package org.opends.server.authorization.dseecompat;

import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.TreeSet;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.ldap.AVA;
import org.forgerock.opendj.ldap.AttributeDescription;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.RDN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.ldap.schema.Schema;
import org.forgerock.opendj.server.config.server.DseeCompatAccessControlHandlerCfg;
import org.opends.messages.AccessControlMessages;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.ClientConnection;
import org.opends.server.backends.pluggable.SuffixContainer;
import org.opends.server.config.ConfigConstants;
import org.opends.server.controls.GetEffectiveRightsRequestControl;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ExtendedOperation;
import org.opends.server.core.ModifyDNOperation;
import org.opends.server.core.SearchOperation;
import org.opends.server.protocols.ldap.LDAPControl;
import org.opends.server.schema.SchemaConstants;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.FilterType;
import org.opends.server.types.InitializationException;
import org.opends.server.types.Operation;
import org.opends.server.types.Privilege;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchResultReference;
import org.opends.server.util.ServerConstants;
import org.opends.server.workflowelement.localbackend.LocalBackendAddOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendCompareOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendDeleteOperation;
import org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation;

/* loaded from: input_file:org/opends/server/authorization/dseecompat/AciHandler.class */
public final class AciHandler extends AccessControlHandler<DseeCompatAccessControlHandlerCfg> {
    static final String ALL_OP_ATTRS_MATCHED = "allOpAttrsMatched";
    static final String ALL_USER_ATTRS_MATCHED = "allUserAttrsMatched";
    static final String ORIG_AUTH_ENTRY = "origAuthorizationEntry";
    static AttributeType aciType;
    static AttributeType globalAciType;
    private static AttributeType debugSearchIndex;
    private static DN debugSearchIndexDN;
    private static AttributeType refAttrType;
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    private AciList aciList;
    private AciListenerManager aciListenerMgr;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.opends.server.authorization.dseecompat.AciHandler$1, reason: invalid class name */
    /* loaded from: input_file:org/opends/server/authorization/dseecompat/AciHandler$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum;

        static {
            try {
                $SwitchMap$org$opends$server$types$FilterType[FilterType.AND.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$opends$server$types$FilterType[FilterType.OR.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$opends$server$types$FilterType[FilterType.NOT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum = new int[ModificationType.Enum.values().length];
            try {
                $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum[ModificationType.Enum.ADD.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum[ModificationType.Enum.REPLACE.ordinal()] = 2;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum[ModificationType.Enum.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$forgerock$opendj$ldap$ModificationType$Enum[ModificationType.Enum.INCREMENT.ordinal()] = 4;
            } catch (NoSuchFieldError e7) {
            }
        }
    }

    private static void initStatics() {
        Schema schema = DirectoryServer.getInstance().getServerContext().getSchema();
        aciType = schema.getAttributeType("aci");
        globalAciType = schema.getAttributeType(ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI);
        debugSearchIndex = schema.getAttributeType(SuffixContainer.ATTR_DEBUG_SEARCH_INDEX);
        refAttrType = schema.getAttributeType(ServerConstants.ATTR_REFERRAL_URL);
        try {
            debugSearchIndexDN = DN.valueOf("cn=debugsearch");
        } catch (LocalizedIllegalArgumentException e) {
        }
    }

    @Override // org.opends.server.api.AccessControlHandler
    public void filterEntry(Operation operation, SearchResultEntry searchResultEntry, SearchResultEntry searchResultEntry2) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(operation, 4, searchResultEntry);
        aciLDAPOperationContainer.setSeenEntry(true);
        boolean skipAccessCheck = skipAccessCheck(operation);
        if (!skipAccessCheck) {
            filterEntry(aciLDAPOperationContainer, searchResultEntry2);
        }
        if (aciLDAPOperationContainer.hasGetEffectiveRightsControl()) {
            AciEffectiveRights.addRightsToEntry(this, ((SearchOperation) operation).getAttributes(), aciLDAPOperationContainer, searchResultEntry2, skipAccessCheck);
        }
    }

