private static Account validateAuthTokenInternal(
Provisioning prov, AuthToken at, boolean addToLoggingContext) throws ServiceException {
if (prov == null) {
prov = Provisioning.getInstance();
}
if (at.isExpired()) {
throw ServiceException.AUTH_EXPIRED();
}
// make sure that the authenticated account is still active and has not been deleted since the
// last request
String acctId = at.getAccountId();
Account acct = prov.get(AccountBy.id, acctId, at);
if (acct == null) {
throw ServiceException.AUTH_EXPIRED("account " + acctId + " not found");
}
if (addToLoggingContext) {
ZimbraLog.addAccountNameToContext(acct.getName());
}
if (!acct.checkAuthTokenValidityValue(at)) {
throw ServiceException.AUTH_EXPIRED("invalid validity value");
}
boolean delegatedAuth = at.isDelegatedAuth();
String acctStatus = acct.getAccountStatus(prov);
if (!delegatedAuth && !Provisioning.ACCOUNT_STATUS_ACTIVE.equals(acctStatus)) {
throw ServiceException.AUTH_EXPIRED("account not active");
}
// if using delegated auth, make sure the "admin" is really an active admin account
if (delegatedAuth) {
// note that delegated auth allows access unless the account's in maintenance mode
if (Provisioning.ACCOUNT_STATUS_MAINTENANCE.equals(acctStatus)) {
throw ServiceException.AUTH_EXPIRED("delegated account in MAINTENANCE mode");
}
Account admin = prov.get(AccountBy.id, at.getAdminAccountId());
if (admin == null) {
throw ServiceException.AUTH_EXPIRED(
"delegating account " + at.getAdminAccountId() + " not found");
}
boolean isAdmin = AdminAccessControl.isAdequateAdminAccount(admin);
if (!isAdmin) {
throw ServiceException.PERM_DENIED("not an admin for delegated auth");
}
if (!Provisioning.ACCOUNT_STATUS_ACTIVE.equals(admin.getAccountStatus(prov))) {
throw ServiceException.AUTH_EXPIRED("delegating account is not active");
}
}
return acct;
}
