package com.zimbra.cs.service.admin;

import com.google.common.base.Joiner;
import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.Element;
import com.zimbra.common.util.EmailUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.AttributeClass;
import com.zimbra.cs.account.AttributeManager;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.CalendarResource;
import com.zimbra.cs.account.Cos;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.DynamicGroup;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.Group;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.accesscontrol.AdminRight;
import com.zimbra.cs.account.accesscontrol.PseudoTarget;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.account.names.NameUtil;
import com.zimbra.cs.service.FileUploadServlet;
import com.zimbra.cs.service.PreAuthServlet;
import com.zimbra.cs.service.admin.AdminRightCheckPoint;
import com.zimbra.cs.session.Session;
import com.zimbra.soap.DocumentHandler;
import com.zimbra.soap.ZimbraSoapContext;
import com.zimbra.soap.admin.type.CosSelector;
import com.zimbra.soap.admin.type.DomainSelector;
import com.zimbra.soap.admin.type.ServerSelector;
import com.zimbra.soap.type.AccountSelector;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler.class */
public abstract class AdminDocumentHandler extends DocumentHandler implements AdminRightCheckPoint {

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$AccountHarvestingChecker.class */
    public interface AccountHarvestingChecker {
        void check(Account account, String str) throws ServiceException;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$AccountHarvestingCheckerBase.class */
    public abstract class AccountHarvestingCheckerBase implements AccountHarvestingChecker {
        protected final ZimbraSoapContext zsc;
        protected final AuthToken authToken;
        protected ServiceException firstException = null;

        protected abstract void doRightsCheck(Account account) throws ServiceException;

        public AccountHarvestingCheckerBase(ZimbraSoapContext zimbraSoapContext) {
            this.zsc = zimbraSoapContext;
            this.authToken = zimbraSoapContext.getAuthToken();
        }

        protected boolean hasRight(Account account, String str) {
            try {
                doRightsCheck(account);
                return true;
            } catch (ServiceException e) {
                if (this.firstException != null) {
                    return false;
                }
                if (this.authToken.isAdmin()) {
                    this.firstException = e;
                    return false;
                }
                this.firstException = ServiceException.DEFEND_ACCOUNT_HARVEST(str);
                return false;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$AccountHarvestingCheckerUsingCheckAccountRight.class */
    public class AccountHarvestingCheckerUsingCheckAccountRight extends AccountHarvestingCheckerBase {
        private Object needed;

        public AccountHarvestingCheckerUsingCheckAccountRight(ZimbraSoapContext zimbraSoapContext, Object obj) {
            super(zimbraSoapContext);
            this.needed = null;
            this.needed = obj;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.AccountHarvestingCheckerBase
        protected void doRightsCheck(Account account) throws ServiceException {
            AdminDocumentHandler.this.checkAccountRight(this.zsc, account, this.needed);
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.AccountHarvestingChecker
        public void check(Account account, String str) throws ServiceException {
            if (!hasRight(account, str)) {
                throw this.firstException;
            }
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$AccountHarvestingCheckerUsingCheckRight.class */
    protected class AccountHarvestingCheckerUsingCheckRight extends AccountHarvestingCheckerBase {
        private final AdminRight adminRight;
        private final Map<String, Object> context;

        public AccountHarvestingCheckerUsingCheckRight(ZimbraSoapContext zimbraSoapContext, Map<String, Object> map, AdminRight adminRight) {
            super(zimbraSoapContext);
            this.adminRight = adminRight;
            this.context = map;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.AccountHarvestingCheckerBase
        protected void doRightsCheck(Account account) throws ServiceException {
            AdminDocumentHandler.this.checkRight(this.zsc, this.context, account, this.adminRight);
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.AccountHarvestingChecker
        public void check(Account account, String str) throws ServiceException {
            if (!hasRight(account, str)) {
                throw this.firstException;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$CalResourceHarvestingChecker.class */
    public interface CalResourceHarvestingChecker {
        void check(CalendarResource calendarResource, String str) throws ServiceException;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$CalResourceHarvestingCheckerBase.class */
    public abstract class CalResourceHarvestingCheckerBase implements CalResourceHarvestingChecker {
        protected final ZimbraSoapContext zsc;
        protected final AuthToken authToken;
        protected ServiceException firstException = null;

        protected abstract void doRightsCheck(CalendarResource calendarResource) throws ServiceException;

        public CalResourceHarvestingCheckerBase(ZimbraSoapContext zimbraSoapContext) {
            this.zsc = zimbraSoapContext;
            this.authToken = zimbraSoapContext.getAuthToken();
        }