    @Override // org.opends.server.api.AccessControlHandler
    public void finalizeAccessControlHandler() {
        this.aciListenerMgr.finalizeListenerManager();
        AciEffectiveRights.finalizeOnShutdown();
        DirectoryServer.deregisterSupportedControl(ServerConstants.OID_GET_EFFECTIVE_RIGHTS);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public void initializeAccessControlHandler(DseeCompatAccessControlHandlerCfg dseeCompatAccessControlHandlerCfg) throws ConfigException, InitializationException {
        initStatics();
        DN dn = dseeCompatAccessControlHandlerCfg.dn();
        this.aciList = new AciList(dn);
        this.aciListenerMgr = new AciListenerManager(this.aciList, dn);
        processGlobalAcis(dseeCompatAccessControlHandlerCfg);
        DirectoryServer.registerSupportedControl(ServerConstants.OID_GET_EFFECTIVE_RIGHTS);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(DN dn, Operation operation, Control control) throws DirectoryException {
        if (!skipAccessCheck(operation) && !accessAllowed(new AciLDAPOperationContainer(operation, new Entry(dn, null, null, null), control, 16388))) {
            return false;
        }
        if (ServerConstants.OID_PROXIED_AUTH_V2.equals(control.getOID()) || ServerConstants.OID_PROXIED_AUTH_V1.equals(control.getOID())) {
            operation.setAttachment(ORIG_AUTH_ENTRY, operation.getAuthorizationEntry());
            return true;
        }
        if (!ServerConstants.OID_GET_EFFECTIVE_RIGHTS.equals(control.getOID())) {
            return true;
        }
        operation.setAttachment(ServerConstants.OID_GET_EFFECTIVE_RIGHTS, control instanceof LDAPControl ? GetEffectiveRightsRequestControl.DECODER.decode(control.isCritical(), ((LDAPControl) control).getValue()) : (GetEffectiveRightsRequestControl) control);
        return true;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(ExtendedOperation extendedOperation) {
        if (skipAccessCheck(extendedOperation)) {
            return true;
        }
        return accessAllowed(new AciLDAPOperationContainer(extendedOperation, new Entry(extendedOperation.getAuthorizationDN(), null, null, null), 32772));
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendAddOperation localBackendAddOperation) throws DirectoryException {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendAddOperation, 32);
        return isAllowed(aciLDAPOperationContainer, localBackendAddOperation) && verifySyntax(localBackendAddOperation.getEntryToAdd(), localBackendAddOperation, aciLDAPOperationContainer.getClientDN());
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(BindOperation bindOperation) {
        return true;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendCompareOperation localBackendCompareOperation) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(localBackendCompareOperation, 1);
        aciLDAPOperationContainer.setCurrentAttributeType(AttributeDescription.valueOf(localBackendCompareOperation.getRawAttributeType()).getAttributeType());
        aciLDAPOperationContainer.setCurrentAttributeValue(localBackendCompareOperation.getAssertionValue());
        return isAllowed(aciLDAPOperationContainer, localBackendCompareOperation);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendDeleteOperation localBackendDeleteOperation) {
        return isAllowed(new AciLDAPOperationContainer(localBackendDeleteOperation, 16), localBackendDeleteOperation);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(ModifyDNOperation modifyDNOperation) {
        if (skipAccessCheck(modifyDNOperation)) {
            return true;
        }
        RDN rdn = modifyDNOperation.getOriginalEntry().getName().rdn();
        RDN newRDN = modifyDNOperation.getNewRDN();
        DN newSuperior = modifyDNOperation.getNewSuperior();
        if (newSuperior != null && !aciCheckSuperiorEntry(newSuperior, modifyDNOperation)) {
            return false;
        }
        boolean aciCheckRDNs = aciCheckRDNs(modifyDNOperation, rdn, newRDN);
        if (!aciCheckRDNs || newSuperior == null) {
            return aciCheckRDNs;
        }
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(modifyDNOperation, 512, modifyDNOperation.getOriginalEntry());
        if (!rdn.equals(newRDN)) {
            aciLDAPOperationContainer.setSeenEntry(true);
        }
        return accessAllowed(aciLDAPOperationContainer);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(LocalBackendModifyOperation localBackendModifyOperation) throws DirectoryException {
        return aciCheckMods(new AciLDAPOperationContainer(localBackendModifyOperation, 0), localBackendModifyOperation, skipAccessCheck(localBackendModifyOperation));
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(SearchOperation searchOperation) {
        return true;
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean isAllowed(Operation operation, Entry entry, SearchFilter searchFilter) throws DirectoryException {
        if (skipAccessCheck(operation)) {
            return true;
        }
        return testFilter(new AciLDAPOperationContainer(operation, 4, entry), searchFilter);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean mayProxy(Entry entry, Entry entry2, Operation operation) {
        if (skipAccessCheck(entry)) {
            return true;
        }
        return accessAllowedEntry(new AciLDAPOperationContainer(operation, entry2, new AuthenticationInfo(entry, DirectoryServer.isRootDN(entry.getName())), 128));
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean maySend(DN dn, Operation operation, SearchResultReference searchResultReference) {
        if (skipAccessCheck(operation)) {
            return true;
        }
        AttributeBuilder attributeBuilder = new AttributeBuilder(refAttrType);
        attributeBuilder.addAllStrings(searchResultReference.getReferralURLs());
        Entry entry = new Entry(dn, null, null, null);
        entry.addAttribute(attributeBuilder.toAttribute(), (List<ByteString>) null);
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(operation, 4, new SearchResultEntry(entry));
        aciLDAPOperationContainer.setCurrentAttributeType(refAttrType);
        return accessAllowed(aciLDAPOperationContainer);
    }

