package com.zimbra.qa.unittest.prov.ldap;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.cs.account.AccessManager;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.DistributionList;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GlobalGrant;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.MailTarget;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.accesscontrol.GranteeType;
import com.zimbra.cs.account.accesscontrol.Right;
import com.zimbra.cs.account.accesscontrol.RightCommand;
import com.zimbra.cs.account.accesscontrol.RightModifier;
import com.zimbra.cs.account.accesscontrol.Rights;
import com.zimbra.cs.account.accesscontrol.TargetType;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.soap.admin.type.GranteeSelector;
import com.zimbra.soap.type.TargetBy;
import java.util.HashMap;
import java.util.Map;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:com/zimbra/qa/unittest/prov/ldap/TestACLPermissionCache.class */
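/**
 * Checks that {@link AccessManager#canDo} decisions follow changes to grants, group
 * membership, the target's domain and the grantee's delegated-admin flag.
 *
 * <p>Most tests follow the same shape: grant a right, assert it is allowed, undo the
 * condition that made it allowed (revoke, remove a member, move the target, clear the admin
 * flag), assert it is now denied, then restore the condition and assert it is allowed again.
 * The "denied" assertion is the security-relevant one: a grantee who keeps a right after it
 * was revoked retains access they should no longer have.
 *
 * <p>NOTE(review): judging by the class name, the intent is to catch a permission cache that
 * keeps serving the pre-change answer. The cache itself is not visible from this file;
 * confirm against the AccessManager implementation under test.
 *
 * <p>Every test creates its own domain (see {@link #createDomain()}), so the fixed entry names
 * below do not collide between tests.
 */
public class TestACLPermissionCache extends LdapTest {
    private static AccessManager accessMgr;
    private static Right A_USER_RIGHT;
    private static Right A_USER_RIGHT_DISTRIBUTION_LIST;
    private static Right A_CACHEABLE_ADMIN_RIGHT;
    private static final String GRANTTARGET_USER_ACCT = "granttarget-user-acct";
    private static final String GRANTTARGET_USER_GROUP = "granttarget-user-group";
    private static final String SUBGROUP_OF_GRANTTARGET_USER_GROUP = "subgroup-of-granttarget-user-group";
    private static final String TARGET_USER_ACCT = "target-user-acct";
    private static final String TARGET_USER_GROUP = "target-user-group";
    private static final String GRANTEE_USER_ACCT = "grantee-user-acct";
    private static final String GRANTEE_USER_GROUP = "grantee-user-group";
    private static final String GRANTEE_ADMIN_ACCT = "grantee-admin-acct";
    private static final String GRANTEE_ADMIN_GROUP = "grantee-admin-group";
    private static final String GRANTEE_GUEST_ACCT = "grantee-guest-acct";
    private static final String GRANTEE_GUEST_ACCT_PASSWORD = "grantee-guest-acct-password";
    // Monotonic counter used to give every test its own sub-domain; guarded by nextSeq().
    private static int sequence = 1;
    private static LdapProvTestUtil provUtil;
    private static LdapProv mProv;
    private static Domain baseDomain;
    private static String BASE_DOMAIN_NAME;
    // Account on whose behalf every grant and revoke in this class is issued.
    private static Account globalAdmin;

    /**
     * Creates the base domain and the global admin, and resolves the rights used by the tests.
     *
     * @throws Exception if provisioning or right initialisation fails
     */
    @BeforeClass
    public static void init() throws Exception {
        provUtil = new LdapProvTestUtil();
        mProv = provUtil.getProv();
        baseDomain = provUtil.createDomain(baseDomainName());
        BASE_DOMAIN_NAME = baseDomain.getName();
        globalAdmin = provUtil.createGlobalAdmin("globaladmin", baseDomain);
        accessMgr = AccessManager.getInstance();
        ACLTestUtil.initTestRights();
        A_USER_RIGHT = ACLTestUtil.USER_RIGHT;
        A_USER_RIGHT_DISTRIBUTION_LIST = ACLTestUtil.USER_RIGHT_DISTRIBUTION_LIST;
        A_CACHEABLE_ADMIN_RIGHT = Rights.Admin.R_adminLoginAs;
    }

    /**
     * Removes everything created under the base domain name.
     *
     * @throws Exception if cleanup fails
     */
    @AfterClass
    public static void cleanup() throws Exception {
        Cleanup.deleteAll(baseDomainName());
    }

    /**
     * Asks the access manager whether {@code grantee} holds {@code right} on {@code target}.
     *
     * <p>The casts are kept so that the same {@code canDo} overload is selected as before,
     * and the via-grant argument is always {@code null}.
     *
     * @param asAdmin forwarded as the fourth argument of {@code AccessManager.canDo}
     * @return the access manager's decision
     * @throws ServiceException if the access manager reports an error instead of a decision
     */
    private static boolean canDo(Account grantee, Entry target, Right right, boolean asAdmin) throws ServiceException {
        return accessMgr.canDo((MailTarget) grantee, (Entry) target, right, asAdmin, (AccessManager.ViaGrant) null);
    }

    /** Grants {@code right} on {@code target} to {@code grantee}, with no secret. */
    private void grantRight(TargetType targetType, Entry target, GranteeType granteeType, NamedEntry grantee, Right right) throws ServiceException {
        grantRight(targetType, target, granteeType, grantee, null, right);
    }

    /** Revokes {@code right} on {@code target} from {@code grantee}, acting as the global admin. */
    private void revokeRight(TargetType targetType, Entry target, GranteeType granteeType, NamedEntry grantee, Right right) throws ServiceException {
        RightCommand.revokeRight(mProv, globalAdmin, targetType.getCode(), TargetBy.name, target.getLabel(), granteeType.getCode(), GranteeSelector.GranteeBy.name, grantee.getName(), right.getName(), (RightModifier) null);
    }

    /**
     * Grants {@code right} on {@code target} to {@code grantee}, acting as the global admin.
     *
     * @param secret passed through to {@code RightCommand.grantRight} after the grantee name;
     *     the only non-null value used in this class is the guest account's password
     */
    private void grantRight(TargetType targetType, Entry target, GranteeType granteeType, NamedEntry grantee, String secret, Right right) throws ServiceException {
        RightCommand.grantRight(mProv, globalAdmin, targetType.getCode(), TargetBy.name, target.getLabel(), granteeType.getCode(), GranteeSelector.GranteeBy.name, grantee.getName(), secret, right.getName(), (RightModifier) null);
    }

    /** Returns the next sequence number as a string and advances the counter. */
    private static synchronized String nextSeq() {
        return String.valueOf(sequence++);
    }

    /** Builds a fresh sub-domain name of the form {@code <seq>.<base domain>}. */
    private String domainName() {
        return nextSeq() + "." + BASE_DOMAIN_NAME;
    }

    /** Creates a new, uniquely named domain for the calling test. */
    private Domain createDomain() throws Exception {
        return provUtil.createDomain(domainName());
    }

    /** Creates a user account in {@code domain}, or in a newly created domain when it is null. */
    private Account createUserAccount(String localPart, Domain domain) throws Exception {
        Domain home = (domain != null) ? domain : createDomain();
        return provUtil.createAccount(localPart, home);
    }

    /** Builds an in-memory guest account; nothing is provisioned. */
    private Account createGuestAccount(String email, String password) {
        return new GuestAccount(email, password);
    }

    /** Creates a delegated admin in {@code domain}, or in a newly created domain when it is null. */
    private Account createDelegatedAdminAccount(String localPart, Domain domain) throws Exception {
        Domain home = (domain != null) ? domain : createDomain();
        return provUtil.createDelegatedAdmin(localPart, home);
    }

    /** Creates a distribution list in {@code domain}, or in a newly created domain when it is null. */
    private DistributionList createDistributionList(String localPart, Domain domain, Map<String, Object> attrs) throws Exception {
        Domain home = (domain != null) ? domain : createDomain();
        return provUtil.createDistributionList(localPart, home, attrs);
    }

    /** Creates a distribution list with no extra attributes. */
    private DistributionList createUserDistributionList(String localPart, Domain domain) throws Exception {
        // Typed map instead of the raw HashMap the original passed.
        return createDistributionList(localPart, domain, new HashMap<String, Object>());
    }

    /** Returns the part of {@code email} before the first {@code @}. */
    private String getEmailLocalpart(String email) {
        return email.split("@")[0];
    }

    /**
     * A right granted to one guest grantee must be usable by that guest and by no other guest
     * presenting the same password.
     */
    @Test
    public void testGuestAccount() throws Exception {
        Right right = A_USER_RIGHT;
        Account target = createUserAccount(GRANTTARGET_USER_ACCT, createDomain());
        Account grantedGuest = createGuestAccount(GRANTEE_GUEST_ACCT, GRANTEE_GUEST_ACCT_PASSWORD);
        // Same password, different identity: must not inherit the grant.
        Account otherGuest = createGuestAccount("grantee-user-acctnot", GRANTEE_GUEST_ACCT_PASSWORD);
        grantRight(TargetType.account, target, GranteeType.GT_GUEST, grantedGuest, GRANTEE_GUEST_ACCT_PASSWORD, right);
        Assert.assertTrue(canDo(grantedGuest, target, right, false));
        Assert.assertFalse(canDo(otherGuest, target, right, false));
    }

    /** Grant, revoke and re-grant directly on the target account. */
    @Test
    public void testGrantChangeOnTarget() throws Exception {
        Right right = A_USER_RIGHT;
        Domain domain = createDomain();
        Account target = createUserAccount(GRANTTARGET_USER_ACCT, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);

        grantRight(TargetType.account, target, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        revokeRight(TargetType.account, target, GranteeType.GT_USER, grantee, right);
        Assert.assertFalse(canDo(grantee, target, right, false));

        grantRight(TargetType.account, target, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** Grant, revoke and re-grant on a list of which the target list is a direct member. */
    @Test
    public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain domain = createDomain();
        DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
        DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(grantTarget, new String[]{target.getName()});

        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertFalse(canDo(grantee, target, right, false));

        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** Same as the direct case, with one intermediate list between grant target and target. */
    @Test
    public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain domain = createDomain();
        DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
        DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
        DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(grantTarget, new String[]{subGroup.getName()});
        mProv.addMembers(subGroup, new String[]{target.getName()});

        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertFalse(canDo(grantee, target, right, false));

        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** Grant, revoke and re-grant on the domain that contains the target account. */
    @Test
    public void testGrantChangeOnDomain() throws Exception {
        Right right = A_USER_RIGHT;
        Domain domain = createDomain();
        Account target = createUserAccount(TARGET_USER_ACCT, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);

        grantRight(TargetType.domain, domain, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        revokeRight(TargetType.domain, domain, GranteeType.GT_USER, grantee, right);
        Assert.assertFalse(canDo(grantee, target, right, false));

        grantRight(TargetType.domain, domain, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** Grant, revoke and re-grant on the global grant entry. */
    @Test
    public void testGrantChangeOnGlobalGrant() throws Exception {
        Right right = A_USER_RIGHT;
        Domain domain = createDomain();
        GlobalGrant globalGrant = mProv.getGlobalGrant();
        Account target = createUserAccount(TARGET_USER_ACCT, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);

        grantRight(TargetType.global, globalGrant, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        revokeRight(TargetType.global, globalGrant, GranteeType.GT_USER, grantee, right);
        Assert.assertFalse(canDo(grantee, target, right, false));

        grantRight(TargetType.global, globalGrant, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** The grant stays in place; the target list leaves and rejoins the grant-target list. */
    @Test
    public void testDirectGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain domain = createDomain();
        DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
        DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(grantTarget, new String[]{target.getName()});
        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        mProv.removeMembers(grantTarget, new String[]{target.getName()});
        Assert.assertFalse(canDo(grantee, target, right, false));

        mProv.addMembers(grantTarget, new String[]{target.getName()});
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /** The grant stays in place; the target list leaves and rejoins the intermediate list. */
    @Test
    public void testIndirectGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain domain = createDomain();
        DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
        DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
        DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(grantTarget, new String[]{subGroup.getName()});
        mProv.addMembers(subGroup, new String[]{target.getName()});
        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        mProv.removeMembers(subGroup, new String[]{target.getName()});
        Assert.assertFalse(canDo(grantee, target, right, false));

        mProv.addMembers(subGroup, new String[]{target.getName()});
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /**
     * A domain-level grant must stop applying once the target account is renamed into another
     * domain, and apply again once it is renamed back.
     */
    @Test
    public void testDomainOfTargetChanged() throws Exception {
        Right right = A_USER_RIGHT;
        Domain domain = createDomain();
        Account target = createUserAccount(TARGET_USER_ACCT, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        grantRight(TargetType.domain, domain, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));

        Domain otherDomain = createDomain();
        String targetId = target.getId();
        String originalName = target.getName();
        mProv.renameAccount(targetId, getEmailLocalpart(originalName) + "@" + otherDomain.getName());
        // Re-fetch by id: the Account object held above predates the rename.
        Assert.assertFalse(canDo(grantee, mProv.get(Key.AccountBy.id, targetId), right, false));

        mProv.renameAccount(targetId, originalName);
        Assert.assertTrue(canDo(grantee, mProv.get(Key.AccountBy.id, targetId), right, false));
    }

    /**
     * Sets up an indirectly inherited grant and checks that it is effective.
     *
     * <p>NOTE(review): despite the name, nothing is deleted here. The test stops after the
     * positive check, so the "grant target deleted, right no longer effective" case is not
     * covered. TODO: delete the grant-target list and assert the right is denied, once the
     * expected behaviour is confirmed.
     */
    @Test
    public void GrantTargetDeleted() throws Exception {
        Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
        Domain domain = createDomain();
        DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
        DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
        DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
        Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(grantTarget, new String[]{subGroup.getName()});
        mProv.addMembers(subGroup, new String[]{target.getName()});
        grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
        Assert.assertTrue(canDo(grantee, target, right, false));
    }

    /**
     * A right granted to a group must be lost by an account as soon as it is removed from
     * that group.
     */
    @Test
    public void testGranteeGroupMembershipChanged() throws Exception {
        Right right = A_USER_RIGHT;
        Domain domain = createDomain();
        Account target = createUserAccount(GRANTTARGET_USER_ACCT, domain);
        DistributionList granteeGroup = createUserDistributionList(GRANTEE_USER_GROUP, domain);
        Account member = createUserAccount(GRANTEE_USER_ACCT, domain);
        mProv.addMembers(granteeGroup, new String[]{member.getName()});
        grantRight(TargetType.account, target, GranteeType.GT_GROUP, granteeGroup, right);
        Assert.assertTrue(canDo(member, target, right, false));

        mProv.removeMembers(granteeGroup, new String[]{member.getName()});
        Assert.assertFalse(canDo(member, target, right, false));
    }

    /**
     * An admin right must be lost when the grantee's delegated-admin flag is cleared and
     * regained when it is set again.
     */
    @Test
    public void testGranteeAdminFlagChanged() throws Exception {
        Right right = A_CACHEABLE_ADMIN_RIGHT;
        Domain domain = createDomain();
        Account target = createUserAccount(GRANTTARGET_USER_ACCT, domain);
        Account admin = createDelegatedAdminAccount(GRANTEE_ADMIN_ACCT, domain);
        grantRight(TargetType.account, target, GranteeType.GT_USER, admin, right);
        boolean allowed = canDo(admin, target, right, true);
        Assert.assertTrue(allowed);

        admin.setIsDelegatedAdminAccount(false);
        try {
            allowed = canDo(admin, target, right, true);
        } catch (ServiceException e) {
            // Only PERM_DENIED counts as "denied". Any other failure is rethrown so the test
            // reports the real cause instead of failing on a stale 'allowed' value.
            if (!"service.PERM_DENIED".equals(e.getCode())) {
                throw e;
            }
            allowed = false;
        }
        Assert.assertFalse(allowed);

        admin.setIsDelegatedAdminAccount(true);
        Assert.assertTrue(canDo(admin, target, right, true));
    }
}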
