package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.accesscontrol.RightBearer;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/AllowedAttrs.class */
public class AllowedAttrs implements AccessManager.AttrRightChecker {
    private static final Log sLog = ZimbraLog.acl;
    private Result mResult;
    private Set<String> mAllowSome;

    /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/AllowedAttrs$Result.class */
    public enum Result {
        ALLOW_ALL,
        DENY_ALL,
        ALLOW_SOME
    }

    public static final AllowedAttrs ALLOW_ALL_ATTRS() {
        return new AllowedAttrs(Result.ALLOW_ALL, null);
    }

    public static final AllowedAttrs DENY_ALL_ATTRS() {
        return new AllowedAttrs(Result.DENY_ALL, null);
    }

    public static AllowedAttrs ALLOW_SOME_ATTRS(Set<String> set) {
        return new AllowedAttrs(Result.ALLOW_SOME, set);
    }

    private AllowedAttrs(Result result, Set<String> set) {
        this.mResult = result;
        this.mAllowSome = set;
    }

    public Result getResult() {
        return this.mResult;
    }

    public Set<String> getAllowed() {
        return this.mAllowSome;
    }

    @Override // com.zimbra.cs.account.AccessManager.AttrRightChecker
    public boolean allowAttr(String str) {
        if (this.mResult == Result.ALLOW_ALL) {
            return true;
        }
        if (this.mResult == Result.DENY_ALL) {
            return false;
        }
        return getAllowed().contains(getActualAttrName(str));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canAccessAttrs(Set<String> set, Entry entry) throws ServiceException {
        if (sLog.isDebugEnabled()) {
            sLog.debug("canAccessAttrs attrsAllowed: " + dump());
            StringBuilder sb = new StringBuilder();
            if (set == null) {
                sb.append("<all attributes>");
            } else {
                Iterator<String> it = set.iterator();
                while (it.hasNext()) {
                    sb.append(it.next() + " ");
                }
            }
            sLog.debug("canAccessAttrs attrsNeeded: " + sb.toString());
        }
        if (this.mResult == Result.ALLOW_ALL) {
            return true;
        }
        if (this.mResult == Result.DENY_ALL || set == null) {
            return false;
        }
        Set<String> allowed = getAllowed();
        Iterator<String> it2 = set.iterator();
        while (it2.hasNext()) {
            String actualAttrName = getActualAttrName(it2.next());
            HardRules.checkForbiddenAttr(actualAttrName);
            if (!allowed.contains(actualAttrName)) {
                throw ServiceException.PERM_DENIED("cannot access attribute " + actualAttrName + " on " + TargetType.getTargetType(entry) + " target " + entry.getLabel());
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canSetAttrsWithinConstraints(RightBearer.Grantee grantee, Entry entry, Map<String, Object> map) throws ServiceException {
        if (map == null) {
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }
        if (this.mResult == Result.DENY_ALL) {
            return false;
        }
        Entry constraintEntry = AttributeConstraint.getConstraintEntry(entry);
        Map<String, AttributeConstraint> constraint = constraintEntry == null ? null : AttributeConstraint.getConstraint(constraintEntry);
        boolean z = (constraint == null || constraint.isEmpty()) ? false : true;
        if (z) {
            AllowedAttrs accessibleAttrs = CheckAttrRight.accessibleAttrs(grantee, constraintEntry, AdminRight.PR_SET_ATTRS, false);
            if (accessibleAttrs.getResult() == Result.ALLOW_ALL || (accessibleAttrs.getResult() == Result.ALLOW_SOME && accessibleAttrs.getAllowed().contains("zimbraConstraint"))) {
                z = false;
            }
        }
        boolean z2 = this.mResult == Result.ALLOW_ALL;
        Set<String> allowed = getAllowed();
        for (Map.Entry<String, Object> entry2 : map.entrySet()) {
            String actualAttrName = getActualAttrName(entry2.getKey());
            HardRules.checkForbiddenAttr(actualAttrName);
            if (!z2 && !allowed.contains(actualAttrName)) {
                throw ServiceException.PERM_DENIED("cannot access attribute " + actualAttrName + " on " + TargetType.getTargetType(entry) + " target " + entry.getLabel());
            }
            if (z && AttributeConstraint.violateConstraint(constraint, actualAttrName, entry2.getValue())) {
                return false;
            }
        }
        return true;
    }

    private String getActualAttrName(String str) {
        return (str.charAt(0) == '+' || str.charAt(0) == '-') ? str.substring(1) : str;
    }

    public String dump() {
        StringBuilder sb = new StringBuilder();
        sb.append("result = " + this.mResult + " ");
        if (this.mResult == Result.ALLOW_SOME) {
            sb.append("allowed = (");
            Iterator<String> it = this.mAllowSome.iterator();
            while (it.hasNext()) {
                sb.append(it.next() + " ");
            }
            sb.append(")");
        }
        return sb.toString();
    }
}
