package org.opends.server.authorization.dseecompat;

import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.SortedSet;
import java.util.concurrent.locks.Lock;
import org.opends.messages.AccessControlMessages;
import org.opends.messages.Message;
import org.opends.server.admin.std.server.DseeCompatAccessControlHandlerCfg;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.ClientConnection;
import org.opends.server.backends.jeb.EntryContainer;
import org.opends.server.config.ConfigConstants;
import org.opends.server.config.ConfigException;
import org.opends.server.controls.GetEffectiveRightsRequestControl;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ExtendedOperation;
import org.opends.server.core.SearchOperation;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.ldap.LDAPControl;
import org.opends.server.schema.SchemaConstants;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.AttributeValues;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DereferencePolicy;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager;
import org.opends.server.types.Operation;
import org.opends.server.types.Privilege;
import org.opends.server.types.RDN;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchResultReference;
import org.opends.server.types.SearchScope;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;
import org.opends.server.workflowelement.localbackend.LocalBackendAddOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendBindOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendCompareOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendDeleteOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendModifyDNOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendSearchOperation;

/* loaded from: input_file:org/opends/server/authorization/dseecompat/AciHandler.class */
public final class AciHandler extends AccessControlHandler<DseeCompatAccessControlHandlerCfg> {
    public static final String ALL_ATTRS_RESOURCE_ENTRY = "allAttrsResourceEntry";
    public static final String ALL_OP_ATTRS_MATCHED = "allOpAttrsMatched";
    public static final String ALL_USER_ATTRS_MATCHED = "allUserAttrsMatched";
    public static final String ORIG_AUTH_ENTRY = "origAuthorizationEntry";
    static AttributeType aciType;
    static AttributeType globalAciType;
    private static AttributeType debugSearchIndex;
    private static DN debugSearchIndexDN;
    private static AttributeType refAttrType;
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    private AciList aciList;
    private AciListenerManager aciListenerMgr;

    private static void initStatics() {
        AttributeType attributeType = DirectoryServer.getAttributeType("aci");
        aciType = attributeType;
        if (attributeType == null) {
            aciType = DirectoryServer.getDefaultAttributeType("aci");
        }
        AttributeType attributeType2 = DirectoryServer.getAttributeType(ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI);
        globalAciType = attributeType2;
        if (attributeType2 == null) {
            globalAciType = DirectoryServer.getDefaultAttributeType(ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI);
        }
        AttributeType attributeType3 = DirectoryServer.getAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX);
        debugSearchIndex = attributeType3;
        if (attributeType3 == null) {
            debugSearchIndex = DirectoryServer.getDefaultAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX);
        }
        AttributeType attributeType4 = DirectoryServer.getAttributeType(ServerConstants.ATTR_REFERRAL_URL);
        refAttrType = attributeType4;
        if (attributeType4 == null) {
            refAttrType = DirectoryServer.getDefaultAttributeType(ServerConstants.ATTR_REFERRAL_URL);
        }
        try {
            debugSearchIndexDN = DN.decode("cn=debugsearch");
        } catch (DirectoryException e) {
        }
    }

    @Override // org.opends.server.api.AccessControlHandler
    public SearchResultEntry filterEntry(SearchOperation searchOperation, SearchResultEntry searchResultEntry) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(searchOperation, 4, searchResultEntry);
        aciLDAPOperationContainer.setSeenEntry(true);
        boolean skipAccessCheck = skipAccessCheck(searchOperation);
        SearchResultEntry accessAllowedAttrs = !skipAccessCheck ? accessAllowedAttrs(aciLDAPOperationContainer) : searchResultEntry;
        if (aciLDAPOperationContainer.hasGetEffectiveRightsControl()) {
            accessAllowedAttrs = AciEffectiveRights.addRightsToEntry(this, searchOperation.getAttributes(), aciLDAPOperationContainer, accessAllowedAttrs, skipAccessCheck);
        }
        return accessAllowedAttrs;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public SearchResultEntry filterEntry(Operation operation, Entry entry) {
        return accessAllowedAttrs(new AciLDAPOperationContainer(operation, 4, entry));
    }

