package org.apache.jackrabbit.oak.security.authorization.permission;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider;
import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import p000slingmockoak.com.google.common.collect.ImmutableMap;
import p000slingmockoak.com.google.common.collect.Iterators;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.class */
public final class CompiledPermissionImpl implements CompiledPermissions, PermissionConstants {
    private static final Logger log = LoggerFactory.getLogger(CompiledPermissionImpl.class);
    private static final Map<Long, PrivilegeBits> READ_BITS = ImmutableMap.of(3L, PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_READ), 1L, PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_NODES), 2L, PrivilegeBits.BUILT_IN.get(PrivilegeConstants.REP_READ_PROPERTIES), 128L, PrivilegeBits.BUILT_IN.get(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
    private final String workspaceName;
    private final ReadPolicy readPolicy;
    private final PermissionStore store;
    private final PermissionEntryProvider userStore;
    private final PermissionEntryProvider groupStore;
    private final TreeTypeProvider typeProvider;
    private final ProviderCtx providerCtx;
    private Root root;
    private ReadOnlyVersionManager versionManager;
    private PrivilegeBitsProvider bitsProvider;

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$DefaultReadPolicy.class */
    private static final class DefaultReadPolicy implements ReadPolicy {
        private final String[] readPaths;
        private final String[] altReadPaths;
        private final boolean isDefaultPaths;

        private DefaultReadPolicy(Set<String> set) {
            this.readPaths = (String[]) set.toArray(new String[0]);
            this.altReadPaths = new String[set.size()];
            int i = 0;
            for (String str : this.readPaths) {
                int i2 = i;
                i++;
                this.altReadPaths[i2] = str + '/';
            }
            this.isDefaultPaths = set.size() == PermissionConstants.DEFAULT_READ_PATHS.size() && set.containsAll(PermissionConstants.DEFAULT_READ_PATHS);
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadableTree(@NotNull Tree tree, @Nullable TreePermissionImpl treePermissionImpl) {
            if (treePermissionImpl == null) {
                return isReadableTree(tree, true);
            }
            if (treePermissionImpl.isReadableTree) {
                return true;
            }
            if (!this.isDefaultPaths || treePermissionImpl.tree.getName().equals(JcrConstants.JCR_SYSTEM)) {
                return isReadableTree(tree, true);
            }
            return false;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadableTree(@NotNull Tree tree, boolean z) {
            String path = tree.getPath();
            for (String str : this.readPaths) {
                if (path.equals(str)) {
                    return true;
                }
            }
            if (z) {
                return false;
            }
            for (String str2 : this.altReadPaths) {
                if (path.startsWith(str2)) {
                    return true;
                }
            }
            return false;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadablePath(@Nullable String str, boolean z) {
            if (str == null) {
                return false;
            }
            for (String str2 : this.readPaths) {
                if (str.equals(str2)) {
                    return true;
                }
            }
            if (z) {
                return false;
            }
            for (String str3 : this.altReadPaths) {
                if (str.startsWith(str3)) {
                    return true;
                }
            }
            return false;
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EmptyReadPolicy.class */
    private static final class EmptyReadPolicy implements ReadPolicy {
        private static final ReadPolicy INSTANCE = new EmptyReadPolicy();

        private EmptyReadPolicy() {
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadableTree(@NotNull Tree tree, @Nullable TreePermissionImpl treePermissionImpl) {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadableTree(@NotNull Tree tree, boolean z) {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.ReadPolicy
        public boolean isReadablePath(@Nullable String str, boolean z) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$LazyIterator.class */
    public static final class LazyIterator extends AbstractLazyIterator<PermissionEntry> {
        private final TreePermissionImpl treePermission;
        private final boolean isUser;
        private final EntryPredicate predicate;
        private Iterator<PermissionEntry> nextEntries;
        private TreePermissionImpl tp;

        private LazyIterator(@NotNull TreePermissionImpl treePermissionImpl, boolean z, @NotNull EntryPredicate entryPredicate) {
            this.nextEntries = Collections.emptyIterator();
            this.treePermission = treePermissionImpl;
            this.isUser = z;
            this.predicate = entryPredicate;
            this.tp = treePermissionImpl;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.apache.jackrabbit.commons.iterator.AbstractLazyIterator
        public PermissionEntry getNext() {
            PermissionEntry permissionEntry = null;
            while (permissionEntry == null) {
                if (this.nextEntries.hasNext()) {
                    PermissionEntry next = this.nextEntries.next();
                    if (this.predicate.apply(next)) {
                        permissionEntry = next;
                    } else {
                        this.treePermission.skipped = true;
                    }
                } else {
                    if (this.tp == null) {
                        break;
                    }
                    this.nextEntries = this.isUser ? this.tp.getUserEntries() : this.tp.getGroupEntries();
                    this.tp = this.tp.parent;
                }
            }
            return permissionEntry;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$ReadPolicy.class */
    public interface ReadPolicy {
        boolean isReadableTree(@NotNull Tree tree, @Nullable TreePermissionImpl treePermissionImpl);

