package org.opends.server.authorization.dseecompat;

import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.SearchResultEntry;

/* loaded from: input_file:org/opends/server/authorization/dseecompat/AciEffectiveRights.class */
/**
 * Decorates a search result entry with the {@code aclRights} and
 * {@code aclRightsInfo} attributes when they are requested in a search.
 *
 * <p>Every method here works by mutating a shared
 * {@link AciLDAPOperationContainer} (current attribute type, current
 * attribute value, rights mask) and then asking the {@link AciHandler} for a
 * decision. The order of those mutations is significant: each evaluation
 * reads whatever state the previous step left behind.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>Unless the skip flag is set, the rights attributes are only produced
 *       after {@code rightsAccessAllowed} confirms access to the requested
 *       {@code aclRights} / {@code aclRightsInfo} attribute types.</li>
 *   <li>When the skip flag is set and
 *       {@code isAuthzidAuthorizationDN()} holds, every right is reported as
 *       granted without any ACI evaluation (reason {@code SKIP_ACI}).</li>
 *   <li>The {@code aclRightsInfo} values are built from the evaluation
 *       summary, which embeds the client DN, the resource DN and the name of
 *       the deciding ACI; treat that attribute as sensitive output.</li>
 * </ul>
 */
public class AciEffectiveRights {
    /** Request-mask bit set when the {@code aclRights} attribute was requested. */
    private static final int ACL_RIGHTS = 1;
    /** Request-mask bit set when the {@code aclRightsInfo} attribute was requested. */
    private static final int ACL_RIGHTS_INFO = 2;
    /** targattrfilters match operation recorded by {@link #setTargAttrAci} when its flag is true. */
    private static final int ACL_TARGATTR_DENY_MATCH = 4;
    /** targattrfilters match operation recorded by {@link #setTargAttrAci} when its flag is false. */
    private static final int ACL_TARGATTR_ALLOW_MATCH = 8;
    private static final String aclRightsAttrStr = "aclRights";
    private static final String aclRightsInfoAttrStr = "aclRightsInfo";
    private static final String entryLevelStr = "entryLevel";
    private static final String attributeLevelStr = "attributeLevel";
    private static final String aclRightsEntryLevelStr = "aclRights;entryLevel";
    private static final String aclRightsAttributeLevelStr = "aclRights;attributeLevel";
    private static final String aclRightsInfoAttrLogsStr = "aclRightsInfo;logs;attributeLevel";
    private static final String aclRightsInfoEntryLogsStr = "aclRightsInfo;logs;entryLevel";
    private static final String dnAttrStr = "distinguishedname";

    // Rights masks handed to setRights(). Each one is named after the label it
    // is reported under. All of them carry the same high bit 0x400000.
    // NOTE(review): that bit presumably tells the handler to skip proxy
    // checking during these evaluations; confirm against the Aci constants.
    private static final int COMPARE_RIGHTS = 0x400001;
    private static final int SEARCH_RIGHTS = 0x400002;
    private static final int READ_RIGHTS = 0x400004;
    private static final int ENTRY_WRITE_RIGHTS = 0x400008;
    private static final int DELETE_RIGHTS = 0x400010;
    private static final int ADD_RIGHTS = 0x400020;
    private static final int PROXY_RIGHTS = 0x400080;
    /** Used for "selfwrite_delete" and for the second half of the attribute "write" check. */
    private static final int WRITE_DELETE_RIGHTS = 0x400400;
    /** Used for "selfwrite_add" and for the first half of the attribute "write" check. */
    private static final int WRITE_ADD_RIGHTS = 0x400800;

    // Attribute types resolved on first use by addRightsToEntry. The
    // initialisation is unsynchronised; concurrent callers may each perform
    // the lookup.
    private static AttributeType aclRights = null;
    private static AttributeType aclRightsInfo = null;
    private static AttributeType dnAttributeType = null;

