package org.apache.directory.server.core.subtree;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.directory.SearchControls;
import org.apache.directory.api.ldap.codec.controls.search.subentries.SubentriesDecorator;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.entry.StringValue;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
import org.apache.directory.api.ldap.model.exception.LdapOperationErrorException;
import org.apache.directory.api.ldap.model.exception.LdapOperationException;
import org.apache.directory.api.ldap.model.exception.LdapOtherException;
import org.apache.directory.api.ldap.model.exception.LdapSchemaViolationException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.ObjectClassNode;
import org.apache.directory.api.ldap.model.filter.PresenceNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.api.ldap.model.subtree.AdministrativeRole;
import org.apache.directory.api.ldap.model.subtree.Subentry;
import org.apache.directory.api.ldap.model.subtree.SubtreeSpecification;
import org.apache.directory.api.ldap.model.subtree.SubtreeSpecificationParser;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.filtering.EntryFilter;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.partition.PartitionNexus;
import org.apache.directory.server.core.api.subtree.SubentryCache;
import org.apache.directory.server.core.api.subtree.SubtreeEvaluator;
import org.apache.directory.server.i18n.I18n;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/subtree/SubentryInterceptor.class */
public class SubentryInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SubentryInterceptor.class);
    private static final String SUBENTRY_CONTROL = "1.3.6.1.4.1.4203.1.10.1";
    private Value<String> subentryOC;
    private SubtreeSpecificationParser ssParser;
    private PartitionNexus nexus;

    /* loaded from: input_file:org/apache/directory/server/core/subtree/SubentryInterceptor$HideEntriesFilter.class */
    private class HideEntriesFilter implements EntryFilter {
        private HideEntriesFilter() {
        }

        @Override // org.apache.directory.server.core.api.filtering.EntryFilter
        public boolean accept(SearchOperationContext searchOperationContext, Entry entry) throws LdapException {
            if (SubentryInterceptor.this.directoryService.getSubentryCache().hasSubentry(entry.getDn())) {
                return true;
            }
            return entry.contains(SubentryInterceptor.this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC);
        }

        @Override // org.apache.directory.server.core.api.filtering.EntryFilter
        public String toString(String str) {
            return str + "HideEntriesFilter";
        }
    }

    /* loaded from: input_file:org/apache/directory/server/core/subtree/SubentryInterceptor$HideSubentriesFilter.class */
    private class HideSubentriesFilter implements EntryFilter {
        private HideSubentriesFilter() {
        }

        @Override // org.apache.directory.server.core.api.filtering.EntryFilter
        public boolean accept(SearchOperationContext searchOperationContext, Entry entry) throws LdapException {
            return (SubentryInterceptor.this.directoryService.getSubentryCache().hasSubentry(entry.getDn()) || entry.contains(SubentryInterceptor.this.directoryService.getAtProvider().getObjectClass(), SubentryInterceptor.this.subentryOC)) ? false : true;
        }

        @Override // org.apache.directory.server.core.api.filtering.EntryFilter
        public String toString(String str) {
            return str + "HideSubentriesFilter";
        }
    }

    /* loaded from: input_file:org/apache/directory/server/core/subtree/SubentryInterceptor$OperationEnum.class */
    private enum OperationEnum {
        ADD,
        REMOVE,
        REPLACE
    }

    public SubentryInterceptor() {
        super(InterceptorEnum.SUBENTRY_INTERCEPTOR);
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        this.nexus = directoryService.getPartitionNexus();
        this.ssParser = new SubtreeSpecificationParser(this.schemaManager);
        Set<String> listSuffixes = this.nexus.listSuffixes();
        EqualityNode equalityNode = new EqualityNode(directoryService.getAtProvider().getObjectClass(), new StringValue(SchemaConstants.SUBENTRY_OC));
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{SchemaConstants.SUBTREE_SPECIFICATION_AT, SchemaConstants.OBJECT_CLASS_AT});
        this.subentryOC = new StringValue(directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC);
        Iterator<String> it = listSuffixes.iterator();
        while (it.hasNext()) {
            SearchOperationContext searchOperationContext = new SearchOperationContext(directoryService.getAdminSession(), this.dnFactory.create(it.next()), equalityNode, searchControls);
            searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
            EntryFilteringCursor search = this.nexus.search(searchOperationContext);
            while (search.next()) {
                try {
                    try {
                        Entry entry = search.get();
                        Dn dn = entry.getDn();
                        try {
                            SubtreeSpecification parse = this.ssParser.parse(entry.get(directoryService.getAtProvider().getSubtreeSpecification()).getString());
                            Subentry subentry = new Subentry();
                            subentry.setAdministrativeRoles(getSubentryAdminRoles(entry));
                            subentry.setSubtreeSpecification(parse);
                            directoryService.getSubentryCache().addSubentry(dn, subentry);
                        } catch (Exception e) {
                            LOG.warn("Failed while parsing subtreeSpecification for " + dn);
                        }
                    } catch (Throwable th) {
                        try {
                            search.close();
                        } catch (Exception e2) {
                            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e2);
                        }
                        throw th;
                    }
                } catch (Exception e3) {
                    throw new LdapOperationException(e3.getMessage(), e3);
                }
            }
            try {
                search.close();
            } catch (Exception e4) {
                LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e4);
            }
        }
    }