    @Override // org.opends.server.api.AccessControlHandler
    public boolean maySend(Operation operation, SearchResultEntry searchResultEntry) {
        if (skipAccessCheck(operation)) {
            return true;
        }
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(operation, 2, searchResultEntry);
        if (operation instanceof SearchOperation) {
            try {
                if (!testFilter(aciLDAPOperationContainer, ((SearchOperation) operation).getFilter())) {
                    return false;
                }
            } catch (DirectoryException e) {
                return false;
            }
        }
        aciLDAPOperationContainer.clearEvalAttributes(0);
        aciLDAPOperationContainer.setRights(4);
        if (!accessAllowedEntry(aciLDAPOperationContainer)) {
            return false;
        }
        if (!aciLDAPOperationContainer.hasEvalUserAttributes()) {
            operation.setAttachment(ALL_USER_ATTRS_MATCHED, ALL_USER_ATTRS_MATCHED);
        }
        if (aciLDAPOperationContainer.hasEvalOpAttributes()) {
            return true;
        }
        operation.setAttachment(ALL_OP_ATTRS_MATCHED, ALL_OP_ATTRS_MATCHED);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean accessAllowed(AciContainer aciContainer) {
        DN resourceDN = aciContainer.getResourceDN();
        if (aciContainer.hasRights(2048) || aciContainer.hasRights(1024)) {
            aciContainer.setRights(aciContainer.getRights() | 8);
        }
        if (aciContainer.getCurrentAttributeValue() != null && aciContainer.hasRights(8) && isAttributeDN(aciContainer.getCurrentAttributeType())) {
            String str = null;
            try {
                str = aciContainer.getCurrentAttributeValue().toString();
                if (DN.valueOf(str).equals(aciContainer.getClientDN())) {
                    aciContainer.setRights(aciContainer.getRights() | 64);
                }
            } catch (LocalizedIllegalArgumentException e) {
                logger.warn(AccessControlMessages.WARN_ACI_NOT_VALID_DN, str);
            }
        }
        createApplicableList(this.aciList.getCandidateAcis(resourceDN), aciContainer);
        boolean testApplicableLists = testApplicableLists(aciContainer);
        if (aciContainer.isGetEffectiveRightsEval()) {
            aciContainer.setEvalSummary(AciEffectiveRights.createSummary(aciContainer, testApplicableLists));
        }
        return testApplicableLists;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean accessAllowedEntry(AciContainer aciContainer) {
        aciContainer.setIsFirstAttribute(true);
        Iterator<AttributeType> it = getAllAttrs(aciContainer.getResourceEntry()).iterator();
        while (it.hasNext()) {
            aciContainer.setCurrentAttributeType(it.next());
            if (accessAllowed(aciContainer)) {
                if (!aciContainer.hasEntryTestRule()) {
                    return true;
                }
                aciContainer.setCurrentAttributeType(null);
                return accessAllowed(aciContainer) || !aciContainer.isDenyEval();
            }
        }
        return false;
    }

    private void filterEntry(AciContainer aciContainer, Entry entry) {
        for (AttributeType attributeType : getAllAttrs(entry)) {
            if (!aciContainer.hasAllUserAttributes() || attributeType.isOperational()) {
                if (!aciContainer.hasAllOpAttributes() || !attributeType.isOperational()) {
                    aciContainer.setCurrentAttributeType(attributeType);
                    if (!accessAllowed(aciContainer)) {
                        entry.removeAttribute(attributeType);
                    }
                }
            }
        }
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:43:0x0151. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:76:0x0220  */
    /* JADX WARN: Removed duplicated region for block: B:83:0x0236 A[Catch: AciException -> 0x0246, TryCatch #0 {AciException -> 0x0246, blocks: (B:81:0x022b, B:83:0x0236, B:84:0x023b), top: B:80:0x022b }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean aciCheckMods(org.opends.server.authorization.dseecompat.AciContainer r8, org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation r9, boolean r10) throws org.opends.server.types.DirectoryException {
        /*
            Method dump skipped, instructions count: 616
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.opends.server.authorization.dseecompat.AciHandler.aciCheckMods(org.opends.server.authorization.dseecompat.AciContainer, org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation, boolean):boolean");
    }

