package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.Group;
import com.zimbra.cs.account.MailTarget;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.PermissionCache;
import com.zimbra.cs.account.accesscontrol.Rights;
import java.util.List;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/CheckPresetRight.class */
public class CheckPresetRight extends CheckRight {
    private static final Log sLog = ZimbraLog.acl;
    private final MailTarget mGranteeMailTarget;
    private final AccessManager.ViaGrant mVia;
    private Provisioning.GroupMembership mGranteeGroups;
    private final SeenRight mSeenRight;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/CheckPresetRight$SeenRight.class */
    public static class SeenRight {
        private boolean mSeen;

        private SeenRight() {
        }

        void setSeenRight() {
            this.mSeen = true;
        }

        boolean seenRight() {
            return this.mSeen;
        }
    }

    public static Boolean check(MailTarget mailTarget, Entry entry, Right right, boolean z, AccessManager.ViaGrant viaGrant) throws ServiceException {
        Boolean checkRight;
        PermissionCache.CachedPermission cachedPermission = null;
        if (viaGrant == null) {
            cachedPermission = PermissionCache.cacheGet(mailTarget, entry, right, z);
        }
        if (cachedPermission == null || cachedPermission == PermissionCache.CachedPermission.NOT_CACHED) {
            checkRight = new CheckPresetRight(mailTarget, entry, right, z, viaGrant).checkRight();
            PermissionCache.cachePut(mailTarget, entry, right, z, checkRight);
        } else {
            checkRight = cachedPermission.getResult();
        }
        if (sLog.isDebugEnabled()) {
            Log log = sLog;
            Object[] objArr = new Object[6];
            objArr[0] = checkRight == null ? "no matching ACL" : checkRight;
            objArr[1] = entry.getLabel();
            objArr[2] = mailTarget.getName();
            objArr[3] = right.getName();
            objArr[4] = Boolean.valueOf(z);
            objArr[5] = cachedPermission;
            log.debug("check ACL: %s (target=%s, grantee=%s, right=%s, canDelegateNeeded=%s, wasCached=%s)", objArr);
        }
        return checkRight;
    }

    private CheckPresetRight(MailTarget mailTarget, Entry entry, Right right, boolean z, AccessManager.ViaGrant viaGrant) throws ServiceException {
        super(entry, right, z);
        this.mGranteeMailTarget = mailTarget;
        this.mVia = viaGrant;
        this.mTargetType = TargetType.getTargetType(this.mTarget);
        this.mSeenRight = new SeenRight();
    }

    private Provisioning.GroupMembership getGranteeGroups() throws ServiceException {
        if (this.mGranteeGroups == null) {
            boolean z = !this.mRightNeeded.isUserRight();
            this.mGranteeGroups = this.mProv.getGroupMembership(this.mGranteeMailTarget, z);
            if (this.mGranteeMailTarget instanceof DistributionList) {
                DistributionList distributionList = (DistributionList) this.mGranteeMailTarget;
                if (!z || distributionList.isIsAdminGroup()) {
                    this.mGranteeGroups.append(new Provisioning.MemberOf(distributionList.getId(), distributionList.isIsAdminGroup(), false), distributionList.getId());
                }
            }
        }
        return this.mGranteeGroups;
    }

    private boolean matchesGroupGrantee(ZimbraACE zimbraACE) throws ServiceException {
        if (getGranteeGroups().groupIds().contains(zimbraACE.getGrantee())) {
            return true;
        }
        if (zimbraACE.getGranteeType() == GranteeType.GT_EXT_GROUP) {
            return zimbraACE.matchesGrantee(this.mGranteeMailTarget, !this.mRightNeeded.isUserRight());
        }
        return false;
    }

    private Boolean checkRight() throws ServiceException {
        if (!this.mRightNeeded.isPresetRight()) {
            throw ServiceException.INVALID_REQUEST("RightChecker.canDo can only check preset right, right " + this.mRightNeeded.getName() + " is a " + this.mRightNeeded.getRightType() + " right", (Throwable) null);
        }
        boolean z = !this.mRightNeeded.isUserRight();
        Domain domain = null;
        if (z) {
            if (!RightBearer.isValidGranteeForAdminRights(GranteeType.GT_USER, this.mGranteeMailTarget)) {
                return null;
            }
            domain = this.mProv.getDomain(this.mGranteeMailTarget);
            if (domain == null) {
                throw ServiceException.FAILURE("internal error, cannot find domain for " + this.mGranteeMailTarget.getName(), (Throwable) null);
            }
            if (this.mRightNeeded == Rights.Admin.R_crossDomainAdmin) {
                return CrossDomain.checkCrossDomainAdminRight(this.mProv, domain, this.mTarget, this.mCanDelegateNeeded);
            }
        }
        Boolean bool = null;
        List<ZimbraACE> allACEs = ACLUtil.getAllACEs(this.mTarget);
        if (allACEs != null) {
            bool = checkTarget(allACEs, false);
            if (bool != null) {
                return bool;
            }
        }
        Domain targetDomain = TargetType.getTargetDomain(this.mProv, this.mTarget);
        TargetIterator targetIeterator = TargetIterator.getTargetIeterator(this.mProv, this.mTarget, CheckRight.allowGroupTarget(this.mRightNeeded));
        GroupACLs groupACLs = null;
        while (true) {
            Entry next = targetIeterator.next();
            if (next == null) {
                if (this.mSeenRight.seenRight()) {
                    return Boolean.FALSE;
                }
                return null;
            }
            List<ZimbraACE> allACEs2 = ACLUtil.getAllACEs(next);
            if (!(next instanceof Group)) {
                if (groupACLs != null) {
                    List<ZimbraACE> allACLs = groupACLs.getAllACLs();
                    if (allACLs != null) {
                        bool = checkTarget(allACLs, false);
                    }
                    if (bool != null) {
                        return bool;
                    }
                    groupACLs = null;
                }
                if (allACEs2 != null) {
                    bool = checkTarget(allACEs2, this.mTargetType == TargetType.domain && (next instanceof Domain));
                    if (bool != null) {
                        return bool;
                    }
                } else {
                    continue;
                }
            } else if (allACEs2 != null) {
                boolean z2 = false;
                if (z) {
                    z2 = !CrossDomain.crossDomainOK(this.mProv, this.mGranteeMailTarget, domain, targetDomain, (Group) next);
                }
                if (groupACLs == null) {
                    groupACLs = new GroupACLs(this.mTarget);
                }
                groupACLs.collectACL((Group) next, z2);
            }
        }
    }