    private Set<AdministrativeRole> getSubentryAdminRoles(Entry entry) throws LdapException {
        HashSet hashSet = new HashSet();
        Attribute attribute = entry.get(this.directoryService.getAtProvider().getObjectClass());
        if (attribute == null) {
            throw new LdapSchemaViolationException(ResultCodeEnum.OBJECT_CLASS_VIOLATION, I18n.err(I18n.ERR_305, new Object[0]));
        }
        if (attribute.contains(SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC)) {
            hashSet.add(AdministrativeRole.AccessControlInnerArea);
        }
        if (attribute.contains(SchemaConstants.SUBSCHEMA_OC)) {
            hashSet.add(AdministrativeRole.SubSchemaSpecificArea);
        }
        if (attribute.contains(SchemaConstants.COLLECTIVE_ATTRIBUTE_SUBENTRY_OC)) {
            hashSet.add(AdministrativeRole.CollectiveAttributeSpecificArea);
        }
        if (attribute.contains("triggerExecutionSubentry")) {
            hashSet.add(AdministrativeRole.TriggerExecutionInnerArea);
        }
        return hashSet;
    }

    private boolean isSubentryVisible(OperationContext operationContext) throws LdapException {
        if (operationContext.hasRequestControls() && operationContext.hasRequestControl("1.3.6.1.4.1.4203.1.10.1")) {
            return ((SubentriesDecorator) operationContext.getRequestControl("1.3.6.1.4.1.4203.1.10.1")).getDecorated().isVisible();
        }
        return false;
    }

    private void updateEntries(OperationEnum operationEnum, CoreSession coreSession, Dn dn, Dn dn2, SubtreeSpecification subtreeSpecification, Dn dn3, List<Attribute> list) throws LdapException {
        ExprNode exprNode = ObjectClassNode.OBJECT_CLASS_NODE;
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{"+", "*"});
        SearchOperationContext searchOperationContext = new SearchOperationContext(coreSession, dn3, exprNode, searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        while (search.next()) {
            try {
                try {
                    Entry entry = search.get();
                    Dn dn4 = entry.getDn();
                    if (this.directoryService.getEvaluator().evaluate(subtreeSpecification, dn2, dn4, entry)) {
                        List<Modification> list2 = null;
                        switch (operationEnum) {
                            case ADD:
                                list2 = getOperationalModsForAdd(entry, list);
                                break;
                            case REMOVE:
                                list2 = getOperationalModsForRemove(dn, entry);
                                break;
                            case REPLACE:
                                break;
                            default:
                                throw new IllegalArgumentException("Unexpected operation " + operationEnum);
                        }
                        LOG.debug("The entry {} has been evaluated to true for subentry {}", entry.getDn(), dn);
                        this.nexus.modify(new ModifyOperationContext(coreSession, dn4, list2));
                    }
                } catch (Throwable th) {
                    try {
                        search.close();
                    } catch (Exception e) {
                        LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e);
                    }
                    throw th;
                }
            } catch (Exception e2) {
                throw new LdapOtherException(e2.getMessage(), e2);
            }
        }
        search.close();
        try {
            search.close();
        } catch (Exception e3) {
            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e3);
        }
    }

    private boolean isNamingContext(Dn dn) throws LdapException {
        return dn.equals(this.nexus.getSuffixDn(dn));
    }

    private void checkAdministrativeRole(OperationContext operationContext, Dn dn) throws LdapException {
        Attribute attribute = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(operationContext.getSession(), dn, SchemaConstants.ALL_ATTRIBUTES_ARRAY)).get(this.directoryService.getAtProvider().getAdministrativeRole());
        if (attribute == null || attribute.size() <= 0) {
            LOG.error("The entry on {} is not an AdministrativePoint", dn);
            throw new LdapNoSuchAttributeException(I18n.err(I18n.ERR_306, dn));
        }
    }

