package org.apache.directory.server.core.admin;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.naming.directory.SearchControls;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
import org.apache.directory.api.ldap.model.exception.LdapOperationException;
import org.apache.directory.api.ldap.model.exception.LdapUnwillingToPerformException;
import org.apache.directory.api.ldap.model.filter.PresenceNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.subtree.AdministrativeRole;
import org.apache.directory.api.ldap.util.tree.DnNode;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.administrative.AccessControlAAP;
import org.apache.directory.server.core.api.administrative.AccessControlAdministrativePoint;
import org.apache.directory.server.core.api.administrative.AccessControlIAP;
import org.apache.directory.server.core.api.administrative.AccessControlSAP;
import org.apache.directory.server.core.api.administrative.AdministrativePoint;
import org.apache.directory.server.core.api.administrative.CollectiveAttributeAAP;
import org.apache.directory.server.core.api.administrative.CollectiveAttributeAdministrativePoint;
import org.apache.directory.server.core.api.administrative.CollectiveAttributeIAP;
import org.apache.directory.server.core.api.administrative.CollectiveAttributeSAP;
import org.apache.directory.server.core.api.administrative.SubschemaAAP;
import org.apache.directory.server.core.api.administrative.SubschemaAdministrativePoint;
import org.apache.directory.server.core.api.administrative.SubschemaSAP;
import org.apache.directory.server.core.api.administrative.TriggerExecutionAAP;
import org.apache.directory.server.core.api.administrative.TriggerExecutionAdministrativePoint;
import org.apache.directory.server.core.api.administrative.TriggerExecutionIAP;
import org.apache.directory.server.core.api.administrative.TriggerExecutionSAP;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.partition.PartitionNexus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/admin/AdministrativePointInterceptor.class */
public class AdministrativePointInterceptor extends BaseInterceptor {
    // Partition nexus used to search the DIT for administrative points; assigned in init().
    private PartitionNexus nexus;
    // NOTE(review): the three blank finals below are initialised outside this part of the file
    // (presumably in a static initialiser) — confirm their contents there.
    private static final Map<String, String> ROLES_OID;
    private static final Set<String> INNER_AREA_ROLES;
    private static final Set<String> SPECIFIC_AREA_ROLES;
    // Read/write lock taken by lockRead()/lockWrite() and released by unlock().
    private ReentrantReadWriteLock mutex;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AdministrativePointInterceptor.class);
    // Evaluated once at class initialisation, so later log-level changes are not reflected here.
    private static final boolean IS_DEBUG = LOG.isDebugEnabled();
    // Set consulted by checkAddRole/checkDelRole/isValidRole after trimming and ASCII lower-casing the value.
    private static final Set<String> ROLES = new HashSet();

    /**
     * Creates the interceptor, registering it under
     * {@link InterceptorEnum#ADMINISTRATIVE_POINT_INTERCEPTOR} and creating the
     * read/write lock used by {@link #lockRead()}, {@link #lockWrite()} and {@link #unlock()}.
     */
    public AdministrativePointInterceptor() {
        super(InterceptorEnum.ADMINISTRATIVE_POINT_INTERCEPTOR);
        mutex = new ReentrantReadWriteLock();
    }

    /**
     * Acquires the shared (read) side of the interceptor's lock, blocking until it is granted.
     * Release it with {@link #unlock()}.
     */
    public void lockRead() {
        mutex.readLock().lock();
    }

    /**
     * Acquires the exclusive (write) side of the interceptor's lock, blocking until it is granted.
     * Release it with {@link #unlock()}.
     */
    public void lockWrite() {
        mutex.writeLock().lock();
    }

    /**
     * Releases one hold on the interceptor's lock: the write lock when the calling thread
     * holds it, otherwise the read lock.
     *
     * <p>A thread that holds neither lock gets the {@link IllegalMonitorStateException}
     * raised by the underlying read-lock release.
     */
    public void unlock() {
        if (!this.mutex.isWriteLockedByCurrentThread()) {
            this.mutex.readLock().unlock();
            return;
        }
        this.mutex.writeLock().unlock();
    }

    /**
     * Registers in the four administrative-point caches the points described by an
     * administrativeRole attribute.
     *
     * <p>An autonomous area produces one AAP in every cache. Otherwise each value is mapped
     * to the matching specific or inner point; a value that matches no known role is
     * skipped without any error.
     *
     * @param attribute the administrativeRole attribute of the entry
     * @param dn the entry's DN, used as the cache key
     * @param str the entry UUID stored in each created point
     * @throws LdapException if a cache insertion fails
     */
    private void createAdministrativePoints(Attribute attribute, Dn dn, String str) throws LdapException {
        if (isAAP(attribute)) {
            this.directoryService.getAccessControlAPCache().add(dn, new AccessControlAAP(dn, str));
            this.directoryService.getCollectiveAttributeAPCache().add(dn, new CollectiveAttributeAAP(dn, str));
            this.directoryService.getTriggerExecutionAPCache().add(dn, new TriggerExecutionAAP(dn, str));
            this.directoryService.getSubschemaAPCache().add(dn, new SubschemaAAP(dn, str));
            return;
        }
        for (Value<?> roleValue : attribute) {
            // NOTE(review): the role predicates do not trim, whereas checkAddRole validates the
            // trimmed, lower-cased value — confirm values are already normalised when they get here.
            String role = roleValue.getString();
            if (isAccessControlSpecificRole(role)) {
                this.directoryService.getAccessControlAPCache().add(dn, new AccessControlSAP(dn, str));
                continue;
            }
            if (isAccessControlInnerRole(role)) {
                this.directoryService.getAccessControlAPCache().add(dn, new AccessControlIAP(dn, str));
                continue;
            }
            if (isCollectiveAttributeSpecificRole(role)) {
                this.directoryService.getCollectiveAttributeAPCache().add(dn, new CollectiveAttributeSAP(dn, str));
                continue;
            }
            if (isCollectiveAttributeInnerRole(role)) {
                this.directoryService.getCollectiveAttributeAPCache().add(dn, new CollectiveAttributeIAP(dn, str));
                continue;
            }
            if (isSubschemaSpecficRole(role)) {
                this.directoryService.getSubschemaAPCache().add(dn, new SubschemaSAP(dn, str));
                continue;
            }
            if (isTriggerExecutionSpecificRole(role)) {
                this.directoryService.getTriggerExecutionAPCache().add(dn, new TriggerExecutionSAP(dn, str));
                continue;
            }
            if (isTriggerExecutionInnerRole(role)) {
                this.directoryService.getTriggerExecutionAPCache().add(dn, new TriggerExecutionIAP(dn, str));
            }
        }
    }

    /**
     * Adds to the supplied caches the administrative point(s) implied by one role value.
     *
     * <p>The autonomous-area role adds an AAP to all four caches; every other recognised
     * role adds a single specific or inner point to its own cache. A role that matches
     * nothing leaves the caches unchanged and raises no error.
     *
     * @param str the role value (name or OID)
     * @param dn the DN of the entry carrying the role
     * @param str2 the entry UUID stored in the created point
     * @param dnNode the access-control cache
     * @param dnNode2 the collective-attribute cache
     * @param dnNode3 the trigger-execution cache
     * @param dnNode4 the subschema cache
     * @throws LdapException if a cache insertion fails
     */
    private void addRole(String str, Dn dn, String str2, DnNode<AccessControlAdministrativePoint> dnNode, DnNode<CollectiveAttributeAdministrativePoint> dnNode2, DnNode<TriggerExecutionAdministrativePoint> dnNode3, DnNode<SubschemaAdministrativePoint> dnNode4) throws LdapException {
        if (isAutonomousAreaRole(str)) {
            dnNode.add(dn, new AccessControlAAP(dn, str2));
            dnNode2.add(dn, new CollectiveAttributeAAP(dn, str2));
            dnNode3.add(dn, new TriggerExecutionAAP(dn, str2));
            dnNode4.add(dn, new SubschemaAAP(dn, str2));
        } else if (isAccessControlSpecificRole(str)) {
            dnNode.add(dn, new AccessControlSAP(dn, str2));
        } else if (isAccessControlInnerRole(str)) {
            dnNode.add(dn, new AccessControlIAP(dn, str2));
        } else if (isCollectiveAttributeSpecificRole(str)) {
            dnNode2.add(dn, new CollectiveAttributeSAP(dn, str2));
        } else if (isCollectiveAttributeInnerRole(str)) {
            dnNode2.add(dn, new CollectiveAttributeIAP(dn, str2));
        } else if (isSubschemaSpecficRole(str)) {
            dnNode4.add(dn, new SubschemaSAP(dn, str2));
        } else if (isTriggerExecutionSpecificRole(str)) {
            dnNode3.add(dn, new TriggerExecutionSAP(dn, str2));
        } else if (isTriggerExecutionInnerRole(str)) {
            dnNode3.add(dn, new TriggerExecutionIAP(dn, str2));
        }
    }

    /**
     * Removes from the supplied caches the administrative point(s) implied by one role value.
     *
     * <p>The autonomous-area role clears the DN from all four caches; any other recognised
     * role clears it from the cache of its own aspect. An unrecognised role is ignored.
     *
     * @param str the role value (name or OID)
     * @param dn the DN of the entry losing the role
     * @param str2 the entry UUID (not used by the removal itself)
     * @param dnNode the access-control cache
     * @param dnNode2 the collective-attribute cache
     * @param dnNode3 the trigger-execution cache
     * @param dnNode4 the subschema cache
     * @throws LdapException if a cache removal fails
     */
    private void delRole(String str, Dn dn, String str2, DnNode<AccessControlAdministrativePoint> dnNode, DnNode<CollectiveAttributeAdministrativePoint> dnNode2, DnNode<TriggerExecutionAdministrativePoint> dnNode3, DnNode<SubschemaAdministrativePoint> dnNode4) throws LdapException {
        if (isAutonomousAreaRole(str)) {
            dnNode.remove(dn);
            dnNode2.remove(dn);
            dnNode3.remove(dn);
            dnNode4.remove(dn);
        } else if (isAccessControlSpecificRole(str) || isAccessControlInnerRole(str)) {
            dnNode.remove(dn);
        } else if (isCollectiveAttributeSpecificRole(str) || isCollectiveAttributeInnerRole(str)) {
            dnNode2.remove(dn);
        } else if (isSubschemaSpecficRole(str)) {
            dnNode4.remove(dn);
        } else if (isTriggerExecutionSpecificRole(str) || isTriggerExecutionInnerRole(str)) {
            dnNode3.remove(dn);
        }
    }

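    /**
     * Picks the parent of an administrative point among the points stored on one tree node,
     * climbing to the parent node when none of them qualifies.
     *
     * <p>The first point that is autonomous or has the same role as {@code administrativePoint}
     * wins immediately. Failing that, the last point whose role equals
     * {@code administrativeRole} is returned.
     *
     * @param administrativePoint the point whose parent is wanted
     * @param list the points attached to {@code dnNode}
     * @param administrativeRole the role accepted as a fallback parent
     * @param dnNode the tree node {@code list} was read from
     * @return the parent point, or {@code null} when the root is reached without a match
     */
    private AdministrativePoint getParent(AdministrativePoint administrativePoint, List<AdministrativePoint> list, AdministrativeRole administrativeRole, DnNode<List<AdministrativePoint>> dnNode) {
        AdministrativePoint fallback = null;
        for (AdministrativePoint candidate : list) {
            if (candidate.isAutonomous() || candidate.getRole() == administrativePoint.getRole()) {
                return candidate;
            }
            if (candidate.getRole() == administrativeRole) {
                fallback = candidate;
            }
        }
        if (fallback != null) {
            return fallback;
        }
        if (dnNode.hasParent()) {
            // Continue from the PARENT node. Passing dnNode itself would make findParent read the
            // same element list and call back here, recursing until the stack overflows.
            return findParent(administrativePoint, dnNode.getParent());
        }
        return null;
    }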

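    /**
     * Walks up the tree from {@code dnNode} looking for the parent of an administrative point.
     *
     * <p>Nodes that carry no points are skipped. For an autonomous area only the first point
     * of a node is examined; for every other role the choice on a node is delegated to
     * {@link #getParent}, with the specific-area role of the same aspect as fallback.
     *
     * @param administrativePoint the point whose parent is wanted
     * @param dnNode the node to start from
     * @return the parent point, or {@code null} if the root is reached without a match or the
     *         point's role is not one handled here
     */
    private AdministrativePoint findParent(AdministrativePoint administrativePoint, DnNode<List<AdministrativePoint>> dnNode) {
        List<AdministrativePoint> element = dnNode.getElement();
        // An empty list is treated like a missing one; it would otherwise fail on get(0) below.
        if (element == null || element.isEmpty()) {
            return dnNode.hasParent() ? findParent(administrativePoint, dnNode.getParent()) : null;
        }
        switch (administrativePoint.getRole()) {
            case AutonomousArea:
                AdministrativePoint first = element.get(0);
                if (first.isAutonomous()) {
                    return first;
                }
                // Go up one level. Recursing on dnNode itself re-reads the same element and
                // never terminates, ending in a StackOverflowError.
                return dnNode.hasParent() ? findParent(administrativePoint, dnNode.getParent()) : null;
            case AccessControlInnerArea:
            case AccessControlSpecificArea:
                return getParent(administrativePoint, element, AdministrativeRole.AccessControlSpecificArea, dnNode);
            case CollectiveAttributeInnerArea:
            case CollectiveAttributeSpecificArea:
                return getParent(administrativePoint, element, AdministrativeRole.CollectiveAttributeSpecificArea, dnNode);
            case TriggerExecutionInnerArea:
            case TriggerExecutionSpecificArea:
                return getParent(administrativePoint, element, AdministrativeRole.TriggerExecutionSpecificArea, dnNode);
            case SubSchemaSpecificArea:
                return getParent(administrativePoint, element, AdministrativeRole.SubSchemaSpecificArea, dnNode);
            default:
                return null;
        }
    }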

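    /**
     * Validates one administrativeRole value that is about to be added to an entry.
     *
     * <p>The value is trimmed and ASCII lower-cased, then must be a known role. An autonomous
     * area may not be combined with any other role. Inner roles are checked against a
     * specific role of the same aspect and must have a parent point.
     *
     * @param value the role value to validate
     * @param attribute the complete administrativeRole attribute being added
     * @param dn the DN of the target entry
     * @throws LdapException an {@link LdapUnwillingToPerformException} when a rule is violated
     */
    private void checkAddRole(Value<?> value, Attribute attribute, Dn dn) throws LdapException {
        String role = Strings.toLowerCaseAscii(Strings.trim(value.getString()));
        if (!ROLES.contains(role)) {
            // NOTE(review): the client-supplied value is copied into the log line and the
            // error message unchanged — confirm the log layout neutralises line breaks.
            String message = "Cannot add the given role, it's not a valid one :" + value;
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }
        if (isAutonomousAreaRole(role)) {
            if (attribute.size() > 1) {
                String message = "Cannot add an Autonomous Administratve Point when some other roles are added : " + attribute;
                LOG.error(message);
                throw new LdapUnwillingToPerformException(message);
            }
            return;
        }
        // isAAP() recognises the autonomous area by name and by OID; testing the name alone
        // would miss an attribute that carries the OID form.
        if (isAAP(attribute)) {
            String message = "Cannot add a role when an Autonomous Administratve Point is already present : " + attribute;
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }
        checkInnerSpecificMix(role, attribute);
        if (isIAP(role)) {
            checkIAPHasParent(role, attribute, dn);
        }
    }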

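    /**
     * Validates the removal of one administrativeRole value.
     *
     * <p>The value must be a known role. Removing an autonomous area is refused when, for the
     * access-control, collective-attribute or trigger-execution aspect, the DN has no parent
     * in that aspect's cache and an inner point exists below it, since that inner point would
     * lose its enclosing area.
     *
     * @param value the role value to remove
     * @param attribute the administrativeRole attribute (not read by this check)
     * @param dn the DN of the entry losing the role
     * @throws LdapException an {@link LdapUnwillingToPerformException} when the removal is refused
     */
    private void checkDelRole(Value<?> value, Attribute attribute, Dn dn) throws LdapException {
        String role = Strings.toLowerCaseAscii(Strings.trim(value.getString()));
        if (!ROLES.contains(role)) {
            String message = "Cannot delete the given role, it's not a valid one :" + value;
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }
        if (!isAutonomousAreaRole(role)) {
            return;
        }
        // Each aspect is tested against its OWN cache. Gating the collective-attribute and
        // trigger-execution checks on the access-control cache could skip them whenever an
        // access-control parent happens to exist.
        DnNode<AccessControlAdministrativePoint> accessControlCache = this.directoryService.getAccessControlAPCache();
        if (!accessControlCache.hasParent(dn)) {
            for (AccessControlAdministrativePoint descendant : accessControlCache.getDescendantElements(dn)) {
                if (descendant.isInner()) {
                    String message = "Cannot delete the given role, the " + descendant.getDn() + " AccessControl IAP will remain orphan";
                    LOG.error(message);
                    throw new LdapUnwillingToPerformException(message);
                }
            }
        }
        DnNode<CollectiveAttributeAdministrativePoint> collectiveAttributeCache = this.directoryService.getCollectiveAttributeAPCache();
        if (!collectiveAttributeCache.hasParent(dn)) {
            for (CollectiveAttributeAdministrativePoint descendant : collectiveAttributeCache.getDescendantElements(dn)) {
                if (descendant.isInner()) {
                    String message = "Cannot delete the given role, the " + descendant.getDn() + " CollectiveAttribute IAP will remain orphan";
                    LOG.error(message);
                    throw new LdapUnwillingToPerformException(message);
                }
            }
        }
        DnNode<TriggerExecutionAdministrativePoint> triggerExecutionCache = this.directoryService.getTriggerExecutionAPCache();
        if (!triggerExecutionCache.hasParent(dn)) {
            for (TriggerExecutionAdministrativePoint descendant : triggerExecutionCache.getDescendantElements(dn)) {
                if (descendant.isInner()) {
                    String message = "Cannot delete the given role, the " + descendant.getDn() + " TriggerExecution IAP will remain orphan";
                    LOG.error(message);
                    throw new LdapUnwillingToPerformException(message);
                }
            }
        }
    }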

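    /**
     * Collects every entry that has an administrativeRole attribute.
     *
     * <p>The search starts at the root DSE with subtree scope, never dereferences aliases and
     * returns only the administrativeRole and entryUUID attributes. It runs under the admin
     * session obtained from the directory service, not under any client session.
     *
     * @return the matching entries, possibly empty
     * @throws LdapException if the search fails; an error while reading a result is wrapped
     *         in an {@link LdapOperationException}
     */
    private List<Entry> getAdministrativePoints() throws LdapException {
        List<Entry> entries = new ArrayList<>();
        // Result is discarded in the original too (it looks like an unused local lost in
        // decompilation); kept so that any failure building the DN still surfaces here.
        new Dn(this.schemaManager, ServerDNConstants.ADMIN_SYSTEM_DN);
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setReturningAttributes(new String[]{SchemaConstants.ADMINISTRATIVE_ROLE_AT, SchemaConstants.ENTRY_UUID_AT});
        SearchOperationContext searchOperationContext = new SearchOperationContext(this.directoryService.getAdminSession(), Dn.ROOT_DSE, new PresenceNode(this.directoryService.getAtProvider().getAdministrativeRole()), searchControls);
        searchOperationContext.setAliasDerefMode(AliasDerefMode.NEVER_DEREF_ALIASES);
        EntryFilteringCursor search = this.nexus.search(searchOperationContext);
        try {
            while (search.next()) {
                try {
                    entries.add(search.get());
                } catch (Exception e) {
                    throw new LdapOperationException(e.getMessage(), e);
                }
            }
        } finally {
            // Close on every path so a failed iteration does not leak the cursor.
            search.close();
        }
        return entries;
    }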

    /**
     * Tells whether a value names a known administrative role.
     *
     * @param str the raw role value; it is trimmed and ASCII lower-cased before the lookup
     * @return {@code true} if the normalised value is in {@code ROLES}
     */
    private boolean isValidRole(String str) {
        String normalized = Strings.toLowerCaseAscii(Strings.trim(str));
        return ROLES.contains(normalized);
    }

    /**
     * Loads the administrative points of the given entries into the caches.
     *
     * @param list entries that carry an administrativeRole attribute
     * @throws LdapException if a cache insertion fails
     */
    private void addAdminPointCache(List<Entry> list) throws LdapException {
        for (Entry adminPointEntry : list) {
            Attribute roles = adminPointEntry.get(this.directoryService.getAtProvider().getAdministrativeRole());
            Dn entryDn = adminPointEntry.getDn();
            // NOTE(review): an entry without an entryUUID attribute would fail here on a null
            // dereference — confirm every stored entry carries one.
            String uuid = adminPointEntry.get(this.directoryService.getAtProvider().getEntryUUID()).getString();
            createAdministrativePoints(roles, entryDn, uuid);
        }
    }

    /**
     * Removes from the caches the administrative points of an entry that is being deleted.
     *
     * <p>An autonomous-area value clears the DN from all four caches and ends the processing
     * of the remaining values. Any other recognised value clears its own aspect's cache, and
     * an unrecognised value is ignored.
     *
     * @param attribute the administrativeRole attribute of the deleted entry
     * @param deleteOperationContext the delete operation, which supplies the DN
     * @throws LdapException if a cache removal fails
     */
    private void deleteAdminPointCache(Attribute attribute, DeleteOperationContext deleteOperationContext) throws LdapException {
        Dn dn = deleteOperationContext.getDn();
        for (Value<?> roleValue : attribute) {
            String role = roleValue.getString();
            if (isAutonomousAreaRole(role)) {
                this.directoryService.getAccessControlAPCache().remove(dn);
                this.directoryService.getCollectiveAttributeAPCache().remove(dn);
                this.directoryService.getTriggerExecutionAPCache().remove(dn);
                this.directoryService.getSubschemaAPCache().remove(dn);
                return;
            }
            if (isAccessControlSpecificRole(role) || isAccessControlInnerRole(role)) {
                this.directoryService.getAccessControlAPCache().remove(dn);
                continue;
            }
            if (isCollectiveAttributeSpecificRole(role) || isCollectiveAttributeInnerRole(role)) {
                this.directoryService.getCollectiveAttributeAPCache().remove(dn);
                continue;
            }
            if (isSubschemaSpecficRole(role)) {
                this.directoryService.getSubschemaAPCache().remove(dn);
                continue;
            }
            if (isTriggerExecutionSpecificRole(role) || isTriggerExecutionInnerRole(role)) {
                this.directoryService.getTriggerExecutionAPCache().remove(dn);
            }
        }
    }

    /**
     * Tells whether a role value designates an access-control inner area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isAccessControlInnerRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.ACCESS_CONTROL_INNER_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.ACCESS_CONTROL_INNER_AREA_OID);
    }

    /**
     * Tells whether a role value designates an access-control specific area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isAccessControlSpecificRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether a role value designates a collective-attribute inner area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isCollectiveAttributeInnerRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA_OID);
    }

    /**
     * Tells whether a role value designates a collective-attribute specific area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isCollectiveAttributeSpecificRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether a role value designates a trigger-execution inner area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isTriggerExecutionInnerRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.TRIGGER_EXECUTION_INNER_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.TRIGGER_EXECUTION_INNER_AREA_OID);
    }

    /**
     * Tells whether a role value designates a trigger-execution specific area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isTriggerExecutionSpecificRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether a role value designates a subschema specific area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isSubschemaSpecficRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether a role value designates an autonomous area.
     *
     * @param str the role value; the name is matched case-insensitively, the OID exactly, and no trimming is done
     * @return {@code true} on a match
     */
    private boolean isAutonomousAreaRole(String str) {
        if (str.equalsIgnoreCase(SchemaConstants.AUTONOMOUS_AREA)) {
            return true;
        }
        return str.equals(SchemaConstants.AUTONOMOUS_AREA_OID);
    }

    /**
     * Tells whether an administrativeRole attribute holds the autonomous-area role.
     *
     * @param attribute the attribute to inspect
     * @return {@code true} if it contains the role's name or its OID
     */
    private boolean isAAP(Attribute attribute) {
        if (attribute.contains(SchemaConstants.AUTONOMOUS_AREA)) {
            return true;
        }
        return attribute.contains(SchemaConstants.AUTONOMOUS_AREA_OID);
    }

    /**
     * Tells whether an administrativeRole attribute holds the access-control specific-area role.
     *
     * @param attribute the attribute to inspect
     * @return {@code true} if it contains the role's name or its OID
     */
    private boolean hasAccessControlSpecificRole(Attribute attribute) {
        if (attribute.contains(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA)) {
            return true;
        }
        return attribute.contains(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether a role is one of the inner-area roles.
     *
     * @param str the role value, looked up as given (callers pass the normalised form)
     * @return {@code true} if {@code INNER_AREA_ROLES} contains it
     */
    private boolean isIAP(String str) {
        boolean inner = INNER_AREA_ROLES.contains(str);
        return inner;
    }

    /**
     * Tells whether an administrativeRole attribute holds the collective-attribute specific-area role.
     *
     * @param attribute the attribute to inspect
     * @return {@code true} if it contains the role's name or its OID
     */
    private boolean hasCollectiveAttributeSpecificRole(Attribute attribute) {
        if (attribute.contains(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA)) {
            return true;
        }
        return attribute.contains(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA_OID);
    }

    /**
     * Tells whether an administrativeRole attribute holds the trigger-execution specific-area role.
     *
     * @param attribute the attribute to inspect
     * @return {@code true} if it contains the role's name or its OID
     */
    private boolean hasTriggerExecutionSpecificRole(Attribute attribute) {
        if (attribute.contains(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA)) {
            return true;
        }
        return attribute.contains(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA_OID);
    }

    /**
     * Refuses an inner-area role when the same attribute also holds the specific-area role
     * of the same aspect (access control, collective attribute or trigger execution).
     *
     * @param str the role being added
     * @param attribute the complete administrativeRole attribute
     * @throws LdapUnwillingToPerformException if the inner and specific roles of one aspect are mixed
     */
    private void checkInnerSpecificMix(String str, Attribute attribute) throws LdapUnwillingToPerformException {
        boolean mixed;
        if (isAccessControlInnerRole(str)) {
            mixed = hasAccessControlSpecificRole(attribute);
        } else if (isCollectiveAttributeInnerRole(str)) {
            mixed = hasCollectiveAttributeSpecificRole(attribute);
        } else {
            mixed = isTriggerExecutionInnerRole(str) && hasTriggerExecutionSpecificRole(attribute);
        }
        if (!mixed) {
            return;
        }
        String message = "Cannot add a specific Administrative Point and the same inner Administrative point at the same time : " + attribute;
        LOG.error(message);
        throw new LdapUnwillingToPerformException(message);
    }

    /**
     * Refuses an inner administrative point that has no parent point of the same aspect.
     *
     * @param str the inner-area role being added
     * @param attribute the complete administrativeRole attribute, used in the error message
     * @param dn the DN of the target entry
     * @throws LdapUnwillingToPerformException if no parent is found, or if {@code str} is not
     *         one of the three inner-area roles
     */
    private void checkIAPHasParent(String str, Attribute attribute, Dn dn) throws LdapUnwillingToPerformException {
        // NOTE(review): the access-control and trigger-execution branches test getNode(dn) for
        // null while the collective-attribute branch calls hasParentElement(dn). Confirm the two
        // tests are equivalent, since this check decides whether an inner access-control area
        // may exist without an enclosing area.
        boolean parentFound;
        if (isAccessControlInnerRole(str)) {
            parentFound = this.directoryService.getAccessControlAPCache().getNode(dn) != null;
        } else if (isCollectiveAttributeInnerRole(str)) {
            parentFound = this.directoryService.getCollectiveAttributeAPCache().hasParentElement(dn);
        } else if (isTriggerExecutionInnerRole(str)) {
            parentFound = this.directoryService.getTriggerExecutionAPCache().getNode(dn) != null;
        } else {
            String notInner = "This is not an IAP : " + str;
            LOG.error(notInner);
            throw new LdapUnwillingToPerformException(notInner);
        }
        if (parentFound) {
            return;
        }
        String message = "Cannot add an IAP with no parent : " + attribute;
        LOG.error(message);
        throw new LdapUnwillingToPerformException(message);
    }

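    /**
     * Initialises the interceptor and fills the administrative-point caches from the
     * entries that already carry an administrativeRole attribute.
     *
     * @param directoryService the directory service this interceptor belongs to
     * @throws LdapException if the initial search or a cache insertion fails
     */
    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        LOG.debug("Initializing the AdministrativeInterceptor");
        super.init(directoryService);
        this.nexus = directoryService.getPartitionNexus();
        // Result is discarded in the original too (it looks like an unused local lost in
        // decompilation); kept so that any failure building the DN still surfaces here.
        new Dn(this.schemaManager, ServerDNConstants.ADMIN_SYSTEM_DN);
        List<Entry> administrativePoints = getAdministrativePoints();
        lockWrite();
        try {
            addAdminPointCache(administrativePoints);
        } finally {
            // A single release on every path. The catch-and-rethrow form had a second unlock()
            // that ran if the first one threw.
            unlock();
        }
    }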

    /**
     * Shutdown hook of the interceptor; this implementation does nothing.
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void destroy() {
    }

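    /**
     * Handles the addition of an entry. An entry without an administrativeRole attribute is
     * passed straight down the chain; otherwise every role is validated, the entry is added
     * by the rest of the chain, and only then are the caches updated.
     *
     * @param addOperationContext the add operation
     * @throws LdapException if a role is refused or the rest of the chain fails
     */
    @Override
    public void add(AddOperationContext addOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, addRequest");
        Entry entry = addOperationContext.getEntry();
        Dn dn = entry.getDn();
        Attribute attribute = entry.get(this.directoryService.getAtProvider().getAdministrativeRole());
        if (attribute == null) {
            next(addOperationContext);
            LOG.debug("Exit from Administrative Interceptor, no AP in the added entry");
            return;
        }
        LOG.debug("Addition of an administrative point at {} for the role {}", dn, attribute);
        lockWrite();
        try {
            for (Value<?> role : attribute) {
                checkAddRole(role, attribute, dn);
            }
            // The caches are touched only after the rest of the chain accepted the entry.
            next(addOperationContext);
            // NOTE(review): a missing entryUUID would fail here with a null dereference AFTER the
            // entry was added, leaving the caches without this point — confirm it is always set.
            createAdministrativePoints(attribute, dn, entry.get(this.directoryService.getAtProvider().getEntryUUID()).getString());
        } finally {
            // A single release on every path. The catch-and-rethrow form could unlock twice if
            // the code after its first unlock() threw.
            unlock();
        }
        LOG.debug("Added an Administrative Point at {}", dn);
    }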

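    /**
     * Handles the deletion of an entry. An entry without an administrativeRole attribute is
     * passed straight down the chain; otherwise every role must be a known one, the entry is
     * deleted by the rest of the chain, and only then are its points removed from the caches.
     *
     * @param deleteOperationContext the delete operation
     * @throws LdapException if a role is not valid or the rest of the chain fails
     */
    @Override
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, delRequest");
        Entry entry = deleteOperationContext.getEntry();
        Dn dn = entry.getDn();
        Attribute attribute = entry.get(this.directoryService.getAtProvider().getAdministrativeRole());
        if (attribute == null) {
            next(deleteOperationContext);
            LOG.debug("Exit from Administrative Interceptor");
            return;
        }
        LOG.debug("Deletion of an administrative point at {} for the role {}", dn, attribute);
        lockWrite();
        try {
            // NOTE(review): only role validity is tested; checkDelRole's orphaned-inner-point
            // checks are not called from this method — confirm that is intended.
            for (Value<?> value : attribute) {
                if (!isValidRole(value.getString())) {
                    String str = "Cannot remove the given role, it's not a valid one :" + value;
                    LOG.error(str);
                    throw new LdapUnwillingToPerformException(str);
                }
            }
            next(deleteOperationContext);
            deleteAdminPointCache(attribute, deleteOperationContext);
        } finally {
            // A single release on every path. The catch-and-rethrow form could unlock twice if
            // the code after its first unlock() threw.
            unlock();
        }
        LOG.debug("Deleted an Administrative Point at {}", dn);
    }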

    /**
     * Handles a modify operation. When at least one modification targets administrativeRole,
     * the caches are updated under the write lock according to each such modification; the
     * operation is then passed to the rest of the chain.
     *
     * @param modifyOperationContext the modify operation
     * @throws LdapException if a removed role is invalid or absent, or if a replace is
     *         attempted outside a replication event run by an administrator
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, modifyRequest");
        List<Modification> modItems = modifyOperationContext.getModItems();
        Dn dn = modifyOperationContext.getDn();
        // NOTE(review): fails with a null dereference if the entry has no entryUUID — confirm it is always present.
        String string = modifyOperationContext.getEntry().get(this.directoryService.getAtProvider().getEntryUUID()).getString();
        // z becomes true as soon as one modification targets the administrativeRole attribute type.
        boolean z = false;
        Iterator<Modification> it = modItems.iterator();
        while (true) {
            if (it.hasNext()) {
                if (it.next().getAttribute().getAttributeType() == this.directoryService.getAtProvider().getAdministrativeRole()) {
                    z = true;
                    break;
                }
            } else {
                break;
            }
        }
        if (z) {
            // Working copy of the roles currently stored on the entry (empty when there are none).
            // It is only used to track the effect of the modifications inside this method.
            Attribute attribute = ((ClonedServerEntry) modifyOperationContext.getEntry()).getOriginalEntry().get(this.directoryService.getAtProvider().getAdministrativeRole());
            // NOTE(review): m1323clone looks like a decompiler-renamed clone() — confirm against the Attribute API.
            Attribute defaultAttribute = attribute == null ? new DefaultAttribute(this.directoryService.getAtProvider().getAdministrativeRole()) : attribute.m1323clone();
            try {
                // NOTE(review): the lock is taken inside the try; if lockWrite() itself failed, the
                // finally block would call unlock() on a lock this thread does not hold.
                lockWrite();
                // NOTE(review): the caches are changed below, before next(modifyOperationContext)
                // runs at the end of the method and after the lock is released. If a later value
                // throws, or the rest of the chain rejects the operation, no rollback of the
                // changes already applied is visible here. add() and delete() call next() first.
                DnNode<AccessControlAdministrativePoint> accessControlAPCache = this.directoryService.getAccessControlAPCache();
                DnNode<CollectiveAttributeAdministrativePoint> collectiveAttributeAPCache = this.directoryService.getCollectiveAttributeAPCache();
                DnNode<TriggerExecutionAdministrativePoint> triggerExecutionAPCache = this.directoryService.getTriggerExecutionAPCache();
                DnNode<SubschemaAdministrativePoint> subschemaAPCache = this.directoryService.getSubschemaAPCache();
                for (Modification modification : modItems) {
                    Attribute attribute2 = modification.getAttribute();
                    if (attribute2.getAttributeType() == this.directoryService.getAtProvider().getAdministrativeRole()) {
                        switch (modification.getOperation()) {
                            case ADD_ATTRIBUTE:
                                // NOTE(review): unlike add(), the values are not passed through
                                // checkAddRole here. addRole ignores a value that matches no known
                                // role, yet it is still appended to defaultAttribute — confirm the
                                // role rules are enforced elsewhere for this path.
                                for (Value<?> value : attribute2) {
                                    addRole(value.getString(), dn, string, accessControlAPCache, collectiveAttributeAPCache, triggerExecutionAPCache, subschemaAPCache);
                                    defaultAttribute.add(value);
                                }
                                break;
                            case REMOVE_ATTRIBUTE:
                                if (attribute2.size() == 0) {
                                    // No value given: every role currently tracked is removed.
                                    Iterator<Value<?>> it2 = defaultAttribute.iterator();
                                    while (it2.hasNext()) {
                                        delRole(it2.next().getString(), dn, string, accessControlAPCache, collectiveAttributeAPCache, triggerExecutionAPCache, subschemaAPCache);
                                    }
                                    defaultAttribute.clear();
                                    break;
                                } else {
                                    // Each listed value must be a known role and must currently be present.
                                    for (Value<?> value2 : attribute2) {
                                        if (!isValidRole(value2.getString())) {
                                            String str = "Invalid role : " + value2.getString();
                                            LOG.error(str);
                                            throw new LdapInvalidAttributeValueException(ResultCodeEnum.INVALID_ATTRIBUTE_SYNTAX, str);
                                        }
                                        if (!defaultAttribute.contains(value2)) {
                                            String str2 = "Cannot remove the administrative role value" + value2 + ", it does not exist";
                                            LOG.error(str2);
                                            throw new LdapNoSuchAttributeException(str2);
                                        }
                                        defaultAttribute.remove(value2);
                                        delRole(value2.getString(), dn, string, accessControlAPCache, collectiveAttributeAPCache, triggerExecutionAPCache, subschemaAPCache);
                                    }
                                    break;
                                }
                            case REPLACE_ATTRIBUTE:
                                // Replace is accepted only for a replication event issued by an
                                // administrator session. NOTE(review): in that case the caches are
                                // left untouched here — confirm they are refreshed elsewhere.
                                if (!modifyOperationContext.isReplEvent() || !modifyOperationContext.getSession().isAdministrator()) {
                                    LOG.error("Cannot replace an administrative role, the opertion is not supported");
                                    throw new LdapUnwillingToPerformException("Cannot replace an administrative role, the opertion is not supported");
                                }
                                break;
                            default:
                                throw new IllegalArgumentException("Unexpected modify operation " + modification.getOperation());
                        }
                    }
                }
            } finally {
                unlock();
            }
        }
        next(modifyOperationContext);
    }

    /**
     * Refuses to move an entry that is an administrative point and hands every
     * other move on to the next interceptor.
     *
     * <p>An entry counts as an administrative point here when its original
     * (pre-move) entry holds the administrativeRole attribute.
     *
     * @param moveOperationContext the context of the move being processed
     * @throws LdapException an {@link LdapUnwillingToPerformException} when the
     *         entry holds the administrativeRole attribute, or whatever the rest
     *         of the chain throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, moveRequest");

        // NOTE(review): presumably blocked because the Dn-keyed administrative point
        // caches are not updated on a move - confirm before lifting this restriction.
        final boolean isAdministrativePoint =
            moveOperationContext.getOriginalEntry().get(this.directoryService.getAtProvider().getAdministrativeRole()) != null;

        if (isAdministrativePoint) {
            final String message = "Cannot move an Administrative Point in the current version";
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }

        next(moveOperationContext);
        // Not reached when the move is rejected above or the chain throws.
        LOG.debug("Exit from Administrative Interceptor");
    }

    /**
     * Refuses to move-and-rename an entry that is an administrative point and
     * hands every other request on to the next interceptor.
     *
     * <p>An entry counts as an administrative point here when its original
     * entry holds the administrativeRole attribute.
     *
     * @param moveAndRenameOperationContext the context of the operation being processed
     * @throws LdapException an {@link LdapUnwillingToPerformException} when the
     *         entry holds the administrativeRole attribute, or whatever the rest
     *         of the chain throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, moveAndRenameRequest");

        // NOTE(review): presumably blocked because the Dn-keyed administrative point
        // caches are not updated here - confirm before lifting this restriction.
        final boolean isAdministrativePoint =
            moveAndRenameOperationContext.getOriginalEntry().get(this.directoryService.getAtProvider().getAdministrativeRole()) != null;

        if (isAdministrativePoint) {
            final String message = "Cannot move and rename an Administrative Point in the current version";
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }

        next(moveAndRenameOperationContext);
        // Not reached when the request is rejected above or the chain throws.
        LOG.debug("Exit from Administrative Interceptor");
    }

    /**
     * Refuses to rename an entry that is an administrative point and hands
     * every other rename on to the next interceptor.
     *
     * <p>An entry counts as an administrative point here when the context's
     * entry holds the administrativeRole attribute.
     *
     * @param renameOperationContext the context of the rename being processed
     * @throws LdapException an {@link LdapUnwillingToPerformException} when the
     *         entry holds the administrativeRole attribute, or whatever the rest
     *         of the chain throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        LOG.debug(">>> Entering into the Administrative Interceptor, renameRequest");

        // NOTE(review): this check reads getEntry(), whereas move() and moveAndRename()
        // read getOriginalEntry() - confirm both denote the entry as it is before the
        // operation, so the guard cannot be skipped on a rename.
        final boolean isAdministrativePoint =
            renameOperationContext.getEntry().get(this.directoryService.getAtProvider().getAdministrativeRole()) != null;

        if (isAdministrativePoint) {
            final String message = "Cannot rename an Administrative Point in the current version";
            LOG.error(message);
            throw new LdapUnwillingToPerformException(message);
        }

        next(renameOperationContext);
        // Not reached when the rename is rejected above or the chain throws.
        LOG.debug("Exit from Administrative Interceptor");
    }

    /*
     * Populates the static role tables.
     *
     * Every role is registered in ROLES twice: once under its ASCII lower-cased
     * descriptive name and once under its OID. ROLES_OID maps each lower-cased
     * name to its OID. INNER_AREA_ROLES and SPECIFIC_AREA_ROLES hold the name
     * and OID of the inner-area and specific-area roles respectively; the
     * autonomous area is in neither, and the subschema role has a specific area
     * only.
     *
     * NOTE(review): these tables look like the allow-list behind isValidRole();
     * callers presumably have to lower-case a role name before looking it up -
     * confirm against the lookup code.
     */
    static {
        final String autonomousArea = Strings.toLowerCaseAscii(SchemaConstants.AUTONOMOUS_AREA);
        final String accessControlSpecificArea = Strings.toLowerCaseAscii(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA);
        final String accessControlInnerArea = Strings.toLowerCaseAscii(SchemaConstants.ACCESS_CONTROL_INNER_AREA);
        final String collectiveAttributeSpecificArea = Strings.toLowerCaseAscii(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA);
        final String collectiveAttributeInnerArea = Strings.toLowerCaseAscii(SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA);
        final String subSchemaSpecificArea = Strings.toLowerCaseAscii(SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA);
        final String triggerExecutionSpecificArea = Strings.toLowerCaseAscii(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA);
        final String triggerExecutionInnerArea = Strings.toLowerCaseAscii(SchemaConstants.TRIGGER_EXECUTION_INNER_AREA);

        // All known roles, by lower-cased name and by OID.
        ROLES.add(autonomousArea);
        ROLES.add(SchemaConstants.AUTONOMOUS_AREA_OID);
        ROLES.add(accessControlSpecificArea);
        ROLES.add(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA_OID);
        ROLES.add(accessControlInnerArea);
        ROLES.add(SchemaConstants.ACCESS_CONTROL_INNER_AREA_OID);
        ROLES.add(collectiveAttributeSpecificArea);
        ROLES.add(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA_OID);
        ROLES.add(collectiveAttributeInnerArea);
        ROLES.add(SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA_OID);
        ROLES.add(subSchemaSpecificArea);
        ROLES.add(SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA_OID);
        ROLES.add(triggerExecutionSpecificArea);
        ROLES.add(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA_OID);
        ROLES.add(triggerExecutionInnerArea);
        ROLES.add(SchemaConstants.TRIGGER_EXECUTION_INNER_AREA_OID);

        // Lower-cased role name -> OID.
        ROLES_OID = new HashMap<>();
        ROLES_OID.put(autonomousArea, SchemaConstants.AUTONOMOUS_AREA_OID);
        ROLES_OID.put(accessControlSpecificArea, SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA_OID);
        ROLES_OID.put(accessControlInnerArea, SchemaConstants.ACCESS_CONTROL_INNER_AREA_OID);
        ROLES_OID.put(collectiveAttributeSpecificArea, SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA_OID);
        ROLES_OID.put(collectiveAttributeInnerArea, SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA_OID);
        ROLES_OID.put(subSchemaSpecificArea, SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA_OID);
        ROLES_OID.put(triggerExecutionSpecificArea, SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA_OID);
        ROLES_OID.put(triggerExecutionInnerArea, SchemaConstants.TRIGGER_EXECUTION_INNER_AREA_OID);

        // Inner-area roles, by lower-cased name and by OID.
        INNER_AREA_ROLES = new HashSet<>();
        INNER_AREA_ROLES.add(accessControlInnerArea);
        INNER_AREA_ROLES.add(SchemaConstants.ACCESS_CONTROL_INNER_AREA_OID);
        INNER_AREA_ROLES.add(collectiveAttributeInnerArea);
        INNER_AREA_ROLES.add(SchemaConstants.COLLECTIVE_ATTRIBUTE_INNER_AREA_OID);
        INNER_AREA_ROLES.add(triggerExecutionInnerArea);
        INNER_AREA_ROLES.add(SchemaConstants.TRIGGER_EXECUTION_INNER_AREA_OID);

        // Specific-area roles, by lower-cased name and by OID.
        SPECIFIC_AREA_ROLES = new HashSet<>();
        SPECIFIC_AREA_ROLES.add(accessControlSpecificArea);
        SPECIFIC_AREA_ROLES.add(SchemaConstants.ACCESS_CONTROL_SPECIFIC_AREA_OID);
        SPECIFIC_AREA_ROLES.add(collectiveAttributeSpecificArea);
        SPECIFIC_AREA_ROLES.add(SchemaConstants.COLLECTIVE_ATTRIBUTE_SPECIFIC_AREA_OID);
        SPECIFIC_AREA_ROLES.add(subSchemaSpecificArea);
        SPECIFIC_AREA_ROLES.add(SchemaConstants.SUB_SCHEMA_ADMIN_SPECIFIC_AREA_OID);
        SPECIFIC_AREA_ROLES.add(triggerExecutionSpecificArea);
        SPECIFIC_AREA_ROLES.add(SchemaConstants.TRIGGER_EXECUTION_SPECIFIC_AREA_OID);
    }
}
