package com.zimbra.qa.unittest;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.CliUtil;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AlwaysOnCluster;
import com.zimbra.cs.account.CalendarResource;
import com.zimbra.cs.account.Cos;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.UCService;
import com.zimbra.cs.account.XMPPComponent;
import com.zimbra.cs.account.Zimlet;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.mailbox.Metadata;
import com.zimbra.cs.util.BuildInfoGenerated;
import com.zimbra.qa.unittest.TestACL;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/zimbra/qa/unittest/TestACLGrant.class */
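/**
 * Tests for granting, revoking and delegating admin rights through the provisioning layer.
 *
 * <p>The cases pin the boundaries of the grant/delegation model as this suite expects it:
 * <ul>
 *   <li>a right can only be granted on target types it applies to (otherwise
 *       {@code service.INVALID_REQUEST});</li>
 *   <li>an admin holding a delegable right may pass on that right, or a part of it, only on the
 *       target it was granted on or on entries below it (otherwise {@code service.PERM_DENIED});</li>
 *   <li>a delegable grant to a non-admin user or group is refused;</li>
 *   <li>rights obtained through a group follow the admin status of both the group and the
 *       member.</li>
 * </ul>
 *
 * <p>This file is decompiler output (JADX): local names are synthetic and some string literals
 * appear to have been replaced by unrelated constants that happen to hold the same value
 * (for example {@code BuildInfoGenerated.RELCLASS}, {@code Metadata.FN_CREATOR},
 * {@code DavElements.P_DESCRIPTION}). Those references are kept as found; if any of them is
 * build-dependent the fixture names change with the build - TODO confirm against the original
 * source.
 *
 * <p>{@code mProv}, {@code grantRight}, {@code revokeRight}, {@code grantDelegableRight},
 * {@code verify}, {@code getRight} and the {@code ALLOW}/{@code DENY}/{@code DELEGABLE} values
 * are inherited from {@link TestACL} and are not visible here.
 */
public class TestACLGrant extends TestACL {
    private static final String TEST_CASE_NAME = "TestACLGrant-";

    // Names of the shared fixture entries, created lazily by the get*() helpers below.
    private static final String ACCOUNT_NAME = getEmailAddr(TEST_CASE_NAME + "account").toLowerCase();
    private static final String CALENDAR_RESOURCE_NAME = getEmailAddr(TEST_CASE_NAME + Metadata.FN_CREATOR).toLowerCase();
    // NOTE(review): in the non-address names toLowerCase() binds to the suffix only, so the
    // "TestACLGrant-" prefix keeps its capitals, unlike the address-style names around them.
    // Left as found so existing fixture names do not change.
    private static final String COS_NAME = TEST_CASE_NAME + "cos".toLowerCase();
    private static final String DISTRIBUTION_LIST_NAME = getEmailAddr(TEST_CASE_NAME + "dl").toLowerCase();
    private static final String SUBDOMAIN_NAME = getSubDomainName(TEST_CASE_NAME + "domain").toLowerCase();
    private static final String SERVER_NAME = TEST_CASE_NAME + "server".toLowerCase();
    private static final String ALWAYSONCLUSTER_NAME = TEST_CASE_NAME + "alwaysOnCluster".toLowerCase();
    private static final String UC_SERVICE_NAME = TEST_CASE_NAME + "ucservice".toLowerCase();
    private static final String XMPP_COMPONENT_NAME = TEST_CASE_NAME + "xmppcomponent".toLowerCase();
    private static final String ZIMLET_NAME = TEST_CASE_NAME + Provisioning.SERVICE_ZIMLET.toLowerCase();

    /**
     * Outcome of a grant or revoke attempt as classified by the tests.
     *
     * <p>The decompiler reports that it widened this type from package-private to public.
     */
    public enum Result {
        /** The call returned without a {@link ServiceException}. */
        GOOD,
        /** The call failed with code {@code service.INVALID_REQUEST}. */
        INVALID_REQUEST,
        /** The call failed with code {@code service.PERM_DENIED}. */
        PERM_DENIED
    }

    /**
     * Returns the shared fixture account, creating it on first use.
     *
     * <p>The account is created with a literal password; no cleanup of it is visible in this
     * class, so it may outlive the test run - verify against the superclass teardown.
     */
    private Account getAccount() throws ServiceException {
        Account account = mProv.get(Key.AccountBy.name, ACCOUNT_NAME);
        if (account == null) {
            account = mProv.createAccount(ACCOUNT_NAME, "test123", null);
        }
        return account;
    }

    /** Returns the shared fixture calendar resource, creating it on first use. */
    private CalendarResource getCalendarResource() throws ServiceException {
        CalendarResource resource = mProv.get(Key.CalendarResourceBy.name, CALENDAR_RESOURCE_NAME);
        if (resource == null) {
            Map<String, Object> attrs = new HashMap<String, Object>();
            // NOTE(review): the display name is the literal text "CALENDAR_RESOURCE_NAME",
            // not the constant's value; kept as found.
            attrs.put("displayName", "CALENDAR_RESOURCE_NAME");
            attrs.put("zimbraCalResType", "Equipment");
            resource = mProv.createCalendarResource(CALENDAR_RESOURCE_NAME, "test123", attrs);
        }
        return resource;
    }

    /** Returns the shared fixture class of service, creating it on first use. */
    private Cos getCos() throws ServiceException {
        Cos cos = mProv.get(Key.CosBy.name, COS_NAME);
        if (cos == null) {
            cos = mProv.createCos(COS_NAME, null);
        }
        return cos;
    }

    /** Returns the shared fixture distribution list, creating it on first use. */
    private DistributionList getDistributionList() throws ServiceException {
        DistributionList list = mProv.get(Key.DistributionListBy.name, DISTRIBUTION_LIST_NAME);
        if (list == null) {
            list = mProv.createDistributionList(DISTRIBUTION_LIST_NAME, new HashMap<String, Object>());
        }
        return list;
    }

    /** Returns the shared fixture sub-domain, creating it on first use. */
    private Domain getDomain() throws ServiceException {
        Domain domain = mProv.get(Key.DomainBy.name, SUBDOMAIN_NAME);
        if (domain == null) {
            domain = mProv.createDomain(SUBDOMAIN_NAME, new HashMap<String, Object>());
        }
        return domain;
    }

    /** Returns the shared fixture server entry, creating it on first use. */
    private Server getServer() throws ServiceException {
        Server server = mProv.get(Key.ServerBy.name, SERVER_NAME);
        if (server == null) {
            server = mProv.createServer(SERVER_NAME, new HashMap<String, Object>());
        }
        return server;
    }

    /** Returns the shared fixture always-on cluster entry, creating it on first use. */
    private AlwaysOnCluster getAlwaysOnCluster() throws ServiceException {
        AlwaysOnCluster cluster = mProv.get(Key.AlwaysOnClusterBy.name, ALWAYSONCLUSTER_NAME);
        if (cluster == null) {
            cluster = mProv.createAlwaysOnCluster(ALWAYSONCLUSTER_NAME, new HashMap<String, Object>());
        }
        return cluster;
    }

    /** Returns the shared fixture UC service entry, creating it on first use. */
    private UCService getUCService() throws ServiceException {
        UCService service = mProv.get(Key.UCServiceBy.name, UC_SERVICE_NAME);
        if (service == null) {
            service = mProv.createUCService(UC_SERVICE_NAME, new HashMap<String, Object>());
        }
        return service;
    }

    /**
     * Returns the shared fixture XMPP component, creating it on first use.
     *
     * <p>Creation also touches the fixture domain and server, which are created if missing.
     */
    private XMPPComponent getXMPPComponent() throws ServiceException {
        XMPPComponent component = mProv.get(Key.XMPPComponentBy.name, XMPP_COMPONENT_NAME);
        if (component == null) {
            Map<String, Object> attrs = new HashMap<String, Object>();
            // Placeholder values; the tests only need the entry to exist as a grant target.
            attrs.put("zimbraXMPPComponentCategory", "whatever");
            attrs.put("zimbraXMPPComponentClassName", "whatever");
            attrs.put("zimbraXMPPComponentType", "whatever");
            component = mProv.createXMPPComponent(XMPP_COMPONENT_NAME, getDomain(), getServer(), attrs);
        }
        return component;
    }

    /** Returns the shared fixture zimlet entry, creating it on first use. */
    private Zimlet getZimlet() throws ServiceException {
        Zimlet zimlet = mProv.getZimlet(ZIMLET_NAME);
        if (zimlet == null) {
            Map<String, Object> attrs = new HashMap<String, Object>();
            attrs.put("zimbraZimletVersion", "1.0");
            zimlet = mProv.createZimlet(ZIMLET_NAME, attrs);
        }
        return zimlet;
    }

    /**
     * Maps a failed grant/revoke to the {@link Result} the tests compare against.
     *
     * <p>The comparison is written constant-first so that an exception without a code is
     * rethrown as itself instead of being masked by a {@link NullPointerException}.
     *
     * @param failure the exception raised by the grant or revoke call
     * @return {@link Result#INVALID_REQUEST} or {@link Result#PERM_DENIED}
     * @throws ServiceException {@code failure} itself, when its code is neither of the two
     */
    private Result resultForFailure(ServiceException failure) throws ServiceException {
        String code = failure.getCode();
        if ("service.INVALID_REQUEST".equals(code)) {
            return Result.INVALID_REQUEST;
        }
        if ("service.PERM_DENIED".equals(code)) {
            return Result.PERM_DENIED;
        }
        throw failure;
    }

    /**
     * Grants and then revokes {@code right} on one target and checks whether the target type
     * was accepted.
     *
     * <p>The pair counts as rejected when either call fails with
     * {@code service.INVALID_REQUEST}; any other failure propagates. If the grant succeeds and
     * only the revoke is rejected, the grant is left in place.
     *
     * @param authedAcct account performing the grant and revoke
     * @param grantee user receiving the right
     * @param targetType type of the target being granted on
     * @param target target entry, or {@code null} for target types without an entry
     * @param right right under test
     * @param applicableTypes target types on which the grant is expected to be accepted
     * @throws ServiceException on any failure other than {@code service.INVALID_REQUEST}
     */
    private void doTargetTest(Account authedAcct, Account grantee, TargetType targetType, NamedEntry target, Right right, Set<TargetType> applicableTypes) throws ServiceException {
        boolean accepted;
        try {
            grantRight(authedAcct, targetType, target, GranteeType.GT_USER, grantee, right, ALLOW);
            revokeRight(authedAcct, targetType, target, GranteeType.GT_USER, grantee, right, ALLOW);
            accepted = true;
        } catch (ServiceException e) {
            // Constant-first comparison: a null code is rethrown rather than raising an NPE.
            if (!"service.INVALID_REQUEST".equals(e.getCode())) {
                throw e;
            }
            accepted = false;
        }
        assertEquals(Boolean.valueOf(applicableTypes.contains(targetType)), Boolean.valueOf(accepted));
    }

    /**
     * Runs the single-target check against every target type, using the shared fixture entries.
     *
     * @param authedAcct account performing the grants
     * @param grantee user receiving the right
     * @param right right under test
     * @param applicableTypes target types on which the grant is expected to be accepted
     */
    private void doTargetTest(Account authedAcct, Account grantee, Right right, Set<TargetType> applicableTypes) throws ServiceException {
        doTargetTest(authedAcct, grantee, TargetType.account, getAccount(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.calresource, getCalendarResource(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.cos, getCos(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.dl, getDistributionList(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.domain, getDomain(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.server, getServer(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.alwaysoncluster, getAlwaysOnCluster(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.ucservice, getUCService(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.xmppcomponent, getXMPPComponent(), right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.zimlet, getZimlet(), right, applicableTypes);
        // config and global are passed without a target entry.
        doTargetTest(authedAcct, grantee, TargetType.config, null, right, applicableTypes);
        doTargetTest(authedAcct, grantee, TargetType.global, null, right, applicableTypes);
    }

    /**
     * Checks on which target types account-scoped rights can be granted.
     *
     * <p>Account rights are expected on account, calresource, dl, domain and global; the
     * account-or-cos attribute rights additionally on cos; the three-way combo right on
     * global only. Every other target type must be refused with
     * {@code service.INVALID_REQUEST}.
     */
    public void testAccountRight() throws Exception {
        String testName = getTestName();
        Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));
        Account grantee = createAdminAccount(getEmailAddr(testName, BuildInfoGenerated.RELCLASS));

        Set<TargetType> applicable = new HashSet<TargetType>();
        applicable.add(TargetType.account);
        applicable.add(TargetType.calresource);
        applicable.add(TargetType.dl);
        applicable.add(TargetType.domain);
        applicable.add(TargetType.global);
        doTargetTest(sysAdmin, grantee, getRight("test-preset-account"), applicable);
        doTargetTest(sysAdmin, grantee, getRight("test-getAttrs-account"), applicable);
        doTargetTest(sysAdmin, grantee, getRight(inlineRightGet(TargetType.account, DavElements.P_DESCRIPTION)), applicable);
        doTargetTest(sysAdmin, grantee, getRight("test-setAttrs-account"), applicable);
        doTargetTest(sysAdmin, grantee, getRight(inlineRightSet(TargetType.account, DavElements.P_DESCRIPTION)), applicable);
        doTargetTest(sysAdmin, grantee, getRight("test-combo-account"), applicable);

        applicable.clear();
        applicable.add(TargetType.account);
        applicable.add(TargetType.cos);
        applicable.add(TargetType.calresource);
        applicable.add(TargetType.dl);
        applicable.add(TargetType.domain);
        applicable.add(TargetType.global);
        doTargetTest(sysAdmin, grantee, getRight("test-getAttrs-accountCos"), applicable);
        doTargetTest(sysAdmin, grantee, getRight("test-setAttrs-accountCos"), applicable);

        applicable.clear();
        applicable.add(TargetType.global);
        doTargetTest(sysAdmin, grantee, getRight("test-combo-account-cos-accountCos"), applicable);
    }

    /**
     * Attempts a grant and asserts how it ended.
     *
     * <p>A successful grant is left in place; callers that need it removed revoke it
     * themselves.
     *
     * @param authedAcct account performing the grant
     * @param targetType type of the target
     * @param target target entry, or {@code null}
     * @param granteeType kind of grantee (user or group)
     * @param grantee entry receiving the right
     * @param right right being granted
     * @param allowOrDeny grant flavour passed through to {@code grantRight}
     * @param expected outcome the test requires
     * @throws ServiceException on a failure that is neither INVALID_REQUEST nor PERM_DENIED
     */
    private void doTestGrant(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, TestACL.AllowOrDeny allowOrDeny, Result expected) throws ServiceException {
        Result actual;
        try {
            grantRight(authedAcct, targetType, target, granteeType, grantee, right, allowOrDeny);
            actual = Result.GOOD;
        } catch (ServiceException e) {
            actual = resultForFailure(e);
        }
        assertEquals(expected, actual);
    }

    /**
     * Attempts a revoke and asserts how it ended.
     *
     * @param authedAcct account performing the revoke
     * @param targetType type of the target
     * @param target target entry, or {@code null}
     * @param granteeType kind of grantee (user or group)
     * @param grantee entry losing the right
     * @param right right being revoked
     * @param allowOrDeny grant flavour passed through to {@code revokeRight}
     * @param expected outcome the test requires
     * @throws ServiceException on a failure that is neither INVALID_REQUEST nor PERM_DENIED
     */
    private void doTestRevoke(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, TestACL.AllowOrDeny allowOrDeny, Result expected) throws ServiceException {
        Result actual;
        try {
            revokeRight(authedAcct, targetType, target, granteeType, grantee, right, allowOrDeny);
            actual = Result.GOOD;
        } catch (ServiceException e) {
            actual = resultForFailure(e);
        }
        assertEquals(expected, actual);
    }

    /**
     * Grants and then revokes one right with one grant flavour; both calls must end with the
     * same {@code expected} outcome.
     */
    private void doTestDelegate(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, TestACL.AllowOrDeny allowOrDeny, Result expected) throws ServiceException {
        doTestGrant(authedAcct, targetType, target, granteeType, grantee, right, allowOrDeny, expected);
        doTestRevoke(authedAcct, targetType, target, granteeType, grantee, right, allowOrDeny, expected);
    }

    /**
     * Runs the grant/revoke pair twice, once as ALLOW and once as DENY, so that a delegator
     * is held to the same limits for negative grants as for positive ones.
     */
    private void doTestDelegate(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Right right, Result expected) throws ServiceException {
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, right, ALLOW, expected);
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, right, DENY, expected);
    }

    /**
     * Checks delegation of rights that are narrower than the combo right the delegator holds.
     *
     * <p>The account-scoped rights must all end with {@code expected}. The domain preset
     * right ends with {@code expected} only on domain or global targets; on any other target
     * type it must be refused with INVALID_REQUEST regardless of {@code expected}.
     */
    private void doDelegatePartialRight(Account authedAcct, TargetType targetType, NamedEntry target, GranteeType granteeType, NamedEntry grantee, Result expected) throws ServiceException {
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight("test-preset-account"), ALLOW, expected);
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight("test-getAttrs-account"), ALLOW, expected);
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight("test-setAttrs-account"), ALLOW, expected);
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight(inlineRightGet(TargetType.account, DavElements.P_DESCRIPTION)), ALLOW, expected);
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight(inlineRightSet(TargetType.account, DavElements.P_DESCRIPTION)), ALLOW, expected);

        boolean domainRightFitsTarget = targetType == TargetType.domain || targetType == TargetType.global;
        Result expectedForDomainRight = domainRightFitsTarget ? expected : Result.INVALID_REQUEST;
        doTestDelegate(authedAcct, targetType, target, granteeType, grantee, getRight("test-preset-domain"), ALLOW, expectedForDomainRight);
    }

    /**
     * Checks how far a delegated admin can pass on a right it holds delegably on one domain.
     *
     * <p>Expected outcomes for the full combo right: accepted on the granted domain, refused
     * as INVALID_REQUEST on a dl or account inside that domain, and refused as PERM_DENIED on
     * a different domain and on the global target. Partial rights are accepted on the granted
     * domain and on the dl and account inside it, and refused as PERM_DENIED elsewhere.
     */
    public void testDelegate() throws Exception {
        String testName = getTestName();
        Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));
        Account delegator = createAdminAccount(getEmailAddr(testName, "GA_DELEGATOR"));
        Account delegateeUser = createAdminAccount(getEmailAddr(testName, "GA_DELEGATEE"));
        DistributionList delegateeGroup = createAdminGroup(getEmailAddr(testName, "GG_DELEGATEE"));
        String domainName = getSubDomainName(testName).toLowerCase();
        Domain domain = mProv.createDomain(domainName, new HashMap<String, Object>());
        Right comboRight = getRight("test-combo-account-domain");

        // The only delegable grant in this test: comboRight on `domain` to the delegator.
        grantDelegableRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, delegator, comboRight);

        DistributionList groupInDomain = createGroup("dl@" + domainName);
        Account acctInDomain = createAccount("acct@" + domainName);
        // A second domain on which the delegator was granted nothing.
        Domain otherDomain = mProv.createDomain("other." + domainName, new HashMap<String, Object>());

        // Full combo right.
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegateeUser, comboRight, Result.GOOD);
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.GOOD);
        doTestDelegate(delegator, TargetType.dl, groupInDomain, GranteeType.GT_USER, delegateeUser, comboRight, Result.INVALID_REQUEST);
        doTestDelegate(delegator, TargetType.dl, groupInDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
        doTestDelegate(delegator, TargetType.account, acctInDomain, GranteeType.GT_USER, delegateeUser, comboRight, Result.INVALID_REQUEST);
        doTestDelegate(delegator, TargetType.account, acctInDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
        doTestDelegate(delegator, TargetType.domain, otherDomain, GranteeType.GT_USER, delegateeUser, comboRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.domain, otherDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_USER, delegateeUser, comboRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);

        // Rights narrower than the combo right.
        doDelegatePartialRight(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegateeUser, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.domain, domain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.dl, groupInDomain, GranteeType.GT_USER, delegateeUser, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.dl, groupInDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.account, acctInDomain, GranteeType.GT_USER, delegateeUser, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.account, acctInDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
        doDelegatePartialRight(delegator, TargetType.domain, otherDomain, GranteeType.GT_USER, delegateeUser, Result.PERM_DENIED);
        doDelegatePartialRight(delegator, TargetType.domain, otherDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
        // NOTE(review): the global cases here pass otherDomain as the target entry, while the
        // full-right global cases above pass null. Presumably the entry is ignored for the
        // global target type - confirm, otherwise these two lines test something different.
        doDelegatePartialRight(delegator, TargetType.global, otherDomain, GranteeType.GT_USER, delegateeUser, Result.PERM_DENIED);
        doDelegatePartialRight(delegator, TargetType.global, otherDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
    }

    /**
     * Checks that plain (non-delegable) ALLOW grants cannot be passed on by their holder.
     *
     * <p>The delegator receives the combo right delegably and, on the same domain, two preset
     * rights as ordinary ALLOW grants. The test then requires PERM_DENIED when the delegator
     * tries to pass on the combo right or either preset right, and GOOD for the domain preset
     * right and the inline account attribute right. How the ordinary grants interact with the
     * delegable combo grant is decided in the code under test, not here.
     */
    public void testDelegateNonDelegableRight() throws Exception {
        String testName = getTestName();
        Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));
        Account delegator = createAdminAccount(getEmailAddr(testName, "GA_DELEGATOR"));
        Account delegatee = createAdminAccount(getEmailAddr(testName, "GA_DELEGATEE"));
        Domain domain = mProv.createDomain(getSubDomainName(testName).toLowerCase(), new HashMap<String, Object>());
        Right comboRight = getRight("test-combo-account-domain");
        Right presetAccountRight = getRight("test-preset-account");
        Right presetDlRight = getRight("test-preset-distributionlist");

        grantDelegableRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, delegator, comboRight);
        // Ordinary ALLOW grants: usable by the delegator, but not delegable.
        grantRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, delegator, presetAccountRight, ALLOW);
        grantRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, delegator, presetDlRight, ALLOW);

        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegatee, comboRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegatee, presetAccountRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegatee, presetDlRight, Result.PERM_DENIED);
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegatee, getRight("test-preset-domain"), Result.GOOD);
        doTestDelegate(delegator, TargetType.domain, domain, GranteeType.GT_USER, delegatee, getRight(inlineRightGet(TargetType.account, DavElements.P_DESCRIPTION)), Result.GOOD);
    }

    /**
     * Checks that delegable rights cannot be held by non-admins, directly or through a group.
     *
     * <p>A DELEGABLE grant to a non-admin user or group must be refused as INVALID_REQUEST,
     * while revoking is accepted. Once the user and group are admins the grants go through.
     * A group member then gets the right only while both the member and the group are
     * admins; the expectation flips each time one of those flags changes.
     */
    public void testDelegateToNonAdmin() throws Exception {
        String testName = getTestName();
        Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));
        Account granteeUser = createAccount(getEmailAddr(testName, BuildInfoGenerated.RELCLASS));
        DistributionList granteeGroup = createGroup(getEmailAddr(testName, "GG"));
        Account groupMember = createAccount(getEmailAddr(testName, Provisioning.A_member));
        mProv.addMembers(granteeGroup, new String[]{groupMember.getName()});
        String domainName = getSubDomainName(testName).toLowerCase();
        Domain domain = mProv.createDomain(domainName, new HashMap<String, Object>());
        Account targetAcct = createAccount("acct@" + domainName);
        Right comboRight = getRight("test-combo-account-domain");

        // Neither grantee is an admin yet: the delegable grant must be refused.
        doTestGrant(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, granteeUser, comboRight, DELEGABLE, Result.INVALID_REQUEST);
        doTestGrant(sysAdmin, TargetType.domain, domain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.INVALID_REQUEST);
        // Revoking is still accepted, so a grantee that lost admin status can be cleaned up.
        doTestRevoke(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, granteeUser, comboRight, DELEGABLE, Result.GOOD);
        doTestRevoke(sysAdmin, TargetType.domain, domain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.GOOD);

        makeAccountAdmin(granteeUser);
        makeGroupAdmin(granteeGroup);
        grantDelegableRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_USER, granteeUser, comboRight);
        grantDelegableRight(sysAdmin, TargetType.domain, domain, GranteeType.GT_GROUP, granteeGroup, comboRight);

        verify(granteeUser, targetAcct, getRight("test-preset-account"), (Map<String, Object>) null, ALLOW);
        // The member belongs to an admin group but is not an admin account itself.
        verify(groupMember, targetAcct, getRight("test-preset-account"), (Map<String, Object>) null, DENY);
        makeAccountAdmin(groupMember);
        verify(groupMember, targetAcct, getRight("test-preset-account"), (Map<String, Object>) null, ALLOW);

        // The test flushes the member's cached account before re-checking after each change of
        // the group's admin flag; presumably the effective rights are cached per account, so a
        // demotion may not take effect until that cache is refreshed - TODO confirm.
        makeGroupNonAdmin(granteeGroup);
        flushAccountCache(groupMember);
        verify(groupMember, targetAcct, getRight("test-preset-account"), (Map<String, Object>) null, DENY);
        makeGroupAdmin(granteeGroup);
        flushAccountCache(groupMember);
        verify(groupMember, targetAcct, getRight("test-preset-account"), (Map<String, Object>) null, ALLOW);
    }

    /**
     * Runs this test class from the command line with tool logging set to INFO.
     *
     * @param strArr command-line arguments; not read
     */
    public static void main(String[] strArr) throws Exception {
        CliUtil.toolSetup("INFO");
        TestUtil.runTest(TestACLGrant.class);
    }
}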
