package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.EmailUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.Cos;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.DomainAccessManager;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightBearer;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.cs.account.ldap.LdapUtil;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/ACLAccessManager.class */
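/**
 * {@link AccessManager} implementation that answers access questions by evaluating rights.
 *
 * <p>Every decision in this class follows the same order: {@link HardRules#checkHardRules} is
 * consulted first and a non-null verdict is final; only when it returns {@code null} are grants
 * evaluated through {@link CheckPresetRight} / {@link CheckAttrRight}.
 *
 * <p>Parameter names such as {@code z} and {@code z2} come from decompilation. In the
 * {@code canDo}, {@code canGetAttrs} and {@code canSetAttrs} overloads {@code z} is forwarded to
 * {@code HardRules.checkHardRules} as its second argument; presumably it is the "as admin" flag —
 * confirm against {@code AccessManager}.
 *
 * <p>NOTE(review): all checks here are authorization decisions. Any path that cannot reach a
 * verdict must deny; the wrappers below that catch {@link ServiceException} return {@code false}
 * for that reason.
 */
public class ACLAccessManager extends AccessManager implements AdminConsoleCapable {
    /**
     * Creates the manager and touches {@link RightManager#getInstance()}.
     *
     * <p>The returned instance is discarded; presumably the call is made so that a failure to
     * load right definitions surfaces at construction time — confirm.
     *
     * @throws ServiceException if {@code RightManager.getInstance()} fails
     */
    public ACLAccessManager() throws ServiceException {
        RightManager.getInstance();
    }

    /**
     * Reports whether the account carries either admin marker attribute.
     *
     * @param account account to inspect
     * @return {@code true} if {@code zimbraIsDelegatedAdminAccount} or
     *     {@code zimbraIsAdminAccount} is set to true on the account
     */
    @Override
    public boolean isAdequateAdminAccount(Account account) {
        return account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDelegatedAdminAccount, false)
                || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false);
    }

    /**
     * Resolves the entry an admin "login as" right is checked against: calendar resources are
     * re-fetched by id through {@link Provisioning}, every other account is used as is.
     */
    private Account actualTargetForAdminLoginAs(Account account) throws ServiceException {
        if (account.isCalendarResource()) {
            return Provisioning.getInstance().get(Provisioning.CalendarResourceBy.id, account.getId());
        }
        return account;
    }

    /** Picks the admin "login as" right that matches the target kind (calendar resource or account). */
    private AdminRight actualRightForAdminLoginAs(Account account) {
        if (account.isCalendarResource()) {
            return Rights.Admin.R_adminLoginCalendarResourceAs;
        }
        return Rights.Admin.R_adminLoginAs;
    }

    /** Always {@code false} in this implementation. */
    @Override
    public boolean isDomainAdminOnly(AuthToken authToken) {
        return false;
    }

    /**
     * Decides whether the holder of {@code authToken} may access {@code account}.
     *
     * <p>Order of evaluation: {@code checkDomainStatus(account)} runs first (it may throw),
     * then {@code isParentOf} grants access outright, and only then is a right checked. With
     * {@code z} set the admin login-as right is checked; otherwise {@code Rights.User.R_loginAs}.
     *
     * <p>NOTE(review): {@code z} selects which right is evaluated, so callers should derive it
     * from the authenticated session rather than from request data — verify at call sites.
     *
     * @throws ServiceException from the domain status check or target resolution
     */
    @Override
    public boolean canAccessAccount(AuthToken authToken, Account account, boolean z) throws ServiceException {
        checkDomainStatus(account);
        if (isParentOf(authToken, account)) {
            return true;
        }
        if (z) {
            return canDo(authToken, actualTargetForAdminLoginAs(account), actualRightForAdminLoginAs(account), z);
        }
        return canDo(authToken, account, Rights.User.R_loginAs, z);
    }

    /** Same as {@link #canAccessAccount(AuthToken, Account, boolean)} with the flag fixed to {@code true}. */
    @Override
    public boolean canAccessAccount(AuthToken authToken, Account account) throws ServiceException {
        return canAccessAccount(authToken, account, true);
    }

    /**
     * Account-based variant of {@link #canAccessAccount(AuthToken, Account, boolean)}:
     * {@code account} is the requester and {@code account2} the target.
     *
     * @throws ServiceException from the domain status check or target resolution
     */
    @Override
    public boolean canAccessAccount(Account account, Account account2, boolean z) throws ServiceException {
        checkDomainStatus(account2);
        if (isParentOf(account, account2)) {
            return true;
        }
        if (z) {
            return canDo(account, actualTargetForAdminLoginAs(account2), actualRightForAdminLoginAs(account2), z);
        }
        return canDo(account, account2, Rights.User.R_loginAs, z);
    }

    /** Same as {@link #canAccessAccount(Account, Account, boolean)} with the flag fixed to {@code true}. */
    @Override
    public boolean canAccessAccount(Account account, Account account2) throws ServiceException {
        return canAccessAccount(account, account2, true);
    }

    /** Always {@code false} in this implementation. */
    @Override
    public boolean canAccessCos(AuthToken authToken, Cos cos) throws ServiceException {
        return false;
    }

    /** Not supported here: always throws {@code ServiceException.FAILURE("internal error")}. */
    @Override
    public boolean canAccessDomain(AuthToken authToken, String str) throws ServiceException {
        throw ServiceException.FAILURE("internal error", (Throwable) null);
    }

    /** Not supported here: always throws {@code ServiceException.FAILURE("internal error")}. */
    @Override
    public boolean canAccessDomain(AuthToken authToken, Domain domain) throws ServiceException {
        throw ServiceException.FAILURE("internal error", (Throwable) null);
    }

    /** Not supported here: always throws {@code ServiceException.FAILURE("internal error")}. */
    @Override
    public boolean canAccessEmail(AuthToken authToken, String str) throws ServiceException {
        throw ServiceException.FAILURE("internal error", (Throwable) null);
    }

    /** Delegates the mail quota decision to {@link DomainAccessManager#canSetMailQuota}. */
    @Override
    public boolean canModifyMailQuota(AuthToken authToken, Account account, long j) throws ServiceException {
        return DomainAccessManager.canSetMailQuota(authToken, account, j);
    }

    /**
     * Non-throwing right check for an account grantee.
     *
     * @return the verdict of the five-argument overload, or {@code false} (deny, with a warning
     *     logged) if that overload throws
     */
    @Override
    public boolean canDo(Account account, Entry entry, Right right, boolean z) {
        try {
            return canDo(account, entry, right, z, (AccessManager.ViaGrant) null);
        } catch (ServiceException e) {
            // Fail closed: an evaluation error is never treated as a grant.
            ZimbraLog.acl.warn("right denied", e);
            return false;
        }
    }

    /**
     * Non-throwing right check for an auth-token grantee.
     *
     * @return the verdict of the five-argument overload, or {@code false} if it throws
     */
    @Override
    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z) {
        try {
            return canDo(authToken, entry, right, z, (AccessManager.ViaGrant) null);
        } catch (ServiceException e) {
            // Fail closed: an evaluation error is never treated as a grant.
            ZimbraLog.acl.warn("right denied", e);
            return false;
        }
    }

    /**
     * Non-throwing right check for a grantee named by e-mail address.
     *
     * @return the verdict of the five-argument overload, or {@code false} if it throws
     */
    @Override
    public boolean canDo(String str, Entry entry, Right right, boolean z) {
        try {
            return canDo(str, entry, right, z, (AccessManager.ViaGrant) null);
        } catch (ServiceException e) {
            // Fail closed: an evaluation error is never treated as a grant.
            ZimbraLog.acl.warn("right denied", e);
            return false;
        }
    }

    /**
     * Checks a right for an account grantee.
     *
     * <p>Hard rules decide first. If they are undecided and {@code z} is set, the two pseudo
     * rights are resolved without looking at grants: {@code PR_ALWAYS_ALLOW} allows and
     * {@code PR_SYSTEM_ADMIN_ONLY} denies. Everything else goes to the preset-right check.
     *
     * @param viaGrant passed through to the preset-right check
     * @throws ServiceException from the hard-rule check
     */
    @Override
    public boolean canDo(Account account, Entry entry, Right right, boolean z, AccessManager.ViaGrant viaGrant) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z, entry, right);
        if (hardRuleVerdict != null) {
            return hardRuleVerdict.booleanValue();
        }
        if (z) {
            if (right == AdminRight.PR_ALWAYS_ALLOW) {
                return true;
            }
            if (right == AdminRight.PR_SYSTEM_ADMIN_ONLY) {
                // Reaching this point means the hard rules did not allow the caller.
                return false;
            }
        }
        return checkPresetRight(account, entry, right, false, z, viaGrant);
    }

    /**
     * Checks a right for the account behind {@code authToken}.
     *
     * @return {@code false} if the token does not map to an account or if resolution or
     *     evaluation throws; otherwise the verdict of the account-based overload
     */
    @Override
    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z, AccessManager.ViaGrant viaGrant) throws ServiceException {
        try {
            Account grantee = AccessControlUtil.authTokenToAccount(authToken, right);
            if (grantee == null) {
                return false;
            }
            return canDo(grantee, entry, right, z, viaGrant);
        } catch (ServiceException e) {
            // Fail closed: an unresolved grantee or evaluation error is a deny.
            ZimbraLog.acl.warn("ACL checking failed", e);
            return false;
        }
    }

    /**
     * Checks a right for the account identified by e-mail address {@code str}.
     *
     * @return {@code false} if the address does not map to an account or if resolution or
     *     evaluation throws; otherwise the verdict of the account-based overload
     */
    @Override
    public boolean canDo(String str, Entry entry, Right right, boolean z, AccessManager.ViaGrant viaGrant) throws ServiceException {
        try {
            Account grantee = AccessControlUtil.emailAddrToAccount(str, right);
            if (grantee == null) {
                return false;
            }
            return canDo(grantee, entry, right, z, viaGrant);
        } catch (ServiceException e) {
            // Fail closed: an unresolved grantee or evaluation error is a deny.
            ZimbraLog.acl.warn("ACL checking failed", e);
            return false;
        }
    }

    /**
     * Decides whether {@code account} may read every attribute in {@code set} on {@code entry}.
     *
     * @throws ServiceException from the hard-rule or attribute-right evaluation
     */
    @Override
    public boolean canGetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z, entry, null);
        if (hardRuleVerdict != null) {
            return hardRuleVerdict.booleanValue();
        }
        return canGetAttrsInternal(account, entry, set, false);
    }

    /**
     * Token variant of {@link #canGetAttrs(Account, Entry, Set, boolean)}.
     *
     * <p>NOTE(review): {@code authToken} is dereferenced without a null check — confirm callers
     * never pass an absent token.
     */
    @Override
    public boolean canGetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return canGetAttrs(authToken.getAccount(), entry, set, z);
    }

    /**
     * Returns a checker describing which attributes {@code account} may read on {@code entry}.
     *
     * <p>A hard-rule verdict maps to allow-all or deny-all; an undecided verdict yields the
     * checker computed for {@code AdminRight.PR_GET_ATTRS}.
     *
     * @throws ServiceException from the hard-rule or attribute-right evaluation
     */
    @Override
    public AccessManager.AttrRightChecker canGetAttrs(Account account, Entry entry, boolean z) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z, entry, null);
        // Compare by value, not by reference: a Boolean that is not one of the two canonical
        // constants must still be honoured, otherwise a hard deny would fall through to ACLs.
        if (Boolean.TRUE.equals(hardRuleVerdict)) {
            return AllowedAttrs.ALLOW_ALL_ATTRS();
        }
        if (Boolean.FALSE.equals(hardRuleVerdict)) {
            return AllowedAttrs.DENY_ALL_ATTRS();
        }
        return CheckAttrRight.accessibleAttrs(new RightBearer.Grantee(account), entry, AdminRight.PR_GET_ATTRS, false);
    }

    /** Token variant of {@link #canGetAttrs(Account, Entry, boolean)}. */
    @Override
    public AccessManager.AttrRightChecker canGetAttrs(AuthToken authToken, Entry entry, boolean z) throws ServiceException {
        return canGetAttrs(authToken.getAccount(), entry, z);
    }

    /**
     * Decides whether {@code account} may write every attribute named in {@code set} on
     * {@code entry}. Only attribute names are checked here, not values.
     *
     * @throws ServiceException from the hard-rule or attribute-right evaluation
     */
    @Override
    public boolean canSetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z, entry, null);
        if (hardRuleVerdict != null) {
            return hardRuleVerdict.booleanValue();
        }
        return canSetAttrsInternal(account, entry, set, false);
    }

    /** Token variant of {@link #canSetAttrs(Account, Entry, Set, boolean)}. */
    @Override
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return canSetAttrs(authToken.getAccount(), entry, set, z);
    }

    /**
     * Decides whether {@code account} may apply the attribute/value pairs in {@code map} to
     * {@code entry}. Unlike the {@code Set} overload this one also hands the values to
     * {@code canSetAttrsWithinConstraints}.
     *
     * @throws ServiceException from the hard-rule or attribute-right evaluation
     */
    @Override
    public boolean canSetAttrs(Account account, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z, entry, null);
        if (hardRuleVerdict != null) {
            return hardRuleVerdict.booleanValue();
        }
        RightBearer.Grantee grantee = new RightBearer.Grantee(account);
        return CheckAttrRight.accessibleAttrs(grantee, entry, AdminRight.PR_SET_ATTRS, false)
                .canSetAttrsWithinConstraints(grantee, entry, map);
    }

    /** Token variant of {@link #canSetAttrs(Account, Entry, Map, boolean)}. */
    @Override
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        return canSetAttrs(authToken.getAccount(), entry, map, z);
    }

    /**
     * Checks attribute rights for an entry that does not exist yet by evaluating them against a
     * pseudo target built from the requested name and, for accounts and calendar resources, the
     * requested class of service.
     *
     * @param str name of the entry being created; must parse as an e-mail address for account,
     *     calendar-resource and distribution-list targets
     * @param map attributes supplied with the create request
     * @throws ServiceException {@code INVALID_REQUEST} if {@code str} is not a valid address for
     *     those target types, or any failure from pseudo-target creation or right evaluation
     */
    @Override
    public boolean canSetAttrsOnCreate(Account account, TargetType targetType, String str, Map<String, Object> map, boolean z) throws ServiceException {
        boolean isAccountLike = targetType == TargetType.account || targetType == TargetType.calresource;

        Provisioning.DomainBy domainBy = null;
        String domainName = null;
        if (isAccountLike || targetType == TargetType.dl) {
            String[] localPartAndDomain = EmailUtil.getLocalPartAndDomain(str);
            if (localPartAndDomain == null) {
                throw ServiceException.INVALID_REQUEST("must be valid email address: " + str, (Throwable) null);
            }
            domainBy = Provisioning.DomainBy.name;
            domainName = localPartAndDomain[1];
        }

        Provisioning.CosBy cosBy = null;
        String cosKey = null;
        if (isAccountLike) {
            // NOTE(review): the COS value is request-supplied and cast unchecked; a non-String
            // value raises ClassCastException rather than a ServiceException — confirm callers
            // normalise it.
            cosKey = (String) map.get(ZAttrProvisioning.A_zimbraCOSId);
            if (cosKey != null) {
                cosBy = LdapUtil.isValidUUID(cosKey) ? Provisioning.CosBy.id : Provisioning.CosBy.name;
            }
        }

        Entry pseudoTarget = PseudoTarget.createPseudoTarget(
                Provisioning.getInstance(), targetType, domainBy, domainName, false, cosBy, cosKey, str);
        return canSetAttrs(account, pseudoTarget, map, z);
    }

    /**
     * Evaluates a right of any kind for {@code account} on {@code entry}.
     *
     * <p>Hard rules decide first. Otherwise preset rights go to the preset check, attribute
     * rights to the attribute check, and a combo right is granted only if every member right is
     * granted (members are evaluated without a {@code ViaGrant}). A right that is none of these
     * kinds is denied.
     *
     * @param z forwarded as the fourth argument of the preset/attribute checks; presumably
     *     "can delegate needed" — confirm
     * @param z2 forwarded to {@code HardRules.checkHardRules}; presumably "as admin" — confirm
     * @throws ServiceException from the hard-rule or attribute-right evaluation
     */
    @Override
    public boolean canPerform(Account account, Entry entry, Right right, boolean z, Map<String, Object> map, boolean z2, AccessManager.ViaGrant viaGrant) throws ServiceException {
        Boolean hardRuleVerdict = HardRules.checkHardRules(account, z2, entry, right);
        if (hardRuleVerdict != null) {
            return hardRuleVerdict.booleanValue();
        }
        if (right.isPresetRight()) {
            return checkPresetRight(account, entry, right, z, z2, viaGrant);
        }
        if (right.isAttrRight()) {
            return checkAttrRight(account, entry, (AttrRight) right, z, map, z2);
        }
        if (right.isComboRight()) {
            Iterator<Right> members = ((ComboRight) right).getAllRights().iterator();
            while (members.hasNext()) {
                if (!canPerform(account, entry, members.next(), z, map, z2, (AccessManager.ViaGrant) null)) {
                    return false;
                }
            }
            return true;
        }
        return false;
    }

    /** Token variant of {@link #canPerform(Account, Entry, Right, boolean, Map, boolean, AccessManager.ViaGrant)}. */
    @Override
    public boolean canPerform(AuthToken authToken, Entry entry, Right right, boolean z, Map<String, Object> map, boolean z2, AccessManager.ViaGrant viaGrant) throws ServiceException {
        return canPerform(authToken.getAccount(), entry, right, z, map, z2, viaGrant);
    }

    /**
     * Evaluates a preset right and never throws a {@link ServiceException}: any such failure
     * during evaluation is logged and treated as a deny.
     *
     * <p>Evaluation order:
     * <ol>
     *   <li>A {@code null} grantee is denied when {@code z} is set or the right is not a user
     *       right; otherwise it is replaced by {@code GuestAccount.ANONYMOUS_ACCT}.</li>
     *   <li>For a user right on an account target, the account itself is always allowed, and so
     *       is a grantee that passes {@code canAccessAccount} (skipped for
     *       {@code R_loginAs}, which {@code canAccessAccount} itself evaluates).</li>
     *   <li>A non-user right with no target is denied.</li>
     *   <li>{@code CheckPresetRight.check} is consulted; a positive result allows.</li>
     *   <li>With {@code z} set nothing further is tried. Otherwise the right's fallback and then,
     *       only when the grant check was undecided, the right's default are used.</li>
     * </ol>
     *
     * <p>The {@code try} covers the whole evaluation. The decompiled form limited it to the
     * anonymous-grantee branch, which left {@code canAccessAccount}'s checked exception unhandled
     * and dereferenced a still-null grantee when building the log message.
     */
    private boolean checkPresetRight(Account account, Entry entry, Right right, boolean z, boolean z2, AccessManager.ViaGrant viaGrant) {
        try {
            if (account == null) {
                if (z || !right.isUserRight()) {
                    return false;
                }
                account = GuestAccount.ANONYMOUS_ACCT;
            }

            if (right.isUserRight()) {
                if (entry instanceof Account) {
                    Account targetAccount = (Account) entry;
                    if (targetAccount.getId().equals(account.getId())) {
                        return true;
                    }
                    if (right != Rights.User.R_loginAs && canAccessAccount(account, targetAccount, z2)) {
                        return true;
                    }
                }
            } else if (entry == null) {
                return false;
            }

            Boolean granted = null;
            if (entry != null) {
                granted = CheckPresetRight.check(account, entry, right, z, viaGrant);
            }
            if (granted != null && granted.booleanValue()) {
                return true;
            }
            if (z) {
                return false;
            }

            CheckRightFallback fallback = right.getFallback();
            if (fallback != null) {
                Boolean fallbackVerdict = fallback.checkRight(account, entry, z2);
                if (fallbackVerdict != null) {
                    ZimbraLog.acl.debug("checkPresetRight fallback to: " + fallbackVerdict.booleanValue());
                    return fallbackVerdict.booleanValue();
                }
            }

            // An explicit (negative) grant verdict wins over the right's default.
            if (granted != null) {
                return false;
            }
            Boolean defaultVerdict = right.getDefault();
            if (defaultVerdict == null) {
                return false;
            }
            ZimbraLog.acl.debug("checkPresetRight default to: " + defaultVerdict.booleanValue());
            return defaultVerdict.booleanValue();
        } catch (ServiceException e) {
            // Grantee and target can both be null here; the log line must not throw and mask
            // the original failure.
            String granteeName = account == null ? "null" : account.getName();
            String targetLabel = entry == null ? "null" : entry.getLabel();
            ZimbraLog.acl.warn("ACL checking failed: grantee=" + granteeName + ", target=" + targetLabel + ", right=" + right.getName() + " => denied", e);
            return false;
        }
    }

    /**
     * Evaluates an attribute right, optionally together with the values being set.
     *
     * <p>Get-attrs rights, and set-attrs rights without values, are checked by attribute name
     * only. Set-attrs rights with values go through {@code canSetAttrs}; combining values with
     * {@code z} is rejected as an internal error.
     *
     * @throws ServiceException {@code FAILURE} for the unsupported combination, or any failure
     *     from attribute-right evaluation
     */
    private boolean checkAttrRight(Account account, Entry entry, AttrRight attrRight, boolean z, Map<String, Object> map, boolean z2) throws ServiceException {
        if (!CheckRight.rightApplicableOnTargetType(TargetType.getTargetType(entry), attrRight, z)) {
            return false;
        }
        boolean namesOnly = attrRight.getRightType() == Right.RightType.getAttrs || map == null || map.isEmpty();
        if (namesOnly) {
            return checkAttrRight(account, entry, attrRight, z);
        }
        if (z) {
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }
        return canSetAttrs(account, entry, map, z2);
    }

    /** Checks that the grantee may access every attribute the right names on {@code entry}. */
    private boolean checkAttrRight(Account account, Entry entry, AttrRight attrRight, boolean z) throws ServiceException {
        RightBearer.Grantee grantee = new RightBearer.Grantee(account);
        return CheckAttrRight.accessibleAttrs(grantee, entry, attrRight, z).canAccessAttrs(attrRight.getAttrs(), entry);
    }

    /** Checks the attribute names in {@code set} against {@code AdminRight.PR_GET_ATTRS}. */
    private boolean canGetAttrsInternal(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        RightBearer.Grantee grantee = new RightBearer.Grantee(account);
        return CheckAttrRight.accessibleAttrs(grantee, entry, AdminRight.PR_GET_ATTRS, z).canAccessAttrs(set, entry);
    }

    /** Checks the attribute names in {@code set} against {@code AdminRight.PR_SET_ATTRS}. */
    private boolean canSetAttrsInternal(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        RightBearer.Grantee grantee = new RightBearer.Grantee(account);
        return CheckAttrRight.accessibleAttrs(grantee, entry, AdminRight.PR_SET_ATTRS, z).canAccessAttrs(set, entry);
    }

    /** Delegates to {@link CollectAllEffectiveRights#getAllEffectiveRights}; results are written into {@code allEffectiveRights}. */
    @Override
    public void getAllEffectiveRights(RightBearer rightBearer, boolean z, boolean z2, RightCommand.AllEffectiveRights allEffectiveRights) throws ServiceException {
        CollectAllEffectiveRights.getAllEffectiveRights(rightBearer, z, z2, allEffectiveRights);
    }

    /** Delegates to {@link CollectEffectiveRights#getEffectiveRights}; results are written into {@code effectiveRights}. */
    @Override
    public void getEffectiveRights(RightBearer rightBearer, Entry entry, boolean z, boolean z2, RightCommand.EffectiveRights effectiveRights) throws ServiceException {
        CollectEffectiveRights.getEffectiveRights(rightBearer, entry, z, z2, effectiveRights);
    }

    /**
     * Lists the target types searched for grants.
     *
     * @return a new mutable set holding every {@link TargetType} value
     */
    @Override
    public Set<TargetType> targetTypesForGrantSearch() {
        return new HashSet<TargetType>(Arrays.asList(TargetType.values()));
    }
}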