    // Fragments of the human-readable evaluation summary.
    private static final String ALLOWED = "access allowed";
    private static final String NOT_ALLOWED = "access not allowed";
    private static final String anonymous = "anonymous";
    private static final String summaryFormatStr = "acl_summary(%s): %s(%s) on entry/attr(%s, %s) to (%s) (not proxied) ( reason: %s %s)";
    private static final String EVALUATED_ALLOW = "evaluated allow";
    private static final String EVALUATED_DENY = "evaluated deny";
    private static final String NO_ALLOWS = "no acis matched the resource";
    private static final String NO_ALLOWS_MATCHED = "no acis matched the subject";
    private static final String SKIP_ACI = "user has bypass-acl privileges";

    /**
     * Adds the requested effective-rights attributes to a search result entry.
     *
     * <p>The entry is returned untouched when neither {@code aclRights} nor
     * {@code aclRightsInfo} is among the requested names, or when {@code z}
     * is false and the access check on those attribute types fails.
     *
     * @param aciHandler handler used to evaluate access
     * @param linkedHashSet attribute names requested by the search; "*" and
     *        "+" expand to the entry's user and operational attribute types
     * @param aciLDAPOperationContainer evaluation container; it is switched
     *        into effective-rights mode and its current type, value and
     *        rights are overwritten
     * @param searchResultEntry entry to decorate
     * @param z skip flag; when true the access check on the rights
     *        attributes themselves is not performed. NOTE(review): judging
     *        by the SKIP_ACI text this presumably means the requester holds
     *        the bypass-acl privilege; confirm at the call site.
     * @return the entry that was passed in, possibly with attributes added
     */
    public static SearchResultEntry addRightsToEntry(AciHandler aciHandler, LinkedHashSet<String> linkedHashSet, AciLDAPOperationContainer aciLDAPOperationContainer, SearchResultEntry searchResultEntry, boolean z) {
        List<AttributeType> requestedTypes = new LinkedList<AttributeType>();
        int requestMask = 0;
        if (aclRights == null) {
            aclRights = DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase());
        }
        if (aclRightsInfo == null) {
            aclRightsInfo = DirectoryServer.getAttributeType(aclRightsInfoAttrStr.toLowerCase());
        }
        if (dnAttributeType == null) {
            dnAttributeType = DirectoryServer.getAttributeType(dnAttrStr);
        }
        for (String requestedName : linkedHashSet) {
            if (requestedName.equalsIgnoreCase(aclRightsAttrStr)) {
                requestMask |= ACL_RIGHTS;
            } else if (requestedName.equalsIgnoreCase(aclRightsInfoAttrStr)) {
                requestMask |= ACL_RIGHTS_INFO;
            } else if (requestedName.equals("*")) {
                requestedTypes.add(DirectoryServer.getObjectClassAttributeType());
                requestedTypes.addAll(searchResultEntry.getUserAttributes().keySet());
            } else if (requestedName.equals("+")) {
                requestedTypes.addAll(searchResultEntry.getOperationalAttributes().keySet());
            } else {
                // Names the schema does not know still get a default type so
                // that rights can be reported for them.
                AttributeType resolved = DirectoryServer.getAttributeType(requestedName);
                if (resolved == null) {
                    resolved = DirectoryServer.getDefaultAttributeType(requestedName);
                }
                requestedTypes.add(resolved);
            }
        }
        if (requestMask == 0) {
            return searchResultEntry;
        }
        // Reading the rights attributes is itself access controlled unless
        // the skip flag short-circuits the check.
        if (!z && !rightsAccessAllowed(aciLDAPOperationContainer, aciHandler, requestMask)) {
            return searchResultEntry;
        }
        aciLDAPOperationContainer.setGetEffectiveRightsEval();
        aciLDAPOperationContainer.useAuthzid(true);
        SearchResultEntry decorated = searchResultEntry;
        if (!requestedTypes.isEmpty()) {
            decorated = addAttributeLevelRights(aciLDAPOperationContainer, aciHandler, requestMask, decorated, requestedTypes, z, false);
        }
        // The container's own specific attributes are always processed, after
        // the requested ones.
        decorated = addAttributeLevelRights(aciLDAPOperationContainer, aciHandler, requestMask, decorated, aciLDAPOperationContainer.getSpecificAttributes(), z, true);
        return addEntryLevelRights(aciLDAPOperationContainer, aciHandler, requestMask, decorated, z);
    }

