package com.zimbra.cs.service;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.mailbox.OperationContextData;
import com.zimbra.cs.service.authenticator.ClientCertAuthenticator;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/service/CertAuthServlet.class */
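/**
 * SSO entry point that authenticates the caller with a TLS client certificate.
 *
 * <p>Only a fixed set of paths is served (see {@link #allowedUrl}); anything else is
 * answered with 403. On successful authentication an auth-token cookie is set and the
 * client is redirected (both done by helpers inherited from {@code SSOServlet}, which is
 * outside this file). On failure the request is either forwarded to a configured
 * "forbidden" page, redirected to the SSO error page, or answered with a plain 403.
 */
public class CertAuthServlet extends SSOServlet {
    /**
     * Paths this servlet serves: {@code /service/certauth}, optionally followed by
     * {@code /} or {@code /admin} (with or without a trailing slash). Capture group 3
     * holds the literal {@code admin} segment when it is present.
     */
    private static final Pattern allowedUrl = Pattern.compile("^(/service/certauth)(/|/(admin)(/)?)?$");
    /** Servlet init-parameter naming the page to forward to instead of sending a bare 403. */
    private static final String MSGPAGE_FORBIDDEN = "errorpage.forbidden";
    /** Value of the {@link #MSGPAGE_FORBIDDEN} init-parameter; {@code null} when not configured. */
    private String forbiddenPage = null;

    @Override
    public void init() throws ServletException {
        super.init();
        // Deployment configuration, not request data, so it is acceptable to hand this
        // value straight to the RequestDispatcher in sendback403Message().
        this.forbiddenPage = getInitParameter(MSGPAGE_FORBIDDEN);
    }

    /**
     * Handles a certificate-auth request.
     *
     * <p>The request URI must match {@link #allowedUrl}; otherwise a 403 is sent and the
     * rejected URI is logged at error level. Whether the request is treated as an admin
     * login is derived solely from the URL path ({@code .../admin}) and is passed on to
     * {@code authorize()} (inherited, outside this file), which is expected to enforce it.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to complete
     * @throws ServletException propagated from forwarding/redirect helpers
     * @throws IOException      propagated from forwarding/redirect helpers
     */
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        ZimbraLog.clearContext();
        addRemoteIpToLoggingContext(httpServletRequest);
        addUAToLoggingContext(httpServletRequest);

        String requestURI = httpServletRequest.getRequestURI();
        Matcher matcher = allowedUrl.matcher(requestURI);
        if (!matcher.matches()) {
            // NOTE(review): the client-supplied URI is echoed into the 403 body; the
            // container's sendError() is relied upon to escape it for HTML output.
            String message = "resource not allowed on the certauth servlet: " + requestURI;
            ZimbraLog.account.error(message);
            sendback403Message(httpServletRequest, httpServletResponse, message);
            return;
        }

        // allowedUrl defines four groups, so the groupCount() guard is always satisfied;
        // it is kept as a safety net should the pattern ever be edited.
        boolean isAdminRequest = matcher.groupCount() > 3 && PreAuthServlet.PARAM_ADMIN.equals(matcher.group(3));

        try {
            SSOAuthenticator.ZimbraPrincipal principal =
                    new ClientCertAuthenticator(httpServletRequest, httpServletResponse).authenticate();
            setAuthTokenCookieAndRedirect(httpServletRequest, httpServletResponse, principal.getAccount(),
                    authorize(httpServletRequest, AuthContext.Protocol.client_certificate, principal, isAdminRequest));
        } catch (ServiceException e) {
            // The detailed auth-failure reason is kept at debug level in the server log.
            // Only e.getMessage() travels on to dispatchOnError(), and from there it may
            // reach the client as the 403 status message when no forbidden page is set.
            String reason = OperationContextData.GranteeNames.EMPTY_NAME;
            if (e instanceof AccountServiceException.AuthFailedServiceException) {
                reason = ((AccountServiceException.AuthFailedServiceException) e).getReason(", %s");
            }
            ZimbraLog.account.debug("client certificate auth failed: " + e.getMessage() + reason, e);
            dispatchOnError(httpServletRequest, httpServletResponse, isAdminRequest, e.getMessage());
        }
    }

    /**
     * POST is handled identically to GET; there is no request body to read.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to complete
     * @throws ServletException see {@link #doGet}
     * @throws IOException      see {@link #doGet}
     */
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        doGet(httpServletRequest, httpServletResponse);
    }

    /**
     * Chooses how to answer a failed certificate authentication.
     *
     * <p>When the local server does not tolerate a missing client certificate the answer
     * is an immediate 403. Otherwise the caller is redirected to the SSO error page
     * (inherited {@code redirectToErrorPage}, outside this file); if that redirect itself
     * fails, the 403 is sent as a last resort so the request is never left unanswered.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to complete
     * @param isAdminRequest      whether the request targeted the admin path
     * @param message             status message used for the 403 fallback
     */
    private void dispatchOnError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean isAdminRequest, String message) throws ServletException, IOException {
        if (!missingClientCertOK()) {
            sendback403Message(httpServletRequest, httpServletResponse, message);
            return;
        }
        try {
            redirectToErrorPage(httpServletRequest, httpServletResponse, isAdminRequest, null);
        } catch (ServiceException e) {
            ZimbraLog.account.error("failed to redirect to error page (" + message + ")", e);
            sendback403Message(httpServletRequest, httpServletResponse, message);
        }
    }

    /**
     * Sends a 403 to the client.
     *
     * <p>If a forbidden page is configured, the request is forwarded to it and nothing
     * else is written. If no page is configured, the dispatcher cannot be obtained, or the
     * forward throws, a plain {@code 403} carrying {@code message} is sent instead.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to complete
     * @param message             status message for the plain 403 fallback
     */
    private void sendback403Message(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String message) throws ServletException, IOException {
        if (this.forbiddenPage != null) {
            try {
                RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(this.forbiddenPage);
                if (dispatcher != null) {
                    dispatcher.forward(httpServletRequest, httpServletResponse);
                    return;
                }
            } catch (IOException | ServletException e) {
                // Fall through to the plain 403 rather than leave the response unanswered.
                ZimbraLog.account.warn("unable to forward to forbidden page " + this.forbiddenPage, e);
            }
        }
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, message);
    }

    /**
     * Whether a request lacking a usable client certificate may be sent to the error page
     * rather than receiving a flat 403.
     *
     * <p>True only when the local server's mail SSL client-certificate mode is
     * {@code WantClientAuth} (TLS "want" mode: a certificate is requested but not
     * required). Any failure to read the local server configuration is treated as
     * {@code false}, i.e. the servlet fails closed.
     *
     * @return {@code true} if a missing client certificate is tolerated by configuration
     */
    private boolean missingClientCertOK() {
        try {
            return Provisioning.getInstance().getLocalServer().getMailSSLClientCertMode()
                    == ZAttrProvisioning.MailSSLClientCertMode.WantClientAuth;
        } catch (ServiceException e) {
            ZimbraLog.account.debug("unable to get local server", e);
            return false;
        }
    }

    /**
     * Redirect targets issued on behalf of this servlet are not relative URLs.
     * Presumably consulted by {@code SSOServlet} when it builds redirect locations — the
     * superclass is outside this file.
     */
    @Override
    protected boolean redirectToRelativeURL() {
        return false;
    }
}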