    private boolean aciCheckRDNs(ModifyDNOperation modifyDNOperation, RDN rdn, RDN rdn2) {
        AciLDAPOperationContainer aciLDAPOperationContainer = new AciLDAPOperationContainer(modifyDNOperation, 8, modifyDNOperation.getOriginalEntry());
        if (!accessAllowed(aciLDAPOperationContainer)) {
            return false;
        }
        boolean checkRDN = checkRDN(2048, rdn2, aciLDAPOperationContainer);
        if (checkRDN && modifyDNOperation.deleteOldRDN()) {
            checkRDN = checkRDN(1024, rdn, aciLDAPOperationContainer);
        }
        return checkRDN;
    }

    private boolean aciCheckSuperiorEntry(DN dn, ModifyDNOperation modifyDNOperation) {
        try {
            Entry entry = DirectoryServer.getEntry(dn);
            if (entry != null) {
                return accessAllowed(new AciLDAPOperationContainer(modifyDNOperation, 256, entry));
            }
            return false;
        } catch (DirectoryException e) {
            return false;
        }
    }

    private boolean checkRDN(int i, RDN rdn, AciContainer aciContainer) {
        aciContainer.setRights(i);
        Iterator it = rdn.iterator();
        while (it.hasNext()) {
            AVA ava = (AVA) it.next();
            aciContainer.setCurrentAttributeType(ava.getAttributeType());
            aciContainer.setCurrentAttributeValue(ava.getAttributeValue());
            if (!accessAllowed(aciContainer)) {
                return false;
            }
        }
        return true;
    }

    private void createApplicableList(List<Aci> list, AciTargetMatchContext aciTargetMatchContext) {
        LinkedList linkedList = new LinkedList();
        LinkedList linkedList2 = new LinkedList();
        for (Aci aci : list) {
            if (Aci.isApplicable(aci, aciTargetMatchContext)) {
                if (aci.hasAccessType(EnumAccessType.DENY)) {
                    linkedList.add(aci);
                }
                if (aci.hasAccessType(EnumAccessType.ALLOW)) {
                    linkedList2.add(aci);
                }
            }
            if (aciTargetMatchContext.getTargAttrFiltersMatch()) {
                aciTargetMatchContext.setTargAttrFiltersMatch(false);
            }
        }
        aciTargetMatchContext.setAllowList(linkedList2);
        aciTargetMatchContext.setDenyList(linkedList);
    }

    private List<AttributeType> getAllAttrs(Entry entry) {
        LinkedList linkedList = new LinkedList();
        Attribute objectClassAttribute = entry.getObjectClassAttribute();
        if (objectClassAttribute != null) {
            linkedList.add(objectClassAttribute.getAttributeDescription().getAttributeType());
        }
        linkedList.addAll(entry.getUserAttributes().keySet());
        linkedList.addAll(entry.getOperationalAttributes().keySet());
        return linkedList;
    }

    private boolean isAllowed(AciContainer aciContainer, Operation operation) {
        return skipAccessCheck(operation) || accessAllowed(aciContainer);
    }

    private boolean isAttributeDN(AttributeType attributeType) {
        return SchemaConstants.SYNTAX_DN_OID.equals(attributeType.getSyntax().getOID());
    }

    private void processGlobalAcis(DseeCompatAccessControlHandlerCfg dseeCompatAccessControlHandlerCfg) throws InitializationException {
        try {
            TreeSet treeSet = new TreeSet();
            Iterator it = dseeCompatAccessControlHandlerCfg.getGlobalACI().iterator();
            while (it.hasNext()) {
                treeSet.add(Aci.decode(ByteString.valueOfUtf8((String) it.next()), DN.rootDN()));
            }
            if (!treeSet.isEmpty()) {
                this.aciList.addAci(DN.rootDN(), treeSet);
                logger.debug(AccessControlMessages.INFO_ACI_ADD_LIST_GLOBAL_ACIS, Integer.valueOf(treeSet.size()));
            }
        } catch (Exception e) {
            logger.traceException(e);
            throw new InitializationException(AccessControlMessages.INFO_ACI_HANDLER_FAIL_PROCESS_GLOBAL_ACI.get(dseeCompatAccessControlHandlerCfg.dn()), e);
        }
    }

