package org.apache.directory.server.core.authz;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.filtering.EntryFilter;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.api.partition.PartitionNexus;
import org.apache.directory.server.core.shared.DefaultCoreSession;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.entry.Value;
import org.apache.directory.shared.ldap.model.exception.LdapException;
import org.apache.directory.shared.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.class */
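/**
 * Built-in protection of the system entries for deployments that do not run
 * the ACI access-control subsystem.
 * <p>
 * Every operation handler first asks the {@link DirectoryService} whether
 * access control is enabled. When it is, this interceptor only passes the
 * call on (authorization is presumably done by the access-control
 * interceptor). When it is not, the handlers refuse modifications, deletions,
 * moves and renames of the protected entries by non-administrators, and
 * filter the results of {@code list}, {@code search} and {@code lookup} so
 * that protected entries are only visible to administrators or to the owner
 * of the entry.
 * <p>
 * The protected entries are the administrator entry
 * {@code uid=admin,ou=system}, the administrators group
 * {@code cn=Administrators,ou=groups,ou=system} and everything more than two
 * RDNs deep under the administrator entry, {@code ou=groups,ou=system} or
 * {@code ou=users,ou=system}.
 * <p>
 * An "administrator" is either the {@code uid=admin,ou=system} principal or a
 * {@code uniqueMember} of the administrators group. The membership is cached
 * in {@link #administrators} as normalised DNs, loaded in
 * {@link #init(DirectoryService)} and refreshed after a successful modify of
 * the group entry (see {@link #modify(ModifyOperationContext)}).
 */
public class DefaultAuthorizationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationInterceptor.class);

    // Protected system DNs. They are static, hence shared by every instance,
    // and are (re)assigned from the service's DN factory on each init().
    private static Dn ADMIN_SYSTEM_DN;
    private static Dn GROUPS_BASE_DN;
    private static Dn USERS_BASE_DN;
    private static Dn ADMIN_GROUP_DN;

    // Normalised DNs of the uniqueMember values of ADMIN_GROUP_DN, see loadAdministrators().
    private Set<String> administrators;
    private PartitionNexus nexus;

    /**
     * Entry filter added to list/search cursors while access control is
     * disabled; it hides from the caller every entry
     * {@link DefaultAuthorizationInterceptor#isSearchable(OperationContext, Entry)}
     * rejects.
     */
    private class DefaultAuthorizationSearchFilter implements EntryFilter {
        private DefaultAuthorizationSearchFilter() {
        }

        /**
         * @return {@code true} if the entry may be returned to the session's principal
         */
        public boolean accept(SearchingOperationContext searchingOperationContext, Entry entry) throws Exception {
            return DefaultAuthorizationInterceptor.this.isSearchable(searchingOperationContext, entry);
        }
    }

    /**
     * Creates the interceptor with an empty administrators cache; the cache is
     * populated by {@link #init(DirectoryService)}.
     */
    public DefaultAuthorizationInterceptor() {
        super(InterceptorEnum.DEFAULT_AUTHORIZATION_INTERCEPTOR);
        this.administrators = new HashSet<String>(2);
    }

    /**
     * Resolves the protected DNs through the service's DN factory and loads the
     * administrators group membership.
     *
     * @param directoryService the service this interceptor is attached to
     * @throws LdapException if a DN cannot be created or the group cannot be read
     */
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        this.nexus = directoryService.getPartitionNexus();
        ADMIN_SYSTEM_DN = directoryService.getDnFactory().create("uid=admin,ou=system");
        GROUPS_BASE_DN = directoryService.getDnFactory().create("ou=groups,ou=system");
        USERS_BASE_DN = directoryService.getDnFactory().create("ou=users,ou=system");
        ADMIN_GROUP_DN = directoryService.getDnFactory().create("cn=Administrators,ou=groups,ou=system");
        loadAdministrators(directoryService);
    }

    /**
     * Rebuilds the {@link #administrators} cache from the {@code uniqueMember}
     * values of the administrators group.
     * <p>
     * The group entry is read directly from the nexus with an internal session
     * bound to the administrator principal, so the read is neither subject to
     * the caller's rights nor to the protections enforced by this interceptor.
     * If the group entry does not exist the cache is left unchanged; if it
     * exists without any {@code uniqueMember} the cache becomes empty, leaving
     * {@code uid=admin,ou=system} as the only administrator.
     *
     * @param directoryService the service providing the DN factory
     * @throws LdapException if the lookup fails or a member value is not a valid DN
     */
    private void loadAdministrators(DirectoryService directoryService) throws LdapException {
        // Normalised (OID form) administrator DN with a STRONG authentication level.
        LdapPrincipal adminPrincipal = new LdapPrincipal(this.schemaManager,
                directoryService.getDnFactory().create("0.9.2342.19200300.100.1.1=admin,2.5.4.11=system"),
                AuthenticationLevel.STRONG);
        CoreSession adminSession = new DefaultCoreSession(adminPrincipal, directoryService);
        Entry adminGroup = this.nexus.lookup(new LookupOperationContext(adminSession, ADMIN_GROUP_DN));

        if (adminGroup == null) {
            return;
        }

        Set<String> members = new HashSet<String>(2);
        // A group without uniqueMember must not blow up the reload: it simply has no members.
        Iterable<Value<?>> uniqueMembers = adminGroup.get(UNIQUE_MEMBER_AT);

        if (uniqueMembers != null) {
            for (Value<?> member : uniqueMembers) {
                // Keep the normalised form, which is what isAnAdministrator() looks up.
                members.add(directoryService.getDnFactory().create(member.getString()).getNormName());
            }
        }

        // Swap in the complete set so a concurrent reader never sees a half-built cache.
        this.administrators = members;
    }

    /**
     * Refuses deletions of protected entries while access control is disabled.
     * <p>
     * The empty DN, the administrators group and the administrator entry are
     * refused to everybody, administrators included. Non-administrators are
     * additionally refused any entry more than two RDNs deep under the
     * administrator entry, {@code ou=groups,ou=system} or
     * {@code ou=users,ou=system}.
     *
     * @param deleteOperationContext the delete to check and forward
     * @throws LdapNoPermissionException if the deletion is refused
     * @throws LdapException if the next interceptor fails
     */
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        if (deleteOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            next(deleteOperationContext);
            return;
        }

        Dn dn = deleteOperationContext.getDn();

        if (dn.isEmpty()) {
            throw refuse(I18n.ERR_12);
        }

        if (dn.equals(ADMIN_GROUP_DN)) {
            throw refuse(I18n.ERR_13);
        }

        Dn principalDn = getPrincipal(deleteOperationContext).getDn();

        if (dn.equals(ADMIN_SYSTEM_DN)) {
            throw refuse(I18n.ERR_14, principalDn.getName());
        }

        // Only the subtree protection below is waived for administrators.
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.isDescendantOf(ADMIN_SYSTEM_DN)) {
                throw refuse(I18n.ERR_15, principalDn.getName(), dn.getName());
            }

            // Groups and users share the same error message.
            if (dn.isDescendantOf(GROUPS_BASE_DN) || dn.isDescendantOf(USERS_BASE_DN)) {
                throw refuse(I18n.ERR_16, principalDn.getName(), dn.getName());
            }
        }

        next(deleteOperationContext);
    }

    /**
     * Forwards the list and, while access control is disabled, filters the
     * resulting cursor through {@link DefaultAuthorizationSearchFilter}.
     *
     * @param listOperationContext the list to forward
     * @return the (possibly filtered) cursor of the next interceptor
     * @throws LdapException if the next interceptor fails
     */
    public EntryFilteringCursor list(ListOperationContext listOperationContext) throws LdapException {
        return protectCursor(listOperationContext, next(listOperationContext));
    }

    /**
     * Forwards the lookup and, while access control is disabled, refuses to
     * return protected entries to non-administrators.
     * <p>
     * The entry is read from the next interceptor before the check, so a
     * refused lookup still costs a backend read.
     *
     * @param lookupOperationContext the lookup to forward
     * @return the entry returned by the next interceptor
     * @throws LdapNoPermissionException if the principal may not read the entry
     * @throws LdapException if the next interceptor fails
     */
    public Entry lookup(LookupOperationContext lookupOperationContext) throws LdapException {
        CoreSession session = lookupOperationContext.getSession();
        Entry entry = next(lookupOperationContext);

        if (session.getDirectoryService().isAccessControlEnabled()) {
            return entry;
        }

        protectLookUp(session.getEffectivePrincipal().getDn(), lookupOperationContext.getDn());
        return entry;
    }

    /**
     * Refuses modifications of protected entries while access control is
     * disabled and keeps the administrators cache in sync with the group entry.
     * <p>
     * NOTE(review): the cache reload only runs on this code path, i.e. while
     * access control is disabled; if the flag is switched at runtime the cache
     * may be stale until the next init or the next modify of the group.
     *
     * @param modifyOperationContext the modify to check and forward
     * @throws LdapNoPermissionException if the modification is refused
     * @throws LdapException if the next interceptor or the cache reload fails
     */
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        if (modifyOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            next(modifyOperationContext);
            return;
        }

        Dn dn = modifyOperationContext.getDn();
        protectModifyAlterations(modifyOperationContext, dn);
        next(modifyOperationContext);

        // Reload only after the modification has been applied; a refused or
        // failed modify leaves the cache as it was.
        if (dn.equals(ADMIN_GROUP_DN)) {
            loadAdministrators(modifyOperationContext.getSession().getDirectoryService());
        }
    }

    /**
     * Refuses moves of protected entries while access control is disabled.
     *
     * @param moveOperationContext the move to check and forward
     * @throws LdapNoPermissionException if the move is refused
     * @throws LdapException if the next interceptor fails
     */
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        if (!moveOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(moveOperationContext, moveOperationContext.getDn());
        }

        next(moveOperationContext);
    }

    /**
     * Refuses move-and-rename of protected entries while access control is disabled.
     *
     * @param moveAndRenameOperationContext the operation to check and forward
     * @throws LdapNoPermissionException if the operation is refused
     * @throws LdapException if the next interceptor fails
     */
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        if (!moveAndRenameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(moveAndRenameOperationContext, moveAndRenameOperationContext.getDn());
        }

        next(moveAndRenameOperationContext);
    }

    /**
     * Refuses renames of protected entries while access control is disabled.
     *
     * @param renameOperationContext the rename to check and forward
     * @throws LdapNoPermissionException if the rename is refused
     * @throws LdapException if the next interceptor fails
     */
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        if (!renameOperationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            protectDnAlterations(renameOperationContext, renameOperationContext.getDn());
        }

        next(renameOperationContext);
    }

    /**
     * Forwards the search and, while access control is disabled, filters the
     * resulting cursor through {@link DefaultAuthorizationSearchFilter}.
     *
     * @param searchOperationContext the search to forward
     * @return the (possibly filtered) cursor of the next interceptor
     * @throws LdapException if the next interceptor fails
     */
    public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
        return protectCursor(searchOperationContext, next(searchOperationContext));
    }

    /**
     * Adds the protection filter to {@code cursor} unless access control is
     * enabled for the operation's session.
     *
     * @param operationContext the list or search being served
     * @param cursor the cursor produced by the next interceptor
     * @return {@code cursor}, for chaining
     */
    private EntryFilteringCursor protectCursor(OperationContext operationContext, EntryFilteringCursor cursor) {
        if (!operationContext.getSession().getDirectoryService().isAccessControlEnabled()) {
            cursor.addEntryFilter(new DefaultAuthorizationSearchFilter());
        }

        return cursor;
    }

    /**
     * Logs the localised message of {@code error} and builds the exception the
     * caller throws; returning it (rather than throwing here) lets the caller
     * write {@code throw refuse(...)} so the compiler sees the control flow.
     *
     * @param error the message key
     * @param args the message arguments (principal and entry names)
     * @return the exception to throw
     */
    private LdapNoPermissionException refuse(I18n error, Object... args) {
        String message = I18n.err(error, args);
        LOG.error(message);
        return new LdapNoPermissionException(message);
    }

    /**
     * @return {@code true} if {@code dn} is the {@code uid=admin,ou=system} entry
     */
    private boolean isTheAdministrator(Dn dn) {
        return dn.equals(ADMIN_SYSTEM_DN);
    }

    /**
     * @return {@code true} if {@code dn} is the administrator entry or a cached
     *         member of the administrators group (compared by normalised name)
     */
    private boolean isAnAdministrator(Dn dn) {
        return isTheAdministrator(dn) || this.administrators.contains(dn.getNormName());
    }

    /**
     * Checks whether the operation's principal may modify {@code dn}.
     * <p>
     * The empty DN is refused to everybody. Administrators may modify anything
     * else, and any principal may modify its own entry. Other principals are
     * refused the administrator entry and anything more than two RDNs deep
     * under the administrator entry, {@code ou=groups,ou=system} or
     * {@code ou=users,ou=system}.
     *
     * @param operationContext the operation whose principal is checked
     * @param dn the entry being modified
     * @throws LdapNoPermissionException if the modification is refused
     * @throws LdapException if the principal cannot be resolved
     */
    private void protectModifyAlterations(OperationContext operationContext, Dn dn) throws LdapException {
        Dn principalDn = getPrincipal(operationContext).getDn();

        if (dn.isEmpty()) {
            throw refuse(I18n.ERR_17);
        }

        // Self-modification is always allowed, whoever the principal is.
        if (isAnAdministrator(principalDn) || dn.equals(principalDn)) {
            return;
        }

        if (dn.equals(ADMIN_SYSTEM_DN)) {
            throw refuse(I18n.ERR_18, principalDn.getName());
        }

        if (dn.size() > 2) {
            if (dn.isDescendantOf(ADMIN_SYSTEM_DN)) {
                throw refuse(I18n.ERR_19, principalDn.getName(), dn.getName());
            }

            // Groups and users share the same error message.
            if (dn.isDescendantOf(GROUPS_BASE_DN) || dn.isDescendantOf(USERS_BASE_DN)) {
                throw refuse(I18n.ERR_20, principalDn.getName(), dn.getName());
            }
        }
    }

    /**
     * Checks whether the operation's principal may move or rename {@code dn}.
     * <p>
     * The empty DN, the administrators group and the administrator entry are
     * refused to everybody. Non-administrators are additionally refused any
     * entry more than two RDNs deep under the administrator entry,
     * {@code ou=groups,ou=system} or {@code ou=users,ou=system}.
     *
     * @param operationContext the operation whose principal is checked
     * @param dn the entry being moved or renamed
     * @throws LdapNoPermissionException if the operation is refused
     * @throws LdapException if the principal cannot be resolved
     */
    private void protectDnAlterations(OperationContext operationContext, Dn dn) throws LdapException {
        Dn principalDn = getPrincipal(operationContext).getDn();

        if (dn.isEmpty()) {
            throw refuse(I18n.ERR_234);
        }

        if (dn.equals(ADMIN_GROUP_DN)) {
            throw refuse(I18n.ERR_21);
        }

        if (isTheAdministrator(dn)) {
            throw refuse(I18n.ERR_22, principalDn.getName(), dn.getName());
        }

        // Only the subtree protection below is waived for administrators.
        if (dn.size() <= 2 || isAnAdministrator(principalDn)) {
            return;
        }

        if (dn.isDescendantOf(ADMIN_SYSTEM_DN)) {
            throw refuse(I18n.ERR_23, principalDn.getName(), dn.getName());
        }

        // Groups and users share the same error message.
        if (dn.isDescendantOf(GROUPS_BASE_DN) || dn.isDescendantOf(USERS_BASE_DN)) {
            throw refuse(I18n.ERR_24, principalDn.getName(), dn.getName());
        }
    }

    /**
     * Checks whether {@code principalDn} may read the entry {@code entryDn}.
     * <p>
     * Administrators may read everything. Other principals may read their own
     * entry, but not other entries more than two RDNs deep under the
     * administrator entry, {@code ou=groups,ou=system} or
     * {@code ou=users,ou=system}, nor the administrator entry itself.
     *
     * @param principalDn the DN of the reading principal
     * @param entryDn the DN being looked up
     * @throws LdapException if the read is refused
     */
    private void protectLookUp(Dn principalDn, Dn entryDn) throws LdapException {
        if (isAnAdministrator(principalDn)) {
            return;
        }

        if (entryDn.size() > 2) {
            if (entryDn.isDescendantOf(ADMIN_SYSTEM_DN)) {
                if (entryDn.getNormName().equals(principalDn.getNormName())) {
                    return;
                }

                throw refuse(I18n.ERR_25, entryDn.getName(), principalDn.getName());
            }

            if (entryDn.isDescendantOf(GROUPS_BASE_DN) || entryDn.isDescendantOf(USERS_BASE_DN)) {
                // Users may read their own entry.
                if (entryDn.equals(principalDn)) {
                    return;
                }

                throw refuse(I18n.ERR_26, entryDn.getName(), principalDn.getName());
            }
        }

        // The administrator entry is readable by the administrator only.
        if (isTheAdministrator(entryDn) && !entryDn.getNormName().equals(principalDn.getNormName())) {
            throw refuse(I18n.ERR_27, principalDn.getName());
        }
    }

    /**
     * Decides whether a list/search result may be returned to the session's
     * effective principal.
     * <p>
     * Administrators see everything and every principal sees its own entry.
     * Otherwise entries with at least two RDNs under the administrator entry,
     * {@code ou=groups,ou=system} or {@code ou=users,ou=system} are hidden, as
     * is the administrator entry itself.
     * <p>
     * Declared {@code public} in this listing because the decompiler widened
     * the original {@code private} accessor used by the inner filter.
     *
     * @param operationContext the list or search being served
     * @param entry the candidate result; its DN is schema-normalised in place
     * @return {@code true} if the entry may be returned
     * @throws Exception if the DN cannot be normalised
     */
    public boolean isSearchable(OperationContext operationContext, Entry entry) throws Exception {
        Dn principalDn = operationContext.getSession().getEffectivePrincipal().getDn();
        Dn entryDn = entry.getDn();
        // Normalise against the schema so the equality/descendant checks
        // below compare like with like.
        entryDn.apply(operationContext.getSession().getDirectoryService().getSchemaManager());

        if (isAnAdministrator(principalDn) || entryDn.equals(principalDn)) {
            return true;
        }

        if (entryDn.size() >= 2
                && (entryDn.isDescendantOf(ADMIN_SYSTEM_DN)
                    || entryDn.isDescendantOf(GROUPS_BASE_DN)
                    || entryDn.isDescendantOf(USERS_BASE_DN))) {
            return false;
        }

        return !isTheAdministrator(entryDn);
    }
}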