        boolean isReadableTree(@NotNull Tree tree, boolean z);

        boolean isReadablePath(@Nullable String str, boolean z);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$TreePermissionImpl.class */
    public final class TreePermissionImpl implements TreePermission {
        private final Tree tree;
        private final TreePermissionImpl parent;
        private final TreeType type;
        private final boolean isReadableTree;
        private Collection<PermissionEntry> userEntries;
        private Collection<PermissionEntry> groupEntries;
        private boolean skipped;
        private ReadStatus readStatus;

        private TreePermissionImpl(Tree tree, TreeType treeType, TreePermission treePermission) {
            this.tree = tree;
            this.type = treeType;
            if (treePermission instanceof TreePermissionImpl) {
                this.parent = (TreePermissionImpl) treePermission;
            } else {
                this.parent = null;
            }
            this.isReadableTree = CompiledPermissionImpl.this.readPolicy.isReadableTree(tree, this.parent);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        @NotNull
        public TreePermission getChildPermission(@NotNull String str, @NotNull NodeState nodeState) {
            Tree createReadOnlyTree = CompiledPermissionImpl.this.providerCtx.getTreeProvider().createReadOnlyTree(this.tree, str, nodeState);
            return CompiledPermissionImpl.this.getTreePermission(createReadOnlyTree, CompiledPermissionImpl.this.typeProvider.getType(createReadOnlyTree, this.type), this);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead() {
            boolean isAcTree = isAcTree();
            if (!isAcTree && this.isReadableTree) {
                return true;
            }
            if (this.readStatus == null) {
                this.readStatus = ReadStatus.DENY_THIS;
                long j = isAcTree ? 128L : 1L;
                PrivilegeBits privilegeBits = (PrivilegeBits) CompiledPermissionImpl.READ_BITS.get(Long.valueOf(j));
                Iterator<PermissionEntry> iterator = getIterator(null, j);
                while (true) {
                    if (!iterator.hasNext()) {
                        break;
                    }
                    PermissionEntry next = iterator.next();
                    if (next.privilegeBits.includes(privilegeBits)) {
                        this.readStatus = ReadStatus.create(next, j, this.skipped);
                        break;
                    }
                    if (j == 1 && next.privilegeBits.includes((PrivilegeBits) CompiledPermissionImpl.READ_BITS.get(2L))) {
                        this.skipped = true;
                    }
                }
            }
            return this.readStatus.allowsThis();
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead(@NotNull PropertyState propertyState) {
            boolean isAcTree = isAcTree();
            if (!isAcTree && this.isReadableTree) {
                return true;
            }
            if (this.readStatus != null && this.readStatus.allowsProperties()) {
                return true;
            }
            long j = isAcTree ? 128L : 2L;
            Iterator<PermissionEntry> iterator = getIterator(propertyState, j);
            while (iterator.hasNext()) {
                PermissionEntry next = iterator.next();
                if (next.privilegeBits.includes((PrivilegeBits) CompiledPermissionImpl.READ_BITS.get(Long.valueOf(j)))) {
                    return next.isAllow;
                }
            }
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadAll() {
            return this.readStatus != null && this.readStatus.allowsAll();
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadProperties() {
            return this.readStatus != null && this.readStatus.allowsProperties();
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j) {
            EntryPredicate create = EntryPredicate.create(this.tree, null, Permissions.respectParentPermissions(j));
            return CompiledPermissionImpl.this.hasPermissions(getIterator(create), create, j, this.tree.getPath());
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j, @NotNull PropertyState propertyState) {
            EntryPredicate create = EntryPredicate.create(this.tree, propertyState, Permissions.respectParentPermissions(j));
            return CompiledPermissionImpl.this.hasPermissions(getIterator(create), create, j, this.tree.getPath());
        }

        private Iterator<PermissionEntry> getIterator(@Nullable PropertyState propertyState, long j) {
            return getIterator(EntryPredicate.create(this.tree, propertyState, Permissions.respectParentPermissions(j)));
        }

