package com.zimbra.cs.account.grouphandler;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.EntryCacheDataKey;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.ExternalGroup;
import com.zimbra.cs.account.auth.AuthMechanism;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.ldap.IAttributes;
import com.zimbra.cs.ldap.ILdapContext;
import com.zimbra.cs.ldap.LdapClient;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.ldap.LdapUtil;
import com.zimbra.cs.ldap.SearchLdapOptions;
import com.zimbra.cs.ldap.ZLdapContext;
import com.zimbra.cs.ldap.ZLdapFilterFactory;
import com.zimbra.cs.ldap.ZSearchScope;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/* loaded from: input_file:com/zimbra/cs/account/grouphandler/ADGroupHandler.class */
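/**
 * {@link GroupHandler} for Active Directory.
 *
 * <p>Group membership is resolved through AD's {@code memberOf} back-link attribute rather
 * than a {@code member} list on the group entry, and the delegated-admin checks are gated on
 * the domain's (admin) auth mechanism being {@code ad}.
 */
public class ADGroupHandler extends GroupHandler {
    /** Attribute read from group and member entries for their e-mail address. */
    private static final String MAIL_ATTR = "mail";
    /** AD back-link attribute listing the DNs of the groups an entry belongs to. */
    private static final String MEMBER_OF_ATTR = "memberOf";

    /**
     * Search visitor that collects the {@code mail} value of every entry returned by a
     * {@code memberOf} search into a sorted set.
     */
    private static class SearchADGroupMembers extends SearchLdapOptions.SearchLdapVisitor {
        private final TreeSet<String> result = new TreeSet<>();

        SearchADGroupMembers() {
            super(false);
        }

        /**
         * Records the entry's {@code mail} attribute, if present. Entries without one are
         * skipped; a failure to read the attribute is logged and the search continues.
         */
        @Override // com.zimbra.cs.ldap.SearchLdapOptions.SearchLdapVisitor
        public void visit(String str, IAttributes iAttributes) {
            try {
                String mail = iAttributes.getAttrString(MAIL_ATTR);
                if (mail != null) {
                    result.add(mail);
                }
            } catch (ServiceException e) {
                ZimbraLog.gal.warn("unable to get attribute mail from search result", e);
            }
        }

        /**
         * Runs a subtree search under {@code str} for entries whose {@code memberOf} contains
         * {@code str2} and returns the collected mail addresses.
         *
         * <p>A failed search is logged and yields whatever was collected so far (possibly
         * nothing); the caller cannot distinguish an empty group from a failed lookup.
         *
         * @return the sorted set of mail addresses found (never {@code null})
         */
        private TreeSet<String> searchLdap(ILdapContext iLdapContext, String str, String str2) {
            try {
                // NOTE(review): str2 is embedded into the LDAP filter; this relies on
                // ZLdapFilterFactory.memberOf escaping the value -- confirm.
                SearchLdapOptions options = new SearchLdapOptions(str,
                        ZLdapFilterFactory.getInstance().memberOf(str2),
                        new String[] { MAIL_ATTR }, 0, (Set<String>) null,
                        ZSearchScope.SEARCH_SCOPE_SUBTREE, this);
                LdapProv.getInst().getHelper().searchLdap(iLdapContext, options);
            } catch (ServiceException e) {
                ZimbraLog.gal.warn("unable to search group members", e);
            }
            return result;
        }
    }

    /**
     * Returns {@code true} when the entry's {@code objectClass} values include
     * {@link DavElements#P_GROUP}. A failure to read the attribute is logged and treated as
     * "not a group".
     */
    @Override // com.zimbra.cs.account.grouphandler.GroupHandler
    public boolean isGroup(IAttributes iAttributes) {
        try {
            List<String> objectClasses = iAttributes.getMultiAttrStringAsList(
                    LdapConstants.ATTR_objectClass, IAttributes.CheckBinary.NOCHECK);
            return objectClasses.contains(DavElements.P_GROUP);
        } catch (ServiceException e) {
            ZimbraLog.gal.warn("unable to get attribute objectClass", e);
            return false;
        }
    }

    /**
     * Returns the mail addresses of the entries under {@code str} whose {@code memberOf}
     * contains {@code str2} (presumably the group's DN -- see the base class contract).
     * {@code iAttributes} is only used for the debug log line.
     *
     * @return the member addresses in sorted order; empty if none were found or the search
     *         failed (search failures are logged, not thrown)
     */
    @Override // com.zimbra.cs.account.grouphandler.GroupHandler
    public String[] getMembers(ILdapContext iLdapContext, String str, String str2, IAttributes iAttributes) throws ServiceException {
        if (ZimbraLog.gal.isDebugEnabled()) {
            try {
                ZimbraLog.gal.debug("Fetching members for group " + iAttributes.getAttrString(MAIL_ATTR) + " [" + str2 + "]");
            } catch (ServiceException e) {
                ZimbraLog.gal.debug("unable to get email address of group " + str2, e);
            }
        }
        TreeSet<String> members = new SearchADGroupMembers().searchLdap(iLdapContext, str, str2);
        return members.toArray(new String[0]);
    }

    /**
     * Opens the external LDAP context used for delegated-admin group lookups, but only for
     * domains whose auth mechanism (admin auth mechanism when {@code z} is {@code true}) is
     * {@code ad}; any other domain is rejected before a connection is attempted.
     *
     * @throws ServiceException {@code INVALID_REQUEST} if the domain is not AD-authenticated,
     *         or whatever the base implementation throws
     */
    @Override // com.zimbra.cs.account.grouphandler.GroupHandler
    public ZLdapContext getExternalDelegatedAdminGroupsLdapContext(Domain domain, boolean z) throws ServiceException {
        if (!domainAdminAuthMechIsAD(domain, z)) {
            throw ServiceException.INVALID_REQUEST("domain auth mech must be AD", (Throwable) null);
        }
        return super.getExternalDelegatedAdminGroupsLdapContext(domain, z);
    }

    /**
     * Whether the domain's auth mechanism is {@code ad}; {@code z} selects the admin auth
     * mechanism instead of the regular one. A domain with no mechanism set yields {@code false}.
     */
    private static boolean domainAdminAuthMechIsAD(Domain domain, boolean z) {
        String authMech = z ? domain.getAuthMechAdmin() : domain.getAuthMech();
        return AuthMechanism.AuthMech.ad.name().equals(authMech);
    }

    /**
     * Pre-check before any external membership lookup: the account must belong to a domain,
     * that domain must be AD-authenticated, and it must be the domain the external group is
     * bound to. This keeps an account in one domain from being matched against another
     * domain's external admin groups.
     */
    private boolean legitimateDelegatedAdminAsGroupMember(ExternalGroup externalGroup, Account account, boolean z) throws ServiceException {
        String groupDomainId = externalGroup.getZimbraDomainId();
        Domain domain = Provisioning.getInstance().getDomain(account);
        return domain != null
                && domainAdminAuthMechIsAD(domain, z)
                && domain.getId().equals(groupDomainId);
    }

    /**
     * Whether {@code account} is a member of the external delegated-admin group
     * {@code externalGroup}, judged by the group's DN appearing in the account's
     * {@code memberOf} list.
     *
     * <p>The DN list is fetched once and then served from the account's entry cache
     * ({@link EntryCacheDataKey#GROUPEDENTRY_EXTERNAL_GROUP_DNS}); membership changes in AD
     * are therefore not seen until that cache entry is dropped -- the invalidation policy
     * lives elsewhere, confirm before relying on freshness.
     *
     * @return {@code false} without any lookup if the domain pre-check fails
     */
    @Override // com.zimbra.cs.account.grouphandler.GroupHandler
    public boolean inDelegatedAdminGroup(ExternalGroup externalGroup, Account account, boolean z) throws ServiceException {
        if (!legitimateDelegatedAdminAsGroupMember(externalGroup, account, z)) {
            return false;
        }
        @SuppressWarnings("unchecked") // the only writer of this key in this class stores a List<String>
        List<String> cachedGroupDns = (List<String>) account.getCachedData(EntryCacheDataKey.GROUPEDENTRY_EXTERNAL_GROUP_DNS);
        if (cachedGroupDns != null) {
            return cachedGroupDns.contains(externalGroup.getDN());
        }
        List<String> groupDns = getDelegatedAdminGroups(account, z);
        account.setCachedData(EntryCacheDataKey.GROUPEDENTRY_EXTERNAL_GROUP_DNS, groupDns);
        return groupDns.contains(externalGroup.getDN());
    }

    /**
     * Reads the {@code memberOf} values of the account's entry in the external (AD) directory.
     *
     * <p>The account's external DN is taken from its {@code authLdapExternalDn}; when that is
     * unset it is computed from the account name and the domain's auth LDAP bind DN.
     *
     * @return the group DNs the external entry is a member of
     * @throws ServiceException if the account has no domain, no external DN can be determined,
     *         the domain is not AD-authenticated, or the directory read fails
     */
    private List<String> getDelegatedAdminGroups(Account account, boolean z) throws ServiceException {
        LdapProv prov = LdapProv.getInst();
        Domain domain = prov.getDomain(account);
        if (domain == null) {
            throw ServiceException.FAILURE("unable to get domain for account " + account.getName(), (Throwable) null);
        }
        String externalDn = account.getAuthLdapExternalDn();
        if (externalDn == null) {
            String authLdapBindDn = domain.getAuthLdapBindDn();
            if (authLdapBindDn != null) {
                externalDn = LdapUtil.computeDn(account.getName(), authLdapBindDn);
            }
        }
        if (externalDn == null) {
            throw ServiceException.FAILURE("unable to get external DN for account " + account.getName(), (Throwable) null);
        }
        // Acquire the context outside the try so a failed open is not followed by a close.
        ZLdapContext zlc = getExternalDelegatedAdminGroupsLdapContext(domain, z);
        try {
            return prov.getHelper()
                    .getAttributes(zlc, externalDn, new String[] { MEMBER_OF_ATTR })
                    .getMultiAttrStringAsList(MEMBER_OF_ATTR, IAttributes.CheckBinary.NOCHECK);
        } finally {
            LdapClient.closeContext(zlc);
        }
    }
}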
