package org.apache.directory.server.core.authz;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.LdapPrincipal;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.filtering.EntryFilter;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.SchemaManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:apacheds-core-1.5.7.jar:org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.class */
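public class DefaultAuthorizationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationInterceptor.class);

    /**
     * Base under which entries are shielded from non-administrators (see {@link #init}).
     * Was a static field; kept per instance so two DirectoryService instances in one
     * JVM do not overwrite each other's normalized DNs.
     */
    private DN userBaseDn;
    /** Normalized {@code ou=groups,ou=system}; entries below it are shielded from non-administrators. */
    private DN groupBaseDn;
    /** Normalized DN of the Administrators group whose uniqueMember values define {@link #administrators}. */
    private DN adminGroupDn;

    /**
     * Normalized DNs of every uniqueMember of the Administrators group.
     * The set is never mutated in place: {@link #loadAdministrators} builds a fresh one and
     * swaps the reference, and {@code volatile} makes that swap (triggered by a modify on
     * one session) visible to requests served on other threads.
     */
    private volatile Set<String> administrators = new HashSet<String>(2);
    private PartitionNexus nexus;
    private AttributeType uniqueMemberAT;

    /** Stateless filter installed on search/list cursors; delegates to {@link #isSearchable}. */
    private final EntryFilter authorizationFilter = new EntryFilter() {
        @Override
        public boolean accept(SearchingOperationContext searchingOperationContext, ClonedServerEntry clonedServerEntry)
                throws Exception {
            return isSearchable(searchingOperationContext, clonedServerEntry);
        }
    };

    /**
     * Resolves the protected base DNs, the uniqueMember attribute type and the initial
     * administrator set from the directory schema and data.
     *
     * @param directoryService the service this interceptor is installed in
     * @throws Exception if a DN cannot be parsed/normalized or the Administrators group cannot be read
     */
    @Override
    public void init(DirectoryService directoryService) throws Exception {
        nexus = directoryService.getPartitionNexus();
        SchemaManager schemaManager = directoryService.getSchemaManager();

        // NOTE(review): the "user base" is built from ADMIN_SYSTEM_DN while the group base uses
        // GROUPS_SYSTEM_DN. If ADMIN_SYSTEM_DN is the admin user's own DN rather than a users
        // container, the isChildOf(userBaseDn) checks below only ever match entries beneath the
        // admin entry — confirm against ServerDNConstants before relying on them for ou=users.
        userBaseDn = normalized(ServerDNConstants.ADMIN_SYSTEM_DN, schemaManager);
        groupBaseDn = normalized(ServerDNConstants.GROUPS_SYSTEM_DN, schemaManager);
        adminGroupDn = normalized(ServerDNConstants.ADMINISTRATORS_GROUP_DN, schemaManager);
        uniqueMemberAT = schemaManager.lookupAttributeTypeRegistry(SchemaConstants.UNIQUE_MEMBER_AT_OID);
        loadAdministrators(directoryService);
    }

    /**
     * Parses {@code name} and normalizes it with the schema's normalizer mapping.
     *
     * @throws Exception if the DN is syntactically invalid or cannot be normalized
     */
    private static DN normalized(String name, SchemaManager schemaManager) throws Exception {
        DN dn = new DN(name);
        dn.normalize(schemaManager.getNormalizerMapping());
        return dn;
    }

    /**
     * Re-reads the Administrators group and replaces {@link #administrators} with the
     * normalized DNs of its uniqueMember values.
     *
     * <p>The lookup is performed through an internal session for the admin principal so that
     * it is not itself subject to this interceptor's checks. If the group entry does not
     * exist the current set is left untouched; if it exists but carries no uniqueMember
     * attribute the set becomes empty (only the admin principal itself is then privileged)
     * instead of failing with a NullPointerException.
     *
     * @throws Exception if a member value is not a valid DN or the lookup fails
     */
    private void loadAdministrators(DirectoryService directoryService) throws Exception {
        Set<String> admins = new HashSet<String>(2);
        SchemaManager schemaManager = directoryService.getSchemaManager();

        DN adminDn = normalized(ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED, schemaManager);
        LdapPrincipal adminPrincipal = new LdapPrincipal(adminDn, AuthenticationLevel.STRONG);
        DefaultCoreSession adminSession = new DefaultCoreSession(adminPrincipal, directoryService);
        ClonedServerEntry adminGroup = nexus.lookup(new LookupOperationContext(adminSession, adminGroupDn));
        if (adminGroup == null) {
            return;
        }

        Iterable<Value<?>> members = adminGroup.get(uniqueMemberAT);
        if (members == null) {
            LOG.warn("Administrators group {} has no uniqueMember attribute; only the admin principal is privileged",
                    adminGroupDn.getName());
        } else {
            for (Value<?> member : members) {
                admins.add(normalized(member.getString(), schemaManager).getNormName());
            }
        }
        administrators = admins;
    }

    /** Logs the denial reason and builds the exception the caller throws. */
    private static LdapNoPermissionException deny(String message) {
        LOG.error(message);
        return new LdapNoPermissionException(message);
    }

    /**
     * Refuses deletion of the root DSE, the Administrators group, the admin entry, and (for
     * non-administrators) entries below the protected bases; otherwise passes the operation on.
     * No checks are made when ACI-based access control is enabled.
     *
     * @throws LdapNoPermissionException if the caller may not delete the entry
     */
    @Override
    public void delete(NextInterceptor nextInterceptor, DeleteOperationContext deleteOperationContext)
            throws Exception {
        if (deleteOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.delete(deleteOperationContext);
            return;
        }

        DN dn = deleteOperationContext.getDn();
        DN principalDn = getPrincipal().getClonedName();

        if (dn.isEmpty()) {
            throw deny(I18n.err(I18n.ERR_12));
        }
        if (dn.getNormName().equals(adminGroupDn.getNormName())) {
            throw deny(I18n.err(I18n.ERR_13));
        }
        if (isTheAdministrator(dn)) {
            throw deny(I18n.err(I18n.ERR_14, principalDn.getName()));
        }
        // size() > 2: presumably skips the containers directly under ou=system — confirm.
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.isChildOf(userBaseDn)) {
                throw deny(I18n.err(I18n.ERR_15, principalDn.getName(), dn.getName()));
            }
            if (dn.isChildOf(groupBaseDn)) {
                throw deny(I18n.err(I18n.ERR_16, principalDn.getName(), dn.getName()));
            }
        }

        nextInterceptor.delete(deleteOperationContext);
    }

    /** True if {@code dn} is the admin principal's entry (compared in normalized form). */
    private boolean isTheAdministrator(DN dn) {
        return dn.getNormName().equals(ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED);
    }

    /** True if {@code dn} is the admin principal or a member of the Administrators group. */
    private boolean isAnAdministrator(DN dn) {
        return isTheAdministrator(dn) || administrators.contains(dn.getNormName());
    }

    /**
     * Applies {@link #protectModifyAlterations} before the modification and reloads the
     * administrator set afterwards when the Administrators group itself was modified.
     * No checks are made when ACI-based access control is enabled.
     */
    @Override
    public void modify(NextInterceptor nextInterceptor, ModifyOperationContext modifyOperationContext)
            throws Exception {
        if (modifyOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.modify(modifyOperationContext);
            return;
        }

        DN dn = modifyOperationContext.getDn();
        protectModifyAlterations(dn);
        nextInterceptor.modify(modifyOperationContext);

        // Membership may have changed; rebuild the cached set from the stored entry.
        if (dn.getNormName().equals(adminGroupDn.getNormName())) {
            loadAdministrators(modifyOperationContext.getSession().getDirectoryService());
        }
    }

    /**
     * Denies modification of the root DSE, and for callers who are neither administrators nor
     * the entry's owner, of the admin entry and of entries below the protected bases.
     *
     * @throws LdapNoPermissionException if the caller may not modify {@code dn}
     */
    private void protectModifyAlterations(DN dn) throws Exception {
        DN principalDn = getPrincipal().getClonedName();

        if (dn.isEmpty()) {
            throw deny(I18n.err(I18n.ERR_17));
        }
        // A user may always modify its own entry. NOTE(review): this compares the normalized
        // target DN with LdapPrincipal.getName(); presumably that is the normalized name — confirm,
        // otherwise self-modification is refused (fail-closed) rather than allowed.
        if (isAnAdministrator(principalDn) || dn.getNormName().equals(getPrincipal().getName())) {
            return;
        }
        if (dn.getNormName().equals(ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED)) {
            throw deny(I18n.err(I18n.ERR_18, principalDn.getName()));
        }
        if (dn.size() > 2) {
            if (dn.isChildOf(userBaseDn)) {
                throw deny(I18n.err(I18n.ERR_19, principalDn.getName(), dn.getName()));
            }
            if (dn.isChildOf(groupBaseDn)) {
                throw deny(I18n.err(I18n.ERR_20, principalDn.getName(), dn.getName()));
            }
        }
    }

    /** Applies {@link #protectDnAlterations} to the entry being renamed unless ACI access control is enabled. */
    @Override
    public void rename(NextInterceptor nextInterceptor, RenameOperationContext renameOperationContext)
            throws Exception {
        if (!renameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(renameOperationContext.getDn());
        }
        nextInterceptor.rename(renameOperationContext);
    }

    /** Applies {@link #protectDnAlterations} to the entry being moved unless ACI access control is enabled. */
    @Override
    public void move(NextInterceptor nextInterceptor, MoveOperationContext moveOperationContext) throws Exception {
        if (!moveOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(moveOperationContext.getDn());
        }
        nextInterceptor.move(moveOperationContext);
    }

    /** Applies {@link #protectDnAlterations} to the entry being moved/renamed unless ACI access control is enabled. */
    @Override
    public void moveAndRename(NextInterceptor nextInterceptor,
            MoveAndRenameOperationContext moveAndRenameOperationContext) throws Exception {
        if (!moveAndRenameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(moveAndRenameOperationContext.getDn());
        }
        nextInterceptor.moveAndRename(moveAndRenameOperationContext);
    }

    /**
     * Denies renaming/moving the root DSE, the Administrators group and the admin entry for
     * everyone, and entries below the protected bases for non-administrators. Only the
     * source DN is inspected; the destination is not checked here.
     *
     * @throws LdapNoPermissionException if the caller may not rename or move {@code dn}
     */
    private void protectDnAlterations(DN dn) throws Exception {
        DN principalDn = getPrincipal().getClonedName();

        if (dn.isEmpty()) {
            throw deny(I18n.err(I18n.ERR_234));
        }
        if (dn.getNormName().equals(adminGroupDn.getNormName())) {
            throw deny(I18n.err(I18n.ERR_21));
        }
        if (isTheAdministrator(dn)) {
            throw deny(I18n.err(I18n.ERR_22, principalDn.getName(), dn.getName()));
        }
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.isChildOf(userBaseDn)) {
                throw deny(I18n.err(I18n.ERR_23, principalDn.getName(), dn.getName()));
            }
            if (dn.isChildOf(groupBaseDn)) {
                throw deny(I18n.err(I18n.ERR_24, principalDn.getName(), dn.getName()));
            }
        }
    }

    /**
     * Performs the lookup and, when ACI access control is disabled and an entry was found,
     * applies {@link #protectLookUp} for the session's effective principal. Note that the
     * entry is fetched before the check runs; a denial surfaces as an exception, not as
     * "no such entry".
     */
    @Override
    public ClonedServerEntry lookup(NextInterceptor nextInterceptor, LookupOperationContext lookupOperationContext)
            throws Exception {
        ClonedServerEntry entry = nextInterceptor.lookup(lookupOperationContext);
        if (lookupOperationContext.getSession().getDirectoryService().isAccessControlEnabled() || entry == null) {
            return entry;
        }
        DN principalDn = lookupOperationContext.getSession().getEffectivePrincipal().getClonedName();
        protectLookUp(principalDn, lookupOperationContext.getDn());
        return entry;
    }

    /**
     * Denies a non-administrator reading entries below the protected bases, or the admin
     * entry, unless the target is the principal's own entry.
     *
     * @param principalDn normalized DN of the caller
     * @param targetDn DN of the entry being read
     * @throws LdapNoPermissionException if the caller may not read {@code targetDn}
     */
    private void protectLookUp(DN principalDn, DN targetDn) throws Exception {
        if (isAnAdministrator(principalDn)) {
            return;
        }
        boolean isOwnEntry = targetDn.getNormName().equals(principalDn.getNormName());

        if (targetDn.size() > 2) {
            if (targetDn.isChildOf(userBaseDn)) {
                if (isOwnEntry) {
                    return;
                }
                throw deny(I18n.err(I18n.ERR_25, targetDn.getName(), principalDn.getName()));
            }
            if (targetDn.isChildOf(groupBaseDn)) {
                if (isOwnEntry) {
                    return;
                }
                throw deny(I18n.err(I18n.ERR_26, targetDn.getName(), principalDn.getName()));
            }
        }
        if (isTheAdministrator(targetDn) && !isOwnEntry) {
            throw deny(I18n.err(I18n.ERR_27, principalDn.getName()));
        }
    }

    /** Runs the search and, unless ACI access control is enabled, filters results through {@link #isSearchable}. */
    @Override
    public EntryFilteringCursor search(NextInterceptor nextInterceptor, SearchOperationContext searchOperationContext)
            throws Exception {
        EntryFilteringCursor cursor = nextInterceptor.search(searchOperationContext);
        if (!searchOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            cursor.addEntryFilter(authorizationFilter);
        }
        return cursor;
    }

    /** Runs the list and, unless ACI access control is enabled, filters results through {@link #isSearchable}. */
    @Override
    public EntryFilteringCursor list(NextInterceptor nextInterceptor, ListOperationContext listOperationContext)
            throws Exception {
        EntryFilteringCursor cursor = nextInterceptor.list(listOperationContext);
        if (!listOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            cursor.addEntryFilter(authorizationFilter);
        }
        return cursor;
    }

    /**
     * Decides whether the session's effective principal may see {@code clonedServerEntry}
     * in search/list results. Administrators see everything; any user sees its own entry;
     * otherwise the admin entry and entries below the protected bases are hidden.
     *
     * <p>Side effect: normalizes the entry's DN in place if it is not yet normalized.
     * Unlike the modify/delete checks this uses a suffix match on the normalized name rather
     * than {@code isChildOf}; the two may differ at the boundaries of the protected bases.
     *
     * @return true if the entry may be returned to the caller
     */
    public boolean isSearchable(OperationContext operationContext, ClonedServerEntry clonedServerEntry)
            throws Exception {
        DN principalDn = operationContext.getSession().getEffectivePrincipal().getClonedName();
        DN dn = clonedServerEntry.getDn();
        if (!dn.isNormalized()) {
            dn.normalize(operationContext.getSession().getDirectoryService().getSchemaManager().getNormalizerMapping());
        }

        if (isAnAdministrator(principalDn) || dn.getNormName().equals(principalDn.getNormName())) {
            return true;
        }

        String normName = dn.getNormName();
        boolean underProtectedBase = dn.size() > 2
                && (normName.endsWith(userBaseDn.getNormName()) || normName.endsWith(groupBaseDn.getNormName()));
        return !underProtectedBase && !isTheAdministrator(dn);
    }
}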
