package com.zimbra.cs.service.admin;

import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Alias;
import com.zimbra.cs.account.AttributeClass;
import com.zimbra.cs.account.AttributeManager;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.CalendarResource;
import com.zimbra.cs.account.Cos;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.DynamicGroup;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.MailTarget;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.ACLAccessManager;
import com.zimbra.cs.account.accesscontrol.AccessControlUtil;
import com.zimbra.cs.account.accesscontrol.AdminRight;
import com.zimbra.cs.account.accesscontrol.AttrRight;
import com.zimbra.cs.account.accesscontrol.GlobalAccessManager;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.HardRules;
import com.zimbra.cs.account.accesscontrol.PseudoTarget;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.account.names.NameUtil;
import com.zimbra.cs.service.admin.AdminRightCheckPoint;
import com.zimbra.soap.DocumentHandler;
import com.zimbra.soap.ZimbraSoapContext;
import com.zimbra.soap.admin.type.GranteeSelector;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl.class */
public abstract class AdminAccessControl {
    protected AccessManager mAccessMgr;
    protected ZimbraSoapContext mZsc;
    protected Account mAuthedAcct;
    protected AuthToken mAuthToken;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$ACLAccessControl.class */
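    /**
     * {@link AdminAccessControl} implementation that delegates each decision to the
     * {@link AccessManager} held in {@code mAccessMgr}, evaluated for {@code mAuthedAcct}.
     *
     * <p>Most checks take the needed right as an untyped {@code Object}; the shapes that are
     * understood are listed on {@code doCheckRight}. Every access-manager call passes a trailing
     * {@code true}; presumably that is the "as admin" flag (TODO confirm against AccessManager).
     */
    public static class ACLAccessControl extends AdminAccessControl {
        private ACLAccessControl(AccessManager accessManager, ZimbraSoapContext zimbraSoapContext, AuthToken authToken, Account account) {
            super(accessManager, zimbraSoapContext, authToken, account);
        }

        /**
         * Coarse gate for admin SOAP requests: true when the auth token is an admin or a
         * delegated-admin token. Neither argument is consulted.
         */
        @Override
        public boolean isSufficientAdminForSoap(Map<String, Object> map, DocumentHandler documentHandler) {
            return this.mAuthToken.isAdmin() || this.mAuthToken.isDelegatedAdmin();
        }

        /** Same token test as {@link #isSufficientAdminForSoap}: admin or delegated admin. */
        @Override
        public boolean isSufficientAdminForZimletFilterServlet() {
            return this.mAuthToken.isAdmin() || this.mAuthToken.isDelegatedAdmin();
        }

        /**
         * Not supported by this implementation.
         *
         * @throws ServiceException always, as FAILURE("internal error")
         */
        @Override
        public void checkModifyAttrs(AttributeClass attributeClass, Map<String, Object> map) throws ServiceException {
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }

        /**
         * Verifies that the authenticated account may set {@code map} on an entry being created.
         *
         * @throws ServiceException PERM_DENIED when the access manager refuses
         */
        @Override
        public void checkSetAttrsOnCreate(TargetType targetType, String str, Map<String, Object> map) throws ServiceException {
            boolean allowed = this.mAccessMgr.canSetAttrsOnCreate(this.mAuthedAcct, targetType, str, map, true);
            if (!allowed) {
                throw ServiceException.PERM_DENIED("cannot set attrs");
            }
        }

        /**
         * Decides whether {@code namedEntry} may appear in a listing.
         *
         * <p>The list right is checked first; when {@code obj} is non-null it is checked as a
         * second right. An empty attribute {@code Set} is treated as "nothing valid was requested"
         * and the entry is skipped.
         *
         * @return true to include the entry, false to skip it (a warning is logged)
         * @throws ServiceException any failure other than PERM_DENIED
         */
        @Override
        public boolean hasRightsToList(NamedEntry namedEntry, AdminRight adminRight, Object obj) throws ServiceException {
            try {
                checkRight(namedEntry, adminRight);
                if (obj == null) {
                    return true;
                }
                if ((obj instanceof Set) && ((Set<?>) obj).isEmpty()) {
                    ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + namedEntry.getName() + ": non of the requested attrs is valid on the entry");
                    return false;
                }
                checkRight(namedEntry, obj);
                return true;
            } catch (ServiceException e) {
                // Only a denial is downgraded to "skip this entry"; backend errors still propagate.
                if (!"service.PERM_DENIED".equals(e.getCode())) {
                    throw e;
                }
                ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + namedEntry.getName() + ": " + e.getMessage());
                return false;
            }
        }

        /** Delegates to {@link #hasRightsToList}; a COS gets no special treatment here. */
        @Override
        public boolean hasRightsToListCos(Cos cos, AdminRight adminRight, Object obj) throws ServiceException {
            return hasRightsToList(cos, adminRight, obj);
        }

        /**
         * Checks {@code obj} on {@code entry}; a null entry is replaced by the global grant entry.
         *
         * @throws ServiceException PERM_DENIED when the right is not held
         */
        @Override
        public void checkRight(Entry entry, Object obj) throws ServiceException {
            if (entry == null) {
                entry = Provisioning.getInstance().getGlobalGrant();
            }
            if (!doCheckRight(entry, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(entry, obj));
            }
        }

        /** Non-throwing variant of {@link #checkRight}; a null entry means the global grant. */
        @Override
        public boolean hasRight(Entry entry, Object obj) throws ServiceException {
            if (entry == null) {
                entry = Provisioning.getInstance().getGlobalGrant();
            }
            return doCheckRight(entry, obj);
        }

        /**
         * Checks {@code obj} on a COS. Unlike {@link #checkRight}, a null COS is not replaced.
         *
         * @throws ServiceException PERM_DENIED when the right is not held
         */
        @Override
        public void checkCosRight(Cos cos, Object obj) throws ServiceException {
            if (!doCheckRight(cos, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(cos, obj));
            }
        }

        /**
         * Checks {@code obj} on an account after {@code soapOnly()} and {@code checkDomainStatus()}.
         *
         * <p>{@code canAccessAccountCommon} is tri-state: a non-null answer is final, and only
         * {@code null} falls through to the ACL evaluation.
         *
         * @throws ServiceException PERM_DENIED when access is refused
         */
        @Override
        public void checkAccountRight(AdminDocumentHandler adminDocumentHandler, Account account, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(account);
            Boolean common = adminDocumentHandler.canAccessAccountCommon(this.mZsc, account, false);
            boolean allowed = (common != null) ? common.booleanValue() : doCheckRight(account, obj);
            if (!allowed) {
                throw ServiceException.PERM_DENIED(printNeededRight(account, obj));
            }
        }

        /** Same procedure as {@link #checkAccountRight}, applied to a calendar resource. */
        @Override
        public void checkCalendarResourceRight(AdminDocumentHandler adminDocumentHandler, CalendarResource calendarResource, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(calendarResource);
            Boolean common = adminDocumentHandler.canAccessAccountCommon(this.mZsc, calendarResource, false);
            boolean allowed = (common != null) ? common.booleanValue() : doCheckRight(calendarResource, obj);
            if (!allowed) {
                throw ServiceException.PERM_DENIED(printNeededRight(calendarResource, obj));
            }
        }

        /**
         * Checks {@code obj} on a distribution list after {@code soapOnly()} and
         * {@code checkDomainStatus()}.
         *
         * @throws ServiceException PERM_DENIED when the right is not held
         */
        @Override
        public void checkDistributionListRight(AdminDocumentHandler adminDocumentHandler, DistributionList distributionList, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(distributionList);
            if (!doCheckRight(distributionList, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(distributionList, obj));
            }
        }

        /** Same procedure as {@link #checkDistributionListRight}, applied to a dynamic group. */
        @Override
        public void checkDynamicGroupRight(AdminDocumentHandler adminDocumentHandler, DynamicGroup dynamicGroup, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(dynamicGroup);
            if (!doCheckRight(dynamicGroup, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(dynamicGroup, obj));
            }
        }

        /**
         * Resolves the domain part of {@code str} and checks {@code adminRight} on that domain.
         *
         * @throws ServiceException NO_SUCH_DOMAIN when the domain does not exist, PERM_DENIED when
         *     the right is not held
         */
        @Override
        public void checkDomainRightByEmail(AdminDocumentHandler adminDocumentHandler, String str, AdminRight adminRight) throws ServiceException {
            soapOnly();
            String domainNameFromEmail = NameUtil.EmailAddress.getDomainNameFromEmail(str);
            Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainNameFromEmail);
            if (domain == null) {
                // NOTE(review): the lookup happens before the right check, so the error code
                // differs between "domain missing" and "right missing" for a caller who holds no
                // right on the domain. Confirm that is acceptable for delegated admins.
                throw AccountServiceException.NO_SUCH_DOMAIN(domainNameFromEmail);
            }
            checkDomainStatus(domain);
            if (!doCheckRight(domain, adminRight)) {
                throw ServiceException.PERM_DENIED(printNeededRight(domain, adminRight));
            }
        }

        /**
         * Looks the domain up by name and checks {@code obj} on it.
         *
         * <p>A missing domain is reported as PERM_DENIED rather than NO_SUCH_DOMAIN.
         * NOTE(review): unlike {@link #checkDomainRightByEmail}, {@code checkDomainStatus()} is
         * not called here; confirm that is intended.
         *
         * @throws ServiceException PERM_DENIED when the domain is missing or the right is not held
         */
        @Override
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, String str, Object obj) throws ServiceException {
            soapOnly();
            Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, str);
            if (domain == null) {
                throw ServiceException.PERM_DENIED("no such domain: " + str);
            }
            if (!doCheckRight(domain, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(domain, obj));
            }
        }

        /**
         * Checks {@code obj} on an already-resolved domain.
         *
         * @throws ServiceException PERM_DENIED when the right is not held
         */
        @Override
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, Domain domain, Object obj) throws ServiceException {
            soapOnly();
            if (!doCheckRight(domain, obj)) {
                throw ServiceException.PERM_DENIED(printNeededRight(domain, obj));
            }
        }

        /**
         * Builds a per-attribute read checker for {@code entry}.
         *
         * <p>The only constructor {@code AttributeRightChecker} declares takes the owning access
         * control as its first argument, so {@code this} is passed explicitly.
         */
        @Override
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry) throws ServiceException {
            return new AttributeRightChecker(this, entry);
        }

        /**
         * Like {@link #getAttrRightChecker(Entry)}, except that a PERM_DENIED caused by one of the
         * hard rules in {@code set} yields a checker that denies every attribute instead of an
         * exception.
         *
         * @param set hard rules whose violation should degrade to deny-all; a null set ignores none
         * @throws ServiceException the original failure in every other case
         */
        @Override
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry, Set<HardRules.HardRule> set) throws ServiceException {
            try {
                return getAttrRightChecker(entry);
            } catch (ServiceException e) {
                // The null guard keeps a missing rule set from masking the denial with an NPE.
                if (set != null && "service.PERM_DENIED".equals(e.getCode()) && set.contains(HardRules.HardRule.ruleVolated(e))) {
                    return new AccessManager.AttrRightChecker() {
                        @Override
                        public boolean allowAttr(String str) {
                            return false;
                        }
                    };
                }
                throw e;
            }
        }

        /**
         * Evaluates one needed right on {@code entry} for the authenticated account.
         *
         * <p>Accepted shapes of {@code obj}:
         * <ul>
         *   <li>{@link AdminRight}: preset rights go to {@code canDo}; attr rights go to
         *       {@code canGetAttrs} or {@code canSetAttrs} according to their right type;</li>
         *   <li>{@code Set<String>}: attribute names to read;</li>
         *   <li>{@code Map<String, Object>}: attributes to write;</li>
         *   <li>{@link DynamicAttrsRight}: evaluates itself.</li>
         * </ul>
         *
         * @throws ServiceException FAILURE("internal error") for any other shape, or for an
         *     AdminRight that is neither preset nor a get/set attr right
         */
        @SuppressWarnings("unchecked") // element types of the Set/Map cannot be verified at runtime
        private boolean doCheckRight(Entry entry, Object obj) throws ServiceException {
            if (!(obj instanceof AdminRight)) {
                if (obj instanceof Set) {
                    return this.mAccessMgr.canGetAttrs(this.mAuthedAcct, entry, (Set<String>) obj, true);
                }
                if (obj instanceof Map) {
                    return this.mAccessMgr.canSetAttrs(this.mAuthedAcct, entry, (Map<String, Object>) obj, true);
                }
                if (obj instanceof DynamicAttrsRight) {
                    return ((DynamicAttrsRight) obj).checkRight(this.mAccessMgr, this.mAuthedAcct, entry);
                }
                throw ServiceException.FAILURE("internal error", (Throwable) null);
            }
            AdminRight adminRight = (AdminRight) obj;
            if (adminRight.isPresetRight()) {
                return this.mAccessMgr.canDo((MailTarget) this.mAuthedAcct, entry, (Right) obj, true, (AccessManager.ViaGrant) null);
            }
            if (adminRight.isAttrRight()) {
                if (adminRight.getRightType() == Right.RightType.getAttrs) {
                    return this.mAccessMgr.canGetAttrs(this.mAuthedAcct, entry, ((AttrRight) obj).getAttrs(), true);
                }
                if (adminRight.getRightType() == Right.RightType.setAttrs) {
                    return this.mAccessMgr.canSetAttrs(this.mAuthedAcct, entry, ((AttrRight) obj).getAttrs(), true);
                }
            }
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }

        /**
         * Builds the PERM_DENIED message for a right that was refused.
         *
         * <p>{@link DynamicAttrsRight} is handled here because {@code doCheckRight} accepts it;
         * without this branch a refused dynamic right would surface as FAILURE("internal error")
         * instead of PERM_DENIED, and listing code that skips entries only on PERM_DENIED would
         * abort.
         *
         * @throws ServiceException FAILURE("internal error") for a shape doCheckRight does not accept
         */
        private String printNeededRight(Entry entry, Object obj) throws ServiceException {
            if ((obj instanceof AdminRight) && AdminRight.PR_SYSTEM_ADMIN_ONLY == ((AdminRight) obj)) {
                return AdminRightCheckPoint.Notes.SYSTEM_ADMINS_ONLY;
            }
            String targetInfo;
            if (PseudoTarget.isPseudoEntry(entry)) {
                targetInfo = "";
            } else if (entry instanceof Alias) {
                targetInfo = " for alias " + entry.getLabel();
            } else {
                targetInfo = " for " + TargetType.getTargetType(entry).name() + " " + entry.getLabel();
            }
            if (obj instanceof AdminRight) {
                return "need right: " + ((AdminRight) obj).getName() + targetInfo;
            }
            if (obj instanceof Set) {
                return "cannot get attrs on " + targetInfo;
            }
            if (obj instanceof Map) {
                return "cannot set attrs on " + targetInfo;
            }
            if (obj instanceof DynamicAttrsRight) {
                return "insufficient rights on attrs" + targetInfo;
            }
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }
    }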

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$AttributeRightChecker.class */
    /**
     * Per-attribute read checker bound to one target entry. The wrapped checker is obtained once,
     * at construction, from the owning access control's {@code AccessManager}.
     */
    public static class AttributeRightChecker implements AccessManager.AttrRightChecker {
        private final AccessManager.AttrRightChecker mRightChecker;

        /**
         * @param adminAccessControl supplies the access manager and the authenticated account
         * @param entry target whose attributes will be tested
         * @throws ServiceException when the access manager cannot build the checker
         */
        private AttributeRightChecker(AdminAccessControl adminAccessControl, Entry entry) throws ServiceException {
            AccessManager accessMgr = adminAccessControl.mAccessMgr;
            Account authedAcct = adminAccessControl.mAuthedAcct;
            mRightChecker = accessMgr.getGetAttrsChecker(authedAcct, entry, true);
        }

        /** Forwards the question to the checker obtained at construction. */
        @Override
        public boolean allowAttr(String str) {
            return mRightChecker.allowAttr(str);
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$BulkRightChecker.class */
    /**
     * Base class for right checks applied to many entries in one operation.
     *
     * <p>With an {@link ACLAccessControl}, the grantee's effective rights are fetched once and
     * reused for every entry this instance checks, so grants changed while the checker is alive
     * are not reflected. With any other access control each entry goes through
     * {@code checkRight}.
     */
    public static abstract class BulkRightChecker implements NamedEntry.CheckRight {
        protected AdminAccessControl mAC;
        protected Provisioning mProv;
        // Filled on the first ACL-backed check, then reused.
        RightCommand.AllEffectiveRights mAllEffRights;
        // Per right: hard rules whose violation must not cause an entry to be skipped.
        private Map<Right, Set<HardRules.HardRule>> mIgnoreHardRules;

        /**
         * @param adminAccessControl access control of the authenticated admin
         * @param provisioning provisioning instance to use; null selects the singleton
         */
        public BulkRightChecker(AdminAccessControl adminAccessControl, Provisioning provisioning) throws ServiceException {
            mAC = adminAccessControl;
            if (provisioning != null) {
                mProv = provisioning;
            } else {
                mProv = Provisioning.getInstance();
            }
        }

        /** Registers, per right, the hard rules whose violation is tolerated in bulk checks. */
        protected void setIgnoreHardRules(Map<Right, Set<HardRules.HardRule>> map) throws ServiceException {
            mIgnoreHardRules = map;
        }

        /** True when {@code AccessControlUtil.isGlobalAdmin} accepts the authenticated account. */
        protected boolean allowAll() {
            Account authed = mAC.mAuthedAcct;
            return AccessControlUtil.isGlobalAdmin(authed, true);
        }

        /** Picks the bulk path for ACL-based access control and the per-entry path otherwise. */
        protected boolean hasRight(NamedEntry namedEntry, AdminRight adminRight) throws ServiceException {
            if (mAC instanceof ACLAccessControl) {
                return hasRightImplBulk(namedEntry, adminRight);
            }
            return hasRightImplBulkDefault(namedEntry, adminRight);
        }

        /**
         * Per-entry path: any {@code ServiceException} from {@code checkRight} counts as "no right".
         * NOTE(review): that includes failures other than PERM_DENIED, and nothing is logged, so a
         * backend error is indistinguishable from a denial here.
         */
        private boolean hasRightImplBulkDefault(NamedEntry namedEntry, AdminRight adminRight) throws ServiceException {
            boolean granted;
            try {
                mAC.checkRight(namedEntry, adminRight);
                granted = true;
            } catch (ServiceException refused) {
                granted = false;
            }
            return granted;
        }

        /**
         * Bulk path: hard rules first, then the cached effective rights.
         *
         * <p>Lookup order within the rights for the right's target type: an aggregation naming
         * the entry, then (for domained target types) one naming the entry's domain, then the
         * "all" bucket.
         *
         * @throws ServiceException a hard-rule failure other than PERM_DENIED, or a provisioning error
         */
        private boolean hasRightImplBulk(NamedEntry namedEntry, AdminRight adminRight) throws ServiceException {
            try {
                Boolean hardVerdict = HardRules.checkHardRules(mAC.mAuthedAcct, true, namedEntry, adminRight);
                if (hardVerdict != null) {
                    // A hard rule settled the question; grants are not consulted.
                    return hardVerdict.booleanValue();
                }
            } catch (ServiceException denied) {
                if (!"service.PERM_DENIED".equals(denied.getCode())) {
                    throw denied;
                }
                Set<HardRules.HardRule> tolerated = (mIgnoreHardRules == null) ? null : mIgnoreHardRules.get(adminRight);
                boolean ruleIgnored = tolerated != null && tolerated.contains(HardRules.HardRule.ruleVolated(denied));
                if (ruleIgnored) {
                    ZimbraLog.acl.debug(getClass().getName() + ": not skipping entry " + namedEntry.getName() + ": " + denied.getMessage());
                } else {
                    ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + namedEntry.getName() + ": " + denied.getMessage());
                    return false;
                }
            }

            if (mAllEffRights == null) {
                mAllEffRights = mProv.getAllEffectiveRights(GranteeType.GT_USER.getCode(), GranteeSelector.GranteeBy.id, mAC.mAuthedAcct.getId(), false, false);
            }
            RightCommand.RightsByTargetType byType = mAllEffRights.rightsByTargetType().get(adminRight.getTargetType());
            if (byType == null || byType.hasNoRight()) {
                return false;
            }

            String entryName = namedEntry.getName();
            for (RightCommand.RightAggregation perEntry : byType.entries()) {
                if (perEntry.entries().contains(entryName)) {
                    return hasRightBulk(perEntry.effectiveRights(), namedEntry, adminRight);
                }
            }

            String domainName = TargetType.getTargetDomainName(mProv, namedEntry);
            if (domainName != null && (byType instanceof RightCommand.DomainedRightsByTargetType)) {
                RightCommand.DomainedRightsByTargetType domained = (RightCommand.DomainedRightsByTargetType) byType;
                for (RightCommand.RightAggregation perDomain : domained.domains()) {
                    if (perDomain.entries().contains(domainName)) {
                        return hasRightBulk(perDomain.effectiveRights(), namedEntry, adminRight);
                    }
                }
            }

            return hasRightBulk(byType.all(), namedEntry, adminRight);
        }

        /**
         * True only when {@code effectiveRights} lists the right, by name, among its preset
         * rights. A missing rights object or a missing preset list yields false.
         */
        private boolean hasRightBulk(RightCommand.EffectiveRights effectiveRights, NamedEntry namedEntry, AdminRight adminRight) {
            if (effectiveRights == null) {
                return false;
            }
            List<String> presets = effectiveRights.presetRights();
            return presets != null && presets.contains(adminRight.getName());
        }

        /** Decides whether {@code namedEntry} passes this checker. */
        @Override
        public abstract boolean allow(NamedEntry namedEntry) throws ServiceException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$DomainAccessControl.class */
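    /**
     * {@link AdminAccessControl} implementation for the domain-admin model: decisions come from
     * the auth token, the handler's {@code canAccess*} helpers and the attribute manager's
     * "domain admin modifiable" flag.
     *
     * <p>Several overrides in this class perform no check at all ({@link #checkRight},
     * {@link #checkSetAttrsOnCreate}, {@link #hasRightsToList}) and the attr-right-checker
     * getters return null. Callers must not read a normal return from those as an authorization
     * decision; presumably enforcement for this model happens elsewhere (TODO confirm).
     */
    public static class DomainAccessControl extends AdminAccessControl {
        private DomainAccessControl(AccessManager accessManager, ZimbraSoapContext zimbraSoapContext, AuthToken authToken, Account account) {
            super(accessManager, zimbraSoapContext, authToken, account);
        }

        /**
         * Coarse gate for admin SOAP requests: full admins always pass; a domain admin passes only
         * when the handler reports that domain-level auth is sufficient for this request.
         */
        @Override
        public boolean isSufficientAdminForSoap(Map<String, Object> map, DocumentHandler documentHandler) {
            if (this.mAuthToken.isAdmin()) {
                return true;
            }
            return documentHandler.domainAuthSufficient(map) && this.mAuthToken.isDomainAdmin();
        }

        /** True when the auth token is an admin or a domain-admin token. */
        @Override
        public boolean isSufficientAdminForZimletFilterServlet() {
            return this.mAuthToken.isAdmin() || this.mAuthToken.isDomainAdmin();
        }

        /**
         * Rejects the modification unless every attribute in {@code map} is domain-admin
         * modifiable for {@code attributeClass}.
         *
         * <p>A leading {@code '+'} or {@code '-'} on a key is stripped before the lookup. A key
         * that is empty, or empty after stripping, is denied outright: the previous
         * {@code charAt(0)} test threw {@code StringIndexOutOfBoundsException} on an empty key,
         * which surfaced as an unchecked error instead of a PERM_DENIED.
         *
         * @throws ServiceException PERM_DENIED naming the first attribute that is not allowed
         */
        @Override
        public void checkModifyAttrs(AttributeClass attributeClass, Map<String, Object> map) throws ServiceException {
            for (String key : map.keySet()) {
                // startsWith is safe on an empty key, unlike charAt(0).
                String attrName = (key.startsWith("+") || key.startsWith("-")) ? key.substring(1) : key;
                if (attrName.isEmpty() || !AttributeManager.getInstance().isDomainAdminModifiable(attrName, attributeClass)) {
                    throw ServiceException.PERM_DENIED("can not modify attr: " + attrName);
                }
            }
        }

        /** Performs no check in this implementation. */
        @Override
        public void checkSetAttrsOnCreate(TargetType targetType, String str, Map<String, Object> map) throws ServiceException {
        }

        /** Always true in this implementation; the arguments are not consulted. */
        @Override
        public boolean hasRightsToList(NamedEntry namedEntry, AdminRight adminRight, Object obj) throws ServiceException {
            return true;
        }

        /**
         * A domain-only admin may list the COS only if {@code canAccessCos} allows it; any other
         * caller gets true.
         */
        @Override
        public boolean hasRightsToListCos(Cos cos, AdminRight adminRight, Object obj) throws ServiceException {
            return !isDomainAdminOnly() || this.mAccessMgr.canAccessCos(this.mAuthToken, cos);
        }

        /**
         * Always false in this implementation.
         * NOTE(review): {@link #checkRight} on the same arguments never throws, so the two
         * methods disagree; callers should not treat them as interchangeable.
         */
        @Override
        public boolean hasRight(Entry entry, Object obj) throws ServiceException {
            return false;
        }

        /** Performs no check in this implementation; it never throws. */
        @Override
        public void checkRight(Entry entry, Object obj) throws ServiceException {
        }

        /**
         * @throws ServiceException PERM_DENIED when a domain-only admin cannot access the COS
         */
        @Override
        public void checkCosRight(Cos cos, Object obj) throws ServiceException {
            if (isDomainAdminOnly() && !this.mAccessMgr.canAccessCos(this.mAuthToken, cos)) {
                throw ServiceException.PERM_DENIED("can not access cos");
            }
        }

        /**
         * Requires {@code canAccessAccount}; for a domain-only admin a {@code Map} of attributes
         * is additionally run through {@link #checkModifyAttrs}. Other shapes of {@code obj} are
         * not examined.
         *
         * @throws ServiceException PERM_DENIED when access or a modification is refused
         */
        @Override
        @SuppressWarnings("unchecked") // the Map's key/value types cannot be verified at runtime
        public void checkAccountRight(AdminDocumentHandler adminDocumentHandler, Account account, Object obj) throws ServiceException {
            soapOnly();
            if (!adminDocumentHandler.canAccessAccount(this.mZsc, account)) {
                throw ServiceException.PERM_DENIED("can not access account");
            }
            if (isDomainAdminOnly() && (obj instanceof Map)) {
                checkModifyAttrs(AttributeClass.account, (Map<String, Object>) obj);
            }
        }

        /** Same procedure as {@link #checkAccountRight}, with the calendar-resource attribute class. */
        @Override
        @SuppressWarnings("unchecked") // the Map's key/value types cannot be verified at runtime
        public void checkCalendarResourceRight(AdminDocumentHandler adminDocumentHandler, CalendarResource calendarResource, Object obj) throws ServiceException {
            soapOnly();
            if (!adminDocumentHandler.canAccessAccount(this.mZsc, calendarResource)) {
                throw ServiceException.PERM_DENIED("can not access calendar resource");
            }
            if (isDomainAdminOnly() && (obj instanceof Map)) {
                checkModifyAttrs(AttributeClass.calendarResource, (Map<String, Object>) obj);
            }
        }

        /**
         * Requires {@code canAccessEmail} on the list's name. {@code obj} is not examined, so no
         * per-attribute restriction is applied here.
         *
         * @throws ServiceException PERM_DENIED when access is refused
         */
        @Override
        public void checkDistributionListRight(AdminDocumentHandler adminDocumentHandler, DistributionList distributionList, Object obj) throws ServiceException {
            soapOnly();
            if (!adminDocumentHandler.canAccessEmail(this.mZsc, distributionList.getName())) {
                throw ServiceException.PERM_DENIED("can not access dl");
            }
        }

        /** Same procedure as {@link #checkDistributionListRight}, applied to a dynamic group. */
        @Override
        public void checkDynamicGroupRight(AdminDocumentHandler adminDocumentHandler, DynamicGroup dynamicGroup, Object obj) throws ServiceException {
            soapOnly();
            if (!adminDocumentHandler.canAccessEmail(this.mZsc, dynamicGroup.getName())) {
                throw ServiceException.PERM_DENIED("can not access group");
            }
        }

        /**
         * Requires {@code canAccessEmail} on the address; {@code adminRight} is not examined.
         *
         * @throws ServiceException PERM_DENIED when access is refused
         */
        @Override
        public void checkDomainRightByEmail(AdminDocumentHandler adminDocumentHandler, String str, AdminRight adminRight) throws ServiceException {
            soapOnly();
            if (!adminDocumentHandler.canAccessEmail(this.mZsc, str)) {
                throw ServiceException.PERM_DENIED("can not access email:" + str);
            }
        }

        /**
         * For a domain-only admin: requires {@code canAccessDomain} and runs a {@code Map} of
         * attributes through {@link #checkModifyAttrs}. For any other caller nothing is checked.
         *
         * @throws ServiceException PERM_DENIED when access or a modification is refused
         */
        @Override
        @SuppressWarnings("unchecked") // the Map's key/value types cannot be verified at runtime
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, String str, Object obj) throws ServiceException {
            soapOnly();
            if (isDomainAdminOnly()) {
                if (!adminDocumentHandler.canAccessDomain(this.mZsc, str)) {
                    throw ServiceException.PERM_DENIED("can not access domain");
                }
                if (obj instanceof Map) {
                    checkModifyAttrs(AttributeClass.domain, (Map<String, Object>) obj);
                }
            }
        }

        /** Delegates to the by-name overload using the domain's name. */
        @Override
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, Domain domain, Object obj) throws ServiceException {
            soapOnly();
            checkDomainRight(adminDocumentHandler, domain.getName(), obj);
        }

        /** Returns null in this implementation; callers must handle the missing checker. */
        @Override
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry) throws ServiceException {
            return null;
        }

        /** Returns null in this implementation; {@code set} is not consulted. */
        @Override
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry, Set<HardRules.HardRule> set) throws ServiceException {
            return null;
        }
    }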

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$DynamicAttrsRight.class */
    /**
     * A needed right that evaluates itself instead of being described by a fixed
     * {@code AdminRight}, attribute {@code Set} or attribute {@code Map}.
     */
    public static abstract class DynamicAttrsRight {
        /**
         * Evaluates this right.
         *
         * @param accessManager access manager to ask
         * @param account account the right is evaluated for
         * @param entry target entry
         * @return true when the right is held
         * @throws ServiceException when the evaluation itself fails
         */
        abstract boolean checkRight(AccessManager accessManager, Account account, Entry entry) throws ServiceException;
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$GetAttrsRight.class */
    /**
     * {@link DynamicAttrsRight} asking for read access to a set of attribute names that the
     * caller accumulates with {@link #addAttr}.
     */
    public static class GetAttrsRight extends DynamicAttrsRight {
        private final Set<String> mAttrs = new HashSet<>();

        /** Adds one attribute name to the set that will be checked. */
        public void addAttr(String str) {
            mAttrs.add(str);
        }

        /** Asks the access manager whether {@code account} may read every collected attribute on {@code entry}. */
        @Override
        boolean checkRight(AccessManager accessManager, Account account, Entry entry) throws ServiceException {
            Set<String> requested = mAttrs;
            return accessManager.canGetAttrs(account, entry, requested, true);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$GlobalAccessControl.class */
    public static class GlobalAccessControl extends AdminAccessControl {
        private GlobalAccessControl(AccessManager accessManager, ZimbraSoapContext zimbraSoapContext, AuthToken authToken, Account account) {
            super(accessManager, zimbraSoapContext, authToken, account);
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkAccountRight(AdminDocumentHandler adminDocumentHandler, Account account, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(account);
            Boolean canAccessAccountCommon = adminDocumentHandler.canAccessAccountCommon(this.mZsc, account, false);
            if (canAccessAccountCommon == null) {
                throwIfNotAllowed();
            } else if (!canAccessAccountCommon.booleanValue()) {
                throw ServiceException.PERM_DENIED("only global admin is allowed");
            }
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkCalendarResourceRight(AdminDocumentHandler adminDocumentHandler, CalendarResource calendarResource, Object obj) throws ServiceException {
            checkAccountRight(adminDocumentHandler, calendarResource, obj);
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkCosRight(Cos cos, Object obj) throws ServiceException {
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkDistributionListRight(AdminDocumentHandler adminDocumentHandler, DistributionList distributionList, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(distributionList);
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkDynamicGroupRight(AdminDocumentHandler adminDocumentHandler, DynamicGroup dynamicGroup, Object obj) throws ServiceException {
            soapOnly();
            checkDomainStatus(dynamicGroup);
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, String str, Object obj) throws ServiceException {
            soapOnly();
            if (Provisioning.getInstance().get(Key.DomainBy.name, str) == null) {
                throw ServiceException.PERM_DENIED("no such domain: " + str);
            }
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkDomainRight(AdminDocumentHandler adminDocumentHandler, Domain domain, Object obj) throws ServiceException {
            soapOnly();
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkDomainRightByEmail(AdminDocumentHandler adminDocumentHandler, String str, AdminRight adminRight) throws ServiceException {
            soapOnly();
            String domainNameFromEmail = NameUtil.EmailAddress.getDomainNameFromEmail(str);
            Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainNameFromEmail);
            if (domain == null) {
                throw AccountServiceException.NO_SUCH_DOMAIN(domainNameFromEmail);
            }
            checkDomainStatus(domain);
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkModifyAttrs(AttributeClass attributeClass, Map<String, Object> map) throws ServiceException {
            throwIfNotAllowed();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public boolean hasRight(Entry entry, Object obj) throws ServiceException {
            return doCheckRight();
        }

        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkRight(Entry entry, Object obj) throws ServiceException {
            throwIfNotAllowed();
        }

        /**
         * Authorises setting attributes while creating an entry.
         *
         * <p>Target type, entry name and attribute map are all ignored by this implementation.
         *
         * @throws ServiceException PERM_DENIED when the authenticated account fails the check
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public void checkSetAttrsOnCreate(TargetType targetType, String str, Map<String, Object> map) throws ServiceException {
            this.throwIfNotAllowed();
        }

        /**
         * Builds the attribute-level right checker for {@code entry}.
         *
         * <p>No permission check is made here; any enforcement happens inside the returned
         * {@code AttributeRightChecker}, which is defined outside this part of the file.
         *
         * @param entry target whose attributes will be checked
         * @return a new checker bound to {@code entry}
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry) throws ServiceException {
            final AccessManager.AttrRightChecker checker = new AttributeRightChecker(entry);
            return checker;
        }

        /**
         * Overload accepting a set of hard rules.
         *
         * <p>The {@code set} argument is discarded: this implementation delegates to the
         * single-argument overload, so the requested hard rules have no effect here.
         *
         * @param entry target whose attributes will be checked
         * @param set hard rules supplied by the caller; unused
         * @return the checker produced by {@code getAttrRightChecker(entry)}
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public AccessManager.AttrRightChecker getAttrRightChecker(Entry entry, Set<HardRules.HardRule> set) throws ServiceException {
            return this.getAttrRightChecker(entry);
        }

        /**
         * Reports whether the authenticated account may list {@code namedEntry}.
         *
         * <p>All three arguments are ignored; the answer is the target-independent result of
         * {@code doCheckRight()}.
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public boolean hasRightsToList(NamedEntry namedEntry, AdminRight adminRight, Object obj) throws ServiceException {
            final boolean mayList = doCheckRight();
            return mayList;
        }

        /**
         * Reports whether the authenticated account may list {@code cos}.
         *
         * <p>All three arguments are ignored; the answer is the target-independent result of
         * {@code doCheckRight()}.
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public boolean hasRightsToListCos(Cos cos, AdminRight adminRight, Object obj) throws ServiceException {
            final boolean mayList = doCheckRight();
            return mayList;
        }

        /**
         * Gate for admin SOAP requests.
         *
         * <p>Decided solely by the auth token's {@code isAdmin()} flag; the request context map
         * and the handler are not consulted, and the account itself is not re-checked here.
         *
         * @return the value of {@code mAuthToken.isAdmin()}
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public boolean isSufficientAdminForSoap(Map<String, Object> map, DocumentHandler documentHandler) {
            final boolean tokenIsAdmin = this.mAuthToken.isAdmin();
            return tokenIsAdmin;
        }

        /**
         * Gate for the zimlet filter servlet, decided solely by the auth token's
         * {@code isAdmin()} flag.
         *
         * @return the value of {@code mAuthToken.isAdmin()}
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl
        public boolean isSufficientAdminForZimletFilterServlet() {
            final boolean tokenIsAdmin = this.mAuthToken.isAdmin();
            return tokenIsAdmin;
        }

        /**
         * Converts a failed {@code doCheckRight()} into a PERM_DENIED exception.
         *
         * <p>This is the single enforcement point for every {@code check*} method of this
         * implementation that is visible here.
         *
         * @throws ServiceException PERM_DENIED when the check returns {@code false}
         */
        private void throwIfNotAllowed() throws ServiceException {
            if (doCheckRight()) {
                return;
            }
            throw ServiceException.PERM_DENIED("only global admin is allowed");
        }

        /**
         * Asks the access manager whether the authenticated account may act, passing neither a
         * target entry nor a right.
         *
         * <p>The casts on the {@code null} arguments only select the intended {@code canDo}
         * overload. NOTE(review): the final {@code true} is presumably the "as admin" flag;
         * confirm against {@code AccessManager.canDo}.
         *
         * @return the access manager's verdict
         */
        private boolean doCheckRight() {
            final MailTarget grantee = (MailTarget) this.mAuthedAcct;
            return this.mAccessMgr.canDo(grantee, (Entry) null, (Right) null, true);
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$SearchDirectoryRightChecker.class */
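    /**
     * Per-entry list-right filter for directory search results.
     *
     * <p>{@link #allow(NamedEntry)} fails closed: an entry whose type maps to no list right is
     * rejected, as is an alias whose domain cannot be resolved.
     */
    public static class SearchDirectoryRightChecker extends BulkRightChecker {
        /** Value of {@code allowAll()} captured once in the constructor; when true every entry is accepted. */
        protected boolean mAllowAll;

        /**
         * Creates the checker and registers the hard rules to ignore for account and
         * calendar-resource listing.
         *
         * @param adminAccessControl access control of the authenticated admin, passed to the superclass
         * @param provisioning directory handle, passed to the superclass
         * @param set not used by this constructor
         * @throws ServiceException if the superclass constructor or {@code allowAll()} fails
         */
        public SearchDirectoryRightChecker(AdminAccessControl adminAccessControl, Provisioning provisioning, Set<String> set) throws ServiceException {
            super(adminAccessControl, provisioning);
            // Raw map kept on purpose: the parameter type of setIgnoreHardRules is not visible here.
            HashMap newHashMap = Maps.newHashMap();
            // NOTE(review): presumably lets delegated admins see global-admin accounts in list
            // results while the rule still applies to other rights; confirm in BulkRightChecker.
            newHashMap.put(Rights.Admin.R_listAccount, EnumSet.of(HardRules.HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN));
            newHashMap.put(Rights.Admin.R_listCalendarResource, EnumSet.of(HardRules.HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN));
            setIgnoreHardRules(newHashMap);
            this.mAllowAll = allowAll();
        }

        /** Listing an alias without a target requires the system-admin-only pseudo right. Reached only from {@link #hasRightsToListAlias_old}. */
        private boolean hasRightsToListDanglingAlias(Alias alias) throws ServiceException {
            return this.mAC.hasRightsToList(alias, AdminRight.PR_SYSTEM_ADMIN_ONLY, null);
        }

        /** Earlier alias rule (decide by the alias target); no caller is visible in this class. */
        private boolean hasRightsToListAlias_old(Alias alias) throws ServiceException {
            NamedEntry target = alias.getTarget(this.mProv);
            return target == null ? hasRightsToListDanglingAlias(alias) : allow(target);
        }

        /**
         * Current alias rule: the caller needs {@code R_listAlias} on the alias's domain.
         *
         * @return {@code false} when the domain cannot be resolved (fail closed)
         */
        private boolean hasRightsToListAlias(Alias alias) throws ServiceException {
            Domain domain = this.mProv.getDomain(alias);
            if (domain == null) {
                return false;
            }
            return hasRight(domain, Rights.Admin.R_listAlias);
        }

        /**
         * Maps an entry type to the list right that guards it.
         *
         * @return the right to check, or {@code null} for a type with no mapping
         */
        private AdminRight needRight(NamedEntry namedEntry) throws ServiceException {
            // CalendarResource is tested before Account; presumably it is an Account subtype, in
            // which case swapping the two tests would select the wrong right. Keep the order.
            if (namedEntry instanceof CalendarResource) {
                return Rights.Admin.R_listCalendarResource;
            }
            if (namedEntry instanceof Account) {
                return Rights.Admin.R_listAccount;
            }
            if (namedEntry instanceof DistributionList) {
                return Rights.Admin.R_listDistributionList;
            }
            if (namedEntry instanceof DynamicGroup) {
                return Rights.Admin.R_listGroup;
            }
            if (namedEntry instanceof Domain) {
                return Rights.Admin.R_listDomain;
            }
            if (namedEntry instanceof Cos) {
                return Rights.Admin.R_listCos;
            }
            return null;
        }

        /**
         * Decides whether one search result may be shown to the authenticated admin.
         *
         * @param namedEntry candidate entry
         * @return {@code true} when {@code mAllowAll} is set or the matching list right is held;
         *         {@code false} for any entry type without a mapped right
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl.BulkRightChecker, com.zimbra.cs.account.NamedEntry.CheckRight
        public boolean allow(NamedEntry namedEntry) throws ServiceException {
            if (this.mAllowAll) {
                return true;
            }
            if (namedEntry instanceof Alias) {
                return hasRightsToListAlias((Alias) namedEntry);
            }
            AdminRight needRight = needRight(namedEntry);
            if (needRight != null) {
                return hasRight(namedEntry, needRight);
            }
            // Unknown entry type: deny rather than guess.
            return false;
        }

        /**
         * Returns, in input order, the entries the admin may list, stopping once {@code i}
         * entries have been collected.
         *
         * <p>The limit is tested before each entry is examined. The previous form tested it
         * only after adding, so a limit of zero or less could still return one entry.
         *
         * @param list candidate entries
         * @param i maximum number of entries to return; zero or less yields an empty list
         * @return a new list holding at most {@code i} permitted entries
         */
        public List<NamedEntry> getAllowed(List<NamedEntry> list, int i) throws ServiceException {
            List<NamedEntry> permitted = Lists.newArrayListWithExpectedSize(list.size());
            for (NamedEntry candidate : list) {
                if (permitted.size() >= i) {
                    break;
                }
                if (allow(candidate)) {
                    permitted.add(candidate);
                }
            }
            return permitted;
        }

        /**
         * Unlimited variant kept for old callers.
         *
         * @deprecated use {@link #getAllowed(List, int)} with an explicit limit
         */
        @Deprecated
        @SuppressWarnings({"rawtypes", "unchecked"}) // raw signature kept for source compatibility
        public List getAllowed(List list) throws ServiceException {
            return getAllowed(list, list.size());
        }
    }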

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$SetAttrsRight.class */
    /**
     * Dynamic right built from attribute names only: the caller must be allowed to set every
     * collected attribute on the target, whatever the new values are.
     */
    public static class SetAttrsRight extends DynamicAttrsRight {
        // Names of the attributes whose set-right will be checked.
        private final Set<String> mAttrs = new HashSet<>();

        /**
         * Adds one attribute name to the set to be checked.
         *
         * @param str attribute name
         */
        public void addAttr(String str) {
            mAttrs.add(str);
        }

        /**
         * Delegates to {@code AccessManager.canSetAttrs} with the collected names.
         *
         * <p>NOTE(review): the final {@code true} is presumably the "as admin" flag; confirm
         * against {@code AccessManager}.
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl.DynamicAttrsRight
        boolean checkRight(AccessManager accessManager, Account account, Entry entry) throws ServiceException {
            final Set<String> attrNames = this.mAttrs;
            return accessManager.canSetAttrs(account, entry, attrNames, true);
        }
    }

    /* loaded from: input_file:com/zimbra/cs/service/admin/AdminAccessControl$SetAttrsRightWithConstraintChecking.class */
    /**
     * Dynamic right built from attribute name/value pairs, so the access manager receives the
     * proposed values as well as the names.
     */
    public static class SetAttrsRightWithConstraintChecking extends DynamicAttrsRight {
        // Attribute name mapped to the value the caller wants to set.
        private final Map<String, Object> mAttrs = new HashMap<>();

        /**
         * Records one attribute and its proposed value; a repeated name overwrites the earlier value.
         *
         * @param str attribute name
         * @param obj proposed value
         */
        public void addAttr(String str, Object obj) {
            mAttrs.put(str, obj);
        }

        /**
         * Delegates to the map-taking {@code AccessManager.canSetAttrs} overload.
         *
         * <p>NOTE(review): the final {@code true} is presumably the "as admin" flag; confirm
         * against {@code AccessManager}.
         */
        @Override // com.zimbra.cs.service.admin.AdminAccessControl.DynamicAttrsRight
        boolean checkRight(AccessManager accessManager, Account account, Entry entry) throws ServiceException {
            final Map<String, Object> proposed = this.mAttrs;
            return accessManager.canSetAttrs(account, entry, proposed, true);
        }
    }

    /**
     * Builds the access-control object for a SOAP request, taking the auth token and the
     * authenticated account from the SOAP context.
     *
     * @param zimbraSoapContext context of the current SOAP request
     * @return the variant chosen by {@code newAdminAccessControl}
     * @throws ServiceException if the authenticated account cannot be obtained
     */
    public static AdminAccessControl getAdminAccessControl(ZimbraSoapContext zimbraSoapContext) throws ServiceException {
        final AuthToken token = zimbraSoapContext.getAuthToken();
        final Account authed = DocumentHandler.getAuthenticatedAccount(zimbraSoapContext);
        return newAdminAccessControl(zimbraSoapContext, token, authed);
    }

    /**
     * Boolean permission query on {@code entry}.
     *
     * <p>Counterpart of {@code checkRight}: the implementation visible in this file returns the
     * result of its permission check instead of raising PERM_DENIED. Which types {@code obj}
     * (the needed right) may take is implementation-defined; confirm per subclass.
     */
    public abstract boolean hasRight(Entry entry, Object obj) throws ServiceException;

    /**
     * Builds the access-control object from an auth token alone, for callers without a SOAP context.
     *
     * <p>The result carries a {@code null} SOAP context, so every method that begins with
     * {@code soapOnly()} will fail with FAILURE on it.
     *
     * @param authToken token naming the account by id
     * @return the variant chosen by {@code newAdminAccessControl}
     * @throws ServiceException AUTH_REQUIRED when the token's account id resolves to no account
     */
    public static AdminAccessControl getAdminAccessControl(AuthToken authToken) throws ServiceException {
        final Provisioning directory = Provisioning.getInstance();
        final Account authed = directory.get(Key.AccountBy.id, authToken.getAccountId());
        if (authed != null) {
            return newAdminAccessControl(null, authToken, authed);
        }
        // A token whose account no longer resolves is treated as unauthenticated.
        throw ServiceException.AUTH_REQUIRED();
    }

    /**
     * Gate for admin SOAP requests. The implementation visible in this file answers from the
     * auth token's {@code isAdmin()} flag and ignores both arguments; other variants may differ.
     */
    public abstract boolean isSufficientAdminForSoap(Map<String, Object> map, DocumentHandler documentHandler);

    /**
     * Gate for the zimlet filter servlet. The implementation visible in this file answers from
     * the auth token's {@code isAdmin()} flag.
     */
    public abstract boolean isSufficientAdminForZimletFilterServlet();

    /**
     * Asks the configured access manager whether {@code account} qualifies as an admin account.
     *
     * @param account account to evaluate
     * @return the access manager's verdict
     */
    public static boolean isAdequateAdminAccount(Account account) {
        final AccessManager manager = AccessManager.getInstance();
        return manager.isAdequateAdminAccount(account);
    }

    // The check* methods below return normally when the operation is permitted. The
    // implementations visible in this file signal denial with ServiceException.PERM_DENIED;
    // other variants presumably do the same. Confirm per subclass.

    /** Authorises modifying the attributes in {@code map} on an entry of class {@code attributeClass}. */
    public abstract void checkModifyAttrs(AttributeClass attributeClass, Map<String, Object> map) throws ServiceException;

    /** Authorises setting the attributes in {@code map} while creating an entry of {@code targetType} named {@code str}. */
    public abstract void checkSetAttrsOnCreate(TargetType targetType, String str, Map<String, Object> map) throws ServiceException;

    /** Boolean query: may the authenticated admin list {@code namedEntry}? */
    public abstract boolean hasRightsToList(NamedEntry namedEntry, AdminRight adminRight, Object obj) throws ServiceException;

    /** Boolean query: may the authenticated admin list {@code cos}? */
    public abstract boolean hasRightsToListCos(Cos cos, AdminRight adminRight, Object obj) throws ServiceException;

    /** Throwing counterpart of {@code hasRight}. */
    public abstract void checkRight(Entry entry, Object obj) throws ServiceException;

    /** Authorisation check for a COS target; no implementation is visible in this part of the file. */
    public abstract void checkCosRight(Cos cos, Object obj) throws ServiceException;

    /** Authorisation check for an account target; no implementation is visible in this part of the file. */
    public abstract void checkAccountRight(AdminDocumentHandler adminDocumentHandler, Account account, Object obj) throws ServiceException;

    /** Authorisation check for a calendar-resource target; no implementation is visible in this part of the file. */
    public abstract void checkCalendarResourceRight(AdminDocumentHandler adminDocumentHandler, CalendarResource calendarResource, Object obj) throws ServiceException;

    /** Authorisation check for a distribution-list target; no implementation is visible in this part of the file. */
    public abstract void checkDistributionListRight(AdminDocumentHandler adminDocumentHandler, DistributionList distributionList, Object obj) throws ServiceException;

    /** Authorisation check for a dynamic-group target; no implementation is visible in this part of the file. */
    public abstract void checkDynamicGroupRight(AdminDocumentHandler adminDocumentHandler, DynamicGroup dynamicGroup, Object obj) throws ServiceException;

    /** Authorisation check on the domain that the e-mail address {@code str} belongs to. */
    public abstract void checkDomainRightByEmail(AdminDocumentHandler adminDocumentHandler, String str, AdminRight adminRight) throws ServiceException;

    /** Authorisation check on the domain named {@code str}. */
    public abstract void checkDomainRight(AdminDocumentHandler adminDocumentHandler, String str, Object obj) throws ServiceException;

    /** Authorisation check on an already-resolved {@code domain}. */
    public abstract void checkDomainRight(AdminDocumentHandler adminDocumentHandler, Domain domain, Object obj) throws ServiceException;

    /** Returns an attribute-level right checker for {@code entry}. */
    public abstract AccessManager.AttrRightChecker getAttrRightChecker(Entry entry) throws ServiceException;

    /**
     * Returns an attribute-level right checker for {@code entry}, given a set of hard rules.
     * The implementation visible in this file ignores {@code set}; the intended meaning of the
     * set is not shown here.
     */
    public abstract AccessManager.AttrRightChecker getAttrRightChecker(Entry entry, Set<HardRules.HardRule> set) throws ServiceException;

    /**
     * Stores the collaborators shared by all access-control variants. Private: instances are
     * created through the static factories of this class.
     *
     * @param accessManager access manager that answers the permission queries
     * @param zimbraSoapContext SOAP context, or {@code null} when built from an auth token alone
     * @param authToken token of the authenticated caller
     * @param account authenticated account
     */
    private AdminAccessControl(AccessManager accessManager, ZimbraSoapContext zimbraSoapContext, AuthToken authToken, Account account) {
        mAuthedAcct = account;
        mAuthToken = authToken;
        mZsc = zimbraSoapContext;
        mAccessMgr = accessManager;
    }

    /**
     * Chooses the access-control variant that matches the configured access manager.
     *
     * <p>Selection is by exact class, not {@code instanceof}: a subclass of
     * {@code ACLAccessManager} or {@code GlobalAccessManager} falls through to
     * {@code DomainAccessControl}. NOTE(review): {@code isDomainBasedAccessManager} uses
     * {@code instanceof} instead, so the two disagree for an {@code ACLAccessManager} subclass;
     * confirm that no such subclass is deployed.
     */
    private static AdminAccessControl newAdminAccessControl(ZimbraSoapContext zimbraSoapContext, AuthToken authToken, Account account) {
        final AccessManager manager = AccessManager.getInstance();
        if (manager.getClass() == ACLAccessManager.class) {
            return new ACLAccessControl(manager, zimbraSoapContext, authToken, account);
        }
        if (manager.getClass() == GlobalAccessManager.class) {
            return new GlobalAccessControl(manager, zimbraSoapContext, authToken, account);
        }
        // Any other manager type, including subclasses of the two above.
        return new DomainAccessControl(manager, zimbraSoapContext, authToken, account);
    }

    /**
     * Asks the access manager whether the caller's auth token marks a domain-only admin.
     *
     * @return the access manager's verdict for {@code mAuthToken}
     */
    public boolean isDomainAdminOnly() {
        final AuthToken token = this.mAuthToken;
        return this.mAccessMgr.isDomainAdminOnly(token);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Classifies an access manager as domain-based, meaning anything that is not an
     * {@code ACLAccessManager} or a subclass of it. A {@code null} argument therefore counts as
     * domain-based.
     *
     * @param accessManager manager to classify
     * @return {@code false} only for an {@code ACLAccessManager} instance
     */
    public static boolean isDomainBasedAccessManager(AccessManager accessManager) {
        if (accessManager instanceof ACLAccessManager) {
            return false;
        }
        return true;
    }

    /**
     * Runs the access manager's domain-status check for the domain of {@code entry}.
     *
     * <p>A {@code Domain} is used directly; for any other entry the domain is resolved through
     * {@code TargetType.getTargetDomain}.
     *
     * @param entry a domain or an entry belonging to one
     * @throws ServiceException if the domain cannot be resolved or its status fails the check
     */
    protected void checkDomainStatus(Entry entry) throws ServiceException {
        final Domain owningDomain;
        if (entry instanceof Domain) {
            owningDomain = (Domain) entry;
        } else {
            owningDomain = TargetType.getTargetDomain(Provisioning.getInstance(), entry);
        }
        this.mAccessMgr.checkDomainStatus(owningDomain);
    }

    /**
     * Guards methods that require a SOAP request context.
     *
     * @throws ServiceException FAILURE when this object was built without a SOAP context
     */
    protected void soapOnly() throws ServiceException {
        if (this.mZsc != null) {
            return;
        }
        throw ServiceException.FAILURE("internal error, called from non-SOAP servlet", (Throwable) null);
    }
}
