package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.Group;
import com.zimbra.cs.account.MailTarget;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.Rights;
import java.util.List;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/CrossDomain.class */
public class CrossDomain {
    private static final Log sLog = ZimbraLog.acl;

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean crossDomainOK(Provisioning provisioning, MailTarget mailTarget, Domain domain, Domain domain2, Group group) throws ServiceException {
        if (checkCrossDomain(provisioning, domain, domain2, group)) {
            return true;
        }
        sLog.info("No cross domain right for %s on domain %s, skipping positive grants on dl %s", new Object[]{mailTarget.getName(), domain2.getName(), group.getName()});
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Boolean checkCrossDomainAdminRight(Provisioning provisioning, Domain domain, Entry entry, boolean z) throws ServiceException {
        if (!(entry instanceof Domain)) {
            throw ServiceException.FAILURE("internal error", (Throwable) null);
        }
        List<ZimbraACE> allACEs = ACLUtil.getAllACEs(entry);
        if (allACEs == null) {
            return Boolean.FALSE;
        }
        for (ZimbraACE zimbraACE : allACEs) {
            if (zimbraACE.getRight() == Rights.Admin.R_crossDomainAdmin && zimbraACE.getGranteeType() == GranteeType.GT_DOMAIN && zimbraACE.getGrantee().equals(domain.getId())) {
                if (zimbraACE.deny()) {
                    return Boolean.FALSE;
                }
                if (z && zimbraACE.canExecuteOnly()) {
                    return false;
                }
                return Boolean.TRUE;
            }
        }
        return Boolean.FALSE;
    }

    static boolean checkCrossDomain(Provisioning provisioning, Domain domain, Domain domain2, Group group) throws ServiceException {
        if (domain2 == null) {
            return true;
        }
        Domain domain3 = group.getDomain();
        if (domain3 == null) {
            ZimbraLog.acl.warn("cannot get domain for dl " + group.getName() + " for checking cross doamin right");
            return false;
        }
        if (domain2.getId().equals(domain.getId()) || domain2.getId().equals(domain3.getId())) {
            return true;
        }
        return checkCrossDomainAdminRight(provisioning, domain, domain2, false).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean validateCrossDomainAdminGrant(Right right, GranteeType granteeType) throws ServiceException {
        if (right == Rights.Admin.R_crossDomainAdmin && granteeType != GranteeType.GT_DOMAIN) {
            throw ServiceException.INVALID_REQUEST("grantee for right " + Rights.Admin.R_crossDomainAdmin.getName() + " must be a domain.", (Throwable) null);
        }
        if (right == Rights.Admin.R_crossDomainAdmin || granteeType != GranteeType.GT_DOMAIN) {
            return right == Rights.Admin.R_crossDomainAdmin;
        }
        throw ServiceException.INVALID_REQUEST("grantee for right " + right.getName() + " cannot be a domain.", (Throwable) null);
    }
}