        private Iterator<PermissionEntry> getIterator(@NotNull EntryPredicate entryPredicate) {
            return (CompiledPermissionImpl.this.userStore == null || CompiledPermissionImpl.this.groupStore == null) ? CompiledPermissionImpl.this.userStore != null ? new LazyIterator(this, true, entryPredicate) : CompiledPermissionImpl.this.groupStore != null ? new LazyIterator(this, false, entryPredicate) : Collections.emptyIterator() : Iterators.concat(new LazyIterator(this, true, entryPredicate), new LazyIterator(this, false, entryPredicate));
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Iterator<PermissionEntry> getUserEntries() {
            if (this.userEntries == null) {
                this.userEntries = CompiledPermissionImpl.this.userStore != null ? CompiledPermissionImpl.this.userStore.getEntries(this.tree) : Collections.emptyList();
            }
            return this.userEntries.iterator();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Iterator<PermissionEntry> getGroupEntries() {
            if (this.groupEntries == null) {
                this.groupEntries = CompiledPermissionImpl.this.groupStore != null ? CompiledPermissionImpl.this.groupStore.getEntries(this.tree) : Collections.emptyList();
            }
            return this.groupEntries.iterator();
        }

        private boolean isAcTree() {
            return this.type == TreeType.ACCESS_CONTROL;
        }
    }

    private CompiledPermissionImpl(@NotNull Set<Principal> set, @NotNull Root root, @NotNull String str, @NotNull PermissionStore permissionStore, @NotNull ConfigurationParameters configurationParameters, @NotNull Context context, @NotNull ProviderCtx providerCtx) {
        this.root = root;
        this.workspaceName = str;
        this.providerCtx = providerCtx;
        this.bitsProvider = new PrivilegeBitsProvider(root);
        Set set2 = (Set) configurationParameters.getConfigValue(PermissionConstants.PARAM_READ_PATHS, DEFAULT_READ_PATHS);
        this.readPolicy = set2.isEmpty() ? EmptyReadPolicy.INSTANCE : new DefaultReadPolicy(set2);
        this.store = permissionStore;
        HashSet hashSet = new HashSet(set.size());
        HashSet hashSet2 = new HashSet(set.size());
        for (Principal principal : set) {
            if (GroupPrincipals.isGroup(principal)) {
                hashSet2.add(principal.getName());
            } else {
                hashSet.add(principal.getName());
            }
        }
        if (hashSet.isEmpty()) {
            this.userStore = null;
        } else {
            this.userStore = new PermissionEntryProviderImpl(permissionStore, hashSet, configurationParameters);
        }
        if (hashSet2.isEmpty()) {
            this.groupStore = null;
        } else {
            this.groupStore = new PermissionEntryProviderImpl(permissionStore, hashSet2, configurationParameters);
        }
        this.typeProvider = new TreeTypeProvider(context);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static CompiledPermissions create(@NotNull Root root, @NotNull String str, @NotNull PermissionStore permissionStore, @NotNull Set<Principal> set, @NotNull ConfigurationParameters configurationParameters, @NotNull Context context, @NotNull ProviderCtx providerCtx) {
        return (!PermissionUtil.getPermissionsRoot(root, str).exists() || set.isEmpty()) ? NoPermissions.getInstance() : new CompiledPermissionImpl(set, root, str, permissionStore, configurationParameters, context, providerCtx);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public void refresh(@NotNull Root root, @NotNull String str) {
        this.root = root;
        this.bitsProvider = new PrivilegeBitsProvider(root);
        this.versionManager = null;
        this.store.flush(root);
        if (this.userStore != null) {
            this.userStore.flush();
        }
        if (this.groupStore != null) {
            this.groupStore.flush();
        }
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    @NotNull
    public RepositoryPermission getRepositoryPermission() {
        return new RepositoryPermission() { // from class: org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissionImpl.1
            @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission
            public boolean isGranted(long j) {
                EntryPredicate create = EntryPredicate.create();
                return CompiledPermissionImpl.this.hasPermissions(CompiledPermissionImpl.this.getEntryIterator(create), create, j, null);
            }
        };
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    @NotNull
    public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission treePermission) {
        return getTreePermission(tree, this.typeProvider.getType(tree, getParentType(treePermission)), treePermission);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    @NotNull
    public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType treeType, @NotNull TreePermission treePermission) {
        if (tree.isRoot()) {
            return createRootPermission(tree);
        }
        if (treePermission instanceof VersionTreePermission) {
            return ((VersionTreePermission) treePermission).createChildPermission(tree);
        }
        if (treePermission instanceof RepoPolicyTreePermission) {
            return ((RepoPolicyTreePermission) treePermission).getChildPermission();
        }
        switch (treeType) {
            case HIDDEN:
                return TreePermission.ALL;
            case VERSION:
                if (ReadOnlyVersionManager.isVersionStoreTree(tree)) {
                    return new TreePermissionImpl(tree, TreeType.VERSION, treePermission);
                }
                Tree versionable = getVersionManager().getVersionable(tree, this.workspaceName);
                if (versionable != null) {
                    return new VersionTreePermission(tree, buildVersionDelegatee(versionable), this.providerCtx.getTreeProvider());
                }
                log.warn("Cannot retrieve versionable node for {}", tree.getPath());
                return TreePermission.EMPTY;
            case ACCESS_CONTROL:
                return AccessControlConstants.REP_REPO_POLICY.equals(tree.getName()) ? new RepoPolicyTreePermission(getRepositoryPermission()) : new TreePermissionImpl(tree, treeType, treePermission);
            case INTERNAL:
                return InternalTreePermission.INSTANCE;
            default:
                return new TreePermissionImpl(tree, treeType, treePermission);
        }
    }

