package net.tirasa.adsddl.ntsd.dacl;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import net.tirasa.adsddl.ntsd.ACE;
import net.tirasa.adsddl.ntsd.ACL;
import net.tirasa.adsddl.ntsd.SDDL;
import net.tirasa.adsddl.ntsd.SID;
import net.tirasa.adsddl.ntsd.controls.SDFlagsControl;
import net.tirasa.adsddl.ntsd.data.AceFlag;
import net.tirasa.adsddl.ntsd.data.AceObjectFlags;
import net.tirasa.adsddl.ntsd.data.AceType;
import net.tirasa.adsddl.ntsd.utils.GUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/adsddl-1.9.jar:net/tirasa/adsddl/ntsd/dacl/DACLAssertor.class */
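/**
 * Checks whether a principal holds a set of expected rights ({@link AceAssertion}s) in the DACL of an
 * Active Directory object.
 * <p>
 * The DACL is either supplied directly or fetched over LDAP from the {@code nTSecurityDescriptor}
 * attribute of the single object matched by {@code searchFilter}. Assertions are matched first against
 * the ACEs whose SID is the principal itself and then, when {@code searchGroups} is set and the
 * principal is not itself a group, against the ACEs of the principal's token groups.
 * <p>
 * Only {@code ACCESS_ALLOWED} and {@code ACCESS_ALLOWED_OBJECT} ACEs are evaluated; deny ACEs are
 * skipped. A positive result therefore means "a matching grant exists in the DACL", not "effective
 * access is allowed" — a deny ACE for the same principal or group is not taken into account.
 * <p>
 * Not thread-safe: the DACL and the last unsatisfied-assertion list are cached on the instance.
 */
public class DACLAssertor {

    private static final Logger LOG = LoggerFactory.getLogger(DACLAssertor.class);

    /** AD attribute holding the binary security descriptor. */
    private static final String SD_ATTRIBUTE = "nTSecurityDescriptor";

    /**
     * SD flags control value: DACL_SECURITY_INFORMATION (4). Asks the server to return only the DACL
     * portion of the security descriptor.
     */
    private static final int SD_FLAGS_DACL = 4;

    /** LDAP filter identifying exactly one object; only used when the DACL is fetched. */
    private String searchFilter;

    /** Context the filter is searched in; only used when the DACL is fetched. */
    private LdapContext ldapContext;

    /** Whether unsatisfied assertions are also checked against the principal's token groups. */
    private final boolean searchGroups;

    /** DACL under test; either injected or fetched lazily by {@link #doAssert(AdRoleAssertion)}. */
    private ACL dacl;

    /** Result of the last {@link #doAssert(AdRoleAssertion)} call. */
    private List<AceAssertion> unsatisfiedAssertions = new ArrayList<AceAssertion>();

    /**
     * Creates an assertor that fetches the DACL over LDAP on first use.
     *
     * @param str LDAP search filter that must match exactly one object
     * @param z whether to fall back to the principal's token groups
     * @param ldapContext context to search in; must not be {@code null} when {@code doAssert} is called
     */
    public DACLAssertor(String str, boolean z, LdapContext ldapContext) {
        this.searchFilter = str;
        this.searchGroups = z;
        this.ldapContext = ldapContext;
    }

    /**
     * Creates an assertor over an already parsed DACL.
     *
     * @param acl DACL to check
     * @param z whether to fall back to the principal's token groups
     */
    public DACLAssertor(ACL acl, boolean z) {
        this.dacl = acl;
        this.searchGroups = z;
    }

    /**
     * Evaluates every assertion of {@code adRoleAssertion} against the DACL.
     *
     * @param adRoleAssertion principal, optional token groups and the expected ACE rights
     * @return {@code true} when all assertions are satisfied; {@code false} otherwise, including when
     *         the assertion carries no principal (the unsatisfied list is then left unchanged)
     * @throws NamingException if the DACL has to be fetched and the LDAP search fails, matches zero or
     *                         several objects, or returns no readable security descriptor
     */
    public boolean doAssert(AdRoleAssertion adRoleAssertion) throws NamingException {
        if (adRoleAssertion.getPrincipal() == null) {
            LOG.warn("DACLAssertor.run, unable to run against a NULL principal specified in AdRoleAssertion");
            return false;
        }
        if (this.dacl == null) {
            getDACL();
        }
        this.unsatisfiedAssertions = findUnsatisfiedAssertions(adRoleAssertion);
        boolean satisfied = this.unsatisfiedAssertions.isEmpty();
        LOG.info("doAssert, result: {}", Boolean.valueOf(satisfied));
        return satisfied;
    }

    /**
     * Returns the assertions left unsatisfied by the last {@link #doAssert(AdRoleAssertion)} call
     * (empty before the first call). The returned list is the live internal list.
     *
     * @return unsatisfied assertions
     */
    public List<AceAssertion> getUnsatisfiedAssertions() {
        return this.unsatisfiedAssertions;
    }

    /**
     * Fetches the security descriptor of the object matched by {@code searchFilter} and caches its DACL.
     *
     * @throws CommunicationException if no LDAP context was supplied
     * @throws NameNotFoundException if the filter matches nothing
     * @throws SizeLimitExceededException if the filter matches more than one object
     * @throws NamingException if the matched object carries no {@code nTSecurityDescriptor} attribute or
     *                         its descriptor has no DACL
     */
    private void getDACL() throws NamingException {
        if (this.ldapContext == null) {
            LOG.warn("getDACL, cannot search for DACL with null ldapContext");
            throw new CommunicationException("NULL ldapContext");
        }
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setReturningAttributes(new String[]{"name", SD_ATTRIBUTE});
        this.ldapContext.setRequestControls(new Control[]{new SDFlagsControl(SD_FLAGS_DACL)});
        LOG.debug("getDACL, attempting to fetch SD for searchFilter: {}, ldapContext: {}", this.searchFilter, this.ldapContext.getNameInNamespace());

        NamingEnumeration<SearchResult> search = this.ldapContext.search("", this.searchFilter, searchControls);
        try {
            if (!search.hasMoreElements()) {
                LOG.warn("getDACL, searchFilter '{}' found nothing in context '{}'", this.searchFilter, this.ldapContext.getNameInNamespace());
                throw new NameNotFoundException("No results found for: " + this.searchFilter);
            }
            SearchResult searchResult = search.next();
            // An ambiguous filter must not silently assert against an arbitrary object.
            if (search.hasMoreElements()) {
                throw new SizeLimitExceededException("The search filter '" + this.searchFilter + "' matched more than one AD object");
            }
            // Absent attribute: typically the bound identity may not read the SD; fail clearly rather than NPE.
            Attribute sdAttribute = searchResult.getAttributes().get(SD_ATTRIBUTE);
            if (sdAttribute == null) {
                throw new NamingException("Attribute " + SD_ATTRIBUTE + " not returned for: " + this.searchFilter);
            }
            this.dacl = new SDDL((byte[]) sdAttribute.get()).getDacl();
            // NOTE(review): whether SDDL.getDacl() can return null is not visible here; a descriptor
            // without a DACL is refused instead of failing later in findUnsatisfiedAssertions.
            if (this.dacl == null) {
                throw new NamingException("Security descriptor of " + this.searchFilter + " contains no DACL");
            }
            LOG.debug("getDACL, fetched SD & parsed DACL for searchFilter: {}, ldapContext: {}", this.searchFilter, this.ldapContext.getNameInNamespace());
        } finally {
            try {
                search.close();
            } catch (NamingException e) {
                LOG.debug("NamingException occurred while closing results: ", e);
            }
        }
    }

    /**
     * Matches the assertions against the DACL and returns those that no ACE satisfies.
     *
     * @param adRoleAssertion principal (non-null), assertions and optional token groups
     * @return the assertions still unsatisfied; a fresh list, never {@code null}
     */
    private List<AceAssertion> findUnsatisfiedAssertions(AdRoleAssertion adRoleAssertion) {
        Map<String, List<ACE>> acesBySid = indexAcesBySid();

        List<AceAssertion> unsatisfied = new ArrayList<AceAssertion>(adRoleAssertion.getAssertions());
        SID principal = adRoleAssertion.getPrincipal();
        List<ACE> principalAces = acesBySid.get(principal.toString());
        if (principalAces == null) {
            LOG.debug("findUnsatisfiedAssertions, no ACEs matching principal {} in DACL, will attempt to search member groups", principal);
        } else {
            findUnmatchedAssertions(principalAces, unsatisfied);
            LOG.debug("findUnsatisfiedAssertions, {} unsatisfied assertion(s) remain after checking the DACL against principal {}, searching member groups if > 0", Integer.valueOf(unsatisfied.size()), principal);
        }

        if (unsatisfied.isEmpty() || !this.searchGroups) {
            return unsatisfied;
        }
        // Group membership is only expanded for user principals; a group's own token groups are not followed.
        if (adRoleAssertion.isGroup()) {
            LOG.warn("findUnsatisfiedAssertions, unresolved assertions exist and requested to search member groups, but the principal is a group - returning");
            return unsatisfied;
        }
        List<SID> tokenGroups = adRoleAssertion.getTokenGroups();
        if (tokenGroups == null) {
            LOG.debug("findUnsatisfiedAssertions, unresolved assertions exist and no token groups found in AdRoleAssertion - returning");
            return unsatisfied;
        }

        int groupsSearched = 1;
        for (SID group : tokenGroups) {
            List<ACE> groupAces = acesBySid.get(group.toString());
            if (groupAces == null) {
                continue;
            }
            LOG.debug("findUnsatisfiedAssertions, {} ACEs of group {}", Integer.valueOf(groupAces.size()), group);
            findUnmatchedAssertions(groupAces, unsatisfied);
            if (unsatisfied.isEmpty()) {
                LOG.info("findUnsatisfiedAssertions, all role assertions found in the DACL after searching {} group(s)", Integer.valueOf(groupsSearched));
                break;
            }
            groupsSearched++;
        }
        return unsatisfied;
    }

    /**
     * Groups the DACL's ACEs by the string form of their SID; ACEs without a SID are dropped.
     *
     * @return SID string to the ACEs carrying that SID, in DACL order
     */
    private Map<String, List<ACE>> indexAcesBySid() {
        Map<String, List<ACE>> acesBySid = new HashMap<String, List<ACE>>();
        for (int i = 0; i < this.dacl.getAceCount(); i++) {
            ACE ace = this.dacl.getAce(i);
            LOG.trace("ACE {}: {}", Integer.valueOf(i), ace);
            if (ace.getSid() == null) {
                continue;
            }
            String sid = ace.getSid().toString();
            List<ACE> aces = acesBySid.get(sid);
            if (aces == null) {
                aces = new ArrayList<ACE>();
                acesBySid.put(sid, aces);
            }
            aces.add(ace);
        }
        return acesBySid;
    }

    /**
     * Removes from {@code list2} every assertion that some allow-type ACE in {@code list} satisfies.
     * Deny ACEs (any type other than ACCESS_ALLOWED / ACCESS_ALLOWED_OBJECT) are skipped, not evaluated.
     *
     * @param list ACEs of one SID; {@code null} or empty is a no-op
     * @param list2 assertions still to satisfy; modified in place
     */
    private void findUnmatchedAssertions(List<ACE> list, List<AceAssertion> list2) {
        if (list == null || list.isEmpty()) {
            return;
        }
        for (ACE ace : list) {
            LOG.debug("findUnmatchedAssertions, processing ACE: {}", ace);
            if (!isAllowAce(ace)) {
                LOG.debug("findUnmatchedAssertions, skipping ACE with non allowed object type: {}", Byte.valueOf(ace.getType().getValue()));
                continue;
            }
            long aceRightsMask = ace.getRights().asUInt();
            // Iterate a snapshot: matches are removed from list2 while walking.
            for (AceAssertion aceAssertion : new ArrayList<AceAssertion>(list2)) {
                long assertRightMask = aceAssertion.getAceRight().asUInt();
                LOG.debug("findUnmatchedAssertions, assertRightMask: {}, aceRightsMask: {}", Long.valueOf(assertRightMask), Long.valueOf(aceRightsMask));
                if (satisfies(ace, aceAssertion, aceRightsMask, assertRightMask)) {
                    LOG.debug("findUnmatchedAssertions, found an assertion match for: {}", aceAssertion);
                    list2.remove(aceAssertion);
                }
            }
        }
    }

    /**
     * Whether the ACE is of a type that grants rights (ACCESS_ALLOWED or ACCESS_ALLOWED_OBJECT).
     *
     * @param ace ACE to classify
     * @return {@code true} for the two allow types
     */
    private boolean isAllowAce(ACE ace) {
        byte type = ace.getType().getValue();
        return type == AceType.ACCESS_ALLOWED_ACE_TYPE.getValue()
                || type == AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE.getValue();
    }

    /**
     * Whether a single ACE satisfies a single assertion: every asserted right bit is granted, object
     * flags/types and inherited object types agree where the assertion specifies them, the required ACE
     * flag (if any) is present and the excluded ACE flag (if any) is absent.
     *
     * @param ace candidate ACE
     * @param aceAssertion expected rights and qualifiers
     * @param aceRightsMask {@code ace.getRights().asUInt()}
     * @param assertRightMask {@code aceAssertion.getAceRight().asUInt()}
     * @return {@code true} when the ACE matches the assertion
     */
    private boolean satisfies(ACE ace, AceAssertion aceAssertion, long aceRightsMask, long assertRightMask) {
        // Subset test: all asserted rights must be present in the ACE's access mask.
        return (aceRightsMask & assertRightMask) == assertRightMask
                && doObjectFlagsMatch(ace.getObjectFlags(), aceAssertion.getObjectFlags())
                && doObjectTypesMatch(ace.getObjectType(), aceAssertion.getObjectType(), aceAssertion.getObjectFlags())
                && doInheritedObjectTypesMatch(ace.getInheritedObjectType(), aceAssertion.getInheritedObjectType(), aceAssertion.getObjectFlags())
                && doRequiredFlagsMatch(ace.getFlags(), aceAssertion.getRequiredFlag())
                && !isAceExcluded(ace.getFlags(), aceAssertion.getExcludedFlag());
    }

    /**
     * Whether the ACE's object flags contain every flag the assertion asks for.
     *
     * @param aceObjectFlags flags of the ACE; may be {@code null}
     * @param aceObjectFlags2 flags required by the assertion; {@code null} means "don't care"
     * @return {@code true} when no flags are required, or the ACE carries all required ones
     */
    private boolean doObjectFlagsMatch(AceObjectFlags aceObjectFlags, AceObjectFlags aceObjectFlags2) {
        boolean match = true;
        if (aceObjectFlags2 != null) {
            long required = aceObjectFlags2.asUInt();
            match = aceObjectFlags != null && (aceObjectFlags.asUInt() & required) == required;
        }
        LOG.debug("doObjectFlagsMatch, result: {}", Boolean.valueOf(match));
        return match;
    }

    /**
     * Whether the ACE's object type GUID equals the asserted one, when the assertion's object flags
     * declare an object type present.
     *
     * @param bArr object type GUID of the ACE; may be {@code null}
     * @param str asserted GUID string
     * @param aceObjectFlags assertion's object flags; {@code null} means "don't care"
     * @return {@code true} when no object type is asserted, or the GUIDs are equal
     */
    private boolean doObjectTypesMatch(byte[] bArr, String str, AceObjectFlags aceObjectFlags) {
        return doGuidMatch(bArr, str, aceObjectFlags, AceObjectFlags.Flag.ACE_OBJECT_TYPE_PRESENT, "doObjectTypesMatch");
    }

    /**
     * Whether the ACE's inherited object type GUID equals the asserted one, when the assertion's object
     * flags declare an inherited object type present.
     *
     * @param bArr inherited object type GUID of the ACE; may be {@code null}
     * @param str asserted GUID string
     * @param aceObjectFlags assertion's object flags; {@code null} means "don't care"
     * @return {@code true} when no inherited object type is asserted, or the GUIDs are equal
     */
    private boolean doInheritedObjectTypesMatch(byte[] bArr, String str, AceObjectFlags aceObjectFlags) {
        return doGuidMatch(bArr, str, aceObjectFlags, AceObjectFlags.Flag.ACE_INHERITED_OBJECT_TYPE_PRESENT, "doInheritedObjectTypesMatch");
    }

    /**
     * Shared GUID comparison for object type and inherited object type: if {@code presentFlag} is set in
     * the assertion's flags, the ACE GUID must be non-null and render to {@code expected}.
     *
     * @param guid GUID bytes from the ACE; may be {@code null}
     * @param expected asserted GUID string; may be {@code null} (never equal to a rendered GUID)
     * @param assertionFlags assertion's object flags; {@code null} means "don't care"
     * @param presentFlag flag that makes the GUID mandatory
     * @param logName method name to use in the debug line
     * @return {@code true} when the GUID is not required or matches
     */
    private boolean doGuidMatch(byte[] guid, String expected, AceObjectFlags assertionFlags,
            AceObjectFlags.Flag presentFlag, String logName) {
        if (assertionFlags == null) {
            return true;
        }
        boolean match = true;
        long present = presentFlag.getValue();
        if ((assertionFlags.asUInt() & present) == present
                && (guid == null || !GUID.getGuidAsString(guid).equals(expected))) {
            match = false;
        }
        LOG.debug("{}, result: {}", logName, Boolean.valueOf(match));
        return match;
    }

    /**
     * Whether the ACE flags satisfy the assertion's required flag: when a flag is required it must be
     * present; when none is required the ACE must carry no flags at all.
     *
     * @param list ACE flags; may be {@code null}
     * @param aceFlag required flag, or {@code null}
     * @return {@code true} on match
     */
    private boolean doRequiredFlagsMatch(List<AceFlag> list, AceFlag aceFlag) {
        boolean match;
        if (aceFlag != null) {
            match = list != null && list.contains(aceFlag);
        } else {
            match = list == null || list.isEmpty();
        }
        LOG.debug("doRequiredFlagsMatch, result: {}", Boolean.valueOf(match));
        return match;
    }

    /**
     * Whether the ACE carries a flag the assertion excludes.
     *
     * @param list ACE flags; may be {@code null}
     * @param aceFlag excluded flag, or {@code null} for none
     * @return {@code true} when the excluded flag is present
     */
    private boolean isAceExcluded(List<AceFlag> list, AceFlag aceFlag) {
        boolean excluded = aceFlag != null && list != null && list.contains(aceFlag);
        LOG.debug("isAceExcluded, result: {}", Boolean.valueOf(excluded));
        return excluded;
    }
}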