        protected boolean hasRight(CalendarResource calendarResource, String str) {
            try {
                doRightsCheck(calendarResource);
                return true;
            } catch (ServiceException e) {
                if (this.firstException != null) {
                    return false;
                }
                if (this.authToken.isAdmin()) {
                    this.firstException = e;
                    return false;
                }
                this.firstException = ServiceException.DEFEND_CALENDAR_RESOURCE_HARVEST(str);
                return false;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$CalResourceHarvestingCheckerUsingCheckCalendarResourceRight.class */
    public class CalResourceHarvestingCheckerUsingCheckCalendarResourceRight extends CalResourceHarvestingCheckerBase {
        private Object needed;

        public CalResourceHarvestingCheckerUsingCheckCalendarResourceRight(ZimbraSoapContext zimbraSoapContext, Object obj) {
            super(zimbraSoapContext);
            this.needed = null;
            this.needed = obj;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.CalResourceHarvestingCheckerBase
        protected void doRightsCheck(CalendarResource calendarResource) throws ServiceException {
            AdminDocumentHandler.this.checkCalendarResourceRight(this.zsc, calendarResource, this.needed);
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.CalResourceHarvestingChecker
        public void check(CalendarResource calendarResource, String str) throws ServiceException {
            if (!hasRight(calendarResource, str)) {
                throw this.firstException;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$GroupHarvestingChecker.class */
    public interface GroupHarvestingChecker {
        void check(Group group, String str) throws ServiceException;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$GroupHarvestingCheckerBase.class */
    public abstract class GroupHarvestingCheckerBase implements GroupHarvestingChecker {
        protected final ZimbraSoapContext zsc;
        protected final AuthToken authToken;
        protected ServiceException firstException = null;

        protected abstract void doRightsCheck(Group group) throws ServiceException;

        public GroupHarvestingCheckerBase(ZimbraSoapContext zimbraSoapContext) {
            this.zsc = zimbraSoapContext;
            this.authToken = zimbraSoapContext.getAuthToken();
        }

        protected boolean hasRight(Group group, String str) {
            try {
                doRightsCheck(group);
                return true;
            } catch (ServiceException e) {
                if (this.firstException != null) {
                    return false;
                }
                if (this.authToken.isAdmin()) {
                    this.firstException = e;
                    return false;
                }
                this.firstException = ServiceException.DEFEND_DL_HARVEST(str);
                return false;
            }
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$GroupHarvestingCheckerUsingCheckGroupRight.class */
    protected class GroupHarvestingCheckerUsingCheckGroupRight extends GroupHarvestingCheckerBase {
        private Object needed;

        public GroupHarvestingCheckerUsingCheckGroupRight(ZimbraSoapContext zimbraSoapContext, Object obj) {
            super(zimbraSoapContext);
            this.needed = null;
            this.needed = obj;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingCheckerBase
        protected void doRightsCheck(Group group) throws ServiceException {
            if (group.isDynamic()) {
                AdminDocumentHandler.this.checkDynamicGroupRight(this.zsc, (DynamicGroup) group, this.needed);
            } else {
                AdminDocumentHandler.this.checkDistributionListRight(this.zsc, (DistributionList) group, this.needed);
            }
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingChecker
        public void check(Group group, String str) throws ServiceException {
            if (!hasRight(group, str)) {
                throw this.firstException;
            }
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$GroupHarvestingCheckerUsingCheckRight.class */
    protected class GroupHarvestingCheckerUsingCheckRight extends GroupHarvestingCheckerBase {
        private final AdminRight adminRight;
        private final Map<String, Object> context;

        public GroupHarvestingCheckerUsingCheckRight(ZimbraSoapContext zimbraSoapContext, Map<String, Object> map, AdminRight adminRight) {
            super(zimbraSoapContext);
            this.adminRight = adminRight;
            this.context = map;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingCheckerBase
        protected void doRightsCheck(Group group) throws ServiceException {
            AdminDocumentHandler.this.checkRight(this.zsc, this.context, group, this.adminRight);
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingChecker
        public void check(Group group, String str) throws ServiceException {
            if (!hasRight(group, str)) {
                throw this.firstException;
            }
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminDocumentHandler$GroupHarvestingCheckerUsingGetAttrsPerms.class */
    protected class GroupHarvestingCheckerUsingGetAttrsPerms extends GroupHarvestingCheckerBase {
        private final AccessManager.AttrRightChecker arc;
        private final List<String> getAttrs;
        private String currAttr;

        public GroupHarvestingCheckerUsingGetAttrsPerms(ZimbraSoapContext zimbraSoapContext, AccessManager.AttrRightChecker attrRightChecker, List<String> list) {
            super(zimbraSoapContext);
            this.arc = attrRightChecker;
            this.getAttrs = list;
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingCheckerBase
        protected void doRightsCheck(Group group) throws ServiceException {
            if (this.arc != null && !this.arc.allowAttr(this.currAttr)) {
                throw ServiceException.DEFEND_DL_HARVEST(group.getName());
            }
        }