    private void setSubtreeSpecification(Subentry subentry, Entry entry) throws LdapException {
        try {
            subentry.setSubtreeSpecification(this.ssParser.parse(entry.get(this.directoryService.getAtProvider().getSubtreeSpecification()).getString()));
        } catch (Exception e) {
            String err = I18n.err(I18n.ERR_307, entry.getDn());
            LOG.warn(err);
            throw new LdapInvalidAttributeValueException(ResultCodeEnum.INVALID_ATTRIBUTE_SYNTAX, err);
        }
    }

    private boolean hasAdministrativeDescendant(OperationContext operationContext, Dn dn) throws LdapException {
        PresenceNode presenceNode = new PresenceNode(this.directoryService.getAtProvider().getAdministrativeRole());
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        SearchOperationContext searchOperationContext = new SearchOperationContext(operationContext.getSession(), dn, presenceNode, searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        try {
            try {
                if (search.next()) {
                    try {
                        search.close();
                    } catch (Exception e) {
                        LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e);
                    }
                    return true;
                }
                try {
                    search.close();
                    return false;
                } catch (Exception e2) {
                    LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e2);
                    return false;
                }
            } catch (Exception e3) {
                throw new LdapOperationException(e3.getMessage(), e3);
            }
        } catch (Throwable th) {
            try {
                search.close();
            } catch (Exception e4) {
                LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e4);
            }
            throw th;
        }
    }

    private List<Modification> getModsOnEntryRdnChange(Dn dn, Dn dn2, Entry entry) throws LdapException {
        ArrayList arrayList = new ArrayList();
        SubentryCache subentryCache = this.directoryService.getSubentryCache();
        SubtreeEvaluator evaluator = this.directoryService.getEvaluator();
        Iterator<Dn> it = subentryCache.iterator();
        while (it.hasNext()) {
            Dn next = it.next();
            Dn parent = next.getParent();
            SubtreeSpecification subtreeSpecification = subentryCache.getSubentry(next).getSubtreeSpecification();
            boolean evaluate = evaluator.evaluate(subtreeSpecification, parent, dn, entry);
            boolean evaluate2 = evaluator.evaluate(subtreeSpecification, parent, dn2, entry);
            if (evaluate != evaluate2) {
                if (evaluate && !evaluate2) {
                    for (AttributeType attributeType : this.directoryService.getAtProvider().getSubentryOperationalAttributes()) {
                        ModificationOperation modificationOperation = ModificationOperation.REPLACE_ATTRIBUTE;
                        Attribute attribute = entry.get(attributeType);
                        if (attribute != null) {
                            Attribute m998clone = attribute.m998clone();
                            m998clone.remove(next.getNormName());
                            if (m998clone.size() < 1) {
                                modificationOperation = ModificationOperation.REMOVE_ATTRIBUTE;
                            }
                            arrayList.add(new DefaultModification(modificationOperation, m998clone));
                        }
                    }
                } else if (evaluate2 && !evaluate) {
                    for (AttributeType attributeType2 : this.directoryService.getAtProvider().getSubentryOperationalAttributes()) {
                        ModificationOperation modificationOperation2 = ModificationOperation.ADD_ATTRIBUTE;
                        DefaultAttribute defaultAttribute = new DefaultAttribute(attributeType2);
                        defaultAttribute.add(next.getNormName());
                        arrayList.add(new DefaultModification(modificationOperation2, defaultAttribute));
                    }
                }
            }
        }
        return arrayList;
    }

    private Set<AdministrativeRole> getSubentryTypes(Entry entry, List<Modification> list) throws LdapException {
        Attribute m998clone = entry.get(this.directoryService.getAtProvider().getObjectClass()).m998clone();
        for (Modification modification : list) {
            if (modification.getAttribute().getId().equalsIgnoreCase(SchemaConstants.OBJECT_CLASS_AT) || modification.getAttribute().getId().equalsIgnoreCase(SchemaConstants.OBJECT_CLASS_AT_OID)) {
                switch (modification.getOperation()) {
                    case ADD_ATTRIBUTE:
                        Iterator<Value<?>> it = modification.getAttribute().iterator();
                        while (it.hasNext()) {
                            m998clone.add(it.next().getString());
                        }
                        break;
                    case REMOVE_ATTRIBUTE:
                        Iterator<Value<?>> it2 = modification.getAttribute().iterator();
                        while (it2.hasNext()) {
                            m998clone.remove(it2.next().getString());
                        }
                        break;
                    case REPLACE_ATTRIBUTE:
                        m998clone = modification.getAttribute();
                        break;
                    default:
                        throw new IllegalArgumentException("Unexpected modify operatoin " + modification.getOperation());
                }
            }
        }
        DefaultEntry defaultEntry = new DefaultEntry(this.schemaManager, Dn.ROOT_DSE);
        defaultEntry.put(m998clone);
        return getSubentryAdminRoles(defaultEntry);
    }

