package com.zimbra.qa.unittest.prov.ldap;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.SetUtil;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AttributeClass;
import com.zimbra.cs.account.AttributeManager;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.Group;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Zimlet;
import com.zimbra.cs.account.accesscontrol.ACLUtil;
import com.zimbra.cs.account.accesscontrol.AdminRight;
import com.zimbra.cs.account.accesscontrol.AllowedAttrs;
import com.zimbra.cs.account.accesscontrol.CheckAttrRight;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightBearer;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.account.accesscontrol.ZimbraACE;
import com.zimbra.cs.account.accesscontrol.generated.RightConsts;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.util.BuildInfoGenerated;
import com.zimbra.qa.unittest.TestUtil;
import com.zimbra.qa.unittest.prov.Verify;
import com.zimbra.qa.unittest.prov.ldap.ACLTestUtil;
import com.zimbra.soap.admin.type.GranteeSelector;
import com.zimbra.soap.type.TargetBy;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:com/zimbra/qa/unittest/prov/ldap/TestACLAttrRight.class */
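/**
 * Pins how attribute rights (get-attrs / set-attrs) combine for a delegated admin on an
 * account target.
 *
 * <p>Each scenario creates a fresh delegated admin and a fresh target account, has the global
 * admin issue one or two grants, and then compares the result of
 * {@code CheckAttrRight.accessibleAttrs} with an expected {@link AllowedAttrs}.
 *
 * <p>Precedence rules encoded by the expectations in this class:
 * <ul>
 *   <li>Single grant: allow yields the granted attributes; a lone deny of "some" yields
 *       ALLOW_SOME with an empty set, a lone deny of "all" yields DENY_ALL.</li>
 *   <li>Two grants to the same grantee: deny-all beats allow-some, and deny-some is subtracted
 *       from allow-all.</li>
 *   <li>Two grants at different distances (one directly to the user, one to an admin group the
 *       user is a member of): the direct user grant decides for the attributes it covers and the
 *       group grant only applies to what is left. A group-level deny is therefore NOT a ceiling
 *       for a member who also holds a direct allow.</li>
 * </ul>
 *
 * <p>These tests provision real entries through {@link LdapProv}; they are integration tests,
 * not isolated unit tests.
 */
public class TestACLAttrRight extends LdapTest {
    // Rights under test; resolved once in init().
    private static Right ATTR_RIGHT_GET_ALL;
    private static Right ATTR_RIGHT_GET_SOME;
    private static Right ATTR_RIGHT_SET_ALL;
    private static Right ATTR_RIGHT_SET_SOME;
    // Only the keys of ATTRS_SOME are used (as the expected "some" attribute set).
    private static Map<String, Object> ATTRS_SOME;
    private static AllowedAttrs EXPECTED_SOME;
    private static AllowedAttrs EXPECTED_SOME_EMPTY;
    private static AllowedAttrs EXPECTED_ALL_MINUS_SOME;
    // Built in init() but not read anywhere else in this class.
    private static Map<String, Object> ATTRS_SOME_MORE;
    private static final ACLTestUtil.AllowOrDeny ALLOW = ACLTestUtil.AllowOrDeny.ALLOW;
    private static final ACLTestUtil.AllowOrDeny DENY = ACLTestUtil.AllowOrDeny.DENY;
    protected static final ACLTestUtil.GetOrSet GET = ACLTestUtil.GetOrSet.GET;
    protected static final ACLTestUtil.GetOrSet SET = ACLTestUtil.GetOrSet.SET;
    private static LdapProvTestUtil provUtil;
    private static LdapProv prov;
    private static Domain domain;
    private static String DOMAIN_NAME;
    private static Account globalAdmin;

    /**
     * Creates the test domain and global admin, resolves the four rights under test and builds
     * the expected {@link AllowedAttrs} values shared by all scenarios.
     *
     * @throws Exception if provisioning or right lookup fails
     */
    @BeforeClass
    public static void init() throws Exception {
        provUtil = new LdapProvTestUtil();
        prov = provUtil.getProv();
        domain = provUtil.createDomain(baseDomainName());
        DOMAIN_NAME = domain.getName();
        globalAdmin = provUtil.createGlobalAdmin("globaladmin", domain);

        ATTRS_SOME = new HashMap<String, Object>();
        ATTRS_SOME.put("zimbraMailQuota", "123");
        ATTRS_SOME.put("zimbraQuotaWarnPercent", "123");
        ATTRS_SOME.put("zimbraQuotaWarnInterval", "123");
        ATTRS_SOME.put("zimbraQuotaWarnMessage", "123");

        // NOTE(review): LdapConstants.LDAP_TRUE and DavElements.LANG_EN_US look like decompiler
        // substitutions for plain string literals - confirm against the original source.
        ATTRS_SOME_MORE = new HashMap<String, Object>(ATTRS_SOME);
        ATTRS_SOME_MORE.put("zimbraFeatureMailEnabled", LdapConstants.LDAP_TRUE);
        ATTRS_SOME_MORE.put("zimbraFeatureCalendarEnabled", LdapConstants.LDAP_TRUE);
        ATTRS_SOME_MORE.put("zimbraPrefLocale", DavElements.LANG_EN_US);

        Set<String> allAttrsInClass = AttributeManager.getInstance().getAllAttrsInClass(AttributeClass.account);

        ATTR_RIGHT_GET_ALL = ACLTestUtil.getRight(RightConsts.RT_getAccount);
        // The expectations below assume the two "-2" test rights cover exactly the ATTRS_SOME
        // keys; presumably they are defined in the test rights definitions - verify there.
        ATTR_RIGHT_GET_SOME = ACLTestUtil.getRight("test-getAttrs-account-2");
        ATTR_RIGHT_SET_ALL = ACLTestUtil.getRight(RightConsts.RT_modifyAccount);
        ATTR_RIGHT_SET_SOME = ACLTestUtil.getRight("test-setAttrs-account-2");

        Set<String> allButSome = SetUtil.subtract(allAttrsInClass, ATTRS_SOME.keySet());
        EXPECTED_SOME = AllowedAttrs.ALLOW_SOME_ATTRS(ATTRS_SOME.keySet());
        // Distinct from DENY_ALL: the result is ALLOW_SOME with nothing in the allowed set.
        EXPECTED_SOME_EMPTY = AllowedAttrs.ALLOW_SOME_ATTRS(new HashSet<String>());
        EXPECTED_ALL_MINUS_SOME = AllowedAttrs.ALLOW_SOME_ATTRS(allButSome);
    }

    /**
     * Removes everything provisioned under this test's base domain.
     *
     * @throws Exception if cleanup fails
     */
    @AfterClass
    public static void cleanup() throws Exception {
        Cleanup.deleteAll(baseDomainName());
    }

    /** Returns the address for {@code str} inside the test domain. */
    private String getAddress(String str) {
        return TestUtil.getAddress(str, DOMAIN_NAME);
    }

    /** Returns the address for {@code testName-suffix} inside the test domain. */
    private String getAddress(String testName, String suffix) {
        return getAddress(testName + "-" + suffix);
    }

    /** Creates an account with the given name through the provisioning test utility. */
    private Account createAccount(String name) throws Exception {
        return provUtil.createAccount(name);
    }

    /**
     * Grants a set of ACEs on a target after asserting that every ACE carries a user right.
     *
     * <p>Zimlet targets are looked up by name; other targets are looked up by id, with a null
     * id when the entry is not a {@link NamedEntry}. Not called from within this class.
     *
     * @param targetType type of the target entry
     * @param entry      target entry
     * @param aces       ACEs to grant
     * @return whatever {@code ACLUtil.grantRight} returns for the grant
     * @throws ServiceException if target lookup or the grant fails
     */
    private List<ZimbraACE> grantRight(TargetType targetType, Entry entry, Set<ZimbraACE> aces) throws ServiceException {
        for (ZimbraACE ace : aces) {
            Assert.assertTrue(ace.getRight().isUserRight());
        }
        Entry target;
        if (entry instanceof Zimlet) {
            target = TargetType.lookupTarget(prov, targetType, TargetBy.name, ((Zimlet) entry).getName());
        } else {
            String id = entry instanceof NamedEntry ? ((NamedEntry) entry).getId() : null;
            target = TargetType.lookupTarget(prov, targetType, TargetBy.id, id);
        }
        return ACLUtil.grantRight(prov, target, aces);
    }

    /**
     * Issues one grant through {@code RightCommand.grantRight}, addressing target and grantee by
     * name.
     *
     * @param authedAcct  account issuing the grant
     * @param targetType  type of the target
     * @param target      target entry, or null to pass a null target name
     * @param granteeType type of the grantee (user or group in this class)
     * @param grantee     grantee entry; must not be null
     * @param right       right to grant
     * @param allowOrDeny whether the grant is positive or negative
     * @throws ServiceException if the grant fails
     */
    private void grantRight(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, ACLTestUtil.AllowOrDeny allowOrDeny) throws ServiceException {
        RightCommand.grantRight(
                prov,
                authedAcct,
                targetType.getCode(),
                TargetBy.name,
                target == null ? null : target.getName(),
                granteeType.getCode(),
                GranteeSelector.GranteeBy.name,
                grantee.getName(),
                (String) null,
                right.getName(),
                allowOrDeny.toRightModifier());
    }

    /** Picks the "some attributes" right matching the get/set direction. */
    private static Right someAttrsRight(ACLTestUtil.GetOrSet getOrSet) {
        return getOrSet.isGet() ? ATTR_RIGHT_GET_SOME : ATTR_RIGHT_SET_SOME;
    }

    /** Picks the "all attributes" right matching the get/set direction. */
    private static Right allAttrsRight(ACLTestUtil.GetOrSet getOrSet) {
        return getOrSet.isGet() ? ATTR_RIGHT_GET_ALL : ATTR_RIGHT_SET_ALL;
    }

    /**
     * Computes the attributes {@code grantee} may get or set on {@code target} and compares them
     * with {@code expected}.
     */
    private void verify(Account grantee, Entry target, ACLTestUtil.GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
        // NOTE(review): the trailing 'false' is passed through as in the original; its meaning
        // is defined by CheckAttrRight.accessibleAttrs - confirm there.
        AllowedAttrs actual = CheckAttrRight.accessibleAttrs(
                new RightBearer.Grantee(grantee),
                target,
                getOrSet.isGet() ? AdminRight.PR_GET_ATTRS : AdminRight.PR_SET_ATTRS,
                false);
        verifyEquals(expected, actual);
    }

    /**
     * Asserts that two {@link AllowedAttrs} agree: same result kind and, when the second is
     * ALLOW_SOME, the same allowed attribute set.
     *
     * @param allowedAttrs  expected value
     * @param allowedAttrs2 actual value
     * @throws Exception if the set comparison fails
     */
    void verifyEquals(AllowedAttrs allowedAttrs, AllowedAttrs allowedAttrs2) throws Exception {
        Assert.assertEquals(allowedAttrs.getResult(), allowedAttrs2.getResult());
        // The allowed set is only meaningful for ALLOW_SOME; ALLOW_ALL/DENY_ALL compare by kind.
        if (allowedAttrs2.getResult() == AllowedAttrs.Result.ALLOW_SOME) {
            Verify.verifyEquals(allowedAttrs.getAllowed(), allowedAttrs2.getAllowed());
        }
    }

    /** One grant of the "some attributes" right directly to the delegated admin. */
    private void oneGrantSome(ACLTestUtil.AllowOrDeny allowOrDeny, ACLTestUtil.GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
        String testName = "oneGrantSome-" + allowOrDeny.name() + "-" + getOrSet.name();
        System.out.println("Testing " + testName);
        // NOTE(review): BuildInfoGenerated.RELCLASS is used only as the grantee's name suffix,
        // parallel to the literal "TA" for the target; looks like a decompiler substitution for
        // a string literal - confirm.
        Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, BuildInfoGenerated.RELCLASS));
        Right right = someAttrsRight(getOrSet);
        Account target = createAccount(getAddress(testName, "TA"));
        grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, right, allowOrDeny);
        verify(grantee, target, getOrSet, expected);
    }

    /**
     * One grant of the "all attributes" right directly to the delegated admin.
     *
     * @param allowOrDeny  polarity of the grant
     * @param getOrSet     whether the get or the set right is exercised
     * @param allowedAttrs expected accessible attributes
     * @throws Exception if provisioning, granting or verification fails
     */
    public void oneGrantAll(ACLTestUtil.AllowOrDeny allowOrDeny, ACLTestUtil.GetOrSet getOrSet, AllowedAttrs allowedAttrs) throws Exception {
        String testName = "oneGrantAll-" + allowOrDeny.name() + "-" + getOrSet.name();
        System.out.println("Testing " + testName);
        // NOTE(review): RELCLASS as name suffix looks like a decompiler artifact - confirm.
        Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, BuildInfoGenerated.RELCLASS));
        Right right = allAttrsRight(getOrSet);
        Account target = createAccount(getAddress(testName, "TA"));
        grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, right, allowOrDeny);
        verify(grantee, target, getOrSet, allowedAttrs);
    }

    /**
     * Two grants to the same user on the same target: first the "some" right with
     * {@code someGrant} polarity, then the "all" right with {@code allGrant} polarity.
     */
    private void someAllSameLevel(ACLTestUtil.AllowOrDeny someGrant, ACLTestUtil.AllowOrDeny allGrant, ACLTestUtil.GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
        String testName = "someAllSameLevel-" + someGrant.name() + "-some-" + allGrant.name() + "-all-" + getOrSet.name();
        System.out.println("Testing " + testName);
        // NOTE(review): RELCLASS as name suffix looks like a decompiler artifact - confirm.
        Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, BuildInfoGenerated.RELCLASS));
        Right someRight = someAttrsRight(getOrSet);
        Right allRight = allAttrsRight(getOrSet);
        Account target = createAccount(getAddress(testName, "TA"));
        grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, someRight, someGrant);
        grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, allRight, allGrant);
        verify(grantee, target, getOrSet, expected);
    }

    /**
     * Two grants at different distances from the grantee: one directly to the user and one to an
     * admin group the user is added to.
     *
     * @param allowOrDeny  polarity of the "some attributes" grant
     * @param allowOrDeny2 polarity of the "all attributes" grant
     * @param z            true when the "some" grant goes to the user (closer) and the "all"
     *                     grant to the group; false for the opposite assignment
     * @param getOrSet     whether the get or the set rights are exercised
     * @param allowedAttrs expected accessible attributes
     * @throws Exception if provisioning, granting or verification fails
     */
    public void someAllDiffLevel(ACLTestUtil.AllowOrDeny allowOrDeny, ACLTestUtil.AllowOrDeny allowOrDeny2, boolean z, ACLTestUtil.GetOrSet getOrSet, AllowedAttrs allowedAttrs) throws Exception {
        String testName = "someAllDiffLevel-" + allowOrDeny.name() + "-some-" + allowOrDeny2.name() + "-all-" + (z ? "someIsCloser" : "allIsCloser") + "-" + getOrSet.name();
        System.out.println("Testing " + testName);
        // NOTE(review): RELCLASS as name suffix looks like a decompiler artifact - confirm.
        Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, BuildInfoGenerated.RELCLASS));
        Group group = provUtil.createAdminGroup(getAddress(testName, "GG"));
        prov.addGroupMembers(group, new String[]{grantee.getName()});
        Right someRight = someAttrsRight(getOrSet);
        Right allRight = allAttrsRight(getOrSet);
        Account target = createAccount(getAddress(testName, "TA"));
        if (z) {
            // "some" is the direct (user) grant, "all" arrives through group membership.
            grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, someRight, allowOrDeny);
            grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_GROUP, group, allRight, allowOrDeny2);
        } else {
            // "all" is the direct (user) grant, "some" arrives through group membership.
            grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_USER, grantee, allRight, allowOrDeny2);
            grantRight(globalAdmin, TargetType.account, target, GranteeType.GT_GROUP, group, someRight, allowOrDeny);
        }
        verify(grantee, target, getOrSet, allowedAttrs);
    }

    /** A single "some" grant: allow exposes the subset, deny exposes nothing. */
    @Test
    public void testOneGrantSome() throws Exception {
        oneGrantSome(ALLOW, SET, EXPECTED_SOME);
        oneGrantSome(DENY, SET, EXPECTED_SOME_EMPTY);
        oneGrantSome(ALLOW, GET, EXPECTED_SOME);
        oneGrantSome(DENY, GET, EXPECTED_SOME_EMPTY);
    }

    /** A single "all" grant: allow exposes everything, deny exposes nothing. */
    @Test
    public void testOneGrantAll() throws Exception {
        oneGrantAll(ALLOW, SET, AllowedAttrs.ALLOW_ALL_ATTRS());
        oneGrantAll(DENY, SET, AllowedAttrs.DENY_ALL_ATTRS());
        oneGrantAll(ALLOW, GET, AllowedAttrs.ALLOW_ALL_ATTRS());
        oneGrantAll(DENY, GET, AllowedAttrs.DENY_ALL_ATTRS());
    }

    /**
     * Both grants on the same grantee: deny-all wins over allow-some, and deny-some is carved
     * out of allow-all.
     */
    @Test
    public void testTwoGrantsSameLevel() throws Exception {
        someAllSameLevel(ALLOW, ALLOW, SET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllSameLevel(DENY, ALLOW, SET, EXPECTED_ALL_MINUS_SOME);
        someAllSameLevel(ALLOW, DENY, SET, AllowedAttrs.DENY_ALL_ATTRS());
        someAllSameLevel(DENY, DENY, SET, AllowedAttrs.DENY_ALL_ATTRS());
        someAllSameLevel(ALLOW, ALLOW, GET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllSameLevel(DENY, ALLOW, GET, EXPECTED_ALL_MINUS_SOME);
        someAllSameLevel(ALLOW, DENY, GET, AllowedAttrs.DENY_ALL_ATTRS());
        someAllSameLevel(DENY, DENY, GET, AllowedAttrs.DENY_ALL_ATTRS());
    }

    /**
     * One grant on the user and one on the user's group: the user-level grant takes precedence
     * for the attributes it covers. Note the two rows where a group-level deny is overridden by
     * a direct allow (ALLOW-some/DENY-all with some closer, and DENY-some/ALLOW-all with all
     * closer).
     */
    @Test
    public void testTwoGrantsDiffLevel() throws Exception {
        // SET, "some" granted to the user and "all" to the group.
        someAllDiffLevel(ALLOW, ALLOW, true, SET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(DENY, ALLOW, true, SET, EXPECTED_ALL_MINUS_SOME);
        someAllDiffLevel(ALLOW, DENY, true, SET, EXPECTED_SOME);
        someAllDiffLevel(DENY, DENY, true, SET, AllowedAttrs.DENY_ALL_ATTRS());
        // SET, "all" granted to the user and "some" to the group.
        someAllDiffLevel(ALLOW, ALLOW, false, SET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(DENY, ALLOW, false, SET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(ALLOW, DENY, false, SET, AllowedAttrs.DENY_ALL_ATTRS());
        someAllDiffLevel(DENY, DENY, false, SET, AllowedAttrs.DENY_ALL_ATTRS());
        // GET, "some" granted to the user and "all" to the group.
        someAllDiffLevel(ALLOW, ALLOW, true, GET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(DENY, ALLOW, true, GET, EXPECTED_ALL_MINUS_SOME);
        someAllDiffLevel(ALLOW, DENY, true, GET, EXPECTED_SOME);
        someAllDiffLevel(DENY, DENY, true, GET, AllowedAttrs.DENY_ALL_ATTRS());
        // GET, "all" granted to the user and "some" to the group.
        someAllDiffLevel(ALLOW, ALLOW, false, GET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(DENY, ALLOW, false, GET, AllowedAttrs.ALLOW_ALL_ATTRS());
        someAllDiffLevel(ALLOW, DENY, false, GET, AllowedAttrs.DENY_ALL_ATTRS());
        someAllDiffLevel(DENY, DENY, false, GET, AllowedAttrs.DENY_ALL_ATTRS());
    }
}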