        @Override // com.zimbra.cs.service.admin.AdminDocumentHandler.GroupHarvestingChecker
        public void check(Group group, String str) throws ServiceException {
            Iterator<String> it = this.getAttrs.iterator();
            while (it.hasNext()) {
                this.currAttr = it.next();
                if (hasRight(group, str)) {
                    return;
                }
            }
            throw this.firstException;
        }
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean needsAuth(Map<String, Object> map) {
        return true;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean needsAdminAuth(Map<String, Object> map) {
        return true;
    }

    @Override // com.zimbra.soap.DocumentHandler
    public boolean isAdminCommand() {
        return true;
    }

    protected String[] getProxiedAccountPath() {
        return null;
    }

    protected String[] getProxiedAccountElementPath() {
        return null;
    }

    protected String[] getProxiedResourcePath() {
        return null;
    }

    protected String[] getProxiedResourceElementPath() {
        return null;
    }

    protected String[] getProxiedServerPath() {
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Account getAccount(Provisioning provisioning, Key.AccountBy accountBy, String str, AuthToken authToken) throws ServiceException {
        Account account;
        try {
            account = provisioning.get(accountBy, str, true, authToken);
        } catch (ServiceException e) {
            account = provisioning.get(accountBy, str, false, authToken);
        }
        return account;
    }

    private CalendarResource getCalendarResource(Provisioning provisioning, Key.CalendarResourceBy calendarResourceBy, String str) throws ServiceException {
        CalendarResource calendarResource;
        try {
            calendarResource = provisioning.get(calendarResourceBy, str, true);
        } catch (ServiceException e) {
            calendarResource = provisioning.get(calendarResourceBy, str, false);
        }
        return calendarResource;
    }

    public static Entry pseudoTargetInSameDomainAsEmail(TargetType targetType, String str) {
        String[] localPartAndDomain = EmailUtil.getLocalPartAndDomain(str);
        if (localPartAndDomain == null || localPartAndDomain.length < 2) {
            return null;
        }
        try {
            return PseudoTarget.createPseudoTarget(Provisioning.getInstance(), targetType, Key.DomainBy.name, localPartAndDomain[1], false, null, null);
        } catch (ServiceException e) {
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstAccountHarvestingWhenAbsent(Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, AccountHarvestingChecker accountHarvestingChecker) throws ServiceException {
        Entry pseudoTargetInSameDomainAsEmail;
        AuthToken authToken = zimbraSoapContext.getAuthToken();
        if (authToken.isAdmin()) {
            throw AccountServiceException.NO_SUCH_ACCOUNT(str);
        }
        if (!Key.AccountBy.name.equals(accountBy) || !AuthToken.isAnyAdmin(authToken) || (pseudoTargetInSameDomainAsEmail = pseudoTargetInSameDomainAsEmail(TargetType.account, str)) == null) {
            throw ServiceException.DEFEND_ACCOUNT_HARVEST(str);
        }
        accountHarvestingChecker.check((Account) pseudoTargetInSameDomainAsEmail, str);
        throw AccountServiceException.NO_SUCH_ACCOUNT(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstAccountHarvesting(Account account, Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, AccountHarvestingChecker accountHarvestingChecker) throws ServiceException {
        if (account == null) {
            defendAgainstAccountHarvestingWhenAbsent(accountBy, str, zimbraSoapContext, accountHarvestingChecker);
        } else {
            accountHarvestingChecker.check(account, str);
        }
    }