    private boolean skipAccessCheck(Entry entry) {
        return ClientConnection.hasPrivilege(entry, Privilege.BYPASS_ACL);
    }

    private boolean skipAccessCheck(Operation operation) {
        return operation.getClientConnection().hasPrivilege(Privilege.BYPASS_ACL, operation);
    }

    private boolean testApplicableLists(AciEvalContext aciEvalContext) {
        aciEvalContext.setEvaluationResult(EnumEvalReason.NO_REASON, null);
        if (aciEvalContext.getAllowList().isEmpty() && (!aciEvalContext.isGetEffectiveRightsEval() || aciEvalContext.hasRights(64) || !aciEvalContext.isTargAttrFilterMatchAciEmpty())) {
            aciEvalContext.setEvaluationResult(EnumEvalReason.NO_ALLOW_ACIS, null);
            return false;
        }
        for (Aci aci : aciEvalContext.getDenyList()) {
            EnumEvalResult evaluate = Aci.evaluate(aciEvalContext, aci);
            if (EnumEvalResult.FAIL.equals(evaluate)) {
                aciEvalContext.setEvaluationResult(EnumEvalReason.EVALUATED_DENY_ACI, aci);
                return false;
            }
            if (EnumEvalResult.TRUE.equals(evaluate) && !testAndSetTargAttrOperationMatches(aciEvalContext, aci, true)) {
                aciEvalContext.setEvaluationResult(EnumEvalReason.EVALUATED_DENY_ACI, aci);
                return false;
            }
        }
        for (Aci aci2 : aciEvalContext.getAllowList()) {
            if (EnumEvalResult.TRUE.equals(Aci.evaluate(aciEvalContext, aci2)) && !testAndSetTargAttrOperationMatches(aciEvalContext, aci2, false)) {
                aciEvalContext.setEvaluationResult(EnumEvalReason.EVALUATED_ALLOW_ACI, aci2);
                return true;
            }
        }
        aciEvalContext.setEvaluationResult(EnumEvalReason.NO_MATCHED_ALLOWS_ACIS, null);
        return false;
    }

    private boolean testAndSetTargAttrOperationMatches(AciEvalContext aciEvalContext, Aci aci, boolean z) {
        return aciEvalContext.isGetEffectiveRightsEval() && !aciEvalContext.hasRights(64) && !aciEvalContext.isTargAttrFilterMatchAciEmpty() && AciEffectiveRights.setTargAttrAci(aciEvalContext, aci, z);
    }

    private boolean testFilter(AciContainer aciContainer, SearchFilter searchFilter) throws DirectoryException {
        if (debugSearchIndexDN.equals(aciContainer.getResourceDN()) && aciContainer.getResourceEntry().hasAttribute(debugSearchIndex)) {
            return true;
        }
        switch (searchFilter.getFilterType()) {
            case AND:
            case OR:
                Iterator<SearchFilter> it = searchFilter.getFilterComponents().iterator();
                while (it.hasNext()) {
                    if (!testFilter(aciContainer, it.next())) {
                        return false;
                    }
                }
                return true;
            case NOT:
                return testFilter(aciContainer, searchFilter.getNotComponent());
            default:
                aciContainer.setCurrentAttributeType(searchFilter.getAttributeType());
                return accessAllowed(aciContainer);
        }
    }

    private boolean verifySyntax(Entry entry, Operation operation, DN dn) throws DirectoryException {
        if (!entry.hasOperationalAttribute(aciType)) {
            return true;
        }
        if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
            logger.debug(AccessControlMessages.INFO_ACI_ADD_FAILED_PRIVILEGE, entry.getName(), dn);
            return false;
        }
        Iterator<Attribute> it = entry.getOperationalAttribute(AttributeDescription.create(aciType)).iterator();
        while (it.hasNext()) {
            Iterator<ByteString> it2 = it.next().iterator();
            while (it2.hasNext()) {
                try {
                    Aci.decode(it2.next(), entry.getName());
                } catch (AciException e) {
                    throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, AccessControlMessages.WARN_ACI_ADD_FAILED_DECODE.get(entry.getName(), e.getMessage()));
                }
            }
        }
        return true;
    }

    static {
        initStatics();
    }
}
