package org.apache.directory.server.core.authz;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.directory.server.core.DirectoryServiceConfiguration;
import org.apache.directory.server.core.configuration.InterceptorConfiguration;
import org.apache.directory.server.core.enumeration.SearchResultFilter;
import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.invocation.Invocation;
import org.apache.directory.server.core.invocation.InvocationStack;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.filter.ExprNode;
import org.apache.directory.shared.ldap.message.ModificationItemImpl;
import org.apache.directory.shared.ldap.name.LdapDN;

/* loaded from: input_file:org/apache/directory/server/core/authz/DefaultAuthorizationService.class */
public class DefaultAuthorizationService extends BaseInterceptor {
    private static LdapDN USER_BASE_DN;
    private static LdapDN USER_BASE_DN_NORMALIZED;
    private static LdapDN GROUP_BASE_DN;
    private static LdapDN GROUP_BASE_DN_NORMALIZED;
    private static LdapDN ADMIN_GROUP_DN;
    private static LdapDN ADMIN_GROUP_DN_NORMALIZED;
    private boolean enabled = true;
    private Set administrators = new HashSet(2);
    private Map normalizerMapping;
    private PartitionNexus nexus;

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void init(DirectoryServiceConfiguration directoryServiceConfiguration, InterceptorConfiguration interceptorConfiguration) throws NamingException {
        this.nexus = directoryServiceConfiguration.getPartitionNexus();
        this.normalizerMapping = directoryServiceConfiguration.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();
        this.enabled = !directoryServiceConfiguration.getStartupConfiguration().isAccessControlEnabled();
        USER_BASE_DN = PartitionNexus.getUsersBaseName();
        USER_BASE_DN_NORMALIZED = LdapDN.normalize(USER_BASE_DN, this.normalizerMapping);
        GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
        GROUP_BASE_DN_NORMALIZED = LdapDN.normalize(GROUP_BASE_DN, this.normalizerMapping);
        ADMIN_GROUP_DN = new LdapDN("cn=Administrators,ou=groups,ou=system");
        ADMIN_GROUP_DN_NORMALIZED = (LdapDN) ADMIN_GROUP_DN.clone();
        ADMIN_GROUP_DN_NORMALIZED.normalize(this.normalizerMapping);
        loadAdministrators();
    }

    private void loadAdministrators() throws NamingException {
        HashSet hashSet = new HashSet(2);
        Attributes lookup = this.nexus.lookup(ADMIN_GROUP_DN_NORMALIZED);
        if (lookup == null) {
            return;
        }
        Attribute attribute = lookup.get("uniqueMember");
        for (int i = 0; i < attribute.size(); i++) {
            LdapDN ldapDN = new LdapDN((String) attribute.get(i));
            ldapDN.normalize(this.normalizerMapping);
            hashSet.add(ldapDN.toNormName());
        }
        this.administrators = hashSet;
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void delete(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        if (!this.enabled) {
            nextInterceptor.delete(ldapDN);
            return;
        }
        LdapDN jndiName = getPrincipal().getJndiName();
        if (ldapDN.toString().equals("")) {
            throw new LdapNoPermissionException("The rootDSE cannot be deleted!");
        }
        if (ldapDN.toNormName().equals(ADMIN_GROUP_DN_NORMALIZED.toNormName())) {
            throw new LdapNoPermissionException("The Administrators group cannot be deleted!");
        }
        if (isTheAdministrator(ldapDN)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to delete the admin account.").toString()).append(" No one not even the admin can delete this account!").toString());
        }
        if (ldapDN.size() > 2 && ldapDN.startsWith(USER_BASE_DN) && !isAnAdministrator(jndiName)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to delete the user account: ").toString()).append(ldapDN).append(". Only the admin can delete user accounts.").toString());
        }
        if (ldapDN.size() <= 2 || !ldapDN.startsWith(GROUP_BASE_DN) || isAnAdministrator(jndiName)) {
            nextInterceptor.delete(ldapDN);
        } else {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to delete the group entry: ").toString()).append(ldapDN).append(". Only the admin can delete groups.").toString());
        }
    }

    private final boolean isTheAdministrator(LdapDN ldapDN) {
        return ldapDN.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED || ldapDN.toNormName().equals(PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED);
    }

