package org.apache.directory.server.core.authz;

import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.directory.SearchControls;
import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.ServerEntryUtils;
import org.apache.directory.server.core.filtering.EntryFilter;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.InterceptorChain;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.interceptor.context.CompareOperationContext;
import org.apache.directory.server.core.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.interceptor.context.EntryOperationContext;
import org.apache.directory.server.core.interceptor.context.GetMatchedNameOperationContext;
import org.apache.directory.server.core.interceptor.context.GetRootDSEOperationContext;
import org.apache.directory.server.core.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.partition.ByPassConstants;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Modification;
import org.apache.directory.shared.ldap.entry.ModificationOperation;
import org.apache.directory.shared.ldap.entry.ServerEntry;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.exception.LdapOperationErrorException;
import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.SchemaManager;
import org.apache.directory.shared.ldap.schema.normalizers.ConcreteNameComponentNormalizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authz/AciAuthorizationInterceptor.class */
public class AciAuthorizationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(AciAuthorizationInterceptor.class);
    // Attribute name resolved to acSubentryType in init(); its values are later passed to TupleCache.getACITuples.
    private static final String AC_SUBENTRY_ATTR = "accessControlSubentries";
    // Micro-operation sets passed to ACDFEngine.checkPermission as the required permissions for an
    // operation. They are declared without initializers here; the assignments are not in this part
    // of the file (presumably a static initializer further down).
    private static final Collection<MicroOperation> ADD_PERMS;
    private static final Collection<MicroOperation> READ_PERMS;
    private static final Collection<MicroOperation> COMPARE_PERMS;
    private static final Collection<MicroOperation> SEARCH_ENTRY_PERMS;
    private static final Collection<MicroOperation> SEARCH_ATTRVAL_PERMS;
    private static final Collection<MicroOperation> REMOVE_PERMS;
    private static final Collection<MicroOperation> MATCHEDNAME_PERMS;
    private static final Collection<MicroOperation> BROWSE_PERMS;
    private static final Collection<MicroOperation> LOOKUP_PERMS;
    private static final Collection<MicroOperation> REPLACE_PERMS;
    private static final Collection<MicroOperation> RENAME_PERMS;
    private static final Collection<MicroOperation> EXPORT_PERMS;
    private static final Collection<MicroOperation> IMPORT_PERMS;
    private static final Collection<MicroOperation> MOVERENAME_PERMS;
    // Source of the ACI tuples attached to access-control subentries; also notified of entry changes.
    private TupleCache tupleCache;
    // Answers group-membership and "is administrator" questions; also notified of entry changes.
    private GroupCache groupCache;
    // Parses entryACI / subentryACI attribute values into ACI items.
    private ACIItemParser aciParser;
    // Decision engine: every permission check in this class goes through engine.checkPermission.
    private ACDFEngine engine;
    // Interceptor chain, used to reach the SubentryInterceptor by class name.
    private InterceptorChain chain;
    private SchemaManager schemaManager;
    // Normalized DN of the subschema subentry, read from the root DSE in init(); search() skips filtering for it.
    private String subschemaSubentryDn;
    private AttributeType objectClassType;
    private AttributeType acSubentryType;
    // OID of the "subentry" object class, resolved in init().
    private String subentryOid;
    // Attribute types looked up in init() by OID 2.5.24.5 (entryAciType) and 2.5.24.6 (subentryAciType).
    private AttributeType entryAciType;
    private AttributeType subentryAciType;
    // Assigned outside this part of the file.
    public static final SearchControls DEFAULT_SEARCH_CONTROLS;

    /* renamed from: org.apache.directory.server.core.authz.AciAuthorizationInterceptor$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/directory/server/core/authz/AciAuthorizationInterceptor$1.class */
    /**
     * Compiler-generated switch map, recovered by the decompiler, that lets modify() switch on a
     * ModificationOperation value: the array is indexed by the enum ordinal and holds the case label
     * (1 = ADD_ATTRIBUTE, 2 = REMOVE_ATTRIBUTE, 3 = REPLACE_ATTRIBUTE). Slots for any other constant
     * stay 0 and therefore match no case.
     */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$directory$shared$ldap$entry$ModificationOperation = new int[ModificationOperation.values().length];

        static {
            // Each constant is registered in its own try block so that a constant missing at run time
            // (NoSuchFieldError) leaves only its own slot unset instead of aborting the initializer.
            try {
                $SwitchMap$org$apache$directory$shared$ldap$entry$ModificationOperation[ModificationOperation.ADD_ATTRIBUTE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$entry$ModificationOperation[ModificationOperation.REMOVE_ATTRIBUTE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$entry$ModificationOperation[ModificationOperation.REPLACE_ATTRIBUTE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* loaded from: input_file:org/apache/directory/server/core/authz/AciAuthorizationInterceptor$AuthorizationFilter.class */
    /**
     * Entry filter that list() and search() attach to the result cursor for callers that are
     * subject to access control. Each candidate entry is passed to the enclosing interceptor's
     * {@code filter} method, whose boolean result is returned unchanged.
     */
    class AuthorizationFilter implements EntryFilter {
        AuthorizationFilter() {
        }

        /**
         * Normalizes the candidate entry's DN with the schema manager's normalizer mapping and
         * delegates the decision to the enclosing interceptor.
         *
         * @param searchingOperationContext the list/search operation being served
         * @param clonedServerEntry the candidate result entry
         * @return the result of the enclosing interceptor's {@code filter} call
         * @throws Exception whatever normalization or the delegate throws
         */
        public boolean accept(SearchingOperationContext searchingOperationContext, ClonedServerEntry clonedServerEntry) throws Exception {
            AciAuthorizationInterceptor owner = AciAuthorizationInterceptor.this;
            return owner.filter(
                    searchingOperationContext,
                    clonedServerEntry.getDn().normalize(owner.schemaManager.getNormalizerMapping()),
                    clonedServerEntry);
        }
    }

    /**
     * Initializes the interceptor: builds the tuple and group caches, resolves the schema objects
     * used during authorization, creates the ACI parser and decision engine, and records the
     * normalized DN of the subschema subentry advertised by the root DSE.
     *
     * <p>Both caches are created with a session whose principal is the hard-coded admin DN at
     * authentication level STRONG. The same DN literal is compared against in
     * isTheAdministrator(); the two must stay in step.
     *
     * @param directoryService the directory service this interceptor belongs to
     * @throws Exception if the superclass initialization or any schema or root DSE lookup fails
     */
    public void init(DirectoryService directoryService) throws Exception {
        super.init(directoryService);

        // Session the caches are built with: the admin principal at STRONG level.
        DN adminDn = new DN("0.9.2342.19200300.100.1.1=admin,2.5.4.11=system");
        adminDn.normalize(directoryService.getSchemaManager().getNormalizerMapping());
        LdapPrincipal adminPrincipal = new LdapPrincipal(adminDn, AuthenticationLevel.STRONG);
        DefaultCoreSession adminSession = new DefaultCoreSession(adminPrincipal, directoryService);
        this.tupleCache = new TupleCache(adminSession);
        this.groupCache = new GroupCache(adminSession);

        // Schema objects consulted on every authorization decision.
        this.schemaManager = directoryService.getSchemaManager();
        String objectClassOid = this.schemaManager.getAttributeTypeRegistry().getOidByName("objectClass");
        this.subentryOid = this.schemaManager.getObjectClassRegistry().getOidByName("subentry");
        String acSubentryOid = this.schemaManager.getAttributeTypeRegistry().getOidByName(AC_SUBENTRY_ATTR);
        this.objectClassType = this.schemaManager.lookupAttributeTypeRegistry(objectClassOid);
        this.acSubentryType = this.schemaManager.lookupAttributeTypeRegistry(acSubentryOid);
        this.entryAciType = this.schemaManager.lookupAttributeTypeRegistry("2.5.24.5");
        this.subentryAciType = this.schemaManager.lookupAttributeTypeRegistry("2.5.24.6");

        this.aciParser = new ACIItemParser(
                new ConcreteNameComponentNormalizer(this.schemaManager),
                this.schemaManager.getNormalizerMapping());
        this.engine = new ACDFEngine(this.schemaManager.getGlobalOidRegistry(), this.schemaManager);
        this.chain = directoryService.getInterceptorChain();

        // search() exempts this DN from result filtering, so it is kept in normalized form.
        String subschemaDnText = directoryService.getPartitionNexus().getRootDSE((GetRootDSEOperationContext) null).get("subschemaSubentry").get().getString();
        DN subschemaDn = new DN(subschemaDnText);
        subschemaDn.normalize(this.schemaManager.getNormalizerMapping());
        this.subschemaSubentryDn = subschemaDn.getNormName();
    }

    /**
     * Rejects operations that target the root DSE (empty DN) or the admin entry.
     *
     * <p>delete(), rename(), move() and moveAndRename() call this before their administrator
     * check, so the refusal applies to administrators as well.
     *
     * @param dn the DN of the entry the operation targets
     * @throws LdapNoPermissionException if {@code dn} is empty or is the admin DN
     * @throws Exception if the current principal cannot be obtained
     */
    private void protectCriticalEntries(DN dn) throws Exception {
        // Fetched up front, as before; it is only used in the second error message.
        final DN principalDn = getPrincipal().getClonedName();

        if (dn.isEmpty()) {
            final String message = I18n.err(I18n.ERR_8, new Object[0]);
            LOG.error(message);
            throw new LdapNoPermissionException(message);
        }

        if (isTheAdministrator(dn)) {
            final Object[] messageArgs = new Object[]{principalDn.getName(), dn.getName()};
            final String message = I18n.err(I18n.ERR_9, messageArgs);
            LOG.error(message);
            throw new LdapNoPermissionException(message);
        }
    }

    /**
     * Adds to {@code collection} the ACI tuples of every access-control subentry that governs the
     * given entry, as listed in the entry's accessControlSubentries attribute.
     *
     * <p>If the entry is itself a subentry (objectClass contains "subentry" or the subentry OID),
     * the attribute is read from its parent entry instead, which is fetched with LOOKUP_BYPASS.
     *
     * <p>NOTE(review): there is no null guard on {@code serverEntry} or on its objectClass
     * attribute; either being null makes this method throw before any tuple is collected.
     *
     * @param operationContext context used to look up the parent entry
     * @param collection receives the tuples
     * @param dn DN of the entry being authorized
     * @param serverEntry the entry being authorized
     * @throws Exception if the parent lookup or the tuple cache fails
     */
    private void addPerscriptiveAciTuples(OperationContext operationContext, Collection<ACITuple> collection, DN dn, ServerEntry serverEntry) throws Exception {
        // For a cloned entry, the object classes are read from the original entry.
        EntryAttribute objectClasses;
        if (serverEntry instanceof ClonedServerEntry) {
            objectClasses = ((ClonedServerEntry) serverEntry).getOriginalEntry().get(this.objectClassType);
        } else {
            objectClasses = serverEntry.get(this.objectClassType);
        }

        ServerEntry governedEntry = serverEntry;
        boolean isSubentry = objectClasses.contains(new String[]{"subentry"})
                || objectClasses.contains(new String[]{this.subentryOid});
        if (isSubentry) {
            // A subentry is governed through its parent: drop the last RDN and look that entry up.
            DN parentDn = (DN) dn.clone();
            parentDn.remove(dn.size() - 1);
            governedEntry = operationContext.lookup(parentDn, ByPassConstants.LOOKUP_BYPASS);
        }

        EntryAttribute acSubentries = governedEntry.get(this.acSubentryType);
        if (acSubentries != null) {
            for (Iterator values = acSubentries.iterator(); values.hasNext();) {
                String subentryDn = ((Value) values.next()).getString();
                collection.addAll(this.tupleCache.getACITuples(subentryDn));
            }
        }
    }

    /**
     * Parses every value of the entry's entryACI attribute (type looked up as 2.5.24.5 in init())
     * and adds the resulting tuples to {@code collection}. Does nothing when the attribute is absent.
     *
     * <p>An ACI value that does not parse aborts the whole operation: the failure is logged with
     * the offending value and an LdapOperationErrorException is thrown, so a malformed ACI is never
     * silently skipped.
     *
     * @param collection receives the tuples
     * @param serverEntry the entry whose entryACI values are read
     * @throws LdapOperationErrorException if a value cannot be parsed
     * @throws Exception if reading the attribute fails
     */
    private void addEntryAciTuples(Collection<ACITuple> collection, ServerEntry serverEntry) throws Exception {
        EntryAttribute entryAci = serverEntry.get(this.entryAciType);
        if (entryAci != null) {
            for (Iterator values = entryAci.iterator(); values.hasNext();) {
                String aciText = ((Value) values.next()).getString();
                try {
                    collection.addAll(this.aciParser.parse(aciText).toTuples());
                } catch (ParseException parseFailure) {
                    // The cause is logged here; the thrown exception carries only the message.
                    String message = I18n.err(I18n.ERR_10, new Object[]{aciText});
                    LOG.error(message, parseFailure);
                    throw new LdapOperationErrorException(message);
                }
            }
        }
    }

    /**
     * When the entry is a subentry, parses the subentryACI values (type looked up as 2.5.24.6 in
     * init()) of its parent entry and adds the resulting tuples to {@code collection}. Entries that
     * are not subentries, and parents without the attribute, contribute nothing.
     *
     * <p>NOTE(review): the subentry test here matches only the object class name "subentry",
     * whereas addPerscriptiveAciTuples also accepts the subentry OID. Whether
     * {@code contains("objectClass", ...)} already resolves the OID form is not visible here.
     *
     * @param operationContext context used to look up the parent entry with LOOKUP_BYPASS
     * @param collection receives the tuples
     * @param dn DN of the entry being authorized
     * @param serverEntry the entry being authorized
     * @throws LdapOperationErrorException if a subentryACI value cannot be parsed
     * @throws Exception if the parent lookup fails
     */
    private void addSubentryAciTuples(OperationContext operationContext, Collection<ACITuple> collection, DN dn, ServerEntry serverEntry) throws Exception {
        if (!serverEntry.contains("objectClass", new String[]{"subentry"})) {
            return;
        }

        // The subentryACI that governs a subentry is read from the parent entry.
        DN parentDn = (DN) dn.clone();
        parentDn.remove(dn.size() - 1);
        EntryAttribute subentryAci = operationContext.lookup(parentDn, ByPassConstants.LOOKUP_BYPASS).getOriginalEntry().get(this.subentryAciType);
        if (subentryAci == null) {
            return;
        }

        for (Iterator values = subentryAci.iterator(); values.hasNext();) {
            String aciText = ((Value) values.next()).getString();
            try {
                collection.addAll(this.aciParser.parse(aciText).toTuples());
            } catch (ParseException parseFailure) {
                // Fail the operation rather than skip a malformed ACI value.
                String message = I18n.err(I18n.ERR_11, new Object[]{aciText});
                LOG.error(message, parseFailure);
                throw new LdapOperationErrorException(message);
            }
        }
    }

    /**
     * Authorizes an add operation and, once it has been performed, tells the tuple and group
     * caches about the new entry.
     *
     * <p>With access control disabled the call is passed straight down the chain and the caches
     * are not touched. Administrators skip the permission checks. For everyone else the engine is
     * asked for ADD_PERMS first on the entry as a whole and then on every attribute value; a
     * refusal surfaces as an exception from checkPermission before the entry is added.
     *
     * <p>The tuple set is built from prescriptive ACI and subentry ACI only; the entryACI values
     * carried by the entry being added are not added to it.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param addOperationContext the add operation
     * @throws Exception if permission is refused or the operation fails
     */
    public void add(NextInterceptor nextInterceptor, AddOperationContext addOperationContext) throws Exception {
        LdapPrincipal principal = addOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        ServerEntry entry = addOperationContext.getEntry();
        DN targetDn = addOperationContext.getDn();

        if (!addOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.add(addOperationContext);
            return;
        }

        if (!isPrincipalAnAdministrator(principalDn)) {
            // The entry does not exist yet, so the subentry attributes it would receive are
            // computed by the SubentryInterceptor and merged with the attributes being added.
            ServerEntry entryWithSubentryAttrs = ((SubentryInterceptor) this.chain.get(SubentryInterceptor.class.getName())).getSubentryAttributes(targetDn, entry);
            for (Iterator attributes = entry.iterator(); attributes.hasNext();) {
                entryWithSubentryAttrs.put(new EntryAttribute[]{(EntryAttribute) attributes.next()});
            }

            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(addOperationContext, tuples, targetDn, entryWithSubentryAttrs);
            addSubentryAciTuples(addOperationContext, tuples, targetDn, entryWithSubentryAttrs);

            // Entry-level check.
            this.engine.checkPermission(this.schemaManager, addOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, null, null, ADD_PERMS, tuples, entryWithSubentryAttrs, null);

            // Attribute-value-level checks, one per value being added.
            for (EntryAttribute attribute : entry) {
                for (Iterator values = attribute.iterator(); values.hasNext();) {
                    this.engine.checkPermission(this.schemaManager, addOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, attribute.getUpId(), (Value) values.next(), ADD_PERMS, tuples, entry, null);
                }
            }
        }

        nextInterceptor.add(addOperationContext);
        // Keep the caches current: the new entry may be an AC subentry or a group.
        this.tupleCache.subentryAdded(targetDn, entry);
        this.groupCache.groupAdded(targetDn, entry);
    }

    /**
     * Tells whether the given DN is the admin entry, by comparing its normalized name with the
     * hard-coded admin DN (the same literal init() uses for the cache session).
     *
     * @param dn the DN to test; its normalized name is used
     * @return {@code true} if the normalized name equals the admin DN
     */
    private boolean isTheAdministrator(DN dn) {
        final String normalizedName = dn.getNormName();
        return normalizedName.equals("0.9.2342.19200300.100.1.1=admin,2.5.4.11=system");
    }

    /**
     * Authorizes a delete operation and, once it has been performed, tells the tuple and group
     * caches that the entry is gone.
     *
     * <p>With access control disabled the call is passed straight down the chain. Otherwise the
     * entry is fetched with LOOKUP_BYPASS, protectCriticalEntries() is applied to every caller
     * including administrators, and non-administrators must additionally hold REMOVE_PERMS on the
     * entry according to its prescriptive, entry and subentry ACI.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param deleteOperationContext the delete operation
     * @throws Exception if the entry is protected, permission is refused, or the operation fails
     */
    public void delete(NextInterceptor nextInterceptor, DeleteOperationContext deleteOperationContext) throws Exception {
        DN targetDn = deleteOperationContext.getDn();
        LdapPrincipal principal = deleteOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        if (!deleteOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.delete(deleteOperationContext);
            return;
        }

        // Read the entry before it disappears: the ACI evaluation and the caches both need it.
        ServerEntry entry = deleteOperationContext.lookup(targetDn, ByPassConstants.LOOKUP_BYPASS);
        protectCriticalEntries(targetDn);

        if (!isPrincipalAnAdministrator(principalDn)) {
            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(deleteOperationContext, tuples, targetDn, entry.getOriginalEntry());
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(deleteOperationContext, tuples, targetDn, entry);
            this.engine.checkPermission(this.schemaManager, deleteOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, null, null, REMOVE_PERMS, tuples, entry, null);
        }

        nextInterceptor.delete(deleteOperationContext);
        this.tupleCache.subentryDeleted(targetDn, entry);
        this.groupCache.groupDeleted(targetDn, entry);
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:14:0x0110. Please report as an issue. */
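    /**
     * Authorizes a modify operation and, once it has been performed, tells the tuple and group
     * caches about the change.
     *
     * <p>With access control disabled the call is passed straight down the chain. Administrators
     * skip the permission checks. For everyone else the engine is asked for the Modify permission
     * on the entry, and then, for each modification item:
     * <ul>
     *   <li>add: ADD_PERMS on the attribute type if the entry does not have the attribute yet;</li>
     *   <li>remove: REMOVE_PERMS on the attribute type if the entry currently holds exactly one
     *       value of it;</li>
     *   <li>in every case, the operation's permission set on each value carried by the item,
     *       evaluated against the entry as it would look after the items applied so far.</li>
     * </ul>
     * A refusal surfaces as an exception from checkPermission before the entry is changed.
     *
     * <p>The principal's groups are looked up by normalized name, as every other operation in this
     * class does. The previous code passed the user-provided form ({@code getName()}) here only,
     * which could make group-based ACI grants and denials evaluate differently for modify than
     * for the other operations.
     *
     * <p>Unlike delete, rename and move, this method does not call protectCriticalEntries().
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param modifyOperationContext the modify operation
     * @throws Exception if permission is refused or the operation fails
     */
    public void modify(NextInterceptor nextInterceptor, ModifyOperationContext modifyOperationContext) throws Exception {
        DN targetDn = modifyOperationContext.getDn();
        // State of the entry before the modification; fetched even when access control is off.
        ServerEntry entry = modifyOperationContext.lookup(targetDn, ByPassConstants.LOOKUP_BYPASS);
        LdapPrincipal principal = modifyOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        if (!modifyOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.modify(modifyOperationContext);
            return;
        }

        List<Modification> modItems = modifyOperationContext.getModItems();

        if (!isPrincipalAnAdministrator(principalDn)) {
            // Normalized name, so the lookup agrees with add/delete/rename/move/compare/lookup.
            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(modifyOperationContext, tuples, targetDn, entry.getOriginalEntry());
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(modifyOperationContext, tuples, targetDn, entry);

            // Entry-level check.
            this.engine.checkPermission(this.schemaManager, modifyOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, null, null, Collections.singleton(MicroOperation.MODIFY), tuples, entry, null);

            Collection<MicroOperation> requiredPerms = null;
            // Running view of the entry with the items processed so far applied to it.
            ServerEntry entryView = entry.clone();
            for (Modification modification : modItems) {
                EntryAttribute attribute = modification.getAttribute();
                // Switch map values: 1 = ADD_ATTRIBUTE, 2 = REMOVE_ATTRIBUTE, 3 = REPLACE_ATTRIBUTE.
                switch (AnonymousClass1.$SwitchMap$org$apache$directory$shared$ldap$entry$ModificationOperation[modification.getOperation().ordinal()]) {
                    case 1:
                        requiredPerms = ADD_PERMS;
                        // Introducing a new attribute needs permission on the attribute type itself.
                        if (entry.get(attribute.getId()) == null) {
                            this.engine.checkPermission(this.schemaManager, modifyOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, attribute.getId(), null, requiredPerms, tuples, entry, null);
                        }
                        break;
                    case 2:
                        requiredPerms = REMOVE_PERMS;
                        // With a single stored value the attribute-type check is made as well
                        // (presumably because removing that value removes the attribute).
                        EntryAttribute existing = entry.get(attribute.getId());
                        if (existing != null && existing.size() == 1) {
                            this.engine.checkPermission(this.schemaManager, modifyOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, attribute.getId(), null, requiredPerms, tuples, entry, null);
                        }
                        break;
                    case 3:
                        requiredPerms = REPLACE_PERMS;
                        break;
                }

                entryView = ServerEntryUtils.getTargetEntry(modification, entryView, this.schemaManager);

                // Value-level checks for every value carried by this item.
                for (Iterator values = attribute.iterator(); values.hasNext();) {
                    this.engine.checkPermission(this.schemaManager, modifyOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, attribute.getId(), (Value) values.next(), requiredPerms, tuples, entry, entryView);
                }
            }
        }

        nextInterceptor.modify(modifyOperationContext);
        // The tuple cache is given the entry as re-read after the change; the group cache is
        // given the pre-modification entry together with the modification items.
        this.tupleCache.subentryModified(targetDn, modItems, modifyOperationContext.lookup(targetDn, ByPassConstants.LOOKUP_BYPASS));
        this.groupCache.groupModified(targetDn, modItems, entry, this.schemaManager);
    }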

    /**
     * Answers whether an entry exists, subject to access control.
     *
     * <p>The root DSE (empty DN) and administrators get the answer from the rest of the chain
     * without a permission check. Other callers must hold BROWSE_PERMS on the entry; a refusal
     * surfaces as an exception from checkPermission, otherwise the chain is asked again and its
     * answer returned.
     *
     * <p>NOTE(review): for non-administrators the chain is queried before the permission check
     * and the entry is then looked up regardless of that first answer, so how a missing entry is
     * reported depends on what the lookup does in that case, which is not visible here.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param entryOperationContext the hasEntry operation
     * @return {@code true} if the entry exists (always {@code true} for the empty DN when access
     *         control is disabled)
     * @throws Exception if permission is refused or a lookup fails
     */
    public boolean hasEntry(NextInterceptor nextInterceptor, EntryOperationContext entryOperationContext) throws Exception {
        DN targetDn = entryOperationContext.getDn();

        if (!entryOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            if (targetDn.size() == 0) {
                return true;
            }
            return nextInterceptor.hasEntry(entryOperationContext);
        }

        boolean exists = nextInterceptor.hasEntry(entryOperationContext);
        if (targetDn.size() == 0) {
            return exists;
        }

        LdapPrincipal principal = entryOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        if (isPrincipalAnAdministrator(principalDn)) {
            return exists;
        }

        ClonedServerEntry entry = entryOperationContext.lookup(targetDn, ByPassConstants.HAS_ENTRY_BYPASS);
        Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(entryOperationContext, tuples, targetDn, entry.getOriginalEntry());
        addEntryAciTuples(tuples, entry.getOriginalEntry());
        addSubentryAciTuples(entryOperationContext, tuples, targetDn, entry.getOriginalEntry());
        this.engine.checkPermission(this.schemaManager, entryOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, null, null, BROWSE_PERMS, tuples, entry.getOriginalEntry(), null);

        return nextInterceptor.hasEntry(entryOperationContext);
    }

    /**
     * Checks that the effective principal may look up the given entry: LOOKUP_PERMS on the entry
     * as a whole, then READ_PERMS on every attribute value the entry holds. A lookup of the root
     * DSE (blank normalized DN) is not checked.
     *
     * <p>Because every value is checked and a refusal is an exception, a single unreadable value
     * fails the whole lookup rather than being filtered out of the result.
     *
     * @param lookupOperationContext the lookup operation
     * @param serverEntry the entry that would be returned
     * @throws Exception if permission is refused or ACI collection fails
     */
    private void checkLookupAccess(LookupOperationContext lookupOperationContext, ServerEntry serverEntry) throws Exception {
        DN targetDn = lookupOperationContext.getDn();
        if ("".equals(targetDn.getNormName().trim())) {
            return;
        }

        LdapPrincipal principal = lookupOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());

        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(lookupOperationContext, tuples, targetDn, serverEntry);
        addEntryAciTuples(tuples, serverEntry);
        addSubentryAciTuples(lookupOperationContext, tuples, targetDn, serverEntry);

        // Entry-level check.
        this.engine.checkPermission(this.schemaManager, lookupOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, null, null, LOOKUP_PERMS, tuples, serverEntry, null);

        // Attribute-value-level checks.
        for (Iterator attributes = serverEntry.iterator(); attributes.hasNext();) {
            EntryAttribute attribute = (EntryAttribute) attributes.next();
            for (Iterator values = attribute.iterator(); values.hasNext();) {
                this.engine.checkPermission(this.schemaManager, lookupOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), targetDn, attribute.getUpId(), (Value) values.next(), READ_PERMS, tuples, serverEntry, null);
            }
        }
    }

    /**
     * Authorizes a lookup. Administrators, and all callers when access control is disabled, go
     * straight down the chain. Otherwise the entry is first fetched through the operation manager
     * with LOOKUP_BYPASS set on the context, checked with checkLookupAccess(), and only then
     * fetched through the rest of the chain for the caller.
     *
     * <p>NOTE(review): the bypass list set on the context is not reset before the final
     * {@code nextInterceptor.lookup} call; whether later interceptors consult it at that point is
     * not visible here.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param lookupOperationContext the lookup operation
     * @return the entry as returned by the rest of the chain
     * @throws Exception if permission is refused or a lookup fails
     */
    public ClonedServerEntry lookup(NextInterceptor nextInterceptor, LookupOperationContext lookupOperationContext) throws Exception {
        DN principalDn = lookupOperationContext.getSession().getEffectivePrincipal().getClonedName();
        if (!principalDn.isNormalized()) {
            principalDn.normalize(this.schemaManager.getNormalizerMapping());
        }

        if (isPrincipalAnAdministrator(principalDn)) {
            return nextInterceptor.lookup(lookupOperationContext);
        }
        if (!lookupOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            return nextInterceptor.lookup(lookupOperationContext);
        }

        // Pre-fetch the entry for the permission check.
        lookupOperationContext.setByPassed(ByPassConstants.LOOKUP_BYPASS);
        checkLookupAccess(
                lookupOperationContext,
                lookupOperationContext.getSession().getDirectoryService().getOperationManager().lookup(lookupOperationContext));

        return nextInterceptor.lookup(lookupOperationContext);
    }

    /**
     * Authorizes a rename and, once it has been performed, tells the tuple and group caches about
     * the new DN.
     *
     * <p>With access control disabled the call is passed straight down the chain. Otherwise
     * protectCriticalEntries() is applied to every caller including administrators, and
     * non-administrators must additionally hold RENAME_PERMS on the entry.
     *
     * <p>NOTE(review): the entry is taken from the context and may be null; a non-administrator
     * rename would then throw from the ACI collection before the permission check is reached.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param renameOperationContext the rename operation
     * @throws Exception if the entry is protected, permission is refused, or the operation fails
     */
    public void rename(NextInterceptor nextInterceptor, RenameOperationContext renameOperationContext) throws Exception {
        DN oldDn = renameOperationContext.getDn();
        ServerEntry entry = renameOperationContext.getEntry() != null
                ? renameOperationContext.getEntry().getOriginalEntry()
                : null;
        LdapPrincipal principal = renameOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        DN renamedDn = renameOperationContext.getNewDn();

        if (!renameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.rename(renameOperationContext);
            return;
        }

        protectCriticalEntries(oldDn);

        if (!isPrincipalAnAdministrator(principalDn)) {
            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(renameOperationContext, tuples, oldDn, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(renameOperationContext, tuples, oldDn, entry);
            this.engine.checkPermission(this.schemaManager, renameOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), oldDn, null, null, RENAME_PERMS, tuples, entry, null);
        }

        nextInterceptor.rename(renameOperationContext);
        this.tupleCache.subentryRenamed(oldDn, renamedDn);
        this.groupCache.groupRenamed(oldDn, renamedDn);
    }

    /**
     * Authorizes a combined move and rename and, once it has been performed, tells the tuple and
     * group caches about the new DN.
     *
     * <p>With access control disabled the call is passed straight down the chain. Otherwise
     * protectCriticalEntries() is applied to every caller including administrators.
     * Non-administrators need two grants: MOVERENAME_PERMS on the entry at its current DN
     * (prescriptive, entry and subentry ACI), and IMPORT_PERMS at the destination DN, evaluated
     * against the prescriptive ACI that would govern the entry there.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param moveAndRenameOperationContext the operation
     * @throws Exception if the entry is protected, permission is refused, or the operation fails
     */
    public void moveAndRename(NextInterceptor nextInterceptor, MoveAndRenameOperationContext moveAndRenameOperationContext) throws Exception {
        DN oldDn = moveAndRenameOperationContext.getDn();
        DN newParentDn = moveAndRenameOperationContext.getParent();
        ServerEntry entry = moveAndRenameOperationContext.lookup(oldDn, ByPassConstants.LOOKUP_BYPASS);
        LdapPrincipal principal = moveAndRenameOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        // Destination DN = new parent + new RDN.
        DN destinationDn = (DN) newParentDn.clone();
        destinationDn.add(moveAndRenameOperationContext.getNewRdn().getName());

        if (!moveAndRenameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.moveAndRename(moveAndRenameOperationContext);
            return;
        }

        protectCriticalEntries(oldDn);

        if (!isPrincipalAnAdministrator(principalDn)) {
            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());

            // Source side: may the principal take the entry away from where it is?
            HashSet sourceTuples = new HashSet();
            addPerscriptiveAciTuples(moveAndRenameOperationContext, sourceTuples, oldDn, entry.getOriginalEntry());
            addEntryAciTuples(sourceTuples, entry);
            addSubentryAciTuples(moveAndRenameOperationContext, sourceTuples, oldDn, entry);
            this.engine.checkPermission(this.schemaManager, moveAndRenameOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), oldDn, null, null, MOVERENAME_PERMS, sourceTuples, entry, null);

            // Destination side: compute the subentry attributes the entry would have at the new
            // DN, merge in its user attributes, and ask for import permission there.
            ServerEntry userAttributes = moveAndRenameOperationContext.lookup(oldDn, ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS);
            ServerEntry entryAtDestination = ((SubentryInterceptor) this.chain.get(SubentryInterceptor.class.getName())).getSubentryAttributes(destinationDn, userAttributes);
            for (Iterator attributes = userAttributes.iterator(); attributes.hasNext();) {
                entryAtDestination.put(new EntryAttribute[]{(EntryAttribute) attributes.next()});
            }
            HashSet destinationTuples = new HashSet();
            addPerscriptiveAciTuples(moveAndRenameOperationContext, destinationTuples, destinationDn, entryAtDestination);
            this.engine.checkPermission(this.schemaManager, moveAndRenameOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), destinationDn, null, null, IMPORT_PERMS, destinationTuples, entryAtDestination, null);
        }

        nextInterceptor.moveAndRename(moveAndRenameOperationContext);
        this.tupleCache.subentryRenamed(oldDn, destinationDn);
        this.groupCache.groupRenamed(oldDn, destinationDn);
    }

    /**
     * Authorizes a move to a new parent and, once it has been performed, tells the tuple and
     * group caches about the new DN.
     *
     * <p>With access control disabled the call is passed straight down the chain. Otherwise
     * protectCriticalEntries() is applied to every caller including administrators.
     * Non-administrators need two grants: EXPORT_PERMS on the entry at its current DN
     * (prescriptive, entry and subentry ACI), and IMPORT_PERMS at the destination DN, evaluated
     * against the prescriptive ACI that would govern the entry there.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param moveOperationContext the move operation
     * @throws Exception if the entry is protected, permission is refused, or the operation fails
     */
    public void move(NextInterceptor nextInterceptor, MoveOperationContext moveOperationContext) throws Exception {
        DN oldDn = moveOperationContext.getDn();
        DN newParentDn = moveOperationContext.getParent();
        ServerEntry entry = moveOperationContext.lookup(oldDn, ByPassConstants.LOOKUP_BYPASS);

        // Destination DN = new parent + the entry's current last RDN.
        DN destinationDn = (DN) newParentDn.clone();
        destinationDn.add(oldDn.get(oldDn.size() - 1));

        LdapPrincipal principal = moveOperationContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        if (!moveOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            nextInterceptor.move(moveOperationContext);
            return;
        }

        protectCriticalEntries(oldDn);

        if (!isPrincipalAnAdministrator(principalDn)) {
            Set<DN> principalGroups = this.groupCache.getGroups(principalDn.getNormName());

            // Source side: may the principal export the entry from where it is?
            HashSet sourceTuples = new HashSet();
            addPerscriptiveAciTuples(moveOperationContext, sourceTuples, oldDn, entry.getOriginalEntry());
            addEntryAciTuples(sourceTuples, entry);
            addSubentryAciTuples(moveOperationContext, sourceTuples, oldDn, entry);
            this.engine.checkPermission(this.schemaManager, moveOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), oldDn, null, null, EXPORT_PERMS, sourceTuples, entry, null);

            // Destination side: compute the subentry attributes the entry would have at the new
            // DN, merge in its user attributes, and ask for import permission there.
            ServerEntry userAttributes = moveOperationContext.lookup(oldDn, ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS);
            ServerEntry entryAtDestination = ((SubentryInterceptor) this.chain.get(SubentryInterceptor.class.getName())).getSubentryAttributes(destinationDn, userAttributes);
            for (Iterator attributes = userAttributes.iterator(); attributes.hasNext();) {
                entryAtDestination.put(new EntryAttribute[]{(EntryAttribute) attributes.next()});
            }
            HashSet destinationTuples = new HashSet();
            addPerscriptiveAciTuples(moveOperationContext, destinationTuples, destinationDn, entryAtDestination);
            this.engine.checkPermission(this.schemaManager, moveOperationContext, principalGroups, principalDn, principal.getAuthenticationLevel(), destinationDn, null, null, IMPORT_PERMS, destinationTuples, entryAtDestination, null);
        }

        nextInterceptor.move(moveOperationContext);
        this.tupleCache.subentryRenamed(oldDn, destinationDn);
        this.groupCache.groupRenamed(oldDn, destinationDn);
    }

    /**
     * Runs the list operation through the rest of the chain and, unless the caller is an
     * administrator or access control is disabled, attaches an AuthorizationFilter to the
     * returned cursor so each entry is checked as it is read.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param listOperationContext the list operation
     * @return the cursor from the rest of the chain, filtered when access control applies
     * @throws Exception if the operation fails
     */
    public EntryFilteringCursor list(NextInterceptor nextInterceptor, ListOperationContext listOperationContext) throws Exception {
        LdapPrincipal principal = listOperationContext.getSession().getEffectivePrincipal();
        EntryFilteringCursor cursor = nextInterceptor.list(listOperationContext);

        boolean unrestricted = isPrincipalAnAdministrator(principal.getClonedName())
                || !listOperationContext.getSession().getDirectoryService().isAccessControlEnabled();
        if (!unrestricted) {
            cursor.addEntryFilter(new AuthorizationFilter());
        }
        return cursor;
    }

    /**
     * Runs the search through the rest of the chain and attaches an AuthorizationFilter to the
     * returned cursor so each entry is checked as it is read.
     *
     * <p>No filter is attached, and results are therefore returned unchecked, in four cases: the
     * caller is an administrator; access control is disabled; the search is an object-scope
     * search of the root DSE (empty base DN); or the search base is the subschema subentry.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param searchOperationContext the search operation
     * @return the cursor from the rest of the chain, filtered when access control applies
     * @throws Exception if the operation fails
     */
    public EntryFilteringCursor search(NextInterceptor nextInterceptor, SearchOperationContext searchOperationContext) throws Exception {
        DN principalDn = searchOperationContext.getSession().getEffectivePrincipal().getClonedName();
        EntryFilteringCursor cursor = nextInterceptor.search(searchOperationContext);

        boolean isSubschemaSearch = this.subschemaSubentryDn.equals(searchOperationContext.getDn().getNormName());
        boolean isRootDseSearch = searchOperationContext.getDn().size() == 0
                && searchOperationContext.getSearchControls().getSearchScope() == SearchControls.OBJECT_SCOPE;

        boolean unrestricted = isPrincipalAnAdministrator(principalDn)
                || !searchOperationContext.getSession().getDirectoryService().isAccessControlEnabled()
                || isRootDseSearch
                || isSubschemaSearch;
        if (!unrestricted) {
            cursor.addEntryFilter(new AuthorizationFilter());
        }
        return cursor;
    }

    /**
     * Tells whether the given principal is an administrator according to the group cache.
     *
     * <p>Callers in this class use the answer to skip ACI enforcement entirely, so the
     * result is only as trustworthy as the group cache contents.
     *
     * @param dn the principal's DN
     * @return the group cache's answer for {@code dn}
     */
    public final boolean isPrincipalAnAdministrator(DN dn) {
        boolean administrator = groupCache.isPrincipalAnAdministrator(dn);
        return administrator;
    }

    /**
     * Authorizes a compare operation and then delegates it to the rest of the chain.
     *
     * <p>For callers that are not administrators, and while access control is enabled,
     * two checks must pass: {@code READ_PERMS} on the target entry, then
     * {@code COMPARE_PERMS} on the asserted attribute and value. Both checks use the
     * same tuple set, gathered from prescriptive, entry and subentry ACIs.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param compareOperationContext the compare operation being processed
     * @return the result of the compare performed by the rest of the chain
     * @throws Exception if the lookup fails, a permission check rejects the caller,
     *         or the chain fails
     */
    public boolean compare(NextInterceptor nextInterceptor, CompareOperationContext compareOperationContext) throws Exception {
        DN target = compareOperationContext.getDn();
        String attributeOid = compareOperationContext.getOid();
        Value<?> assertedValue = compareOperationContext.getValue();
        // The target entry is fetched before the bypass decision, so the lookup runs for every caller.
        ServerEntry targetEntry = compareOperationContext.lookup(target, ByPassConstants.LOOKUP_BYPASS);
        LdapPrincipal caller = compareOperationContext.getSession().getEffectivePrincipal();
        DN callerDn = caller.getClonedName();

        boolean enforce = !isPrincipalAnAdministrator(callerDn)
                && compareOperationContext.getSession().getDirectoryService().isAccessControlEnabled();
        if (enforce) {
            Set<DN> callerGroups = this.groupCache.getGroups(callerDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(compareOperationContext, tuples, target, targetEntry.getOriginalEntry());
            addEntryAciTuples(tuples, targetEntry);
            addSubentryAciTuples(compareOperationContext, tuples, target, targetEntry);

            // Entry-level read permission first ...
            this.engine.checkPermission(this.schemaManager, compareOperationContext, callerGroups, callerDn,
                    caller.getAuthenticationLevel(), target, null, null, READ_PERMS, tuples, targetEntry, null);
            // ... then compare permission on the specific attribute and value.
            this.engine.checkPermission(this.schemaManager, compareOperationContext, callerGroups, callerDn,
                    caller.getAuthenticationLevel(), target, attributeOid, assertedValue, COMPARE_PERMS, tuples, targetEntry, null);
        }
        return nextInterceptor.compare(compareOperationContext);
    }

    /**
     * Returns the matched name from the rest of the chain, shortened to the nearest
     * ancestor the caller is allowed to learn about.
     *
     * <p>Administrators, and every caller while access control is disabled, receive the
     * chain's answer unchanged. For anyone else the DN is tested against
     * {@code MATCHEDNAME_PERMS}; on denial its last component is removed and the test
     * repeats, so a DN the caller may not see is never handed back. The DN object
     * returned by the chain is modified in place and may end up empty.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param getMatchedNameOperationContext the operation being processed
     * @return the first DN on the way up for which permission is granted, or the
     *         empty DN if none is
     * @throws Exception if a lookup, a permission evaluation or the chain fails
     */
    public DN getMatchedName(NextInterceptor nextInterceptor, GetMatchedNameOperationContext getMatchedNameOperationContext) throws Exception {
        LdapPrincipal caller = getMatchedNameOperationContext.getSession().getEffectivePrincipal();
        DN callerDn = caller.getClonedName();
        boolean unrestricted = isPrincipalAnAdministrator(callerDn)
                || !getMatchedNameOperationContext.getSession().getDirectoryService().isAccessControlEnabled();
        DN candidate = nextInterceptor.getMatchedName(getMatchedNameOperationContext);
        if (unrestricted) {
            return candidate;
        }
        // Each denied pass drops the last component before the next attempt.
        for (; candidate.size() > 0; candidate.remove(candidate.size() - 1)) {
            ServerEntry candidateEntry = getMatchedNameOperationContext.lookup(candidate, ByPassConstants.GETMATCHEDDN_BYPASS);
            Set<DN> callerGroups = this.groupCache.getGroups(callerDn.getNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(getMatchedNameOperationContext, tuples, candidate, candidateEntry.getOriginalEntry());
            addEntryAciTuples(tuples, candidateEntry);
            addSubentryAciTuples(getMatchedNameOperationContext, tuples, candidate, candidateEntry);
            boolean disclosable = this.engine.hasPermission(this.schemaManager, getMatchedNameOperationContext, callerGroups, callerDn,
                    caller.getAuthenticationLevel(), candidate, null, null, MATCHEDNAME_PERMS, tuples, candidateEntry, null);
            if (disclosable) {
                return candidate;
            }
        }
        return candidate;
    }

    /**
     * Registers a newly added group entry with the group cache.
     *
     * <p>The group cache is what this class consults for group membership and for the
     * administrator bypass, so entries passed here influence later authorization
     * decisions.
     *
     * @param dn the DN of the added entry
     * @param serverEntry the added entry
     * @throws Exception if the group cache rejects the update
     */
    public void cacheNewGroup(DN dn, ServerEntry serverEntry) throws Exception {
        groupCache.groupAdded(dn, serverEntry);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decides whether an entry may be returned to the caller and strips from it every
     * attribute and value the caller is not permitted to read.
     *
     * <p>The entry is rejected outright when the caller lacks {@code SEARCH_ENTRY_PERMS}
     * on it. Otherwise each attribute type is checked against
     * {@code SEARCH_ATTRVAL_PERMS}, and each value of a permitted attribute is checked
     * again individually. Denied values are removed; an attribute that is denied, or
     * left without values, is removed as a whole. The supplied entry is modified in place.
     *
     * @param operationContext the operation on whose behalf the entry is returned
     * @param dn the DN of the entry
     * @param clonedServerEntry the entry to screen and prune
     * @return {@code false} if the entry must not be returned, {@code true} once it
     *         has been pruned to what the caller may see
     * @throws Exception if tuple collection or a permission evaluation fails
     */
    public boolean filter(OperationContext operationContext, DN dn, ClonedServerEntry clonedServerEntry) throws Exception {
        LdapPrincipal caller = operationContext.getSession().getEffectivePrincipal();
        DN callerDn = caller.getClonedName();
        Set<DN> callerGroups = this.groupCache.getGroups(callerDn.getNormName());

        // All ACI sources are evaluated against the original, unpruned entry.
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(operationContext, tuples, dn, clonedServerEntry.getOriginalEntry());
        addEntryAciTuples(tuples, clonedServerEntry.getOriginalEntry());
        addSubentryAciTuples(operationContext, tuples, dn, clonedServerEntry.getOriginalEntry());

        boolean entryVisible = this.engine.hasPermission(this.schemaManager, operationContext, callerGroups, callerDn,
                caller.getAuthenticationLevel(), dn, null, null, SEARCH_ENTRY_PERMS, tuples, clonedServerEntry.getOriginalEntry(), null);
        if (!entryVisible) {
            return false;
        }

        // Attribute removal is deferred so the entry's attribute types are not changed while being iterated.
        List<AttributeType> deniedTypes = new ArrayList<AttributeType>();
        for (AttributeType attributeType : clonedServerEntry.getAttributeTypes()) {
            String attributeName = attributeType.getName();
            EntryAttribute<Value<?>> attribute = clonedServerEntry.get(attributeType);

            // NOTE(review): from here on the checks receive the cloned entry rather than the
            // original one, and values appear to be removed from it while this loop is still
            // running; confirm the engine does not need the unmodified entry for these checks.
            boolean attributeReadable = this.engine.hasPermission(this.schemaManager, operationContext, callerGroups, callerDn,
                    caller.getAuthenticationLevel(), dn, attributeName, null, SEARCH_ATTRVAL_PERMS, tuples, clonedServerEntry, null);
            if (!attributeReadable) {
                deniedTypes.add(attributeType);
                continue;
            }

            // Same deferral for values: collect first, remove after the iteration.
            List<Value<?>> deniedValues = new ArrayList<Value<?>>();
            for (Value<?> value : attribute) {
                boolean valueReadable = this.engine.hasPermission(this.schemaManager, operationContext, callerGroups, callerDn,
                        caller.getAuthenticationLevel(), dn, attribute.getUpId(), value, SEARCH_ATTRVAL_PERMS, tuples, clonedServerEntry, null);
                if (!valueReadable) {
                    deniedValues.add(value);
                }
            }
            for (Value<?> denied : deniedValues) {
                attribute.remove(new Value[]{denied});
            }
            // An attribute stripped of all its values is dropped rather than returned empty.
            if (attribute.size() == 0) {
                deniedTypes.add(attributeType);
            }
        }

        for (AttributeType deniedType : deniedTypes) {
            clonedServerEntry.removeAttributes(new AttributeType[]{deniedType});
        }
        return true;
    }

    // Builds the fixed micro-operation sets handed to the ACDF engine by the methods of
    // this class. Each collection is either a singleton or wrapped as unmodifiable, so
    // the required permissions cannot be altered after class initialization.
    static {
        // Single-permission requirements.
        ADD_PERMS = Collections.singleton(MicroOperation.ADD);
        READ_PERMS = Collections.singleton(MicroOperation.READ);
        COMPARE_PERMS = Collections.singleton(MicroOperation.COMPARE);
        REMOVE_PERMS = Collections.singleton(MicroOperation.REMOVE);
        BROWSE_PERMS = Collections.singleton(MicroOperation.BROWSE);
        RENAME_PERMS = Collections.singleton(MicroOperation.RENAME);
        EXPORT_PERMS = Collections.singleton(MicroOperation.EXPORT);
        IMPORT_PERMS = Collections.singleton(MicroOperation.IMPORT);
        SEARCH_ATTRVAL_PERMS = Collections.singleton(MicroOperation.READ);
        // Shortening a matched DN is governed by DISCLOSE_ON_ERROR alone.
        MATCHEDNAME_PERMS = Collections.singleton(MicroOperation.DISCLOSE_ON_ERROR);

        // Two-permission requirements.
        Set<MicroOperation> searchEntry = new HashSet<MicroOperation>(2);
        searchEntry.add(MicroOperation.BROWSE);
        searchEntry.add(MicroOperation.RETURN_DN);
        SEARCH_ENTRY_PERMS = Collections.unmodifiableCollection(searchEntry);

        Set<MicroOperation> lookup = new HashSet<MicroOperation>(2);
        lookup.add(MicroOperation.READ);
        lookup.add(MicroOperation.BROWSE);
        LOOKUP_PERMS = Collections.unmodifiableCollection(lookup);

        Set<MicroOperation> replace = new HashSet<MicroOperation>(2);
        replace.add(MicroOperation.ADD);
        replace.add(MicroOperation.REMOVE);
        REPLACE_PERMS = Collections.unmodifiableCollection(replace);

        Set<MicroOperation> moveRename = new HashSet<MicroOperation>(2);
        moveRename.add(MicroOperation.EXPORT);
        moveRename.add(MicroOperation.RENAME);
        MOVERENAME_PERMS = Collections.unmodifiableCollection(moveRename);

        DEFAULT_SEARCH_CONTROLS = new SearchControls();
    }
}
