package org.apache.directory.server.core.authz;

import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.directory.SearchControls;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.entry.ServerEntryUtils;
import org.apache.directory.server.core.api.filtering.EntryFilter;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.CompareOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.GetRootDseOperationContext;
import org.apache.directory.server.core.api.interceptor.context.HasEntryOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.api.partition.PartitionNexus;
import org.apache.directory.server.core.api.subtree.SubentryUtils;
import org.apache.directory.server.core.authz.support.ACDFEngine;
import org.apache.directory.server.core.authz.support.AciContext;
import org.apache.directory.server.core.shared.DefaultCoreSession;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.model.constants.Loggers;
import org.apache.directory.shared.ldap.model.constants.SchemaConstants;
import org.apache.directory.shared.ldap.model.entry.Attribute;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.entry.Modification;
import org.apache.directory.shared.ldap.model.entry.ModificationOperation;
import org.apache.directory.shared.ldap.model.entry.StringValue;
import org.apache.directory.shared.ldap.model.entry.Value;
import org.apache.directory.shared.ldap.model.exception.LdapException;
import org.apache.directory.shared.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.model.exception.LdapOperationErrorException;
import org.apache.directory.shared.ldap.model.exception.LdapOperationException;
import org.apache.directory.shared.ldap.model.filter.EqualityNode;
import org.apache.directory.shared.ldap.model.filter.ExprNode;
import org.apache.directory.shared.ldap.model.filter.OrNode;
import org.apache.directory.shared.ldap.model.message.AliasDerefMode;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.apache.directory.shared.ldap.model.schema.AttributeType;
import org.apache.directory.shared.ldap.model.schema.normalizers.ConcreteNameComponentNormalizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/apacheds-interceptors-authz-2.0.0-M5.jar:org/apache/directory/server/core/authz/AciAuthorizationInterceptor.class */
public class AciAuthorizationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(AciAuthorizationInterceptor.class);
    // Dedicated ACI logger (Loggers.ACI_LOG); written at debug level by add() for decision tracing.
    private static final Logger ACI_LOG = LoggerFactory.getLogger(Loggers.ACI_LOG.getName());
    // Micro-operation sets handed to ACDFEngine.checkPermission for each LDAP operation.
    // Their contents are assigned in the static initializer, which lies outside this view.
    private static final Collection<MicroOperation> ADD_PERMS;
    private static final Collection<MicroOperation> READ_PERMS;
    private static final Collection<MicroOperation> COMPARE_PERMS;
    private static final Collection<MicroOperation> SEARCH_ENTRY_PERMS;
    private static final Collection<MicroOperation> SEARCH_ATTRVAL_PERMS;
    private static final Collection<MicroOperation> REMOVE_PERMS;
    private static final Collection<MicroOperation> BROWSE_PERMS;
    private static final Collection<MicroOperation> LOOKUP_PERMS;
    private static final Collection<MicroOperation> REPLACE_PERMS;
    private static final Collection<MicroOperation> RENAME_PERMS;
    private static final Collection<MicroOperation> EXPORT_PERMS;
    private static final Collection<MicroOperation> IMPORT_PERMS;
    private static final Collection<MicroOperation> MOVERENAME_PERMS;
    // Cache of prescriptive ACI tuples, keyed by access-control subentry DN; primed by initTupleCache()
    // and kept current by the add/delete/modify/move hooks below.
    private TupleCache tupleCache;
    // Cache of groupOfNames / groupOfUniqueNames membership; primed by initGroupCache() and maintained
    // by the same hooks. Queried with the principal's normalized DN.
    private GroupCache groupCache;
    // Parser for entryACI / subentryACI attribute values.
    private ACIItemParser aciParser;
    // The access control decision function that evaluates the collected tuples.
    private ACDFEngine engine;
    // Normalized DN of the subschema subentry, read from the RootDSE in init().
    private String subschemaSubentryDn;
    // Direct access to the partition nexus: lookups made through it bypass the remaining interceptor chain.
    private PartitionNexus nexus;
    // Assigned in the static initializer, outside this view.
    public static final SearchControls DEFAULT_SEARCH_CONTROLS;
    // NOTE(review): static, but (re)assigned per instance in init(); the most recently initialized
    // instance's DirectoryService wins for every instance.
    private static SubentryUtils subentryUtils;

    /* renamed from: org.apache.directory.server.core.authz.AciAuthorizationInterceptor$1, reason: invalid class name */
    /* loaded from: input_file:lib/apacheds-interceptors-authz-2.0.0-M5.jar:org/apache/directory/server/core/authz/AciAuthorizationInterceptor$1.class */
    static /* synthetic */ class AnonymousClass1 {
        // Decompiler rendering of javac's synthetic switch map for the enum switch in modify():
        // ModificationOperation.ordinal() -> case label (1 = ADD, 2 = REMOVE, 3 = REPLACE).
        static final /* synthetic */ int[] $SwitchMap$org$apache$directory$shared$ldap$model$entry$ModificationOperation = new int[ModificationOperation.values().length];

        static {
            // Generated code: each NoSuchFieldError catch leaves a constant unmapped if it is absent from
            // the ModificationOperation class loaded at run time, instead of failing class initialization.
            try {
                $SwitchMap$org$apache$directory$shared$ldap$model$entry$ModificationOperation[ModificationOperation.ADD_ATTRIBUTE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // generated: intentionally empty
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$model$entry$ModificationOperation[ModificationOperation.REMOVE_ATTRIBUTE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // generated: intentionally empty
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$model$entry$ModificationOperation[ModificationOperation.REPLACE_ATTRIBUTE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // generated: intentionally empty
            }
        }
    }

    /* loaded from: input_file:lib/apacheds-interceptors-authz-2.0.0-M5.jar:org/apache/directory/server/core/authz/AciAuthorizationInterceptor$AuthorizationFilter.class */
    /**
     * Cursor-level filter attached by list(): every candidate entry is passed to filter() (defined
     * elsewhere in this class) with its schema-normalized DN, and dropped when that returns false.
     */
    private class AuthorizationFilter implements EntryFilter {
        private AuthorizationFilter() {
        }

        public boolean accept(SearchingOperationContext searchingOperationContext, Entry entry) throws Exception {
            Dn normalizedDn = entry.getDn().apply(AciAuthorizationInterceptor.this.schemaManager);
            boolean visible = AciAuthorizationInterceptor.this.filter(searchingOperationContext, normalizedDn, entry);
            return visible;
        }

        /* synthetic */ AuthorizationFilter(AciAuthorizationInterceptor aciAuthorizationInterceptor, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /** Registers this interceptor under InterceptorEnum.ACI_AUTHORIZATION_INTERCEPTOR; real setup happens in init(). */
    public AciAuthorizationInterceptor() {
        super(InterceptorEnum.ACI_AUTHORIZATION_INTERCEPTOR);
    }

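    /**
     * Primes the prescriptive-ACI tuple cache with every accessControlSubentry in the DIT.
     * The search runs as the system administrator (strong authentication level) straight against the
     * nexus, before any client request is served.
     *
     * @throws LdapException if the search fails or a subentry cannot be loaded into the cache
     */
    private void initTupleCache() throws LdapException {
        Dn adminDn = new Dn(this.schemaManager, new String[]{"uid=admin,ou=system"});
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[]{"prescriptiveACI"});
        CoreSession adminSession = new DefaultCoreSession(new LdapPrincipal(this.schemaManager, adminDn, AuthenticationLevel.STRONG), this.directoryService);
        ExprNode subentryFilter = new EqualityNode(OBJECT_CLASS_AT, new StringValue("accessControlSubentry"));
        SearchOperationContext searchContext = new SearchOperationContext(adminSession, Dn.ROOT_DSE, subentryFilter, controls);
        // Aliases are not followed, so only subentries at their real location are collected.
        searchContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor results = this.nexus.search(searchContext);
        try {
            while (results.next()) {
                try {
                    Entry subentry = (Entry) results.get();
                    this.tupleCache.subentryAdded(subentry.getDn(), subentry);
                } catch (Exception e) {
                    throw new LdapOperationException(e.getMessage(), e);
                }
            }
        } finally {
            // Fix: the cursor leaked whenever next() or subentryAdded() threw; it is now always released.
            try {
                results.close();
            } catch (Exception e) {
                LOG.warn("Failed to close the accessControlSubentry search cursor", e);
            }
        }
    }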

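    /**
     * Primes the group cache with every groupOfNames / groupOfUniqueNames entry in the DIT, reading only
     * their member / uniqueMember attributes. Runs as the system administrator straight against the nexus.
     *
     * @throws LdapException if the search fails or a group cannot be loaded into the cache
     */
    private void initGroupCache() throws LdapException {
        Dn adminDn = new Dn(this.schemaManager, new String[]{"uid=admin,ou=system"});
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[]{"member", "uniqueMember"});
        CoreSession adminSession = new DefaultCoreSession(new LdapPrincipal(this.schemaManager, adminDn, AuthenticationLevel.STRONG), this.directoryService);
        ExprNode groupFilter = new OrNode(new ExprNode[]{
            new EqualityNode(OBJECT_CLASS_AT, new StringValue("groupOfNames")),
            new EqualityNode(OBJECT_CLASS_AT, new StringValue("groupOfUniqueNames"))});
        SearchOperationContext searchContext = new SearchOperationContext(adminSession, Dn.ROOT_DSE, groupFilter, controls);
        // Aliases are not followed, so only groups at their real location are collected.
        searchContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor results = this.nexus.search(searchContext);
        try {
            while (results.next()) {
                try {
                    Entry group = (Entry) results.get();
                    this.groupCache.groupAdded(group.getDn(), group);
                } catch (Exception e) {
                    throw new LdapOperationException(e.getMessage(), e);
                }
            }
        } finally {
            // Fix: the cursor leaked whenever next() or groupAdded() threw; it is now always released.
            try {
                results.close();
            } catch (Exception e) {
                LOG.warn("Failed to close the group search cursor", e);
            }
        }
    }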

    /**
     * Wires the interceptor to the directory service: creates the tuple and group caches, the ACI parser
     * and the decision engine, records the subschema subentry DN from the RootDSE, then primes both caches.
     *
     * @param directoryService the service this interceptor is installed in
     * @throws LdapException if the base interceptor, the RootDSE read or either cache priming fails
     */
    public void init(DirectoryService directoryService) throws LdapException {
        LOG.debug("Initializing the AciAuthorizationInterceptor");
        super.init(directoryService);
        this.nexus = directoryService.getPartitionNexus();
        // The tuple cache works with an administrator session so its own reads are never subject to ACI.
        Dn adminDn = directoryService.getDnFactory().create("uid=admin,ou=system");
        LdapPrincipal adminPrincipal = new LdapPrincipal(this.schemaManager, adminDn, AuthenticationLevel.STRONG);
        this.tupleCache = new TupleCache(new DefaultCoreSession(adminPrincipal, directoryService));
        this.groupCache = new GroupCache(directoryService);
        this.aciParser = new ACIItemParser(new ConcreteNameComponentNormalizer(this.schemaManager), this.schemaManager);
        this.engine = new ACDFEngine(this.schemaManager);
        String subschemaSubentry = directoryService.getPartitionNexus().getRootDse((GetRootDseOperationContext) null).get("subschemaSubentry").get().getString();
        this.subschemaSubentryDn = directoryService.getDnFactory().create(subschemaSubentry).getNormName();
        initTupleCache();
        initGroupCache();
        // Static field written from an instance initializer (see the field declaration).
        subentryUtils = new SubentryUtils(directoryService);
    }

    /**
     * Hard deny applied before any ACI evaluation, and (by its callers) even to the administrator:
     * the RootDSE (empty DN) and the administrator's own entry can never be the target of a delete or move.
     *
     * @param operationContext the operation being checked, used to name the principal in the error
     * @param dn the DN the operation targets
     * @throws LdapNoPermissionException when the target is one of the protected entries
     */
    private void protectCriticalEntries(OperationContext operationContext, Dn dn) throws LdapException {
        Dn principalDn = getPrincipal(operationContext).getDn();
        String denial = null;
        if (dn.isEmpty()) {
            denial = I18n.err(I18n.ERR_8);
        } else if (isTheAdministrator(dn)) {
            denial = I18n.err(I18n.ERR_9, principalDn.getName(), dn.getName());
        }
        if (denial != null) {
            LOG.error(denial);
            throw new LdapNoPermissionException(denial);
        }
    }

    /**
     * Adds the prescriptive ACI tuples governing an entry: the cached tuples of every access-control
     * subentry named in its accessControlSubentries operational attribute.
     * A subentry is governed by its parent entry's accessControlSubentries, not its own, so the parent is
     * fetched directly from the nexus (no further authorization) with the caller's session.
     *
     * @param operationContext the current operation, supplying the session for the parent lookup
     * @param collection receives the tuples
     * @param dn the DN of {@code entry}
     * @param entry the governed entry (a ClonedServerEntry is unwrapped to its original)
     */
    private void addPerscriptiveAciTuples(OperationContext operationContext, Collection<ACITuple> collection, Dn dn, Entry entry) throws LdapException {
        Entry governed = entry;
        if (governed instanceof ClonedServerEntry) {
            governed = ((ClonedServerEntry) governed).getOriginalEntry();
        }
        if (governed.get(OBJECT_CLASS_AT).contains("subentry")) {
            LookupOperationContext parentLookup = new LookupOperationContext(operationContext.getSession(), dn.getParent());
            parentLookup.setAttrsId(SchemaConstants.ALL_ATTRIBUTES_ARRAY);
            governed = this.directoryService.getPartitionNexus().lookup(parentLookup);
        }
        Attribute subentryDns = governed.get(ACCESS_CONTROL_SUBENTRIES_AT);
        if (subentryDns == null) {
            return;
        }
        for (Value<?> subentryDn : subentryDns) {
            collection.addAll(this.tupleCache.getACITuples(subentryDn.getString()));
        }
    }

    /**
     * Parses every entryACI value on the entry and adds the resulting tuples.
     * A value that does not parse aborts the whole operation (fail closed) rather than being skipped.
     *
     * @param collection receives the tuples
     * @param entry the entry whose entryACI values are read
     * @throws LdapOperationErrorException when an entryACI value cannot be parsed
     */
    private void addEntryAciTuples(Collection<ACITuple> collection, Entry entry) throws LdapException {
        Attribute entryAcis = entry.get(ENTRY_ACI_AT);
        if (entryAcis == null) {
            return;
        }
        for (Value<?> aciValue : entryAcis) {
            String aciText = aciValue.getString();
            try {
                collection.addAll(this.aciParser.parse(aciText).toTuples());
            } catch (ParseException e) {
                String err = I18n.err(I18n.ERR_10, aciText);
                LOG.error(err, e);
                throw new LdapOperationErrorException(err);
            }
        }
    }

    /**
     * For a subentry, parses the subentryACI values held by its parent entry and adds the tuples.
     * Non-subentries are left untouched. The parent is read directly from the nexus with the caller's
     * session; an unparseable value aborts the operation (fail closed).
     *
     * @param operationContext the current operation, supplying the session for the parent lookup
     * @param collection receives the tuples
     * @param dn the DN of {@code entry}
     * @param entry the entry being checked
     * @throws LdapOperationErrorException when a subentryACI value cannot be parsed
     */
    private void addSubentryAciTuples(OperationContext operationContext, Collection<ACITuple> collection, Dn dn, Entry entry) throws LdapException {
        if (!entry.contains("objectClass", "subentry")) {
            return;
        }
        LookupOperationContext parentLookup = new LookupOperationContext(operationContext.getSession(), dn.getParent(), SchemaConstants.ALL_ATTRIBUTES_ARRAY);
        Attribute subentryAcis = this.directoryService.getPartitionNexus().lookup(parentLookup).getOriginalEntry().get(SUBENTRY_ACI_AT);
        if (subentryAcis == null) {
            return;
        }
        for (Value<?> aciValue : subentryAcis) {
            String aciText = aciValue.getString();
            try {
                collection.addAll(this.aciParser.parse(aciText).toTuples());
            } catch (ParseException e) {
                String err = I18n.err(I18n.ERR_11, aciText);
                LOG.error(err, e);
                throw new LdapOperationErrorException(err);
            }
        }
    }

    /**
     * ACI enforcement for Add: the caller needs Add on the new entry and Add on every attribute value it
     * supplies, judged against the ACIs that will govern the entry at its future position. The
     * administrator bypasses the checks; in every path the caches are updated after the add succeeds.
     *
     * @param addOperationContext the add being performed
     * @throws LdapException on denial (from the engine) or from the chain
     */
    public void add(AddOperationContext addOperationContext) throws LdapException {
        if (!this.directoryService.isAccessControlEnabled()) {
            ACI_LOG.debug("ACI interceptor disabled");
            next(addOperationContext);
            return;
        }
        ACI_LOG.debug("Adding the entry {}", addOperationContext.getEntry());
        LdapPrincipal principal = addOperationContext.getSession().getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        Entry newEntry = addOperationContext.getEntry();
        Dn newEntryDn = addOperationContext.getDn();
        if (isPrincipalAnAdministrator(principalDn)) {
            ACI_LOG.debug("Addition done by the administartor : no check");
            next(addOperationContext);
            this.tupleCache.subentryAdded(newEntryDn, newEntry);
            this.groupCache.groupAdded(newEntryDn, newEntry);
            return;
        }
        // The entry does not exist yet: project the subentry operational attributes it would receive and
        // overlay the supplied attributes, so the governing prescriptive ACIs can be located.
        Entry projected = subentryUtils.getSubentryAttributes(newEntryDn, newEntry);
        for (Attribute supplied : newEntry) {
            projected.put(new Attribute[]{supplied});
        }
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        Set<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(addOperationContext, tuples, newEntryDn, projected);
        // entryACI values carried by the new entry itself are not consulted here (no addEntryAciTuples),
        // presumably so that a caller cannot self-authorize an Add.
        addSubentryAciTuples(addOperationContext, tuples, newEntryDn, projected);
        AciContext entryCheck = new AciContext(this.schemaManager, addOperationContext);
        entryCheck.setUserGroupNames(principalGroups);
        entryCheck.setUserDn(principalDn);
        entryCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        entryCheck.setEntryDn(newEntryDn);
        entryCheck.setMicroOperations(ADD_PERMS);
        entryCheck.setAciTuples(tuples);
        entryCheck.setEntry(projected);
        this.engine.checkPermission(entryCheck);
        // Value-level checks are made against the user-supplied entry, not the projection.
        for (Attribute supplied : newEntry) {
            for (Value<?> suppliedValue : supplied) {
                AciContext valueCheck = new AciContext(this.schemaManager, addOperationContext);
                valueCheck.setUserGroupNames(principalGroups);
                valueCheck.setUserDn(principalDn);
                valueCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
                valueCheck.setEntryDn(newEntryDn);
                valueCheck.setAttributeType(supplied.getAttributeType());
                valueCheck.setAttrValue(suppliedValue);
                valueCheck.setMicroOperations(ADD_PERMS);
                valueCheck.setAciTuples(tuples);
                valueCheck.setEntry(newEntry);
                this.engine.checkPermission(valueCheck);
            }
        }
        next(addOperationContext);
        this.tupleCache.subentryAdded(newEntryDn, newEntry);
        this.groupCache.groupAdded(newEntryDn, newEntry);
    }

    /**
     * ACI enforcement for Compare: Read on the entry, then Compare on the attribute type identified by the
     * request's OID. The administrator, or a server with access control disabled, goes straight through.
     *
     * @param compareOperationContext the compare being performed
     * @return the result of the rest of the chain
     * @throws LdapException on denial (from the engine) or from the chain
     */
    public boolean compare(CompareOperationContext compareOperationContext) throws LdapException {
        CoreSession session = compareOperationContext.getSession();
        Dn entryDn = compareOperationContext.getDn();
        String attributeOid = compareOperationContext.getOid();
        Entry original = compareOperationContext.getOriginalEntry();
        LdapPrincipal principal = session.getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        boolean unrestricted = isPrincipalAnAdministrator(principalDn) || !this.directoryService.isAccessControlEnabled();
        if (unrestricted) {
            return next(compareOperationContext);
        }
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        Set<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(compareOperationContext, tuples, entryDn, original);
        addEntryAciTuples(tuples, original);
        addSubentryAciTuples(compareOperationContext, tuples, entryDn, original);
        AciContext entryCheck = new AciContext(this.schemaManager, compareOperationContext);
        entryCheck.setUserGroupNames(principalGroups);
        entryCheck.setUserDn(principalDn);
        entryCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        entryCheck.setEntryDn(entryDn);
        entryCheck.setMicroOperations(READ_PERMS);
        entryCheck.setAciTuples(tuples);
        entryCheck.setEntry(original);
        this.engine.checkPermission(entryCheck);
        AttributeType comparedType = this.schemaManager.lookupAttributeTypeRegistry(attributeOid);
        AciContext attributeCheck = new AciContext(this.schemaManager, compareOperationContext);
        attributeCheck.setUserGroupNames(principalGroups);
        attributeCheck.setUserDn(principalDn);
        attributeCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        attributeCheck.setEntryDn(entryDn);
        attributeCheck.setAttributeType(comparedType);
        attributeCheck.setMicroOperations(COMPARE_PERMS);
        attributeCheck.setAciTuples(tuples);
        attributeCheck.setEntry(original);
        this.engine.checkPermission(attributeCheck);
        return next(compareOperationContext);
    }

    /**
     * ACI enforcement for Delete: the protected entries (RootDSE, administrator) are refused for everyone
     * first, then a non-administrator needs Remove on the entry. Both caches are updated after the delete.
     *
     * @param deleteOperationContext the delete being performed
     * @throws LdapException on denial or from the chain
     */
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        CoreSession session = deleteOperationContext.getSession();
        if (!this.directoryService.isAccessControlEnabled()) {
            next(deleteOperationContext);
            return;
        }
        Dn entryDn = deleteOperationContext.getDn();
        LdapPrincipal principal = session.getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        Entry target = deleteOperationContext.getEntry();
        // Deliberately before the administrator shortcut: nobody deletes the RootDSE or the admin entry.
        protectCriticalEntries(deleteOperationContext, entryDn);
        if (isPrincipalAnAdministrator(principalDn)) {
            next(deleteOperationContext);
            this.tupleCache.subentryDeleted(entryDn, target);
            this.groupCache.groupDeleted(entryDn, target);
            return;
        }
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        Set<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(deleteOperationContext, tuples, entryDn, target);
        addEntryAciTuples(tuples, target);
        addSubentryAciTuples(deleteOperationContext, tuples, entryDn, target);
        AciContext removeCheck = new AciContext(this.schemaManager, deleteOperationContext);
        removeCheck.setUserGroupNames(principalGroups);
        removeCheck.setUserDn(principalDn);
        removeCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        removeCheck.setEntryDn(entryDn);
        removeCheck.setMicroOperations(REMOVE_PERMS);
        removeCheck.setAciTuples(tuples);
        removeCheck.setEntry(target);
        this.engine.checkPermission(removeCheck);
        next(deleteOperationContext);
        this.tupleCache.subentryDeleted(entryDn, target);
        this.groupCache.groupDeleted(entryDn, target);
    }

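    /**
     * ACI enforcement for the existence check: a non-administrator needs Browse on the entry.
     * The RootDSE always exists and is never checked.
     *
     * @param hasEntryOperationContext the check being performed
     * @return whether the entry exists, as answered by the rest of the chain
     * @throws LdapException on denial, from the entry lookup, or from the chain
     */
    public boolean hasEntry(HasEntryOperationContext hasEntryOperationContext) throws LdapException {
        Dn entryDn = hasEntryOperationContext.getDn();
        if (!this.directoryService.isAccessControlEnabled()) {
            return entryDn.isRootDse() || next(hasEntryOperationContext);
        }
        boolean exists = next(hasEntryOperationContext);
        if (entryDn.isRootDse()) {
            return exists;
        }
        CoreSession session = hasEntryOperationContext.getSession();
        LdapPrincipal principal = session.getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        if (isPrincipalAnAdministrator(principalDn)) {
            return exists;
        }
        // NOTE(review): the entry is fetched before the Browse check, regardless of `exists`. A DN that does
        // not exist therefore fails here with whatever the nexus lookup raises, while an existing but
        // forbidden DN fails with LdapNoPermissionException from the engine -- an unprivileged caller can
        // tell the two apart. Confirm this is acceptable against the disclosure policy for Browse.
        ClonedServerEntry target = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(session, entryDn, SchemaConstants.ALL_ATTRIBUTES_ARRAY));
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        Set<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(hasEntryOperationContext, tuples, entryDn, target);
        addEntryAciTuples(tuples, target.getOriginalEntry());
        addSubentryAciTuples(hasEntryOperationContext, tuples, entryDn, target.getOriginalEntry());
        AciContext browseCheck = new AciContext(this.schemaManager, hasEntryOperationContext);
        browseCheck.setUserGroupNames(principalGroups);
        browseCheck.setUserDn(principalDn);
        browseCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        browseCheck.setEntryDn(entryDn);
        browseCheck.setMicroOperations(BROWSE_PERMS);
        browseCheck.setAciTuples(tuples);
        browseCheck.setEntry(target.getOriginalEntry());
        this.engine.checkPermission(browseCheck);
        // Fix: the existence answer was recomputed by a second trip through the whole interceptor chain
        // after the check; the answer already obtained above is returned instead.
        return exists;
    }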

    /**
     * One-level listing: the cursor returned by the chain is filtered lazily, entry by entry, through
     * AuthorizationFilter, unless the caller is the administrator or access control is disabled.
     *
     * @param listOperationContext the list being performed
     * @return the chain's cursor, possibly wrapped with the authorization filter
     * @throws LdapException from the chain
     */
    public EntryFilteringCursor list(ListOperationContext listOperationContext) throws LdapException {
        LdapPrincipal principal = listOperationContext.getSession().getEffectivePrincipal();
        EntryFilteringCursor cursor = next(listOperationContext);
        boolean unrestricted = isPrincipalAnAdministrator(principal.getDn()) || !this.directoryService.isAccessControlEnabled();
        if (!unrestricted) {
            cursor.addEntryFilter(new AuthorizationFilter(this, null));
        }
        return cursor;
    }

    /**
     * ACI enforcement for Lookup: the administrator (or a server with access control disabled) goes through
     * the chain; anyone else gets the entry read directly from the nexus and vetted by checkLookupAccess
     * (defined elsewhere in this class).
     *
     * @param lookupOperationContext the lookup being performed
     * @return the entry, after access checks
     * @throws LdapException on denial or from the lookup
     */
    public Entry lookup(LookupOperationContext lookupOperationContext) throws LdapException {
        Dn principalDn = lookupOperationContext.getSession().getEffectivePrincipal().getDn();
        if (!principalDn.isSchemaAware()) {
            // Normalizes the principal's Dn object in place (the return value of apply() is discarded),
            // presumably so the administrator comparison below sees a normalized DN.
            principalDn.apply(this.schemaManager);
        }
        boolean unrestricted = isPrincipalAnAdministrator(principalDn) || !this.directoryService.isAccessControlEnabled();
        if (unrestricted) {
            return next(lookupOperationContext);
        }
        // Read through the nexus rather than next(): interceptors placed after this one are not consulted.
        Entry target = this.directoryService.getPartitionNexus().lookup(lookupOperationContext);
        checkLookupAccess(lookupOperationContext, target);
        return target;
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:14:0x0143. Please report as an issue. */
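    /**
     * ACI enforcement for Modify: entry-level Modify permission, then an attribute-level check where a
     * modification creates or deletes a whole attribute, then a value-level Add/Remove/Replace check for
     * every value, each judged against a view of the entry as it looks after the preceding modifications.
     * The administrator bypasses the checks; in every path the caches are refreshed after the modify.
     *
     * @param modifyOperationContext the modify being performed
     * @throws LdapException on denial (from the engine) or from the chain
     */
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        Dn entryDn = modifyOperationContext.getDn();
        Entry entry = modifyOperationContext.getEntry();
        LdapPrincipal principal = modifyOperationContext.getSession().getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        if (!this.directoryService.isAccessControlEnabled()) {
            next(modifyOperationContext);
            return;
        }
        List<Modification> modItems = modifyOperationContext.getModItems();
        if (isPrincipalAnAdministrator(principalDn)) {
            next(modifyOperationContext);
            refreshCachesAfterModify(modifyOperationContext, entryDn, modItems, entry);
            return;
        }
        // Fix: every other operation in this class keys the group cache by the normalized principal DN;
        // modify used the raw user-supplied form, so group memberships -- and with them group-scoped ACI
        // grants and denials -- could be missed for this operation alone.
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        Set<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(modifyOperationContext, tuples, entryDn, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(modifyOperationContext, tuples, entryDn, entry);
        AciContext entryCheck = new AciContext(this.schemaManager, modifyOperationContext);
        entryCheck.setUserGroupNames(principalGroups);
        entryCheck.setUserDn(principalDn);
        entryCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        entryCheck.setEntryDn(entryDn);
        entryCheck.setMicroOperations(Collections.singleton(MicroOperation.MODIFY));
        entryCheck.setAciTuples(tuples);
        entryCheck.setEntry(entry);
        this.engine.checkPermission(entryCheck);
        // Declared outside the loop on purpose: an unmapped operation keeps the previous set, as before.
        Collection<MicroOperation> perms = null;
        Entry entryView = entry.clone();
        for (Modification modification : modItems) {
            Attribute modAttribute = modification.getAttribute();
            switch (modification.getOperation()) {
                case ADD_ATTRIBUTE: {
                    perms = ADD_PERMS;
                    // Introducing a new attribute type needs attribute-level Add.
                    if (entry.get(modAttribute.getId()) == null) {
                        AciContext attributeCheck = new AciContext(this.schemaManager, modifyOperationContext);
                        attributeCheck.setUserGroupNames(principalGroups);
                        attributeCheck.setUserDn(principalDn);
                        attributeCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
                        attributeCheck.setEntryDn(entryDn);
                        attributeCheck.setAttributeType(modAttribute.getAttributeType());
                        attributeCheck.setMicroOperations(perms);
                        attributeCheck.setAciTuples(tuples);
                        attributeCheck.setEntry(entry);
                        this.engine.checkPermission(attributeCheck);
                    }
                    break;
                }
                case REMOVE_ATTRIBUTE: {
                    perms = REMOVE_PERMS;
                    Attribute existing = entry.get(modAttribute.getId());
                    // Attribute-level Remove is required when the attribute as a whole goes away: either it has
                    // a single value left, or (fix) the modification carries no values, i.e. it deletes the
                    // entire attribute -- previously such a multi-valued delete got only the entry-level check,
                    // because the value loop below has nothing to iterate.
                    // NOTE(review): a delete that lists every value explicitly still passes with value-level
                    // checks only; a REPLACE with no values (attribute deletion) gets no attribute-level check.
                    boolean removesWholeAttribute = existing != null && (existing.size() == 1 || modAttribute.size() == 0);
                    if (removesWholeAttribute) {
                        AciContext attributeCheck = new AciContext(this.schemaManager, modifyOperationContext);
                        attributeCheck.setUserGroupNames(principalGroups);
                        attributeCheck.setUserDn(principalDn);
                        attributeCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
                        attributeCheck.setEntryDn(entryDn);
                        attributeCheck.setAttributeType(modAttribute.getAttributeType());
                        attributeCheck.setMicroOperations(perms);
                        attributeCheck.setAciTuples(tuples);
                        attributeCheck.setEntry(entry);
                        this.engine.checkPermission(attributeCheck);
                    }
                    break;
                }
                case REPLACE_ATTRIBUTE: {
                    perms = REPLACE_PERMS;
                    break;
                }
                default: {
                    break;
                }
            }
            // Advance the view so each value is judged against the cumulative result of earlier mods.
            entryView = ServerEntryUtils.getTargetEntry(modification, entryView, this.schemaManager);
            for (Value<?> modValue : modAttribute) {
                AciContext valueCheck = new AciContext(this.schemaManager, modifyOperationContext);
                valueCheck.setUserGroupNames(principalGroups);
                valueCheck.setUserDn(principalDn);
                valueCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
                valueCheck.setEntryDn(entryDn);
                valueCheck.setAttributeType(modAttribute.getAttributeType());
                valueCheck.setAttrValue(modValue);
                valueCheck.setMicroOperations(perms);
                valueCheck.setAciTuples(tuples);
                valueCheck.setEntry(entry);
                valueCheck.setEntryView(entryView);
                this.engine.checkPermission(valueCheck);
            }
        }
        next(modifyOperationContext);
        refreshCachesAfterModify(modifyOperationContext, entryDn, modItems, entry);
    }

    /**
     * Re-reads the modified entry from the nexus (caller's session, no further authorization) and pushes
     * the modification into both caches, so that a changed subentry or group membership is seen by the
     * next authorization decision.
     *
     * @param modifyOperationContext the modify that just completed
     * @param entryDn the modified entry's DN
     * @param modItems the modifications applied
     * @param entry the entry as it was before the modify
     */
    private void refreshCachesAfterModify(ModifyOperationContext modifyOperationContext, Dn entryDn, List<Modification> modItems, Entry entry) throws LdapException {
        Entry modified = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(modifyOperationContext.getSession(), entryDn, SchemaConstants.ALL_ATTRIBUTES_ARRAY));
        this.tupleCache.subentryModified(entryDn, modItems, modified);
        this.groupCache.groupModified(entryDn, modItems, entry, this.schemaManager);
    }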

    /**
     * ACI enforcement for Move (modifyDN keeping the RDN): the protected entries are refused for everyone,
     * then a non-administrator needs Export where the entry is now and Import at the destination. The
     * destination check uses only the prescriptive ACIs that would govern the entry under its new DN
     * (entryACI / subentryACI are not consulted for Import). Caches are updated after the move.
     *
     * @param moveOperationContext the move being performed
     * @throws LdapException on denial or from the chain
     */
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        Dn sourceDn = moveOperationContext.getDn();
        Entry original = moveOperationContext.getOriginalEntry();
        CoreSession session = moveOperationContext.getSession();
        Dn targetDn = moveOperationContext.getNewDn();
        LdapPrincipal principal = session.getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        if (!this.directoryService.isAccessControlEnabled()) {
            next(moveOperationContext);
            return;
        }
        // Before the administrator shortcut: the RootDSE and the admin entry are never moved by anyone.
        protectCriticalEntries(moveOperationContext, sourceDn);
        if (isPrincipalAnAdministrator(principalDn)) {
            next(moveOperationContext);
            this.tupleCache.subentryRenamed(sourceDn, targetDn);
            this.groupCache.groupRenamed(sourceDn, targetDn);
            return;
        }
        Set<Dn> principalGroups = this.groupCache.getGroups(principalDn.getNormName());
        // Source side: Export under the ACIs currently governing the entry.
        Set<ACITuple> sourceTuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(moveOperationContext, sourceTuples, sourceDn, original);
        addEntryAciTuples(sourceTuples, original);
        addSubentryAciTuples(moveOperationContext, sourceTuples, sourceDn, original);
        AciContext exportCheck = new AciContext(this.schemaManager, moveOperationContext);
        exportCheck.setUserGroupNames(principalGroups);
        exportCheck.setUserDn(principalDn);
        exportCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        exportCheck.setEntryDn(sourceDn);
        exportCheck.setMicroOperations(EXPORT_PERMS);
        exportCheck.setAciTuples(sourceTuples);
        exportCheck.setEntry(original);
        this.engine.checkPermission(exportCheck);
        // Destination side: re-read the user attributes from the nexus, project the subentry operational
        // attributes the entry would carry under targetDn, and check Import against those ACIs.
        Entry userAttributes = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(session, sourceDn, SchemaConstants.ALL_USER_ATTRIBUTES_ARRAY));
        Entry projected = subentryUtils.getSubentryAttributes(targetDn, userAttributes);
        for (Attribute userAttribute : userAttributes) {
            projected.put(new Attribute[]{userAttribute});
        }
        Set<ACITuple> targetTuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples(moveOperationContext, targetTuples, targetDn, projected);
        AciContext importCheck = new AciContext(this.schemaManager, moveOperationContext);
        importCheck.setUserGroupNames(principalGroups);
        importCheck.setUserDn(principalDn);
        importCheck.setAuthenticationLevel(principal.getAuthenticationLevel());
        importCheck.setEntryDn(targetDn);
        importCheck.setMicroOperations(IMPORT_PERMS);
        importCheck.setAciTuples(targetTuples);
        importCheck.setEntry(projected);
        this.engine.checkPermission(importCheck);
        next(moveOperationContext);
        this.tupleCache.subentryRenamed(sourceDn, targetDn);
        this.groupCache.groupRenamed(sourceDn, targetDn);
    }

    /**
     * Authorizes a combined move-and-rename (modifyDN with both a new superior and a new RDN).
     *
     * The check order matters and is preserved from the original:
     * <ol>
     *   <li>Access control disabled: the operation is passed straight through. Note that the
     *       tuple/group caches are NOT updated on this path (they are on the others).</li>
     *   <li>{@link #protectCriticalEntries} runs before the administrator short-cut, so whatever
     *       it enforces applies to administrators as well.</li>
     *   <li>Administrators bypass the ACI engine but still get the caches updated.</li>
     *   <li>Everyone else needs EXPORT and RENAME on the source entry (all three tuple sources:
     *       prescriptive, entry and subentry ACIs), and then IMPORT at the destination. The
     *       destination check is evaluated against a synthetic entry: the subentry attributes
     *       computed for {@code newDn}, overlaid with the source entry's USER attributes only
     *       (the lookup asks for ALL_USER_ATTRIBUTES), and only prescriptive ACIs are consulted
     *       for it.</li>
     * </ol>
     * The downstream operation runs only after every check has passed, and the caches are
     * updated only after it returns normally.
     *
     * @param moveAndRenameOperationContext the operation being authorized
     * @throws LdapException presumably when a permission check is denied, or when the
     *                       downstream interceptor fails
     */
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        Dn oldDn = moveAndRenameOperationContext.getDn();
        Dn newDn = moveAndRenameOperationContext.getNewDn();
        CoreSession session = moveAndRenameOperationContext.getSession();
        Entry sourceEntry = moveAndRenameOperationContext.getOriginalEntry();
        LdapPrincipal principal = session.getEffectivePrincipal();
        Dn principalDn = principal.getDn();

        // Bypass authorization entirely when the ACI subsystem is switched off.
        if (!directoryService.isAccessControlEnabled()) {
            next(moveAndRenameOperationContext);
            return;
        }

        // Critical-entry protection applies to everyone, including administrators.
        protectCriticalEntries(moveAndRenameOperationContext, oldDn);

        // Administrators skip the ACI engine, but the caches must still follow the rename.
        if (isPrincipalAnAdministrator(principalDn)) {
            next(moveAndRenameOperationContext);
            tupleCache.subentryRenamed(oldDn, newDn);
            groupCache.groupRenamed(oldDn, newDn);
            return;
        }

        Set<Dn> userGroups = groupCache.getGroups(principalDn.getNormName());

        // Source side: EXPORT + RENAME on the entry as it exists today.
        HashSet exportTuples = new HashSet();
        addPerscriptiveAciTuples(moveAndRenameOperationContext, exportTuples, oldDn, sourceEntry);
        addEntryAciTuples(exportTuples, sourceEntry);
        addSubentryAciTuples(moveAndRenameOperationContext, exportTuples, oldDn, sourceEntry);

        AciContext exportContext = new AciContext(schemaManager, moveAndRenameOperationContext);
        exportContext.setUserGroupNames(userGroups);
        exportContext.setUserDn(principalDn);
        exportContext.setAuthenticationLevel(principal.getAuthenticationLevel());
        exportContext.setEntryDn(oldDn);
        exportContext.setMicroOperations(MOVERENAME_PERMS);
        exportContext.setAciTuples(exportTuples);
        exportContext.setEntry(sourceEntry);
        engine.checkPermission(exportContext);

        // Destination side: model the entry as it would look under newDn (subentry attributes
        // of the new location plus the source's user attributes) and require IMPORT there.
        // The nexus lookup is direct, i.e. it does not itself pass through the interceptors.
        Entry userAttributes = directoryService.getPartitionNexus().lookup(
                new LookupOperationContext(session, oldDn, SchemaConstants.ALL_USER_ATTRIBUTES_ARRAY));
        Entry importedEntry = subentryUtils.getSubentryAttributes(newDn, userAttributes);
        for (Iterator it = userAttributes.iterator(); it.hasNext();) {
            importedEntry.put(new Attribute[]{(Attribute) it.next()});
        }

        HashSet importTuples = new HashSet();
        addPerscriptiveAciTuples(moveAndRenameOperationContext, importTuples, newDn, importedEntry);

        AciContext importContext = new AciContext(schemaManager, moveAndRenameOperationContext);
        importContext.setUserGroupNames(userGroups);
        importContext.setUserDn(principalDn);
        importContext.setAuthenticationLevel(principal.getAuthenticationLevel());
        importContext.setEntryDn(newDn);
        importContext.setMicroOperations(IMPORT_PERMS);
        importContext.setAciTuples(importTuples);
        importContext.setEntry(importedEntry);
        engine.checkPermission(importContext);

        // Every check passed: perform the operation, then keep the caches in sync.
        next(moveAndRenameOperationContext);
        tupleCache.subentryRenamed(oldDn, newDn);
        groupCache.groupRenamed(oldDn, newDn);
    }

    /**
     * Authorizes a plain rename (modifyDN that changes only the RDN; the parent is unchanged).
     *
     * Unlike the move variants, only RENAME on the entry itself is required and there is no
     * IMPORT check at the new DN. The check order mirrors the other modifyDN handlers:
     * access control disabled -> pass through (no cache update); critical-entry protection
     * for everyone; administrators bypass the engine but still update the caches; everyone
     * else must hold RENAME on the entry, evaluated over prescriptive, entry and subentry ACIs.
     *
     * The entry handed to the engine is the original (unfiltered) server entry when the
     * context carries one, otherwise {@code null}. Whether the tuple helpers and the engine
     * tolerate a null entry is not visible here -- TODO confirm.
     *
     * @param renameOperationContext the operation being authorized
     * @throws LdapException presumably when the permission check is denied, or when the
     *                       downstream interceptor fails
     */
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        Dn oldDn = renameOperationContext.getDn();
        Entry originalEntry = renameOperationContext.getEntry() == null
                ? null
                : renameOperationContext.getEntry().getOriginalEntry();
        LdapPrincipal principal = renameOperationContext.getSession().getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        Dn newDn = renameOperationContext.getNewDn();

        // Bypass authorization entirely when the ACI subsystem is switched off.
        if (!directoryService.isAccessControlEnabled()) {
            next(renameOperationContext);
            return;
        }

        // Critical-entry protection applies to everyone, including administrators.
        protectCriticalEntries(renameOperationContext, oldDn);

        // Administrators skip the ACI engine, but the caches must still follow the rename.
        if (isPrincipalAnAdministrator(principalDn)) {
            next(renameOperationContext);
            tupleCache.subentryRenamed(oldDn, newDn);
            groupCache.groupRenamed(oldDn, newDn);
            return;
        }

        Set<Dn> userGroups = groupCache.getGroups(principalDn.getNormName());

        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(renameOperationContext, tuples, oldDn, originalEntry);
        addEntryAciTuples(tuples, originalEntry);
        addSubentryAciTuples(renameOperationContext, tuples, oldDn, originalEntry);

        AciContext renameContext = new AciContext(schemaManager, renameOperationContext);
        renameContext.setUserGroupNames(userGroups);
        renameContext.setUserDn(principalDn);
        renameContext.setAuthenticationLevel(principal.getAuthenticationLevel());
        renameContext.setEntryDn(oldDn);
        renameContext.setMicroOperations(RENAME_PERMS);
        renameContext.setAciTuples(tuples);
        renameContext.setEntry(originalEntry);
        engine.checkPermission(renameContext);

        // Permission granted: perform the operation, then keep the caches in sync.
        next(renameOperationContext);
        tupleCache.subentryRenamed(oldDn, newDn);
        groupCache.groupRenamed(oldDn, newDn);
    }

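    /**
     * Attaches an {@link AuthorizationFilter} to the search cursor unless the search is exempt.
     *
     * The downstream search is always executed first; authorization is applied lazily, per
     * returned entry, by the filter. No filter is attached -- results flow through unchecked --
     * when any of these holds, tested in this order:
     * <ul>
     *   <li>the effective principal is an administrator,</li>
     *   <li>access control is disabled,</li>
     *   <li>the search is a base-object read of the root DSE (empty base DN, OBJECT scope), or</li>
     *   <li>the search base is the subschema subentry (compared by normalized name).</li>
     * </ul>
     * The subschema exemption keys on the base DN only, not on the requested scope.
     *
     * @param searchOperationContext the search being authorized
     * @return the downstream cursor, with an authorization filter attached unless exempt
     * @throws LdapException if the downstream search fails
     */
    public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
        Dn principalDn = searchOperationContext.getSession().getEffectivePrincipal().getDn();
        EntryFilteringCursor cursor = next(searchOperationContext);

        Dn baseDn = searchOperationContext.getDn();
        boolean isSubschemaSubentrySearch = subschemaSubentryDn.equals(baseDn.getNormName());
        // Named constant instead of the bare 0 the original compared against.
        boolean isRootDseRead = baseDn.size() == 0
                && searchOperationContext.getSearchControls().getSearchScope() == SearchControls.OBJECT_SCOPE;

        if (isPrincipalAnAdministrator(principalDn)
                || !directoryService.isAccessControlEnabled()
                || isRootDseRead
                || isSubschemaSubentrySearch) {
            return cursor;
        }

        cursor.addEntryFilter(new AuthorizationFilter(this, null));
        return cursor;
    }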

    /**
     * Enforces read access for a lookup of {@code entry} at the context's DN.
     *
     * The root DSE is always readable and returns immediately. For any other entry the
     * principal needs READ and BROWSE on the entry as a whole, and then READ on every single
     * attribute value. Each check goes through {@code engine.checkPermission} rather than a
     * boolean test, so the first denied value aborts the whole lookup: nothing is silently
     * stripped here, in contrast to the search-side {@link #filter}. The same tuple set is
     * reused for the entry-level and all value-level decisions.
     *
     * @param lookupOperationContext the lookup being authorized (supplies DN and session)
     * @param entry                  the entry that would be returned to the caller
     * @throws LdapException presumably when any permission check is denied
     */
    private void checkLookupAccess(LookupOperationContext lookupOperationContext, Entry entry) throws LdapException {
        Dn entryDn = lookupOperationContext.getDn();
        if (entryDn.isRootDse()) {
            return;
        }

        LdapPrincipal principal = lookupOperationContext.getSession().getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        Set<Dn> userGroups = groupCache.getGroups(principalDn.getNormName());

        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(lookupOperationContext, tuples, entryDn, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(lookupOperationContext, tuples, entryDn, entry);

        // Entry level: READ + BROWSE on the entry itself.
        AciContext entryContext = new AciContext(schemaManager, lookupOperationContext);
        entryContext.setUserGroupNames(userGroups);
        entryContext.setUserDn(principalDn);
        entryContext.setAuthenticationLevel(principal.getAuthenticationLevel());
        entryContext.setEntryDn(entryDn);
        entryContext.setMicroOperations(LOOKUP_PERMS);
        entryContext.setAciTuples(tuples);
        entryContext.setEntry(entry);
        engine.checkPermission(entryContext);

        // Value level: READ on each individual attribute value; any denial propagates.
        for (Attribute attribute : entry) {
            for (Value<?> value : attribute) {
                AciContext valueContext = new AciContext(schemaManager, lookupOperationContext);
                valueContext.setUserGroupNames(userGroups);
                valueContext.setUserDn(principalDn);
                valueContext.setAuthenticationLevel(principal.getAuthenticationLevel());
                valueContext.setEntryDn(entryDn);
                valueContext.setAttributeType(attribute.getAttributeType());
                valueContext.setAttrValue(value);
                valueContext.setMicroOperations(READ_PERMS);
                valueContext.setAciTuples(tuples);
                valueContext.setEntry(entry);
                engine.checkPermission(valueContext);
            }
        }
    }

    /**
     * Tells whether {@code dn} is treated as an administrator for authorization purposes.
     * The decision is delegated entirely to the group cache; this class adds no logic of its
     * own. Administrators bypass the ACI engine in the operation handlers of this interceptor.
     *
     * @param dn the principal DN to test
     * @return whatever the group cache reports for {@code dn}
     */
    public final boolean isPrincipalAnAdministrator(Dn dn) {
        boolean isAdmin = groupCache.isPrincipalAnAdministrator(dn);
        return isAdmin;
    }

    /**
     * Registers a newly added entry with the group cache so that later membership lookups
     * ({@code groupCache.getGroups}) and administrator checks can see it. Pure delegation;
     * presumably the cache itself decides whether the entry is actually a group.
     *
     * @param dn    DN of the entry that was added
     * @param entry the added entry
     * @throws Exception propagated from the cache
     */
    public void cacheNewGroup(Dn dn, Entry entry) throws Exception {
        groupCache.groupAdded(dn, entry);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Search-side authorization for one candidate result entry (invoked by the entry filter).
     *
     * Fail-closed at the entry level: returns {@code false} -- drop the entry -- unless the
     * principal holds BROWSE and RETURN_DN on it. When the entry survives it is trimmed in
     * place: an attribute type without READ is removed wholesale; inside a readable attribute
     * every value without READ is removed; an attribute left with no values is removed too.
     * Attribute/value denials are therefore silent: the client sees a smaller entry, not an
     * error (contrast {@link #checkLookupAccess}, which fails the whole lookup).
     *
     * The entry-level decision (and the entry/subentry ACI tuples) are evaluated against the
     * original server entry behind the {@link ClonedServerEntry}; the prescriptive tuples and
     * the attribute/value decisions use the clone that is being trimmed.
     *
     * @param operationContext the operation (search/list) producing the entry
     * @param dn               the entry's DN
     * @param entry            the candidate entry; must be a {@link ClonedServerEntry} (the cast
     *                         is unchecked) and is mutated when values or attributes are denied
     * @return {@code true} if the (possibly trimmed) entry may be returned, {@code false} to drop it
     * @throws Exception propagated from the tuple helpers
     */
    public boolean filter(OperationContext operationContext, Dn dn, Entry entry) throws Exception {
        LdapPrincipal principal = operationContext.getSession().getEffectivePrincipal();
        Dn principalDn = principal.getDn();
        Set<Dn> userGroups = groupCache.getGroups(principalDn.getNormName());
        Entry originalEntry = ((ClonedServerEntry) entry).getOriginalEntry();

        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(operationContext, tuples, dn, entry);
        addEntryAciTuples(tuples, originalEntry);
        addSubentryAciTuples(operationContext, tuples, dn, originalEntry);

        // 1. Entry level: BROWSE + RETURN_DN, otherwise the whole entry is dropped.
        AciContext entryContext = new AciContext(schemaManager, operationContext);
        entryContext.setUserGroupNames(userGroups);
        entryContext.setUserDn(principalDn);
        entryContext.setAuthenticationLevel(principal.getAuthenticationLevel());
        entryContext.setEntryDn(dn);
        entryContext.setMicroOperations(SEARCH_ENTRY_PERMS);
        entryContext.setAciTuples(tuples);
        entryContext.setEntry(originalEntry);
        if (!engine.hasPermission(entryContext)) {
            return false;
        }

        // 2. Attribute and value level. Removals are collected first and applied after the
        //    loop so that the attribute collection is never modified while being iterated.
        List<AttributeType> attributesToDrop = new ArrayList<AttributeType>();
        for (Iterator it = entry.getAttributes().iterator(); it.hasNext();) {
            AttributeType attributeType = ((Attribute) it.next()).getAttributeType();
            Attribute attribute = entry.get(attributeType);

            AciContext attributeContext = new AciContext(schemaManager, operationContext);
            attributeContext.setUserGroupNames(userGroups);
            attributeContext.setUserDn(principalDn);
            attributeContext.setAuthenticationLevel(principal.getAuthenticationLevel());
            attributeContext.setEntryDn(dn);
            attributeContext.setAttributeType(attributeType);
            attributeContext.setMicroOperations(SEARCH_ATTRVAL_PERMS);
            attributeContext.setAciTuples(tuples);
            attributeContext.setEntry(entry);
            if (!engine.hasPermission(attributeContext)) {
                // No READ on the attribute type at all: drop it without looking at values.
                attributesToDrop.add(attributeType);
                continue;
            }

            List<Value<?>> valuesToDrop = new ArrayList<Value<?>>();
            for (Value<?> value : attribute) {
                AciContext valueContext = new AciContext(schemaManager, operationContext);
                valueContext.setUserGroupNames(userGroups);
                valueContext.setUserDn(principalDn);
                valueContext.setAuthenticationLevel(principal.getAuthenticationLevel());
                valueContext.setEntryDn(dn);
                valueContext.setAttributeType(attribute.getAttributeType());
                valueContext.setAttrValue(value);
                valueContext.setMicroOperations(SEARCH_ATTRVAL_PERMS);
                valueContext.setAciTuples(tuples);
                valueContext.setEntry(entry);
                if (!engine.hasPermission(valueContext)) {
                    valuesToDrop.add(value);
                }
            }
            for (Value<?> value : valuesToDrop) {
                attribute.remove(new Value[]{value});
            }
            // An attribute whose every value was denied disappears entirely.
            if (attribute.size() == 0) {
                attributesToDrop.add(attributeType);
            }
        }

        for (AttributeType attributeType : attributesToDrop) {
            entry.removeAttributes(new AttributeType[]{attributeType});
        }
        return true;
    }

    /**
     * Tests whether {@code dn} is the built-in system administrator by comparing its
     * normalized name with the normalized, OID-keyed form of {@code uid=admin,ou=system}.
     * Exact string match only: it relies on {@code getNormName()} being canonical and
     * non-null (a null norm name would throw here). Not referenced from the visible part of
     * this class -- the public {@link #isPrincipalAnAdministrator} goes through the group
     * cache instead.
     *
     * @param dn the DN to test
     * @return {@code true} only for the exact normalized admin DN
     */
    private boolean isTheAdministrator(Dn dn) {
        final String adminNormName = "0.9.2342.19200300.100.1.1=admin,2.5.4.11=system";
        String normName = dn.getNormName();
        return normName.equals(adminNormName);
    }

    static {
        // Micro-operation sets handed to the ACI engine. The multi-element ones are wrapped
        // as unmodifiable collections, the single-element ones as immutable singletons;
        // none of them can be mutated by callers. Assignment order is kept as it was.

        // Search, entry level: an entry may be returned only with BROWSE and RETURN_DN.
        HashSet<MicroOperation> searchEntry = new HashSet<MicroOperation>(2);
        Collections.addAll(searchEntry, MicroOperation.BROWSE, MicroOperation.RETURN_DN);
        SEARCH_ENTRY_PERMS = Collections.unmodifiableCollection(searchEntry);

        // Lookup, entry level: READ and BROWSE.
        HashSet<MicroOperation> lookup = new HashSet<MicroOperation>(2);
        Collections.addAll(lookup, MicroOperation.READ, MicroOperation.BROWSE);
        LOOKUP_PERMS = Collections.unmodifiableCollection(lookup);

        // Replace is modelled as a removal followed by an addition.
        HashSet<MicroOperation> replace = new HashSet<MicroOperation>(2);
        Collections.addAll(replace, MicroOperation.ADD, MicroOperation.REMOVE);
        REPLACE_PERMS = Collections.unmodifiableCollection(replace);

        // modifyDN with new superior and new RDN: EXPORT from the source plus RENAME.
        HashSet<MicroOperation> moveRename = new HashSet<MicroOperation>(2);
        Collections.addAll(moveRename, MicroOperation.EXPORT, MicroOperation.RENAME);
        MOVERENAME_PERMS = Collections.unmodifiableCollection(moveRename);

        SEARCH_ATTRVAL_PERMS = Collections.singleton(MicroOperation.READ);
        ADD_PERMS = Collections.singleton(MicroOperation.ADD);
        READ_PERMS = Collections.singleton(MicroOperation.READ);
        COMPARE_PERMS = Collections.singleton(MicroOperation.COMPARE);
        REMOVE_PERMS = Collections.singleton(MicroOperation.REMOVE);
        BROWSE_PERMS = Collections.singleton(MicroOperation.BROWSE);
        RENAME_PERMS = Collections.singleton(MicroOperation.RENAME);
        EXPORT_PERMS = Collections.singleton(MicroOperation.EXPORT);
        IMPORT_PERMS = Collections.singleton(MicroOperation.IMPORT);

        DEFAULT_SEARCH_CONTROLS = new SearchControls();
    }
}