    /**
     * Evaluates search, read, compare, write, selfwrite_add, selfwrite_delete
     * and proxy for every attribute type in {@code attrTypes} and records the
     * results on the entry. A null list is a no-op.
     *
     * @param specificAttrs when false, the two selfwrite evaluations run with
     *        the container's current attribute type switched to the
     *        distinguished-name type
     * @return the same entry instance
     */
    private static SearchResultEntry addAttributeLevelRights(AciLDAPOperationContainer container, AciHandler handler, int requestMask, SearchResultEntry entry, List<AttributeType> attrTypes, boolean skipCheck, boolean specificAttrs) {
        if (attrTypes == null) {
            return entry;
        }
        for (AttributeType attrType : attrTypes) {
            StringBuilder rights = new StringBuilder();
            container.setCurrentAttributeType(attrType);
            container.setCurrentAttributeValue(null);
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, SEARCH_RIGHTS, "search");
            rights.append(',');
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, READ_RIGHTS, "read");
            rights.append(',');
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, COMPARE_RIGHTS, "compare");
            rights.append(',');

            // The write check runs against a placeholder value; a result of
            // "?" is reported when the outcome depends on the real value.
            container.setCurrentAttributeValue(new AttributeValue(attrType, "dum###Val"));
            rights.append(attributeLevelWriteRights(container, handler, skipCheck));
            addAttrLevelRightsInfo(container, requestMask, attrType, entry, "write");
            rights.append(',');

            // The selfwrite checks use the client's own DN as the value.
            AttributeValue clientDnValue = new AttributeValue(attrType, new ASN1OctetString(container.getClientDN().toString()));
            if (!specificAttrs) {
                container.setCurrentAttributeType(dnAttributeType);
            }
            container.setCurrentAttributeValue(clientDnValue);
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, WRITE_ADD_RIGHTS, "selfwrite_add");
            rights.append(',');
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, WRITE_DELETE_RIGHTS, "selfwrite_delete");
            rights.append(',');

            // Restore the real attribute type before the proxy check.
            container.setCurrentAttributeType(attrType);
            container.setCurrentAttributeValue(null);
            appendAttrRight(rights, container, handler, requestMask, attrType, entry, skipCheck, PROXY_RIGHTS, "proxy");

            if (hasAttrMask(requestMask, ACL_RIGHTS)) {
                String rightsAttrName = "aclRights;attributeLevel;" + attrType.getNormalizedPrimaryName();
                AttributeType rightsAttrType = DirectoryServer.getDefaultAttributeType(rightsAttrName);
                LinkedHashSet<AttributeValue> values = new LinkedHashSet<AttributeValue>();
                values.add(new AttributeValue(rightsAttrType, rights.toString()));
                Attribute rightsAttr = new Attribute(rightsAttrType, rightsAttrName, values);
                // An attribute type seen twice keeps its first result.
                if (!entry.hasAttribute(rightsAttrType)) {
                    entry.addAttribute(rightsAttr, null);
                }
            }
        }
        container.setCurrentAttributeValue(null);
        container.setCurrentAttributeType(null);
        return entry;
    }

    /**
     * Sets {@code rights} on the container, appends the resulting
     * {@code label:0|1} string to {@code out} and records the matching
     * {@code aclRightsInfo} value for {@code attrType}.
     */
    private static void appendAttrRight(StringBuilder out, AciLDAPOperationContainer container, AciHandler handler, int requestMask, AttributeType attrType, SearchResultEntry entry, boolean skipCheck, int rights, String label) {
        container.setRights(rights);
        out.append(rightsString(container, handler, skipCheck, label));
        addAttrLevelRightsInfo(container, requestMask, attrType, entry, label);
    }