    protected void defendAgainstAccountHarvestingWhenAbsent(Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, Object obj) throws ServiceException {
        defendAgainstAccountHarvestingWhenAbsent(accountBy, str, zimbraSoapContext, (AccountHarvestingChecker) new AccountHarvestingCheckerUsingCheckAccountRight(zimbraSoapContext, obj));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstAccountHarvesting(Account account, Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, Object obj) throws ServiceException {
        AccountHarvestingCheckerUsingCheckAccountRight accountHarvestingCheckerUsingCheckAccountRight = new AccountHarvestingCheckerUsingCheckAccountRight(zimbraSoapContext, obj);
        if (account == null) {
            defendAgainstAccountHarvestingWhenAbsent(accountBy, str, zimbraSoapContext, (AccountHarvestingChecker) accountHarvestingCheckerUsingCheckAccountRight);
        } else {
            accountHarvestingCheckerUsingCheckAccountRight.check(account, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstAccountOrCalendarResourceHarvestingWhenAbsent(Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, AdminRight adminRight, AdminRight adminRight2) throws ServiceException {
        try {
            defendAgainstCalResourceHarvestingWhenAbsent(Key.CalendarResourceBy.fromString(accountBy.toString()), str, zimbraSoapContext, new CalResourceHarvestingCheckerUsingCheckCalendarResourceRight(zimbraSoapContext, adminRight2));
        } catch (ServiceException e) {
            defendAgainstAccountHarvestingWhenAbsent(accountBy, str, zimbraSoapContext, adminRight);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstAccountOrCalendarResourceHarvesting(Account account, Key.AccountBy accountBy, String str, ZimbraSoapContext zimbraSoapContext, AdminRight adminRight, AdminRight adminRight2) throws ServiceException {
        if (account == null) {
            defendAgainstAccountOrCalendarResourceHarvestingWhenAbsent(accountBy, str, zimbraSoapContext, adminRight, adminRight2);
        } else if (account.isCalendarResource()) {
            defendAgainstCalResourceHarvesting(Provisioning.getInstance().get(Key.CalendarResourceBy.id, account.getId()), Key.CalendarResourceBy.fromString(accountBy.toString()), str, zimbraSoapContext, adminRight2);
        } else {
            defendAgainstAccountHarvesting(account, accountBy, str, zimbraSoapContext, adminRight);
        }
    }

    protected void defendAgainstCalResourceHarvestingWhenAbsent(Key.CalendarResourceBy calendarResourceBy, String str, ZimbraSoapContext zimbraSoapContext, CalResourceHarvestingChecker calResourceHarvestingChecker) throws ServiceException {
        Entry pseudoTargetInSameDomainAsEmail;
        AuthToken authToken = zimbraSoapContext.getAuthToken();
        if (authToken.isAdmin()) {
            throw AccountServiceException.NO_SUCH_CALENDAR_RESOURCE(str);
        }
        if (!Key.CalendarResourceBy.name.equals(calendarResourceBy) || !AuthToken.isAnyAdmin(authToken) || (pseudoTargetInSameDomainAsEmail = pseudoTargetInSameDomainAsEmail(TargetType.calresource, str)) == null) {
            throw ServiceException.DEFEND_CALENDAR_RESOURCE_HARVEST(str);
        }
        calResourceHarvestingChecker.check((CalendarResource) pseudoTargetInSameDomainAsEmail, str);
        throw AccountServiceException.NO_SUCH_CALENDAR_RESOURCE(str);
    }

    protected void defendAgainstCalResourceHarvesting(CalendarResource calendarResource, Key.CalendarResourceBy calendarResourceBy, String str, ZimbraSoapContext zimbraSoapContext, CalResourceHarvestingChecker calResourceHarvestingChecker) throws ServiceException {
        if (calendarResource == null) {
            defendAgainstCalResourceHarvestingWhenAbsent(calendarResourceBy, str, zimbraSoapContext, calResourceHarvestingChecker);
        } else {
            calResourceHarvestingChecker.check(calendarResource, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstCalResourceHarvesting(CalendarResource calendarResource, Key.CalendarResourceBy calendarResourceBy, String str, ZimbraSoapContext zimbraSoapContext, Object obj) throws ServiceException {
        CalResourceHarvestingCheckerUsingCheckCalendarResourceRight calResourceHarvestingCheckerUsingCheckCalendarResourceRight = new CalResourceHarvestingCheckerUsingCheckCalendarResourceRight(zimbraSoapContext, obj);
        if (calendarResource == null) {
            defendAgainstCalResourceHarvestingWhenAbsent(calendarResourceBy, str, zimbraSoapContext, calResourceHarvestingCheckerUsingCheckCalendarResourceRight);
        } else {
            calResourceHarvestingCheckerUsingCheckCalendarResourceRight.check(calendarResource, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstServerNameHarvesting(Server server, Key.ServerBy serverBy, String str, ZimbraSoapContext zimbraSoapContext, AdminRight adminRight) throws ServiceException {
        if (server == null) {
            defendAgainstServerNameHarvestingWhenAbsent(serverBy, str, zimbraSoapContext, adminRight);
        } else {
            checkRight(zimbraSoapContext, server, adminRight);
        }
    }