    @NotNull
    private TreePermission buildVersionDelegatee(@NotNull Tree tree) {
        while (!tree.exists()) {
            tree = tree.getParent();
        }
        if (tree.isRoot()) {
            return createRootPermission(tree);
        }
        TreeType type = this.typeProvider.getType(tree);
        switch (type) {
            case HIDDEN:
                return TreePermission.ALL;
            case INTERNAL:
                return InternalTreePermission.INSTANCE;
            default:
                return new TreePermissionImpl(tree, type, buildParentPermission(tree));
        }
    }

    @NotNull
    private TreePermission buildParentPermission(@NotNull Tree tree) {
        ArrayList<Tree> arrayList = new ArrayList();
        while (!tree.isRoot()) {
            tree = tree.getParent();
            arrayList.add(0, tree);
        }
        TreePermission treePermission = TreePermission.EMPTY;
        TreeType treeType = TreeType.DEFAULT;
        for (Tree tree2 : arrayList) {
            treeType = this.typeProvider.getType(tree2, treeType);
            treePermission = new TreePermissionImpl(tree2, treeType, treePermission);
        }
        return treePermission;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@NotNull Tree tree, @Nullable PropertyState propertyState, long j) {
        switch (this.typeProvider.getType(tree)) {
            case HIDDEN:
                return true;
            case VERSION:
                Tree evaluationTree = getEvaluationTree(tree);
                if (evaluationTree == null) {
                    return false;
                }
                if (evaluationTree.exists()) {
                    return internalIsGranted(evaluationTree, propertyState, j);
                }
                String path = evaluationTree.getPath();
                if (propertyState != null) {
                    path = PathUtils.concat(path, propertyState.getName());
                }
                return isGranted(path, j);
            case ACCESS_CONTROL:
            default:
                return internalIsGranted(tree, propertyState, j);
            case INTERNAL:
                return false;
        }
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@NotNull String str, long j) {
        EntryPredicate create = EntryPredicate.create(str, Permissions.respectParentPermissions(j));
        return hasPermissions(getEntryIterator(create), create, j, str);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    @NotNull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return this.bitsProvider.getPrivilegeNames(internalGetPrivileges(tree));
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean hasPrivileges(@Nullable Tree tree, @NotNull String... strArr) {
        return internalGetPrivileges(tree).includes(this.bitsProvider.getBits(strArr));
    }

