package com.zimbra.cs.service;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.dav.DavProtocol;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.servlet.ZimbraServlet;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/service/PreAuthServlet.class */
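/**
 * Servlet behind the pre-authentication URL.
 *
 * <p>{@link #doGet} serves two request shapes:
 * <ul>
 *   <li>{@code authtoken=...}: an existing auth token is decoded and checked for expiry. If the
 *       token is an admin token, or this host serves the account (see {@link #needReferral}), the
 *       token is written as a cookie and the client is redirected into the web client; otherwise
 *       the client is referred to the account's home server with the token carried along.</li>
 *   <li>{@code preauth=...}: the pre-auth key for the named account is verified through
 *       {@link Provisioning#preAuthAccount}, a fresh auth token is minted and the same
 *       cookie-and-redirect or referral logic applies.</li>
 * </ul>
 *
 * <p>Every parameter arrives from an unauthenticated client. Malformed input is reported as HTTP
 * 400, and the {@code redirectURL} parameter is only honoured when it points back at this server
 * (see {@link #isLocalRedirectTarget}); any other target is rejected before a cookie is written.
 */
public class PreAuthServlet extends ZimbraServlet {
    public static final String PARAM_PREAUTH = "preauth";
    public static final String PARAM_AUTHTOKEN = "authtoken";
    public static final String PARAM_ACCOUNT = "account";
    public static final String PARAM_ADMIN = "admin";
    public static final String PARAM_ISREDIRECT = "isredirect";
    public static final String PARAM_BY = "by";
    public static final String PARAM_REDIRECT_URL = "redirectURL";
    public static final String PARAM_TIMESTAMP = "timestamp";
    public static final String PARAM_EXPIRES = "expires";

    /** Parameters consumed by this servlet; they are stripped when the query string is forwarded. */
    private static final Set<String> sPreAuthParams = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            PARAM_PREAUTH, PARAM_AUTHTOKEN, PARAM_ACCOUNT, PARAM_ADMIN, PARAM_ISREDIRECT,
            PARAM_BY, PARAM_TIMESTAMP, PARAM_EXPIRES)));

    private static final String DEFAULT_MAIL_URL = "/zimbra";
    private static final String DEFAULT_ADMIN_URL = "/zimbraAdmin";
    /** Path segment of the mail application appended to the configured mail URL. */
    private static final String MAIL_APP_PATH = "mail";

    @Override // com.zimbra.cs.servlet.ZimbraServlet
    public void init() throws ServletException {
        ZimbraLog.account.info("Servlet " + getServletName() + " starting up");
        super.init();
    }

    @Override
    public void destroy() {
        ZimbraLog.account.info("Servlet " + getServletName() + " shutting down");
        super.destroy();
    }

    /**
     * Returns a mandatory request parameter.
     *
     * @throws ServiceException INVALID_REQUEST when the parameter is absent; doGet maps it to 400
     */
    private String getRequiredParam(HttpServletRequest req, String name) throws ServiceException {
        String value = req.getParameter(name);
        if (value == null) {
            throw ServiceException.INVALID_REQUEST("missing required param: " + name, (Throwable) null);
        }
        return value;
    }

    /** Returns the request parameter, or {@code defaultValue} when it is absent. */
    private String getOptionalParam(HttpServletRequest req, String name, String defaultValue) {
        String value = req.getParameter(name);
        return value == null ? defaultValue : value;
    }

    /**
     * Returns a mandatory numeric request parameter.
     *
     * <p>A non-numeric value is reported as INVALID_REQUEST (HTTP 400) instead of letting the
     * NumberFormatException escape as a 500.
     */
    private long getRequiredLongParam(HttpServletRequest req, String name) throws ServiceException {
        String value = getRequiredParam(req, name);
        try {
            return Long.parseLong(value);
        } catch (NumberFormatException e) {
            throw ServiceException.INVALID_REQUEST("invalid numeric value for param: " + name, e);
        }
    }

    /**
     * Dispatches on whether an {@code authtoken} parameter is present; see the class comment for
     * the two flows. Any ServiceException or AuthTokenException raised along the way is turned
     * into a 400 whose body echoes the exception message (unchanged from the original behaviour).
     */
    @Override
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        ZimbraLog.clearContext();
        try {
            Provisioning prov = Provisioning.getInstance();
            String referMode = prov.getLocalServer().getAttr(ZAttrProvisioning.A_zimbraMailReferMode, Provisioning.MAIL_REFER_MODE_WRONGHOST);
            // isredirect=1 marks a request that already went through a referral; it must never be referred again.
            boolean isRedirect = "1".equals(getOptionalParam(httpServletRequest, PARAM_ISREDIRECT, "0"));
            String rawAuthToken = getOptionalParam(httpServletRequest, PARAM_AUTHTOKEN, null);
            if (rawAuthToken != null) {
                handleAuthTokenRequest(httpServletRequest, httpServletResponse, prov, rawAuthToken, referMode, isRedirect);
            } else {
                handlePreAuthRequest(httpServletRequest, httpServletResponse, prov, referMode, isRedirect);
            }
        } catch (AuthTokenException | ServiceException e) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
        }
    }

    /**
     * {@code authtoken} flow: validate the presented token, then either set it as a cookie on this
     * host or refer the client (token included) to the account's home server.
     *
     * @throws AuthTokenException when the token cannot be decoded or has expired
     */
    private void handleAuthTokenRequest(HttpServletRequest req, HttpServletResponse resp, Provisioning prov,
            String rawAuthToken, String referMode, boolean isRedirect)
            throws ServiceException, AuthTokenException, IOException {
        AuthToken authToken = AuthProvider.getAuthToken(rawAuthToken);
        if (authToken == null) {
            throw new AuthTokenException("unable to get auth token from authtoken");
        }
        if (authToken.isExpired()) {
            throw new AuthTokenException("auth token expired");
        }
        boolean isAdmin = AuthToken.isAnyAdmin(authToken);
        Account account = prov.get(Provisioning.AccountBy.id, authToken.getAccountId(), authToken);
        if (account == null) {
            // A token for an account that no longer exists: report as auth failure rather than NPE in needReferral.
            String acctId = authToken.getAccountId();
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(acctId, acctId, "account not found");
        }
        if (isAdmin || !needReferral(account, referMode, isRedirect)) {
            setCookieAndRedirect(req, resp, authToken);
        } else {
            redirectToCorrectServer(req, resp, account, rawAuthToken);
        }
    }

    /**
     * {@code preauth} flow: resolve the account, verify the pre-auth key (unless the request is
     * referred to the home server, which verifies it itself), mint a token and redirect.
     *
     * @throws ServiceException AUTH_FAILED when the account is unknown, PERM_DENIED when
     *     {@code admin=1} is requested for a non-admin account, or whatever
     *     {@link Provisioning#preAuthAccount} raises for a bad key
     */
    private void handlePreAuthRequest(HttpServletRequest req, HttpServletResponse resp, Provisioning prov,
            String referMode, boolean isRedirect)
            throws ServiceException, AuthTokenException, IOException {
        String preAuth = getRequiredParam(req, PARAM_PREAUTH);
        String accountName = getRequiredParam(req, PARAM_ACCOUNT);
        String by = getOptionalParam(req, PARAM_BY, Provisioning.AccountBy.name.name());
        // admin=1 is only honoured on the admin port/interface, never on the mailbox one.
        boolean admin = "1".equals(getOptionalParam(req, PARAM_ADMIN, "0")) && isAdminRequest(req);
        long timestamp = getRequiredLongParam(req, PARAM_TIMESTAMP);
        long expires = getRequiredLongParam(req, PARAM_EXPIRES);

        // No auth token exists yet in this flow, hence the explicit null.
        Account account = prov.get(Provisioning.AccountBy.fromString(by), accountName, (AuthToken) null);
        if (account == null) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED(accountName, accountName, "account not found");
        }
        if (admin && !isAdminAccount(account)) {
            throw ServiceException.PERM_DENIED("not an admin account");
        }
        if (!admin && needReferral(account, referMode, isRedirect)) {
            redirectToCorrectServer(req, resp, account, null);
            return;
        }

        Map<String, Object> authCtxt = new HashMap<String, Object>();
        authCtxt.put(AuthContext.AC_ORIGINATING_CLIENT_IP, ZimbraServlet.getOrigIp(req));
        authCtxt.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, accountName);
        authCtxt.put(AuthContext.AC_USER_AGENT, req.getHeader(DavProtocol.HEADER_USER_AGENT));
        prov.preAuthAccount(account, accountName, by, timestamp, expires, preAuth, admin, authCtxt);

        setCookieAndRedirect(req, resp, issueAuthToken(account, expires, admin));
    }

    /** True when the account carries any of the three admin flags. */
    private static boolean isAdminAccount(Account account) {
        return account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDomainAdminAccount, false)
                || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false)
                || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDelegatedAdminAccount, false);
    }

    /**
     * Mints the token for a successful pre-auth. {@code expires == 0} selects the provider's
     * default lifetime; otherwise {@code expires} is passed through as-is.
     */
    private static AuthToken issueAuthToken(Account account, long expires, boolean admin)
            throws ServiceException, AuthTokenException {
        if (admin) {
            return expires == 0 ? AuthProvider.getAuthToken(account, admin) : AuthProvider.getAuthToken(account, expires, admin, null);
        }
        return expires == 0 ? AuthProvider.getAuthToken(account) : AuthProvider.getAuthToken(account, expires);
    }

    /**
     * Decides whether the client must be sent to the account's home server.
     *
     * @param alreadyRedirected true when the request carries {@code isredirect=1}; such a request
     *     is never referred again, which breaks referral loops between mis-configured hosts
     * @return true for refer mode {@code always}, or for {@code wronghost} when this server does
     *     not host the account
     */
    private boolean needReferral(Account account, String referMode, boolean alreadyRedirected) throws ServiceException {
        if (alreadyRedirected) {
            return false;
        }
        if (Provisioning.MAIL_REFER_MODE_ALWAYS.equals(referMode)) {
            return true;
        }
        return Provisioning.MAIL_REFER_MODE_WRONGHOST.equals(referMode) && !Provisioning.onLocalServer(account);
    }

    /**
     * Appends the request's parameters to {@code sb} as {@code name=value} pairs, one pair per
     * value, UTF-8 URL-encoded on both sides so a forwarded value cannot alter the query structure.
     *
     * @param first true when {@code sb} holds no query parameter yet (no leading {@code &})
     * @param skipPreAuthParams when true, parameters in {@link #sPreAuthParams} are not forwarded
     */
    private void addQueryParams(HttpServletRequest req, StringBuilder sb, boolean first, boolean skipPreAuthParams) {
        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (skipPreAuthParams && sPreAuthParams.contains(name)) {
                continue;
            }
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (first) {
                    first = false;
                } else {
                    sb.append('&');
                }
                sb.append(urlEncode(name)).append('=').append(urlEncode(value));
            }
        }
    }

    /** URL-encodes one query component as UTF-8. */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a charset every JVM must provide; this branch indicates a broken runtime, not bad input.
            throw new IllegalStateException("UTF-8 not supported", e);
        }
    }

    /**
     * Sends the client to the same servlet path on the account's home server.
     *
     * @param rawAuthToken the already-validated token to carry along, or null in the pre-auth
     *     flow, where the full pre-auth query is forwarded so the home server can verify it
     */
    private void redirectToCorrectServer(HttpServletRequest req, HttpServletResponse resp, Account account, String rawAuthToken)
            throws ServiceException, IOException {
        StringBuilder url = new StringBuilder();
        url.append(URLUtil.getServiceURL(Provisioning.getInstance().getServer(account), req.getRequestURI(), true));
        url.append('?').append(PARAM_ISREDIRECT).append('=').append('1');
        if (rawAuthToken != null) {
            url.append('&').append(PARAM_AUTHTOKEN).append('=').append(urlEncode(rawAuthToken));
            addQueryParams(req, url, false, true);
        } else {
            addQueryParams(req, url, false, false);
        }
        resp.sendRedirect(url.toString());
    }

    /**
     * Writes the auth cookie and redirects into the web client.
     *
     * <p>The caller-supplied {@code redirectURL} is checked with {@link #isLocalRedirectTarget}
     * before the cookie is written, so a request carrying an off-site target is refused (400)
     * without establishing a session. Without {@code redirectURL} the target is the server's
     * admin URL for admin tokens, or its mail URL plus {@code /mail}, with the remaining
     * (non pre-auth) query parameters appended.
     */
    private void setCookieAndRedirect(HttpServletRequest req, HttpServletResponse resp, AuthToken authToken)
            throws IOException, ServiceException {
        String redirectUrl = getOptionalParam(req, PARAM_REDIRECT_URL, null);
        if (redirectUrl != null && !isLocalRedirectTarget(redirectUrl, req.getServerName())) {
            ZimbraLog.account.warn("preauth: rejecting redirectURL that does not point to this server");
            throw ServiceException.INVALID_REQUEST("redirectURL must point to this server", (Throwable) null);
        }

        boolean isAdmin = AuthToken.isAnyAdmin(authToken);
        authToken.encode(resp, isAdmin, URLUtil.PROTO_HTTPS.equals(req.getScheme()));

        if (redirectUrl != null) {
            resp.sendRedirect(redirectUrl);
            return;
        }

        StringBuilder query = new StringBuilder();
        addQueryParams(req, query, true, true);
        Server server = Provisioning.getInstance().getServer(authToken.getAccount());
        String target;
        if (isAdmin) {
            target = server.getAttr(ZAttrProvisioning.A_zimbraAdminURL, DEFAULT_ADMIN_URL);
        } else {
            String mailUrl = server.getAttr(ZAttrProvisioning.A_zimbraMailURL, DEFAULT_MAIL_URL);
            // endsWith is safe for an empty attribute value, unlike charAt(length - 1).
            target = mailUrl.endsWith("/") ? mailUrl + MAIL_APP_PATH : mailUrl + "/" + MAIL_APP_PATH;
        }
        resp.sendRedirect(query.length() > 0 ? target + "?" + query : target);
    }

    /**
     * Accepts only redirect targets that stay on this server: a path-absolute reference
     * ({@code /...} with no authority, so {@code //host/...} is refused) or an http(s) URL whose
     * host equals {@code serverName}. Unparsable input, backslashes (which browsers may treat as
     * slashes), userinfo and every other scheme (e.g. {@code javascript:}) are refused.
     *
     * @param target the raw {@code redirectURL} value
     * @param serverName the host name the current request was addressed to
     */
    static boolean isLocalRedirectTarget(String target, String serverName) {
        if (target == null || target.isEmpty() || target.indexOf('\\') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return uri.getRawAuthority() == null && target.startsWith("/");
        }
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return false;
        }
        String host = uri.getHost();
        return host != null && serverName != null && host.equalsIgnoreCase(serverName) && uri.getRawUserInfo() == null;
    }
}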
