package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.SetUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GlobalGrant;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.RightBearer;
import com.zimbra.cs.account.accesscontrol.SearchGrants;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/ParticallyDenied.class */
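/**
 * Guard used when a delegated admin grants a right: the grant is refused if the same right
 * (or an overlapping one) is explicitly denied to the granting account, or to one of its
 * groups, on any sub-target of the entry being granted on.
 *
 * <p>Without this check, an admin who is denied a right on part of a target could hand that
 * right to another grantee on the whole target.
 *
 * <p>All methods are static and keep no state of their own.
 */
public class ParticallyDenied {
    private static final Log sLog = ZimbraLog.acl;

    /**
     * Decides whether {@code entry2} falls under {@code entry} for the purpose of the deny check.
     *
     * <ul>
     *   <li>{@link Domain}: true when {@code entry2} belongs to that domain, or when
     *       {@code entry2} is an account or distribution list that is a member of a group
     *       whose domain is that domain.</li>
     *   <li>{@link DistributionList}: true when {@code entry2} is an account or distribution
     *       list that {@code provisioning.inDistributionList} reports as a member.</li>
     *   <li>{@link GlobalGrant}: always true.</li>
     * </ul>
     *
     * @param provisioning directory access used for membership and domain lookups
     * @param entry the candidate super-target
     * @param entry2 the candidate sub-target
     * @return whether {@code entry2} is covered by {@code entry}
     * @throws ServiceException if {@code entry} is none of the three supported types, or a lookup fails
     */
    private static boolean isSubTarget(Provisioning provisioning, Entry entry, Entry entry2) throws ServiceException {
        if (entry instanceof Domain) {
            Domain domain = (Domain) entry;
            Domain targetDomain = TargetType.getTargetDomain(provisioning, entry2);
            if (targetDomain == null) {
                return false;
            }
            if (domain.getId().equals(targetDomain.getId())) {
                return true;
            }

            // Not directly in the domain: it may still be reachable through a group that is.
            Provisioning.GroupMembership groupMembership;
            if (entry2 instanceof Account) {
                groupMembership = provisioning.getGroupMembership((Account) entry2, false);
            } else if (entry2 instanceof DistributionList) {
                groupMembership = provisioning.getGroupMembership((DistributionList) entry2, false);
            } else {
                return false;
            }
            for (String groupId : groupMembership.groupIds()) {
                // NOTE(review): the getDLBasic result goes straight into getDomain; whether a
                // group id that no longer resolves is tolerated is not visible here - confirm.
                // Silently skipping such a group would drop a deny check, so any guard added
                // here should fail closed.
                Domain groupDomain = provisioning.getDomain(provisioning.getDLBasic(Key.DistributionListBy.id, groupId));
                if (groupDomain != null && domain.getId().equals(groupDomain.getId())) {
                    return true;
                }
            }
            return false;
        }

        if (entry instanceof DistributionList) {
            DistributionList distributionList = (DistributionList) entry;
            if (entry2 instanceof Account) {
                return provisioning.inDistributionList((Account) entry2, distributionList.getId());
            }
            if (entry2 instanceof DistributionList) {
                return provisioning.inDistributionList((DistributionList) entry2, distributionList.getId());
            }
            return false;
        }

        if (entry instanceof GlobalGrant) {
            return true;
        }

        throw ServiceException.FAILURE("internal error, unexpected entry type: " + entry.getLabel(), (Throwable) null);
    }

    /**
     * Scans the denied ACEs of every grant target that is a sub-target of {@code entry} and
     * rejects the operation on the first one that names the grantee and overlaps {@code right}.
     *
     * <p>The grantee is matched either by a single id ({@code str}) or by membership in
     * {@code set2}; either argument may be null to disable that form of matching.
     *
     * @param provisioning directory access passed through to {@link #isSubTarget}
     * @param entry the target the right is about to be granted on
     * @param right the right about to be granted
     * @param set grants found on candidate sub-targets
     * @param str a single grantee id to match, or null
     * @param set2 a set of grantee ids to match, or null
     * @throws ServiceException PERM_DENIED when a matching, overlapping deny exists
     */
    private static void checkDenied(Provisioning provisioning, Entry entry, Right right, Set<SearchGrants.GrantsOnTarget> set, String str, Set<String> set2) throws ServiceException {
        for (SearchGrants.GrantsOnTarget grantsOnTarget : set) {
            Entry targetEntry = grantsOnTarget.getTargetEntry();
            if (!isSubTarget(provisioning, entry, targetEntry)) {
                continue;
            }
            for (ZimbraACE deniedAce : grantsOnTarget.getAcl().getDeniedACEs()) {
                boolean granteeMatches = (str != null && str.equals(deniedAce.getGrantee()))
                        || (set2 != null && set2.contains(deniedAce.getGrantee()));
                if (granteeMatches && right.overlaps(deniedAce.getRight())) {
                    throw ServiceException.PERM_DENIED(String.format("insufficient right to grant. Right '%s' is denied to grp/usr '%s' on target %s", deniedAce.getRight().getName(), deniedAce.getGrantee(), targetEntry.getLabel()));
                }
            }
        }
    }

    /**
     * Collects into {@code set} every target type on which {@code right} can be granted,
     * descending into the member rights of a combo right.
     *
     * <p>A right that is neither preset, attr nor combo contributes nothing.
     *
     * @param right the right to inspect
     * @param set accumulator that receives the grantable target types
     * @throws ServiceException if a right lookup fails
     */
    private static void getAllGrantableTargetTypes(Right right, Set<TargetType> set) throws ServiceException {
        if (right.isPresetRight() || right.isAttrRight()) {
            set.addAll(right.getGrantableTargetTypes());
        } else if (right.isComboRight()) {
            for (Right member : ((ComboRight) right).getAllRights()) {
                getAllGrantableTargetTypes(member, set);
            }
        }
    }

    /**
     * Refuses a grant when {@code right} is denied to {@code account}, or to a group it
     * belongs to, on some sub-target of {@code entry}.
     *
     * <p>Global admins are exempt. The search is limited to target types that are both
     * sub-types of {@code targetType} and grantable for {@code right}; if there are none the
     * check passes without searching. Denies naming the account id are evaluated before
     * denies naming any id in the account's id-and-group set.
     *
     * <p>The decompiler reported that this method was package-private in the original class;
     * it is kept public here so existing callers of this listing are unaffected.
     *
     * @param account the account performing the grant
     * @param targetType type of the target being granted on
     * @param entry the target being granted on
     * @param right the right being granted
     * @throws ServiceException PERM_DENIED when a conflicting deny exists, or on lookup failure
     */
    public static void checkPartiallyDenied(Account account, TargetType targetType, Entry entry, Right right) throws ServiceException {
        if (AccessControlUtil.isGlobalAdmin(account, true)) {
            return;
        }
        Provisioning provisioning = Provisioning.getInstance();

        // Typed sets instead of raw ones, so a wrong element type is caught at compile time.
        Set<TargetType> subTargetTypes = targetType.subTargetTypes();
        Set<TargetType> grantableTargetTypes = new HashSet<>();
        getAllGrantableTargetTypes(right, grantableTargetTypes);
        Set<TargetType> targetTypesToSearch = SetUtil.intersect(subTargetTypes, grantableTargetTypes);
        if (targetTypesToSearch.isEmpty()) {
            return;
        }

        Set<String> idAndGroupIds = RightBearer.Grantee.getGrantee(account).getIdAndGroupIds();
        Set<SearchGrants.GrantsOnTarget> results = new SearchGrants(provisioning, targetTypesToSearch, idAndGroupIds).doSearch().getResults();

        // Two passes over the same results: the account itself first, then its id/group set.
        checkDenied(provisioning, entry, right, results, account.getId(), null);
        checkDenied(provisioning, entry, right, results, null, idAndGroupIds);
    }
}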