    private boolean internalIsGranted(@NotNull Tree tree, @Nullable PropertyState propertyState, long j) {
        EntryPredicate create = EntryPredicate.create(tree, propertyState, Permissions.respectParentPermissions(j));
        return hasPermissions(getEntryIterator(create), create, j, tree.getPath());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean hasPermissions(@NotNull Iterator<PermissionEntry> it, @NotNull EntryPredicate entryPredicate, long j, @Nullable String str) {
        PrivilegeBits privilegeBits;
        PrivilegeBits privilegeBits2;
        String str2;
        boolean z = Permissions.diff(3L, j) != 3 && this.readPolicy.isReadablePath(str, false);
        if (!it.hasNext() && !z) {
            return false;
        }
        boolean z2 = str != null && Permissions.respectParentPermissions(j);
        long j2 = z ? 3L : 0L;
        long j3 = 0;
        PrivilegeBits privilegeBits3 = PrivilegeBits.getInstance();
        if (z) {
            privilegeBits3.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        PrivilegeBits privilegeBits4 = PrivilegeBits.getInstance();
        if (z2) {
            privilegeBits = PrivilegeBits.getInstance();
            privilegeBits2 = PrivilegeBits.getInstance();
            str2 = PermissionUtil.getParentPathOrNull(str);
        } else {
            privilegeBits = PrivilegeBits.EMPTY;
            privilegeBits2 = PrivilegeBits.EMPTY;
            str2 = null;
        }
        while (it.hasNext()) {
            PermissionEntry next = it.next();
            if (z2 && str2 != null && next.matchesParent(str2)) {
                if (next.isAllow) {
                    privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
                } else {
                    privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
                }
            }
            if (next.isAllow) {
                if (!z2 || entryPredicate.apply(next, false)) {
                    privilegeBits3.addDifference(next.privilegeBits, privilegeBits4);
                }
                j2 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits3, privilegeBits, true), j3);
                if ((j2 | (j ^ (-1))) == -1) {
                    return true;
                }
            } else {
                if (!z2 || entryPredicate.apply(next, false)) {
                    privilegeBits4.addDifference(next.privilegeBits, privilegeBits3);
                }
                j3 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits4, privilegeBits2, false), j2);
                if (Permissions.includes(j3, j)) {
                    return false;
                }
            }
        }
        return (j2 | (j ^ (-1))) == -1;
    }

    @NotNull
    private PrivilegeBits internalGetPrivileges(@Nullable Tree tree) {
        switch (tree == null ? TreeType.DEFAULT : this.typeProvider.getType(tree)) {
            case HIDDEN:
                return PrivilegeBits.EMPTY;
            case VERSION:
                Tree evaluationTree = getEvaluationTree(tree);
                return (evaluationTree == null || !evaluationTree.exists()) ? PrivilegeBits.EMPTY : getPrivilegeBits(evaluationTree);
            case ACCESS_CONTROL:
            default:
                return getPrivilegeBits(tree);
            case INTERNAL:
                return PrivilegeBits.EMPTY;
        }
    }

    @NotNull
    private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
        Iterator<PermissionEntry> entryIterator = getEntryIterator(tree == null ? EntryPredicate.create() : EntryPredicate.create(tree, null, false));
        PrivilegeBits privilegeBits = PrivilegeBits.getInstance();
        PrivilegeBits privilegeBits2 = PrivilegeBits.getInstance();
        while (entryIterator.hasNext()) {
            PermissionEntry next = entryIterator.next();
            if (next.isAllow) {
                privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
            } else {
                privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
            }
        }
        if (tree != null && this.readPolicy.isReadableTree(tree, false)) {
            privilegeBits.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        return privilegeBits;
    }

    /* JADX INFO: Access modifiers changed from: private */
    @NotNull
    public Iterator<PermissionEntry> getEntryIterator(@NotNull EntryPredicate entryPredicate) {
        return (this.userStore == null || this.groupStore == null) ? this.userStore != null ? this.userStore.getEntryIterator(entryPredicate) : this.groupStore != null ? this.groupStore.getEntryIterator(entryPredicate) : Collections.emptyIterator() : Iterators.concat(this.userStore.getEntryIterator(entryPredicate), this.groupStore.getEntryIterator(entryPredicate));
    }

    @Nullable
    private Tree getEvaluationTree(@NotNull Tree tree) {
        return ReadOnlyVersionManager.isVersionStoreTree(tree) ? tree : getVersionManager().getVersionable(tree, this.workspaceName);
    }

    @NotNull
    private ReadOnlyVersionManager getVersionManager() {
        if (this.versionManager == null) {
            this.versionManager = ReadOnlyVersionManager.getInstance(this.root, NamePathMapper.DEFAULT);
        }
        return this.versionManager;
    }

    private static TreeType getParentType(@NotNull TreePermission treePermission) {
        if (treePermission instanceof TreePermissionImpl) {
            return ((TreePermissionImpl) treePermission).type;
        }
        if (treePermission == TreePermission.EMPTY) {
            return TreeType.DEFAULT;
        }
        if (treePermission == InternalTreePermission.INSTANCE) {
            return TreeType.INTERNAL;
        }
        if (treePermission instanceof VersionTreePermission) {
            return TreeType.VERSION;
        }
        if (treePermission instanceof RepoPolicyTreePermission) {
            return TreeType.ACCESS_CONTROL;
        }
        throw new IllegalArgumentException("Illegal TreePermission implementation.");
    }

    private TreePermissionImpl createRootPermission(@NotNull Tree tree) {
        return new TreePermissionImpl(tree, TreeType.DEFAULT, TreePermission.EMPTY);
    }
}