    private void getOperationalModForReplace(boolean z, AttributeType attributeType, Entry entry, Dn dn, Dn dn2, List<Modification> list) throws LdapInvalidAttributeValueException {
        String normName = dn.getNormName();
        String normName2 = dn2.getNormName();
        if (z) {
            Attribute m998clone = entry.get(attributeType).m998clone();
            if (m998clone == null) {
                m998clone = new DefaultAttribute(attributeType, normName2);
            } else {
                m998clone.remove(normName);
                m998clone.add(normName2);
            }
            list.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, m998clone));
        }
    }

    private List<Modification> getOperationalModsForReplace(Dn dn, Dn dn2, Subentry subentry, Entry entry) throws Exception {
        ArrayList arrayList = new ArrayList();
        getOperationalModForReplace(subentry.isAccessControlAdminRole(), this.directoryService.getAtProvider().getAccessControlSubentries(), entry, dn, dn2, arrayList);
        getOperationalModForReplace(subentry.isSchemaAdminRole(), this.directoryService.getAtProvider().getSubschemaSubentry(), entry, dn, dn2, arrayList);
        getOperationalModForReplace(subentry.isCollectiveAdminRole(), this.directoryService.getAtProvider().getCollectiveAttributeSubentries(), entry, dn, dn2, arrayList);
        getOperationalModForReplace(subentry.isTriggersAdminRole(), this.directoryService.getAtProvider().getTriggerExecutionSubentries(), entry, dn, dn2, arrayList);
        return arrayList;
    }

    private List<Attribute> getSubentryOperationalAttributes(Dn dn, Subentry subentry) throws LdapException {
        ArrayList arrayList = new ArrayList();
        if (subentry.isAccessControlAdminRole()) {
            arrayList.add(new DefaultAttribute(this.directoryService.getAtProvider().getAccessControlSubentries(), dn.getNormName()));
        }
        if (subentry.isSchemaAdminRole()) {
            arrayList.add(new DefaultAttribute(this.directoryService.getAtProvider().getSubschemaSubentry(), dn.getNormName()));
        }
        if (subentry.isCollectiveAdminRole()) {
            arrayList.add(new DefaultAttribute(this.directoryService.getAtProvider().getCollectiveAttributeSubentries(), dn.getNormName()));
        }
        if (subentry.isTriggersAdminRole()) {
            arrayList.add(new DefaultAttribute(this.directoryService.getAtProvider().getTriggerExecutionSubentries(), dn.getNormName()));
        }
        return arrayList;
    }

    private List<Modification> getOperationalModsForRemove(Dn dn, Entry entry) throws LdapException {
        ArrayList arrayList = new ArrayList();
        String normName = dn.getNormName();
        for (AttributeType attributeType : this.directoryService.getAtProvider().getSubentryOperationalAttributes()) {
            Attribute attribute = entry.get(attributeType);
            if (attribute != null && attribute.contains(normName)) {
                arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, new DefaultAttribute(attributeType, normName)));
            }
        }
        return arrayList;
    }

    private List<Modification> getOperationalModsForAdd(Entry entry, List<Attribute> list) throws LdapException {
        ArrayList arrayList = new ArrayList();
        for (Attribute attribute : list) {
            Attribute attribute2 = entry.get(attribute.getAttributeType());
            if (attribute2 == null || attribute2.size() <= 0) {
                arrayList.add(new DefaultModification(ModificationOperation.ADD_ATTRIBUTE, attribute));
            } else {
                Attribute m998clone = attribute.m998clone();
                Iterator<Value<?>> it = attribute2.iterator();
                while (it.hasNext()) {
                    m998clone.add(it.next());
                }
                arrayList.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, m998clone));
            }
        }
        return arrayList;
    }

