package org.apache.directory.server.core.authz.support;

import java.util.Collection;
import java.util.Iterator;
import javax.naming.directory.SearchControls;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.MaxImmSubItem;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.exception.LdapException;
import org.apache.directory.shared.ldap.model.exception.LdapOperationException;
import org.apache.directory.shared.ldap.model.exception.LdapOtherException;
import org.apache.directory.shared.ldap.model.filter.ExprNode;
import org.apache.directory.shared.ldap.model.filter.PresenceNode;
import org.apache.directory.shared.ldap.model.message.AliasDerefMode;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.apache.directory.shared.ldap.model.name.Rdn;
import org.apache.directory.shared.ldap.model.schema.AttributeType;
import org.apache.directory.shared.ldap.model.schema.SchemaManager;

/* loaded from: input_file:lib/apacheds-interceptors-authz-2.0.0-M5.jar:org/apache/directory/server/core/authz/support/MaxImmSubFilter.class */
public class MaxImmSubFilter implements ACITupleFilter {
    private final ExprNode childrenFilter;
    private final SearchControls childrenSearchControls;

    public MaxImmSubFilter(SchemaManager schemaManager) {
        AttributeType attributeType = null;
        try {
            attributeType = schemaManager.lookupAttributeTypeRegistry("objectClass");
        } catch (LdapException e) {
        }
        this.childrenFilter = new PresenceNode(attributeType);
        this.childrenSearchControls = new SearchControls();
        this.childrenSearchControls.setSearchScope(1);
    }

    @Override // org.apache.directory.server.core.authz.support.ACITupleFilter
    public Collection<ACITuple> filter(AciContext aciContext, OperationScope operationScope, Entry entry) throws LdapException {
        ACI_LOG.debug("Filtering MaxImmSub...");
        if (!aciContext.getEntryDn().isRootDse() && aciContext.getAciTuples().size() != 0 && operationScope == OperationScope.ENTRY) {
            int i = -1;
            Iterator<ACITuple> it = aciContext.getAciTuples().iterator();
            while (it.hasNext()) {
                ACITuple next = it.next();
                if (next.isGrant()) {
                    Iterator it2 = next.getProtectedItems().iterator();
                    while (true) {
                        if (it2.hasNext()) {
                            MaxImmSubItem maxImmSubItem = (ProtectedItem) it2.next();
                            if (maxImmSubItem instanceof MaxImmSubItem) {
                                if (i < 0) {
                                    i = getImmSubCount(aciContext.getOperationContext(), aciContext.getEntryDn());
                                }
                                if (i >= maxImmSubItem.getValue()) {
                                    it.remove();
                                    break;
                                }
                            }
                        }
                    }
                }
            }
            return aciContext.getAciTuples();
        }
        return aciContext.getAciTuples();
    }

    private int getImmSubCount(OperationContext operationContext, Dn dn) throws LdapException {
        int i = 0;
        EntryFilteringCursor entryFilteringCursor = null;
        try {
            SearchOperationContext searchOperationContext = new SearchOperationContext(operationContext.getSession(), new Dn(operationContext.getSession().getDirectoryService().getSchemaManager(), new Rdn[]{dn.getRdn(dn.size() - 1)}), this.childrenFilter, this.childrenSearchControls);
            searchOperationContext.setAliasDerefMode(AliasDerefMode.DEREF_ALWAYS);
            entryFilteringCursor = operationContext.getSession().getDirectoryService().getPartitionNexus().search(searchOperationContext);
            while (entryFilteringCursor.next()) {
                try {
                    entryFilteringCursor.get();
                    i++;
                } catch (Exception e) {
                    throw new LdapOtherException(e.getMessage(), e);
                }
            }
            if (entryFilteringCursor != null) {
                try {
                    entryFilteringCursor.close();
                } catch (Exception e2) {
                    throw new LdapOperationException(e2.getMessage(), e2);
                }
            }
            return i;
        } catch (Throwable th) {
            if (entryFilteringCursor != null) {
                try {
                    entryFilteringCursor.close();
                } catch (Exception e3) {
                    throw new LdapOperationException(e3.getMessage(), e3);
                }
            }
            throw th;
        }
    }
}
