package com.zimbra.cs.mailbox;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.db.Versions;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:com/zimbra/cs/mailbox/ACL.class */
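/**
 * Access-control list attached to a mailbox item: a set of {@link Grant}s plus two optional
 * ACL-wide expiry timestamps (one for internal grantees, one for guest/key grantees).
 *
 * <p>Rights are a bitmask of the {@code RIGHT_*} constants. {@link #RIGHT_SUBFOLDER} is never
 * stored on a grant; it is derived in {@link #getGrantedRights(Account)} when a grantee holds
 * both read and insert.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Guest passwords and access keys are held, encoded and returned by this class exactly as
 *       supplied; no hashing is applied here.</li>
 *   <li>{@link #toString()} renders the encoded metadata, which includes those secrets.
 *       NOTE(review): this class passes the ACL to trace logging and the raw metadata to a warn
 *       log; presumably the secrets end up in log output. Confirm against
 *       {@code Metadata.toString()} and restrict access to those logs.</li>
 * </ul>
 */
public final class ACL {
    public static final short RIGHT_READ = 1;
    public static final short RIGHT_WRITE = 2;
    public static final short RIGHT_INSERT = 4;
    public static final short RIGHT_DELETE = 8;
    public static final short RIGHT_ACTION = 16;
    public static final short RIGHT_ADMIN = 256;
    public static final short RIGHT_SUBFOLDER = 512;
    public static final short RIGHT_PRIVATE = 1024;
    public static final short RIGHT_FREEBUSY = 2048;

    /** Holding both of these rights implies {@link #RIGHT_SUBFOLDER} (value 5). */
    private static final short SUBFOLDER_RIGHTS = (short) (RIGHT_READ | RIGHT_INSERT);

    /** Every right that may be stored on a grant (value 3359); excludes the derived RIGHT_SUBFOLDER. */
    private static final short GRANTABLE_RIGHTS = (short) (RIGHT_READ | RIGHT_WRITE | RIGHT_INSERT
            | RIGHT_DELETE | RIGHT_ACTION | RIGHT_ADMIN | RIGHT_PRIVATE | RIGHT_FREEBUSY);

    public static final short ROLE_VIEW = RIGHT_READ;
    public static final short ROLE_MANAGER = (short) (RIGHT_READ | RIGHT_WRITE | RIGHT_INSERT
            | RIGHT_DELETE | RIGHT_ACTION);
    public static final short ROLE_ADMIN = (short) (ROLE_MANAGER | RIGHT_ADMIN);

    public static final byte GRANTEE_USER = 1;
    public static final byte GRANTEE_GROUP = 2;
    public static final byte GRANTEE_AUTHUSER = 3;
    public static final byte GRANTEE_DOMAIN = 4;
    public static final byte GRANTEE_COS = 5;
    public static final byte GRANTEE_PUBLIC = 6;
    public static final byte GRANTEE_GUEST = 7;
    public static final byte GRANTEE_KEY = 8;

    /** Length in bytes of a generated access key (hex-encoded to twice as many characters). */
    private static final int ACCESSKEY_SIZE_BYTES = 16;

    // Copy-on-write so that revokeAccess() can remove entries while iterating a snapshot.
    private final List<Grant> mGrants = new CopyOnWriteArrayList<Grant>();
    // 0 means "no ACL-wide expiry" for the respective grantee class.
    private long mInternalGrantExpiry = 0L;
    private long mGuestGrantExpiry = 0L;

    private static final String FN_GRANTS = "g";
    private static final String FN_INT_GRANT_EXPIRY = "ie";
    private static final String FN_GST_GRANT_EXPIRY = "ge";

    public static final char ABBR_READ = 'r';
    public static final char ABBR_WRITE = 'w';
    public static final char ABBR_INSERT = 'i';
    public static final char ABBR_DELETE = 'd';
    public static final char ABBR_ACTION = 'x';
    public static final char ABBR_ADMIN = 'a';
    public static final char ABBR_PRIVATE = 'p';
    public static final char ABBR_FREEBUSY = 'f';
    public static final char ABBR_CREATE_FOLDER = 'c';

    /**
     * A single entry of an {@link ACL}: a grantee (identified by type and, for most types, an id),
     * the rights granted, an optional secret (guest password or access key) and an optional
     * per-grant expiry in epoch milliseconds (0 = none).
     */
    public static class Grant {
        private String mGrantee;
        private String mName;
        private final byte mType;
        private short mRights;
        // Guest password (GRANTEE_GUEST) or access key (GRANTEE_KEY); kept as supplied.
        private String mSecret;
        private long mExpiry;

        private static final String FN_GRANTEE = "g";
        private static final String FN_NAME = "n";
        private static final String FN_TYPE = "t";
        private static final String FN_RIGHTS = "r";
        private static final String FN_PASSWORD = "a";
        private static final String FN_ACCESSKEY = "k";
        private static final String FN_EXPIRY = "e";

        /**
         * Creates a grant without secret or expiry.
         *
         * @param zimbraId grantee id
         * @param type     one of the {@code GRANTEE_*} constants
         * @param rights   requested rights; bits outside the grantable set are dropped
         */
        Grant(String zimbraId, byte type, short rights) {
            this.mExpiry = 0L;
            this.mGrantee = zimbraId;
            this.mType = type;
            this.mRights = (short) (rights & GRANTABLE_RIGHTS);
        }

        /**
         * Creates a grant with an optional secret and expiry.
         *
         * @param zimbraId grantee id
         * @param type     one of the {@code GRANTEE_*} constants
         * @param rights   requested rights; bits outside the grantable set are dropped
         * @param secret   password or access key; ignored unless the type is guest or key
         * @param expiry   per-grant expiry in epoch milliseconds, 0 for none
         */
        Grant(String zimbraId, byte type, short rights, String secret, long expiry) {
            this(zimbraId, type, rights);
            if (isSecretBearing(this.mType)) {
                this.mSecret = secret;
            }
            this.mExpiry = expiry;
        }

        /**
         * Decodes a grant from its persisted form (see {@link #encode()}).
         *
         * @param metadata encoded grant
         * @throws ServiceException propagated from the metadata accessors, e.g. when a required
         *                          field is missing
         */
        public Grant(Metadata metadata) throws ServiceException {
            this.mExpiry = 0L;
            this.mType = (byte) metadata.getLong(FN_TYPE);
            // Persisted rights are re-masked so stored data cannot carry non-grantable bits.
            this.mRights = (short) (metadata.getLong(FN_RIGHTS) & GRANTABLE_RIGHTS);
            this.mName = metadata.get(FN_NAME, null);
            if (hasGrantee()) {
                this.mGrantee = metadata.get(FN_GRANTEE);
            }
            if (this.mType == GRANTEE_GUEST) {
                // The guest password is optional in the encoded form.
                this.mSecret = metadata.get(FN_PASSWORD, null);
            } else if (this.mType == GRANTEE_KEY) {
                this.mSecret = metadata.get(FN_ACCESSKEY);
            }
            this.mExpiry = metadata.getLong(FN_EXPIRY, 0L);
        }

        /** Returns whether the given grantee type carries a secret (guest password or access key). */
        private static boolean isSecretBearing(byte type) {
            return type == GRANTEE_GUEST || type == GRANTEE_KEY;
        }

        /** Returns {@code false} for the "all authenticated users" and "public" grantee types. */
        public boolean hasGrantee() {
            return this.mType != GRANTEE_AUTHUSER && this.mType != GRANTEE_PUBLIC;
        }

        /** Returns the grantee id, or {@code null} when the grantee type has no specific grantee. */
        public String getGranteeId() {
            return hasGrantee() ? this.mGrantee : null;
        }

        public byte getGranteeType() {
            return this.mType;
        }

        /** Returns the stored rights without any expiry or grantee check. */
        public short getGrantedRights() {
            return this.mRights;
        }

        /**
         * Returns the rights this grant confers on {@code account}.
         *
         * @param account the requesting account; may be {@code null}
         * @param acl     the owning ACL, consulted for ACL-wide expiry
         * @return the stored rights when the grant is unexpired and matches the account, else 0
         * @throws ServiceException propagated from {@link #matches(Account)}
         */
        public short getGrantedRights(Account account, ACL acl) throws ServiceException {
            // Expiry is checked before matching, so an expired grant never confers rights.
            // NOTE(review): the trace calls below format the whole ACL, whose toString() is the
            // encoded metadata including grant secrets - confirm trace logs are access-restricted.
            if (isExpired(acl)) {
                if (ZimbraLog.acl.isTraceEnabled()) {
                    ZimbraLog.acl.trace("ACL.GrantedRights 0 for acl=%s (expired)", new Object[] {acl});
                }
                return 0;
            }
            if (matches(account)) {
                if (ZimbraLog.acl.isTraceEnabled()) {
                    ZimbraLog.acl.trace("ACL.GrantedRights %s for acl=%s",
                            new Object[] {Short.valueOf(this.mRights), acl});
                }
                return this.mRights;
            }
            if (ZimbraLog.acl.isTraceEnabled()) {
                String accountLabel = account == null ? "'null acct'" : account.getName();
                ZimbraLog.acl.trace("ACL.GrantedRights 0 for acl=%s (does not match %s)",
                        new Object[] {acl, accountLabel});
            }
            return 0;
        }

        /** Returns whether the effective expiry is set and lies before the current wall-clock time. */
        private boolean isExpired(ACL acl) {
            long effectiveExpiry = getEffectiveExpiry(acl);
            return effectiveExpiry != 0 && System.currentTimeMillis() > effectiveExpiry;
        }

        /**
         * Returns the expiry that applies to this grant: its own expiry if set, otherwise the
         * ACL-wide guest expiry (guest/key grants) or internal expiry (all other types except
         * public). Public grants have no ACL-wide fallback.
         *
         * @param acl the owning ACL
         * @return epoch milliseconds, or 0 when the grant does not expire
         */
        public long getEffectiveExpiry(ACL acl) {
            if (this.mExpiry != 0) {
                return this.mExpiry;
            }
            if (isSecretBearing(this.mType)) {
                return acl.getGuestGrantExpiry();
            }
            if (this.mType != GRANTEE_PUBLIC) {
                return acl.getInternalGrantExpiry();
            }
            return 0L;
        }

        public String getGranteeName() {
            return this.mName;
        }

        public void setGranteeName(String name) {
            this.mName = name;
        }

        /**
         * Returns whether this grant applies to {@code account}.
         *
         * @param account the requesting account; {@code null} matches only public grants
         * @throws ServiceException for an unknown grantee type, or propagated from provisioning
         */
        public boolean matches(Account account) throws ServiceException {
            // Obtained before the null check, as in the original statement order.
            Provisioning provisioning = Provisioning.getInstance();
            if (account == null) {
                return this.mType == GRANTEE_PUBLIC;
            }
            switch (this.mType) {
                case GRANTEE_USER:
                    return this.mGrantee.equals(account.getId());
                case GRANTEE_GROUP:
                    return provisioning.inACLGroup(account, this.mGrantee);
                case GRANTEE_AUTHUSER:
                    return isInternalAccount(account);
                case GRANTEE_DOMAIN:
                    return matchesDomainGrantee(account, provisioning);
                case GRANTEE_COS:
                    return this.mGrantee.equals(getId(provisioning.getCOS(account)));
                case GRANTEE_PUBLIC:
                    return true;
                case GRANTEE_GUEST:
                    return matchesGuestAccount(account);
                case GRANTEE_KEY:
                    return matchesAccessKey(account);
                default:
                    // Unknown types fail loudly rather than silently granting or denying.
                    throw ServiceException.FAILURE("unknown ACL grantee type: " + ((int) this.mType),
                            (Throwable) null);
            }
        }

        /** Domain grants never apply to external virtual accounts, even inside the domain. */
        private boolean matchesDomainGrantee(Account account, Provisioning provisioning)
                throws ServiceException {
            return !account.isIsExternalVirtualAccount()
                    && this.mGrantee.equals(getId(provisioning.getDomain(account)));
        }

        /** "All authenticated users" excludes the public pseudo-account and external virtual accounts. */
        private boolean isInternalAccount(Account account) {
            return !account.getId().equals(GuestAccount.GUID_PUBLIC)
                    && !account.isIsExternalVirtualAccount();
        }

        /**
         * Matches a guest grant. A {@link GuestAccount} must present the grant's secret, and a
         * grant with an empty secret never matches one. An external virtual account is matched on
         * its external e-mail address alone (case-insensitive); the secret is not consulted on
         * that path.
         */
        private boolean matchesGuestAccount(Account account) {
            if (account instanceof GuestAccount) {
                if (StringUtil.isNullOrEmpty(this.mSecret)) {
                    return false;
                }
                // NOTE(review): comparison semantics (e.g. constant-time) live in GuestAccount - confirm.
                return ((GuestAccount) account).matches(this.mGrantee, this.mSecret);
            }
            if (account.isIsExternalVirtualAccount()) {
                return this.mGrantee.equalsIgnoreCase(account.getExternalUserMailAddress());
            }
            return false;
        }

        /** Access-key grants apply only to {@link GuestAccount}s; the check is delegated to it. */
        private boolean matchesAccessKey(Account account) {
            return account instanceof GuestAccount
                    && ((GuestAccount) account).matchesAccessKey(this.mGrantee, this.mSecret);
        }

        private static final String getId(NamedEntry namedEntry) {
            return namedEntry == null ? null : namedEntry.getId();
        }

        /**
         * Returns whether this grant is addressed to the given grantee id. {@code null} and the
         * public GUID select public grants, the auth-user GUID selects "all" grants; guest and key
         * grantees are compared case-insensitively, all others exactly.
         */
        public boolean isGrantee(String zimbraId) {
            if (zimbraId == null || zimbraId.equals(GuestAccount.GUID_PUBLIC)) {
                return this.mType == GRANTEE_PUBLIC;
            }
            if (zimbraId.equals(GuestAccount.GUID_AUTHUSER)) {
                return this.mType == GRANTEE_AUTHUSER;
            }
            if (isSecretBearing(this.mType)) {
                return zimbraId.equalsIgnoreCase(this.mGrantee);
            }
            return zimbraId.equals(this.mGrantee);
        }

        /**
         * Replaces the granted rights. The value is masked to the grantable set, matching both
         * constructors, so an update can never store RIGHT_SUBFOLDER or undefined bits.
         */
        void setRights(short rights) {
            this.mRights = (short) (rights & GRANTABLE_RIGHTS);
        }

        /** Sets the secret; a no-op for non guest/key grants and for a {@code null} argument. */
        void setPassword(String secret) {
            if (isSecretBearing(this.mType) && secret != null) {
                this.mSecret = secret;
            }
        }

        /** Returns the guest password or access key as stored. Treat the result as sensitive. */
        public String getPassword() {
            return this.mSecret;
        }

        public void setExpiry(long expiry) {
            this.mExpiry = expiry;
        }

        public long getExpiry() {
            return this.mExpiry;
        }

        /**
         * Encodes this grant for persistence. The secret is written as supplied under the
         * access-key field for key grants and under the password field otherwise.
         */
        public Metadata encode() {
            Metadata metadata = new Metadata();
            metadata.put(FN_GRANTEE, hasGrantee() ? this.mGrantee : null);
            metadata.put(FN_NAME, this.mName);
            metadata.put(FN_TYPE, this.mType);
            metadata.put(FN_RIGHTS, this.mRights);
            metadata.put(this.mType == GRANTEE_KEY ? FN_ACCESSKEY : FN_PASSWORD, this.mSecret);
            metadata.put(FN_EXPIRY, this.mExpiry);
            return metadata;
        }
    }

    /** Creates an empty ACL with no ACL-wide expiry. */
    public ACL() {
    }

    /**
     * Creates an empty ACL with the given ACL-wide expiries (epoch milliseconds, 0 = none).
     *
     * @param internalGrantExpiry expiry for internal grantees
     * @param guestGrantExpiry    expiry for guest and key grantees
     */
    public ACL(long internalGrantExpiry, long guestGrantExpiry) {
        this.mInternalGrantExpiry = internalGrantExpiry;
        this.mGuestGrantExpiry = guestGrantExpiry;
    }

    /** Decodes an ACL from a bare list of encoded grants; malformed grants are skipped. */
    public ACL(MetadataList metadataList) {
        decodeGrants(metadataList);
    }

    /**
     * Decodes an ACL from its persisted form (see {@link #encode()}).
     *
     * <p>Decoding is best-effort: a failure while reading the container is logged and whatever
     * was read so far is kept, so the result may have no grants or default expiries.
     * NOTE(review): an ACL that decodes to "no grants" makes {@link #getGrantedRights(Account)}
     * return {@code null}; how callers treat that is outside this file - confirm it cannot widen
     * access. The warn message embeds the raw metadata, which presumably includes grant secrets.
     */
    public ACL(Metadata metadata) {
        MetadataList encodedGrants = null;
        try {
            encodedGrants = metadata.getList(FN_GRANTS, true);
            this.mInternalGrantExpiry = metadata.getLong(FN_INT_GRANT_EXPIRY, 0L);
            this.mGuestGrantExpiry = metadata.getLong(FN_GST_GRANT_EXPIRY, 0L);
        } catch (ServiceException e) {
            ZimbraLog.mailbox.warn("malformed ACL: " + metadata, e);
        }
        if (encodedGrants != null) {
            decodeGrants(encodedGrants);
        }
    }

    /** Adds every decodable grant; a malformed entry is logged and dropped (that grantee gets nothing). */
    private void decodeGrants(MetadataList metadataList) {
        for (int i = 0; i < metadataList.size(); i++) {
            try {
                this.mGrants.add(new Grant(metadataList.getMap(i)));
            } catch (ServiceException e) {
                ZimbraLog.mailbox.warn("malformed permission grant: " + metadataList, e);
            }
        }
    }

    public long getInternalGrantExpiry() {
        return this.mInternalGrantExpiry;
    }

    public long getGuestGrantExpiry() {
        return this.mGuestGrantExpiry;
    }

    /**
     * Returns the union of rights that all unexpired, matching grants confer on {@code account}.
     *
     * @param account the requesting account; may be {@code null}
     * @return {@code null} when the ACL holds no grants at all; otherwise the rights bitmask
     *         (possibly 0), with {@link #RIGHT_SUBFOLDER} added when read and insert are both held
     * @throws ServiceException propagated from grant matching
     */
    public Short getGrantedRights(Account account) throws ServiceException {
        if (this.mGrants.isEmpty()) {
            if (ZimbraLog.acl.isTraceEnabled()) {
                ZimbraLog.acl.trace("ACL.GrantedRights NULL (no grants)");
            }
            return null;
        }
        short rights = 0;
        for (Grant grant : this.mGrants) {
            rights = (short) (rights | grant.getGrantedRights(account, this));
        }
        if ((rights & SUBFOLDER_RIGHTS) == SUBFOLDER_RIGHTS) {
            rights = (short) (rights | RIGHT_SUBFOLDER);
        }
        if (ZimbraLog.acl.isTraceEnabled()) {
            ZimbraLog.acl.trace("ACL.GrantedRights %s from %s grants",
                    new Object[] {Short.valueOf(rights), Integer.valueOf(this.mGrants.size())});
        }
        return Short.valueOf(rights);
    }

    public boolean isEmpty() {
        return this.mGrants.isEmpty();
    }

    /** Same as {@link #grantAccess(String, byte, short, String, long)} with no per-grant expiry. */
    public Grant grantAccess(String zimbraId, byte type, short rights, String secret)
            throws ServiceException {
        return grantAccess(zimbraId, type, rights, secret, 0L);
    }

    /**
     * Adds a grant, or updates the existing grant addressed to the same grantee.
     *
     * @param zimbraId grantee id; ignored (replaced by the well-known GUID) for the "all" and
     *                 "public" types, required otherwise
     * @param type     one of the {@code GRANTEE_*} constants
     * @param rights   requested rights; bits outside the grantable set are dropped
     * @param secret   guest password or access key; a key is generated for key grants when null
     * @param expiry   per-grant expiry in epoch milliseconds, 0 for none
     * @return the new or updated grant
     * @throws ServiceException PERM_DENIED when {@code expiry} exceeds the ACL-wide policy,
     *                          INVALID_REQUEST when a required grantee id is missing,
     *                          GRANTEE_EXISTS when an identical grant is already present
     */
    public Grant grantAccess(String zimbraId, byte type, short rights, String secret, long expiry)
            throws ServiceException {
        final boolean secretBearing = type == GRANTEE_GUEST || type == GRANTEE_KEY;

        if (expiry != 0) {
            // A per-grant expiry may not outlive the ACL-wide limit for its grantee class;
            // public grants have no ACL-wide limit.
            long policyLimit;
            if (secretBearing) {
                policyLimit = this.mGuestGrantExpiry;
            } else if (type == GRANTEE_PUBLIC) {
                policyLimit = 0L;
            } else {
                policyLimit = this.mInternalGrantExpiry;
            }
            if (policyLimit != 0 && expiry > policyLimit) {
                throw ServiceException.PERM_DENIED("share expiration policy conflict");
            }
        }

        if (type == GRANTEE_AUTHUSER) {
            zimbraId = GuestAccount.GUID_AUTHUSER;
        } else if (type == GRANTEE_PUBLIC) {
            zimbraId = GuestAccount.GUID_PUBLIC;
        } else if (zimbraId == null) {
            throw ServiceException.INVALID_REQUEST("missing grantee id", (Throwable) null);
        }
        if (type == GRANTEE_KEY && secret == null) {
            secret = generateAccessKey();
        }

        // Normalise once so that the new-grant and update paths store the same value and the
        // duplicate check compares like with like.
        final short grantable = (short) (rights & GRANTABLE_RIGHTS);

        for (Grant grant : this.mGrants) {
            if (!grant.isGrantee(zimbraId)) {
                continue;
            }
            boolean sameSecret = !secretBearing || StringUtil.equal(grant.getPassword(), secret);
            if (grant.getGrantedRights() == grantable && sameSecret && grant.getExpiry() == expiry) {
                throw MailServiceException.GRANTEE_EXISTS(zimbraId, null);
            }
            grant.setRights(grantable);
            if (secretBearing) {
                grant.setPassword(secret);
            }
            grant.setExpiry(expiry);
            return grant;
        }

        Grant created = new Grant(zimbraId, type, grantable, secret, expiry);
        this.mGrants.add(created);
        return created;
    }

    /**
     * Removes every grant addressed to the given grantee id.
     *
     * @return whether at least one grant was removed
     */
    public boolean revokeAccess(String zimbraId) {
        if (this.mGrants.isEmpty()) {
            return false;
        }
        int sizeBefore = this.mGrants.size();
        // Safe to remove inside the loop: the iterator walks a copy-on-write snapshot.
        for (Grant grant : this.mGrants) {
            if (grant.isGrantee(zimbraId)) {
                this.mGrants.remove(grant);
            }
        }
        return this.mGrants.size() != sizeBefore;
    }

    public void setGuestGrantExpiry(long expiry) {
        this.mGuestGrantExpiry = expiry;
    }

    public void setInternalGrantExpiry(long expiry) {
        this.mInternalGrantExpiry = expiry;
    }

    /** Encodes all grants and both ACL-wide expiries for persistence; grant secrets are included. */
    public Metadata encode() {
        Metadata metadata = new Metadata();
        MetadataList encodedGrants = new MetadataList();
        for (Grant grant : this.mGrants) {
            encodedGrants.add(grant.encode());
        }
        metadata.put(FN_GRANTS, encodedGrants);
        metadata.put(FN_INT_GRANT_EXPIRY, this.mInternalGrantExpiry);
        metadata.put(FN_GST_GRANT_EXPIRY, this.mGuestGrantExpiry);
        return metadata;
    }

    /**
     * Returns the string form of {@link #encode()}.
     * NOTE(review): the encoded form carries guest passwords and access keys, so this string
     * should not be written anywhere less protected than the ACL store itself.
     */
    @Override
    public String toString() {
        return encode().toString();
    }

    /** Returns a deep copy produced by an encode/decode round trip. */
    public ACL duplicate() {
        return new ACL(encode());
    }

    /**
     * Returns a read-only view of the grant list. The {@link Grant} objects themselves remain
     * mutable through their public setters.
     */
    public List<Grant> getGrants() {
        return Collections.unmodifiableList(this.mGrants);
    }

    /** Counts the grants whose grantee type equals {@code type}. */
    public int getNumberOfGrantsByType(byte type) {
        int count = 0;
        for (Grant grant : this.mGrants) {
            if (grant.getGranteeType() == type) {
                count++;
            }
        }
        return count;
    }

    /**
     * Parses a rights string such as {@code "rwid"} into a bitmask.
     *
     * <p>{@code 'c'} is accepted but sets no bit, because RIGHT_SUBFOLDER is derived rather than
     * granted. Any other unrecognised character is rejected. The set of rejected characters no
     * longer depends on an unrelated schema-version constant as a case label.
     *
     * @param encoded rights abbreviations; {@code null} or empty yields 0
     * @throws ServiceException INVALID_REQUEST on an unknown abbreviation
     */
    public static short stringToRights(String encoded) throws ServiceException {
        short rights = 0;
        if (encoded == null || encoded.length() == 0) {
            return rights;
        }
        for (int i = 0; i < encoded.length(); i++) {
            char abbr = encoded.charAt(i);
            switch (abbr) {
                case ABBR_READ:
                    rights = (short) (rights | RIGHT_READ);
                    break;
                case ABBR_WRITE:
                    rights = (short) (rights | RIGHT_WRITE);
                    break;
                case ABBR_INSERT:
                    rights = (short) (rights | RIGHT_INSERT);
                    break;
                case ABBR_DELETE:
                    rights = (short) (rights | RIGHT_DELETE);
                    break;
                case ABBR_ACTION:
                    rights = (short) (rights | RIGHT_ACTION);
                    break;
                case ABBR_ADMIN:
                    rights = (short) (rights | RIGHT_ADMIN);
                    break;
                case ABBR_PRIVATE:
                    rights = (short) (rights | RIGHT_PRIVATE);
                    break;
                case ABBR_FREEBUSY:
                    rights = (short) (rights | RIGHT_FREEBUSY);
                    break;
                case ABBR_CREATE_FOLDER:
                    // Tolerated on input; the subfolder right is computed, never stored.
                    break;
                default:
                    throw ServiceException.INVALID_REQUEST("unknown right: " + abbr, (Throwable) null);
            }
        }
        return rights;
    }

    /**
     * Formats a rights bitmask as abbreviations in the fixed order {@code r w i d x a p f c}.
     *
     * @return the abbreviation string, empty when no known bit is set
     */
    public static String rightsToString(short rights) {
        if (rights == 0) {
            return "";
        }
        StringBuilder encoded = new StringBuilder();
        if ((rights & RIGHT_READ) != 0) {
            encoded.append(ABBR_READ);
        }
        if ((rights & RIGHT_WRITE) != 0) {
            encoded.append(ABBR_WRITE);
        }
        if ((rights & RIGHT_INSERT) != 0) {
            encoded.append(ABBR_INSERT);
        }
        if ((rights & RIGHT_DELETE) != 0) {
            encoded.append(ABBR_DELETE);
        }
        if ((rights & RIGHT_ACTION) != 0) {
            encoded.append(ABBR_ACTION);
        }
        if ((rights & RIGHT_ADMIN) != 0) {
            encoded.append(ABBR_ADMIN);
        }
        if ((rights & RIGHT_PRIVATE) != 0) {
            encoded.append(ABBR_PRIVATE);
        }
        if ((rights & RIGHT_FREEBUSY) != 0) {
            encoded.append(ABBR_FREEBUSY);
        }
        if ((rights & RIGHT_SUBFOLDER) != 0) {
            encoded.append(ABBR_CREATE_FOLDER);
        }
        return encoded.toString();
    }

    /**
     * Parses a grantee type name (case-insensitive).
     *
     * @throws ServiceException INVALID_REQUEST for an unknown or {@code null} name
     */
    public static byte stringToType(String typeName) throws ServiceException {
        // Reject null as a bad request instead of failing with a NullPointerException.
        if (typeName != null) {
            if (typeName.equalsIgnoreCase("usr")) {
                return GRANTEE_USER;
            }
            if (typeName.equalsIgnoreCase("grp")) {
                return GRANTEE_GROUP;
            }
            if (typeName.equalsIgnoreCase("cos")) {
                return GRANTEE_COS;
            }
            if (typeName.equalsIgnoreCase("dom")) {
                return GRANTEE_DOMAIN;
            }
            if (typeName.equalsIgnoreCase("all")) {
                return GRANTEE_AUTHUSER;
            }
            if (typeName.equalsIgnoreCase("pub")) {
                return GRANTEE_PUBLIC;
            }
            if (typeName.equalsIgnoreCase("guest")) {
                return GRANTEE_GUEST;
            }
            if (typeName.equalsIgnoreCase("key")) {
                return GRANTEE_KEY;
            }
        }
        throw ServiceException.INVALID_REQUEST("unknown grantee type: " + typeName, (Throwable) null);
    }

    /** Returns the type name for a {@code GRANTEE_*} constant, or {@code null} if unknown. */
    public static String typeToString(byte type) {
        switch (type) {
            case GRANTEE_USER:
                return "usr";
            case GRANTEE_GROUP:
                return "grp";
            case GRANTEE_PUBLIC:
                return "pub";
            case GRANTEE_AUTHUSER:
                return "all";
            case GRANTEE_COS:
                return "cos";
            case GRANTEE_DOMAIN:
                return "dom";
            case GRANTEE_GUEST:
                return "guest";
            case GRANTEE_KEY:
                return "key";
            default:
                return null;
        }
    }

    /**
     * Generates a fresh access key: {@link #ACCESSKEY_SIZE_BYTES} bytes from
     * {@link SecureRandom}, hex-encoded.
     */
    public static String generateAccessKey() {
        byte[] keyBytes = new byte[ACCESSKEY_SIZE_BYTES];
        new SecureRandom().nextBytes(keyBytes);
        return new String(Hex.encodeHex(keyBytes));
    }
}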
