package com.zimbra.qa.unittest.prov.ldap;

import com.zimbra.common.service.ServiceException;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GlobalGrant;
import com.zimbra.cs.account.Group;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.cs.service.AuthProvider;
import com.zimbra.cs.util.BuildInfoGenerated;
import com.zimbra.qa.unittest.prov.ldap.ACLTestUtil;
import com.zimbra.soap.admin.type.GranteeSelector;
import com.zimbra.soap.type.TargetBy;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:com/zimbra/qa/unittest/prov/ldap/TestACLNegativeGrant.class */
/**
 * Tests for negative (deny) grants in the access-control evaluation exposed by
 * {@link AccessManager#canDo}.
 *
 * <p>Each test provisions grantees, targets and grants through the provisioning test utility,
 * then asserts both the allow/deny decision and the grant that decided it. The cases pin down
 * how an explicit deny interacts with an allow reaching the same grantee through another group,
 * and how grants on nearer targets override grants on farther ones. A regression in any of them
 * would mean a delegated admin is granted or refused a right contrary to the configured ACL.
 *
 * <p>All fixtures are created under the base domain set up in {@link #init()}.
 */
public class TestACLNegativeGrant extends LdapTest {
    private static LdapProvTestUtil provUtil;
    private static LdapProv prov;
    private static Domain baseDomain;
    private static String BASE_DOMAIN_NAME;
    // Grantor used for every grant and revoke issued by these tests.
    private static Account globalAdmin;

    /**
     * Creates the shared fixtures: the provisioning handle, the base domain, the global admin
     * that issues all grants, and the test rights registered by {@link ACLTestUtil}.
     */
    @BeforeClass
    public static void init() throws Exception {
        provUtil = new LdapProvTestUtil();
        prov = provUtil.getProv();

        baseDomain = provUtil.createDomain(baseDomainName());
        BASE_DOMAIN_NAME = baseDomain.getName();

        globalAdmin = provUtil.createGlobalAdmin("globaladmin", baseDomain);
        ACLTestUtil.initTestRights();
    }

    /** Hands the base domain name to {@code Cleanup.deleteAll} once all tests have run. */
    @AfterClass
    public static void cleanup() throws Exception {
        Cleanup.deleteAll(baseDomainName());
    }

    /** Returns the entry's name, or {@code null} when no entry is given (global target). */
    private static String nameOrNull(NamedEntry entry) {
        if (entry == null) {
            return null;
        }
        return entry.getName();
    }

    /** Collects the names of the given entries, in order, for the add-members calls. */
    private static String[] memberNames(NamedEntry... members) {
        String[] names = new String[members.length];
        for (int i = 0; i < members.length; i++) {
            names[i] = members[i].getName();
        }
        return names;
    }

    /**
     * Issues a grant through {@link RightCommand#grantRight}, addressing target and grantee by name.
     *
     * @param account     the authenticated account issuing the grant
     * @param targetType  type of the target entry
     * @param namedEntry  the target; {@code null} is passed through as a null target name
     *                    (used here for the global target)
     * @param granteeType type of the grantee
     * @param namedEntry2 the grantee; must not be {@code null}
     * @param right       the right being granted
     * @param allowOrDeny whether the grant is positive or negative
     */
    private void grantRight(Account account, TargetType targetType, NamedEntry namedEntry, GranteeType granteeType, NamedEntry namedEntry2, Right right, ACLTestUtil.AllowOrDeny allowOrDeny) throws ServiceException {
        RightCommand.grantRight(
                prov,
                account,
                targetType.getCode(),
                TargetBy.name,
                nameOrNull(namedEntry),
                granteeType.getCode(),
                GranteeSelector.GranteeBy.name,
                namedEntry2.getName(),
                (String) null,
                right.getName(),
                allowOrDeny.toRightModifier());
    }

    /**
     * Revokes a grant through {@link RightCommand#revokeRight}; the arguments mirror
     * {@code grantRight} and must describe the grant exactly as it was issued.
     *
     * @param account     the authenticated account issuing the revoke
     * @param targetType  type of the target entry
     * @param namedEntry  the target; {@code null} is passed through as a null target name
     * @param granteeType type of the grantee
     * @param namedEntry2 the grantee; must not be {@code null}
     * @param right       the right being revoked
     * @param allowOrDeny whether the grant being revoked is positive or negative
     */
    protected void revokeRight(Account account, TargetType targetType, NamedEntry namedEntry, GranteeType granteeType, NamedEntry namedEntry2, Right right, ACLTestUtil.AllowOrDeny allowOrDeny) throws ServiceException {
        RightCommand.revokeRight(
                prov,
                account,
                targetType.getCode(),
                TargetBy.name,
                nameOrNull(namedEntry),
                granteeType.getCode(),
                GranteeSelector.GranteeBy.name,
                namedEntry2.getName(),
                right.getName(),
                allowOrDeny.toRightModifier());
    }

