package com.zimbra.cs.account;

import com.zimbra.common.localconfig.LC;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.ZAttrProvisioning;
import com.zimbra.cs.account.accesscontrol.ACLAccessManager;
import com.zimbra.cs.account.accesscontrol.GlobalAccessManager;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.mailbox.OperationContextData;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/AccessManager.class */
public abstract class AccessManager {
    private static AccessManager sManager;

    /* loaded from: input_file:com/zimbra/cs/account/AccessManager$AttrRightChecker.class */
    public interface AttrRightChecker {
        boolean allowAttr(String str);
    }

    /* loaded from: input_file:com/zimbra/cs/account/AccessManager$ViaGrant.class */
    public static class ViaGrant {
        private ViaGrant mImpl;

        public void setImpl(ViaGrant viaGrant) {
            this.mImpl = viaGrant;
        }

        public String getTargetType() {
            if (this.mImpl == null) {
                return null;
            }
            return this.mImpl.getTargetType();
        }

        public String getTargetName() {
            if (this.mImpl == null) {
                return null;
            }
            return this.mImpl.getTargetName();
        }

        public String getGranteeType() {
            if (this.mImpl == null) {
                return null;
            }
            return this.mImpl.getGranteeType();
        }

        public String getGranteeName() {
            if (this.mImpl == null) {
                return null;
            }
            return this.mImpl.getGranteeName();
        }

        public String getRight() {
            if (this.mImpl == null) {
                return null;
            }
            return this.mImpl.getRight();
        }

        public boolean isNegativeGrant() {
            return (this.mImpl == null ? null : Boolean.valueOf(this.mImpl.isNegativeGrant())).booleanValue();
        }

        public boolean available() {
            return this.mImpl != null;
        }
    }

    public static AccessManager getInstance() {
        String value;
        if (sManager == null) {
            try {
                String attr = Provisioning.getInstance().getConfig().getAttr(ZAttrProvisioning.A_zimbraAdminAccessControlMech);
                if (attr != null) {
                    ZAttrProvisioning.AdminAccessControlMech fromString = ZAttrProvisioning.AdminAccessControlMech.fromString(attr);
                    if (fromString == ZAttrProvisioning.AdminAccessControlMech.acl) {
                        sManager = new ACLAccessManager();
                    } else if (fromString == ZAttrProvisioning.AdminAccessControlMech.global) {
                        sManager = new GlobalAccessManager();
                    }
                }
            } catch (ServiceException e) {
                ZimbraLog.account.warn("unable to determine access manager from global config attribute zimbraAdminAccessControlMech, fallback to use LC key " + LC.zimbra_class_accessmanager.key(), e);
            }
            if (sManager == null && (value = LC.zimbra_class_accessmanager.value()) != null && !value.equals(OperationContextData.GranteeNames.EMPTY_NAME)) {
                try {
                    sManager = (AccessManager) Class.forName(value).newInstance();
                } catch (Exception e2) {
                    ZimbraLog.account.error("could not instantiate AccessManager interface of class '" + value + "'; defaulting to DomainAccessManager", e2);
                }
            }
            if (sManager == null) {
                sManager = new GlobalAccessManager();
            }
            ZimbraLog.account.info("Initialized access manager: " + sManager.getClass().getCanonicalName());
        }
        return sManager;
    }

    public abstract boolean isDomainAdminOnly(AuthToken authToken);

    public abstract boolean isAdequateAdminAccount(Account account);

    public Account getAccount(AuthToken authToken) throws ServiceException {
        return Provisioning.getInstance().get(Provisioning.AccountBy.id, authToken.getAccountId(), authToken);
    }

    protected Account getAdminAccount(AuthToken authToken) throws ServiceException {
        String adminAccountId = authToken.getAdminAccountId();
        if (adminAccountId == null) {
            return null;
        }
        return Provisioning.getInstance().get(Provisioning.AccountBy.id, adminAccountId, authToken);
    }

    public Domain getDomain(AuthToken authToken) throws ServiceException {
        return Provisioning.getInstance().getDomain(getAccount(authToken));
    }

    public abstract boolean canAccessAccount(AuthToken authToken, Account account, boolean z) throws ServiceException;