    protected void defendAgainstServerNameHarvestingWhenAbsent(Key.ServerBy serverBy, String str, ZimbraSoapContext zimbraSoapContext, AdminRight adminRight) throws ServiceException {
        if (zimbraSoapContext.getAuthToken().isAdmin()) {
            throw AccountServiceException.NO_SUCH_SERVER(str);
        }
        checkRight(zimbraSoapContext, PseudoTarget.createPseudoTarget(Provisioning.getInstance(), TargetType.server, null, null, false, null, null), adminRight);
        throw AccountServiceException.NO_SUCH_SERVER(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstGroupHarvestingWhenAbsent(Key.DistributionListBy distributionListBy, String str, ZimbraSoapContext zimbraSoapContext, GroupHarvestingChecker groupHarvestingChecker) throws ServiceException {
        Entry pseudoTargetInSameDomainAsEmail;
        AuthToken authToken = zimbraSoapContext.getAuthToken();
        if (authToken.isAdmin()) {
            throw AccountServiceException.NO_SUCH_DISTRIBUTION_LIST(str);
        }
        if (!Key.DistributionListBy.name.equals(distributionListBy) || !AuthToken.isAnyAdmin(authToken) || (pseudoTargetInSameDomainAsEmail = pseudoTargetInSameDomainAsEmail(TargetType.dl, str)) == null) {
            throw ServiceException.DEFEND_DL_HARVEST(str);
        }
        groupHarvestingChecker.check((DistributionList) pseudoTargetInSameDomainAsEmail, str);
        throw AccountServiceException.NO_SUCH_DISTRIBUTION_LIST(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstGroupHarvesting(Group group, Key.DistributionListBy distributionListBy, String str, ZimbraSoapContext zimbraSoapContext, GroupHarvestingChecker groupHarvestingChecker) throws ServiceException {
        if (group == null) {
            defendAgainstGroupHarvestingWhenAbsent(distributionListBy, str, zimbraSoapContext, groupHarvestingChecker);
        } else {
            groupHarvestingChecker.check(group, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstGroupHarvestingWhenAbsent(Key.DistributionListBy distributionListBy, String str, ZimbraSoapContext zimbraSoapContext, AdminRight adminRight) throws ServiceException {
        defendAgainstGroupHarvestingWhenAbsent(distributionListBy, str, zimbraSoapContext, new GroupHarvestingCheckerUsingCheckGroupRight(zimbraSoapContext, adminRight));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void defendAgainstGroupHarvesting(Group group, Key.DistributionListBy distributionListBy, String str, ZimbraSoapContext zimbraSoapContext, Object obj, Object obj2) throws ServiceException {
        if (group == null) {
            defendAgainstGroupHarvestingWhenAbsent(distributionListBy, str, zimbraSoapContext, new GroupHarvestingCheckerUsingCheckGroupRight(zimbraSoapContext, obj2));
        } else {
            new GroupHarvestingCheckerUsingCheckGroupRight(zimbraSoapContext, group.isDynamic() ? obj : obj2).check(group, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.zimbra.soap.DocumentHandler
    public Element proxyIfNecessary(Element element, Map<String, Object> map) throws ServiceException {
        Server server;
        CalendarResource calendarResource;
        CalendarResource calendarResource2;
        Account account;
        Account account2;
        ZimbraSoapContext zimbraSoapContext = getZimbraSoapContext(map);
        if (zimbraSoapContext.getProxyTarget() != null) {
            return null;
        }
        try {
            Provisioning provisioning = Provisioning.getInstance();
            Provisioning.Reasons reasons = new Provisioning.Reasons();
            String[] proxiedAccountPath = getProxiedAccountPath();
            String xPath = proxiedAccountPath != null ? getXPath(element, proxiedAccountPath) : null;
            if (xPath != null && (account2 = getAccount(provisioning, Key.AccountBy.id, xPath, zimbraSoapContext.getAuthToken())) != null && !Provisioning.onLocalServer(account2, reasons)) {
                if (zimbraSoapContext.getHopCount() > 2 || ZimbraLog.soap.isDebugEnabled()) {
                    ZimbraLog.soap.info("Proxying request:ProxiedAccountPath=%s reasons:%s", new Object[]{Joiner.on("/").join(proxiedAccountPath), reasons.getReason()});
                }
                return proxyRequest(element, map, xPath);
            }
            String[] proxiedAccountElementPath = getProxiedAccountElementPath();
            Element xPathElement = proxiedAccountElementPath != null ? getXPathElement(element, proxiedAccountElementPath) : null;
            if (xPathElement != null && (account = getAccount(provisioning, Key.AccountBy.fromString(xPathElement.getAttribute(PreAuthServlet.PARAM_BY)), xPathElement.getText(), zimbraSoapContext.getAuthToken())) != null && !Provisioning.onLocalServer(account, reasons)) {
                if (zimbraSoapContext.getHopCount() > 2 || ZimbraLog.soap.isDebugEnabled()) {
                    ZimbraLog.soap.info("Proxying request:ProxiedAccountElementPath=%s acctElt=%s reasons:%s", new Object[]{Joiner.on("/").join(proxiedAccountElementPath), xPathElement.toString(), reasons.getReason()});
                }
                return proxyRequest(element, map, account.getId());
            }
            String[] proxiedResourcePath = getProxiedResourcePath();
            String xPath2 = proxiedResourcePath != null ? getXPath(element, proxiedResourcePath) : null;
            if (xPath2 != null && (calendarResource2 = getCalendarResource(provisioning, Key.CalendarResourceBy.id, xPath2)) != null && !Provisioning.onLocalServer(calendarResource2, reasons)) {
                if (zimbraSoapContext.getHopCount() > 2 || ZimbraLog.soap.isDebugEnabled()) {
                    ZimbraLog.soap.info("Proxying request:ProxiedResourcePath=%s rsrcId=%s reasons:%s", new Object[]{Joiner.on("/").join(proxiedResourcePath), xPath2, reasons.getReason()});
                }
                return proxyRequest(element, map, xPath2);
            }
            String[] proxiedResourceElementPath = getProxiedResourceElementPath();
            Element xPathElement2 = proxiedResourceElementPath != null ? getXPathElement(element, proxiedResourceElementPath) : null;
            if (xPathElement2 != null && (calendarResource = getCalendarResource(provisioning, Key.CalendarResourceBy.fromString(xPathElement2.getAttribute(PreAuthServlet.PARAM_BY)), xPathElement2.getText())) != null && !Provisioning.onLocalServer(calendarResource, reasons)) {
                if (zimbraSoapContext.getHopCount() > 2 || ZimbraLog.soap.isDebugEnabled()) {
                    ZimbraLog.soap.info("Proxying request:ProxiedResourceElementPath=%s resourceElt=%s reasons:%s", new Object[]{Joiner.on("/").join(proxiedResourceElementPath), xPathElement2.toString(), reasons.getReason()});
                }
                return proxyRequest(element, map, calendarResource.getId());
            }
            String[] proxiedServerPath = getProxiedServerPath();
            String xPath3 = proxiedServerPath != null ? getXPath(element, proxiedServerPath) : null;
            if (xPath3 == null || (server = provisioning.get(Key.ServerBy.id, xPath3)) == null || getLocalHostId().equalsIgnoreCase(server.getId())) {
                return null;
            }
            if (zimbraSoapContext.getHopCount() > 2 || ZimbraLog.soap.isDebugEnabled()) {
                ZimbraLog.soap.info("Proxying request:ProxiedServerPath=%s serverId=%s server=%s server ID=%s != localHostId=%s", new Object[]{Joiner.on("/").join(proxiedServerPath), xPath3, server.getName(), server.getId(), getLocalHostId()});
            }
            return proxyRequest(element, map, server);
        } catch (ServiceException e) {
            if ("service.PROXY_ERROR".equals(e.getCode())) {
                return null;
            }
            throw e;
        }
    }

