package com.zimbra.cs.account.accesscontrol;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.DynamicGroup;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/RightBearer.class */
public abstract class RightBearer {
    protected NamedEntry mRightBearer;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/RightBearer$GlobalAdmin.class */
    public static class GlobalAdmin extends RightBearer {
        private GlobalAdmin(NamedEntry namedEntry) throws ServiceException {
            super(namedEntry);
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/RightBearer$Grantee.class */
    public static class Grantee extends RightBearer {
        GranteeType mGranteeType;
        Domain mGranteeDomain;
        Set<String> mIdAndGroupIds;
        private static final Cache<GranteeCacheKey, Grantee> GRANTEE_CACHE;
        private static final long MAX_CACHE_EXPIRY = 1800000;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/RightBearer$Grantee$GranteeCacheKey.class */
        public static final class GranteeCacheKey {
            private final NamedEntry namedEntry;
            private final Set<Right> rights;
            private final boolean adminOnly;

            private GranteeCacheKey(NamedEntry namedEntry, Set<Right> set, boolean z) {
                this.namedEntry = namedEntry;
                this.rights = set;
                this.adminOnly = z;
            }

            public boolean equals(Object obj) {
                if (!(obj instanceof GranteeCacheKey)) {
                    return false;
                }
                GranteeCacheKey granteeCacheKey = (GranteeCacheKey) obj;
                if (this.adminOnly == granteeCacheKey.adminOnly && this.namedEntry.getName().equals(granteeCacheKey.namedEntry.getName())) {
                    return this.rights == null ? granteeCacheKey.rights == null : this.rights.equals(granteeCacheKey.rights);
                }
                return false;
            }

            public int hashCode() {
                int hashCode = this.namedEntry.getName().hashCode() + Boolean.valueOf(this.adminOnly).hashCode();
                if (this.rights != null) {
                    hashCode += this.rights.hashCode();
                }
                return hashCode;
            }
        }

        @VisibleForTesting
        public Grantee(NamedEntry namedEntry) throws ServiceException {
            this(namedEntry, (Set) null, true);
        }

        protected Grantee(NamedEntry namedEntry, boolean z) throws ServiceException {
            this(namedEntry, (Set) null, z);
        }

        protected Grantee(NamedEntry namedEntry, Set<Right> set, boolean z) throws ServiceException {
            super(namedEntry);
            Provisioning provisioning = namedEntry.getProvisioning();
            Provisioning.GroupMembership groupMembership = null;
            if (namedEntry instanceof Account) {
                this.mGranteeType = GranteeType.GT_USER;
                this.mGranteeDomain = provisioning.getDomain((Account) namedEntry);
                groupMembership = provisioning.getGroupMembershipWithRights((Account) namedEntry, set, z);
            } else if (namedEntry instanceof DistributionList) {
                this.mGranteeType = GranteeType.GT_GROUP;
                this.mGranteeDomain = provisioning.getDomain((DistributionList) namedEntry);
                groupMembership = provisioning.getGroupMembership((DistributionList) namedEntry, z);
            } else if (namedEntry instanceof DynamicGroup) {
                this.mGranteeType = GranteeType.GT_GROUP;
                this.mGranteeDomain = provisioning.getDomain((DynamicGroup) namedEntry);
            } else {
                if (z) {
                    throw ServiceException.INVALID_REQUEST("invalid grantee type", (Throwable) null);
                }
                if (namedEntry instanceof Domain) {
                    this.mGranteeType = GranteeType.GT_DOMAIN;
                    this.mGranteeDomain = (Domain) namedEntry;
                }
            }
            if (z && !RightBearer.isValidGranteeForAdminRights(this.mGranteeType, namedEntry)) {
                throw ServiceException.INVALID_REQUEST("invalid grantee", (Throwable) null);
            }
            if (this.mGranteeDomain == null) {
                throw ServiceException.FAILURE("internal error, cannot get domain for grantee", (Throwable) null);
            }
            this.mIdAndGroupIds = new HashSet();
            this.mIdAndGroupIds.add(namedEntry.getId());
            if (groupMembership != null) {
                this.mIdAndGroupIds.addAll(groupMembership.groupIds());
            }
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public static Grantee getGrantee(NamedEntry namedEntry) throws ServiceException {
            return getGrantee(namedEntry, (Set) null, true);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public static Grantee getGrantee(NamedEntry namedEntry, boolean z) throws ServiceException {
            return getGrantee(namedEntry, (Set) null, z);
        }

