package org.apache.ldap.server.authz;

import java.util.Map;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.commons.lang.StringUtils;
import org.apache.ldap.common.exception.LdapNoPermissionException;
import org.apache.ldap.common.filter.ExprNode;
import org.apache.ldap.common.name.DnParser;
import org.apache.ldap.server.configuration.InterceptorConfiguration;
import org.apache.ldap.server.enumeration.SearchResultFilter;
import org.apache.ldap.server.enumeration.SearchResultFilteringEnumeration;
import org.apache.ldap.server.interceptor.BaseInterceptor;
import org.apache.ldap.server.interceptor.NextInterceptor;
import org.apache.ldap.server.invocation.InvocationStack;
import org.apache.ldap.server.jndi.ContextFactoryConfiguration;
import org.apache.ldap.server.jndi.ServerContext;
import org.apache.ldap.server.partition.ContextPartitionNexus;
import org.apache.ldap.server.schema.ConcreteNameComponentNormalizer;

/* loaded from: input_file:org/apache/ldap/server/authz/AuthorizationService.class */
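/**
 * Coarse-grained authorization interceptor.
 *
 * <p>Policy enforced here (the administrator, identified by {@link #ADMIN_DN},
 * bypasses every check except the ones that apply to everybody):
 * <ul>
 *   <li>the rootDSE (empty DN) can never be deleted, modified, moved or renamed;</li>
 *   <li>the admin account can never be deleted, moved or renamed, and only the
 *       admin may modify or look it up;</li>
 *   <li>entries strictly below the users base and the groups base ("user
 *       accounts" and "group entries") may only be deleted, modified, moved or
 *       renamed by the admin, and may not become the new parent of a moved entry
 *       for anyone but the admin;</li>
 *   <li>a non-admin may look up its own entry; every other user or group entry
 *       is denied on lookup and hidden from search/list results.</li>
 * </ul>
 *
 * <p>Scope notes for maintainers:
 * <ul>
 *   <li>{@code add} is not intercepted by this class, so creation of entries
 *       under the protected bases is not restricted here.</li>
 *   <li>{@link #hasEntry} is a plain pass-through; existence of protected
 *       entries is not hidden by this interceptor.</li>
 *   <li>Lookup allows a principal to read its own entry, whereas the search/list
 *       filter hides user and group entries unconditionally for non-admins; the
 *       two views are therefore not identical. NOTE(review): confirm this
 *       asymmetry is intended.</li>
 * </ul>
 */
public class AuthorizationService extends BaseInterceptor {
    /** DN of the administrator; the only principal that bypasses the per-entry checks. */
    private static final Name ADMIN_DN = ContextPartitionNexus.getAdminName();
    /** Base DN below which user accounts live. */
    private static final Name USER_BASE_DN = ContextPartitionNexus.getUsersBaseName();
    /** Base DN below which group entries live. */
    private static final Name GROUP_BASE_DN = ContextPartitionNexus.getGroupsBaseName();

    /**
     * Normalizing DN parser used to turn search-result names back into DNs.
     * It is shared by all concurrent searches, so access is synchronized on it.
     */
    private DnParser dnParser;

    /** Result filter shared by {@link #search} and {@link #list}; delegates to {@link #isSearchable}. */
    private final SearchResultFilter visibilityFilter = new SearchResultFilter() {
        public boolean accept(LdapContext ctx, SearchResult result, SearchControls controls) throws NamingException {
            return isSearchable(ctx, result);
        }
    };

    /**
     * Builds the normalizing DN parser from the global attribute-type registry.
     *
     * @param factoryCfg     server configuration providing the global registries
     * @param interceptorCfg this interceptor's configuration (unused)
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void init(ContextFactoryConfiguration factoryCfg, InterceptorConfiguration interceptorCfg) throws NamingException {
        ConcreteNameComponentNormalizer normalizer =
                new ConcreteNameComponentNormalizer(factoryCfg.getGlobalRegistries().getAttributeTypeRegistry());
        this.dnParser = new DnParser(normalizer);
    }

    // ------------------------------------------------------------------
    // Classification helpers
    // ------------------------------------------------------------------

    /** True when {@code dn} is the rootDSE, i.e. the empty DN. */
    private static boolean isRootDse(Name dn) {
        return dn.isEmpty();
    }

    /** True when {@code principal} is the administrator. */
    private static boolean isAdmin(Name principal) {
        return principal.equals(ADMIN_DN);
    }

    /**
     * True when {@code dn} lies strictly below {@code base} (the base itself does
     * not match). The original code hard-coded {@code size() > 2}, which only
     * works for two-component bases; comparing against {@code base.size()} is
     * equivalent for those and correct for any other base length.
     */
    private static boolean isStrictlyBelow(Name dn, Name base) {
        return dn.size() > base.size() && dn.startsWith(base);
    }

    /** True when {@code dn} is a user account, i.e. strictly below the users base. */
    private static boolean isUserAccount(Name dn) {
        return isStrictlyBelow(dn, USER_BASE_DN);
    }

    /** True when {@code dn} is a group entry, i.e. strictly below the groups base. */
    private static boolean isGroupEntry(Name dn) {
        return isStrictlyBelow(dn, GROUP_BASE_DN);
    }

    // ------------------------------------------------------------------
    // delete
    // ------------------------------------------------------------------

    /**
     * Denies deletion of the rootDSE and of the admin account for everyone, and
     * deletion of user accounts and group entries for non-admins.
     *
     * @throws LdapNoPermissionException when the caller may not delete {@code name}
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void delete(NextInterceptor next, Name name) throws NamingException {
        Name principal = getPrincipal().getJndiName();
        if (isRootDse(name)) {
            throw new LdapNoPermissionException("The rootDSE cannot be deleted!");
        }
        // Nobody, not even the admin, may remove the admin account.
        if (name.equals(ADMIN_DN)) {
            throw new LdapNoPermissionException("User " + principal
                    + " does not have permission to delete the admin account."
                    + " No one not even the admin can delete this account!");
        }
        if (!isAdmin(principal)) {
            if (isUserAccount(name)) {
                throw new LdapNoPermissionException("User " + principal
                        + " does not have permission to delete the user account: " + name
                        + ". Only the admin can delete user accounts.");
            }
            if (isGroupEntry(name)) {
                throw new LdapNoPermissionException("User " + principal
                        + " does not have permission to delete the group entry: " + name
                        + ". Only the admin can delete groups.");
            }
        }
        next.delete(name);
    }

    /**
     * Pass-through: existence checks are not access-controlled by this
     * interceptor (see the class comment).
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public boolean hasEntry(NextInterceptor next, Name name) throws NamingException {
        return super.hasEntry(next, name);
    }

    // ------------------------------------------------------------------
    // modify
    // ------------------------------------------------------------------

    /** Applies {@link #protectModifyAlterations} before delegating. */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modify(NextInterceptor next, Name name, int modOp, Attributes attrs) throws NamingException {
        protectModifyAlterations(name);
        next.modify(name, modOp, attrs);
    }

    /** Applies {@link #protectModifyAlterations} before delegating. */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modify(NextInterceptor next, Name name, ModificationItem[] mods) throws NamingException {
        protectModifyAlterations(name);
        next.modify(name, mods);
    }

    /**
     * Modification policy: the rootDSE is immutable for everyone; the admin may
     * modify anything else; a non-admin may modify neither the admin account
     * nor any user account (including its own) nor any group entry.
     *
     * @throws LdapNoPermissionException when the caller may not modify {@code name}
     */
    private void protectModifyAlterations(Name name) throws LdapNoPermissionException {
        Name principal = getPrincipal().getJndiName();
        if (isRootDse(name)) {
            throw new LdapNoPermissionException("The rootDSE cannot be modified!");
        }
        if (isAdmin(principal)) {
            return;
        }
        if (name.equals(ADMIN_DN)) {
            throw new LdapNoPermissionException("User " + principal
                    + " does not have permission to modify the admin account.");
        }
        if (isUserAccount(name)) {
            throw new LdapNoPermissionException("User " + principal
                    + " does not have permission to modify the account of the user " + name
                    + ".\nEven the owner of an account cannot modify it."
                    + "\nUser accounts can only be modified by the administrator.");
        }
        if (isGroupEntry(name)) {
            throw new LdapNoPermissionException("User " + principal
                    + " does not have permission to modify the group entry " + name
                    + ".\nGroups can only be modified by the admin.");
        }
    }

    // ------------------------------------------------------------------
    // rename / move
    // ------------------------------------------------------------------

    /** Applies {@link #protectDnAlterations} to the renamed entry before delegating. */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void modifyRn(NextInterceptor next, Name name, String newRn, boolean deleteOldRn) throws NamingException {
        protectDnAlterations(name);
        next.modifyRn(name, newRn, deleteOldRn);
    }

    /**
     * Checks both ends of the move: the entry being moved and the new parent it
     * lands under. Checking only the source would let a non-admin place an
     * arbitrary entry under the users or groups base.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void move(NextInterceptor next, Name name, Name newParentName) throws NamingException {
        protectDnAlterations(name);
        protectMoveTarget(newParentName);
        next.move(name, newParentName);
    }

    /** Same checks as the two-argument {@link #move}; the new RDN itself is not policed. */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public void move(NextInterceptor next, Name name, Name newParentName, String newRn, boolean deleteOldRn) throws NamingException {
        protectDnAlterations(name);
        protectMoveTarget(newParentName);
        next.move(name, newParentName, newRn, deleteOldRn);
    }

    /**
     * Rename/move policy for the entry being altered: the rootDSE and the admin
     * account are fixed for everyone; user accounts and group entries may only
     * be moved or renamed by the admin.
     *
     * @throws LdapNoPermissionException when the caller may not move or rename {@code name}
     */
    private void protectDnAlterations(Name name) throws LdapNoPermissionException {
        Name principal = getPrincipal().getJndiName();
        if (isRootDse(name)) {
            throw new LdapNoPermissionException("The rootDSE cannot be moved or renamed!");
        }
        if (name.equals(ADMIN_DN)) {
            throw new LdapNoPermissionException("User '" + principal
                    + "' does not have permission to move or rename the admin account."
                    + "  No one not even the admin can move or rename " + name + "!");
        }
        if (isAdmin(principal)) {
            return;
        }
        if (isUserAccount(name)) {
            throw new LdapNoPermissionException("User '" + principal
                    + "' does not have permission to move or rename the user account: " + name
                    + ". Only the admin can move or rename user accounts.");
        }
        if (isGroupEntry(name)) {
            throw new LdapNoPermissionException("User " + principal
                    + " does not have permission to move or rename the group entry " + name
                    + ".\nGroups can only be moved or renamed by the admin.");
        }
    }

    /**
     * Destination policy for a move: a non-admin may not make the users base,
     * the groups base, or anything below them the new parent of an entry, since
     * that would create a user account or group entry without admin rights.
     * {@code startsWith} matches the base itself as well as its descendants.
     *
     * @throws LdapNoPermissionException when the caller may not move an entry under {@code newParent}
     */
    private void protectMoveTarget(Name newParent) throws LdapNoPermissionException {
        Name principal = getPrincipal().getJndiName();
        if (isAdmin(principal)) {
            return;
        }
        if (newParent.startsWith(USER_BASE_DN)) {
            throw new LdapNoPermissionException("User '" + principal
                    + "' does not have permission to move an entry under " + newParent
                    + ". Only the admin can place entries below the users base.");
        }
        if (newParent.startsWith(GROUP_BASE_DN)) {
            throw new LdapNoPermissionException("User '" + principal
                    + "' does not have permission to move an entry under " + newParent
                    + ". Only the admin can place entries below the groups base.");
        }
    }

    // ------------------------------------------------------------------
    // lookup
    // ------------------------------------------------------------------

    /**
     * Authorizes the lookup before the entry is fetched, so a protected DN
     * yields the same permission error whether or not the entry exists
     * (previously the entry was read first and a missing one returned
     * {@code null} without any check).
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public Attributes lookup(NextInterceptor next, Name name) throws NamingException {
        protectLookUp(name);
        return next.lookup(name);
    }

    /** Attribute-selecting variant of {@link #lookup(NextInterceptor, Name)}; same check, same ordering. */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public Attributes lookup(NextInterceptor next, Name name, String[] attrIds) throws NamingException {
        protectLookUp(name);
        return next.lookup(name, attrIds);
    }

    /**
     * Lookup policy: the admin may read anything; a non-admin may read its own
     * entry and any entry that is neither a user account, a group entry nor the
     * admin account.
     *
     * <p>"Own entry" is decided by comparing the string forms of the two DNs,
     * as in the original code. NOTE(review): this relies on both names being
     * normalized the same way; confirm the principal DN and request DN share a
     * normalizer.
     *
     * @throws LdapNoPermissionException when the caller may not read {@code name}
     */
    private void protectLookUp(Name name) throws NamingException {
        // Same principal source as the other checks (the invocation's caller context).
        Name principal = getPrincipal().getJndiName();
        if (isAdmin(principal)) {
            return;
        }
        boolean isOwnEntry = name.toString().equals(principal.toString());
        if (isUserAccount(name)) {
            if (isOwnEntry) {
                return;
            }
            throw new LdapNoPermissionException("Access to user account '" + name
                    + "' not permitted for user '" + principal
                    + "'.  Only the admin can access user account information");
        }
        if (isGroupEntry(name)) {
            if (isOwnEntry) {
                return;
            }
            throw new LdapNoPermissionException("Access to group '" + name
                    + "' not permitted for user '" + principal
                    + "'.  Only the admin can access group information");
        }
        if (name.equals(ADMIN_DN) && !isOwnEntry) {
            throw new LdapNoPermissionException("Access to admin account not permitted for user '" + principal
                    + "'.  Only the admin can access admin account information");
        }
    }

    // ------------------------------------------------------------------
    // search / list
    // ------------------------------------------------------------------

    /**
     * Wraps the downstream result enumeration so that entries the caller may not
     * see (per {@link #isSearchable}) are dropped as results are consumed. The
     * caller context is captured now because the filter runs lazily, outside
     * this invocation.
     */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public NamingEnumeration search(NextInterceptor next, Name base, Map env, ExprNode filter, SearchControls controls) throws NamingException {
        NamingEnumeration results = next.search(base, env, filter, controls);
        LdapContext caller = InvocationStack.getInstance().peek().getCaller();
        return new SearchResultFilteringEnumeration(results, controls, caller, visibilityFilter);
    }

    /** Same result filtering as {@link #search}, applied to a one-level listing (no search controls). */
    @Override // org.apache.ldap.server.interceptor.BaseInterceptor, org.apache.ldap.server.interceptor.Interceptor
    public NamingEnumeration list(NextInterceptor next, Name base) throws NamingException {
        NamingEnumeration results = next.list(base);
        LdapContext caller = InvocationStack.getInstance().peek().getCaller();
        return new SearchResultFilteringEnumeration(results, (SearchControls) null, caller, visibilityFilter);
    }

    /**
     * Visibility rule for search/list results: the admin sees everything; a
     * non-admin sees nothing below the users or groups base and not the admin
     * account (its own entry included).
     *
     * <p>Left {@code public} as in this listing (the decompiler notes it was
     * originally {@code private}); nothing outside this class should call it.
     *
     * @param ctx    the caller's context, used to identify the principal
     * @param result the candidate result; its name is parsed into a DN
     * @return true when the result may be returned to the caller
     * @throws NamingException if the result name cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean isSearchable(LdapContext ctx, SearchResult result) throws NamingException {
        Name dn;
        // The parser is shared between concurrent searches; serialize access to it.
        synchronized (this.dnParser) {
            dn = this.dnParser.parse(result.getName());
        }
        Name principal = ((ServerContext) ctx).getPrincipal().getJndiName();
        if (isAdmin(principal)) {
            return true;
        }
        if (isUserAccount(dn) || isGroupEntry(dn)) {
            return false;
        }
        return !dn.equals(ADMIN_DN);
    }
}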