    @Override // com.zimbra.soap.DocumentHandler
    public Session.Type getDefaultSessionType() {
        return Session.Type.ADMIN;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Set<String> getReqAttrs(Element element, AttributeClass attributeClass) throws ServiceException {
        return getReqAttrs(element.getAttribute("attrs", (String) null), attributeClass);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Set<String> getReqAttrs(String str, AttributeClass attributeClass) throws ServiceException {
        if (str == null) {
            return null;
        }
        String[] split = str.split(FileUploadServlet.UPLOAD_DELIMITER);
        Set<String> allAttrsInClass = AttributeManager.getInstance().getAllAttrsInClass(attributeClass);
        HashSet hashSet = new HashSet();
        for (String str2 : split) {
            if (!allAttrsInClass.contains(str2)) {
                throw ServiceException.INVALID_REQUEST("requested attribute " + str2 + " is not on " + attributeClass.name(), (Throwable) null);
            }
            hashSet.add(str2);
        }
        return hashSet;
    }

    public boolean isDomainAdminOnly(ZimbraSoapContext zimbraSoapContext) {
        return AccessManager.getInstance().isDomainAdminOnly(zimbraSoapContext.getAuthToken());
    }

    public Domain getAuthTokenAccountDomain(ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        return AccessManager.getInstance().getDomain(zimbraSoapContext.getAuthToken());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean canAccessDomain(ZimbraSoapContext zimbraSoapContext, String str) throws ServiceException {
        return AccessManager.getInstance().canAccessDomain(zimbraSoapContext.getAuthToken(), str);
    }

    protected boolean canAccessDomain(ZimbraSoapContext zimbraSoapContext, Domain domain) throws ServiceException {
        return canAccessDomain(zimbraSoapContext, domain.getName());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean canModifyMailQuota(ZimbraSoapContext zimbraSoapContext, Account account, long j) throws ServiceException {
        return AccessManager.getInstance().canModifyMailQuota(zimbraSoapContext.getAuthToken(), account, j);
    }

    public boolean canAccessEmail(ZimbraSoapContext zimbraSoapContext, String str) throws ServiceException {
        return canAccessDomain(zimbraSoapContext, NameUtil.EmailAddress.getDomainNameFromEmail(str));
    }

