package org.apache.directory.server.core.authz;

import java.text.ParseException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.directory.server.core.DirectoryServiceConfiguration;
import org.apache.directory.server.core.ServerUtils;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
import org.apache.directory.server.core.configuration.InterceptorConfiguration;
import org.apache.directory.server.core.enumeration.SearchResultFilter;
import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.InterceptorChain;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.invocation.Invocation;
import org.apache.directory.server.core.invocation.InvocationStack;
import org.apache.directory.server.core.jndi.JavaLdapSupport;
import org.apache.directory.server.core.jndi.ServerLdapContext;
import org.apache.directory.server.core.partition.PartitionNexusProxy;
import org.apache.directory.server.core.schema.AttributeTypeRegistry;
import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
import org.apache.directory.server.core.schema.OidRegistry;
import org.apache.directory.server.core.subtree.SubentryService;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.exception.LdapNamingException;
import org.apache.directory.shared.ldap.filter.ExprNode;
import org.apache.directory.shared.ldap.message.ModificationItemImpl;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/apacheds-core-1.0.2.jar:org/apache/directory/server/core/authz/AuthorizationService.class */
public class AuthorizationService extends BaseInterceptor {
    private static final Logger log;
    private static final String ENTRYACI_ATTR = "entryACI";
    private static final String SUBENTRYACI_ATTR = "subentryACI";
    private static final String AC_SUBENTRY_ATTR = "accessControlSubentries";
    private static final Collection ADD_PERMS;
    private static final Collection READ_PERMS;
    private static final Collection COMPARE_PERMS;
    private static final Collection SEARCH_ENTRY_PERMS;
    private static final Collection SEARCH_ATTRVAL_PERMS;
    private static final Collection REMOVE_PERMS;
    private static final Collection MATCHEDNAME_PERMS;
    private static final Collection BROWSE_PERMS;
    private static final Collection LOOKUP_PERMS;
    private static final Collection REPLACE_PERMS;
    private static final Collection RENAME_PERMS;
    private static final Collection EXPORT_PERMS;
    private static final Collection IMPORT_PERMS;
    private static final Collection MOVERENAME_PERMS;
    private TupleCache tupleCache;
    private GroupCache groupCache;
    private ACIItemParser aciParser;
    private ACDFEngine engine;
    private InterceptorChain chain;
    private AttributeTypeRegistry attrRegistry;
    private boolean enabled = false;
    private String subschemaSubentryDn;
    private AttributeType objectClassType;
    private AttributeType acSubentryType;
    private String objectClassOid;
    private String subentryOid;
    private String acSubentryOid;
    public static final SearchControls DEFAULT_SEARCH_CONTROLS;
    static Class class$org$apache$directory$server$core$authz$AuthorizationService;

    /* loaded from: input_file:BOOT-INF/lib/apacheds-core-1.0.2.jar:org/apache/directory/server/core/authz/AuthorizationService$AuthorizationFilter.class */
    /**
     * Per-result filter installed on list and search enumerations for callers that are not
     * administrators. Each result name is normalized and the decision is delegated to
     * {@code AuthorizationService.filter}.
     */
    class AuthorizationFilter implements SearchResultFilter {
        // Service instance that owns the caches and decision engine used for the check.
        private final AuthorizationService service;

        AuthorizationFilter(AuthorizationService authorizationService) {
            this.service = authorizationService;
        }

        /**
         * Decides whether one search result may be returned to the caller of the invocation.
         * The search controls are not consulted here.
         */
        @Override // org.apache.directory.server.core.enumeration.SearchResultFilter
        public boolean accept(Invocation invocation, SearchResult searchResult, SearchControls searchControls) throws NamingException {
            LdapDN normalizedName = this.service.parseNormalized(searchResult.getName());
            return this.service.filter(invocation, normalizedName, searchResult);
        }
    }

    /**
     * Wires up what the interceptor needs before it can take authorization decisions: the ACI tuple
     * and group caches, the OIDs and attribute types consulted while collecting ACI, the ACI parser,
     * the decision engine and the normalized DN of the subschema subentry.
     *
     * <p>{@code enabled} is read from {@code isAccessControlEnabled()} in the startup configuration.
     * While it is false, the operation methods visible in this class forward to the next interceptor
     * without evaluating any ACI.
     *
     * @param directoryServiceConfiguration source of the registries, interceptor chain and startup settings
     * @param interceptorConfiguration handed on to {@code BaseInterceptor.init}
     * @throws NamingException propagated from the registry, root DSE and normalization calls made here
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void init(DirectoryServiceConfiguration directoryServiceConfiguration, InterceptorConfiguration interceptorConfiguration) throws NamingException {
        super.init(directoryServiceConfiguration, interceptorConfiguration);

        this.tupleCache = new TupleCache(directoryServiceConfiguration);
        this.groupCache = new GroupCache(directoryServiceConfiguration);

        // OIDs and attribute types used to recognise subentries and accessControlSubentries values.
        this.attrRegistry = directoryServiceConfiguration.getGlobalRegistries().getAttributeTypeRegistry();
        OidRegistry oids = directoryServiceConfiguration.getGlobalRegistries().getOidRegistry();
        this.objectClassOid = oids.getOid(JavaLdapSupport.OBJECTCLASS_ATTR);
        this.subentryOid = oids.getOid("subentry");
        this.acSubentryOid = oids.getOid("accessControlSubentries");
        this.objectClassType = this.attrRegistry.lookup(this.objectClassOid);
        this.acSubentryType = this.attrRegistry.lookup(this.acSubentryOid);

        ConcreteNameComponentNormalizer nameNormalizer = new ConcreteNameComponentNormalizer(this.attrRegistry, oids);
        this.aciParser = new ACIItemParser(nameNormalizer, this.attrRegistry.getNormalizerMapping());
        this.engine = new ACDFEngine(directoryServiceConfiguration.getGlobalRegistries().getOidRegistry(), this.attrRegistry);
        this.chain = directoryServiceConfiguration.getInterceptorChain();

        // Master switch: every operation method tests this flag before doing any ACI work.
        this.enabled = directoryServiceConfiguration.getStartupConfiguration().isAccessControlEnabled();

        // search() compares the base DN against this value to leave schema reads unfiltered.
        Object schemaSubentryValue = directoryServiceConfiguration.getPartitionNexus().getRootDSE().get(SubentryService.SCHEMA_SUBENTRY).get();
        LdapDN schemaSubentryDn = new LdapDN((String) schemaSubentryValue);
        schemaSubentryDn.normalize(this.attrRegistry.getNormalizerMapping());
        this.subschemaSubentryDn = schemaSubentryDn.toNormName();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Parses {@code str} into an {@code LdapDN} and normalizes it with the attribute registry's
     * normalizer mapping.
     *
     * @param str the DN text to parse
     * @return the normalized DN
     * @throws NamingException propagated from parsing or normalization
     */
    public LdapDN parseNormalized(String str) throws NamingException {
        LdapDN parsed = new LdapDN(str);
        parsed.normalize(this.attrRegistry.getNormalizerMapping());
        return parsed;
    }

    /**
     * Adds to {@code collection} the cached ACI tuples of every access control subentry named in the
     * entry's {@code accessControlSubentries} attribute.
     *
     * <p>When the entry is itself a subentry (objectClass holds "subentry" or the subentry OID), the
     * attributes of the DN with the last component removed (presumably the parent entry) are read
     * with {@code LOOKUP_BYPASS} and used instead.
     *
     * @param partitionNexusProxy proxy used for the bypass lookup
     * @param collection tuple collection to extend
     * @param ldapDN DN of the entry under evaluation
     * @param attributes attributes of that entry
     * @throws NamingException propagated from the lookup or the cache
     */
    private void addPerscriptiveAciTuples(PartitionNexusProxy partitionNexusProxy, Collection collection, LdapDN ldapDN, Attributes attributes) throws NamingException {
        Attributes effective = attributes;
        Attribute objectClass = ServerUtils.getAttribute(this.objectClassType, attributes);
        boolean isSubentry = AttributeUtils.containsValue(objectClass, "subentry", this.objectClassType)
                || AttributeUtils.containsValueCaseIgnore(objectClass, this.subentryOid);
        if (isSubentry) {
            LdapDN upperDn = (LdapDN) ldapDN.clone();
            upperDn.remove(ldapDN.size() - 1);
            effective = partitionNexusProxy.lookup(upperDn, PartitionNexusProxy.LOOKUP_BYPASS);
        }

        Attribute subentryRefs = ServerUtils.getAttribute(this.acSubentryType, effective);
        if (subentryRefs != null) {
            // Each value names one access control subentry; its tuples come from the tuple cache.
            for (int idx = 0; idx < subentryRefs.size(); idx++) {
                String subentryName = (String) subentryRefs.get(idx);
                collection.addAll(this.tupleCache.getACITuples(subentryName));
            }
        }
    }

    /**
     * Parses every value of the entry's {@code entryACI} attribute and adds the resulting tuples to
     * {@code collection}. Does nothing when the attribute is absent.
     *
     * @param collection tuple collection to extend
     * @param attributes attributes of the entry under evaluation
     * @throws NamingException an {@code LdapNamingException} with {@code OPERATIONSERROR} when a value
     *         cannot be parsed, so a malformed ACI aborts the operation instead of being skipped
     */
    private void addEntryAciTuples(Collection collection, Attributes attributes) throws NamingException {
        Attribute entryAci = attributes.get(ENTRYACI_ATTR);
        if (entryAci != null) {
            for (int idx = 0; idx < entryAci.size(); idx++) {
                String aciText = (String) entryAci.get(idx);
                try {
                    collection.addAll(this.aciParser.parse(aciText).toTuples());
                } catch (ParseException e) {
                    // NOTE(review): the exception message carries the full ACI text and the
                    // ParseException is not attached as cause. If this message reaches the client,
                    // a non-administrator learns the entry's access control value. Confirm.
                    String message = "failed to parse entryACI: " + aciText;
                    log.error(message, e);
                    throw new LdapNamingException(message, ResultCodeEnum.OPERATIONSERROR);
                }
            }
        }
    }

    /**
     * For an entry whose objectClass holds "subentry" (case-insensitive), reads {@code subentryACI}
     * from the DN with the last component removed (presumably the parent entry) using
     * {@code LOOKUP_BYPASS}, parses each value and adds the tuples to {@code collection}.
     * Other entries are left untouched.
     *
     * @param partitionNexusProxy proxy used for the bypass lookup
     * @param collection tuple collection to extend
     * @param ldapDN DN of the entry under evaluation
     * @param attributes attributes of that entry
     * @throws NamingException an {@code LdapNamingException} with {@code OPERATIONSERROR} when a value
     *         cannot be parsed; otherwise propagated from the lookup
     */
    private void addSubentryAciTuples(PartitionNexusProxy partitionNexusProxy, Collection collection, LdapDN ldapDN, Attributes attributes) throws NamingException {
        // NOTE(review): addPerscriptiveAciTuples also accepts the subentry OID as an objectClass
        // value; this test matches the name only. Confirm the two cannot disagree for one entry.
        if (!AttributeUtils.containsValueCaseIgnore(attributes.get(JavaLdapSupport.OBJECTCLASS_ATTR), "subentry")) {
            return;
        }

        LdapDN upperDn = (LdapDN) ldapDN.clone();
        upperDn.remove(ldapDN.size() - 1);
        Attributes upperAttrs = partitionNexusProxy.lookup(upperDn, new String[]{SUBENTRYACI_ATTR}, PartitionNexusProxy.LOOKUP_BYPASS);
        Attribute subentryAci = upperAttrs.get(SUBENTRYACI_ATTR);
        if (subentryAci == null) {
            return;
        }

        for (int idx = 0; idx < subentryAci.size(); idx++) {
            String aciText = (String) subentryAci.get(idx);
            try {
                collection.addAll(this.aciParser.parse(aciText).toTuples());
            } catch (ParseException e) {
                // NOTE(review): the message carries the full ACI text; confirm it is not
                // returned to callers that could not otherwise read subentryACI.
                String message = "failed to parse subentryACI: " + aciText;
                log.error(message, e);
                throw new LdapNamingException(message, ResultCodeEnum.OPERATIONSERROR);
            }
        }
    }

    /**
     * Authorizes and forwards an add operation.
     *
     * <p>With access control disabled the call is forwarded unchecked. An administrator is forwarded
     * unchecked too, after which the tuple and group caches are told about the new entry. Any other
     * caller needs {@code ADD_PERMS} on the entry as a whole and on every attribute value.
     *
     * <p>Only prescriptive and subentry ACI are collected. {@code entryACI} is not read, so ACI
     * supplied inside the caller's own new entry plays no part in the decision.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to add
     * @param attributes attributes of the entry to add
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void add(NextInterceptor nextInterceptor, LdapDN ldapDN, Attributes attributes) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        if (!this.enabled) {
            nextInterceptor.add(ldapDN, attributes);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.add(ldapDN, attributes);
            this.tupleCache.subentryAdded(ldapDN.toNormName(), ldapDN, attributes);
            this.groupCache.groupAdded(ldapDN.toNormName(), ldapDN, attributes);
            return;
        }

        // View of the entry as it would look once stored: the subentry-derived attributes for this
        // DN, overlaid with the attributes the caller supplied.
        SubentryService subentryService = (SubentryService) this.chain.get("subentryService");
        Attributes candidate = subentryService.getSubentryAttributes(ldapDN, attributes);
        for (NamingEnumeration supplied = attributes.getAll(); supplied.hasMore(); ) {
            candidate.put((Attribute) supplied.next());
        }

        Set userGroups = this.groupCache.getGroups(callerDn.toNormName());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(invocation.getProxy(), tuples, ldapDN, candidate);
        addSubentryAciTuples(invocation.getProxy(), tuples, ldapDN, candidate);
        PartitionNexusProxy proxy = invocation.getProxy();

        // Entry-level check first, then one check per attribute value.
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, ADD_PERMS, tuples, candidate);
        for (NamingEnumeration supplied = attributes.getAll(); supplied.hasMore(); ) {
            Attribute current = (Attribute) supplied.next();
            for (int idx = 0; idx < current.size(); idx++) {
                this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, current.getID(), current.get(idx), ADD_PERMS, tuples, attributes);
            }
        }

        // The operation is forwarded only after every check has passed.
        nextInterceptor.add(ldapDN, attributes);
        this.tupleCache.subentryAdded(ldapDN.toNormName(), ldapDN, attributes);
        this.groupCache.groupAdded(ldapDN.toNormName(), ldapDN, attributes);
    }

    /**
     * Authorizes and forwards a delete operation.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} before any check, because the caches need its
     * attributes after the delete. With access control disabled the call is forwarded unchecked. An
     * administrator is forwarded unchecked and the caches are updated. Any other caller needs
     * {@code REMOVE_PERMS} on the entry.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to delete
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void delete(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        if (!this.enabled) {
            nextInterceptor.delete(ldapDN);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.delete(ldapDN);
            this.tupleCache.subentryDeleted(ldapDN, entry);
            this.groupCache.groupDeleted(ldapDN, entry);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(proxy, tuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, REMOVE_PERMS, tuples, entry);

        // The operation is forwarded only after the check has passed.
        nextInterceptor.delete(ldapDN);
        this.tupleCache.subentryDeleted(ldapDN, entry);
        this.groupCache.groupDeleted(ldapDN, entry);
    }

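    /**
     * Authorizes and forwards a modify operation that applies one operation code to a set of
     * attributes.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} before any check. With access control disabled
     * the call is forwarded unchecked. An administrator is forwarded unchecked and the caches are
     * updated. Any other caller needs {@code MicroOperation.MODIFY} on the entry, and for every
     * attribute value the permission set selected by {@code i}: 1 selects {@code ADD_PERMS},
     * 2 {@code REPLACE_PERMS}, 3 {@code REMOVE_PERMS}.
     *
     * <p>Any other value of {@code i} is refused for non-administrators. It would otherwise leave
     * the required permission set {@code null} and pass that to the decision engine.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to modify
     * @param i modification operation code
     * @param attributes attributes and values the operation applies to
     * @throws NamingException when permission is refused, {@code i} is not recognised or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, LdapDN ldapDN, int i, Attributes attributes) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        if (!this.enabled) {
            nextInterceptor.modify(ldapDN, i, attributes);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.modify(ldapDN, i, attributes);
            this.tupleCache.subentryModified(ldapDN, i, attributes, entry);
            this.groupCache.groupModified(ldapDN, i, attributes, entry);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(proxy, tuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, Collections.singleton(MicroOperation.MODIFY), tuples, entry);

        // Pick the value-level permission set; fail closed on an operation code we do not know.
        Collection requiredPerms;
        switch (i) {
            case 1:
                requiredPerms = ADD_PERMS;
                break;
            case 2:
                requiredPerms = REPLACE_PERMS;
                break;
            case 3:
                requiredPerms = REMOVE_PERMS;
                break;
            default:
                throw new LdapNamingException("unsupported modification operation: " + i, ResultCodeEnum.OPERATIONSERROR);
        }

        NamingEnumeration changed = attributes.getAll();
        while (changed.hasMore()) {
            Attribute current = (Attribute) changed.next();
            for (int idx = 0; idx < current.size(); idx++) {
                this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, current.getID(), current.get(idx), requiredPerms, tuples, entry);
            }
        }

        // The operation is forwarded only after every check has passed.
        nextInterceptor.modify(ldapDN, i, attributes);
        this.tupleCache.subentryModified(ldapDN, i, attributes, entry);
        this.groupCache.groupModified(ldapDN, i, attributes, entry);
    }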

    /* JADX WARN: Failed to find 'out' block for switch in B:14:0x00ce. Please report as an issue. */
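    /**
     * Authorizes and forwards a modify operation given as a list of modification items.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} before any check. With access control disabled
     * the call is forwarded unchecked. An administrator is forwarded unchecked and the caches are
     * updated. Any other caller needs {@code MicroOperation.MODIFY} on the entry, and for every
     * value of every item the permission set selected by that item's operation code: 1 selects
     * {@code ADD_PERMS}, 2 {@code REPLACE_PERMS}, 3 {@code REMOVE_PERMS}.
     *
     * <p>The permission set is chosen afresh for each item and an unrecognised operation code is
     * refused. An item can therefore never be checked against the set chosen for the item before
     * it, nor against {@code null}.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to modify
     * @param modificationItemImplArr modifications to apply
     * @throws NamingException when permission is refused, an operation code is not recognised or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, LdapDN ldapDN, ModificationItemImpl[] modificationItemImplArr) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        if (!this.enabled) {
            nextInterceptor.modify(ldapDN, modificationItemImplArr);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.modify(ldapDN, modificationItemImplArr);
            this.tupleCache.subentryModified(ldapDN, modificationItemImplArr, entry);
            this.groupCache.groupModified(ldapDN, modificationItemImplArr, entry);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(proxy, tuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, Collections.singleton(MicroOperation.MODIFY), tuples, entry);

        for (int idx = 0; idx < modificationItemImplArr.length; idx++) {
            int op = modificationItemImplArr[idx].getModificationOp();

            // Scoped to this item so nothing carries over from the previous one; fail closed on
            // an operation code we do not know.
            Collection requiredPerms;
            switch (op) {
                case 1:
                    requiredPerms = ADD_PERMS;
                    break;
                case 2:
                    requiredPerms = REPLACE_PERMS;
                    break;
                case 3:
                    requiredPerms = REMOVE_PERMS;
                    break;
                default:
                    throw new LdapNamingException("unsupported modification operation: " + op, ResultCodeEnum.OPERATIONSERROR);
            }

            Attribute current = modificationItemImplArr[idx].getAttribute();
            for (int valueIdx = 0; valueIdx < current.size(); valueIdx++) {
                this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, current.getID(), current.get(valueIdx), requiredPerms, tuples, entry);
            }
        }

        // The operation is forwarded only after every check has passed.
        nextInterceptor.modify(ldapDN, modificationItemImplArr);
        this.tupleCache.subentryModified(ldapDN, modificationItemImplArr, entry);
        this.groupCache.groupModified(ldapDN, modificationItemImplArr, entry);
    }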

    /**
     * Authorizes and forwards an existence test.
     *
     * <p>Administrators, a disabled access control subsystem and the empty DN are forwarded
     * unchecked. Any other caller needs {@code BROWSE_PERMS} on the entry. The entry is read with
     * {@code LOOKUP_BYPASS} before any of these conditions is tested.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN to test
     * @return whatever the next interceptor reports
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public boolean hasEntry(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        // Evaluated in this order on purpose: the administrator test runs first and may throw.
        boolean unchecked = isPrincipalAnAdministrator(callerDn)
                || !this.enabled
                || "".equals(ldapDN.toString().trim());
        if (!unchecked) {
            Set userGroups = this.groupCache.getGroups(callerDn.toNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, ldapDN, entry);
            this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, BROWSE_PERMS, tuples, entry);
        }
        return nextInterceptor.hasEntry(ldapDN);
    }

    /**
     * Enforces read access for a lookup: {@code LOOKUP_PERMS} on the entry, then {@code READ_PERMS}
     * on every value of every attribute in {@code attributes}. The empty DN is exempt.
     *
     * <p>A single refused attribute value makes the whole lookup fail, because
     * {@code checkPermission} signals refusal by throwing.
     *
     * @param ldapPrincipal the caller
     * @param ldapDN DN of the entry being read
     * @param attributes attributes of that entry
     * @throws NamingException when permission is refused or ACI collection fails
     */
    private void checkLookupAccess(LdapPrincipal ldapPrincipal, LdapDN ldapDN, Attributes attributes) throws NamingException {
        if ("".equals(ldapDN.toString().trim())) {
            return;
        }

        PartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
        LdapDN callerDn = ldapPrincipal.getJndiName();
        Set userGroups = this.groupCache.getGroups(callerDn.toNormName());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, ldapDN, attributes);
        addEntryAciTuples(tuples, attributes);
        addSubentryAciTuples(proxy, tuples, ldapDN, attributes);

        // Entry-level check first, then one check per attribute value.
        this.engine.checkPermission(proxy, userGroups, callerDn, ldapPrincipal.getAuthenticationLevel(), ldapDN, null, null, LOOKUP_PERMS, tuples, attributes);
        for (NamingEnumeration present = attributes.getAll(); present.hasMore(); ) {
            Attribute current = (Attribute) present.next();
            for (int idx = 0; idx < current.size(); idx++) {
                this.engine.checkPermission(proxy, userGroups, callerDn, ldapPrincipal.getAuthenticationLevel(), ldapDN, current.getID(), current.get(idx), READ_PERMS, tuples, attributes);
            }
        }
    }

    /**
     * Authorizes and forwards a lookup restricted to the attribute ids in {@code strArr}.
     *
     * <p>Administrators and a disabled access control subsystem are forwarded unchecked. For any
     * other caller the complete entry is read with {@code LOOKUP_BYPASS} and handed to
     * {@code checkLookupAccess}. The read check therefore covers every attribute of the entry,
     * not only the requested ids.
     *
     * <p>The caller DN is built from {@code principal.getName()} and normalized on a fresh
     * {@code LdapDN}.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to read
     * @param strArr attribute ids requested by the caller
     * @return whatever the next interceptor returns
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, LdapDN ldapDN, String[] strArr) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = new LdapDN(principal.getName());
        callerDn.normalize(this.attrRegistry.getNormalizerMapping());

        boolean unchecked = isPrincipalAnAdministrator(callerDn) || !this.enabled;
        if (!unchecked) {
            Attributes entry = invocation.getProxy().lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
            checkLookupAccess(principal, ldapDN, entry);
        }
        return nextInterceptor.lookup(ldapDN, strArr);
    }

    /**
     * Authorizes and forwards a lookup of a whole entry.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} before any check. Administrators and a
     * disabled access control subsystem are forwarded unchecked. Any other caller goes through
     * {@code checkLookupAccess}.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry to read
     * @return whatever the next interceptor returns
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        Attributes entry = invocation.getProxy().lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();
        // NOTE(review): this normalizes the DN object handed out by the principal in place, unlike
        // the attribute-id overload which normalizes a fresh copy; confirm that is intended.
        callerDn.normalize(this.attrRegistry.getNormalizerMapping());

        boolean unchecked = isPrincipalAnAdministrator(callerDn) || !this.enabled;
        if (!unchecked) {
            checkLookupAccess(principal, ldapDN, entry);
        }
        return nextInterceptor.lookup(ldapDN);
    }

    /**
     * Authorizes and forwards a rename that keeps the entry under the same parent.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} and the new DN is computed before any check.
     * With access control disabled the call is forwarded unchecked. An administrator is forwarded
     * unchecked and the caches are told about the rename. Any other caller needs
     * {@code RENAME_PERMS} on the entry.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN current DN of the entry
     * @param str new relative name
     * @param z passed through to the next interceptor unchanged
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modifyRn(NextInterceptor nextInterceptor, LdapDN ldapDN, String str, boolean z) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        // New DN: the old one with its last component swapped for the normalized new name.
        LdapDN renamedDn = (LdapDN) ldapDN.clone();
        renamedDn.remove(ldapDN.size() - 1);
        renamedDn.add(parseNormalized(str).get(0));

        if (!this.enabled) {
            nextInterceptor.modifyRn(ldapDN, str, z);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.modifyRn(ldapDN, str, z);
            this.tupleCache.subentryRenamed(ldapDN, renamedDn);
            this.groupCache.groupRenamed(ldapDN, renamedDn);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());
        HashSet tuples = new HashSet();
        addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
        addEntryAciTuples(tuples, entry);
        addSubentryAciTuples(proxy, tuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, RENAME_PERMS, tuples, entry);

        // The operation is forwarded only after the check has passed.
        nextInterceptor.modifyRn(ldapDN, str, z);
        this.tupleCache.subentryRenamed(ldapDN, renamedDn);
        this.groupCache.groupRenamed(ldapDN, renamedDn);
    }

    /**
     * Authorizes and forwards a move to a new parent combined with a rename.
     *
     * <p>With access control disabled the call is forwarded unchecked. An administrator is forwarded
     * unchecked and the caches are updated. Any other caller must pass two checks:
     * {@code MOVERENAME_PERMS} on the entry at its current DN, evaluated against prescriptive,
     * entry and subentry ACI, and {@code IMPORT_PERMS} at the destination DN, evaluated against the
     * prescriptive ACI that would apply there.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN current DN of the entry
     * @param ldapDN2 DN of the new parent
     * @param str new relative name
     * @param z passed through to the next interceptor unchanged
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, LdapDN ldapDN, LdapDN ldapDN2, String str, boolean z) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        // Destination DN: new parent plus the new relative name.
        LdapDN destinationDn = (LdapDN) ldapDN2.clone();
        destinationDn.add(str);

        if (!this.enabled) {
            nextInterceptor.move(ldapDN, ldapDN2, str, z);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.move(ldapDN, ldapDN2, str, z);
            this.tupleCache.subentryRenamed(ldapDN, destinationDn);
            this.groupCache.groupRenamed(ldapDN, destinationDn);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());

        // Source side: may the caller take the entry away from where it is now?
        HashSet sourceTuples = new HashSet();
        addPerscriptiveAciTuples(proxy, sourceTuples, ldapDN, entry);
        addEntryAciTuples(sourceTuples, entry);
        addSubentryAciTuples(proxy, sourceTuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, MOVERENAME_PERMS, sourceTuples, entry);

        // Destination side: view of the entry as it would look at the new DN, i.e. the
        // subentry-derived attributes for that DN overlaid with the entry's stored attributes.
        Attributes stored = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS);
        SubentryService subentryService = (SubentryService) this.chain.get("subentryService");
        Attributes relocated = subentryService.getSubentryAttributes(destinationDn, stored);
        for (NamingEnumeration kept = stored.getAll(); kept.hasMore(); ) {
            relocated.put((Attribute) kept.next());
        }
        HashSet destinationTuples = new HashSet();
        addPerscriptiveAciTuples(proxy, destinationTuples, destinationDn, relocated);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), destinationDn, null, null, IMPORT_PERMS, destinationTuples, relocated);

        // The operation is forwarded only after both checks have passed.
        nextInterceptor.move(ldapDN, ldapDN2, str, z);
        this.tupleCache.subentryRenamed(ldapDN, destinationDn);
        this.groupCache.groupRenamed(ldapDN, destinationDn);
    }

    /**
     * Authorizes and forwards a move to a new parent that keeps the relative name.
     *
     * <p>With access control disabled the call is forwarded unchecked. An administrator is forwarded
     * unchecked and the caches are updated. Any other caller must pass two checks:
     * {@code EXPORT_PERMS} on the entry at its current DN, evaluated against prescriptive, entry
     * and subentry ACI, and {@code IMPORT_PERMS} at the destination DN, evaluated against the
     * prescriptive ACI that would apply there.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN current DN of the entry
     * @param ldapDN2 DN of the new parent
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, LdapDN ldapDN, LdapDN ldapDN2) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);

        // Destination DN: new parent plus the entry's current last component.
        LdapDN destinationDn = (LdapDN) ldapDN2.clone();
        destinationDn.add(ldapDN.get(ldapDN.size() - 1));

        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        if (!this.enabled) {
            nextInterceptor.move(ldapDN, ldapDN2);
            return;
        }
        if (isPrincipalAnAdministrator(callerDn)) {
            nextInterceptor.move(ldapDN, ldapDN2);
            this.tupleCache.subentryRenamed(ldapDN, destinationDn);
            this.groupCache.groupRenamed(ldapDN, destinationDn);
            return;
        }

        // NOTE(review): group lookup uses toString() here, while add/hasEntry/compare key it with
        // toNormName(); confirm both produce the form GroupCache stores, or memberships are missed.
        Set userGroups = this.groupCache.getGroups(callerDn.toString());

        // Source side: may the caller take the entry away from where it is now?
        HashSet sourceTuples = new HashSet();
        addPerscriptiveAciTuples(proxy, sourceTuples, ldapDN, entry);
        addEntryAciTuples(sourceTuples, entry);
        addSubentryAciTuples(proxy, sourceTuples, ldapDN, entry);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, EXPORT_PERMS, sourceTuples, entry);

        // Destination side: view of the entry as it would look at the new DN, i.e. the
        // subentry-derived attributes for that DN overlaid with the entry's stored attributes.
        Attributes stored = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS);
        SubentryService subentryService = (SubentryService) this.chain.get("subentryService");
        Attributes relocated = subentryService.getSubentryAttributes(destinationDn, stored);
        for (NamingEnumeration kept = stored.getAll(); kept.hasMore(); ) {
            relocated.put((Attribute) kept.next());
        }
        HashSet destinationTuples = new HashSet();
        addPerscriptiveAciTuples(proxy, destinationTuples, destinationDn, relocated);
        this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), destinationDn, null, null, IMPORT_PERMS, destinationTuples, relocated);

        // The operation is forwarded only after both checks have passed.
        nextInterceptor.move(ldapDN, ldapDN2);
        this.tupleCache.subentryRenamed(ldapDN, destinationDn);
        this.groupCache.groupRenamed(ldapDN, destinationDn);
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public NamingEnumeration list(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        // Lists the children of ldapDN. The listing is always run by the next interceptor first.
        // Administrators, and every caller while access control is disabled, get the raw
        // enumeration; anyone else gets it wrapped so that each result passes through
        // AuthorizationFilter before it is returned. No check is made on ldapDN itself here.
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        NamingEnumeration children = nextInterceptor.list(ldapDN);

        boolean unfiltered = isPrincipalAnAdministrator(principal.getJndiName()) || !this.enabled;
        if (unfiltered) {
            return children;
        }
        return new SearchResultFilteringEnumeration(children, DEFAULT_SEARCH_CONTROLS, invocation, new AuthorizationFilter(this));
    }

    /**
     * Runs a search and filters its results for callers that are subject to access control.
     *
     * <p>The search is always executed by the next interceptor first. The raw enumeration is
     * returned to administrators, while access control is disabled, for an object-scope search on
     * the empty DN, and when the base is the subschema subentry. In every other case each result
     * passes through {@code AuthorizationFilter} before it is handed to the caller.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN search base
     * @param map passed through to the next interceptor unchanged
     * @param exprNode search filter
     * @param searchControls scope and other controls of the search
     * @return the raw or the filtering enumeration
     * @throws NamingException propagated from the administrator test or the downstream search
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public NamingEnumeration search(NextInterceptor nextInterceptor, LdapDN ldapDN, Map map, ExprNode exprNode, SearchControls searchControls) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        LdapDN callerDn = invocation.getCaller().getPrincipal().getJndiName();
        NamingEnumeration results = nextInterceptor.search(ldapDN, map, exprNode, searchControls);

        if (isPrincipalAnAdministrator(callerDn) || !this.enabled) {
            return results;
        }
        // Object-scope read of the empty DN.
        boolean emptyBaseObjectScope = ldapDN.size() == 0 && searchControls.getSearchScope() == SearchControls.OBJECT_SCOPE;
        if (emptyBaseObjectScope || this.subschemaSubentryDn.equals(ldapDN.toNormName())) {
            return results;
        }
        return new SearchResultFilteringEnumeration(results, searchControls, invocation, new AuthorizationFilter(this));
    }

    /**
     * Reports whether the given principal DN counts as an administrator, as decided by the group
     * cache. Every operation method in this class skips ACI evaluation when this returns true.
     *
     * @param ldapDN DN of the principal
     * @return the group cache's answer
     * @throws NamingException propagated from the group cache
     */
    public final boolean isPrincipalAnAdministrator(LdapDN ldapDN) throws NamingException {
        boolean administrator = this.groupCache.isPrincipalAnAdministrator(ldapDN);
        return administrator;
    }

    /**
     * Authorizes and forwards a compare operation.
     *
     * <p>The entry is read with {@code LOOKUP_BYPASS} before any check. Administrators and a
     * disabled access control subsystem are forwarded unchecked. Any other caller needs
     * {@code READ_PERMS} on the entry and {@code COMPARE_PERMS} on the attribute value being
     * compared.
     *
     * @param nextInterceptor next interceptor in the chain
     * @param ldapDN DN of the entry
     * @param str id of the attribute to compare
     * @param obj value to compare against
     * @return whatever the next interceptor reports
     * @throws NamingException when permission is refused or a downstream call fails
     */
    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public boolean compare(NextInterceptor nextInterceptor, LdapDN ldapDN, String str, Object obj) throws NamingException {
        Invocation invocation = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes entry = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        LdapPrincipal principal = invocation.getCaller().getPrincipal();
        LdapDN callerDn = principal.getJndiName();

        boolean unchecked = isPrincipalAnAdministrator(callerDn) || !this.enabled;
        if (!unchecked) {
            Set userGroups = this.groupCache.getGroups(callerDn.toNormName());
            HashSet tuples = new HashSet();
            addPerscriptiveAciTuples(proxy, tuples, ldapDN, entry);
            addEntryAciTuples(tuples, entry);
            addSubentryAciTuples(proxy, tuples, ldapDN, entry);

            // Entry-level read first, then the compare right on the specific attribute value.
            this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, null, null, READ_PERMS, tuples, entry);
            this.engine.checkPermission(proxy, userGroups, callerDn, principal.getAuthenticationLevel(), ldapDN, str, obj, COMPARE_PERMS, tuples, entry);
        }
        return nextInterceptor.compare(ldapDN, str, obj);
    }

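    /**
     * Returns the matched name for a failed lookup, trimmed so that it only names an entry the
     * caller is allowed to learn about.
     *
     * <p>Administrators, and every caller while access control is disabled, get the name from the
     * next interceptor unchanged. For everyone else the name is shortened one component at a time
     * until an entry is reached on which the caller holds {@code MATCHEDNAME_PERMS}
     * (the {@code DISCLOSE_ON_ERROR} micro-operation); if no such entry exists the empty DN is
     * returned, so the error does not reveal which ancestors exist.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param ldapDN the name that could not be resolved
     * @return the longest matched prefix the caller may be told about, possibly empty
     * @throws NamingException if a lookup or a permission evaluation fails
     */
    @Override
    public LdapDN getMatchedName(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        Invocation peek = InvocationStack.getInstance().peek();
        PartitionNexusProxy proxy = peek.getProxy();
        LdapPrincipal principal = peek.getCaller().getPrincipal();
        LdapDN jndiName = principal.getJndiName();
        if (isPrincipalAnAdministrator(jndiName) || !this.enabled) {
            return nextInterceptor.getMatchedName(ldapDN);
        }
        // NOTE(review): the DN returned by the chain is shortened in place below; confirm that
        // no other component keeps a reference to the same instance.
        LdapDN matchedName = nextInterceptor.getMatchedName(ldapDN);
        while (matchedName.size() > 0) {
            Attributes lookup = proxy.lookup(matchedName, PartitionNexusProxy.GETMATCHEDDN_BYPASS);
            // Look the caller's groups up by normalized name, as compare() and filter() do. With
            // the un-normalized string a DN that differs only in form could miss its group
            // memberships, and group-based ACI tuples would then be evaluated against the wrong set.
            Set groups = this.groupCache.getGroups(jndiName.toNormName());
            HashSet hashSet = new HashSet();
            addPerscriptiveAciTuples(proxy, hashSet, matchedName, lookup);
            addEntryAciTuples(hashSet, lookup);
            addSubentryAciTuples(proxy, hashSet, matchedName, lookup);
            if (this.engine.hasPermission(proxy, groups, jndiName, principal.getAuthenticationLevel(), matchedName, null, null, MATCHEDNAME_PERMS, hashSet, lookup)) {
                return matchedName;
            }
            // Not disclosable: drop the last component and try the parent.
            matchedName.remove(matchedName.size() - 1);
        }
        return matchedName;
    }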

    /**
     * Forwards a newly added group entry to the group cache.
     *
     * <p>The cache feeds both the administrator check and the group lookups used for ACI
     * evaluation in this class, so callers should only report entries that were really added.
     *
     * @param str passed to the cache as its first argument (presumably the entry's name as given
     *     by the user; confirm against the group cache)
     * @param ldapDN the DN of the added entry
     * @param attributes the attributes of the added entry
     * @throws NamingException if the group cache rejects the update
     */
    public void cacheNewGroup(String str, LdapDN ldapDN, Attributes attributes) throws NamingException {
        this.groupCache.groupAdded(str, ldapDN, attributes);
    }

    /* JADX INFO: Access modifiers changed from: private */
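    /**
     * Decides whether a search result may be returned to the caller and strips from it every
     * attribute and attribute value the caller is not allowed to read.
     *
     * <p>The entry is rejected outright when the caller lacks {@code SEARCH_ENTRY_PERMS} on it.
     * Otherwise each attribute is checked against {@code SEARCH_ATTRVAL_PERMS}: first the
     * attribute type as a whole, then each of its values. Attributes that fail the type check
     * are removed from the result; values that fail the value check are removed from their
     * attribute.
     *
     * @param invocation the invocation the search belongs to; supplies the proxy and the caller
     * @param ldapDN the DN of the entry behind {@code searchResult}
     * @param searchResult the result to inspect; its attributes are modified in place
     * @return {@code false} if the entry must be dropped, {@code true} if it may be returned
     * @throws NamingException if the entry lookup or a permission evaluation fails
     */
    public boolean filter(Invocation invocation, LdapDN ldapDN, SearchResult searchResult) throws NamingException {
        PartitionNexusProxy proxy = invocation.getProxy();
        Attributes lookup = proxy.lookup(ldapDN, PartitionNexusProxy.LOOKUP_BYPASS);
        ServerLdapContext caller = invocation.getCaller();
        LdapPrincipal principal = caller.getPrincipal();
        LdapDN jndiName = principal.getJndiName();
        Set groups = this.groupCache.getGroups(jndiName.toNormName());

        // Gather every ACI tuple that applies to the entry: prescriptive, entry and subentry.
        HashSet hashSet = new HashSet();
        addPerscriptiveAciTuples(proxy, hashSet, ldapDN, lookup);
        addEntryAciTuples(hashSet, lookup);
        addSubentryAciTuples(proxy, hashSet, ldapDN, lookup);

        if (!this.engine.hasPermission(proxy, groups, jndiName, principal.getAuthenticationLevel(), ldapDN, null, null, SEARCH_ENTRY_PERMS, hashSet, lookup)) {
            return false;
        }

        // NOTE(review): attributes are removed from the result while its id enumeration is still
        // open; confirm that the Attributes implementation in use tolerates that.
        NamingEnumeration iDs = searchResult.getAttributes().getIDs();
        while (iDs.hasMore()) {
            Attribute attribute = searchResult.getAttributes().get((String) iDs.next());
            if (!this.engine.hasPermission(proxy, groups, jndiName, principal.getAuthenticationLevel(), ldapDN, attribute.getID(), null, SEARCH_ATTRVAL_PERMS, hashSet, lookup)) {
                // The attribute type itself is not readable. One removal is enough; the former
                // second removal guarded by an emptiness check targeted the same id.
                searchResult.getAttributes().remove(attribute.getID());
                continue;
            }
            int i = 0;
            while (i < attribute.size()) {
                if (this.engine.hasPermission(proxy, groups, jndiName, principal.getAuthenticationLevel(), ldapDN, attribute.getID(), attribute.get(i), SEARCH_ATTRVAL_PERMS, hashSet, lookup)) {
                    i++;
                } else {
                    // Removal shifts the following values down, so the same index must be checked
                    // again. The earlier loop still advanced when index 0 was removed, which let
                    // the value that moved into slot 0 through without a permission check.
                    attribute.remove(i);
                }
            }
        }
        return true;
    }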

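    /**
     * Resolves a class by name, turning a failed lookup into a {@link NoClassDefFoundError}.
     *
     * <p>This looks like the synthetic helper that older compilers generated for class literals;
     * the only caller visible here passes a constant class name. It should not be given names
     * that come from outside the program, since {@link Class#forName(String)} also initializes
     * the class it loads.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found; the original
     *     {@link ClassNotFoundException} is attached as the cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() is declared to return Throwable, so throwing its result directly is
            // rejected by the compiler; attach the cause first and throw the error itself.
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }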

    /*
     * Static setup: the logger, the micro-operation sets each operation is checked against,
     * and the default search controls. All permission collections are either unmodifiable
     * views or singletons, so the required permissions cannot be altered after class loading.
     */
    static {
        // Resolve this class's own Class object once and remember it in the synthetic cache field.
        Class self = class$org$apache$directory$server$core$authz$AuthorizationService;
        if (self == null) {
            self = class$("org.apache.directory.server.core.authz.AuthorizationService");
            class$org$apache$directory$server$core$authz$AuthorizationService = self;
        }
        log = LoggerFactory.getLogger(self);

        // Multi-operation permission sets.
        HashSet searchEntryOps = new HashSet(2);
        searchEntryOps.add(MicroOperation.BROWSE);
        searchEntryOps.add(MicroOperation.RETURN_DN);
        SEARCH_ENTRY_PERMS = Collections.unmodifiableCollection(searchEntryOps);

        HashSet lookupOps = new HashSet(2);
        lookupOps.add(MicroOperation.READ);
        lookupOps.add(MicroOperation.BROWSE);
        LOOKUP_PERMS = Collections.unmodifiableCollection(lookupOps);

        HashSet replaceOps = new HashSet(2);
        replaceOps.add(MicroOperation.ADD);
        replaceOps.add(MicroOperation.REMOVE);
        REPLACE_PERMS = Collections.unmodifiableCollection(replaceOps);

        HashSet moveRenameOps = new HashSet(2);
        moveRenameOps.add(MicroOperation.EXPORT);
        moveRenameOps.add(MicroOperation.RENAME);
        MOVERENAME_PERMS = Collections.unmodifiableCollection(moveRenameOps);

        // Single-operation permission sets.
        SEARCH_ATTRVAL_PERMS = Collections.singleton(MicroOperation.READ);
        ADD_PERMS = Collections.singleton(MicroOperation.ADD);
        READ_PERMS = Collections.singleton(MicroOperation.READ);
        COMPARE_PERMS = Collections.singleton(MicroOperation.COMPARE);
        REMOVE_PERMS = Collections.singleton(MicroOperation.REMOVE);
        // Governs how much of a matched name may be revealed in an error.
        MATCHEDNAME_PERMS = Collections.singleton(MicroOperation.DISCLOSE_ON_ERROR);
        BROWSE_PERMS = Collections.singleton(MicroOperation.BROWSE);
        RENAME_PERMS = Collections.singleton(MicroOperation.RENAME);
        EXPORT_PERMS = Collections.singleton(MicroOperation.EXPORT);
        IMPORT_PERMS = Collections.singleton(MicroOperation.IMPORT);

        DEFAULT_SEARCH_CONTROLS = new SearchControls();
    }
}
