package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.MailTarget;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/HardRules.class */
public class HardRules {
    private static Set<String> ALWAYS_FORBIDDEN_ATTRS;

    /* loaded from: input_file:com/zimbra/cs/account/accesscontrol/HardRules$HardRule.class */
    public enum HardRule {
        NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT,
        DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN;

        public static HardRule ruleVolated(ServiceException serviceException) {
            List args;
            if (!"service.PERM_DENIED".equals(serviceException.getCode()) || (args = serviceException.getArgs()) == null) {
                return null;
            }
            Iterator it = args.iterator();
            while (it.hasNext()) {
                String name = ((ServiceException.Argument) it.next()).getName();
                if (name != null) {
                    try {
                        return valueOf(name);
                    } catch (IllegalArgumentException e) {
                    }
                }
            }
            return null;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static ServiceException.Argument getExceptionArgument(HardRule hardRule) {
            return new ServiceException.InternalArgument(hardRule.name(), "VIOLATED", ServiceException.Argument.Type.STR);
        }
    }

    public static Boolean checkHardRules(MailTarget mailTarget, boolean z, Entry entry, Right right) throws ServiceException {
        if ((mailTarget instanceof Account) && AccessControlUtil.isGlobalAdmin((Account) mailTarget, z)) {
            return Boolean.TRUE;
        }
        if (!(right == null || !right.isUserRight())) {
            return null;
        }
        if (!(mailTarget instanceof Account)) {
            throw ServiceException.PERM_DENIED("not an eligible admin account (not an account)", new ServiceException.Argument[]{HardRule.getExceptionArgument(HardRule.NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT)});
        }
        if (!AccessControlUtil.isDelegatedAdmin((Account) mailTarget, z)) {
            throw ServiceException.PERM_DENIED("not an eligible admin account", new ServiceException.Argument[]{HardRule.getExceptionArgument(HardRule.NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT)});
        }
        if ((entry instanceof Account) && AccessControlUtil.isGlobalAdmin((Account) entry, true)) {
            throw ServiceException.PERM_DENIED("delegated admin is not allowed to access a global admin's account", new ServiceException.Argument[]{HardRule.getExceptionArgument(HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN)});
        }
        return null;
    }

    public static void checkForbiddenAttr(String str) throws ServiceException {
        if (isForbiddenAttr(str)) {
            throw ServiceException.PERM_DENIED("delegated admin is not allowed to modify " + str);
        }
    }

    public static boolean isForbiddenAttr(String str) {
        return ALWAYS_FORBIDDEN_ATTRS.contains(str.toLowerCase());
    }

    static {
        HashSet hashSet = new HashSet();
        hashSet.add("zimbraIsAdminAccount".toLowerCase());
        ALWAYS_FORBIDDEN_ATTRS = Collections.unmodifiableSet(hashSet);
    }
}