    /**
     * Asserts the access decision for {@code account} on {@code entry}, and the grant that
     * produced it, through three ways of identifying the grantee: the account object, an auth
     * token obtained for the account, and the account name.
     *
     * @param account      the grantee being checked; may be {@code null}
     * @param entry        the target of the check
     * @param right        the right being checked
     * @param asAdmin      whether the check is made in the admin context
     * @param allowOrDeny  the expected decision
     * @param testViaGrant the expected deciding grant, or {@code null} when no via-grant is
     *                     collected for the check
     */
    protected void verify(Account account, Entry entry, Right right, ACLTestUtil.AsAdmin asAdmin, ACLTestUtil.AllowOrDeny allowOrDeny, ACLTestUtil.TestViaGrant testViaGrant) throws Exception {
        AccessManager accessManager = AccessManager.getInstance();

        // 1. Grantee identified by the Account object.
        AccessManager.ViaGrant viaByAccount = testViaGrant == null ? null : new AccessManager.ViaGrant();
        Boolean expectedByAccount = Boolean.valueOf(allowOrDeny.allow());
        Boolean actualByAccount = Boolean.valueOf(accessManager.canDo(account, entry, right, asAdmin.yes(), viaByAccount));
        Assert.assertEquals(expectedByAccount, actualByAccount);
        ACLTestUtil.TestViaGrant.verifyEquals(testViaGrant, viaByAccount);

        // 2. Grantee identified by an auth token issued for the account.
        AccessManager.ViaGrant viaByToken = testViaGrant == null ? null : new AccessManager.ViaGrant();
        Boolean expectedByToken = Boolean.valueOf(allowOrDeny.allow());
        Boolean actualByToken = Boolean.valueOf(accessManager.canDo(account == null ? null : AuthProvider.getAuthToken(account), entry, right, asAdmin.yes(), viaByToken));
        Assert.assertEquals(expectedByToken, actualByToken);
        ACLTestUtil.TestViaGrant.verifyEquals(testViaGrant, viaByToken);

        // 3. Grantee identified by account name. The call is always made, but its result is
        //    not asserted for a guest account that carries an access key.
        //    NOTE(review): presumably the name alone cannot carry the key - confirm.
        AccessManager.ViaGrant viaByName = testViaGrant == null ? null : new AccessManager.ViaGrant();
        String granteeName = account == null ? null : account.getName();
        boolean allowedByName = accessManager.canDo(granteeName, entry, right, asAdmin.yes(), viaByName);
        boolean keyedGuest = account instanceof GuestAccount && ((GuestAccount) account).getAccessKey() != null;
        if (!keyedGuest) {
            Assert.assertEquals(Boolean.valueOf(allowOrDeny.allow()), Boolean.valueOf(allowedByName));
            ACLTestUtil.TestViaGrant.verifyEquals(testViaGrant, viaByName);
        }
    }

    /**
     * A delegated admin belongs directly to two admin groups; one group is allowed the right on
     * the target account and the other is denied it. The deny must win, and the deciding grant
     * must be the one to the denied group.
     */
    @Test
    public void groupGranteeTest1() throws Exception {
        Account grantor = globalAdmin;
        Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

        Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("acct"), baseDomain);
        Group allowedGroup = provUtil.createAdminGroup(genAcctNameLocalPart("group1"), baseDomain);
        Group deniedGroup = provUtil.createAdminGroup(genAcctNameLocalPart("group2"), baseDomain);
        prov.addGroupMembers(allowedGroup, memberNames(delegatedAdmin));
        prov.addGroupMembers(deniedGroup, memberNames(delegatedAdmin));

        NamedEntry target = provUtil.createAccount(genAcctNameLocalPart("target"), baseDomain);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, allowedGroup, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, deniedGroup, presetRight, ACLTestUtil.AllowOrDeny.DENY);