    public void checkModifyAttrs(ZimbraSoapContext zimbraSoapContext, AttributeClass attributeClass, Map<String, Object> map) throws ServiceException {
        AdminAccessControl.getAdminAccessControl(zimbraSoapContext).checkModifyAttrs(attributeClass, map);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkSetAttrsOnCreate(ZimbraSoapContext zimbraSoapContext, TargetType targetType, String str, Map<String, Object> map) throws ServiceException {
        AdminAccessControl.getAdminAccessControl(zimbraSoapContext).checkSetAttrsOnCreate(targetType, str, map);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasRightsToList(ZimbraSoapContext zimbraSoapContext, NamedEntry namedEntry, AdminRight adminRight, Object obj) throws ServiceException {
        return AdminAccessControl.getAdminAccessControl(zimbraSoapContext).hasRightsToList(namedEntry, adminRight, obj);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasRightsToListCos(ZimbraSoapContext zimbraSoapContext, Cos cos, AdminRight adminRight, Object obj) throws ServiceException {
        return AdminAccessControl.getAdminAccessControl(zimbraSoapContext).hasRightsToListCos(cos, adminRight, obj);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkRight(ZimbraSoapContext zimbraSoapContext, Map<String, Object> map, Entry entry, Object obj) throws ServiceException {
        if (!AdminAccessControl.isDomainBasedAccessManager(AccessManager.getInstance())) {
            return checkRight(zimbraSoapContext, entry, obj);
        }
        if (!isDomainAdminOnly(zimbraSoapContext) || domainAuthSufficient(map)) {
            return AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        }
        throw ServiceException.PERM_DENIED("cannot access entry");
    }

    public static AdminAccessControl checkRight(ZimbraSoapContext zimbraSoapContext, Entry entry, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkRight(entry, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkCosRight(ZimbraSoapContext zimbraSoapContext, Cos cos, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkCosRight(cos, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkAccountRight(ZimbraSoapContext zimbraSoapContext, Account account, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkAccountRight(this, account, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkCalendarResourceRight(ZimbraSoapContext zimbraSoapContext, CalendarResource calendarResource, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkCalendarResourceRight(this, calendarResource, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkAdminLoginAsRight(ZimbraSoapContext zimbraSoapContext, Provisioning provisioning, Account account) throws ServiceException {
        return account.isCalendarResource() ? checkCalendarResourceRight(zimbraSoapContext, provisioning.get(Key.CalendarResourceBy.id, account.getId()), Rights.Admin.R_adminLoginCalendarResourceAs) : checkAccountRight(zimbraSoapContext, account, Rights.Admin.R_adminLoginAs);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkDistributionListRight(ZimbraSoapContext zimbraSoapContext, DistributionList distributionList, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkDistributionListRight(this, distributionList, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkDynamicGroupRight(ZimbraSoapContext zimbraSoapContext, DynamicGroup dynamicGroup, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkDynamicGroupRight(this, dynamicGroup, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkDomainRightByEmail(ZimbraSoapContext zimbraSoapContext, String str, AdminRight adminRight) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkDomainRightByEmail(this, str, adminRight);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkDomainRight(ZimbraSoapContext zimbraSoapContext, String str, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkDomainRight(this, str, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AdminAccessControl checkDomainRight(ZimbraSoapContext zimbraSoapContext, Domain domain, Object obj) throws ServiceException {
        AdminAccessControl adminAccessControl = AdminAccessControl.getAdminAccessControl(zimbraSoapContext);
        adminAccessControl.checkDomainRight(this, domain, obj);
        return adminAccessControl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkRightTODO() {
    }

    public void docRights(List<AdminRight> list, List<String> list2) {
        list2.add(AdminRightCheckPoint.Notes.TODO);
    }

    public Account verifyAccountHarvestingAndPerms(AccountSelector accountSelector, ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        if (accountSelector == null) {
            ServiceException INVALID_REQUEST = ServiceException.INVALID_REQUEST(String.format("missing <%s>", "account"), (Throwable) null);
            ZimbraLog.filter.debug("AccountSelector not found", INVALID_REQUEST);
            throw INVALID_REQUEST;
        }
        String key = accountSelector.getKey();
        Key.AccountBy keyAccountBy = accountSelector.getBy().toKeyAccountBy();
        Account account = provisioning.get(keyAccountBy, key, zimbraSoapContext.getAuthToken());
        defendAgainstAccountHarvesting(account, keyAccountBy, key, zimbraSoapContext, Rights.Admin.R_getAccountInfo);
        if (canModifyOptions(zimbraSoapContext, account)) {
            return account;
        }
        ServiceException PERM_DENIED = ServiceException.PERM_DENIED("cannot modify options");
        ZimbraLog.filter.debug("Do not have permission to modify options on account %s", account.getName(), PERM_DENIED);
        throw PERM_DENIED;
    }

