package com.zimbra.qa.unittest;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.CliUtil;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GlobalGrant;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.RightManager;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.cs.account.accesscontrol.TargetType;

/* loaded from: input_file:com/zimbra/qa/unittest/TestACPermissionCache.class */
public class TestACPermissionCache extends TestAC {
    protected static final AccessManager accessMgr = AccessManager.getInstance();
    private static final Right A_USER_RIGHT = TestAC.USER_RIGHT;
    private static final Right A_USER_RIGHT_DISTRIBUTION_LIST = TestAC.USER_RIGHT_DISTRIBUTION_LIST;
    private static final Right A_CACHEABLE_ADMIN_RIGHT = Rights.Admin.R_adminLoginAs;
    private static final String GRANTTARGET_USER_ACCT = "granttarget-user-acct";
    private static final String GRANTTARGET_USER_GROUP = "granttarget-user-group";
    private static final String SUBGROUP_OF_GRANTTARGET_USER_GROUP = "subgroup-of-granttarget-user-group";
    private static final String TARGET_USER_ACCT = "target-user-acct";
    private static final String TARGET_USER_GROUP = "target-user-group";
    private static final String GRANTEE_USER_ACCT = "grantee-user-acct";
    private static final String GRANTEE_USER_GROUP = "grantee-user-group";
    private static final String GRANTEE_ADMIN_ACCT = "grantee-admin-acct";
    private static final String GRANTEE_ADMIN_GROUP = "grantee-admin-group";
    private static final String GRANTEE_GUEST_ACCT = "grantee-guest-acct";
    private static final String GRANTEE_GUEST_ACCT_PASSWORD = "grantee-guest-acct-password";

    public void tearDown() throws Exception {
        deleteAllEntries();
    }

    static Right getRight(String str) throws ServiceException {
        return RightManager.getInstance().getRight(str);
    }

    private void grantRight(TargetType targetType, Entry entry, GranteeType granteeType, NamedEntry namedEntry, Right right) throws ServiceException {
        grantRight(targetType, entry, granteeType, namedEntry, null, right);
    }

    private void revokeRight(TargetType targetType, Entry entry, GranteeType granteeType, NamedEntry namedEntry, Right right) throws ServiceException {
        RightCommand.revokeRight(this.mProv, getGlobalAdminAcct(), targetType.getCode(), Provisioning.TargetBy.name, entry.getLabel(), granteeType.getCode(), Provisioning.GranteeBy.name, namedEntry.getName(), right.getName(), null);
    }

    private void grantRight(TargetType targetType, Entry entry, GranteeType granteeType, NamedEntry namedEntry, String str, Right right) throws ServiceException {
        RightCommand.grantRight(this.mProv, getGlobalAdminAcct(), targetType.getCode(), Provisioning.TargetBy.name, entry.getLabel(), granteeType.getCode(), Provisioning.GranteeBy.name, namedEntry.getName(), str, right.getName(), null);
    }

    public void testGuestAccount() throws Exception {
        Right right = A_USER_RIGHT;
        Account createUserAccount = createUserAccount(GRANTTARGET_USER_ACCT, createDomain());
        Account createGuestAccount = createGuestAccount(GRANTEE_GUEST_ACCT, GRANTEE_GUEST_ACCT_PASSWORD);
        Account createGuestAccount2 = createGuestAccount("grantee-user-acctnot", GRANTEE_GUEST_ACCT_PASSWORD);
        grantRight(TargetType.account, createUserAccount, GranteeType.GT_GUEST, createGuestAccount, GRANTEE_GUEST_ACCT_PASSWORD, right);
        assertTrue(accessMgr.canDo(createGuestAccount, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        assertFalse(accessMgr.canDo(createGuestAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantChangeOnTarget() throws Exception {
        Right right = A_USER_RIGHT;
        Domain createDomain = createDomain();
        Account createUserAccount = createUserAccount(GRANTTARGET_USER_ACCT, createDomain);
        Account createUserAccount2 = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        grantRight(TargetType.account, createUserAccount, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        revokeRight(TargetType.account, createUserAccount, GranteeType.GT_USER, createUserAccount2, right);
        assertFalse(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        grantRight(TargetType.account, createUserAccount, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain createDomain = createDomain();
        DistributionList createUserGroup = createUserGroup(GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup2 = createUserGroup(TARGET_USER_GROUP, createDomain);
        Account createUserAccount = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
        revokeRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertFalse(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain createDomain = createDomain();
        DistributionList createUserGroup = createUserGroup(GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup2 = createUserGroup(SUBGROUP_OF_GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup3 = createUserGroup(TARGET_USER_GROUP, createDomain);
        Account createUserAccount = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        this.mProv.addMembers(createUserGroup2, new String[]{createUserGroup3.getName()});
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
        revokeRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertFalse(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantChangeOnDomain() throws Exception {
        Right right = A_USER_RIGHT;
        Domain createDomain = createDomain();
        Account createUserAccount = createUserAccount(TARGET_USER_ACCT, createDomain);
        Account createUserAccount2 = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        grantRight(TargetType.domain, createDomain, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        revokeRight(TargetType.domain, createDomain, GranteeType.GT_USER, createUserAccount2, right);
        assertFalse(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        grantRight(TargetType.domain, createDomain, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantChangeOnGlobalGrant() throws Exception {
        Right right = A_USER_RIGHT;
        Domain createDomain = createDomain();
        GlobalGrant globalGrant = this.mProv.getGlobalGrant();
        Account createUserAccount = createUserAccount(TARGET_USER_ACCT, createDomain);
        Account createUserAccount2 = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        grantRight(TargetType.global, globalGrant, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        revokeRight(TargetType.global, globalGrant, GranteeType.GT_USER, createUserAccount2, right);
        assertFalse(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        grantRight(TargetType.global, globalGrant, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
    }