    @Override // org.opends.server.api.AccessControlHandler
    public void finalizeAccessControlHandler() {
        this.aciListenerMgr.finalizeListenerManager();
        AciEffectiveRights.finalizeOnShutdown();
        DirectoryServer.deregisterSupportedControl(ServerConstants.OID_GET_EFFECTIVE_RIGHTS);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg dseeCompatAccessControlHandlerCfg) throws ConfigException, InitializationException {
        initStatics();
        DN dn = dseeCompatAccessControlHandlerCfg.dn();
        this.aciList = new AciList(dn);
        this.aciListenerMgr = new AciListenerManager(this.aciList, dn);
        processGlobalAcis(dseeCompatAccessControlHandlerCfg);
        processConfigAcis();
        DirectoryServer.registerSupportedControl(ServerConstants.OID_GET_EFFECTIVE_RIGHTS);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(DN dn, Operation operation, Control control) throws DirectoryException {
        boolean skipAccessCheck = skipAccessCheck(operation);
        boolean z = skipAccessCheck;
        if (!skipAccessCheck) {
            z = accessAllowed(new AciLDAPOperationContainer(operation, new Entry(dn, null, null, null), control, 16388));
        }
        if (control.getOID().equals(ServerConstants.OID_PROXIED_AUTH_V2) || control.getOID().equals(ServerConstants.OID_PROXIED_AUTH_V1)) {
            operation.setAttachment(ORIG_AUTH_ENTRY, operation.getAuthorizationEntry());
        } else if (control.getOID().equals(ServerConstants.OID_GET_EFFECTIVE_RIGHTS)) {
            operation.setAttachment(ServerConstants.OID_GET_EFFECTIVE_RIGHTS, control instanceof LDAPControl ? GetEffectiveRightsRequestControl.DECODER.decode(control.isCritical(), ((LDAPControl) control).getValue()) : (GetEffectiveRightsRequestControl) control);
        }
        return z;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(ExtendedOperation extendedOperation) {
        boolean skipAccessCheck = skipAccessCheck(extendedOperation);
        boolean z = skipAccessCheck;
        if (!skipAccessCheck) {
            z = accessAllowed(new AciLDAPOperationContainer(extendedOperation, new Entry(extendedOperation.getAuthorizationDN(), null, null, null), 32772));
        }
        return z;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendAddOperation localBackendAddOperation) throws DirectoryException {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendAddOperation, 32);
        boolean isAllowed = isAllowed(aciLDAPOperationContainer, localBackendAddOperation);
        if (isAllowed) {
            isAllowed = verifySyntax(localBackendAddOperation.getEntryToAdd(), localBackendAddOperation, aciLDAPOperationContainer.getClientDN());
        }
        return isAllowed;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendBindOperation localBackendBindOperation) {
        return true;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendCompareOperation localBackendCompareOperation) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendCompareOperation, 1);
        String rawAttributeType = localBackendCompareOperation.getRawAttributeType();
        int indexOf = rawAttributeType.indexOf(59);
        String lowerCase = indexOf > 0 ? StaticUtils.toLowerCase(rawAttributeType.substring(0, indexOf)) : StaticUtils.toLowerCase(rawAttributeType);
        AttributeType attributeType = DirectoryServer.getAttributeType(lowerCase);
        AttributeType attributeType2 = attributeType;
        if (attributeType == null) {
            attributeType2 = DirectoryServer.getDefaultAttributeType(lowerCase);
        }
        AttributeValue create = AttributeValues.create(attributeType2, localBackendCompareOperation.getAssertionValue());
        aciLDAPOperationContainer.setCurrentAttributeType(attributeType2);
        aciLDAPOperationContainer.setCurrentAttributeValue(create);
        return isAllowed(aciLDAPOperationContainer, localBackendCompareOperation);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendDeleteOperation localBackendDeleteOperation) {
        return isAllowed(new AciLDAPOperationContainer(localBackendDeleteOperation, 16), localBackendDeleteOperation);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendModifyDNOperation localBackendModifyDNOperation) {
        boolean z = true;
        RDN rdn = localBackendModifyDNOperation.getOriginalEntry().getDN().getRDN();
        RDN newRDN = localBackendModifyDNOperation.getNewRDN();
        if (!skipAccessCheck(localBackendModifyDNOperation)) {
            DN newSuperior = localBackendModifyDNOperation.getNewSuperior();
            if (newSuperior != null) {
                try {
                    z = aciCheckSuperiorEntry(newSuperior, localBackendModifyDNOperation);
                } catch (DirectoryException e) {
                    z = false;
                }
            }
            boolean equals = rdn.equals(newRDN);
            if (z && !equals) {
                z = aciCheckRDNs(localBackendModifyDNOperation, rdn, newRDN);
            }
            if (z && newSuperior != null) {
                AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendModifyDNOperation, Aci.ACI_EXPORT, localBackendModifyDNOperation.getOriginalEntry());
                if (!equals) {
                    aciLDAPOperationContainer.setSeenEntry(true);
                }
                z = accessAllowed(aciLDAPOperationContainer);
            }
        }
        return z;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendModifyOperation localBackendModifyOperation) throws DirectoryException {
        return aciCheckMods(new AciLDAPOperationContainer(localBackendModifyOperation, 0), localBackendModifyOperation, skipAccessCheck(localBackendModifyOperation));
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendSearchOperation localBackendSearchOperation) {