    private final boolean isAnAdministrator(LdapDN ldapDN) throws NamingException {
        if (isTheAdministrator(ldapDN)) {
            return true;
        }
        return this.administrators.contains(ldapDN.toNormName());
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public boolean hasEntry(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        return super.hasEntry(nextInterceptor, ldapDN);
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, LdapDN ldapDN, int i, Attributes attributes) throws NamingException {
        if (!this.enabled) {
            nextInterceptor.modify(ldapDN, i, attributes);
            return;
        }
        protectModifyAlterations(ldapDN);
        nextInterceptor.modify(ldapDN, i, attributes);
        if (ldapDN.toNormName().equals(ADMIN_GROUP_DN_NORMALIZED.toNormName())) {
            loadAdministrators();
        }
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modify(NextInterceptor nextInterceptor, LdapDN ldapDN, ModificationItemImpl[] modificationItemImplArr) throws NamingException {
        if (!this.enabled) {
            nextInterceptor.modify(ldapDN, modificationItemImplArr);
            return;
        }
        protectModifyAlterations(ldapDN);
        nextInterceptor.modify(ldapDN, modificationItemImplArr);
        if (ldapDN.toNormName().equals(ADMIN_GROUP_DN_NORMALIZED.toNormName())) {
            loadAdministrators();
        }
    }

    private void protectModifyAlterations(LdapDN ldapDN) throws NamingException {
        LdapDN jndiName = getPrincipal().getJndiName();
        if (ldapDN.size() == 0) {
            throw new LdapNoPermissionException("The rootDSE cannot be modified!");
        }
        if (isAnAdministrator(jndiName) || ldapDN.toNormName().equals(getPrincipal().getJndiName().toNormName())) {
            return;
        }
        if (ldapDN.toNormName().equals(PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to modify the account of the").toString()).append(" admin user.").toString());
        }
        if (ldapDN.size() > 2 && ldapDN.startsWith(USER_BASE_DN_NORMALIZED)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to modify the account of the").toString()).append(" user ").append(ldapDN).append(".\nEven the owner of an account cannot").toString()).append(" modify it.\nUser accounts can only be modified by the").toString()).append(" administrator.").toString());
        }
        if (ldapDN.size() <= 2 || !ldapDN.startsWith(GROUP_BASE_DN_NORMALIZED)) {
            return;
        }
        throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to modify the group entry ").toString()).append(ldapDN.getUpName()).append(".\nGroups can only be modified by the admin.").toString());
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void modifyRn(NextInterceptor nextInterceptor, LdapDN ldapDN, String str, boolean z) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(ldapDN);
        }
        nextInterceptor.modifyRn(ldapDN, str, z);
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, LdapDN ldapDN, LdapDN ldapDN2) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(ldapDN);
        }
        nextInterceptor.move(ldapDN, ldapDN2);
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public void move(NextInterceptor nextInterceptor, LdapDN ldapDN, LdapDN ldapDN2, String str, boolean z) throws NamingException {
        if (this.enabled) {
            protectDnAlterations(ldapDN);
        }
        nextInterceptor.move(ldapDN, ldapDN2, str, z);
    }

    private void protectDnAlterations(LdapDN ldapDN) throws NamingException {
        LdapDN jndiName = getPrincipal().getJndiName();
        if (ldapDN.toString().equals("")) {
            throw new LdapNoPermissionException("The rootDSE cannot be moved or renamed!");
        }
        if (ldapDN.toNormName().equals(ADMIN_GROUP_DN_NORMALIZED.toNormName())) {
            throw new LdapNoPermissionException("The Administrators group cannot be moved or renamed!");
        }
        if (isTheAdministrator(ldapDN)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User '").append(jndiName.getUpName()).toString()).append("' does not have permission to move or rename the admin").toString()).append(" account.  No one not even the admin can move or").toString()).append(" rename ").append(ldapDN).append("!").toString());
        }
        if (ldapDN.size() > 2 && ldapDN.startsWith(USER_BASE_DN_NORMALIZED) && !isAnAdministrator(jndiName)) {
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User '").append(jndiName).toString()).append("' does not have permission to move or rename the user").toString()).append(" account: ").append(ldapDN).append(". Only the admin can move or").toString()).append(" rename user accounts.").toString());
        }
        if (ldapDN.size() <= 2 || !ldapDN.startsWith(GROUP_BASE_DN_NORMALIZED) || isAnAdministrator(jndiName)) {
            return;
        }
        throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("User ").append(jndiName).toString()).append(" does not have permission to move or rename the group entry ").toString()).append(ldapDN).append(".\nGroups can only be moved or renamed by the admin.").toString());
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        Attributes lookup = nextInterceptor.lookup(ldapDN);
        if (!this.enabled || lookup == null) {
            return lookup;
        }
        protectLookUp(ldapDN);
        return lookup;
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public Attributes lookup(NextInterceptor nextInterceptor, LdapDN ldapDN, String[] strArr) throws NamingException {
        Attributes lookup = nextInterceptor.lookup(ldapDN, strArr);
        if (!this.enabled || lookup == null) {
            return lookup;
        }
        protectLookUp(ldapDN);
        return lookup;
    }