    public Domain verifyDomainPerms(DomainSelector domainSelector, ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        if (domainSelector == null) {
            ServiceException INVALID_REQUEST = ServiceException.INVALID_REQUEST(String.format("missing <%s>", "domain"), (Throwable) null);
            ZimbraLog.filter.debug("DomainSelector not found", INVALID_REQUEST);
            throw INVALID_REQUEST;
        }
        Domain domain = provisioning.get(domainSelector);
        if (domain != null) {
            checkDomainRight(zimbraSoapContext, domain, Rights.Admin.R_getDomain);
            return domain;
        }
        ServiceException FAILURE = ServiceException.FAILURE(String.format("failed to get domain", new Object[0]), (Throwable) null);
        ZimbraLog.filter.debug("DomainSelector failed to get domain - %s:%s", domainSelector.getBy().toString(), domainSelector.getKey(), FAILURE);
        throw FAILURE;
    }

    public Cos verifyCosPerms(CosSelector cosSelector, ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        Cos cosByName;
        Provisioning provisioning = Provisioning.getInstance();
        if (cosSelector == null) {
            ServiceException INVALID_REQUEST = ServiceException.INVALID_REQUEST(String.format("missing <%s>", "cos"), (Throwable) null);
            ZimbraLog.filter.debug("CosSelector not found", INVALID_REQUEST);
            throw INVALID_REQUEST;
        }
        if (cosSelector.getBy().toString().equals(CosSelector.CosBy.id.toString())) {
            cosByName = provisioning.getCosById(cosSelector.getKey());
        } else {
            if (!cosSelector.getBy().toString().equals(CosSelector.CosBy.name.toString())) {
                ServiceException INVALID_REQUEST2 = ServiceException.INVALID_REQUEST(String.format("invalid cosby", new Object[0]), (Throwable) null);
                ZimbraLog.filter.debug("CosSelector not valid - %s:%s", cosSelector.getBy().toString(), cosSelector.getKey(), INVALID_REQUEST2);
                throw INVALID_REQUEST2;
            }
            cosByName = provisioning.getCosByName(cosSelector.getKey());
        }
        if (cosByName != null) {
            checkCosRight(zimbraSoapContext, cosByName, Rights.Admin.R_getCos);
            return cosByName;
        }
        ServiceException FAILURE = ServiceException.FAILURE(String.format("failed to get cos", new Object[0]), (Throwable) null);
        ZimbraLog.filter.debug("CosSelector failed to get cos - %s:%s", cosSelector.getBy().toString(), cosSelector.getKey(), FAILURE);
        throw FAILURE;
    }

    public Server verifyServerPerms(ServerSelector serverSelector, ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        Server serverByServiceHostname;
        Provisioning provisioning = Provisioning.getInstance();
        if (serverSelector == null) {
            ServiceException INVALID_REQUEST = ServiceException.INVALID_REQUEST(String.format("missing <%s>", "server"), (Throwable) null);
            ZimbraLog.filter.debug("ServerSelector not found", INVALID_REQUEST);
            throw INVALID_REQUEST;
        }
        if (serverSelector.getBy().toString().equals(ServerSelector.ServerBy.id.toString())) {
            serverByServiceHostname = provisioning.getServerById(serverSelector.getKey());
        } else if (serverSelector.getBy().toString().equals(ServerSelector.ServerBy.name.toString())) {
            serverByServiceHostname = provisioning.getServerByName(serverSelector.getKey());
        } else {
            if (!serverSelector.getBy().toString().equals(ServerSelector.ServerBy.serviceHostname.toString())) {
                ServiceException INVALID_REQUEST2 = ServiceException.INVALID_REQUEST(String.format("invalid serverby", new Object[0]), (Throwable) null);
                ZimbraLog.filter.debug("ServerSelector not valid - %s:%s", serverSelector.getBy().toString(), serverSelector.getKey(), INVALID_REQUEST2);
                throw INVALID_REQUEST2;
            }
            serverByServiceHostname = provisioning.getServerByServiceHostname(serverSelector.getKey());
        }
        if (serverByServiceHostname != null) {
            checkRight(zimbraSoapContext, serverByServiceHostname, Rights.Admin.R_getServer);
            return serverByServiceHostname;
        }
        ServiceException FAILURE = ServiceException.FAILURE(String.format("failed to get server", new Object[0]), (Throwable) null);
        ZimbraLog.filter.debug("ServerSelector failed to get server - %s:%s", serverSelector.getBy().toString(), serverSelector.getKey(), FAILURE);
        throw FAILURE;
    }
}