        // The trailing boolean is true on every expected deny grant in this class and false on
        // every expected allow grant; presumably it is the "negative grant" flag - confirm.
        ACLTestUtil.TestViaGrant expectedVia = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, deniedGroup.getName(), presetRight, true);
        verify(delegatedAdmin, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, expectedVia);
    }

    /**
     * Two chains of nested admin groups (GG1 contains GG2 contains GG3, and GG4 contains GG5
     * contains GG6), with the delegated admin a direct member of all six. Grants on the target
     * account alternate allow/deny along each chain. The expected decision is deny, decided by
     * the GG2 grant or, alternatively, by the GG4 or GG6 grant.
     *
     * <p>NOTE(review): unlike its siblings this method carries no {@code @Test} annotation, so
     * a JUnit 4 runner will not execute it. Confirm whether it is disabled on purpose.
     */
    public void groupGranteeTest2() throws Exception {
        Domain subDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
        Account grantor = globalAdmin;
        Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

        Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), subDomain);
        Group gg1 = provUtil.createAdminGroup(genGroupNameLocalPart("GG1"), subDomain);
        Group gg2 = provUtil.createAdminGroup(genGroupNameLocalPart("GG2"), subDomain);
        Group gg3 = provUtil.createAdminGroup(genGroupNameLocalPart("GG3"), subDomain);
        Group gg4 = provUtil.createAdminGroup(genGroupNameLocalPart("GG4"), subDomain);
        Group gg5 = provUtil.createAdminGroup(genGroupNameLocalPart("GG5"), subDomain);
        Group gg6 = provUtil.createAdminGroup(genGroupNameLocalPart("GG6"), subDomain);

        // First chain: GG1 -> GG2 -> GG3, admin in each.
        prov.addGroupMembers(gg1, memberNames(delegatedAdmin, gg2));
        prov.addGroupMembers(gg2, memberNames(delegatedAdmin, gg3));
        prov.addGroupMembers(gg3, memberNames(delegatedAdmin));
        // Second chain: GG4 -> GG5 -> GG6, admin in each.
        prov.addGroupMembers(gg4, memberNames(delegatedAdmin, gg5));
        prov.addGroupMembers(gg5, memberNames(delegatedAdmin, gg6));
        prov.addGroupMembers(gg6, memberNames(delegatedAdmin));

        NamedEntry target = provUtil.createAccount(genAcctNameLocalPart("target"), subDomain);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg1, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg2, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg3, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg4, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg5, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg6, presetRight, ACLTestUtil.AllowOrDeny.DENY);

        // Any of the three deny grants is accepted as the deciding one.
        ACLTestUtil.TestViaGrant expectedVia = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, gg2.getName(), presetRight, true);
        expectedVia.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, gg4.getName(), presetRight, true));
        expectedVia.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, gg6.getName(), presetRight, true));
        verify(delegatedAdmin, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, expectedVia);
    }

    /**
     * Nesting on both sides. Grantee side: group A contains GB, GB contains GC, and GC contains
     * the delegated admin. Target side: list G1 contains G2, G2 contains G3, and G3 contains the
     * target account. GC is allowed on G1, GB is denied on G2 and A is denied on G3. The
     * expected decision is deny, decided by the G2 grant or, alternatively, by the G3 grant.
     */
    @Test
    public void groupGranteeTest3() throws Exception {
        Domain subDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
        Account grantor = globalAdmin;
        Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

        Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), subDomain);
        // NOTE(review): this local part comes from a build-info constant while the sibling
        // groups use the literals "GB" and "GC"; it looks like a decompiler constant
        // substitution - confirm and restore the intended literal.
        Group groupA = provUtil.createAdminGroup(genGroupNameLocalPart(BuildInfoGenerated.RELCLASS), subDomain);
        Group groupB = provUtil.createAdminGroup(genGroupNameLocalPart("GB"), subDomain);
        Group groupC = provUtil.createAdminGroup(genGroupNameLocalPart("GC"), subDomain);
        prov.addGroupMembers(groupA, memberNames(groupB));
        prov.addGroupMembers(groupB, memberNames(groupC));
        prov.addGroupMembers(groupC, memberNames(delegatedAdmin));

