package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.EmailUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.Cos;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.Rights;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/GlobalAccessManager.class */
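/**
 * {@link AccessManager} implementation with a single administrative tier.
 *
 * <p>Every administrative decision visible in this class reduces to a global-admin test.
 * Only rights for which {@code Right.isUserRight()} is true are delegated to
 * {@link ACLAccessManager}.
 *
 * <p>The decompiled {@code boolean z} parameter gates admin privilege. In the
 * {@link AuthToken}-based private helper a {@code false} value means the admin flag is
 * never honored. For {@link Account}-based checks it is forwarded unchanged to
 * {@code AccessControlUtil.isGlobalAdmin}. It is presumably the original "asAdmin"
 * argument (confirm against the upstream source).
 *
 * <p>NOTE(review): {@code checkDomainStatus} and {@code isParentOf} are not defined in this
 * class and are presumably inherited from {@link AccessManager}. Their exact semantics
 * should be confirmed there.
 */
public class GlobalAccessManager extends AccessManager implements AdminConsoleCapable {
    /**
     * Evaluates user rights. {@code null} when construction failed, in which case every
     * user-right check in {@link #canDo(Account, Entry, Right, boolean)} denies.
     */
    private final ACLAccessManager mAclAccessManager;

    /**
     * Creates the manager and tries to set up the ACL delegate.
     *
     * <p>A failure is logged rather than propagated. The instance stays usable for admin
     * checks and fails closed for user rights.
     */
    public GlobalAccessManager() {
        ACLAccessManager aclAccessManager = null;
        try {
            aclAccessManager = new ACLAccessManager();
        } catch (ServiceException e) {
            ZimbraLog.acl.warn("unable to instaintiate ACLAccessManager, user rights will not be honored", e);
        }
        this.mAclAccessManager = aclAccessManager;
    }

    /**
     * Reports whether the account carries the {@code zimbraIsAdminAccount} attribute.
     *
     * @param account account to inspect
     * @return the attribute value, {@code false} when it is absent
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean isAdequateAdminAccount(Account account) {
        return account.getBooleanAttr(ZAttrProvisioning.A_zimbraIsAdminAccount, false);
    }

    /**
     * Decides whether the token holder may access {@code account}.
     *
     * <p>Tokens that are not Zimbra users are rejected before anything else. Access is then
     * granted to a global admin (only when {@code z} is true), to a parent of the account,
     * or to a holder of the {@code loginAs} user right.
     *
     * @param authToken caller's token, must not be {@code null}
     * @param account target account
     * @param z whether admin privilege may be used for this decision
     * @return {@code true} when access is allowed
     * @throws ServiceException declared by the contract; this body does not throw it directly
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(AuthToken authToken, Account account, boolean z) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        // Runs before any grant decision, including the admin shortcut.
        checkDomainStatus(account);
        if (isGlobalAdmin(authToken, z) || isParentOf(authToken, account)) {
            return true;
        }
        return canDo(authToken, account, Rights.User.R_loginAs, z);
    }

    /** Same as {@link #canAccessAccount(AuthToken, Account, boolean)} with admin privilege enabled. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(AuthToken authToken, Account account) throws ServiceException {
        return canAccessAccount(authToken, account, true);
    }

    /**
     * Account-based variant of the access check.
     *
     * @param account acting account; {@code null} is denied
     * @param account2 target account
     * @param z forwarded to {@code AccessControlUtil.isGlobalAdmin} and to the right check
     * @return {@code true} when access is allowed
     * @throws ServiceException declared by the contract; this body does not throw it directly
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(Account account, Account account2, boolean z) throws ServiceException {
        if (account == null) {
            return false;
        }
        checkDomainStatus(account2);
        if (AccessControlUtil.isGlobalAdmin(account, z) || isParentOf(account, account2)) {
            return true;
        }
        return canDo(account, account2, Rights.User.R_loginAs, z);
    }

    /** Same as {@link #canAccessAccount(Account, Account, boolean)} with admin privilege enabled. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessAccount(Account account, Account account2) throws ServiceException {
        return canAccessAccount(account, account2, true);
    }

    /**
     * Allows COS access only to a Zimbra-user token with the admin flag set.
     * The {@code cos} argument is not consulted.
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessCos(AuthToken authToken, Cos cos) throws ServiceException {
        return authToken.isZimbraUser() && isGlobalAdmin(authToken);
    }

    /**
     * Allows domain access, by domain name, only to a Zimbra-user token with the admin flag set.
     *
     * @param authToken caller's token
     * @param str domain name handed to {@code checkDomainStatus}
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessDomain(AuthToken authToken, String str) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        checkDomainStatus(str);
        return isGlobalAdmin(authToken);
    }

    /** Allows domain access only to a Zimbra-user token with the admin flag set. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessDomain(AuthToken authToken, Domain domain) throws ServiceException {
        if (!authToken.isZimbraUser()) {
            return false;
        }
        checkDomainStatus(domain);
        return isGlobalAdmin(authToken);
    }

    /**
     * Decides whether the token holder may act on an e-mail address.
     *
     * <p>If the address resolves to an account that the caller is a parent of, access is
     * granted. Otherwise the decision falls back to the domain check on the address's
     * domain part.
     *
     * <p>NOTE(review): the parent shortcut is evaluated before any {@code isZimbraUser()}
     * test. Whether {@code isParentOf} covers that case is not visible here.
     *
     * @param authToken caller's token
     * @param str e-mail address to check
     * @return {@code true} when access is allowed
     * @throws ServiceException {@code INVALID_REQUEST} when the address cannot be split into
     *     local part and domain
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canAccessEmail(AuthToken authToken, String str) throws ServiceException {
        String[] localPartAndDomain = EmailUtil.getLocalPartAndDomain(str);
        if (localPartAndDomain == null) {
            throw ServiceException.INVALID_REQUEST("must be valid email address: " + str, (Throwable) null);
        }
        Account account = Provisioning.getInstance().get(Provisioning.AccountBy.name, str, authToken);
        if (account != null && isParentOf(authToken, account)) {
            return true;
        }
        return canAccessDomain(authToken, localPartAndDomain[1]);
    }

    /**
     * Central right check.
     *
     * <p>A {@code null} right or any non-user right is treated as admin-only and answered by
     * the global-admin test. User rights go to the ACL delegate. When the delegate is
     * unavailable the check fails closed.
     *
     * @param account acting account
     * @param entry target entry
     * @param right right being requested, may be {@code null}
     * @param z forwarded to the admin test or to the ACL delegate
     * @return {@code true} when the right is granted
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(Account account, Entry entry, Right right, boolean z) {
        if (right == null || !right.isUserRight()) {
            return AccessControlUtil.isGlobalAdmin(account, z);
        }
        if (this.mAclAccessManager == null) {
            // Fail closed: without the delegate no user right can be verified.
            return false;
        }
        return this.mAclAccessManager.canDo(account, entry, right, z);
    }

    /**
     * Resolves the token to an account and delegates to the account-based check.
     * Denies when no account is resolved.
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z) {
        Account grantee = AccessControlUtil.authTokenToAccount(authToken, right);
        if (grantee == null) {
            return false;
        }
        return canDo(grantee, entry, right, z);
    }

    /**
     * Resolves the e-mail address to an account and delegates to the account-based check.
     * Denies when no account is resolved.
     */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canDo(String str, Entry entry, Right right, boolean z) {
        Account grantee = AccessControlUtil.emailAddrToAccount(str, right);
        if (grantee == null) {
            return false;
        }
        return canDo(grantee, entry, right, z);
    }

    /**
     * Returns an allow-all attribute checker for a global admin and a deny-all checker for
     * everyone else. The {@code entry} argument is not consulted.
     */
    @Override // com.zimbra.cs.account.AccessManager
    public AccessManager.AttrRightChecker canGetAttrs(Account account, Entry entry, boolean z) throws ServiceException {
        return AccessControlUtil.isGlobalAdmin(account, z) ? AllowedAttrs.ALLOW_ALL_ATTRS() : AllowedAttrs.DENY_ALL_ATTRS();
    }

    /**
     * Token-based variant that resolves the token's account and applies the account-based rule.
     *
     * <p>NOTE(review): unlike the other {@link AuthToken} overloads this one does not test
     * {@code isZimbraUser()} or the token's admin flag. How a {@code null} result from
     * {@code getAccount()} is handled depends on {@code AccessControlUtil.isGlobalAdmin}
     * and should be confirmed.
     */
    @Override // com.zimbra.cs.account.AccessManager
    public AccessManager.AttrRightChecker canGetAttrs(AuthToken authToken, Entry entry, boolean z) throws ServiceException {
        return canGetAttrs(authToken.getAccount(), entry, z);
    }

    /** Attribute reads are all-or-nothing: allowed only for a global admin, whatever {@code set} holds. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canGetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return AccessControlUtil.isGlobalAdmin(account, z);
    }

    /** Attribute reads are all-or-nothing: allowed only when {@code z} is true and the token is admin. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canGetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return isGlobalAdmin(authToken, z);
    }

    /** Quota changes require an admin token. The target account and the quota value {@code j} are not consulted. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canModifyMailQuota(AuthToken authToken, Account account, long j) throws ServiceException {
        return isGlobalAdmin(authToken);
    }

    /** Attribute writes are all-or-nothing: allowed only for a global admin, whatever {@code set} holds. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return AccessControlUtil.isGlobalAdmin(account, z);
    }

    /** Attribute writes are all-or-nothing: allowed only when {@code z} is true and the token is admin. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException {
        return isGlobalAdmin(authToken, z);
    }

    /** Attribute writes with values: allowed only for a global admin. The values in {@code map} are not inspected. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(Account account, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        return AccessControlUtil.isGlobalAdmin(account, z);
    }

    /** Attribute writes with values: allowed only when {@code z} is true and the token is admin. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean canSetAttrs(AuthToken authToken, Entry entry, Map<String, Object> map, boolean z) throws ServiceException {
        return isGlobalAdmin(authToken, z);
    }

    /** Always {@code false}: this manager has no domain-admin tier. */
    @Override // com.zimbra.cs.account.AccessManager
    public boolean isDomainAdminOnly(AuthToken authToken) {
        return false;
    }

    /** Admin test with admin privilege enabled. */
    private boolean isGlobalAdmin(AuthToken authToken) {
        return isGlobalAdmin(authToken, true);
    }

    /**
     * Token-based admin test.
     *
     * <p>The result rests entirely on {@code authToken.isAdmin()}. NOTE(review): whether that
     * flag is re-validated against the account's current state is decided by the
     * {@link AuthToken} implementation, not here.
     *
     * @param z when {@code false} the admin flag is ignored and the result is {@code false}
     */
    private boolean isGlobalAdmin(AuthToken authToken, boolean z) {
        return z && authToken.isAdmin();
    }

    /** Delegates to {@code CollectAllEffectiveRights}. No check is made here on who is asking. */
    @Override // com.zimbra.cs.account.accesscontrol.AdminConsoleCapable
    public void getAllEffectiveRights(RightBearer rightBearer, boolean z, boolean z2, RightCommand.AllEffectiveRights allEffectiveRights) throws ServiceException {
        CollectAllEffectiveRights.getAllEffectiveRights(rightBearer, z, z2, allEffectiveRights);
    }

    /** Delegates to {@code CollectEffectiveRights}. No check is made here on who is asking. */
    @Override // com.zimbra.cs.account.accesscontrol.AdminConsoleCapable
    public void getEffectiveRights(RightBearer rightBearer, Entry entry, boolean z, boolean z2, RightCommand.EffectiveRights effectiveRights) throws ServiceException {
        CollectEffectiveRights.getEffectiveRights(rightBearer, entry, z, z2, effectiveRights);
    }

    /**
     * Lists the target types covered by a grant search: accounts, calendar resources and
     * distribution lists.
     *
     * @return a new mutable set on every call
     */
    @Override // com.zimbra.cs.account.accesscontrol.AdminConsoleCapable
    public Set<TargetType> targetTypesForGrantSearch() {
        // Typed set instead of the raw HashSet left by decompilation (removes the unchecked add calls).
        Set<TargetType> targetTypes = new HashSet<TargetType>();
        targetTypes.add(TargetType.account);
        targetTypes.add(TargetType.calresource);
        targetTypes.add(TargetType.dl);
        return targetTypes;
    }
}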