    public abstract boolean canAccessAccount(AuthToken authToken, Account account) throws ServiceException;

    public abstract boolean canAccessAccount(Account account, Account account2, boolean z) throws ServiceException;

    public abstract boolean canAccessAccount(Account account, Account account2) throws ServiceException;

    public abstract boolean canAccessDomain(AuthToken authToken, String str) throws ServiceException;

    public abstract boolean canAccessDomain(AuthToken authToken, Domain domain) throws ServiceException;

    public abstract boolean canAccessCos(AuthToken authToken, Cos cos) throws ServiceException;

    public abstract boolean canAccessEmail(AuthToken authToken, String str) throws ServiceException;

    public abstract boolean canModifyMailQuota(AuthToken authToken, Account account, long j) throws ServiceException;

    public boolean allowPrivateAccess(Account account, Account account2, boolean z) throws ServiceException {
        if (account == null || account2 == null) {
            return false;
        }
        return account.getId().equalsIgnoreCase(account2.getId()) || canAccessAccount(account, account2, z);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isParentOf(AuthToken authToken, Account account) throws ServiceException {
        return isParentOf(getAccount(authToken), account);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isParentOf(Account account, Account account2) {
        return account.getMultiAttrSet(ZAttrProvisioning.A_zimbraChildAccount).contains(account2.getId());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkDomainStatus(Account account) throws ServiceException {
        checkDomainStatus(Provisioning.getInstance().getDomain(account));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkDomainStatus(String str) throws ServiceException {
        checkDomainStatus(Provisioning.getInstance().get(Provisioning.DomainBy.name, str));
    }

    public void checkDomainStatus(Domain domain) throws ServiceException {
        if (domain != null) {
            if (domain.isSuspended() || domain.isShutdown()) {
                throw ServiceException.PERM_DENIED("domain is " + domain.getDomainStatusAsString());
            }
        }
    }

    public abstract boolean canDo(Account account, Entry entry, Right right, boolean z);

    public abstract boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z);

    public abstract boolean canDo(String str, Entry entry, Right right, boolean z);

    public boolean canDo(Account account, Entry entry, Right right, boolean z, ViaGrant viaGrant) throws ServiceException {
        return canDo(account, entry, right, z);
    }

    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z, ViaGrant viaGrant) throws ServiceException {
        return canDo(authToken, entry, right, z);
    }

    public boolean canDo(String str, Entry entry, Right right, boolean z, ViaGrant viaGrant) throws ServiceException {
        return canDo(str, entry, right, z);
    }

    public abstract boolean canGetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException;

    public abstract boolean canGetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException;

    public AttrRightChecker canGetAttrs(Account account, Entry entry, boolean z) throws ServiceException {
        throw ServiceException.FAILURE("not supported", (Throwable) null);
    }

    public AttrRightChecker canGetAttrs(AuthToken authToken, Entry entry, boolean z) throws ServiceException {
        throw ServiceException.FAILURE("not supported", (Throwable) null);
    }

    public abstract boolean canSetAttrs(Account account, Entry entry, Set<String> set, boolean z) throws ServiceException;

    public abstract boolean canSetAttrs(AuthToken authToken, Entry entry, Set<String> set, boolean z) throws ServiceException;

    public abstract boolean canSetAttrs(Account account, Entry entry, Map<String, Object> map, boolean z) throws ServiceException;

    public abstract boolean canSetAttrs(AuthToken authToken, Entry entry, Map<String, Object> map, boolean z) throws ServiceException;

    public boolean canSetAttrsOnCreate(Account account, TargetType targetType, String str, Map<String, Object> map, boolean z) throws ServiceException {
        throw ServiceException.FAILURE("not supported", (Throwable) null);
    }

    public boolean canPerform(Account account, Entry entry, Right right, boolean z, Map<String, Object> map, boolean z2, ViaGrant viaGrant) throws ServiceException {
        throw ServiceException.FAILURE("not supported", (Throwable) null);
    }

    public boolean canPerform(AuthToken authToken, Entry entry, Right right, boolean z, Map<String, Object> map, boolean z2, ViaGrant viaGrant) throws ServiceException {
        throw ServiceException.FAILURE("not supported", (Throwable) null);
    }
}
