package org.apache.directory.server.core.authz;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.directory.server.core.DirectoryServiceConfiguration;
import org.apache.directory.server.core.configuration.InterceptorConfiguration;
import org.apache.directory.server.core.enumeration.SearchResultFilter;
import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.invocation.Invocation;
import org.apache.directory.server.core.invocation.InvocationStack;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.message.ServerSearchResult;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.OidNormalizer;
import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authz/DefaultAuthorizationService.class */
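/**
 * Fallback authorization interceptor used while ACI-based access control is switched off
 * (see {@link #init}). It enforces a small fixed policy rather than evaluating ACIs:
 * <ul>
 *   <li>the rootDSE can never be deleted, modified, moved or renamed;</li>
 *   <li>the admin account can never be deleted, moved or renamed, and only an administrator
 *       may modify or read it;</li>
 *   <li>the {@code cn=Administrators,ou=groups,ou=system} group can never be deleted, moved or
 *       renamed, and its {@code uniqueMember} values are the set of administrators;</li>
 *   <li>entries below the users and groups base DNs may only be deleted, modified, moved,
 *       renamed, read or returned from searches by an administrator (a user may still read,
 *       modify and see its own entry).</li>
 * </ul>
 * Every denial is logged at error level and reported as {@link LdapNoPermissionException}.
 */
public class DefaultAuthorizationService extends BaseInterceptor {
    private static final Logger log = LoggerFactory.getLogger(DefaultAuthorizationService.class);

    /** OID of the uniqueMember attribute type, resolved through the registry in init(). */
    private static final String UNIQUE_MEMBER_OID = "2.5.4.50";

    /** Entry whose uniqueMember values form the administrator set. */
    private static final String ADMIN_GROUP_DN_UP = "cn=Administrators,ou=groups,ou=system";

    /*
     * Normalized in init() with the registry's normalizer mapping. They are static, as in the
     * original, so a second initialized instance would overwrite them for the first.
     */
    private static LdapDN USER_BASE_DN;
    private static LdapDN GROUP_BASE_DN;
    private static LdapDN ADMIN_GROUP_DN;

    /** False once init() finds the ACI subsystem enabled; every hook then passes straight through. */
    private boolean enabled = true;

    /** Normalized DNs of the Administrators group members; replaced as a whole by loadAdministrators(). */
    private Set<String> administrators = new HashSet<String>(2);

    private Map<String, OidNormalizer> normalizerMapping;
    private PartitionNexus nexus;
    private AttributeTypeRegistry attrRegistry;
    private AttributeType uniqueMemberAT;

    /** Stateless filter shared by search() and list(); both delegate to isSearchable(). */
    private final SearchResultFilter defaultAuthzFilter = new SearchResultFilter() {
        @Override
        public boolean accept(Invocation invocation, SearchResult searchResult, SearchControls searchControls) throws NamingException {
            return DefaultAuthorizationService.this.isSearchable(invocation, searchResult);
        }
    };

    /**
     * Wires this interceptor to the nexus and schema registries, normalizes the protected base
     * DNs and loads the current Administrators group membership.
     *
     * @throws NamingException if a DN cannot be normalized, the uniqueMember attribute type is
     *         not registered, or the Administrators group lookup fails
     */
    @Override
    public void init(DirectoryServiceConfiguration directoryServiceConfiguration, InterceptorConfiguration interceptorConfiguration) throws NamingException {
        this.nexus = directoryServiceConfiguration.getPartitionNexus();
        this.attrRegistry = directoryServiceConfiguration.getRegistries().getAttributeTypeRegistry();
        this.normalizerMapping = this.attrRegistry.getNormalizerMapping();
        // This service only applies when the ACI subsystem is off; otherwise it steps aside.
        this.enabled = !directoryServiceConfiguration.getStartupConfiguration().isAccessControlEnabled();
        USER_BASE_DN = normalized(PartitionNexus.getUsersBaseName());
        GROUP_BASE_DN = normalized(PartitionNexus.getGroupsBaseName());
        ADMIN_GROUP_DN = normalized(new LdapDN(ADMIN_GROUP_DN_UP));
        this.uniqueMemberAT = this.attrRegistry.lookup(UNIQUE_MEMBER_OID);
        loadAdministrators();
    }

    /** Normalizes {@code dn} in place with this service's normalizer mapping and returns it. */
    private LdapDN normalized(LdapDN dn) throws NamingException {
        dn.normalize(this.normalizerMapping);
        return dn;
    }

    /**
     * Rebuilds {@link #administrators} from the uniqueMember values of the Administrators group.
     * If the group entry cannot be looked up the previously loaded set is kept; if the entry has
     * no uniqueMember attribute the set becomes empty (the original code dereferenced the missing
     * attribute and would have failed with a NullPointerException).
     *
     * @throws NamingException if the lookup fails or a member DN cannot be parsed or normalized
     */
    private void loadAdministrators() throws NamingException {
        Set<String> members = new HashSet<String>(2);
        Attributes adminGroup = this.nexus.lookup(new LookupOperationContext(ADMIN_GROUP_DN));
        if (adminGroup == null) {
            return;
        }
        Attribute uniqueMember = AttributeUtils.getAttribute(adminGroup, this.uniqueMemberAT);
        if (uniqueMember != null) {
            for (int i = 0; i < uniqueMember.size(); i++) {
                LdapDN member = normalized(new LdapDN((String) uniqueMember.get(i)));
                members.add(member.getNormName());
            }
        }
        // Swap in the complete set rather than mutating the live one.
        this.administrators = members;
    }

    /** Logs an authorization failure and returns the exception the caller should throw for it. */
    private static LdapNoPermissionException denied(String message) {
        log.error(message);
        return new LdapNoPermissionException(message);
    }

    /** True when {@code dn} is the Administrators group entry itself. */
    private static boolean isAdminGroup(LdapDN dn) {
        return dn.getNormName().equals(ADMIN_GROUP_DN.getNormName());
    }

    /** True when {@code ldapDN} is the built-in admin principal. */
    private final boolean isTheAdministrator(LdapDN ldapDN) {
        return ldapDN.getNormName().equals(PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED);
    }

    /** True for the built-in admin and for every member of the Administrators group. */
    private final boolean isAnAdministrator(LdapDN ldapDN) {
        return isTheAdministrator(ldapDN) || this.administrators.contains(ldapDN.getNormName());
    }

    /**
     * Refuses deletion of the rootDSE, the admin account and the Administrators group, and
     * deletion of entries under the users or groups base by non-administrators.
     *
     * @throws LdapNoPermissionException when the caller may not delete the entry
     * @throws NamingException propagated from the next interceptor
     */
    @Override
    public void delete(NextInterceptor nextInterceptor, DeleteOperationContext deleteOperationContext) throws NamingException {
        if (!this.enabled) {
            nextInterceptor.delete(deleteOperationContext);
            return;
        }
        LdapDN dn = deleteOperationContext.getDn();
        LdapDN principalDn = getPrincipal().getJndiName();
        if (dn.isEmpty()) {
            throw denied("The rootDSE cannot be deleted!");
        }
        if (isAdminGroup(dn)) {
            throw denied("The Administrators group cannot be deleted!");
        }
        if (isTheAdministrator(dn)) {
            // Absolute rule: not even the admin may delete the admin account.
            throw denied("User " + principalDn.getUpName()
                    + " does not have permission to delete the admin account."
                    + " No one not even the admin can delete this account!");
        }
        // size() > 2 presumably means "below a two-component base such as ou=groups,ou=system".
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.startsWith(USER_BASE_DN)) {
                throw denied("User " + principalDn.getUpName()
                        + " does not have permission to delete the user account: " + dn.getUpName()
                        + ". Only the admin can delete user accounts.");
            }
            if (dn.startsWith(GROUP_BASE_DN)) {
                throw denied("User " + principalDn.getUpName()
                        + " does not have permission to delete the group entry: " + dn.getUpName()
                        + ". Only the admin can delete groups.");
            }
        }
        nextInterceptor.delete(deleteOperationContext);
    }

    /**
     * Applies {@link #protectModifyAlterations} before the change and, when the Administrators
     * group itself was modified, reloads the administrator set afterwards.
     *
     * @throws LdapNoPermissionException when the caller may not modify the entry
     * @throws NamingException propagated from the next interceptor or the reload
     */
    @Override
    public void modify(NextInterceptor nextInterceptor, ModifyOperationContext modifyOperationContext) throws NamingException {
        if (!this.enabled) {
            nextInterceptor.modify(modifyOperationContext);
            return;
        }
        LdapDN dn = modifyOperationContext.getDn();
        protectModifyAlterations(dn);
        nextInterceptor.modify(modifyOperationContext);
        if (isAdminGroup(dn)) {
            // Membership may have changed; the cached set must follow the entry.
            loadAdministrators();
        }
    }

    /**
     * Modification policy: the rootDSE is never modifiable; administrators and a user acting on
     * its own entry are always allowed; otherwise the admin account and entries under the users
     * or groups base are refused.
     *
     * @throws LdapNoPermissionException when the caller may not modify {@code ldapDN}
     */
    private void protectModifyAlterations(LdapDN ldapDN) throws NamingException {
        LdapDN principalDn = getPrincipal().getJndiName();
        if (ldapDN.isEmpty()) {
            throw denied("The rootDSE cannot be modified!");
        }
        boolean isSelf = ldapDN.getNormName().equals(principalDn.getNormName());
        if (isAnAdministrator(principalDn) || isSelf) {
            return;
        }
        if (isTheAdministrator(ldapDN)) {
            throw denied("User " + principalDn.getUpName()
                    + " does not have permission to modify the account of the admin user.");
        }
        if (ldapDN.size() > 2) {
            if (ldapDN.startsWith(USER_BASE_DN)) {
                throw denied("User " + principalDn.getUpName()
                        + " does not have permission to modify the account of the user " + ldapDN.getUpName()
                        + ".\nEven the owner of an account cannot modify it."
                        + "\nUser accounts can only be modified by the administrator.");
            }
            if (ldapDN.startsWith(GROUP_BASE_DN)) {
                throw denied("User " + principalDn.getUpName()
                        + " does not have permission to modify the group entry " + ldapDN.getUpName()
                        + ".\nGroups can only be modified by the admin.");
            }
        }
    }

    /** Applies {@link #protectDnAlterations} to the entry being renamed. */
    @Override
    public void rename(NextInterceptor nextInterceptor, RenameOperationContext renameOperationContext) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(renameOperationContext.getDn());
        }
        nextInterceptor.rename(renameOperationContext);
    }

    /** Applies {@link #protectDnAlterations} to the entry being moved. */
    @Override
    public void move(NextInterceptor nextInterceptor, MoveOperationContext moveOperationContext) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(moveOperationContext.getDn());
        }
        nextInterceptor.move(moveOperationContext);
    }

    /** Applies {@link #protectDnAlterations} to the entry being moved and renamed. */
    @Override
    public void moveAndRename(NextInterceptor nextInterceptor, MoveAndRenameOperationContext moveAndRenameOperationContext) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(moveAndRenameOperationContext.getDn());
        }
        nextInterceptor.moveAndRename(moveAndRenameOperationContext);
    }

    /**
     * Move/rename policy: the rootDSE, the Administrators group and the admin account can never
     * be moved or renamed; entries under the users or groups base only by an administrator.
     * The group denial is now logged like every other one (the original threw without logging).
     *
     * @throws LdapNoPermissionException when the caller may not move or rename {@code ldapDN}
     */
    private void protectDnAlterations(LdapDN ldapDN) throws NamingException {
        LdapDN principalDn = getPrincipal().getJndiName();
        if (ldapDN.isEmpty()) {
            throw denied("The rootDSE cannot be moved or renamed!");
        }
        if (isAdminGroup(ldapDN)) {
            throw denied("The Administrators group cannot be moved or renamed!");
        }
        if (isTheAdministrator(ldapDN)) {
            throw denied("User '" + principalDn.getUpName()
                    + "' does not have permission to move or rename the admin account."
                    + "  No one not even the admin can move or rename " + ldapDN.getUpName() + "!");
        }
        if (ldapDN.size() <= 2 || isAnAdministrator(principalDn)) {
            return;
        }
        if (ldapDN.startsWith(USER_BASE_DN)) {
            throw denied("User '" + principalDn.getUpName()
                    + "' does not have permission to move or rename the user account: " + ldapDN.getUpName()
                    + ". Only the admin can move or rename user accounts.");
        }
        if (ldapDN.startsWith(GROUP_BASE_DN)) {
            throw denied("User " + principalDn.getUpName()
                    + " does not have permission to move or rename the group entry " + ldapDN.getUpName()
                    + ".\nGroups can only be moved or renamed by the admin.");
        }
    }

    /**
     * Performs the lookup first and applies {@link #protectLookUp} only when an entry was found,
     * so an absent entry is reported the same way to everyone.
     *
     * @return the entry from the next interceptor, or null when it returned null
     * @throws LdapNoPermissionException when the caller may not read the entry
     */
    @Override
    public Attributes lookup(NextInterceptor nextInterceptor, LookupOperationContext lookupOperationContext) throws NamingException {
        Attributes entry = nextInterceptor.lookup(lookupOperationContext);
        if (this.enabled && entry != null) {
            protectLookUp(lookupOperationContext.getDn());
        }
        return entry;
    }

    /**
     * Read policy: administrators read everything; other users may read their own entry but not
     * other entries under the users or groups base, nor the admin account. The caller principal
     * is taken from {@code getPrincipal()} like the other hooks, instead of casting the
     * invocation-stack caller directly.
     *
     * @throws LdapNoPermissionException when the caller may not read {@code ldapDN}
     */
    private void protectLookUp(LdapDN ldapDN) throws NamingException {
        LdapDN principalDn = getPrincipal().getJndiName();
        if (isAnAdministrator(principalDn)) {
            return;
        }
        boolean isSelf = ldapDN.getNormName().equals(principalDn.getNormName());
        if (ldapDN.size() > 2) {
            if (ldapDN.startsWith(USER_BASE_DN)) {
                if (isSelf) {
                    return;
                }
                throw denied("Access to user account '" + ldapDN.getUpName() + "' not permitted for user '"
                        + principalDn.getUpName() + "'.  Only the admin can access user account information");
            }
            if (ldapDN.startsWith(GROUP_BASE_DN)) {
                if (isSelf) {
                    return;
                }
                throw denied("Access to group '" + ldapDN.getUpName() + "' not permitted for user '"
                        + principalDn.getUpName() + "'.  Only the admin can access group information");
            }
        }
        if (isTheAdministrator(ldapDN) && !isSelf) {
            throw denied("Access to admin account not permitted for user '" + principalDn.getUpName()
                    + "'.  Only the admin can access admin account information");
        }
    }

    /**
     * Wraps the search results in a filtering enumeration that drops every entry
     * {@link #isSearchable} rejects for the calling principal.
     */
    @Override
    public NamingEnumeration<SearchResult> search(NextInterceptor nextInterceptor, SearchOperationContext searchOperationContext) throws NamingException {
        NamingEnumeration<SearchResult> results = nextInterceptor.search(searchOperationContext);
        if (!this.enabled) {
            return results;
        }
        return new SearchResultFilteringEnumeration(results, searchOperationContext.getSearchControls(),
                InvocationStack.getInstance().peek(), defaultAuthzFilter, "Search Default Authorization filter");
    }

    /**
     * Same filtering as {@link #search} for one-level listings; no search controls are available
     * for a list, so null is passed through to the enumeration.
     */
    @Override
    public NamingEnumeration<SearchResult> list(NextInterceptor nextInterceptor, ListOperationContext listOperationContext) throws NamingException {
        NamingEnumeration<SearchResult> results = nextInterceptor.list(listOperationContext);
        if (!this.enabled) {
            return results;
        }
        return new SearchResultFilteringEnumeration(results, (SearchControls) null,
                InvocationStack.getInstance().peek(), defaultAuthzFilter, "List Default Authorization filter");
    }

    /**
     * Decides whether a search result may be returned to the caller of {@code invocation}:
     * administrators and the entry's own principal always see it; otherwise the admin account and
     * entries under the users or groups base are hidden. The base test is the component-wise
     * {@code LdapDN.startsWith} used by the write-path checks rather than the original plain
     * string {@code endsWith} on the normalized name, so all hooks agree on what "under the base"
     * means. Public (rather than private) because the search/list filter calls it.
     *
     * @param invocation   the current invocation, used only for its caller's principal
     * @param searchResult a {@link ServerSearchResult}; its DN is normalized in place if needed
     * @return true when the result may be returned
     * @throws NamingException if the result DN cannot be normalized
     */
    public boolean isSearchable(Invocation invocation, SearchResult searchResult) throws NamingException {
        LdapDN principalDn = invocation.getCaller().getPrincipal().getJndiName();
        LdapDN dn = ((ServerSearchResult) searchResult).getDn();
        if (!dn.isNormalized()) {
            dn.normalize(this.normalizerMapping);
        }
        if (isAnAdministrator(principalDn) || dn.getNormName().equals(principalDn.getNormName())) {
            return true;
        }
        if (isTheAdministrator(dn)) {
            return false;
        }
        boolean underProtectedBase = dn.size() > 2
                && (dn.startsWith(USER_BASE_DN) || dn.startsWith(GROUP_BASE_DN));
        return !underProtectedBase;
    }
}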