        return true;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(Operation operation, Entry entry, SearchFilter searchFilter) throws DirectoryException {
        return testFilter(new AciLDAPOperationContainer(operation, 4, entry), searchFilter);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean mayProxy(Entry entry, Entry entry2, Operation operation) {
        boolean skipAccessCheck = skipAccessCheck(entry);
        boolean z = skipAccessCheck;
        if (!skipAccessCheck) {
            z = accessAllowedEntry(new AciLDAPOperationContainer(operation, entry2, new AuthenticationInfo(entry, DirectoryServer.isRootDN(entry.getDN())), 128));
        }
        return z;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean maySend(DN dn, SearchOperation searchOperation, SearchResultReference searchResultReference) {
        boolean skipAccessCheck = skipAccessCheck(searchOperation);
        boolean z = skipAccessCheck;
        if (!skipAccessCheck) {
            Entry entry = new Entry(dn, null, null, null);
            AttributeBuilder attributeBuilder = new AttributeBuilder(refAttrType, ServerConstants.ATTR_REFERRAL_URL);
            Iterator<String> it = searchResultReference.getReferralURLs().iterator();
            while (it.hasNext()) {
                attributeBuilder.add(AttributeValues.create(refAttrType, it.next()));
            }
            entry.addAttribute(attributeBuilder.toAttribute(), null);
            AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(searchOperation, 4, new SearchResultEntry(entry));
            aciLDAPOperationContainer.setCurrentAttributeType(refAttrType);
            z = accessAllowed(aciLDAPOperationContainer);
        }
        return z;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean maySend(SearchOperation searchOperation, SearchResultEntry searchResultEntry) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(searchOperation, 2, searchResultEntry);
        boolean skipAccessCheck = skipAccessCheck(searchOperation);
        boolean z = skipAccessCheck;
        if (!skipAccessCheck) {
            try {
                z = testFilter(aciLDAPOperationContainer, searchOperation.getFilter());
            } catch (DirectoryException e) {
                z = false;
            }
            if (z) {
                aciLDAPOperationContainer.clearEvalAttributes(0);
                aciLDAPOperationContainer.setRights(4);
                z = accessAllowedEntry(aciLDAPOperationContainer);
                if (z) {
                    if (!aciLDAPOperationContainer.hasEvalUserAttributes()) {
                        searchOperation.setAttachment(ALL_USER_ATTRS_MATCHED, ALL_USER_ATTRS_MATCHED);
                    }
                    if (!aciLDAPOperationContainer.hasEvalOpAttributes()) {
                        searchOperation.setAttachment(ALL_OP_ATTRS_MATCHED, ALL_OP_ATTRS_MATCHED);
                    }
                }
            }
        }
        searchOperation.setAttachment(ALL_ATTRS_RESOURCE_ENTRY, searchResultEntry);
        return z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean accessAllowed(AciContainer aciContainer) {
        DN dn = aciContainer.getResourceEntry().getDN();
        if (aciContainer.hasRights(Aci.ACI_WRITE_ADD) || aciContainer.hasRights(Aci.ACI_WRITE_DELETE)) {
            aciContainer.setRights(aciContainer.getRights() | 8);
        }
        if (aciContainer.getCurrentAttributeValue() != null && aciContainer.hasRights(8) && isAttributeDN(aciContainer.getCurrentAttributeType())) {
            String str = null;
            try {
                str = aciContainer.getCurrentAttributeValue().getValue().toString();
                if (DN.decode(str).equals(aciContainer.getClientDN())) {
                    aciContainer.setRights(aciContainer.getRights() | 64);
                }
            } catch (DirectoryException e) {
                ErrorLogger.logError(AccessControlMessages.WARN_ACI_NOT_VALID_DN.get(str));
            }
        }
        if (!aciContainer.hasSeenEntry()) {
            if (aciContainer.isProxiedAuthorization() && !aciContainer.hasRights(128) && !aciContainer.hasRights(Aci.ACI_SKIP_PROXY_CHECK)) {
                int rights = aciContainer.getRights();
                aciContainer.setRights(128);
                aciContainer.useOrigAuthorizationEntry(true);
                if (!accessAllowed(aciContainer)) {
                    return false;
                }
                aciContainer.setRights(rights);
                aciContainer.useOrigAuthorizationEntry(false);
            }
            aciContainer.setSeenEntry(true);
        }
        createApplicableList(this.aciList.getCandidateAcis(dn), aciContainer);
        boolean testApplicableLists = testApplicableLists(aciContainer);
        if (aciContainer.isGetEffectiveRightsEval()) {
            AciEffectiveRights.createSummary(aciContainer, testApplicableLists, "main");
        }
        return testApplicableLists;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean accessAllowedEntry(AciLDAPOperationContainer aciLDAPOperationContainer) {
        aciLDAPOperationContainer.setIsFirstAttribute(true);
        Iterator<AttributeType> it = getAllAttrs(aciLDAPOperationContainer.getResourceEntry()).iterator();
        while (it.hasNext()) {
            aciLDAPOperationContainer.setCurrentAttributeType(it.next());
            if (accessAllowed(aciLDAPOperationContainer)) {
                if (!aciLDAPOperationContainer.hasEntryTestRule()) {
                    return true;
                }
                aciLDAPOperationContainer.setCurrentAttributeType(null);
                return accessAllowed(aciLDAPOperationContainer) || !aciLDAPOperationContainer.isDenyEval();
            }
        }
        return false;
    }

