package org.apache.ldap.server.authz;

import java.text.ParseException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.ldap.common.aci.ACIItemParser;
import org.apache.ldap.common.aci.MicroOperation;
import org.apache.ldap.common.exception.LdapNamingException;
import org.apache.ldap.common.filter.ExprNode;
import org.apache.ldap.common.message.ResultCodeEnum;
import org.apache.ldap.common.name.DnParser;
import org.apache.ldap.server.DirectoryServiceConfiguration;
import org.apache.ldap.server.authn.LdapPrincipal;
import org.apache.ldap.server.authz.support.ACDFEngine;
import org.apache.ldap.server.configuration.InterceptorConfiguration;
import org.apache.ldap.server.enumeration.SearchResultFilter;
import org.apache.ldap.server.enumeration.SearchResultFilteringEnumeration;
import org.apache.ldap.server.interceptor.BaseInterceptor;
import org.apache.ldap.server.interceptor.InterceptorChain;
import org.apache.ldap.server.interceptor.NextInterceptor;
import org.apache.ldap.server.invocation.Invocation;
import org.apache.ldap.server.invocation.InvocationStack;
import org.apache.ldap.server.jndi.JavaLdapSupport;
import org.apache.ldap.server.jndi.ServerLdapContext;
import org.apache.ldap.server.partition.DirectoryPartitionNexus;
import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
import org.apache.ldap.server.schema.AttributeTypeRegistry;
import org.apache.ldap.server.schema.ConcreteNameComponentNormalizer;
import org.apache.ldap.server.subtree.SubentryService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ldap/server/authz/AuthorizationService.class */
public class AuthorizationService extends BaseInterceptor {
    // Logger for this interceptor; assigned in the static initializer.
    private static final Logger log;
    // Attribute IDs that ACI data is read from.
    private static final String ENTRYACI_ATTR = "entryACI";
    private static final String SUBENTRYACI_ATTR = "subentryACI";
    // Declared here, but the methods in this class pass the literal "accessControlSubentries" directly.
    private static final String AC_SUBENTRY_ATTR = "accessControlSubentries";
    // Micro-operation sets handed to the ACDF engine; every one is populated in the static initializer.
    private static final Collection ADD_PERMS;            // { ADD }
    private static final Collection READ_PERMS;           // { READ }
    private static final Collection COMPARE_PERMS;        // { COMPARE }
    private static final Collection SEARCH_ENTRY_PERMS;   // { BROWSE, RETURN_DN }
    private static final Collection SEARCH_ATTRVAL_PERMS; // { READ }
    private static final Collection REMOVE_PERMS;         // { REMOVE }
    private static final Collection MATCHEDNAME_PERMS;    // { DISCLOSE_ON_ERROR }
    private static final Collection BROWSE_PERMS;         // { BROWSE }
    private static final Collection LOOKUP_PERMS;         // { READ, BROWSE }
    private static final Collection REPLACE_PERMS;        // { ADD, REMOVE }
    private static final Collection RENAME_PERMS;         // { RENAME }
    private static final Collection EXPORT_PERMS;         // { EXPORT }
    private static final Collection IMPORT_PERMS;         // { IMPORT }
    private static final Collection MOVERENAME_PERMS;     // { IMPORT, EXPORT, RENAME }
    // Collaborators created or fetched in init().
    private TupleCache tupleCache;
    private GroupCache groupCache;
    private ACIItemParser aciParser;
    private ACDFEngine engine;
    private InterceptorChain chain;
    private AttributeTypeRegistry attrRegistry;
    // Master switch read from the startup configuration in init(). While false, every
    // operation in this class is forwarded without any permission check.
    private boolean enabled = false;
    // Controls passed to the filtering enumeration built by list(). The misspelled name is
    // public API and is kept as is. NOTE(review): SearchControls is mutable and this instance
    // is public and shared, so any caller can alter it for everyone.
    public static final SearchControls DEFUALT_SEARCH_CONTROLS;
    // Cache for this class's own Class object, filled by the static initializer through class$().
    static Class class$org$apache$ldap$server$authz$AuthorizationService;

    /* loaded from: input_file:org/apache/ldap/server/authz/AuthorizationService$AuthorizationFilter.class */
    /**
     * Search result filter that delegates the accept/reject decision for each
     * result to {@link AuthorizationService#filter}, after parsing the result's
     * name into a normalized DN.
     */
    class AuthorizationFilter implements SearchResultFilter {
        final DnParser parser;
        private final AuthorizationService this$0;

        /**
         * @param authorizationService the enclosing service whose attribute
         *        registry drives name normalization and whose filter() is called
         * @throws NamingException if the DN parser cannot be created
         */
        public AuthorizationFilter(AuthorizationService authorizationService) throws NamingException {
            ConcreteNameComponentNormalizer normalizer = new ConcreteNameComponentNormalizer(authorizationService.attrRegistry);
            this.parser = new DnParser(normalizer);
            this.this$0 = authorizationService;
        }

        /**
         * Parses the result name and asks the enclosing service whether the
         * caller may see the entry; the service may also strip attributes and
         * values from the result.
         */
        @Override // org.apache.ldap.server.enumeration.SearchResultFilter
        public boolean accept(Invocation invocation, SearchResult searchResult, SearchControls searchControls) throws NamingException {
            Name entryName = this.parser.parse(searchResult.getName());
            return this.this$0.filter(invocation, entryName, searchResult);
        }
    }

    /**
     * Wires up the caches, the ACI parser and the decision engine from the
     * directory service configuration, and records whether access control is
     * switched on.
     *
     * @throws NamingException if the superclass or one of the collaborators fails to initialize
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void init(DirectoryServiceConfiguration directoryServiceConfiguration, InterceptorConfiguration interceptorConfiguration) throws NamingException {
        super.init(directoryServiceConfiguration, interceptorConfiguration);

        // Caches first, in the original order.
        this.tupleCache = new TupleCache(directoryServiceConfiguration);
        this.groupCache = new GroupCache(directoryServiceConfiguration);

        // The ACI parser normalizes names through the attribute type registry.
        this.attrRegistry = directoryServiceConfiguration.getGlobalRegistries().getAttributeTypeRegistry();
        ConcreteNameComponentNormalizer normalizer = new ConcreteNameComponentNormalizer(this.attrRegistry);
        this.aciParser = new ACIItemParser(normalizer);

        this.engine = new ACDFEngine(
                directoryServiceConfiguration.getGlobalRegistries().getOidRegistry(),
                this.attrRegistry);
        this.chain = directoryServiceConfiguration.getInterceptorChain();

        // When this stays false every operation is forwarded unchecked.
        this.enabled = directoryServiceConfiguration.getStartupConfiguration().isAccessControlEnabled();
    }

    /**
     * Adds to {@code collection} the cached ACI tuples of every access control
     * subentry named in the entry's "accessControlSubentries" attribute. For an
     * entry whose objectClass contains "subentry", the parent entry is looked up
     * (bypassing interceptors) and its attribute is used instead.
     *
     * NOTE(review): an entry without an objectClass attribute makes the first
     * line throw a NullPointerException - confirm callers always supply one.
     */
    private void addPerscriptiveAciTuples(DirectoryPartitionNexusProxy directoryPartitionNexusProxy, Collection collection, Name name, Attributes attributes) throws NamingException {
        Attributes source = attributes;
        boolean isSubentry = source.get(JavaLdapSupport.OBJECTCLASS_ATTR).contains("subentry");
        if (isSubentry) {
            // Subentries are governed by the tuples that apply to their parent.
            Name parentName = (Name) name.clone();
            parentName.remove(name.size() - 1);
            source = directoryPartitionNexusProxy.lookup(parentName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        }

        Attribute subentries = source.get("accessControlSubentries");
        if (subentries != null) {
            int index = 0;
            while (index < subentries.size()) {
                String subentryDn = (String) subentries.get(index);
                collection.addAll(this.tupleCache.getACITuples(subentryDn));
                index++;
            }
        }
    }

    /**
     * Parses every value of the entry's entryACI attribute and adds the
     * resulting tuples to {@code collection}. Does nothing when the attribute
     * is absent.
     *
     * NOTE(review): the exception message embeds the raw ACI value. Whether
     * that text reaches the requesting client is not visible from here; if it
     * does, a caller without read access to entryACI could learn its content.
     * Consider keeping the value in the server log only - confirm.
     *
     * @throws NamingException (LdapNamingException, OPERATIONSERROR) when a value cannot be parsed
     */
    private void addEntryAciTuples(Collection collection, Attributes attributes) throws NamingException {
        Attribute entryAci = attributes.get(ENTRYACI_ATTR);
        if (entryAci != null) {
            int index = 0;
            while (index < entryAci.size()) {
                String aciText = (String) entryAci.get(index);
                try {
                    collection.addAll(this.aciParser.parse(aciText).toTuples());
                } catch (ParseException parseFailure) {
                    String message = "failed to parse entryACI: " + aciText;
                    log.error(message, parseFailure);
                    throw new LdapNamingException(message, ResultCodeEnum.OPERATIONSERROR);
                }
                index++;
            }
        }
    }

    /**
     * For an entry whose objectClass contains "subentry", reads the parent's
     * subentryACI attribute (bypassing interceptors), parses each value and adds
     * the tuples to {@code collection}. Other entries are left untouched.
     *
     * NOTE(review): as with entryACI, the raw ACI value is placed in the
     * exception message; confirm it cannot be relayed to an unprivileged client.
     *
     * @throws NamingException (LdapNamingException, OPERATIONSERROR) when a value cannot be parsed
     */
    private void addSubentryAciTuples(DirectoryPartitionNexusProxy directoryPartitionNexusProxy, Collection collection, Name name, Attributes attributes) throws NamingException {
        if (!attributes.get(JavaLdapSupport.OBJECTCLASS_ATTR).contains("subentry")) {
            return;
        }

        Name parentName = (Name) name.clone();
        parentName.remove(name.size() - 1);
        Attributes parentEntry = directoryPartitionNexusProxy.lookup(parentName, new String[]{SUBENTRYACI_ATTR}, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        Attribute subentryAci = parentEntry.get(SUBENTRYACI_ATTR);
        if (subentryAci == null) {
            return;
        }

        int index = 0;
        while (index < subentryAci.size()) {
            String aciText = (String) subentryAci.get(index);
            try {
                collection.addAll(this.aciParser.parse(aciText).toTuples());
            } catch (ParseException parseFailure) {
                String message = "failed to parse subentryACI: " + aciText;
                log.error(message, parseFailure);
                throw new LdapNamingException(message, ResultCodeEnum.OPERATIONSERROR);
            }
            index++;
        }
    }

    /**
     * Authorizes and forwards an add operation.
     *
     * With access control disabled the call is forwarded and nothing else
     * happens. The admin principal skips the checks. Any other caller needs ADD
     * on the entry and on every attribute value being added. After a successful
     * forward (admin or not) the tuple and group caches are told about the new
     * entry.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void add(NextInterceptor nextInterceptor, String str, Name name, Attributes attributes) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        if (!this.enabled) {
            nextInterceptor.add(str, name, attributes);
            return;
        }

        if (!principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            // The entry does not exist yet, so ask the subentry service which
            // subentries would apply, then overlay the attributes being added.
            SubentryService subentryService = (SubentryService) this.chain.get("subentryService");
            Attributes candidateEntry = subentryService.getSubentryAttributes(name, attributes);
            for (NamingEnumeration supplied = attributes.getAll(); supplied.hasMore(); ) {
                candidateEntry.put((Attribute) supplied.next());
            }

            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(invocation.getProxy(), tuples, name, candidateEntry);
            addSubentryAciTuples(invocation.getProxy(), tuples, name, candidateEntry);
            DirectoryPartitionNexusProxy proxy = invocation.getProxy();

            // Entry-level check first, then one check per attribute value.
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, ADD_PERMS, tuples, candidateEntry);
            for (NamingEnumeration supplied = attributes.getAll(); supplied.hasMore(); ) {
                Attribute current = (Attribute) supplied.next();
                for (int valueIndex = 0; valueIndex < current.size(); valueIndex++) {
                    this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, current.getID(), current.get(valueIndex), ADD_PERMS, tuples, attributes);
                }
            }
        }

        nextInterceptor.add(str, name, attributes);
        this.tupleCache.subentryAdded(str, name, attributes);
        this.groupCache.groupAdded(str, name, attributes);
    }

    /**
     * Authorizes and forwards a delete operation.
     *
     * The target entry is fetched up front (bypassing interceptors) because the
     * caches need it after the delete. With access control disabled the call is
     * forwarded only. The admin principal skips the check; anyone else needs
     * REMOVE on the entry. After a forward on the enabled path both caches are
     * notified.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void delete(NextInterceptor nextInterceptor, Name name) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        if (!this.enabled) {
            nextInterceptor.delete(name);
            return;
        }

        if (!principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, name, entry);
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, REMOVE_PERMS, tuples, entry);
        }

        nextInterceptor.delete(name);
        this.tupleCache.subentryDeleted(name, entry);
        this.groupCache.groupDeleted(name, entry);
    }

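    /**
     * Authorizes and forwards a single-operation modify.
     *
     * With access control disabled the call is forwarded only. The admin
     * principal skips the checks. Any other caller needs MODIFY on the entry
     * plus, for every attribute value in the request, the micro-operations
     * matching the modification op: 1 (add) needs ADD, 2 (replace) needs ADD and
     * REMOVE, 3 (remove) needs REMOVE. Both caches are notified after a forward
     * on the enabled path.
     *
     * An op other than 1, 2 or 3 is rejected for non-admin callers. Previously
     * the permission set stayed {@code null} for such a value and was handed to
     * the engine as is, so the outcome of the check was undefined.
     *
     * @param i the JNDI modification op (DirContext.ADD_ATTRIBUTE = 1,
     *        REPLACE_ATTRIBUTE = 2, REMOVE_ATTRIBUTE = 3)
     * @throws NamingException if a permission check fails, the op is not
     *         recognized, or the forwarded operation fails
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, Name name, int i, Attributes attributes) throws NamingException {
        Invocation peek = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = peek.getProxy();
        Attributes lookup = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = peek.getCaller().getPrincipal();
        if (!this.enabled) {
            nextInterceptor.modify(name, i, attributes);
            return;
        }
        if (!principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            // Resolve the per-value permission set before any check so an
            // unknown op fails closed instead of reaching the engine as null.
            Collection valuePerms;
            switch (i) {
                case 1:
                    valuePerms = ADD_PERMS;
                    break;
                case 2:
                    valuePerms = REPLACE_PERMS;
                    break;
                case 3:
                    valuePerms = REMOVE_PERMS;
                    break;
                default:
                    throw new LdapNamingException("unsupported modification operation: " + i, ResultCodeEnum.OPERATIONSERROR);
            }
            Set groups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, lookup);
            addEntryAciTuples(tuples, lookup);
            addSubentryAciTuples(proxy, tuples, name, lookup);
            // Entry-level MODIFY first, then one check per attribute value.
            this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, Collections.singleton(MicroOperation.MODIFY), tuples, lookup);
            NamingEnumeration all = attributes.getAll();
            while (all.hasMore()) {
                Attribute attribute = (Attribute) all.next();
                for (int i2 = 0; i2 < attribute.size(); i2++) {
                    this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, attribute.getID(), attribute.get(i2), valuePerms, tuples, lookup);
                }
            }
        }
        nextInterceptor.modify(name, i, attributes);
        this.tupleCache.subentryModified(name, i, attributes, lookup);
        this.groupCache.groupModified(name, i, attributes, lookup);
    }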

    /* JADX WARN: Failed to find 'out' block for switch in B:14:0x00ce. Please report as an issue. */
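    /**
     * Authorizes and forwards a multi-item modify.
     *
     * With access control disabled the call is forwarded only. The admin
     * principal skips the checks. Any other caller needs MODIFY on the entry
     * plus, for every value of every modification item, the micro-operations
     * matching that item's op: 1 (add) needs ADD, 2 (replace) needs ADD and
     * REMOVE, 3 (remove) needs REMOVE. Both caches are notified after a forward
     * on the enabled path.
     *
     * An item whose op is not 1, 2 or 3 is rejected for non-admin callers.
     * Previously such an item was checked against whatever permission set the
     * preceding item had selected, or against {@code null} when it came first.
     *
     * @throws NamingException if a permission check fails, an item carries an
     *         unrecognized op, or the forwarded operation fails
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, Name name, ModificationItem[] modificationItemArr) throws NamingException {
        Invocation peek = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = peek.getProxy();
        Attributes lookup = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = peek.getCaller().getPrincipal();
        if (!this.enabled) {
            nextInterceptor.modify(name, modificationItemArr);
            return;
        }
        if (!principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            Set groups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, lookup);
            addEntryAciTuples(tuples, lookup);
            addSubentryAciTuples(proxy, tuples, name, lookup);
            this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, Collections.singleton(MicroOperation.MODIFY), tuples, lookup);
            for (int i = 0; i < modificationItemArr.length; i++) {
                // Scoped per item so no permission set can carry over from the
                // previous item; an unknown op fails closed.
                Collection valuePerms;
                int op = modificationItemArr[i].getModificationOp();
                switch (op) {
                    case 1:
                        valuePerms = ADD_PERMS;
                        break;
                    case 2:
                        valuePerms = REPLACE_PERMS;
                        break;
                    case 3:
                        valuePerms = REMOVE_PERMS;
                        break;
                    default:
                        throw new LdapNamingException("unsupported modification operation: " + op, ResultCodeEnum.OPERATIONSERROR);
                }
                Attribute attribute = modificationItemArr[i].getAttribute();
                for (int i2 = 0; i2 < attribute.size(); i2++) {
                    this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, attribute.getID(), attribute.get(i2), valuePerms, tuples, lookup);
                }
            }
        }
        nextInterceptor.modify(name, modificationItemArr);
        this.tupleCache.subentryModified(name, modificationItemArr, lookup);
        this.groupCache.groupModified(name, modificationItemArr, lookup);
    }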

    /**
     * Forwards an existence test after checking that the caller holds BROWSE on
     * the entry. The admin principal, and every caller while access control is
     * disabled, skip the check. The entry is looked up (bypassing interceptors)
     * before any of this, so a failing lookup surfaces first.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public boolean hasEntry(NextInterceptor nextInterceptor, Name name) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();

        boolean mustCheck = !principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) && this.enabled;
        if (mustCheck) {
            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, name, entry);
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, BROWSE_PERMS, tuples, entry);
        }
        return nextInterceptor.hasEntry(name);
    }

    /**
     * Shared check for both lookup variants: requires READ and BROWSE on the
     * entry, then READ on every value of every attribute in {@code attributes}.
     * Any denied check makes the engine throw.
     */
    private void checkLookupAccess(LdapPrincipal ldapPrincipal, Name name, Attributes attributes) throws NamingException {
        DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
        Set userGroups = this.groupCache.getGroups(ldapPrincipal.getName());

        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, name, attributes);
        addEntryAciTuples(tuples, attributes);
        addSubentryAciTuples(proxy, tuples, name, attributes);

        // Entry-level permission.
        this.engine.checkPermission(proxy, userGroups, ldapPrincipal.getJndiName(), ldapPrincipal.getAuthenticationLevel(), name, null, null, LOOKUP_PERMS, tuples, attributes);

        // Value-level permission for everything stored in the entry.
        for (NamingEnumeration stored = attributes.getAll(); stored.hasMore(); ) {
            Attribute current = (Attribute) stored.next();
            for (int valueIndex = 0; valueIndex < current.size(); valueIndex++) {
                this.engine.checkPermission(proxy, userGroups, ldapPrincipal.getJndiName(), ldapPrincipal.getAuthenticationLevel(), name, current.getID(), current.get(valueIndex), READ_PERMS, tuples, attributes);
            }
        }
    }

    /**
     * Forwards a lookup restricted to the requested attribute IDs. Unless the
     * caller is the admin principal or access control is disabled,
     * checkLookupAccess is run against the complete stored entry first, not
     * just the requested attributes.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, Name name, String[] strArr) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        Attributes storedEntry = invocation.getProxy().lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();

        boolean mustCheck = !principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) && this.enabled;
        if (mustCheck) {
            checkLookupAccess(principal, name, storedEntry);
        }
        return nextInterceptor.lookup(name, strArr);
    }

    /**
     * Forwards a full-entry lookup. Unless the caller is the admin principal or
     * access control is disabled, checkLookupAccess is run against the stored
     * entry first.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, Name name) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        Attributes storedEntry = invocation.getProxy().lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();

        boolean mustCheck = !principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) && this.enabled;
        if (mustCheck) {
            checkLookupAccess(principal, name, storedEntry);
        }
        return nextInterceptor.lookup(name);
    }

    /**
     * Authorizes and forwards a rename that keeps the entry under its parent.
     *
     * With access control disabled the call is forwarded only. The admin
     * principal skips the check; anyone else needs RENAME on the entry. After a
     * forward on the enabled path both caches are told the old and new names.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modifyRn(NextInterceptor nextInterceptor, Name name, String str, boolean z) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();

        // New name = same parent, last component replaced by the new RDN.
        Name renamed = (Name) name.clone();
        renamed.remove(name.size() - 1);
        renamed.add(str);

        if (!this.enabled) {
            nextInterceptor.modifyRn(name, str, z);
            return;
        }

        if (!principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, name, entry);
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, RENAME_PERMS, tuples, entry);
        }

        nextInterceptor.modifyRn(name, str, z);
        this.tupleCache.subentryRenamed(name, renamed);
        this.groupCache.groupRenamed(name, renamed);
    }

    /**
     * Authorizes and forwards a move combined with a rename: {@code name} is the
     * current name, {@code name2} the new parent and {@code str} the new RDN.
     *
     * With access control disabled the call is forwarded only. The admin
     * principal skips the checks. Any other caller is checked for IMPORT,
     * EXPORT and RENAME, then for IMPORT again; both checks use the tuples and
     * name of the entry at its current location. Both caches are notified after
     * a forward on the enabled path.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, Name name, Name name2, String str, boolean z) throws NamingException {
        Invocation peek = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = peek.getProxy();
        Attributes lookup = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = peek.getCaller().getPrincipal();
        // name3 = new parent + new RDN; it is only handed to the caches below.
        Name name3 = (Name) name2.clone();
        name3.add(str);
        if (!this.enabled) {
            nextInterceptor.move(name, name2, str, z);
            return;
        }
        if (principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            nextInterceptor.move(name, name2, str, z);
            this.tupleCache.subentryRenamed(name, name3);
            this.groupCache.groupRenamed(name, name3);
            return;
        }
        Set groups = this.groupCache.getGroups(principal.getName());
        HashSet hashSet = new HashSet();
        addPerscriptiveAciTuples(proxy, hashSet, name, lookup);
        addEntryAciTuples(hashSet, lookup);
        addSubentryAciTuples(proxy, hashSet, name, lookup);
        this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, MOVERENAME_PERMS, hashSet, lookup);
        // NOTE(review): hashSet2 is filled from the same source name and entry as
        // hashSet and is never read; the IMPORT check below is passed hashSet and
        // name. The destination (name2 / name3) therefore plays no part in the
        // decision. If IMPORT is meant to be granted by the access control data
        // governing the new location, this check does not enforce that - confirm
        // the intent and build the tuples for the destination.
        HashSet hashSet2 = new HashSet();
        addPerscriptiveAciTuples(proxy, hashSet2, name, lookup);
        addEntryAciTuples(hashSet2, lookup);
        addSubentryAciTuples(proxy, hashSet2, name, lookup);
        this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, IMPORT_PERMS, hashSet, lookup);
        nextInterceptor.move(name, name2, str, z);
        this.tupleCache.subentryRenamed(name, name3);
        this.groupCache.groupRenamed(name, name3);
    }

    /**
     * Authorizes and forwards a move that keeps the RDN: {@code name} is the
     * current name and {@code name2} the new parent.
     *
     * With access control disabled the call is forwarded only. The admin
     * principal skips the checks. Any other caller is checked for EXPORT and
     * then for IMPORT; both checks use the tuples and name of the entry at its
     * current location. Both caches are notified after a forward on the enabled
     * path.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, Name name, Name name2) throws NamingException {
        Invocation peek = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = peek.getProxy();
        Attributes lookup = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        // name3 = new parent + current RDN; it is only handed to the caches below.
        Name name3 = (Name) name2.clone();
        name3.add(name.get(name.size() - 1));
        LdapPrincipal principal = peek.getCaller().getPrincipal();
        if (!this.enabled) {
            nextInterceptor.move(name, name2);
            return;
        }
        if (principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL)) {
            nextInterceptor.move(name, name2);
            this.tupleCache.subentryRenamed(name, name3);
            this.groupCache.groupRenamed(name, name3);
            return;
        }
        Set groups = this.groupCache.getGroups(principal.getName());
        HashSet hashSet = new HashSet();
        addPerscriptiveAciTuples(proxy, hashSet, name, lookup);
        addEntryAciTuples(hashSet, lookup);
        addSubentryAciTuples(proxy, hashSet, name, lookup);
        this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, EXPORT_PERMS, hashSet, lookup);
        // NOTE(review): hashSet2 is filled from the same source name and entry as
        // hashSet and is never read; the IMPORT check below is passed hashSet and
        // name. The destination (name2 / name3) therefore plays no part in the
        // decision. If IMPORT is meant to be granted by the access control data
        // governing the new location, this check does not enforce that - confirm
        // the intent and build the tuples for the destination.
        HashSet hashSet2 = new HashSet();
        addPerscriptiveAciTuples(proxy, hashSet2, name, lookup);
        addEntryAciTuples(hashSet2, lookup);
        addSubentryAciTuples(proxy, hashSet2, name, lookup);
        this.engine.checkPermission(proxy, groups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, IMPORT_PERMS, hashSet, lookup);
        nextInterceptor.move(name, name2);
        this.tupleCache.subentryRenamed(name, name3);
        this.groupCache.groupRenamed(name, name3);
    }

    /**
     * Lists the children of {@code name}. The forwarded call always runs first.
     * For the admin principal, or while access control is disabled, its result
     * is returned as is; otherwise it is wrapped so that each result passes
     * through an AuthorizationFilter.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public NamingEnumeration list(NextInterceptor nextInterceptor, Name name) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        NamingEnumeration unfiltered = nextInterceptor.list(name);

        boolean bypass = principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) || !this.enabled;
        return bypass
                ? unfiltered
                : new SearchResultFilteringEnumeration(unfiltered, DEFUALT_SEARCH_CONTROLS, invocation, new AuthorizationFilter(this));
    }

    /**
     * Runs the forwarded search, then returns its result as is for the admin
     * principal or while access control is disabled. For every other caller the
     * result is wrapped so that each entry passes through an
     * AuthorizationFilter. The search itself is not restricted here; filtering
     * is applied to the results afterwards.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public NamingEnumeration search(NextInterceptor nextInterceptor, Name name, Map map, ExprNode exprNode, SearchControls searchControls) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        NamingEnumeration unfiltered = nextInterceptor.search(name, map, exprNode, searchControls);

        if (principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) || !this.enabled) {
            return unfiltered;
        }
        return new SearchResultFilteringEnumeration(unfiltered, searchControls, invocation, new AuthorizationFilter(this));
    }

    /**
     * Forwards a compare after checking that the caller holds READ on the entry
     * and COMPARE on the attribute/value pair being tested. The admin
     * principal, and every caller while access control is disabled, skip both
     * checks.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public boolean compare(NextInterceptor nextInterceptor, Name name, String str, Object obj) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();

        boolean mustCheck = !principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) && this.enabled;
        if (mustCheck) {
            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, name, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, name, entry);
            // Entry level, then the specific attribute value.
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, null, null, READ_PERMS, tuples, entry);
            this.engine.checkPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), name, str, obj, COMPARE_PERMS, tuples, entry);
        }
        return nextInterceptor.compare(name, str, obj);
    }

    /**
     * Returns the matched name reported by the next interceptor, trimmed for
     * callers other than the admin principal while access control is enabled:
     * components are removed from the end until the caller holds
     * DISCLOSE_ON_ERROR on the remaining name, or the name is empty. This keeps
     * an error response from confirming the existence of ancestors the caller
     * may not learn about.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public Name getMatchedName(NextInterceptor nextInterceptor, Name name, boolean z) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        if (principal.getName().equalsIgnoreCase(DirectoryPartitionNexus.ADMIN_PRINCIPAL) || !this.enabled) {
            return nextInterceptor.getMatchedName(name, z);
        }

        Name candidate = nextInterceptor.getMatchedName(name, z);
        while (candidate.size() > 0) {
            // The bypass set depends on whether the caller asked for the normalized form.
            Attributes entry;
            if (z) {
                entry = proxy.lookup(candidate, DirectoryPartitionNexusProxy.GETMATCHEDDN_BYPASS);
            } else {
                entry = proxy.lookup(candidate, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
            }

            Set userGroups = this.groupCache.getGroups(principal.getName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, candidate, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, candidate, entry);

            boolean mayDisclose = this.engine.hasPermission(proxy, userGroups, principal.getJndiName(), principal.getAuthenticationLevel(), candidate, null, null, MATCHEDNAME_PERMS, tuples, entry);
            if (mayDisclose) {
                return candidate;
            }
            // Not disclosable: fall back to the parent and try again.
            candidate.remove(candidate.size() - 1);
        }
        return candidate;
    }

    /**
     * Registers a newly created group entry with the group cache. No permission
     * check is made here; the arguments are passed straight to
     * {@code groupCache.groupAdded}.
     */
    public void cacheNewGroup(String str, Name name, Attributes attributes) throws NamingException {
        final GroupCache cache = this.groupCache;
        cache.groupAdded(str, name, attributes);
    }

    /* JADX INFO: Access modifiers changed from: private */
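    /**
     * Decides whether a search/list result may be returned to the caller and
     * strips what the caller may not read.
     *
     * The entry is rejected unless the caller holds BROWSE and RETURN_DN on it.
     * Otherwise each returned attribute is removed unless READ is granted for
     * the attribute type, and each remaining value is removed unless READ is
     * granted for that value. An attribute left with no values is removed too.
     *
     * Fixes over the previous version:
     * - Removing the value at index 0 advanced the index anyway, so the value
     *   that moved into slot 0 was never checked and could be returned without
     *   READ permission. The index now advances only when a value is kept.
     * - The empty-attribute cleanup sat in the branch that had already removed
     *   the attribute, so it never had any effect; it now runs after value
     *   filtering.
     * - Attribute IDs are copied before the loop so removing an attribute
     *   cannot disturb the enumeration being walked.
     *
     * NOTE(review): groups are looked up by the principal's JNDI name here,
     * while the other methods in this class use principal.getName(); confirm
     * both yield the key the group cache expects.
     *
     * @return {@code false} when the entry must be dropped from the results
     * @throws NamingException if a lookup, ACI parse or permission evaluation fails
     */
    public boolean filter(Invocation invocation, Name name, SearchResult searchResult) throws NamingException {
        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
        Attributes lookup = proxy.lookup(name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS);
        ServerLdapContext caller = invocation.getCaller();
        Name jndiName = caller.getPrincipal().getJndiName();
        Set groups = this.groupCache.getGroups(jndiName.toString());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, name, lookup);
        addEntryAciTuples(tuples, lookup);
        addSubentryAciTuples(proxy, tuples, name, lookup);
        if (!this.engine.hasPermission(proxy, groups, jndiName, caller.getPrincipal().getAuthenticationLevel(), name, null, null, SEARCH_ENTRY_PERMS, tuples, lookup)) {
            return false;
        }

        Attributes returned = searchResult.getAttributes();

        // Snapshot the IDs first; attributes are removed while we iterate.
        HashSet idSnapshot = new HashSet();
        NamingEnumeration iDs = returned.getIDs();
        while (iDs.hasMore()) {
            idSnapshot.add(iDs.next());
        }
        Object[] ids = idSnapshot.toArray();

        for (int k = 0; k < ids.length; k++) {
            Attribute attribute = returned.get((String) ids[k]);
            if (attribute == null) {
                continue;
            }

            // Attribute-type scope: without READ the whole attribute goes.
            if (!this.engine.hasPermission(proxy, groups, jndiName, caller.getPrincipal().getAuthenticationLevel(), name, attribute.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, lookup)) {
                returned.remove(attribute.getID());
                continue;
            }

            // Value scope: after a removal the next value slides into slot i,
            // so the index only moves on when the current value is kept.
            int i = 0;
            while (i < attribute.size()) {
                if (this.engine.hasPermission(proxy, groups, jndiName, caller.getPrincipal().getAuthenticationLevel(), name, attribute.getID(), attribute.get(i), SEARCH_ATTRVAL_PERMS, tuples, lookup)) {
                    i++;
                } else {
                    attribute.remove(i);
                }
            }

            // Do not return an attribute whose every value was filtered out.
            if (attribute.size() == 0) {
                returned.remove(attribute.getID());
            }
        }
        return true;
    }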

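    /**
     * Loads a class by name, converting a failed lookup into a
     * {@link NoClassDefFoundError} that keeps the original exception as its
     * cause. The static initializer uses it to obtain this class's own Class
     * object for the logger.
     *
     * The previous form threw the result of {@code initCause(...)} directly;
     * that expression has static type {@code Throwable}, which this method does
     * not declare, so it did not compile as written.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }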

    // Static setup: resolves the logger and builds the immutable micro-operation
    // sets that the interceptor methods pass to the ACDF engine.
    static {
        // Reuse the cached Class object when present, otherwise load and cache it.
        Class serviceClass = class$org$apache$ldap$server$authz$AuthorizationService;
        if (serviceClass == null) {
            serviceClass = class$("org.apache.ldap.server.authz.AuthorizationService");
            class$org$apache$ldap$server$authz$AuthorizationService = serviceClass;
        }
        log = LoggerFactory.getLogger(serviceClass);

        // Multi-operation sets, wrapped so they cannot be modified afterwards.
        HashSet searchEntryOps = new HashSet(2);
        searchEntryOps.add(MicroOperation.BROWSE);
        searchEntryOps.add(MicroOperation.RETURN_DN);
        SEARCH_ENTRY_PERMS = Collections.unmodifiableCollection(searchEntryOps);

        HashSet lookupOps = new HashSet(2);
        lookupOps.add(MicroOperation.READ);
        lookupOps.add(MicroOperation.BROWSE);
        LOOKUP_PERMS = Collections.unmodifiableCollection(lookupOps);

        // A replace is authorized as an add plus a remove.
        HashSet replaceOps = new HashSet(2);
        replaceOps.add(MicroOperation.ADD);
        replaceOps.add(MicroOperation.REMOVE);
        REPLACE_PERMS = Collections.unmodifiableCollection(replaceOps);

        HashSet moveRenameOps = new HashSet(3);
        moveRenameOps.add(MicroOperation.IMPORT);
        moveRenameOps.add(MicroOperation.EXPORT);
        moveRenameOps.add(MicroOperation.RENAME);
        MOVERENAME_PERMS = Collections.unmodifiableCollection(moveRenameOps);

        // Single-operation sets.
        SEARCH_ATTRVAL_PERMS = Collections.singleton(MicroOperation.READ);
        ADD_PERMS = Collections.singleton(MicroOperation.ADD);
        READ_PERMS = Collections.singleton(MicroOperation.READ);
        COMPARE_PERMS = Collections.singleton(MicroOperation.COMPARE);
        REMOVE_PERMS = Collections.singleton(MicroOperation.REMOVE);
        MATCHEDNAME_PERMS = Collections.singleton(MicroOperation.DISCLOSE_ON_ERROR);
        BROWSE_PERMS = Collections.singleton(MicroOperation.BROWSE);
        RENAME_PERMS = Collections.singleton(MicroOperation.RENAME);
        EXPORT_PERMS = Collections.singleton(MicroOperation.EXPORT);
        IMPORT_PERMS = Collections.singleton(MicroOperation.IMPORT);

        DEFUALT_SEARCH_CONTROLS = new SearchControls();
    }
}
