package org.opends.server.authorization.dseecompat;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import org.forgerock.json.resource.PatchOperation;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.ldap.schema.CoreSchema;
import org.forgerock.opendj.ldap.schema.Schema;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.Attribute;
import org.opends.server.types.Attributes;
import org.opends.server.types.Entry;
import org.slf4j.Marker;

/* JADX WARN: Classes with same name are omitted:
  input_file:embedded-opendj/opendj.zip:opendj/lib/opendj.jar:org/opends/server/authorization/dseecompat/AciEffectiveRights.class
 */
/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-server-legacy.jar:org/opends/server/authorization/dseecompat/AciEffectiveRights.class */
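/**
 * Adds effective-rights results to an entry as {@code aclRights} and
 * {@code aclRightsInfo} attributes.
 *
 * <p>For each requested attribute, and for the entry itself, the class sets a rights
 * mask on the operation container, asks the {@link AciHandler} whether access is
 * allowed, and records the answer as {@code <right>:1}, {@code <right>:0} or, for
 * attribute-level write only, {@code <right>:?}. The per-evaluation summary string is
 * optionally recorded under {@code aclRightsInfo;logs;...}.
 *
 * <p>Security-relevant points visible in this file:
 * <ul>
 *   <li>Unless the caller passes the skip flag, nothing is added until the handler has
 *       granted the read mask on {@code aclRights} / {@code aclRightsInfo}
 *       themselves (see {@link #rightsAccessAllowed}).</li>
 *   <li>With the skip flag set and the authzid equal to the authorization DN, every
 *       right is reported as allowed without consulting any ACI; the summary then
 *       carries the reason "user has bypass-acl privileges".</li>
 * </ul>
 *
 * <p>The three cached {@link AttributeType} fields are filled lazily and without
 * synchronization; each assignment is an idempotent schema lookup.
 *
 * <p>NOTE(review): this listing is decompiler output. {@code Marker.ANY_NON_NULL_MARKER},
 * {@code PatchOperation.OPERATION_ADD} and {@code JsonProperty.USE_DEFAULT_NAME} are
 * constants from unrelated libraries that the decompiler matched by value; they stand
 * in for the literals {@code "+"}, {@code "add"} and {@code ""}.
 */
public class AciEffectiveRights {
    /** Request-mask bit: the search asked for the {@code aclRights} attribute. */
    private static final int ACL_RIGHTS = 1;
    /** Request-mask bit: the search asked for the {@code aclRightsInfo} attribute. */
    private static final int ACL_RIGHTS_INFO = 2;
    /** Match-op value recorded by {@link #setTargAttrAci} for a deny ACI. */
    private static final int ACL_TARGATTR_DENY_MATCH = 4;
    /** Match-op value recorded by {@link #setTargAttrAci} for an allow ACI. */
    private static final int ACL_TARGATTR_ALLOW_MATCH = 8;

    // Rights masks handed to setRights(). Each one is 0x400000 plus a single low bit,
    // and each is named after the right label it is paired with in this file.
    // NOTE(review): the shared 0x400000 bit is not named anywhere in this file; it is
    // presumably a "skip proxy check" flag defined alongside the rights in Aci - confirm.
    private static final int EVAL_COMPARE = 0x400001;
    private static final int EVAL_SEARCH = 0x400002;
    private static final int EVAL_READ = 0x400004;
    private static final int EVAL_WRITE = 0x400008;
    private static final int EVAL_DELETE = 0x400010;
    private static final int EVAL_ADD = 0x400020;
    private static final int EVAL_PROXY = 0x400080;
    /** Paired with "selfwrite_delete"; also the delete half of attribute-level "write". */
    private static final int EVAL_VALUE_DELETE = 0x400400;
    /** Paired with "selfwrite_add"; also the add half of attribute-level "write". */
    private static final int EVAL_VALUE_ADD = 0x400800;

    private static final String aclRightsAttrStr = "aclRights";
    private static final String aclRightsInfoAttrStr = "aclRightsInfo";
    private static final String entryLevelStr = "entryLevel";
    private static final String attributeLevelStr = "attributeLevel";
    private static final String aclRightsEntryLevelStr = "aclRights;entryLevel";
    private static final String aclRightsAttributeLevelStr = "aclRights;attributeLevel";
    private static final String aclRightsInfoAttrLogsStr = "aclRightsInfo;logs;attributeLevel";
    private static final String aclRightsInfoEntryLogsStr = "aclRightsInfo;logs;entryLevel";
    // Lazily resolved schema handles; cleared again by finalizeOnShutdown().
    private static AttributeType aclRights;
    private static AttributeType aclRightsInfo;
    private static AttributeType dnAttributeType;
    private static final String dnAttrStr = "distinguishedname";
    private static final String ALLOWED = "access allowed";
    private static final String NOT_ALLOWED = "access not allowed";
    private static final String anonymous = "anonymous";
    private static final String summaryFormatStr = "acl_summary(%s): %s(%s) on entry/attr(%s, %s) to (%s) (not proxied) ( reason: %s %s)";
    private static final String EVALUATED_ALLOW = "evaluated allow";
    private static final String EVALUATED_DENY = "evaluated deny";
    private static final String NO_ALLOWS = "no acis matched the resource";
    private static final String NO_ALLOWS_MATCHED = "no acis matched the subject";
    private static final String SKIP_ACI = "user has bypass-acl privileges";

    /**
     * Evaluates effective rights for {@code entry} and attaches the results to it.
     *
     * <p>Nothing is added unless {@code set} names {@code aclRights} and/or
     * {@code aclRightsInfo} (case-insensitive). Other names in {@code set} select the
     * attributes to evaluate: {@code "*"} expands to objectClass plus the entry's user
     * attributes, the {@code "+"} marker to its operational attributes, anything else is
     * looked up in the schema.
     *
     * @param aciHandler handler that performs the access evaluations
     * @param set attribute names requested by the search
     * @param aciLDAPOperationContainer evaluation context; its current attribute type,
     *        value and rights are overwritten during the call
     * @param entry entry that receives the result attributes
     * @param z when true, the read check on {@code aclRights}/{@code aclRightsInfo} is
     *        skipped and the flag is passed on to the per-right evaluations
     */
    public static void addRightsToEntry(AciHandler aciHandler, Set<String> set, AciLDAPOperationContainer aciLDAPOperationContainer, Entry entry, boolean z) {
        Schema schema = DirectoryServer.getInstance().getServerContext().getSchema();
        if (aclRights == null) {
            aclRights = schema.getAttributeType(aclRightsAttrStr);
        }
        if (aclRightsInfo == null) {
            aclRightsInfo = schema.getAttributeType(aclRightsInfoAttrStr);
        }
        if (dnAttributeType == null) {
            dnAttributeType = schema.getAttributeType(dnAttrStr);
        }

        List<AttributeType> requestedTypes = new LinkedList<>();
        int mask = 0;
        for (String name : set) {
            if (aclRightsAttrStr.equalsIgnoreCase(name)) {
                mask |= ACL_RIGHTS;
            } else if (aclRightsInfoAttrStr.equalsIgnoreCase(name)) {
                mask |= ACL_RIGHTS_INFO;
            } else if ("*".equals(name)) {
                requestedTypes.add(CoreSchema.getObjectClassAttributeType());
                requestedTypes.addAll(entry.getUserAttributes().keySet());
            } else if (Marker.ANY_NON_NULL_MARKER.equals(name)) {
                // Decompiler artifact: this constant is the "+" literal.
                requestedTypes.addAll(entry.getOperationalAttributes().keySet());
            } else {
                requestedTypes.add(schema.getAttributeType(name));
            }
        }

        if (mask == 0) {
            // Neither aclRights nor aclRightsInfo was requested.
            return;
        }
        // The requester must be able to read the result attributes themselves, unless
        // the caller asked for that check to be skipped.
        if (!z && !rightsAccessAllowed(aciLDAPOperationContainer, aciHandler, mask)) {
            return;
        }

        aciLDAPOperationContainer.setGetEffectiveRightsEval();
        aciLDAPOperationContainer.useAuthzid(true);
        if (!requestedTypes.isEmpty()) {
            addAttributeLevelRights(aciLDAPOperationContainer, aciHandler, mask, entry, requestedTypes, z, false);
        }
        addAttributeLevelRights(aciLDAPOperationContainer, aciHandler, mask, entry, aciLDAPOperationContainer.getSpecificAttributes(), z, true);
        addEntryLevelRights(aciLDAPOperationContainer, aciHandler, mask, entry, z);
    }

    /**
     * Evaluates search, read, compare, write, selfwrite_add, selfwrite_delete and proxy
     * for every attribute type in {@code types} and, when {@code aclRights} was
     * requested, adds one {@code aclRights;attributeLevel;<attr>} value per type.
     *
     * <p>The statement order matters: every {@code rightsString} call stores an
     * evaluation summary in the container, and the {@code addAttrLevelRightsInfo} call
     * that follows reads that summary.
     *
     * @param container evaluation context, mutated throughout and reset at the end
     * @param aciHandler handler that performs the access evaluations
     * @param mask request mask built by {@link #addRightsToEntry}
     * @param entry entry that receives the result attributes
     * @param types attribute types to evaluate; {@code null} is treated as empty
     * @param skipCheck passed through to the per-right evaluations
     * @param specificAttrs true when {@code types} came from the container's
     *        specific-attributes list; the selfwrite checks then stay on the attribute
     *        itself instead of switching to the distinguishedname type
     */
    private static void addAttributeLevelRights(AciLDAPOperationContainer container, AciHandler aciHandler, int mask, Entry entry, List<AttributeType> types, boolean skipCheck, boolean specificAttrs) {
        if (types == null) {
            return;
        }
        for (AttributeType type : types) {
            StringBuilder rights = new StringBuilder();
            container.setCurrentAttributeType(type);
            container.setCurrentAttributeValue(null);

            container.setRights(EVAL_SEARCH);
            rights.append(rightsString(container, aciHandler, skipCheck, "search"));
            addAttrLevelRightsInfo(container, mask, type, entry, "search");
            rights.append(',');

            container.setRights(EVAL_READ);
            rights.append(rightsString(container, aciHandler, skipCheck, "read"));
            addAttrLevelRightsInfo(container, mask, type, entry, "read");
            rights.append(',');

            container.setRights(EVAL_COMPARE);
            rights.append(rightsString(container, aciHandler, skipCheck, "compare"));
            addAttrLevelRightsInfo(container, mask, type, entry, "compare");
            rights.append(',');

            // Write is evaluated against a placeholder value; a value-dependent ACI
            // shows up as "write:?" (see attributeLevelWriteRights).
            container.setCurrentAttributeValue(ByteString.valueOfUtf8("dum###Val"));
            rights.append(attributeLevelWriteRights(container, aciHandler, skipCheck));
            addAttrLevelRightsInfo(container, mask, type, entry, "write");
            rights.append(',');

            // The selfwrite checks use the client's own DN as the attribute value.
            ByteString clientDnValue = ByteString.valueOfUtf8(container.getClientDN().toString());
            if (!specificAttrs) {
                container.setCurrentAttributeType(dnAttributeType);
            }
            container.setCurrentAttributeValue(clientDnValue);

            container.setRights(EVAL_VALUE_ADD);
            rights.append(rightsString(container, aciHandler, skipCheck, "selfwrite_add"));
            addAttrLevelRightsInfo(container, mask, type, entry, "selfwrite_add");
            rights.append(',');

            container.setRights(EVAL_VALUE_DELETE);
            rights.append(rightsString(container, aciHandler, skipCheck, "selfwrite_delete"));
            addAttrLevelRightsInfo(container, mask, type, entry, "selfwrite_delete");
            rights.append(',');

            container.setCurrentAttributeType(type);
            container.setCurrentAttributeValue(null);
            container.setRights(EVAL_PROXY);
            rights.append(rightsString(container, aciHandler, skipCheck, "proxy"));
            addAttrLevelRightsInfo(container, mask, type, entry, "proxy");

            if (hasAttrMask(mask, ACL_RIGHTS)) {
                Attribute result = Attributes.create(aclRightsAttributeLevelStr + ";" + type.getNameOrOID(), rights.toString());
                // Skip the add when the same attribute was requested twice.
                // NOTE(review): the check is keyed on the attribute type alone. If
                // Entry.hasAttribute(AttributeType) ignores attribute options, the
                // rights of every attribute after the first would be dropped - confirm.
                if (!entry.hasAttribute(result.getAttributeDescription().getAttributeType())) {
                    entry.addAttribute(result, (List<ByteString>) null);
                }
            }
        }
        // Leave no attribute-level state behind for later evaluations.
        container.setCurrentAttributeValue(null);
        container.setCurrentAttributeType(null);
    }

    /**
     * Computes the attribute-level write result.
     *
     * @return {@code "write:1"} when both the add and the delete evaluation are allowed
     *         and neither left a targattrfilters ACI name in the container;
     *         {@code "write:?"} when such a name is present after the evaluations (the
     *         answer depends on the attribute value); {@code "write:0"} otherwise. With
     *         {@code skipCheck} set and the authzid equal to the authorization DN the
     *         result is {@code "write:1"} and no ACI is evaluated.
     */
    private static String attributeLevelWriteRights(AciLDAPOperationContainer container, AciHandler aciHandler, boolean skipCheck) {
        if (skipCheck && container.isAuthzidAuthorizationDN()) {
            container.setEvaluationResult(EnumEvalReason.SKIP_ACI, null);
            container.setEvalSummary(createSummary(container, true));
            return "write:1";
        }

        container.resetEffectiveRightsParams();
        container.setTargAttrFiltersAciName(null);
        container.setRights(EVAL_VALUE_ADD);
        boolean addAllowed = aciHandler.accessAllowed(container) && container.getTargAttrFiltersAciName() == null;
        container.setRights(EVAL_VALUE_DELETE);
        boolean deleteAllowed = aciHandler.accessAllowed(container) && container.getTargAttrFiltersAciName() == null;

        if (addAllowed && deleteAllowed) {
            return "write:1";
        }
        if (container.getTargAttrFiltersAciName() != null) {
            return "write:?";
        }
        return "write:0";
    }

    /**
     * Evaluates add, delete, read, write and proxy on the entry itself and, when
     * {@code aclRights} was requested, adds the {@code aclRights;entryLevel} value.
     * As in the attribute-level method, each info call reads the summary stored by
     * the evaluation just before it.
     */
    private static void addEntryLevelRights(AciLDAPOperationContainer container, AciHandler aciHandler, int mask, Entry entry, boolean skipCheck) {
        StringBuilder rights = new StringBuilder();

        container.setCurrentAttributeType(null);
        container.setRights(EVAL_ADD);
        // Decompiler artifact: PatchOperation.OPERATION_ADD is the "add" literal.
        rights.append(rightsString(container, aciHandler, skipCheck, PatchOperation.OPERATION_ADD));
        addEntryLevelRightsInfo(container, mask, entry, PatchOperation.OPERATION_ADD);
        rights.append(',');

        container.setCurrentAttributeType(null);
        container.setRights(EVAL_DELETE);
        rights.append(rightsString(container, aciHandler, skipCheck, "delete"));
        addEntryLevelRightsInfo(container, mask, entry, "delete");
        rights.append(',');

        container.setCurrentAttributeType(null);
        container.setRights(EVAL_READ);
        rights.append(rightsString(container, aciHandler, skipCheck, "read"));
        addEntryLevelRightsInfo(container, mask, entry, "read");
        rights.append(',');

        container.setCurrentAttributeType(null);
        container.setRights(EVAL_WRITE);
        rights.append(rightsString(container, aciHandler, skipCheck, "write"));
        addEntryLevelRightsInfo(container, mask, entry, "write");
        rights.append(',');

        container.setCurrentAttributeType(null);
        container.setRights(EVAL_PROXY);
        rights.append(rightsString(container, aciHandler, skipCheck, "proxy"));
        addEntryLevelRightsInfo(container, mask, entry, "proxy");

        if (hasAttrMask(mask, ACL_RIGHTS)) {
            entry.addAttribute(Attributes.create(aclRightsEntryLevelStr, rights.toString()), (List<ByteString>) null);
        }
    }

    /**
     * Evaluates the rights currently set on the container and formats the verdict.
     *
     * <p>Fix over the decompiled listing: the nested conditional there parsed as
     * {@code cond ? accessAllowed(c) : (accessAllowedEntry(c) ? ":1" : ":0")}, so the
     * attribute-level path appended {@code "true"}/{@code "false"} instead of
     * {@code ":1"}/{@code ":0"}. Both paths now produce the same suffix as every other
     * branch in this class.
     *
     * @param right label of the right being evaluated, used as the prefix of the result
     * @return {@code right + ":1"} when access is allowed, {@code right + ":0"} otherwise
     */
    private static String rightsString(AciLDAPOperationContainer container, AciHandler aciHandler, boolean skipCheck, String right) {
        container.resetEffectiveRightsParams();
        if (skipCheck && container.isAuthzidAuthorizationDN()) {
            // No ACI is consulted on this path; the summary records the bypass reason.
            container.setEvaluationResult(EnumEvalReason.SKIP_ACI, null);
            container.setEvalSummary(createSummary(container, true));
            return right + ":1";
        }

        // 4 is the low bit of the read mask: a read check with no current attribute
        // type is an entry-level read and goes through accessAllowedEntry.
        boolean entryLevelRead = container.hasRights(4) && container.getCurrentAttributeType() == null;
        boolean allowed = entryLevelRead
                ? aciHandler.accessAllowedEntry(container)
                : aciHandler.accessAllowed(container);
        return right + (allowed ? ":1" : ":0");
    }

    /**
     * Checks that the requester may read the result attributes that were asked for.
     *
     * @return true only if every requested result attribute ({@code aclRights},
     *         {@code aclRightsInfo}) passes the handler's check with the read mask
     */
    private static boolean rightsAccessAllowed(AciLDAPOperationContainer container, AciHandler aciHandler, int mask) {
        boolean rightsReadable = true;
        boolean infoReadable = true;
        if (hasAttrMask(mask, ACL_RIGHTS)) {
            container.setCurrentAttributeType(aclRights);
            container.setRights(EVAL_READ);
            rightsReadable = aciHandler.accessAllowed(container);
        }
        if (hasAttrMask(mask, ACL_RIGHTS_INFO)) {
            container.setCurrentAttributeType(aclRightsInfo);
            container.setRights(EVAL_READ);
            infoReadable = aciHandler.accessAllowed(container);
        }
        return rightsReadable && infoReadable;
    }

    /**
     * When {@code aclRightsInfo} was requested, records the container's current
     * evaluation summary under
     * {@code aclRightsInfo;logs;attributeLevel;<right>;<attr>}, unless the entry
     * already has an attribute of the created attribute's type.
     */
    private static void addAttrLevelRightsInfo(AciLDAPOperationContainer container, int mask, AttributeType type, Entry entry, String right) {
        if (!hasAttrMask(mask, ACL_RIGHTS_INFO)) {
            return;
        }
        Attribute info = Attributes.create(aclRightsInfoAttrLogsStr + ";" + right + ";" + type.getNameOrOID(), container.getEvalSummary());
        if (!entry.hasAttribute(info.getAttributeDescription().getAttributeType())) {
            entry.addAttribute(info, (List<ByteString>) null);
        }
    }

    /**
     * When {@code aclRightsInfo} was requested, records the container's current
     * evaluation summary under {@code aclRightsInfo;logs;entryLevel;<right>}.
     */
    private static void addEntryLevelRightsInfo(AciLDAPOperationContainer container, int mask, Entry entry, String right) {
        if (hasAttrMask(mask, ACL_RIGHTS_INFO)) {
            entry.addAttribute(Attributes.create(aclRightsInfoEntryLogsStr + ";" + right, container.getEvalSummary()), (List<ByteString>) null);
        }
    }

    /** Returns true when {@code mask} and {@code bits} share at least one set bit. */
    private static boolean hasAttrMask(int mask, int bits) {
        return (mask & bits) != 0;
    }

    /**
     * Builds the human-readable summary of one access evaluation and, as a side
     * effect, clears the context's targattrfilters ACI name when that ACI did not
     * decide the outcome.
     *
     * @param aciEvalContext evaluation context to describe; its targattrfilters ACI
     *        name may be reset to {@code null}
     * @param z the evaluation verdict: true for "access allowed"
     * @return the formatted {@code acl_summary(...)} line
     */
    public static String createSummary(AciEvalContext aciEvalContext, boolean z) {
        String verdict = z ? ALLOWED : NOT_ALLOWED;
        String reason = getEvalReason(aciEvalContext.getEvalReason());
        StringBuilder decidingAci = getDecidingAci(aciEvalContext.getEvalReason(), aciEvalContext.getDecidingAciName());

        // NOTE(review): bit 64 (0x40) is not named in this file; presumably the "self"
        // right defined in Aci - confirm.
        if (!aciEvalContext.isTargAttrFilterMatchAciEmpty() && !aciEvalContext.hasRights(64)) {
            if (aciEvalContext.getAllowList().isEmpty()) {
                aciEvalContext.setTargAttrFiltersAciName(null);
            } else if (z) {
                // Allowed: keep the name only if a deny targattrfilters match was seen.
                if (!aciEvalContext.hasTargAttrFiltersMatchOp(ACL_TARGATTR_DENY_MATCH)) {
                    aciEvalContext.setTargAttrFiltersAciName(null);
                }
            } else if (aciEvalContext.getEvalReason() == EnumEvalReason.EVALUATED_DENY_ACI) {
                // Denied by an explicit deny ACI: the filter ACI did not decide.
                aciEvalContext.setTargAttrFiltersAciName(null);
            } else if (!aciEvalContext.hasTargAttrFiltersMatchOp(ACL_TARGATTR_ALLOW_MATCH)) {
                aciEvalContext.setTargAttrFiltersAciName(null);
            }
        }

        // A client DN for which isRootDN() is true is reported as "anonymous".
        String subject = anonymous;
        if (!aciEvalContext.getClientDN().isRootDN()) {
            subject = aciEvalContext.getClientDN().toString();
        }
        String rightName = aciEvalContext.rightToString();
        AttributeType currentType = aciEvalContext.getCurrentAttributeType();
        String attrName = currentType != null ? currentType.getNameOrOID() : "NULL";
        if (aciEvalContext.getTargAttrFiltersAciName() != null) {
            decidingAci.append(", access depends on attr value");
        }
        return String.format(summaryFormatStr, "main", verdict, rightName, aciEvalContext.getResourceDN().toString(), attrName, subject, reason, decidingAci.toString());
    }

    /**
     * Maps an evaluation reason to the text used in the summary.
     *
     * @return the matching reason text, or the empty string for any other value
     *         (including {@code null})
     */
    private static String getEvalReason(EnumEvalReason enumEvalReason) {
        if (enumEvalReason == EnumEvalReason.EVALUATED_ALLOW_ACI) {
            return EVALUATED_ALLOW;
        }
        if (enumEvalReason == EnumEvalReason.EVALUATED_DENY_ACI) {
            return EVALUATED_DENY;
        }
        if (enumEvalReason == EnumEvalReason.NO_ALLOW_ACIS) {
            return NO_ALLOWS;
        }
        if (enumEvalReason == EnumEvalReason.NO_MATCHED_ALLOWS_ACIS) {
            return NO_ALLOWS_MATCHED;
        }
        if (enumEvalReason == EnumEvalReason.SKIP_ACI) {
            return SKIP_ACI;
        }
        // Decompiler artifact: this constant is the empty-string literal.
        return JsonProperty.USE_DEFAULT_NAME;
    }

    /**
     * Returns {@code ", deciding_aci: <name>"} when the outcome was decided by an
     * evaluated allow or deny ACI, and an empty builder otherwise. The caller may
     * append to the returned builder.
     */
    private static StringBuilder getDecidingAci(EnumEvalReason enumEvalReason, String aciName) {
        StringBuilder sb = new StringBuilder();
        if (enumEvalReason == EnumEvalReason.EVALUATED_ALLOW_ACI || enumEvalReason == EnumEvalReason.EVALUATED_DENY_ACI) {
            sb.append(", deciding_aci: ").append(aciName);
        }
        return sb;
    }

    /**
     * Records whether a targattrfilters match came from a deny or an allow ACI.
     *
     * @param aciEvalContext evaluation context to update
     * @param aci ACI to look up in the context's targattrfilters matches
     * @param z true when {@code aci} is a deny ACI, false for an allow ACI
     * @return false, with the context untouched, when the context reports no
     *         targattrfilters match for {@code aci}; true after recording the match op
     */
    public static boolean setTargAttrAci(AciEvalContext aciEvalContext, Aci aci, boolean z) {
        if (!aciEvalContext.hasTargAttrFiltersMatchAci(aci)) {
            return false;
        }
        aciEvalContext.setTargAttrFiltersMatchOp(z ? ACL_TARGATTR_DENY_MATCH : ACL_TARGATTR_ALLOW_MATCH);
        return true;
    }

    /** Drops the cached schema handles so that the next call resolves them again. */
    public static void finalizeOnShutdown() {
        aclRights = null;
        aclRightsInfo = null;
        dnAttributeType = null;
    }
}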