    private SearchResultEntry accessAllowedAttrs(AciLDAPOperationContainer aciLDAPOperationContainer) {
        Entry resourceEntry = aciLDAPOperationContainer.getResourceEntry();
        for (AttributeType attributeType : getAllAttrs(resourceEntry)) {
            if (!aciLDAPOperationContainer.hasAllUserAttributes() || attributeType.isOperational()) {
                if (!aciLDAPOperationContainer.hasAllOpAttributes() || !attributeType.isOperational()) {
                    aciLDAPOperationContainer.setCurrentAttributeType(attributeType);
                    if (!accessAllowed(aciLDAPOperationContainer)) {
                        resourceEntry.removeAttribute(attributeType);
                    }
                }
            }
        }
        return aciLDAPOperationContainer.getSearchResultEntry();
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:45:0x0160. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:80:0x023b  */
    /* JADX WARN: Removed duplicated region for block: B:87:0x0251 A[Catch: AciException -> 0x0266, TryCatch #0 {AciException -> 0x0266, blocks: (B:85:0x0246, B:87:0x0251, B:88:0x0256), top: B:84:0x0246 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean aciCheckMods(org.opends.server.authorization.dseecompat.AciLDAPOperationContainer r6, org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation r7, boolean r8) throws org.opends.server.types.DirectoryException {
        /*
            Method dump skipped, instructions count: 655
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.opends.server.authorization.dseecompat.AciHandler.aciCheckMods(org.opends.server.authorization.dseecompat.AciLDAPOperationContainer, org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation, boolean):boolean");
    }