    private void protectLookUp(LdapDN ldapDN) throws NamingException {
        LdapDN jndiName = ((LdapContext) InvocationStack.getInstance().peek().getCaller()).getPrincipal().getJndiName();
        if (isAnAdministrator(jndiName)) {
            return;
        }
        if (ldapDN.size() > 2 && ldapDN.startsWith(USER_BASE_DN_NORMALIZED)) {
            if (ldapDN.getNormName().equals(jndiName.getNormName())) {
                return;
            }
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("Access to user account '").append(ldapDN).append("' not permitted").toString()).append(" for user '").append(jndiName).append("'.  Only the admin can").toString()).append(" access user account information").toString());
        }
        if (ldapDN.size() <= 2 || !ldapDN.startsWith(GROUP_BASE_DN_NORMALIZED)) {
            if (!isTheAdministrator(ldapDN) || ldapDN.getNormName().equals(jndiName.getNormName())) {
                return;
            }
            throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append("Access to admin account not permitted for user '").append(jndiName).append("'.  Only the admin can").toString()).append(" access admin account information").toString());
        }
        if (ldapDN.getNormName().equals(jndiName.getNormName())) {
            return;
        }
        throw new LdapNoPermissionException(new StringBuffer().append(new StringBuffer().append(new StringBuffer().append("Access to group '").append(ldapDN).append("' not permitted").toString()).append(" for user '").append(jndiName).append("'.  Only the admin can").toString()).append(" access group information").toString());
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public NamingEnumeration search(NextInterceptor nextInterceptor, LdapDN ldapDN, Map map, ExprNode exprNode, SearchControls searchControls) throws NamingException {
        NamingEnumeration search = nextInterceptor.search(ldapDN, map, exprNode, searchControls);
        return !this.enabled ? search : new SearchResultFilteringEnumeration(search, searchControls, InvocationStack.getInstance().peek(), new SearchResultFilter(this) { // from class: org.apache.directory.server.core.authz.DefaultAuthorizationService.1
            private final DefaultAuthorizationService this$0;

            {
                this.this$0 = this;
            }

            @Override // org.apache.directory.server.core.enumeration.SearchResultFilter
            public boolean accept(Invocation invocation, SearchResult searchResult, SearchControls searchControls2) throws NamingException {
                return this.this$0.isSearchable(invocation, searchResult);
            }
        });
    }

    @Override // org.apache.directory.server.core.interceptor.BaseInterceptor, org.apache.directory.server.core.interceptor.Interceptor
    public NamingEnumeration list(NextInterceptor nextInterceptor, LdapDN ldapDN) throws NamingException {
        NamingEnumeration list = nextInterceptor.list(ldapDN);
        return !this.enabled ? list : new SearchResultFilteringEnumeration(list, (SearchControls) null, InvocationStack.getInstance().peek(), new SearchResultFilter(this) { // from class: org.apache.directory.server.core.authz.DefaultAuthorizationService.2
            private final DefaultAuthorizationService this$0;

            {
                this.this$0 = this;
            }

            @Override // org.apache.directory.server.core.enumeration.SearchResultFilter
            public boolean accept(Invocation invocation, SearchResult searchResult, SearchControls searchControls) throws NamingException {
                return this.this$0.isSearchable(invocation, searchResult);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isSearchable(Invocation invocation, SearchResult searchResult) throws NamingException {
        LdapDN jndiName = invocation.getCaller().getPrincipal().getJndiName();
        LdapDN ldapDN = new LdapDN(searchResult.getName());
        ldapDN.normalize(this.normalizerMapping);
        if (isAnAdministrator(jndiName) || ldapDN.toNormName().equals(jndiName.toNormName())) {
            return true;
        }
        return (ldapDN.size() <= 2 || !(ldapDN.toNormName().endsWith(USER_BASE_DN_NORMALIZED.toNormName()) || ldapDN.toNormName().endsWith(GROUP_BASE_DN_NORMALIZED.toNormName()))) && !isTheAdministrator(ldapDN);
    }
}