    private Boolean checkTarget(List<ZimbraACE> list, boolean z) throws ServiceException {
        Boolean checkPresetRight = checkPresetRight(list, (short) (2 | (this.mRightNeeded.isUserRight() ? 0 : 1)), z);
        if (checkPresetRight != null) {
            return checkPresetRight;
        }
        Boolean checkGroupPresetRight = checkGroupPresetRight(list, (short) 4, z);
        if (checkGroupPresetRight != null) {
            return checkGroupPresetRight;
        }
        if (!this.mRightNeeded.isUserRight()) {
            return null;
        }
        Boolean checkPresetRight2 = checkPresetRight(list, (short) 8, z);
        if (checkPresetRight2 != null) {
            return checkPresetRight2;
        }
        Boolean checkPresetRight3 = checkPresetRight(list, (short) 16, z);
        if (checkPresetRight3 != null) {
            return checkPresetRight3;
        }
        Boolean checkPresetRight4 = checkPresetRight(list, (short) 32, z);
        if (checkPresetRight4 != null) {
            return checkPresetRight4;
        }
        return null;
    }

    private boolean matchesPresetRight(ZimbraACE zimbraACE, short s, boolean z) throws ServiceException {
        if (!zimbraACE.getGranteeType().hasFlags(s) || !CheckRight.rightApplicableOnTargetType(this.mTargetType, this.mRightNeeded, this.mCanDelegateNeeded)) {
            return false;
        }
        if (this.mCanDelegateNeeded && zimbraACE.canExecuteOnly()) {
            return false;
        }
        if (!zimbraACE.deny() && z != zimbraACE.subDomain()) {
            return false;
        }
        Right right = zimbraACE.getRight();
        if (right.isPresetRight() && right == this.mRightNeeded) {
            return true;
        }
        return right.isComboRight() && ((ComboRight) right).containsPresetRight(this.mRightNeeded);
    }

    private Boolean checkPresetRight(List<ZimbraACE> list, short s, boolean z) throws ServiceException {
        for (ZimbraACE zimbraACE : list) {
            if (matchesPresetRight(zimbraACE, s, z)) {
                this.mSeenRight.setSeenRight();
                if (zimbraACE.matchesGrantee(this.mGranteeMailTarget, !this.mRightNeeded.isUserRight())) {
                    return gotResult(zimbraACE);
                }
            }
        }
        return null;
    }

    private Boolean checkGroupPresetRight(List<ZimbraACE> list, short s, boolean z) throws ServiceException {
        for (ZimbraACE zimbraACE : list) {
            if (matchesPresetRight(zimbraACE, s, z)) {
                this.mSeenRight.setSeenRight();
                if (matchesGroupGrantee(zimbraACE)) {
                    return gotResult(zimbraACE);
                }
            }
        }
        return null;
    }

    private Boolean gotResult(ZimbraACE zimbraACE) throws ServiceException {
        if (zimbraACE.deny()) {
            if (sLog.isDebugEnabled()) {
                sLog.debug("Right [%s] DENIED to %s via grant: %s on: %s=%s", new Object[]{this.mRightNeeded.getName(), this.mGranteeMailTarget.getName(), zimbraACE.dump(false), zimbraACE.getTargetType().getCode(), zimbraACE.getTargetName()});
            }
            if (this.mVia != null) {
                this.mVia.setImpl(new ViaGrantImpl(zimbraACE.getTargetType(), zimbraACE.getTargetName(), zimbraACE.getGranteeType(), zimbraACE.getGranteeDisplayName(), zimbraACE.getRight(), zimbraACE.deny()));
            }
            return Boolean.FALSE;
        }
        if (sLog.isDebugEnabled()) {
            sLog.debug("Right [%s] ALLOWED to %s via grant: %s on: %s=%s", new Object[]{this.mRightNeeded.getName(), this.mGranteeMailTarget.getName(), zimbraACE.dump(false), zimbraACE.getTargetType().getCode(), zimbraACE.getTargetName()});
        }
        if (this.mVia != null) {
            this.mVia.setImpl(new ViaGrantImpl(zimbraACE.getTargetType(), zimbraACE.getTargetName(), zimbraACE.getGranteeType(), zimbraACE.getGranteeDisplayName(), zimbraACE.getRight(), zimbraACE.deny()));
        }
        return Boolean.TRUE;
    }
}