    private List<Modification> getModsOnEntryModification(Dn dn, Entry entry, Entry entry2) throws LdapException {
        ArrayList arrayList = new ArrayList();
        Iterator<Dn> it = this.directoryService.getSubentryCache().iterator();
        while (it.hasNext()) {
            Dn next = it.next();
            Dn parent = next.getParent();
            SubtreeSpecification subtreeSpecification = this.directoryService.getSubentryCache().getSubentry(next).getSubtreeSpecification();
            boolean evaluate = this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn, entry);
            boolean evaluate2 = this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn, entry2);
            if (evaluate != evaluate2) {
                if (evaluate && !evaluate2) {
                    for (AttributeType attributeType : this.directoryService.getAtProvider().getSubentryOperationalAttributes()) {
                        ModificationOperation modificationOperation = ModificationOperation.REPLACE_ATTRIBUTE;
                        Attribute attribute = entry.get(attributeType);
                        if (attribute != null) {
                            Attribute m998clone = attribute.m998clone();
                            m998clone.remove(next.getNormName());
                            if (m998clone.size() < 1) {
                                modificationOperation = ModificationOperation.REMOVE_ATTRIBUTE;
                            }
                            arrayList.add(new DefaultModification(modificationOperation, m998clone));
                        }
                    }
                } else if (evaluate2 && !evaluate) {
                    for (AttributeType attributeType2 : this.directoryService.getAtProvider().getSubentryOperationalAttributes()) {
                        ModificationOperation modificationOperation2 = ModificationOperation.ADD_ATTRIBUTE;
                        DefaultAttribute defaultAttribute = new DefaultAttribute(attributeType2);
                        defaultAttribute.add(next.getNormName());
                        arrayList.add(new DefaultModification(modificationOperation2, defaultAttribute));
                    }
                }
            }
        }
        return arrayList;
    }