    /**
     * Builds the attribute-level {@code write} result.
     *
     * @return {@code write:1} when both the add-value and the delete-value
     *         checks pass without a targattrfilters ACI name being set,
     *         {@code write:?} when such a name is set after the checks, and
     *         {@code write:0} otherwise
     */
    private static String attributeLevelWriteRights(AciLDAPOperationContainer container, AciHandler handler, boolean skipCheck) {
        if (skipCheck && container.isAuthzidAuthorizationDN()) {
            // No ACI evaluation at all: report the right as granted.
            container.setEvalReason(EnumEvalReason.SKIP_ACI);
            container.setDecidingAci(null);
            createSummary(container, true, "main");
            return "write" + ":1";
        }
        container.resetEffectiveRightsParams();
        container.setTargAttrFiltersAciName(null);
        container.setRights(WRITE_ADD_RIGHTS);
        boolean addGranted = handler.accessAllowed(container) && container.getTargAttrFiltersAciName() == null;
        container.setRights(WRITE_DELETE_RIGHTS);
        boolean deleteGranted = handler.accessAllowed(container) && container.getTargAttrFiltersAciName() == null;
        String verdict;
        if (addGranted && deleteGranted) {
            verdict = ":1";
        } else if (container.getTargAttrFiltersAciName() != null) {
            verdict = ":?";
        } else {
            verdict = ":0";
        }
        return "write" + verdict;
    }

    /**
     * Evaluates add, delete, read, write and proxy on the entry as a whole
     * (current attribute type cleared) and records the results.
     *
     * @return the same entry instance
     */
    private static SearchResultEntry addEntryLevelRights(AciLDAPOperationContainer container, AciHandler handler, int requestMask, SearchResultEntry entry, boolean skipCheck) {
        StringBuilder rights = new StringBuilder();
        container.setCurrentAttributeType(null);
        rights.append(entryRight(container, handler, requestMask, entry, skipCheck, ADD_RIGHTS, "add"));
        rights.append(',');
        container.setCurrentAttributeType(null);
        rights.append(entryRight(container, handler, requestMask, entry, skipCheck, DELETE_RIGHTS, "delete"));
        rights.append(',');
        // Only the read evaluation runs with the full resource entry enabled.
        container.setCurrentAttributeType(null);
        container.useFullResourceEntry(true);
        rights.append(entryRight(container, handler, requestMask, entry, skipCheck, READ_RIGHTS, "read"));
        rights.append(',');
        container.useFullResourceEntry(false);
        container.setCurrentAttributeType(null);
        rights.append(entryRight(container, handler, requestMask, entry, skipCheck, ENTRY_WRITE_RIGHTS, "write"));
        rights.append(',');
        container.setCurrentAttributeType(null);
        rights.append(entryRight(container, handler, requestMask, entry, skipCheck, PROXY_RIGHTS, "proxy"));
        if (hasAttrMask(requestMask, ACL_RIGHTS)) {
            AttributeType rightsAttrType = DirectoryServer.getDefaultAttributeType(aclRightsEntryLevelStr);
            LinkedHashSet<AttributeValue> values = new LinkedHashSet<AttributeValue>();
            values.add(new AttributeValue(rightsAttrType, rights.toString()));
            entry.addAttribute(new Attribute(rightsAttrType, aclRightsEntryLevelStr, values), null);
        }
        return entry;
    }

    /**
     * Sets {@code rights} on the container, evaluates it, records the
     * entry-level {@code aclRightsInfo} value and returns the
     * {@code label:0|1} string.
     */
    private static String entryRight(AciLDAPOperationContainer container, AciHandler handler, int requestMask, SearchResultEntry entry, boolean skipCheck, int rights, String label) {
        container.setRights(rights);
        String verdict = rightsString(container, handler, skipCheck, label);
        addEntryLevelRightsInfo(container, requestMask, entry, label);
        return verdict;
    }

