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            if (!z) {
                return null;
            }
            httpServletResponse.addHeader("WWW-Authenticate", getRealmHeader(httpServletRequest, null));
            httpServletResponse.sendError(401, "must authenticate");
            return null;
        }
        String str = new String(Base64.decodeBase64(header.substring(6).getBytes()), "UTF-8");
        int indexOf = str.indexOf(":");
        if (indexOf == -1) {
            httpServletResponse.sendError(400, "invalid basic auth credentials");
            return null;
        }
        String substring = str.substring(0, indexOf);
        String str2 = substring;
        String substring2 = str.substring(indexOf + 1);
        Provisioning provisioning = Provisioning.getInstance();
        if (str2.indexOf(64) == -1 && (virtualHost = HttpUtil.getVirtualHost(httpServletRequest)) != null && (domain = provisioning.get(Provisioning.DomainBy.virtualHostname, virtualHost.toLowerCase())) != null) {
            str2 = str2 + "@" + domain.getName();
        }
        Account account = provisioning.get(Provisioning.AccountBy.name, str2);
        if (account == null) {
            if (z) {
                httpServletResponse.addHeader("WWW-Authenticate", getRealmHeader(httpServletRequest, null));
                httpServletResponse.sendError(401, "invalid username/password");
            }
            return new GuestAccount(str2, substring2);
        }
        try {
            HashMap hashMap = new HashMap();
            hashMap.put(AuthContext.AC_ORIGINATING_CLIENT_IP, getOrigIp(httpServletRequest));
            hashMap.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, substring);
            hashMap.put(AuthContext.AC_USER_AGENT, httpServletRequest.getHeader(DavProtocol.HEADER_USER_AGENT));
            provisioning.authAccount(account, substring2, AuthContext.Protocol.http_basic, hashMap);
            return account;
        } catch (ServiceException e) {
            if (!z) {
                return null;
            }
            httpServletResponse.addHeader("WWW-Authenticate", getRealmHeader(httpServletRequest, provisioning.getDomain(account)));
            httpServletResponse.sendError(401, "invalid username/password");
            return null;
        }
    }

    public static String getAccountPath(Account account) {
        return ZMailbox.PATH_SEPARATOR + account.getName();
    }

    public static String getServiceUrl(Account account, String str) throws ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        Server server = provisioning.getServer(account);
        if (server == null) {
            throw ServiceException.FAILURE("unable to retrieve server for account" + account.getName(), (Throwable) null);
        }
        return getServiceUrl(server, provisioning.getDomain(account), str + getAccountPath(account));
    }

    public static String getServiceUrl(Server server, Domain domain, String str) throws ServiceException {
        return URLUtil.getPublicURLForDomain(server, domain, str, true);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String getProxyUrl(HttpServletRequest httpServletRequest, Server server, String str) throws ServiceException {
        int localPort = httpServletRequest == null ? -1 : httpServletRequest.getLocalPort();
        Provisioning provisioning = Provisioning.getInstance();
        Server localServer = provisioning.getLocalServer();
        if (provisioning.isOfflineProxyServer(server) || localPort != localServer.getIntAttr(ZAttrProvisioning.A_zimbraAdminPort, 0)) {
            return URLUtil.getServiceURL(server, str, localPort == localServer.getIntAttr(ZAttrProvisioning.A_zimbraMailSSLPort, 0));
        }
        return URLUtil.getAdminURL(server, str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void returnError(HttpServletResponse httpServletResponse, ServiceException serviceException) {
        httpServletResponse.setHeader(ZIMBRA_FAULT_CODE_HEADER, serviceException.getCode());
        httpServletResponse.setHeader(ZIMBRA_FAULT_MESSAGE_HEADER, serviceException.getMessage());
        httpServletResponse.setStatus(500);
    }

    public static String getOrigIp(HttpServletRequest httpServletRequest) {
        return new RemoteIP(httpServletRequest, getTrustedIPs()).getOrigIP();
    }

    public static void addRemoteIpToLoggingContext(HttpServletRequest httpServletRequest) {
        new RemoteIP(httpServletRequest, getTrustedIPs()).addToLoggingContext();
    }

    public static RemoteIP.TrustedIPs getTrustedIPs() {
        try {
            return new RemoteIP.TrustedIPs(Provisioning.getInstance().getLocalServer().getMultiAttr(ZAttrProvisioning.A_zimbraMailTrustedIP));
        } catch (ServiceException e) {
            ZimbraLog.misc.warn("failed to get trusted IPs, only localhost will be trusted", e);
            return new RemoteIP.TrustedIPs((String[]) null);
        }
    }

    public static void addUAToLoggingContext(HttpServletRequest httpServletRequest) {
        ZimbraLog.addUserAgentToContext(httpServletRequest.getHeader(DavProtocol.HEADER_USER_AGENT));
    }
}
