package com.zimbra.cs.account;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.EmailUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.Right;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/DomainAccessManager.class */
public class DomainAccessManager extends AccessManager {
    @Override // com.zimbra.cs.account.AccessManager
    public boolean isDomainAdminOnly(AuthToken authToken) {
        return authToken.isDomainAdmin() && !authToken.isAdmin();
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean isAdequateAdminAccount(Account account) {
        return account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDomainAdminAccount, false) || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false);
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(AuthToken authToken, Account account, boolean z) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        checkDomainStatus(account);
        if ((z && authToken.isAdmin()) || isParentOf(authToken, account)) {
            return true;
        }
        if (!z || !authToken.isDomainAdmin() || account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false)) {
            return false;
        }
        return getDomain(authToken).getId().equals(Provisioning.getInstance().getDomain(account).getId());
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(AuthToken authToken, Account account) throws ServiceException {
        return canAccessAccount(authToken, account, true);
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(Account account, Account account2, boolean z) throws ServiceException {
        if (account == null) {
            return false;
        }
        checkDomainStatus(account2);
        if ((z && account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false)) || isParentOf(account, account2)) {
            return true;
        }
        if (z && !account2.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false) && account2.getDomainName() != null && account2.getDomainName().equals(account.getDomainName())) {
            return account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsDomainAdminAccount, false);
        }
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(Account account, Account account2) throws ServiceException {
        return canAccessAccount(account, account2, true);
    }

    private boolean canAccessDomainInternal(AuthToken authToken, String str) throws ServiceException {
        if (authToken.isAdmin()) {
            return true;
        }
        if (authToken.isDomainAdmin()) {
            return getDomain(authToken).getName().equalsIgnoreCase(str);
        }
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessDomain(AuthToken authToken, String str) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        checkDomainStatus(str);
        return canAccessDomainInternal(authToken, str);
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessDomain(AuthToken authToken, Domain domain) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        checkDomainStatus(domain);
        return canAccessDomainInternal(authToken, domain.getName());
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessCos(AuthToken authToken, Cos cos) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        if (authToken.isAdmin()) {
            return true;
        }
        if (!authToken.isDomainAdmin()) {
            return false;
        }
        String id = cos.getId();
        Iterator<String> it = getDomain(authToken).getMultiAttrSet(ZAttrProvisioning.A_zimbraDomainCOSMaxAccounts).iterator();
        while (it.hasNext()) {
            String[] split = it.next().split(":");
            if (split.length == 2 && split[0].equals(id)) {
                return true;
            }
        }
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessEmail(AuthToken authToken, String str) throws ServiceException {
        String[] localPartAndDomain = EmailUtil.getLocalPartAndDomain(str);
        if (localPartAndDomain == null) {
            throw ServiceException.INVALID_REQUEST("must be valid email address: " + str, (Throwable) null);
        }
        Account account = Provisioning.getInstance().get(Provisioning.AccountBy.name, str, authToken);
        if (account == null || !isParentOf(authToken, account)) {
            return canAccessDomain(authToken, localPartAndDomain[1]);
        }
        return true;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canModifyMailQuota(AuthToken authToken, Account account, long j) throws ServiceException {
        if (canAccessAccount(authToken, account)) {
            return canSetMailQuota(authToken, account, j);
        }
        return false;
    }

    public static boolean canSetMailQuota(AuthToken authToken, Account account, long j) throws ServiceException {
        if (authToken.isAdmin()) {
            return true;
        }
        Account account2 = Provisioning.getInstance().get(Provisioning.AccountBy.id, authToken.getAccountId(), authToken);
        if (account2 == null) {
            return false;
        }
        long longAttr = account2.getLongAttr(ZAttrProvisioning.A_zimbraDomainAdminMaxMailQuota, -1L);
        if (longAttr == 0) {
            return true;
        }
        if (longAttr != -1 && j != 0 && j <= longAttr) {
            return true;
        }
        ZimbraLog.account.warn(String.format("invalid attempt to change quota: admin(%s) account(%s) quota(%d) max(%d)", account2.getName(), account.getName(), Long.valueOf(j), Long.valueOf(longAttr)));
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z) {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(Account account, Entry entry, Right right, boolean z) {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(String str, Entry entry, Right right, boolean z) {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canGetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canGetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(Account account, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        return false;
    }

    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        return false;
    }
}
