package org.apache.directory.server.core.authz.support;

import java.util.Collection;
import java.util.Iterator;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.apache.directory.server.core.partition.PartitionNexusProxy;
import org.apache.directory.server.core.subtree.SubtreeEvaluator;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
import org.apache.directory.shared.ldap.aci.UserClass;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;

/* loaded from: input_file:BOOT-INF/lib/apacheds-core-1.0.2.jar:org/apache/directory/server/core/authz/support/RelatedUserClassFilter.class */
/**
 * ACI tuple filter that discards tuples whose user classes and authentication
 * level do not apply to the requestor.
 *
 * <p>Grants and denials are treated asymmetrically. A grant survives only when
 * the requestor matches one of the tuple's user classes <em>and</em> the supplied
 * authentication level is not lower than the tuple's. A denial survives when the
 * requestor matches one of the tuple's user classes <em>or</em> the supplied
 * authentication level is lower than the tuple's.
 *
 * <p>The parameter names in this class come from decompiled output. The roles
 * described below are read off how each value is used here.
 */
public class RelatedUserClassFilter implements ACITupleFilter {
    /** Empty DN handed to the subtree evaluator as the base name. */
    private static final LdapDN ROOTDSE_NAME = LdapDN.EMPTY_LDAPDN;

    /** Evaluates subtree specifications for {@code UserClass.Subtree} user classes. */
    private final SubtreeEvaluator subtreeEvaluator;

    /**
     * @param subtreeEvaluator evaluator used when a tuple names a subtree user class
     */
    public RelatedUserClassFilter(SubtreeEvaluator subtreeEvaluator) {
        this.subtreeEvaluator = subtreeEvaluator;
    }

    /**
     * Removes, in place, every tuple that does not apply to the requestor and
     * returns the same collection instance.
     *
     * @param collection the {@link ACITuple}s to filter; modified through its iterator
     * @param operationScope not used by this filter
     * @param partitionNexusProxy not used by this filter
     * @param collection2 DNs tested against {@code UserClass.UserGroup} names
     *        (presumably the groups the requestor belongs to); null elements are skipped
     * @param ldapDN DN tested against the user classes (presumably the requestor's DN)
     * @param attributes attributes handed to the subtree match (presumably the
     *        requestor's entry)
     * @param authenticationLevel level compared with each tuple's required level
     * @param ldapDN2 DN compared with {@code ldapDN} for {@code UserClass.THIS_ENTRY}
     *        (presumably the DN of the entry being accessed)
     * @param str not used by this filter
     * @param obj not used by this filter
     * @param attributes2 not used by this filter
     * @param collection3 not used by this filter
     * @return {@code collection}, after removal of the tuples that do not apply
     * @throws NamingException if a subtree evaluation fails
     */
    @Override // org.apache.directory.server.core.authz.support.ACITupleFilter
    public Collection filter(Collection collection, OperationScope operationScope, PartitionNexusProxy partitionNexusProxy, Collection collection2, LdapDN ldapDN, Attributes attributes, AuthenticationLevel authenticationLevel, LdapDN ldapDN2, String str, Object obj, Attributes attributes2, Collection collection3) throws NamingException {
        if (collection.isEmpty()) {
            return collection;
        }
        for (Iterator tuples = collection.iterator(); tuples.hasNext();) {
            ACITuple tuple = (ACITuple) tuples.next();
            boolean grant = tuple.isGrant();
            boolean related = isRelated(collection2, ldapDN, attributes, ldapDN2, tuple.getUserClasses());
            boolean discard;
            if (grant) {
                // A grant is dropped when the requestor is unrelated or under-authenticated.
                discard = !related || authenticationLevel.compareTo(tuple.getAuthenticationLevel()) < 0;
            } else {
                // A denial is dropped only when the requestor is unrelated AND sufficiently
                // authenticated, so an under-authenticated requestor keeps the denial.
                discard = !related && authenticationLevel.compareTo(tuple.getAuthenticationLevel()) >= 0;
            }
            if (discard) {
                tuples.remove();
            }
        }
        return collection;
    }

    /**
     * Reports whether the requestor matches at least one of the given user classes.
     *
     * @param userGroupNames DNs tested against {@code UserClass.UserGroup} names
     * @param userName DN tested against {@code UserClass.Name} names, {@code entryName}
     *        and subtree specifications
     * @param userEntry attributes passed on to the subtree match
     * @param entryName DN compared with {@code userName} for {@code UserClass.THIS_ENTRY}
     * @param userClasses the {@link UserClass} values of one tuple
     * @return {@code true} on the first user class that matches, else {@code false}
     * @throws NamingException if a subtree evaluation fails
     * @throws InternalError if a user class is of none of the handled kinds
     */
    private boolean isRelated(Collection userGroupNames, LdapDN userName, Attributes userEntry, LdapDN entryName, Collection userClasses) throws NamingException {
        for (Object candidate : userClasses) {
            UserClass userClass = (UserClass) candidate;
            if (userClass == UserClass.ALL_USERS) {
                return true;
            }
            if (userClass == UserClass.THIS_ENTRY) {
                if (userName.equals(entryName)) {
                    return true;
                }
                continue;
            }
            if (userClass instanceof UserClass.Name) {
                UserClass.Name named = (UserClass.Name) userClass;
                if (named.getNames().contains(userName)) {
                    return true;
                }
                continue;
            }
            if (userClass instanceof UserClass.UserGroup) {
                if (containsAnyGroup((UserClass.UserGroup) userClass, userGroupNames)) {
                    return true;
                }
                continue;
            }
            if (!(userClass instanceof UserClass.Subtree)) {
                throw new InternalError("Unexpected userClass: " + userClass.getClass().getName());
            }
            if (matchUserClassSubtree(userName, userEntry, (UserClass.Subtree) userClass)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether any non-null DN in {@code userGroupNames} is listed by the
     * given group user class.
     */
    private boolean containsAnyGroup(UserClass.UserGroup userGroup, Collection userGroupNames) {
        for (Object element : userGroupNames) {
            LdapDN groupName = (LdapDN) element;
            if (groupName != null && userGroup.getNames().contains(groupName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the requestor falls inside any subtree specification of the
     * given subtree user class, evaluated from the empty base DN.
     *
     * @throws NamingException if the evaluator fails
     */
    private boolean matchUserClassSubtree(LdapDN userName, Attributes userEntry, UserClass.Subtree subtree) throws NamingException {
        for (Object spec : subtree.getSubtreeSpecifications()) {
            // NOTE(review): the evaluator is given the entry's "userClass" attribute, and
            // Attributes.get returns null when it is absent. Confirm this is the attribute
            // the specification is meant to be tested against (objectClass may be intended).
            boolean inside = this.subtreeEvaluator.evaluate((SubtreeSpecification) spec, ROOTDSE_NAME, userName, userEntry.get("userClass"));
            if (inside) {
                return true;
            }
        }
        return false;
    }
}
