package org.apache.directory.server.core.authz;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.filtering.EntryFilter;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.interceptor.context.ListOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.normalizers.OidNormalizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/apacheds-all-1.5.5.jar:org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.class */
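/**
 * Fallback authorization interceptor that protects a fixed set of entries when the
 * ACI subsystem is switched off: the rootDSE, the system administrator account, the
 * administrators group, and everything below the users and groups base DNs.
 *
 * <p>The rules are hard-coded. Administrators (the admin account plus the members of
 * the administrators group, as read from its {@code uniqueMember} values) may do
 * anything; other principals may read and modify their own entry and are denied
 * access to the protected entries listed above. Every denial is logged at error
 * level and surfaces as an {@link LdapNoPermissionException}.
 *
 * <p>When {@link DirectoryService#isAccessControlEnabled()} is true this interceptor
 * is disabled and passes every operation straight to the next interceptor.
 */
public class DefaultAuthorizationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationInterceptor.class);

    // Normalized anchor DNs used by every rule below. They are static but assigned
    // from init(), so they reflect whichever instance was initialized last.
    private static LdapDN USER_BASE_DN;
    private static LdapDN GROUP_BASE_DN;
    private static LdapDN ADMIN_GROUP_DN;

    /** False while the ACI subsystem is enabled; then every operation is passed through untouched. */
    private boolean enabled = true;

    /** Normalized DNs read from the uniqueMember values of the administrators group; replaced as a whole by loadAdministrators(). */
    private Set<String> administrators = new HashSet<String>(2);

    private Map<String, OidNormalizer> normalizerMapping;
    private PartitionNexus nexus;
    private AttributeType uniqueMemberAT;

    /** Single filter shared by search() and list(); hides entries the principal may not see. */
    private final EntryFilter visibilityFilter = new EntryFilter() {
        @Override
        public boolean accept(SearchingOperationContext searchingOperationContext, ClonedServerEntry clonedServerEntry) throws Exception {
            return isSearchable(searchingOperationContext, clonedServerEntry);
        }
    };

    /**
     * Resolves the normalized anchor DNs and the uniqueMember attribute type, decides
     * whether this interceptor is active, and loads the initial administrator set.
     *
     * @param directoryService the service this interceptor is installed in
     * @throws Exception if a DN cannot be normalized or the administrators group cannot be read
     */
    @Override
    public void init(DirectoryService directoryService) throws Exception {
        this.nexus = directoryService.getPartitionNexus();
        this.normalizerMapping = directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
        // This interceptor only acts when the ACI subsystem does not.
        this.enabled = !directoryService.isAccessControlEnabled();
        USER_BASE_DN = normalized(PartitionNexus.getUsersBaseName());
        GROUP_BASE_DN = normalized(PartitionNexus.getGroupsBaseName());
        ADMIN_GROUP_DN = normalized(new LdapDN(ServerDNConstants.ADMINISTRATORS_GROUP_DN));
        this.uniqueMemberAT = directoryService.getRegistries().getAttributeTypeRegistry().lookup(SchemaConstants.UNIQUE_MEMBER_AT_OID);
        loadAdministrators(directoryService);
    }

    /**
     * Normalizes {@code dn} in place with this interceptor's normalizer mapping and returns it.
     *
     * @param dn the DN to normalize; it is mutated
     * @return the same instance, normalized
     * @throws Exception if normalization fails
     */
    private LdapDN normalized(LdapDN dn) throws Exception {
        dn.normalize(this.normalizerMapping);
        return dn;
    }

    /**
     * Re-reads the administrators group through the nexus, acting as the admin
     * principal, and replaces the cached administrator set with the normalized
     * uniqueMember values. If the group entry is missing the cached set is kept;
     * if the group has no uniqueMember attribute the set becomes empty (the admin
     * account itself is still recognized by {@link #isTheAdministrator}).
     *
     * @param directoryService service used to build the admin session and normalizer mapping
     * @throws Exception if the lookup or a DN normalization fails
     */
    private void loadAdministrators(DirectoryService directoryService) throws Exception {
        LdapDN adminDn = new LdapDN(ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED);
        adminDn.normalize(directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping());
        LdapPrincipal adminPrincipal = new LdapPrincipal(adminDn, AuthenticationLevel.STRONG);
        DefaultCoreSession adminSession = new DefaultCoreSession(adminPrincipal, directoryService);
        ClonedServerEntry adminGroup = this.nexus.lookup(new LookupOperationContext(adminSession, ADMIN_GROUP_DN));
        if (adminGroup == null) {
            return;
        }
        // A group whose last member was removed has no uniqueMember attribute at all;
        // treat that as "no extra administrators" instead of failing with an NPE.
        Iterable<Value<?>> members = adminGroup.get(this.uniqueMemberAT);
        Set<String> loaded = new HashSet<String>(2);
        if (members == null) {
            LOG.warn("The Administrators group has no uniqueMember values; only the admin account is treated as an administrator.");
        } else {
            for (Value<?> member : members) {
                LdapDN memberDn = new LdapDN(member.getString());
                memberDn.normalize(this.normalizerMapping);
                loaded.add(memberDn.getNormName());
            }
        }
        this.administrators = loaded;
    }

    /**
     * Logs a refusal and builds the exception the caller throws, so that every rule
     * logs and fails in the same way.
     *
     * @param message the reason, also used as the exception message
     * @return the exception to throw
     */
    private static LdapNoPermissionException deny(String message) {
        LOG.error(message);
        return new LdapNoPermissionException(message);
    }

    /**
     * Refuses deletion of the rootDSE, the administrators group and the admin account
     * for everyone, and of entries below the users and groups bases for non-administrators.
     *
     * @throws LdapNoPermissionException when one of the rules above applies
     * @throws Exception from the next interceptor
     */
    @Override
    public void delete(NextInterceptor nextInterceptor, DeleteOperationContext deleteOperationContext) throws Exception {
        if (!this.enabled) {
            nextInterceptor.delete(deleteOperationContext);
            return;
        }
        LdapDN dn = deleteOperationContext.getDn();
        LdapDN principalDn = getPrincipal().getJndiName();
        if (dn.isEmpty()) {
            throw deny("The rootDSE cannot be deleted!");
        }
        if (isAdminGroup(dn)) {
            throw deny("The Administrators group cannot be deleted!");
        }
        if (isTheAdministrator(dn)) {
            throw deny("User " + principalDn.getUpName() + " does not have permission to delete the admin account. No one not even the admin can delete this account!");
        }
        // The bases themselves (size 2) are not covered; only entries below them are.
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.startsWith(USER_BASE_DN)) {
                throw deny("User " + principalDn.getUpName() + " does not have permission to delete the user account: " + dn.getUpName() + ". Only the admin can delete user accounts.");
            }
            if (dn.startsWith(GROUP_BASE_DN)) {
                throw deny("User " + principalDn.getUpName() + " does not have permission to delete the group entry: " + dn.getUpName() + ". Only the admin can delete groups.");
            }
        }
        nextInterceptor.delete(deleteOperationContext);
    }

    /** True when {@code dn} is the administrators group (compared on normalized names). */
    private boolean isAdminGroup(LdapDN dn) {
        return dn.getNormName().equals(ADMIN_GROUP_DN.getNormName());
    }

    /** True when {@code dn} is the system administrator account (compared on normalized names). */
    private boolean isTheAdministrator(LdapDN dn) {
        return dn.getNormName().equals(ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED);
    }

    /** True for the admin account and for every cached member of the administrators group. */
    private boolean isAnAdministrator(LdapDN dn) {
        return isTheAdministrator(dn) || this.administrators.contains(dn.getNormName());
    }

    /**
     * Applies the modify rules, delegates, and refreshes the cached administrator set
     * when the administrators group itself was modified.
     *
     * @throws LdapNoPermissionException when the principal may not modify the entry
     * @throws Exception from the next interceptor or the administrator reload
     */
    @Override
    public void modify(NextInterceptor nextInterceptor, ModifyOperationContext modifyOperationContext) throws Exception {
        if (!this.enabled) {
            nextInterceptor.modify(modifyOperationContext);
            return;
        }
        LdapDN dn = modifyOperationContext.getDn();
        protectModifyAlterations(dn);
        nextInterceptor.modify(modifyOperationContext);
        // Membership may just have changed; re-read it from the stored entry.
        if (isAdminGroup(dn)) {
            loadAdministrators(modifyOperationContext.getSession().getDirectoryService());
        }
    }

    /**
     * Refuses modification of the rootDSE for everyone, and of the admin account and of
     * entries below the users and groups bases for principals that are neither
     * administrators nor the owner of the entry.
     *
     * @param dn the entry being modified
     * @throws LdapNoPermissionException when one of the rules above applies
     * @throws Exception if the principal cannot be resolved
     */
    private void protectModifyAlterations(LdapDN dn) throws Exception {
        LdapDN principalDn = getPrincipal().getJndiName();
        if (dn.isEmpty()) {
            throw deny("The rootDSE cannot be modified!");
        }
        // Administrators may modify anything; every principal may modify its own entry.
        if (isAnAdministrator(principalDn) || dn.getNormName().equals(principalDn.getNormName())) {
            return;
        }
        if (isTheAdministrator(dn)) {
            throw deny("User " + principalDn.getUpName() + " does not have permission to modify the account of the admin user.");
        }
        if (dn.size() > 2) {
            if (dn.startsWith(USER_BASE_DN)) {
                throw deny("User " + principalDn.getUpName() + " does not have permission to modify the account of the user " + dn.getUpName() + ".\nEven the owner of an account cannot modify it.\nUser accounts can only be modified by the administrator.");
            }
            if (dn.startsWith(GROUP_BASE_DN)) {
                throw deny("User " + principalDn.getUpName() + " does not have permission to modify the group entry " + dn.getUpName() + ".\nGroups can only be modified by the admin.");
            }
        }
    }

    /** Applies the move/rename rules to the entry being renamed, then delegates. */
    @Override
    public void rename(NextInterceptor nextInterceptor, RenameOperationContext renameOperationContext) throws Exception {
        if (this.enabled) {
            protectDnAlterations(renameOperationContext.getDn());
        }
        nextInterceptor.rename(renameOperationContext);
    }

    /** Applies the move/rename rules to the entry being moved, then delegates. */
    @Override
    public void move(NextInterceptor nextInterceptor, MoveOperationContext moveOperationContext) throws Exception {
        if (this.enabled) {
            protectDnAlterations(moveOperationContext.getDn());
        }
        nextInterceptor.move(moveOperationContext);
    }

    /** Applies the move/rename rules to the entry being moved and renamed, then delegates. */
    @Override
    public void moveAndRename(NextInterceptor nextInterceptor, MoveAndRenameOperationContext moveAndRenameOperationContext) throws Exception {
        if (this.enabled) {
            protectDnAlterations(moveAndRenameOperationContext.getDn());
        }
        nextInterceptor.moveAndRename(moveAndRenameOperationContext);
    }

    /**
     * Refuses moving or renaming the rootDSE, the administrators group and the admin
     * account for everyone, and entries below the users and groups bases for
     * non-administrators. Only the original DN is checked, not the target.
     *
     * @param dn the entry being moved or renamed
     * @throws LdapNoPermissionException when one of the rules above applies
     * @throws Exception if the principal cannot be resolved
     */
    private void protectDnAlterations(LdapDN dn) throws Exception {
        LdapDN principalDn = getPrincipal().getJndiName();
        if (dn.isEmpty()) {
            throw deny("The rootDSE cannot be moved or renamed!");
        }
        if (isAdminGroup(dn)) {
            throw deny("The Administrators group cannot be moved or renamed!");
        }
        if (isTheAdministrator(dn)) {
            throw deny("User '" + principalDn.getUpName() + "' does not have permission to move or rename the admin account.  No one not even the admin can move or rename " + dn.getUpName() + "!");
        }
        if (dn.size() > 2 && !isAnAdministrator(principalDn)) {
            if (dn.startsWith(USER_BASE_DN)) {
                throw deny("User '" + principalDn.getUpName() + "' does not have permission to move or rename the user account: " + dn.getUpName() + ". Only the admin can move or rename user accounts.");
            }
            if (dn.startsWith(GROUP_BASE_DN)) {
                throw deny("User " + principalDn.getUpName() + " does not have permission to move or rename the group entry " + dn.getUpName() + ".\nGroups can only be moved or renamed by the admin.");
            }
        }
    }

    /**
     * Authorizes the lookup before delegating, so a denied principal gets the same
     * refusal whether or not the protected entry exists.
     *
     * @return the entry from the next interceptor
     * @throws LdapNoPermissionException when the effective principal may not read the entry
     * @throws Exception from the next interceptor
     */
    @Override
    public ClonedServerEntry lookup(NextInterceptor nextInterceptor, LookupOperationContext lookupOperationContext) throws Exception {
        if (this.enabled) {
            protectLookUp(lookupOperationContext.getSession().getEffectivePrincipal().getJndiName(), lookupOperationContext.getDn());
        }
        return nextInterceptor.lookup(lookupOperationContext);
    }

    /**
     * Refuses reading entries below the users and groups bases, and the admin account,
     * unless the principal is an administrator or is reading its own entry.
     *
     * @param principalDn the effective principal of the session
     * @param dn          the entry being read
     * @throws LdapNoPermissionException when one of the rules above applies
     * @throws Exception never from this method itself; declared for uniformity with the other rule methods
     */
    private void protectLookUp(LdapDN principalDn, LdapDN dn) throws Exception {
        if (isAnAdministrator(principalDn)) {
            return;
        }
        boolean ownEntry = dn.getNormName().equals(principalDn.getNormName());
        if (dn.size() > 2) {
            if (dn.startsWith(USER_BASE_DN)) {
                if (ownEntry) {
                    return;
                }
                throw deny("Access to user account '" + dn.getUpName() + "' not permitted for user '" + principalDn.getUpName() + "'.  Only the admin can access user account information");
            }
            if (dn.startsWith(GROUP_BASE_DN)) {
                if (ownEntry) {
                    return;
                }
                throw deny("Access to group '" + dn.getUpName() + "' not permitted for user '" + principalDn.getUpName() + "'.  Only the admin can access group information");
            }
        }
        if (isTheAdministrator(dn) && !ownEntry) {
            throw deny("Access to admin account not permitted for user '" + principalDn.getUpName() + "'.  Only the admin can access admin account information");
        }
    }

    /** Delegates, then filters the result cursor through {@link #isSearchable} while enabled. */
    @Override
    public EntryFilteringCursor search(NextInterceptor nextInterceptor, SearchOperationContext searchOperationContext) throws Exception {
        EntryFilteringCursor cursor = nextInterceptor.search(searchOperationContext);
        if (this.enabled) {
            cursor.addEntryFilter(visibilityFilter);
        }
        return cursor;
    }

    /** Delegates, then filters the result cursor through {@link #isSearchable} while enabled. */
    @Override
    public EntryFilteringCursor list(NextInterceptor nextInterceptor, ListOperationContext listOperationContext) throws Exception {
        EntryFilteringCursor cursor = nextInterceptor.list(listOperationContext);
        if (this.enabled) {
            cursor.addEntryFilter(visibilityFilter);
        }
        return cursor;
    }

    /**
     * Decides whether a search or list result may be returned to the effective
     * principal: administrators see everything, every principal sees its own entry,
     * and everyone else is denied entries below the users and groups bases and the
     * admin account. The entry's DN is normalized in place if it was not already.
     *
     * @param operationContext   the running search or list operation
     * @param clonedServerEntry  the candidate entry
     * @return true when the entry may be returned
     * @throws Exception if the DN cannot be normalized
     */
    public boolean isSearchable(OperationContext operationContext, ClonedServerEntry clonedServerEntry) throws Exception {
        LdapDN principalDn = operationContext.getSession().getEffectivePrincipal().getJndiName();
        LdapDN dn = clonedServerEntry.getDn();
        if (!dn.isNormalized()) {
            dn.normalize(this.normalizerMapping);
        }
        if (isAnAdministrator(principalDn) || dn.getNormName().equals(principalDn.getNormName())) {
            return true;
        }
        // Component-wise suffix match, the same test the delete/modify/lookup rules use,
        // rather than a plain string endsWith on the normalized name.
        boolean underProtectedBase = dn.size() > 2 && (dn.startsWith(USER_BASE_DN) || dn.startsWith(GROUP_BASE_DN));
        return !underProtectedBase && !isTheAdministrator(dn);
    }
}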
