package org.opends.server.authorization.dseecompat;

import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import org.eclipse.persistence.internal.helper.Helper;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.messages.AccessControlMessages;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.LDAPURL;
import org.opends.server.types.SearchFilter;

/* loaded from: input_file:WEB-INF/lib/opendj.jar:org/opends/server/authorization/dseecompat/UserDN.class */
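/**
 * Bind rule for the ACI {@code userdn} keyword.
 *
 * <p>A rule holds one or more LDAP URLs, separated by {@code ||} in the ACI text, and matches
 * when the client satisfies any one of them. Each URL is classified once at decode time
 * (keyword forms such as {@code ldap:///self}, a URL with a filter, a DN pattern, or a plain
 * DN) and evaluated against the client DN, the resource DN or the client entry.
 *
 * <p>Security note: every decoding or matching failure inside the private evaluators is
 * reported as "no match" rather than as an error. How {@code EnumEvalResult.getRet} treats
 * that result for a negated bind rule type is not visible in this file; confirm that a
 * failure cannot turn into a match under a negated rule.
 */
public class UserDN implements KeywordBindRule {
    /** Scheme prefix shared by every userdn URL; keyword forms are reduced to exactly this. */
    private static final String URL_STR = "ldap:///";
    /** Decoded URLs in the order they appeared in the ACI text. */
    private final List<UserDNTypeURL> urlList;
    /** Bind rule operator the final result is passed through in {@link #evaluate(AciEvalContext)}. */
    private final EnumBindRuleType type;

    private UserDN(EnumBindRuleType enumBindRuleType, List<UserDNTypeURL> list) {
        this.type = enumBindRuleType;
        this.urlList = list;
    }

    /**
     * Parses the expression of a {@code userdn} bind rule.
     *
     * @param str the expression: one or more LDAP URLs separated by {@code ||}
     * @param enumBindRuleType the operator of the bind rule
     * @return the decoded bind rule
     * @throws AciException if any URL in the expression cannot be decoded
     */
    public static KeywordBindRule decode(String str, EnumBindRuleType enumBindRuleType) throws AciException {
        List<UserDNTypeURL> urls = new LinkedList<>();
        for (String rawUrl : str.split("[|][|]")) {
            StringBuilder sb = new StringBuilder(rawUrl.trim());
            try {
                // getType() rewrites the buffer for keyword forms, so it must run before the
                // buffer is handed to LDAPURL.decode.
                EnumUserDNType userDNType = getType(sb);
                urls.add(new UserDNTypeURL(userDNType, LDAPURL.decode(sb.toString(), true)));
            } catch (LocalizedIllegalArgumentException | DirectoryException e) {
                throw new AciException(AccessControlMessages.WARN_ACI_SYNTAX_INVALID_USERDN_URL.get(e.getMessageObject()));
            }
        }
        return new UserDN(enumBindRuleType, urls);
    }

    /**
     * Classifies one userdn URL and, for keyword forms, replaces the buffer content with the
     * bare {@code ldap:///} prefix so the keyword is not later parsed as a DN.
     *
     * <p>The check for {@code ?} comes first, so any string containing a question mark is
     * treated as a URL even if it starts with a keyword. Keywords are matched
     * case-insensitively and only when they make up the whole string.
     *
     * @param sb the trimmed URL text; modified in place for keyword forms
     * @return the type of the URL
     */
    private static EnumUserDNType getType(StringBuilder sb) {
        String text = sb.toString();
        if (text.contains("?")) {
            return EnumUserDNType.URL;
        }
        EnumUserDNType keyword = null;
        if (text.equalsIgnoreCase(URL_STR + "self")) {
            keyword = EnumUserDNType.SELF;
        } else if (text.equalsIgnoreCase(URL_STR + "anyone")) {
            keyword = EnumUserDNType.ANYONE;
        } else if (text.equalsIgnoreCase(URL_STR + "parent")) {
            keyword = EnumUserDNType.PARENT;
        } else if (text.equalsIgnoreCase(URL_STR + "all")) {
            keyword = EnumUserDNType.ALL;
        }
        if (keyword == null) {
            return text.contains("*") ? EnumUserDNType.DNPATTERN : EnumUserDNType.DN;
        }
        sb.replace(0, sb.length(), URL_STR);
        return keyword;
    }

    /**
     * Evaluates the rule for the client described by the context.
     *
     * <p>URLs are tried in order until one yields TRUE or ERR. An anonymous client can only
     * match an {@code anyone} URL; every other URL type is skipped for it.
     *
     * @param aciEvalContext the evaluation context
     * @return the result after it has been passed through {@code getRet} with the rule's operator
     */
    @Override
    public EnumEvalResult evaluate(AciEvalContext aciEvalContext) {
        EnumEvalResult result = EnumEvalResult.FALSE;
        boolean anonymous = aciEvalContext.isAnonymousUser();
        for (UserDNTypeURL candidate : this.urlList) {
            if (result == EnumEvalResult.TRUE || result == EnumEvalResult.ERR) {
                break;
            }
            if (!anonymous) {
                result = evalNonAnonymous(aciEvalContext, candidate);
            } else if (candidate.getUserDNType() == EnumUserDNType.ANYONE) {
                result = EnumEvalResult.TRUE;
            }
        }
        return result.getRet(this.type, false);
    }

    /** Wraps {@link #evalNonAnonymous0} in the TRUE/FALSE result type. */
    private EnumEvalResult evalNonAnonymous(AciEvalContext aciEvalContext, UserDNTypeURL userDNTypeURL) {
        return evalNonAnonymous0(aciEvalContext, userDNTypeURL) ? EnumEvalResult.TRUE : EnumEvalResult.FALSE;
    }

    /**
     * Evaluates a single URL for a client that is not anonymous.
     *
     * @param aciEvalContext the evaluation context
     * @param userDNTypeURL the URL and its type
     * @return {@code true} if the client matches the URL
     */
    private boolean evalNonAnonymous0(AciEvalContext aciEvalContext, UserDNTypeURL userDNTypeURL) {
        DN clientDN = aciEvalContext.getClientDN();
        DN resourceDN = aciEvalContext.getResourceDN();
        EnumUserDNType userDNType = userDNTypeURL.getUserDNType();
        LDAPURL url = userDNTypeURL.getURL();
        switch (userDNType) {
            case URL:
                return evalURL0(aciEvalContext, url);
            case ANYONE:
            case ALL:
                // Both keywords match every client that reaches this method, i.e. every
                // non-anonymous client.
                return true;
            case SELF:
                return clientDN.equals(resourceDN);
            case PARENT:
                DN parent = resourceDN.parent();
                return parent != null && parent.equals(clientDN);
            case DNPATTERN:
                return evalDNPattern(aciEvalContext, url);
            case DN:
                return evalDN(clientDN, url);
            default:
                // Unknown types never match.
                return false;
        }
    }

    /**
     * Compares the client DN with the base DN of the URL.
     *
     * <p>If the two differ as written, both are passed through
     * {@code DirectoryServer.getActualRootBindDN} and compared again; a DN for which that
     * lookup returns {@code null} is compared unchanged. (Presumably the lookup maps an
     * alternate root bind DN to the root user's real DN; confirm against DirectoryServer.)
     *
     * @param dn the client DN
     * @param ldapurl the URL holding the DN to compare with
     * @return {@code true} on a match, {@code false} otherwise or if the base DN cannot be read
     */
    private boolean evalDN(DN dn, LDAPURL ldapurl) {
        try {
            DN urlDN = ldapurl.getBaseDN();
            if (dn.equals(urlDN)) {
                return true;
            }
            DN actualUrlDN = DirectoryServer.getActualRootBindDN(urlDN);
            DN actualClientDN = DirectoryServer.getActualRootBindDN(dn);
            DN effectiveUrlDN = actualUrlDN != null ? actualUrlDN : urlDN;
            DN effectiveClientDN = actualClientDN != null ? actualClientDN : dn;
            return effectiveClientDN.equals(effectiveUrlDN);
        } catch (DirectoryException e) {
            // A URL whose DN cannot be decoded is treated as "no match".
            return false;
        }
    }

    /**
     * Matches the client DN against the wildcard pattern held in the URL's raw base DN.
     *
     * @param aciEvalContext the evaluation context supplying the client DN
     * @param ldapurl the URL holding the pattern
     * @return {@code true} on a match, {@code false} otherwise or if the pattern cannot be decoded
     */
    private boolean evalDNPattern(AciEvalContext aciEvalContext, LDAPURL ldapurl) {
        try {
            PatternDN pattern = PatternDN.decode(ldapurl.getRawBaseDN());
            return pattern.matchesDN(aciEvalContext.getClientDN());
        } catch (DirectoryException e) {
            return false;
        }
    }

    /**
     * Evaluates an LDAP URL (base DN, scope and filter) against the client.
     *
     * @param aciEvalContext the evaluation context
     * @param ldapurl the URL to evaluate
     * @return TRUE if the client DN is within the URL's scope and the client entry matches
     *     its filter, FALSE otherwise, including when the URL cannot be decoded
     */
    public static EnumEvalResult evalURL(AciEvalContext aciEvalContext, LDAPURL ldapurl) {
        return evalURL0(aciEvalContext, ldapurl) ? EnumEvalResult.TRUE : EnumEvalResult.FALSE;
    }

    /**
     * Checks the client DN against the URL's base DN and scope, then the client entry against
     * the URL's filter.
     *
     * <p>Any scope other than whole-subtree, single-level or subordinates is handled as a
     * base-object comparison. Every {@code DirectoryException} is treated as "no match".
     */
    private static boolean evalURL0(AciEvalContext aciEvalContext, LDAPURL ldapurl) {
        try {
            DN baseDN = ldapurl.getBaseDN();
            SearchFilter filter = ldapurl.getFilter();
            SearchScope scope = ldapurl.getScope();
            DN clientDN = aciEvalContext.getClientDN();
            boolean inScope;
            if (scope == SearchScope.WHOLE_SUBTREE) {
                inScope = clientDN.isSubordinateOrEqualTo(baseDN);
            } else if (scope == SearchScope.SINGLE_LEVEL) {
                // A client DN without a parent cannot sit one level below the base DN. The
                // check used to be skipped in that case, which let such a client through on
                // the filter alone; it now fails closed.
                DN parent = clientDN.parent();
                inScope = parent != null && parent.equals(baseDN);
            } else if (scope == SearchScope.SUBORDINATES) {
                // Strictly below the base DN: deeper than it and inside its subtree.
                inScope = clientDN.size() > baseDN.size() && clientDN.isSubordinateOrEqualTo(baseDN);
            } else {
                inScope = clientDN.equals(baseDN);
            }
            return inScope && filter.matchesEntry(aciEvalContext.getClientEntry());
        } catch (DirectoryException e) {
            return false;
        }
    }

    /**
     * Tests whether an attribute of an entry contains the given DN as one of its values.
     *
     * <p>Only the first attribute returned for the type is examined. Evaluation stops with
     * {@code false} at the first value that is not a valid DN, even if a later value would
     * have matched.
     *
     * @param entry the entry to read the attribute from
     * @param dn the DN to look for
     * @param attributeType the attribute type holding DN values
     * @return {@code true} if a value equals {@code dn}
     */
    public static boolean evaluate(Entry entry, DN dn, AttributeType attributeType) {
        // An entry that lacks the attribute cannot name the client; without this guard the
        // get(0) below throws an unchecked exception in the middle of ACI evaluation.
        if (entry.getAllAttributes(attributeType).isEmpty()) {
            return false;
        }
        Iterator<ByteString> values = entry.getAllAttributes(attributeType).get(0).iterator();
        while (values.hasNext()) {
            try {
                if (DN.valueOf(values.next().toString()).equals(dn)) {
                    return true;
                }
            } catch (LocalizedIllegalArgumentException e) {
                return false;
            }
        }
        return false;
    }

    /** Returns the text produced by {@link #toString(StringBuilder)}. */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        toString(sb);
        return sb.toString();
    }

    /**
     * Appends a textual form of this rule to the buffer.
     *
     * <p>Each URL is rendered as the {@code ldap:///} prefix followed by the lower-cased name
     * of its type, not the URL that was decoded, so the output is a summary rather than a
     * round-trippable form of the rule.
     *
     * @param sb the buffer to append to
     */
    @Override
    public final void toString(StringBuilder sb) {
        sb.append("userdn");
        sb.append(this.type.getType());
        for (UserDNTypeURL userDNTypeURL : this.urlList) {
            // NOTE(review): the delimiter constant comes from an EclipseLink helper unrelated
            // to ACI handling; it presumably stands in for a double-quote literal. Confirm.
            sb.append(Helper.DEFAULT_DATABASE_DELIMITER);
            sb.append(URL_STR);
            // Locale.ROOT keeps the rendered keyword independent of the server's default locale.
            sb.append(userDNTypeURL.getUserDNType().toString().toLowerCase(Locale.ROOT));
            sb.append(Helper.DEFAULT_DATABASE_DELIMITER);
        }
    }
}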