        Account target = provUtil.createAccount(genAcctNameLocalPart("target"), subDomain);
        DistributionList outerList = provUtil.createDistributionList(genGroupNameLocalPart("G1"), subDomain);
        DistributionList middleList = provUtil.createDistributionList(genGroupNameLocalPart("G2"), subDomain);
        DistributionList innerList = provUtil.createDistributionList(genGroupNameLocalPart("G3"), subDomain);
        prov.addGroupMembers(outerList, memberNames(middleList));
        prov.addGroupMembers(middleList, memberNames(innerList));
        prov.addGroupMembers(innerList, memberNames(target));

        grantRight(grantor, TargetType.dl, outerList, GranteeType.GT_GROUP, groupC, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        grantRight(grantor, TargetType.dl, middleList, GranteeType.GT_GROUP, groupB, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        grantRight(grantor, TargetType.dl, innerList, GranteeType.GT_GROUP, groupA, presetRight, ACLTestUtil.AllowOrDeny.DENY);

        ACLTestUtil.TestViaGrant expectedVia = new ACLTestUtil.TestViaGrant(TargetType.dl, middleList, GranteeType.GT_GROUP, groupB.getName(), presetRight, true);
        expectedVia.addCanAlsoVia(new ACLTestUtil.TestViaGrant(TargetType.dl, innerList, GranteeType.GT_GROUP, groupA.getName(), presetRight, true));
        verify(delegatedAdmin, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, expectedVia);
    }

    /**
     * Stacks grants to one user on five targets: the account itself (allow), the list that
     * directly contains it (deny), the list containing that list (allow), the domain (deny)
     * and the global target (allow). The nearest grant is then revoked step by step. After each
     * step the decision must be the one made by the nearest remaining grant, and once no grant
     * is left the right must be denied with no deciding grant.
     */
    @Test
    public void targetPrecedence() throws Exception {
        Domain subDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
        Account grantor = globalAdmin;
        Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

        Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), subDomain);
        NamedEntry target = provUtil.createAccount(genAcctNameLocalPart("target"), subDomain);
        grantRight(grantor, TargetType.account, target, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);

        // outerList contains innerList, which contains the target account.
        DistributionList outerList = provUtil.createDistributionList(genGroupNameLocalPart("group1"), subDomain);
        DistributionList innerList = provUtil.createDistributionList(genGroupNameLocalPart("group2"), subDomain);
        prov.addMembers(outerList, memberNames(innerList));
        prov.addMembers(innerList, memberNames(target));
        grantRight(grantor, TargetType.dl, innerList, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        grantRight(grantor, TargetType.dl, outerList, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);

        grantRight(grantor, TargetType.domain, subDomain, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.DENY);

        GlobalGrant globalGrant = prov.getGlobalGrant();
        grantRight(grantor, TargetType.global, null, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);

        // All five grants in place: the grant on the account itself decides.
        ACLTestUtil.TestViaGrant viaAccount = new ACLTestUtil.TestViaGrant(TargetType.account, target, GranteeType.GT_USER, grantee.getName(), presetRight, false);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, viaAccount);

        // Account grant removed: the deny on the directly containing list decides.
        revokeRight(grantor, TargetType.account, target, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        ACLTestUtil.TestViaGrant viaInnerList = new ACLTestUtil.TestViaGrant(TargetType.dl, innerList, GranteeType.GT_USER, grantee.getName(), presetRight, true);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, viaInnerList);

        // Inner-list deny removed: the allow on the outer list decides.
        revokeRight(grantor, TargetType.dl, innerList, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        ACLTestUtil.TestViaGrant viaOuterList = new ACLTestUtil.TestViaGrant(TargetType.dl, outerList, GranteeType.GT_USER, grantee.getName(), presetRight, false);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, viaOuterList);

        // Outer-list allow removed: the deny on the domain decides.
        revokeRight(grantor, TargetType.dl, outerList, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        ACLTestUtil.TestViaGrant viaDomain = new ACLTestUtil.TestViaGrant(TargetType.domain, subDomain, GranteeType.GT_USER, grantee.getName(), presetRight, true);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, viaDomain);

        // Domain deny removed: the allow on the global target decides.
        revokeRight(grantor, TargetType.domain, subDomain, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.DENY);
        ACLTestUtil.TestViaGrant viaGlobal = new ACLTestUtil.TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER, grantee.getName(), presetRight, false);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.ALLOW, viaGlobal);

        // Nothing left: the right is denied and no deciding grant is expected.
        revokeRight(grantor, TargetType.global, null, GranteeType.GT_USER, grantee, presetRight, ACLTestUtil.AllowOrDeny.ALLOW);
        verify(grantee, target, presetRight, ACLTestUtil.AsAdmin.AS_ADMIN, ACLTestUtil.AllowOrDeny.DENY, null);
    }
}