        private static Grantee getGranteeFromCache(NamedEntry namedEntry, Set<Right> set, boolean z) throws ServiceException {
            Grantee grantee = null;
            final GranteeCacheKey granteeCacheKey = new GranteeCacheKey(namedEntry, set, z);
            try {
                grantee = (Grantee) GRANTEE_CACHE.get(granteeCacheKey, new Callable<Grantee>() { // from class: com.zimbra.cs.account.accesscontrol.RightBearer.Grantee.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public Grantee call() throws ServiceException {
                        return new Grantee(GranteeCacheKey.this.namedEntry, GranteeCacheKey.this.rights, GranteeCacheKey.this.adminOnly);
                    }
                });
            } catch (ExecutionException e) {
                ServiceException cause = e.getCause();
                if (cause != null && (cause instanceof ServiceException)) {
                    throw cause;
                }
                ZimbraLog.acl.debug("Unexpected escape getting from GRANTEE_CACHE", e);
            }
            return grantee;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public static Grantee getGrantee(NamedEntry namedEntry, Set<Right> set, boolean z) throws ServiceException {
            return null == GRANTEE_CACHE ? new Grantee(namedEntry, set, z) : getGranteeFromCache(namedEntry, set, z);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean isAccount() {
            return this.mGranteeType == GranteeType.GT_USER;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Account getAccount() throws ServiceException {
            if (this.mGranteeType != GranteeType.GT_USER) {
                throw ServiceException.FAILURE("internal error", (Throwable) null);
            }
            return (Account) this.mRightBearer;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Domain getDomain() {
            return this.mGranteeDomain;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Set<String> getIdAndGroupIds() {
            return this.mIdAndGroupIds;
        }

        public static void clearGranteeCache() {
            if (null != GRANTEE_CACHE) {
                ZimbraLog.acl.debug("Clearing short term grantee cache of %d items.", new Object[]{Long.valueOf(GRANTEE_CACHE.size())});
                GRANTEE_CACHE.invalidateAll();
            }
        }

        static {
            long j;
            long j2 = 0;
            try {
                Server localServer = Provisioning.getInstance().getLocalServer();
                j = localServer.getShortTermGranteeCacheSize();
                if (j > 0) {
                    j2 = localServer.getShortTermGranteeCacheExpiration();
                    if (j2 < 0) {
                        j2 = 0;
                        j = 0;
                    } else if (j2 > MAX_CACHE_EXPIRY) {
                        j2 = 1800000;
                    }
                }
            } catch (ServiceException e) {
                j = 0;
            }
            if (j <= 0) {
                GRANTEE_CACHE = null;
            } else {
                GRANTEE_CACHE = CacheBuilder.newBuilder().maximumSize(j).expireAfterWrite(j2, TimeUnit.MILLISECONDS).build();
                ZimbraLog.acl.trace("RightBearer GRANTEE_CACHE BUILD size=%d expire=%dms", new Object[]{Long.valueOf(j), Long.valueOf(j2)});
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static RightBearer newRightBearer(NamedEntry namedEntry) throws ServiceException {
        return ((namedEntry instanceof Account) && AccessControlUtil.isGlobalAdmin((Account) namedEntry, true)) ? new GlobalAdmin(namedEntry) : Grantee.getGrantee(namedEntry);
    }

    protected RightBearer(NamedEntry namedEntry) {
        this.mRightBearer = namedEntry;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getId() {
        return this.mRightBearer.getId();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getName() {
        return this.mRightBearer.getName();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isValidGranteeForAdminRights(GranteeType granteeType, NamedEntry namedEntry) {
        return granteeType == GranteeType.GT_USER ? !namedEntry.getBooleanAttr("zimbraIsAdminAccount", false) && namedEntry.getBooleanAttr("zimbraIsDelegatedAdminAccount", false) : granteeType == GranteeType.GT_GROUP ? namedEntry.getBooleanAttr("zimbraIsAdminGroup", false) : granteeType == GranteeType.GT_EXT_GROUP;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean matchesGrantee(Grantee grantee, ZimbraACE zimbraACE) throws ServiceException {
        if (grantee.getIdAndGroupIds().contains(zimbraACE.getGrantee())) {
            return true;
        }
        if (zimbraACE.getGranteeType() != GranteeType.GT_EXT_GROUP) {
            return false;
        }
        if (grantee.isAccount()) {
            return zimbraACE.matchesGrantee(grantee.getAccount(), true);
        }
        throw ServiceException.FAILURE("Not yet implemented", (Throwable) null);
    }
}