    private boolean aciCheckRDNs(LocalBackendModifyDNOperation localBackendModifyDNOperation, RDN rdn, RDN rdn2) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendModifyDNOperation, 8, localBackendModifyDNOperation.getOriginalEntry());
        boolean accessAllowed = accessAllowed(aciLDAPOperationContainer);
        if (accessAllowed) {
            accessAllowed = checkRDN(Aci.ACI_WRITE_ADD, rdn2, aciLDAPOperationContainer);
        }
        if (accessAllowed && localBackendModifyDNOperation.deleteOldRDN()) {
            accessAllowed = checkRDN(Aci.ACI_WRITE_DELETE, rdn, aciLDAPOperationContainer);
        }
        return accessAllowed;
    }

    private boolean aciCheckSuperiorEntry(DN dn, LocalBackendModifyDNOperation localBackendModifyDNOperation) throws DirectoryException {
        Lock lock = null;
        for (int i = 0; i < 3; i++) {
            lock = LockManager.lockRead(dn);
            if (lock != null) {
                break;
            }
        }
        if (lock == null) {
            ErrorLogger.logError(AccessControlMessages.WARN_ACI_HANDLER_CANNOT_LOCK_NEW_SUPERIOR_USER.get(String.valueOf(dn)));
            return false;
        }
        try {
            Entry entry = DirectoryServer.getEntry(dn);
            return entry != null ? accessAllowed(new AciLDAPOperationContainer(localBackendModifyDNOperation, 256, entry)) : false;
        } finally {
            LockManager.unlock(dn, lock);
        }
    }

    private boolean checkRDN(int i, RDN rdn, AciContainer aciContainer) {
        boolean z = false;
        int numValues = rdn.getNumValues();
        aciContainer.setRights(i);
        for (int i2 = 0; i2 < numValues; i2++) {
            AttributeType attributeType = rdn.getAttributeType(i2);
            AttributeValue attributeValue = rdn.getAttributeValue(i2);
            aciContainer.setCurrentAttributeType(attributeType);
            aciContainer.setCurrentAttributeValue(attributeValue);
            boolean accessAllowed = accessAllowed(aciContainer);
            z = accessAllowed;
            if (!accessAllowed) {
                break;
            }
        }
        return z;
    }

    private void createApplicableList(LinkedList<Aci> linkedList, AciTargetMatchContext aciTargetMatchContext) {
        LinkedList<Aci> linkedList2 = new LinkedList<>();
        LinkedList<Aci> linkedList3 = new LinkedList<>();
        Iterator<Aci> it = linkedList.iterator();
        while (it.hasNext()) {
            Aci next = it.next();
            if (Aci.isApplicable(next, aciTargetMatchContext)) {
                if (next.hasAccessType(EnumAccessType.DENY)) {
                    linkedList2.add(next);
                }
                if (next.hasAccessType(EnumAccessType.ALLOW)) {
                    linkedList3.add(next);
                }
            }
            if (aciTargetMatchContext.getTargAttrFiltersMatch()) {
                aciTargetMatchContext.setTargAttrFiltersMatch(false);
            }
        }
        aciTargetMatchContext.setAllowList(linkedList3);
        aciTargetMatchContext.setDenyList(linkedList2);
    }