    private void setOperationalAttribute(Entry entry, Dn dn, AttributeType attributeType) throws LdapException {
        Attribute attribute = entry.get(attributeType);
        if (attribute == null) {
            attribute = new DefaultAttribute(attributeType);
            entry.put(attribute);
        }
        attribute.add(dn.getNormName());
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void add(AddOperationContext addOperationContext) throws LdapException {
        Dn dn = addOperationContext.getDn();
        Entry entry = addOperationContext.getEntry();
        if (entry.contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC)) {
            if (dn.isRootDse() || isNamingContext(dn)) {
                throw new LdapOtherException("Cannot find an AdministrativePoint for " + dn);
            }
            Dn parent = dn.getParent();
            checkAdministrativeRole(addOperationContext, parent);
            Subentry subentry = new Subentry();
            subentry.setAdministrativeRoles(getSubentryAdminRoles(entry));
            List<Attribute> subentryOperationalAttributes = getSubentryOperationalAttributes(dn, subentry);
            setSubtreeSpecification(subentry, entry);
            this.directoryService.getSubentryCache().addSubentry(dn, subentry);
            next(addOperationContext);
            updateEntries(OperationEnum.ADD, addOperationContext.getSession(), dn, parent, subentry.getSubtreeSpecification(), parent.add(subentry.getSubtreeSpecification().getBase()), subentryOperationalAttributes);
            addOperationContext.setEntry(entry);
            return;
        }
        Iterator<Dn> it = this.directoryService.getSubentryCache().iterator();
        while (it.hasNext()) {
            Dn next = it.next();
            Dn parent2 = next.getParent();
            if (dn.isDescendantOf(parent2)) {
                Subentry subentry2 = this.directoryService.getSubentryCache().getSubentry(next);
                if (this.directoryService.getEvaluator().evaluate(subentry2.getSubtreeSpecification(), parent2, dn, entry)) {
                    if (subentry2.isAccessControlAdminRole()) {
                        setOperationalAttribute(entry, next, this.directoryService.getAtProvider().getAccessControlSubentries());
                    }
                    if (subentry2.isSchemaAdminRole()) {
                        setOperationalAttribute(entry, next, this.directoryService.getAtProvider().getSubschemaSubentry());
                    }
                    if (subentry2.isCollectiveAdminRole()) {
                        setOperationalAttribute(entry, next, this.directoryService.getAtProvider().getCollectiveAttributeSubentries());
                    }
                    if (subentry2.isTriggersAdminRole()) {
                        setOperationalAttribute(entry, next, this.directoryService.getAtProvider().getTriggerExecutionSubentries());
                    }
                }
            }
        }
        addOperationContext.setEntry(entry);
        next(addOperationContext);
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        Dn dn = deleteOperationContext.getDn();
        if (!deleteOperationContext.getEntry().contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC)) {
            next(deleteOperationContext);
            return;
        }
        Subentry subentry = this.directoryService.getSubentryCache().getSubentry(dn);
        Dn parent = dn.getParent();
        updateEntries(OperationEnum.REMOVE, deleteOperationContext.getSession(), dn, parent, subentry.getSubtreeSpecification(), parent.add(subentry.getSubtreeSpecification().getBase()), null);
        this.directoryService.getSubentryCache().removeSubentry(dn);
        next(deleteOperationContext);
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        Dn dn = modifyOperationContext.getDn();
        List<Modification> modItems = modifyOperationContext.getModItems();
        Entry entry = modifyOperationContext.getEntry();
        boolean z = false;
        Modification modification = null;
        Iterator<Modification> it = modItems.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Modification next = it.next();
            if (next.getAttribute().getAttributeType().equals(this.directoryService.getAtProvider().getSubtreeSpecification())) {
                z = true;
                modification = next;
                break;
            }
        }
        boolean contains = entry.contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC);
        if (!contains || !z) {
            next(modifyOperationContext);
            if (contains) {
                return;
            }
            List<Modification> modsOnEntryModification = getModsOnEntryModification(dn, entry, modifyOperationContext.getAlteredEntry());
            if (modsOnEntryModification.size() > 0) {
                this.nexus.modify(new ModifyOperationContext(modifyOperationContext.getSession(), dn, modsOnEntryModification));
                return;
            }
            return;
        }
        Subentry removeSubentry = this.directoryService.getSubentryCache().removeSubentry(dn);
        SubtreeSpecification subtreeSpecification = removeSubentry.getSubtreeSpecification();
        try {
            SubtreeSpecification parse = this.ssParser.parse(modification.getAttribute().getString());
            removeSubentry.setSubtreeSpecification(parse);
            removeSubentry.setAdministrativeRoles(getSubentryTypes(entry, modItems));
            this.directoryService.getSubentryCache().addSubentry(dn, removeSubentry);
            next(modifyOperationContext);
            Dn parent = dn.getParent();
            Dn add = parent.add(subtreeSpecification.getBase());
            PresenceNode presenceNode = new PresenceNode(this.directoryService.getAtProvider().getObjectClass());
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(2);
            searchControls.setReturningAttributes(new String[]{"+", "*"});
            SearchOperationContext searchOperationContext = new SearchOperationContext(modifyOperationContext.getSession(), add, presenceNode, searchControls);
            searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
            EntryFilteringCursor search = this.nexus.search(searchOperationContext);
            while (search.next()) {
                try {
                    try {
                        Entry entry2 = search.get();
                        Dn dn2 = entry2.getDn();
