package com.zimbra.cs.service.admin;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.AdminConstants;
import com.zimbra.common.soap.Element;
import com.zimbra.common.util.ZimbraCookie;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.ZimbraAuthToken;
import com.zimbra.cs.account.accesscontrol.AdminRight;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.index.LuceneViewer;
import com.zimbra.cs.mailbox.OperationContextData;
import com.zimbra.cs.service.AuthProvider;
import com.zimbra.cs.service.PreAuthServlet;
import com.zimbra.cs.service.UserServlet;
import com.zimbra.cs.service.admin.AdminRightCheckPoint;
import com.zimbra.cs.session.Session;
import com.zimbra.cs.util.AccountUtil;
import com.zimbra.soap.SoapEngine;
import com.zimbra.soap.SoapServlet;
import com.zimbra.soap.ZimbraSoapContext;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/service/admin/Auth.class */
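/**
 * SOAP handler for the admin authentication request.
 *
 * <p>The request is accepted in one of two forms: an existing auth token, or an account
 * identifier plus password. In both forms the resolved account must carry at least one of
 * the admin attributes tested by {@link #checkAdmin(Account)} before a response is built.
 *
 * <p>{@link #needsAuth(Map)} and {@link #needsAdminAuth(Map)} both return {@code false}, so
 * every authentication and authorization decision for this endpoint is made inside
 * {@link #handle(Element, Map)}.
 *
 * <p>NOTE(review): this listing is decompiler output. Several constants taken from unrelated
 * classes ({@code UserServlet.QP_AUTHTOKEN}, {@code PreAuthServlet.PARAM_BY},
 * {@code LuceneViewer.CLI.O_ACTION}, {@code DavElements.P_ERROR},
 * {@code OperationContextData.GranteeNames.EMPTY_NAME}) look like the decompiler mapping string
 * literals back to arbitrary constants with the same value; confirm against the original source.
 */
public class Auth extends AdminDocumentHandler {
    /**
     * Authenticates an administrator and returns the auth response element.
     *
     * @param element the request element
     * @param map the SOAP engine context for this request
     * @return the response element produced by {@code doResponse}
     * @throws ServiceException {@code AUTH_EXPIRED} / {@code AUTH_REQUIRED} for an unusable
     *     token, {@code INVALID_REQUEST} when not exactly one of {@code name} / {@code account}
     *     is given, {@code AUTH_FAILED} when the account is not found, {@code PERM_DENIED} when
     *     the account is not an admin, or whatever {@code Provisioning.authAccount} raises
     */
    @Override // com.zimbra.soap.DocumentHandler
    public Element handle(Element element, Map<String, Object> map) throws ServiceException {
        AuthToken authToken;
        ZimbraSoapContext zsc = getZimbraSoapContext(map);
        Account account = null;
        Provisioning prov = Provisioning.getInstance();

        if (element.getOptionalElement(UserServlet.QP_AUTHTOKEN) != null) {
            // Token form: the caller presents an existing auth token instead of a password.
            try {
                authToken = AuthProvider.getAuthToken(element, new HashMap<String, Object>());
                if (authToken == null) {
                    throw ServiceException.AUTH_EXPIRED();
                }
                com.zimbra.cs.service.account.Auth.addAccountToLogContextByAuthToken(prov, authToken);
                if (authToken.isExpired()) {
                    throw ServiceException.AUTH_EXPIRED();
                }
                // Re-resolve the account so a deleted or non-active account is rejected even
                // though its token has not yet expired.
                account = prov.get(Provisioning.AccountBy.id, authToken.getAccountId(), authToken);
                // Literal-first comparison: a null status is treated as "not active" and fails
                // closed with AUTH_EXPIRED instead of raising a NullPointerException.
                if (account == null || !"active".equals(account.getAccountStatus(prov))) {
                    throw ServiceException.AUTH_EXPIRED();
                }
                // NOTE(review): only the account's admin attributes are checked here; nothing in
                // this branch inspects whether the presented token itself was issued as an admin
                // token. Confirm that AuthProvider.getAuthToken enforces this for the endpoint.
                checkAdmin(account);
            } catch (AuthTokenException e) {
                throw ServiceException.AUTH_REQUIRED();
            }
        } else {
            // Password form: exactly one of the "name" attribute or the <account> element.
            String nameAttr = element.getAttribute("name", (String) null);
            Element accountEl = element.getOptionalElement("account");
            if (nameAttr != null && accountEl != null) {
                throw ServiceException.INVALID_REQUEST("only one of <name> or <account> can be specified", (Throwable) null);
            }
            if (nameAttr == null && accountEl == null) {
                throw ServiceException.INVALID_REQUEST("missing <name> or <account>", (Throwable) null);
            }
            String password = element.getAttribute("password");
            Element virtualHostEl = element.getOptionalElement("virtualHost");
            // Locale.ROOT keeps the lower-casing independent of the JVM default locale, so the
            // host name used for the domain lookup is the same on every server.
            String virtualHost = virtualHostEl == null ? null : virtualHostEl.getText().toLowerCase(Locale.ROOT);

            String passedIn;
            Provisioning.AccountBy by;
            if (nameAttr != null) {
                passedIn = nameAttr;
                by = Provisioning.AccountBy.name;
            } else {
                passedIn = accountEl.getText();
                by = Provisioning.AccountBy.fromString(accountEl.getAttribute(PreAuthServlet.PARAM_BY, Provisioning.AccountBy.name.name()));
            }

            // lookupKey starts as the identifier the client sent and may gain an "@domain" suffix.
            String lookupKey = passedIn;
            try {
                if (by == Provisioning.AccountBy.name && !lookupKey.contains("@")) {
                    // Unqualified name: try it as an admin name first, then qualify it with the
                    // domain that owns the supplied virtual host, if there is one.
                    account = prov.get(Provisioning.AccountBy.adminName, lookupKey, zsc.getAuthToken());
                    if (account == null && virtualHost != null) {
                        Domain domain = prov.get(Provisioning.DomainBy.virtualHostname, virtualHost);
                        if (domain != null) {
                            lookupKey = lookupKey + "@" + domain.getName();
                        }
                    }
                }
                if (account == null) {
                    account = prov.get(by, lookupKey);
                }
                if (account == null) {
                    // NOTE(review): the "account not found" reason distinguishes an unknown
                    // account from a bad password; confirm it stays in server-side logs and is
                    // not returned to the client, to avoid account enumeration.
                    throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(lookupKey, passedIn, "account not found");
                }
                AccountUtil.addAccountToLogContext(prov, account.getId(), "name", "id", null);
                // Security audit record of the attempt, written before the password is checked.
                ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[]{"cmd", "AdminAuth", "account", lookupKey}));

                Map<String, Object> authCtxt = new HashMap<String, Object>();
                authCtxt.put(AuthContext.AC_ORIGINATING_CLIENT_IP, map.get(SoapEngine.ORIG_REQUEST_IP));
                authCtxt.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, passedIn);
                authCtxt.put(AuthContext.AC_USER_AGENT, zsc.getUserAgent());
                prov.authAccount(account, password, AuthContext.Protocol.soap, authCtxt);

                // The admin check runs only after the password has been accepted, so a caller
                // without valid credentials cannot learn whether an account is an admin.
                checkAdmin(account);
                authToken = AuthProvider.getAuthToken(account, true);
            } catch (ServiceException e2) {
                // Every failure in the password form is recorded in the security log, then rethrown.
                ZimbraLog.security.warn(ZimbraLog.encodeAttrs(new String[]{"cmd", "AdminAuth", "account", lookupKey, DavElements.P_ERROR, e2.getMessage()}));
                throw e2;
            }
        }
        return doResponse(authToken, zsc, map, account);
    }

    /**
     * Test stub that is not referenced anywhere in this class.
     *
     * <p>NOTE(review): this method compares a request value against a key hard-coded in the
     * source and, on a match, constructs an auth token for a hard-coded account name (the
     * {@code true} argument is presumably the admin flag; confirm). It should be deleted from
     * production code: a secret embedded in a shipped class must be treated as disclosed, and
     * any later change that wires this method into request handling would bypass the password
     * check in {@link #handle(Element, Map)}.
     *
     * @param element the element carrying the {@code type} attribute and the key/value children
     * @return a token for the hard-coded account when type and key match, otherwise {@code null}
     */
    private AuthToken dummyYCCTokenTestNeverCallMe(Element element) throws ServiceException, AuthTokenException {
        if (!"YAHOO_CALENDAR_AUTH_PROVIDER".equals(element.getAttribute("type"))) {
            return null;
        }
        for (Element child : element.listElements(LuceneViewer.CLI.O_ACTION)) {
            String attrName = child.getAttribute("n");
            String attrValue = child.getText();
            if ("ADMIN_AUTH_KEY".equals(attrName) && "1210713456+dDedin1lO8d1_j8Kl.vl".equals(attrValue)) {
                return new ZimbraAuthToken(Provisioning.getInstance().get(Provisioning.AccountBy.name, "admin@phoebe.mac"), true);
            }
        }
        return null;
    }

    /**
     * Rejects accounts that carry none of the three admin attributes.
     *
     * @param account the account to test
     * @throws ServiceException {@code PERM_DENIED} when the account is neither a domain admin,
     *     a global admin, nor a delegated admin
     */
    private void checkAdmin(Account account) throws ServiceException {
        // Each attribute defaults to false when absent, so a missing attribute never grants access.
        boolean isAdmin = account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDomainAdminAccount, false)
                || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false)
                || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDelegatedAdminAccount, false);
        if (!isAdmin) {
            throw ServiceException.PERM_DENIED("not an admin account");
        }
    }

    /**
     * Builds the auth response for an accepted login.
     *
     * @param authToken the token to hand back to the client
     * @param zimbraSoapContext the SOAP context used to create the response element
     * @param map the SOAP engine context holding the servlet request and response
     * @param account the authenticated admin account
     * @return the populated response element
     */
    private Element doResponse(AuthToken authToken, ZimbraSoapContext zimbraSoapContext, Map<String, Object> map, Account account) throws ServiceException {
        Element response = zimbraSoapContext.createElement(AdminConstants.AUTH_RESPONSE);
        authToken.encodeAuthResp(response, true);

        // The token is also written to the HTTP response (presumably as a cookie; confirm). The
        // last argument comes from ZimbraCookie.secureCookie(request), which decides the
        // cookie's secure setting from the incoming request.
        HttpServletResponse httpResponse = (HttpServletResponse) map.get(SoapServlet.SERVLET_RESPONSE);
        HttpServletRequest httpRequest = (HttpServletRequest) map.get(SoapServlet.SERVLET_REQUEST);
        authToken.encode(httpResponse, true, ZimbraCookie.secureCookie(httpRequest));

        // Remaining lifetime in milliseconds at the moment the response is built.
        response.addAttribute("lifetime", authToken.getExpires() - System.currentTimeMillis(), Element.Disposition.CONTENT);

        // Tells the client whether this is a domain admin. The concatenation turns the boolean
        // into text; EMPTY_NAME is presumably the empty string (confirm).
        response.addElement(LuceneViewer.CLI.O_ACTION).addAttribute("n", ZAttrProvisioning.A_zimbraIsDomainAdminAccount).setText(account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDomainAdminAccount, false) + OperationContextData.GranteeNames.EMPTY_NAME);

        Session session = updateAuthenticatedAccount(zimbraSoapContext, authToken, map, true);
        if (session != null) {
            ZimbraSoapContext.encodeSession(response, session.getSessionId(), session.getSessionType());
        }
        return response;
    }

    /**
     * Returns {@code false}: this handler is reachable without a prior auth token, so
     * {@link #handle(Element, Map)} must perform every credential check itself.
     */
    @Override // com.zimbra.cs.service.admin.AdminDocumentHandler, com.zimbra.soap.DocumentHandler
    public boolean needsAuth(Map<String, Object> map) {
        return false;
    }

    /**
     * Returns {@code false}: no admin token is required to reach this handler; the admin
     * check is done by {@code checkAdmin} inside {@link #handle(Element, Map)}.
     */
    @Override // com.zimbra.cs.service.admin.AdminDocumentHandler, com.zimbra.soap.DocumentHandler
    public boolean needsAdminAuth(Map<String, Object> map) {
        return false;
    }

    /**
     * Documents the rights for this request by adding the "allow all admins" note to
     * {@code list2}; {@code list} is left unchanged.
     */
    @Override // com.zimbra.cs.service.admin.AdminDocumentHandler, com.zimbra.cs.service.admin.AdminRightCheckPoint
    public void docRights(List<AdminRight> list, List<String> list2) {
        list2.add(AdminRightCheckPoint.Notes.ALLOW_ALL_ADMINS);
    }
}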