    private List<AttributeType> getAllAttrs(Entry entry) {
        Map<AttributeType, List<Attribute>> userAttributes = entry.getUserAttributes();
        Map<AttributeType, List<Attribute>> operationalAttributes = entry.getOperationalAttributes();
        LinkedList linkedList = new LinkedList();
        Attribute objectClassAttribute = entry.getObjectClassAttribute();
        if (objectClassAttribute != null) {
            linkedList.add(objectClassAttribute.getAttributeType());
        }
        linkedList.addAll(userAttributes.keySet());
        linkedList.addAll(operationalAttributes.keySet());
        return linkedList;
    }

    private boolean isAllowed(AciLDAPOperationContainer aciLDAPOperationContainer, Operation operation) {
        return skipAccessCheck(operation) || accessAllowed(aciLDAPOperationContainer);
    }

    private boolean isAttributeDN(AttributeType attributeType) {
        return attributeType.getSyntaxOID().equals(SchemaConstants.SYNTAX_DN_OID);
    }

    private void processConfigAcis() throws InitializationException {
        try {
            DN decode = DN.decode(ConfigConstants.DN_CONFIG_ROOT);
            LinkedHashSet<String> linkedHashSet = new LinkedHashSet<>(1);
            linkedHashSet.add("aci");
            LinkedList<Message> linkedList = new LinkedList<>();
            InternalSearchOperation processSearch = InternalClientConnection.getRootConnection().processSearch(decode, SearchScope.WHOLE_SUBTREE, DereferencePolicy.NEVER_DEREF_ALIASES, 0, 0, false, SearchFilter.createFilterFromString("aci=*"), linkedHashSet);
            if (!processSearch.getSearchEntries().isEmpty()) {
                int addAci = this.aciList.addAci(processSearch.getSearchEntries(), linkedList);
                if (!linkedList.isEmpty()) {
                    this.aciListenerMgr.logMsgsSetLockDownMode(linkedList);
                }
                ErrorLogger.logError(AccessControlMessages.INFO_ACI_ADD_LIST_ACIS.get(Integer.toString(addAci), String.valueOf(decode)));
            }
        } catch (DirectoryException e) {
            throw new InitializationException(AccessControlMessages.INFO_ACI_HANDLER_FAIL_PROCESS_ACI.get(), e);
        }
    }

    private void processGlobalAcis(DseeCompatAccessControlHandlerCfg dseeCompatAccessControlHandlerCfg) throws InitializationException {
        SortedSet<Aci> globalACI = dseeCompatAccessControlHandlerCfg.getGlobalACI();
        if (globalACI != null) {
            try {
                this.aciList.addAci(DN.nullDN(), globalACI);
                ErrorLogger.logError(AccessControlMessages.INFO_ACI_ADD_LIST_GLOBAL_ACIS.get(Integer.toString(globalACI.size())));
            } catch (Exception e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                throw new InitializationException(AccessControlMessages.INFO_ACI_HANDLER_FAIL_PROCESS_GLOBAL_ACI.get(String.valueOf(dseeCompatAccessControlHandlerCfg.dn())), e);
            }
        }
    }

    private boolean skipAccessCheck(Entry entry) {
        return ClientConnection.hasPrivilege(entry, Privilege.BYPASS_ACL);
    }

    private boolean skipAccessCheck(Operation operation) {
        return operation.getClientConnection().hasPrivilege(Privilege.BYPASS_ACL, operation);
    }