                        if (this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn2, entry2)) {
                            this.nexus.modify(new ModifyOperationContext(modifyOperationContext.getSession(), dn2, getOperationalModsForRemove(dn, entry2)));
                        }
                    } catch (Exception e) {
                        throw new LdapOperationErrorException(e.getMessage(), e);
                    }
                } catch (Throwable th) {
                    try {
                        search.close();
                    } catch (Exception e2) {
                        LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e2);
                    }
                    throw th;
                }
            }
            search.close();
            try {
                search.close();
            } catch (Exception e3) {
                LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e3);
            }
            List<Attribute> subentryOperationalAttributes = getSubentryOperationalAttributes(dn, this.directoryService.getSubentryCache().getSubentry(dn));
            SearchOperationContext searchOperationContext2 = new SearchOperationContext(modifyOperationContext.getSession(), parent.add(parse.getBase()), presenceNode, searchControls);
            searchOperationContext2.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
            EntryFilteringCursor search2 = this.nexus.search(searchOperationContext2);
            while (search2.next()) {
                try {
                    try {
                        Entry entry3 = search2.get();
                        Dn dn3 = entry3.getDn();
                        if (this.directoryService.getEvaluator().evaluate(parse, parent, dn3, entry3)) {
                            this.nexus.modify(new ModifyOperationContext(modifyOperationContext.getSession(), dn3, getOperationalModsForAdd(entry3, subentryOperationalAttributes)));
                        }
                    } catch (Throwable th2) {
                        try {
                            search2.close();
                        } catch (Exception e4) {
                            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e4);
                        }
                        throw th2;
                    }
                } catch (Exception e5) {
                    throw new LdapOperationErrorException(e5.getMessage(), e5);
                }
            }
            search2.close();
            try {
                search2.close();
            } catch (Exception e6) {
                LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e6);
            }
        } catch (Exception e7) {
            String err = I18n.err(I18n.ERR_71, new Object[0]);
            LOG.error(err, (Throwable) e7);
            throw new LdapInvalidAttributeValueException(ResultCodeEnum.INVALID_ATTRIBUTE_SYNTAX, err);
        }
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        Dn dn = moveOperationContext.getDn();
        Dn newSuperior = moveOperationContext.getNewSuperior();
        Entry originalEntry = moveOperationContext.getOriginalEntry();
        if (!originalEntry.contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC)) {
            if (hasAdministrativeDescendant(moveOperationContext, dn)) {
                String err = I18n.err(I18n.ERR_308, new Object[0]);
                LOG.warn(err);
                throw new LdapSchemaViolationException(ResultCodeEnum.NOT_ALLOWED_ON_RDN, err);
            }
            next(moveOperationContext);
            Dn newDn = moveOperationContext.getNewDn();
            List<Modification> modsOnEntryRdnChange = getModsOnEntryRdnChange(dn, newDn, originalEntry);
            if (modsOnEntryRdnChange.size() > 0) {
                this.nexus.modify(new ModifyOperationContext(moveOperationContext.getSession(), newDn, modsOnEntryRdnChange));
                return;
            }
            return;
        }
        checkAdministrativeRole(moveOperationContext, newSuperior);
        Subentry removeSubentry = this.directoryService.getSubentryCache().removeSubentry(dn);
        SubtreeSpecification subtreeSpecification = removeSubentry.getSubtreeSpecification();
        Dn parent = dn.getParent();
        Dn add = parent.add(subtreeSpecification.getBase());
        Dn add2 = newSuperior.add(dn.getRdn());
        add2.apply(this.schemaManager);
        this.directoryService.getSubentryCache().addSubentry(add2, removeSubentry);
        next(moveOperationContext);
        Subentry subentry = this.directoryService.getSubentryCache().getSubentry(add2);
        PresenceNode presenceNode = new PresenceNode(this.directoryService.getAtProvider().getObjectClass());
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{"+", "*"});
        SearchOperationContext searchOperationContext = new SearchOperationContext(moveOperationContext.getSession(), add, presenceNode, searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        while (search.next()) {
            try {
                try {
                    Entry entry = search.get();
                    Dn dn2 = entry.getDn();
                    dn2.apply(this.schemaManager);
                    if (this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn2, entry)) {
                        this.nexus.modify(new ModifyOperationContext(moveOperationContext.getSession(), dn2, getOperationalModsForReplace(dn, add2, subentry, entry)));
                    }
                } catch (Exception e) {
                    throw new LdapOperationException(e.getMessage(), e);
                }
            } catch (Throwable th) {
                try {
                    search.close();
                } catch (Exception e2) {
                    LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e2);
                }
                throw th;
            }
        }
        try {
            search.close();
        } catch (Exception e3) {
            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e3);
        }
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        Dn dn = moveAndRenameOperationContext.getDn();
        Dn newSuperiorDn = moveAndRenameOperationContext.getNewSuperiorDn();
        Entry originalEntry = moveAndRenameOperationContext.getOriginalEntry();
        if (!originalEntry.contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC)) {
            if (hasAdministrativeDescendant(moveAndRenameOperationContext, dn)) {