    /**
     * Evaluates the rights currently set on the container and formats the
     * outcome as {@code label:1} (granted) or {@code label:0} (denied).
     */
    private static String rightsString(AciLDAPOperationContainer container, AciHandler handler, boolean skipCheck, String label) {
        container.resetEffectiveRightsParams();
        if (skipCheck && container.isAuthzidAuthorizationDN()) {
            // Granted without consulting any ACI; the summary says why.
            container.setEvalReason(EnumEvalReason.SKIP_ACI);
            container.setDecidingAci(null);
            createSummary(container, true, "main");
            return label + ":1";
        }
        boolean granted;
        // 4 is the low part of READ_RIGHTS: a read with no current attribute
        // type goes through the entry-level check.
        if (container.hasRights(4) && container.getCurrentAttributeType() == null) {
            granted = handler.accessAllowedEntry(container);
        } else {
            granted = handler.accessAllowed(container);
        }
        return label + (granted ? ":1" : ":0");
    }

    /**
     * Checks read access to the rights attribute types that were requested.
     * Both checks are always performed when both attributes were requested.
     *
     * @return true only if every requested rights attribute is readable
     */
    private static boolean rightsAccessAllowed(AciLDAPOperationContainer container, AciHandler handler, int requestMask) {
        boolean rightsReadable = true;
        boolean infoReadable = true;
        if (hasAttrMask(requestMask, ACL_RIGHTS)) {
            container.setCurrentAttributeType(aclRights);
            container.setRights(READ_RIGHTS);
            rightsReadable = handler.accessAllowed(container);
        }
        if (hasAttrMask(requestMask, ACL_RIGHTS_INFO)) {
            container.setCurrentAttributeType(aclRightsInfo);
            container.setRights(READ_RIGHTS);
            infoReadable = handler.accessAllowed(container);
        }
        return rightsReadable && infoReadable;
    }

    /**
     * When {@code aclRightsInfo} was requested, stores the container's
     * current evaluation summary on the entry under an attribute named after
     * the right and the attribute type. An existing attribute of that name is
     * left alone.
     */
    private static void addAttrLevelRightsInfo(AciLDAPOperationContainer container, int requestMask, AttributeType attrType, SearchResultEntry entry, String label) {
        if (!hasAttrMask(requestMask, ACL_RIGHTS_INFO)) {
            return;
        }
        String infoAttrName = "aclRightsInfo;logs;attributeLevel;" + label + ";" + attrType.getPrimaryName();
        AttributeType infoAttrType = DirectoryServer.getDefaultAttributeType(infoAttrName);
        LinkedHashSet<AttributeValue> values = new LinkedHashSet<AttributeValue>();
        values.add(new AttributeValue(infoAttrType, container.getEvalSummary()));
        Attribute infoAttr = new Attribute(infoAttrType, infoAttrName, values);
        if (!entry.hasAttribute(infoAttrType)) {
            entry.addAttribute(infoAttr, null);
        }
    }

    /**
     * When {@code aclRightsInfo} was requested, stores the container's
     * current evaluation summary on the entry under an entry-level attribute
     * named after the right. Unlike the attribute-level variant this adds
     * unconditionally.
     */
    private static void addEntryLevelRightsInfo(AciLDAPOperationContainer container, int requestMask, SearchResultEntry entry, String label) {
        if (!hasAttrMask(requestMask, ACL_RIGHTS_INFO)) {
            return;
        }
        String infoAttrName = "aclRightsInfo;logs;entryLevel;" + label;
        AttributeType infoAttrType = DirectoryServer.getDefaultAttributeType(infoAttrName);
        LinkedHashSet<AttributeValue> values = new LinkedHashSet<AttributeValue>();
        values.add(new AttributeValue(infoAttrType, container.getEvalSummary()));
        entry.addAttribute(new Attribute(infoAttrType, infoAttrName, values), null);
    }

    /** Returns true when {@code mask} and {@code bits} share at least one set bit. */
    private static boolean hasAttrMask(int mask, int bits) {
        return 0 != (mask & bits);
    }