    public void testDirectGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain createDomain = createDomain();
        DistributionList createUserGroup = createUserGroup(GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup2 = createUserGroup(TARGET_USER_GROUP, createDomain);
        Account createUserAccount = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
        this.mProv.removeMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        assertFalse(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup2, right, false, (AccessManager.ViaGrant) null));
    }

    public void testIndirectGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain createDomain = createDomain();
        DistributionList createUserGroup = createUserGroup(GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup2 = createUserGroup(SUBGROUP_OF_GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup3 = createUserGroup(TARGET_USER_GROUP, createDomain);
        Account createUserAccount = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        this.mProv.addMembers(createUserGroup2, new String[]{createUserGroup3.getName()});
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
        this.mProv.removeMembers(createUserGroup2, new String[]{createUserGroup3.getName()});
        assertFalse(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
        this.mProv.addMembers(createUserGroup2, new String[]{createUserGroup3.getName()});
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
    }

    public void testDomainOfTargetChanged() throws Exception {
        Right right = A_USER_RIGHT;
        Domain createDomain = createDomain();
        Account createUserAccount = createUserAccount(TARGET_USER_ACCT, createDomain);
        Account createUserAccount2 = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        grantRight(TargetType.domain, createDomain, GranteeType.GT_USER, createUserAccount2, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        Domain createDomain2 = createDomain();
        String id = createUserAccount.getId();
        String name = createUserAccount.getName();
        this.mProv.renameAccount(id, getEmailLocalpart(createUserAccount.getName()) + "@" + createDomain2.getName());
        assertFalse(accessMgr.canDo(createUserAccount2, (Entry) this.mProv.get(Provisioning.AccountBy.id, id), right, false, (AccessManager.ViaGrant) null));
        this.mProv.renameAccount(id, name);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) this.mProv.get(Provisioning.AccountBy.id, id), right, false, (AccessManager.ViaGrant) null));
    }

    public void testGrantTargetDeleted() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain createDomain = createDomain();
        DistributionList createUserGroup = createUserGroup(GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup2 = createUserGroup(SUBGROUP_OF_GRANTTARGET_USER_GROUP, createDomain);
        DistributionList createUserGroup3 = createUserGroup(TARGET_USER_GROUP, createDomain);
        Account createUserAccount = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserGroup2.getName()});
        this.mProv.addMembers(createUserGroup2, new String[]{createUserGroup3.getName()});
        grantRight(TargetType.dl, createUserGroup, GranteeType.GT_USER, createUserAccount, right);
        assertTrue(accessMgr.canDo(createUserAccount, (Entry) createUserGroup3, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGranteeGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT;
        Domain createDomain = createDomain();
        Account createUserAccount = createUserAccount(GRANTTARGET_USER_ACCT, createDomain);
        DistributionList createUserGroup = createUserGroup(GRANTEE_USER_GROUP, createDomain);
        Account createUserAccount2 = createUserAccount(GRANTEE_USER_ACCT, createDomain);
        this.mProv.addMembers(createUserGroup, new String[]{createUserAccount2.getName()});
        grantRight(TargetType.account, createUserAccount, GranteeType.GT_GROUP, createUserGroup, right);
        assertTrue(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
        this.mProv.removeMembers(createUserGroup, new String[]{createUserAccount2.getName()});
        assertFalse(accessMgr.canDo(createUserAccount2, (Entry) createUserAccount, right, false, (AccessManager.ViaGrant) null));
    }

    public void testGranteeAdminFlagChanged() throws Exception {
        Right right = A_CACHEABLE_ADMIN_RIGHT;
        Domain createDomain = createDomain();
        Account createUserAccount = createUserAccount(GRANTTARGET_USER_ACCT, createDomain);
        Account createDelegatedAdminAccount = createDelegatedAdminAccount(GRANTEE_ADMIN_ACCT, createDomain);
        grantRight(TargetType.account, createUserAccount, GranteeType.GT_USER, createDelegatedAdminAccount, right);
        boolean canDo = accessMgr.canDo(createDelegatedAdminAccount, (Entry) createUserAccount, right, true, (AccessManager.ViaGrant) null);
        assertTrue(canDo);
        createDelegatedAdminAccount.setIsDelegatedAdminAccount(false);
        try {
            canDo = accessMgr.canDo(createDelegatedAdminAccount, (Entry) createUserAccount, right, true, (AccessManager.ViaGrant) null);
        } catch (ServiceException e) {
            if ("service.PERM_DENIED".equals(e.getCode())) {
                canDo = false;
            }
        }
        assertFalse(canDo);
        createDelegatedAdminAccount.setIsDelegatedAdminAccount(true);
        assertTrue(accessMgr.canDo(createDelegatedAdminAccount, (Entry) createUserAccount, right, true, (AccessManager.ViaGrant) null));
    }

    public static void main(String[] strArr) throws Exception {
        CliUtil.toolSetup("INFO");
        TestUtil.runTest(TestACPermissionCache.class);
    }
}