                String err = I18n.err(I18n.ERR_308, new Object[0]);
                LOG.warn(err);
                throw new LdapSchemaViolationException(ResultCodeEnum.NOT_ALLOWED_ON_RDN, err);
            }
            next(moveAndRenameOperationContext);
            Dn newDn = moveAndRenameOperationContext.getNewDn();
            List<Modification> modsOnEntryRdnChange = getModsOnEntryRdnChange(dn, newDn, originalEntry);
            if (modsOnEntryRdnChange.size() > 0) {
                this.nexus.modify(new ModifyOperationContext(moveAndRenameOperationContext.getSession(), newDn, modsOnEntryRdnChange));
                return;
            }
            return;
        }
        Subentry removeSubentry = this.directoryService.getSubentryCache().removeSubentry(dn);
        SubtreeSpecification subtreeSpecification = removeSubentry.getSubtreeSpecification();
        Dn parent = dn.getParent();
        Dn add = parent.add(subtreeSpecification.getBase());
        Dn add2 = newSuperiorDn.getParent().add(moveAndRenameOperationContext.getNewRdn());
        add2.apply(this.schemaManager);
        this.directoryService.getSubentryCache().addSubentry(add2, removeSubentry);
        next(moveAndRenameOperationContext);
        Subentry subentry = this.directoryService.getSubentryCache().getSubentry(add2);
        PresenceNode presenceNode = new PresenceNode(this.directoryService.getAtProvider().getObjectClass());
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{"+", "*"});
        SearchOperationContext searchOperationContext = new SearchOperationContext(moveAndRenameOperationContext.getSession(), add, presenceNode, searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        while (search.next()) {
            try {
                try {
                    Entry entry = search.get();
                    Dn dn2 = entry.getDn();
                    dn2.apply(this.schemaManager);
                    if (this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn2, entry)) {
                        this.nexus.modify(new ModifyOperationContext(moveAndRenameOperationContext.getSession(), dn2, getOperationalModsForReplace(dn, add2, subentry, entry)));
                    }
                } catch (Exception e) {
                    throw new LdapOperationException(e.getMessage(), e);
                }
            } catch (Throwable th) {
                try {
                    search.close();
                } catch (Exception e2) {
                    LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e2);
                }
                throw th;
            }
        }
        try {
            search.close();
        } catch (Exception e3) {
            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e3);
        }
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        Dn dn = renameOperationContext.getDn();
        Entry clonedEntry = ((ClonedServerEntry) renameOperationContext.getEntry()).getClonedEntry();
        if (!clonedEntry.contains(this.directoryService.getAtProvider().getObjectClass(), SchemaConstants.SUBENTRY_OC)) {
            if (hasAdministrativeDescendant(renameOperationContext, dn)) {
                String err = I18n.err(I18n.ERR_308, new Object[0]);
                LOG.warn(err);
                throw new LdapSchemaViolationException(ResultCodeEnum.NOT_ALLOWED_ON_RDN, err);
            }
            next(renameOperationContext);
            Dn newDn = renameOperationContext.getNewDn();
            List<Modification> modsOnEntryRdnChange = getModsOnEntryRdnChange(dn, newDn, clonedEntry);
            if (modsOnEntryRdnChange.size() > 0) {
                this.nexus.modify(new ModifyOperationContext(renameOperationContext.getSession(), newDn, modsOnEntryRdnChange));
                return;
            }
            return;
        }
        Subentry removeSubentry = this.directoryService.getSubentryCache().removeSubentry(dn);
        SubtreeSpecification subtreeSpecification = removeSubentry.getSubtreeSpecification();
        Dn parent = dn.getParent();
        Dn add = parent.add(subtreeSpecification.getBase());
        Dn add2 = dn.getParent().add(renameOperationContext.getNewRdn());
        add2.apply(this.schemaManager);
        this.directoryService.getSubentryCache().addSubentry(add2, removeSubentry);
        next(renameOperationContext);
        Subentry subentry = this.directoryService.getSubentryCache().getSubentry(add2);
        PresenceNode presenceNode = new PresenceNode(this.directoryService.getAtProvider().getObjectClass());
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{"+", "*"});
        SearchOperationContext searchOperationContext = new SearchOperationContext(renameOperationContext.getSession(), add, presenceNode, searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        while (search.next()) {
            try {
                try {
                    Entry entry = search.get();
                    Dn dn2 = entry.getDn();
                    dn2.apply(this.schemaManager);
                    if (this.directoryService.getEvaluator().evaluate(subtreeSpecification, parent, dn2, entry)) {
                        this.nexus.modify(new ModifyOperationContext(renameOperationContext.getSession(), dn2, getOperationalModsForReplace(dn, add2, subentry, entry)));
                    }
                } catch (Throwable th) {
                    try {
                        search.close();
                    } catch (Exception e) {
                        LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e);
                    }
                    throw th;
                }
            } catch (Exception e2) {
                throw new LdapOperationException(e2.getMessage(), e2);
            }
        }
        try {
            search.close();
        } catch (Exception e3) {
            LOG.error(I18n.err(I18n.ERR_168, new Object[0]), (Throwable) e3);
        }
    }

    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
        EntryFilteringCursor next = next(searchOperationContext);
        if (searchOperationContext.getScope() != SearchScope.OBJECT && !searchOperationContext.isSyncreplSearch()) {
            if (isSubentryVisible(searchOperationContext)) {
                next.addEntryFilter(new HideEntriesFilter());
            } else {
                next.addEntryFilter(new HideSubentriesFilter());
            }
            return next;
        }
        return next;
    }
}