    /**
     * Formats the evaluation summary and stores it on the context via
     * {@code setEvalSummary}. As a side effect the targattrfilters ACI name
     * on the context may be cleared.
     *
     * <p>The summary contains the client DN (or "anonymous" for the null DN),
     * the resource DN, the current attribute type name and, for evaluated
     * allow/deny outcomes, the name of the deciding ACI.
     *
     * @param aciEvalContext context holding the evaluation state
     * @param z true when access was allowed
     * @param str tag placed inside {@code acl_summary(...)}
     */
    public static void createSummary(AciEvalContext aciEvalContext, boolean z, String str) {
        final String outcome = z ? ALLOWED : NOT_ALLOWED;
        final EnumEvalReason reason = aciEvalContext.getEvalReason();
        String reasonText = "";
        String detail = "";
        if (reason == EnumEvalReason.EVALUATED_ALLOW_ACI) {
            reasonText = EVALUATED_ALLOW;
            detail = detail + ", deciding_aci: " + aciEvalContext.getDecidingAciName();
        } else if (reason == EnumEvalReason.EVALUATED_DENY_ACI) {
            reasonText = EVALUATED_DENY;
            detail = detail + ", deciding_aci: " + aciEvalContext.getDecidingAciName();
        } else if (reason == EnumEvalReason.NO_ALLOW_ACIS) {
            reasonText = NO_ALLOWS;
        } else if (reason == EnumEvalReason.NO_MATCHED_ALLOWS_ACIS) {
            reasonText = NO_ALLOWS_MATCHED;
        } else if (reason == EnumEvalReason.SKIP_ACI) {
            reasonText = SKIP_ACI;
        }

        // Decide whether the recorded targattrfilters ACI name still applies.
        // NOTE(review): 64 is not paired with a label in this class;
        // presumably it is the "self" right; confirm against the Aci constants.
        if (!aciEvalContext.isTargAttrFilterMatchAciEmpty() && !aciEvalContext.hasRights(64)) {
            boolean clearFilterAciName;
            if (aciEvalContext.getAllowList().isEmpty()) {
                clearFilterAciName = true;
            } else if (z) {
                clearFilterAciName = !aciEvalContext.hasTargAttrFiltersMatchOp(ACL_TARGATTR_DENY_MATCH);
            } else if (aciEvalContext.getEvalReason() == EnumEvalReason.EVALUATED_DENY_ACI) {
                clearFilterAciName = true;
            } else {
                clearFilterAciName = !aciEvalContext.hasTargAttrFiltersMatchOp(ACL_TARGATTR_ALLOW_MATCH);
            }
            if (clearFilterAciName) {
                aciEvalContext.setTargAttrFiltersAciName(null);
            }
        }

        String clientName = anonymous;
        if (!aciEvalContext.getClientDN().isNullDN()) {
            clientName = aciEvalContext.getClientDN().toString();
        }
        String rightName = aciEvalContext.rightToString();
        AttributeType currentType = aciEvalContext.getCurrentAttributeType();
        String attrName = "NULL";
        if (currentType != null) {
            attrName = currentType.getPrimaryName();
        }
        if (aciEvalContext.getTargAttrFiltersAciName() != null) {
            detail = detail + ", access depends on attr value";
        }
        aciEvalContext.setEvalSummary(String.format(summaryFormatStr, str, outcome, rightName, aciEvalContext.getResourceDN().toString(), attrName, clientName, reasonText, detail));
    }

    /**
     * Records a targattrfilters match operation on the context when
     * {@code aci} is one of its targattrfilters match ACIs.
     *
     * @param aciEvalContext context to update
     * @param aci ACI to look up
     * @param z when true {@code ACL_TARGATTR_DENY_MATCH} is recorded,
     *        otherwise {@code ACL_TARGATTR_ALLOW_MATCH}
     * @return true if the ACI matched and an operation was recorded
     */
    public static boolean setTargAttrAci(AciEvalContext aciEvalContext, Aci aci, boolean z) {
        if (!aciEvalContext.hasTargAttrFiltersMatchAci(aci)) {
            return false;
        }
        aciEvalContext.setTargAttrFiltersMatchOp(z ? ACL_TARGATTR_DENY_MATCH : ACL_TARGATTR_ALLOW_MATCH);
        return true;
    }
}
