private static Account validateAuthTokenInternal( Provisioning prov, AuthToken at, boolean addToLoggingContext) throws ServiceException { if (prov == null) { prov = Provisioning.getInstance(); } if (at.isExpired()) { throw ServiceException.AUTH_EXPIRED(); } // make sure that the authenticated account is still active and has not been deleted since the // last request String acctId = at.getAccountId(); Account acct = prov.get(AccountBy.id, acctId, at); if (acct == null) { throw ServiceException.AUTH_EXPIRED("account " + acctId + " not found"); } if (addToLoggingContext) { ZimbraLog.addAccountNameToContext(acct.getName()); } if (!acct.checkAuthTokenValidityValue(at)) { throw ServiceException.AUTH_EXPIRED("invalid validity value"); } boolean delegatedAuth = at.isDelegatedAuth(); String acctStatus = acct.getAccountStatus(prov); if (!delegatedAuth && !Provisioning.ACCOUNT_STATUS_ACTIVE.equals(acctStatus)) { throw ServiceException.AUTH_EXPIRED("account not active"); } // if using delegated auth, make sure the "admin" is really an active admin account if (delegatedAuth) { // note that delegated auth allows access unless the account's in maintenance mode if (Provisioning.ACCOUNT_STATUS_MAINTENANCE.equals(acctStatus)) { throw ServiceException.AUTH_EXPIRED("delegated account in MAINTENANCE mode"); } Account admin = prov.get(AccountBy.id, at.getAdminAccountId()); if (admin == null) { throw ServiceException.AUTH_EXPIRED( "delegating account " + at.getAdminAccountId() + " not found"); } boolean isAdmin = AdminAccessControl.isAdequateAdminAccount(admin); if (!isAdmin) { throw ServiceException.PERM_DENIED("not an admin for delegated auth"); } if (!Provisioning.ACCOUNT_STATUS_ACTIVE.equals(admin.getAccountStatus(prov))) { throw ServiceException.AUTH_EXPIRED("delegating account is not active"); } } return acct; }