    private boolean testApplicableLists(AciEvalContext aciEvalContext) {
        aciEvalContext.setEvalReason(EnumEvalReason.NO_REASON);
        LinkedList<Aci> denyList = aciEvalContext.getDenyList();
        LinkedList<Aci> allowList = aciEvalContext.getAllowList();
        aciEvalContext.setDenyEval(true);
        if (allowList.isEmpty() && (!aciEvalContext.isGetEffectiveRightsEval() || aciEvalContext.hasRights(64) || !aciEvalContext.isTargAttrFilterMatchAciEmpty())) {
            aciEvalContext.setEvalReason(EnumEvalReason.NO_ALLOW_ACIS);
            aciEvalContext.setDecidingAci(null);
            return false;
        }
        Iterator<Aci> it = denyList.iterator();
        while (it.hasNext()) {
            Aci next = it.next();
            EnumEvalResult evaluate = Aci.evaluate(aciEvalContext, next);
            if (evaluate.equals(EnumEvalResult.FAIL)) {
                aciEvalContext.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
                aciEvalContext.setDecidingAci(next);
                return false;
            }
            if (evaluate.equals(EnumEvalResult.TRUE)) {
                if (!aciEvalContext.isGetEffectiveRightsEval() || aciEvalContext.hasRights(64) || aciEvalContext.isTargAttrFilterMatchAciEmpty()) {
                    aciEvalContext.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
                    aciEvalContext.setDecidingAci(next);
                    return false;
                }
                if (!AciEffectiveRights.setTargAttrAci(aciEvalContext, next, true)) {
                    aciEvalContext.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
                    aciEvalContext.setDecidingAci(next);
                    return false;
                }
            }
        }
        aciEvalContext.setDenyEval(false);
        Iterator<Aci> it2 = allowList.iterator();
        while (it2.hasNext()) {
            Aci next2 = it2.next();
            if (Aci.evaluate(aciEvalContext, next2).equals(EnumEvalResult.TRUE)) {
                if (!aciEvalContext.isGetEffectiveRightsEval() || aciEvalContext.hasRights(64) || aciEvalContext.isTargAttrFilterMatchAciEmpty()) {
                    aciEvalContext.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
                    aciEvalContext.setDecidingAci(next2);
                    return true;
                }
                if (!AciEffectiveRights.setTargAttrAci(aciEvalContext, next2, false)) {
                    aciEvalContext.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
                    aciEvalContext.setDecidingAci(next2);
                    return true;
                }
            }
        }
        aciEvalContext.setEvalReason(EnumEvalReason.NO_MATCHED_ALLOWS_ACIS);
        aciEvalContext.setDecidingAci(null);
        return false;
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:8:0x0029. Please report as an issue. */
    private boolean testFilter(AciLDAPOperationContainer aciLDAPOperationContainer, SearchFilter searchFilter) throws DirectoryException {
        boolean z = true;
        if (debugSearchIndexDN.equals(aciLDAPOperationContainer.getResourceDN()) && aciLDAPOperationContainer.getResourceEntry().hasAttribute(debugSearchIndex)) {
            return true;
        }
        switch (searchFilter.getFilterType()) {
            case AND:
            case OR:
                Iterator<SearchFilter> it = searchFilter.getFilterComponents().iterator();
                while (it.hasNext()) {
                    if (!testFilter(aciLDAPOperationContainer, it.next())) {
                        return false;
                    }
                }
                return z;
            case NOT:
                z = testFilter(aciLDAPOperationContainer, searchFilter.getNotComponent());
                return z;
            default:
                aciLDAPOperationContainer.setCurrentAttributeType(searchFilter.getAttributeType());
                z = accessAllowed(aciLDAPOperationContainer);
                return z;
        }
    }

    private boolean verifySyntax(Entry entry, Operation operation, DN dn) throws DirectoryException {
        if (!entry.hasOperationalAttribute(aciType)) {
            return true;
        }
        if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
            ErrorLogger.logError(AccessControlMessages.INFO_ACI_ADD_FAILED_PRIVILEGE.get(String.valueOf(entry.getDN()), String.valueOf(dn)));
            return false;
        }
        Iterator<Attribute> it = entry.getOperationalAttribute(aciType, null).iterator();
        while (it.hasNext()) {
            for (AttributeValue attributeValue : it.next()) {
                try {
                    Aci.decode(attributeValue.getValue(), entry.getDN());
                } catch (AciException e) {
                    throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, AccessControlMessages.WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry.getDN()), e.getMessage()));
                }
            }
        }
        return true;
    }

    static {
        initStatics();
    }
}
