package org.apache.hadoop.hbase.security.visibility;

import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.regionserver.OperationStatus;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.visibility.expression.ExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.LeafExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.NonLeafExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.Operator;
import org.apache.hadoop.hbase.util.Bytes;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/visibility/ExpAsStringVisibilityLabelServiceImpl.class */
public class ExpAsStringVisibilityLabelServiceImpl implements VisibilityLabelService {
    // Class-wide logger; assigned in the static initializer.
    private static final Log LOG;
    // Cell value written by setAuths for every granted label. The label itself is carried in the
    // column qualifier, so the value holds no information.
    private static final byte[] DUMMY_VALUE;
    // Serialization-format id of this implementation. The constant is not referenced by name in this
    // listing; matchVisibility and encodeVisibilityForReplication compare against the literal 2
    // (presumably this constant inlined by the compiler — confirm).
    private static final byte STRING_SERIALIZATION_FORMAT = 2;
    // Tag that createVisibilityExpTags prepends when asked to record the serialization format.
    private static final Tag STRING_SERIALIZATION_FORMAT_TAG;
    // Turns a visibility expression string into an expression tree (see createVisibilityExpTags).
    private final ExpressionParser expressionParser = new ExpressionParser();
    // Post-processes the parsed tree; createVisibilityExpTags expects a top-level OR of terms or a
    // single term back from it.
    private final ExpressionExpander expressionExpander = new ExpressionExpander();
    // Configuration used to open the labels table and to load the scan label generators.
    private Configuration conf;
    // Set by init() only when this instance is hosted on a region of the labels table; null otherwise.
    private Region labelsRegion;
    // Generators consulted in order by getVisibilityExpEvaluator to derive the reader's effective labels.
    private List<ScanLabelGenerator> scanLabelGenerators;
    // Decompiler rendering of javac's assertion switch: true when assertions are disabled for this class.
    // With assertions disabled, none of the "assert"-style guards in this class are enforced.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Reports success for every requested label without persisting anything.
     *
     * <p>This implementation keeps no registry of defined labels, so nothing in this class can
     * later tell a defined label from an undefined one.
     *
     * @param list labels requested for creation; only its size is used
     * @return one {@code SUCCESS} status per entry of {@code list}
     * @throws IOException never thrown by this body; declared by the interface
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public OperationStatus[] addLabels(List<byte[]> list) throws IOException {
        final int labelCount = list.size();
        OperationStatus[] statuses = new OperationStatus[labelCount];
        int idx = 0;
        while (idx < labelCount) {
            // A distinct status object per slot, as callers may inspect them independently.
            statuses[idx] = new OperationStatus(HConstants.OperationStatusCode.SUCCESS);
            idx++;
        }
        return statuses;
    }

    /**
     * Grants the given labels to a user or group by writing one column per label into the
     * principal's row of the labels region.
     *
     * <p>Security-relevant behaviour visible here: the labels are written as supplied, with no check
     * that they were ever defined and no check of who is asking. Authorization of the caller has to
     * happen before this method is reached (NOTE(review): confirm the coprocessor that calls this
     * enforces it).
     *
     * @param bArr row key of the principal (user name or group entry) receiving the labels
     * @param list labels to grant; each becomes a column qualifier
     * @return one {@code SUCCESS} status per entry of {@code list}
     * @throws IOException if the region write fails
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public OperationStatus[] setAuths(byte[] bArr, List<byte[]> list) throws IOException {
        // Decompiled form of "assert labelsRegion != null"; not enforced when assertions are off.
        if (!$assertionsDisabled && this.labelsRegion == null) {
            throw new AssertionError();
        }
        final int labelCount = list.size();
        OperationStatus[] statuses = new OperationStatus[labelCount];
        Put grant = new Put(bArr);
        for (byte[] label : list) {
            // Qualifier = label, value = empty placeholder.
            grant.addImmutable(VisibilityConstants.LABELS_TABLE_FAMILY, label, DUMMY_VALUE);
        }
        this.labelsRegion.put(grant);
        // Statuses are filled only after the write has gone through.
        int idx = 0;
        while (idx < labelCount) {
            statuses[idx] = new OperationStatus(HConstants.OperationStatusCode.SUCCESS);
            idx++;
        }
        return statuses;
    }

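    /**
     * Revokes the given labels from a user or group.
     *
     * <p>Labels the principal does not currently hold are reported as {@code FAILURE} with an
     * {@link InvalidLabelException}; labels it holds are removed from its row in the labels region.
     *
     * <p>The region delete is issued only when at least one column was queued. A {@link Delete}
     * with no columns or families added is applied by HBase as a delete of the entire row, so
     * sending it when every requested label was rejected (or the list was empty) would silently
     * strip all of the principal's authorizations instead of none.
     *
     * @param bArr row key of the principal (user name or group entry)
     * @param list labels to revoke
     * @return one status per entry of {@code list}, in the same order
     * @throws IOException if reading the current authorizations or the region delete fails
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public OperationStatus[] clearAuths(byte[] bArr, List<byte[]> list) throws IOException {
        // Decompiled form of "assert labelsRegion != null"; not enforced when assertions are off.
        if (!$assertionsDisabled && this.labelsRegion == null) {
            throw new AssertionError();
        }
        OperationStatus[] statuses = new OperationStatus[list.size()];
        String principal = Bytes.toString(bArr);
        List<String> currentAuths = AuthUtil.isGroupPrincipal(principal)
                ? getGroupAuths(new String[]{AuthUtil.getGroupName(principal)}, true)
                : getUserAuths(bArr, true);
        Delete revoke = new Delete(bArr);
        boolean anyColumnQueued = false;
        int idx = 0;
        for (byte[] label : list) {
            String labelText = Bytes.toString(label);
            if (currentAuths.contains(labelText)) {
                revoke.deleteColumns(VisibilityConstants.LABELS_TABLE_FAMILY, label);
                anyColumnQueued = true;
            } else {
                statuses[idx] = new OperationStatus(HConstants.OperationStatusCode.FAILURE,
                        new InvalidLabelException("Label '" + labelText + "' is not set for the user " + principal));
            }
            idx++;
        }
        // Never send a column-less Delete: it would target the whole row (see method comment).
        if (anyColumnQueued) {
            this.labelsRegion.delete(revoke);
        }
        // Slots not marked as failures above correspond to labels that were removed.
        for (int slot = 0; slot < statuses.length; slot++) {
            if (statuses[slot] == null) {
                statuses[slot] = new OperationStatus(HConstants.OperationStatusCode.SUCCESS);
            }
        }
        return statuses;
    }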

    /**
     * Returns the labels granted directly to a user.
     *
     * @param bArr row key of the user
     * @param z passed through unchanged to {@link #getUserAuths(byte[], boolean)}
     * @return the user's labels, possibly empty
     * @throws IOException if the labels cannot be read
     * @deprecated delegates to {@link #getUserAuths(byte[], boolean)}; call that directly
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    @Deprecated
    public List<String> getAuths(byte[] bArr, boolean z) throws IOException {
        List<String> userAuths = getUserAuths(bArr, z);
        return userAuths;
    }

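    /**
     * Returns the labels granted directly to a user, read from the user's row in the labels table.
     *
     * <p>When this instance is hosted on the labels region the row is read from the region;
     * otherwise a client-side table is opened for the read. The table is now closed exactly once
     * in a {@code finally} block; the decompiled original called {@code close()} a second time
     * when the first {@code close()} threw.
     *
     * <p>{@code z} is consulted only by the assertion-style guard below. With assertions disabled
     * it has no effect: a missing labels region always falls back to the client-side read.
     *
     * @param bArr row key of the user
     * @param z {@code true} when the caller accepts a read without a local labels region
     * @return the column qualifiers of the user's row as strings; empty if the row has no cells
     * @throws IOException if the read or closing the table fails
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public List<String> getUserAuths(byte[] bArr, boolean z) throws IOException {
        // Decompiled form of "assert (labelsRegion != null || z)".
        if (!$assertionsDisabled && this.labelsRegion == null && !z) {
            throw new AssertionError();
        }
        List<String> auths = new ArrayList<String>();
        Get get = new Get(bArr);
        List<Cell> cells;
        if (this.labelsRegion == null) {
            HTable labelsTable = new HTable(this.conf, VisibilityConstants.LABELS_TABLE_NAME);
            try {
                cells = labelsTable.get(get).listCells();
            } finally {
                labelsTable.close();
            }
        } else {
            cells = this.labelsRegion.get(get, false);
        }
        if (cells != null) {
            for (Cell cell : cells) {
                // Each qualifier is one granted label.
                auths.add(Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength()));
            }
        }
        return auths;
    }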

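    /**
     * Returns the labels granted to any of the given groups, read from each group's row in the
     * labels table.
     *
     * <p>When this instance is hosted on the labels region the rows are read from the region;
     * otherwise a client-side table is opened per group. The table is now closed exactly once in
     * a {@code finally} block; the decompiled original called {@code close()} a second time when
     * the first {@code close()} threw.
     *
     * <p>{@code z} is consulted only by the assertion-style guard below. With assertions disabled
     * it has no effect.
     *
     * @param strArr group names; {@code null} or empty yields an empty result
     * @param z {@code true} when the caller accepts a read without a local labels region
     * @return the labels of all groups concatenated in input order; duplicates are not removed
     * @throws IOException if a read or closing the table fails
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public List<String> getGroupAuths(String[] strArr, boolean z) throws IOException {
        // Decompiled form of "assert (labelsRegion != null || z)".
        if (!$assertionsDisabled && this.labelsRegion == null && !z) {
            throw new AssertionError();
        }
        List<String> auths = new ArrayList<String>();
        if (strArr == null || strArr.length == 0) {
            return auths;
        }
        for (String group : strArr) {
            // Group rows are keyed by the group-entry form of the name, not the bare name.
            Get get = new Get(Bytes.toBytes(AuthUtil.toGroupEntry(group)));
            List<Cell> cells;
            if (this.labelsRegion == null) {
                HTable labelsTable = new HTable(this.conf, VisibilityConstants.LABELS_TABLE_NAME);
                try {
                    cells = labelsTable.get(get).listCells();
                } finally {
                    labelsTable.close();
                }
            } else {
                cells = this.labelsRegion.get(get, false);
            }
            if (cells != null) {
                for (Cell cell : cells) {
                    // Each qualifier is one granted label.
                    auths.add(Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength()));
                }
            }
        }
        return auths;
    }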

    /**
     * Returns an empty list: this implementation stores no label definitions to enumerate.
     *
     * @param str filter argument from the interface; not read here
     * @return a new, empty, mutable list
     * @throws IOException never thrown by this body; declared by the interface
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public List<String> listLabels(String str) throws IOException {
        List<String> noLabels = new ArrayList<String>();
        return noLabels;
    }

    /**
     * Parses a visibility expression and converts it into the tags stored with a cell.
     *
     * <p>The expanded expression is either a top-level OR, in which case each operand becomes its
     * own tag, or a single term that becomes one tag. A cell is later readable when any one of its
     * tags is satisfied (see the evaluator returned by {@code getVisibilityExpEvaluator}).
     *
     * <p>{@code z2} is not read by this method: the labels in the expression are not checked
     * against any set of defined labels or against the writer's authorizations here.
     *
     * @param str the visibility expression text
     * @param z when {@code true}, the serialization-format tag is added first
     * @param z2 unused by this implementation
     * @return the tags for the expression, in the order described above
     * @throws IOException if the expression cannot be parsed (the parse error is the cause) or a
     *     tag cannot be encoded
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public List<Tag> createVisibilityExpTags(String str, boolean z, boolean z2) throws IOException {
        try {
            ExpressionNode root = this.expressionExpander.expand(this.expressionParser.parse(str));
            List<Tag> tags = new ArrayList<Tag>();
            if (z) {
                tags.add(STRING_SERIALIZATION_FORMAT_TAG);
            }
            boolean topLevelOr = (root instanceof NonLeafExpressionNode)
                    && ((NonLeafExpressionNode) root).getOperator() == Operator.OR;
            if (!topLevelOr) {
                tags.add(createTag(root));
                return tags;
            }
            // One tag per OR operand.
            for (ExpressionNode operand : ((NonLeafExpressionNode) root).getChildExps()) {
                tags.add(createTag(operand));
            }
            return tags;
        } catch (ParseException e) {
            throw new IOException(e);
        }
    }

    /**
     * Builds the per-scan filter that decides whether the active user may see a cell.
     *
     * <p>Two evaluators are possible. If the active user has system authorization, every cell is
     * visible and no tag is inspected. Otherwise the reader's effective labels are derived by
     * running the configured scan label generators in order, each one receiving the output of the
     * previous one as its authorizations, and the returned evaluator checks each cell's
     * visibility tags against that final label list.
     *
     * @param authorizations labels requested by the reader; input to the first generator
     * @return an evaluator that returns {@code true} for cells the reader may see
     * @throws IOException if the system-authorization check fails or any generator throws
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public VisibilityExpEvaluator getVisibilityExpEvaluator(Authorizations authorizations) throws IOException {
        // Readers with system authorization bypass label evaluation entirely.
        if (isReadFromSystemAuthUser()) {
            return new VisibilityExpEvaluator() { // from class: org.apache.hadoop.hbase.security.visibility.ExpAsStringVisibilityLabelServiceImpl.1
                @Override // org.apache.hadoop.hbase.security.visibility.VisibilityExpEvaluator
                public boolean evaluate(Cell cell) throws IOException {
                    return true;
                }
            };
        }
        // NOTE(review): stays null if scanLabelGenerators is empty, and evaluate() would then throw a
        // NullPointerException on the first tagged cell — confirm the generator list is never empty.
        List<String> list = null;
        Iterator<ScanLabelGenerator> it = this.scanLabelGenerators.iterator();
        while (it.hasNext()) {
            try {
                // A generator returning null is treated as "no labels", and its result replaces the
                // authorizations handed to the next generator.
                List<String> labels = it.next().getLabels(VisibilityUtils.getActiveUser(), authorizations);
                list = labels == null ? new ArrayList<>() : labels;
                authorizations = new Authorizations(list);
            } catch (Throwable th) {
                // Any generator failure aborts the scan setup rather than continuing with partial labels.
                LOG.error(th);
                throw new IOException(th);
            }
        }
        final List<String> list2 = list;
        return new VisibilityExpEvaluator() { // from class: org.apache.hadoop.hbase.security.visibility.ExpAsStringVisibilityLabelServiceImpl.2
            @Override // org.apache.hadoop.hbase.security.visibility.VisibilityExpEvaluator
            public boolean evaluate(Cell cell) throws IOException {
                // z: whether the cell carries at least one tag of type 2 (the type createTag writes).
                boolean z = false;
                if (cell.getTagsLength() > 0) {
                    Iterator<Tag> tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(), cell.getTagsLength());
                    while (tagsIterator.hasNext()) {
                        // z2: whether the current tag (one AND-term) is still satisfied.
                        boolean z2 = true;
                        Tag next = tagsIterator.next();
                        if (next.getType() == 2) {
                            z = true;
                            int tagOffset = next.getTagOffset();
                            int tagLength = tagOffset + next.getTagLength();
                            // Payload layout (see createTag): repeated [2-byte length][label bytes];
                            // a negative length marks a negated label.
                            // NOTE(review): lengths are taken from the stored bytes without a bounds
                            // check against tagLength; a malformed tag presumably surfaces as an
                            // exception from Bytes — confirm.
                            while (true) {
                                if (tagOffset >= tagLength) {
                                    break;
                                }
                                short s = Bytes.toShort(next.getBuffer(), tagOffset);
                                int i = tagOffset + 2;
                                if (s < 0) {
                                    // Negated label: the term fails if the reader HOLDS the label.
                                    // NOTE(review): Short.MIN_VALUE stays negative after this negation.
                                    s = (short) ((-1) * s);
                                    if (list2.contains(Bytes.toString(next.getBuffer(), i, s))) {
                                        z2 = false;
                                        break;
                                    }
                                    tagOffset = i + s;
                                } else {
                                    // Required label: the term fails if the reader LACKS the label.
                                    if (!list2.contains(Bytes.toString(next.getBuffer(), i, s))) {
                                        z2 = false;
                                        break;
                                    }
                                    tagOffset = i + s;
                                }
                            }
                            // Tags are OR-ed: the first satisfied term makes the cell visible.
                            if (z2) {
                                return true;
                            }
                        }
                    }
                }
                // No term matched. A cell with no type-2 tag at all is visible to every reader;
                // a cell that had such tags but satisfied none is hidden.
                return !z;
            }
        };
    }

    /**
     * Tells whether the user performing the current read holds system authorization, in which
     * case {@code getVisibilityExpEvaluator} skips all visibility checks.
     *
     * @return {@code true} if the active user passes {@link #havingSystemAuth(User)}
     * @throws IOException if the user's authorizations cannot be read
     */
    protected boolean isReadFromSystemAuthUser() throws IOException {
        User activeUser = VisibilityUtils.getActiveUser();
        return havingSystemAuth(activeUser);
    }

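    /**
     * Encodes one AND-term of a visibility expression as a tag of type 2.
     *
     * <p>Payload layout: negated labels first, then required labels, each group sorted, each
     * label written as a signed 2-byte length followed by its bytes. A negative length marks a
     * negated label.
     *
     * <p>Because the sign of the length prefix carries meaning, a label whose encoded form is
     * longer than {@link Short#MAX_VALUE} bytes cannot be represented: its prefix would wrap and
     * the reader would decode a different, shorter label with the opposite sign, changing who may
     * see the cell. Such labels are now rejected instead of being written.
     *
     * @param expressionNode a single label, a negated label, or an AND of those
     * @return the encoded tag
     * @throws IOException if a label is too long to encode or writing to the buffer fails
     */
    private Tag createTag(ExpressionNode expressionNode) throws IOException {
        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(encoded);
        List<String> requiredLabels = new ArrayList<String>();
        List<String> negatedLabels = new ArrayList<String>();
        extractLabels(expressionNode, requiredLabels, negatedLabels);
        // Sorting gives equal expressions an identical byte encoding, which the tag comparison
        // in this class relies on.
        Collections.sort(requiredLabels);
        Collections.sort(negatedLabels);
        for (String label : negatedLabels) {
            byte[] labelBytes = Bytes.toBytes(label);
            if (labelBytes.length > Short.MAX_VALUE) {
                throw new IOException("Visibility label is too long to encode: " + labelBytes.length
                        + " bytes (maximum " + Short.MAX_VALUE + ")");
            }
            // NOTE(review): a zero-length negated label would be written as 0 and read back as a
            // required empty label — confirm the parser never yields empty identifiers.
            out.writeShort(-labelBytes.length);
            out.write(labelBytes);
        }
        for (String label : requiredLabels) {
            byte[] labelBytes = Bytes.toBytes(label);
            if (labelBytes.length > Short.MAX_VALUE) {
                throw new IOException("Visibility label is too long to encode: " + labelBytes.length
                        + " bytes (maximum " + Short.MAX_VALUE + ")");
            }
            out.writeShort(labelBytes.length);
            out.write(labelBytes);
        }
        return new Tag((byte) 2, encoded.toByteArray());
    }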

    /**
     * Collects the labels of one AND-term into required and negated lists.
     *
     * <p>A single node is either a leaf (required label) or a non-leaf wrapping one leaf, which
     * this method treats as a negation. Anything else is walked recursively as an AND of children.
     *
     * @param expressionNode the term to walk
     * @param list receives required labels
     * @param list2 receives negated labels
     */
    private void extractLabels(ExpressionNode expressionNode, List<String> list, List<String> list2) {
        if (!expressionNode.isSingleNode()) {
            NonLeafExpressionNode conjunction = (NonLeafExpressionNode) expressionNode;
            // Decompiled form of "assert operator == AND"; not enforced when assertions are off,
            // in which case any other operator is walked as if it were AND.
            if (!$assertionsDisabled && conjunction.getOperator() != Operator.AND) {
                throw new AssertionError();
            }
            for (ExpressionNode child : conjunction.getChildExps()) {
                extractLabels(child, list, list2);
            }
            return;
        }
        if (expressionNode instanceof NonLeafExpressionNode) {
            // Single non-leaf node: its only operand is the negated label.
            ExpressionNode operand = ((NonLeafExpressionNode) expressionNode).getChildExps().get(0);
            list2.add(((LeafExpressionNode) operand).getIdentifier());
        } else {
            list.add(((LeafExpressionNode) expressionNode).getIdentifier());
        }
    }

    /**
     * Returns the configuration last supplied through {@link #setConf(Configuration)}.
     *
     * @return the current configuration, or {@code null} if none has been set
     */
    public Configuration getConf() {
        Configuration current = this.conf;
        return current;
    }

    /**
     * Stores the configuration used to open the labels table and to load the scan label
     * generators in {@code init}.
     *
     * @param configuration the configuration to use; stored as given, without validation
     */
    public void setConf(Configuration configuration) {
        conf = configuration;
    }

    /**
     * Prepares the service for the region it is attached to.
     *
     * <p>Loads the scan label generators from the configuration and, only when the hosting region
     * belongs to the labels table, remembers that region so that grants, revocations and reads
     * go through it directly.
     *
     * @param regionCoprocessorEnvironment environment of the hosting region
     * @throws IOException declared by the interface
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public void init(RegionCoprocessorEnvironment regionCoprocessorEnvironment) throws IOException {
        this.scanLabelGenerators = VisibilityUtils.getScanLabelGenerators(this.conf);
        Region hostRegion = regionCoprocessorEnvironment.getRegion();
        boolean hostsLabelsTable = hostRegion.getRegionInfo().getTable().equals(VisibilityConstants.LABELS_TABLE_NAME);
        if (hostsLabelsTable) {
            this.labelsRegion = regionCoprocessorEnvironment.getRegion();
        }
    }

    /**
     * Tells whether the named user holds system authorization: either a superuser, or a user
     * whose own labels include the system label. Group labels are not considered by this overload.
     *
     * <p>At trace level the user's full label list is written to the log.
     *
     * @param bArr user name as bytes
     * @return {@code true} if the user is a superuser or holds the system label
     * @throws IOException if the user's labels cannot be read
     * @deprecated the {@link #havingSystemAuth(User)} overload also takes group labels into account
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    @Deprecated
    public boolean havingSystemAuth(byte[] bArr) throws IOException {
        String principal = Bytes.toString(bArr);
        if (Superusers.isSuperUser(principal)) {
            return true;
        }
        List<String> grantedLabels = getUserAuths(bArr, true);
        if (LOG.isTraceEnabled()) {
            LOG.trace("The auths for user " + principal + " are " + grantedLabels);
        }
        boolean hasSystemLabel = grantedLabels.contains(VisibilityUtils.SYSTEM_LABEL);
        return hasSystemLabel;
    }

    /**
     * Tells whether the user holds system authorization: either a superuser, or a user for whom
     * the system label is granted directly or through any of the user's groups.
     *
     * <p>A {@code true} result lets the user read every cell regardless of visibility tags (see
     * {@code getVisibilityExpEvaluator}).
     *
     * @param user the user to check
     * @return {@code true} if the user is a superuser or holds the system label
     * @throws IOException if the user's or groups' labels cannot be read
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public boolean havingSystemAuth(User user) throws IOException {
        if (Superusers.isSuperUser(user)) {
            return true;
        }
        // Direct grants first, then grants inherited from the user's groups.
        HashSet<String> effectiveLabels = new HashSet<String>(getUserAuths(Bytes.toBytes(user.getShortName()), true));
        effectiveLabels.addAll(getGroupAuths(user.getGroupNames(), true));
        return effectiveLabels.contains(VisibilityUtils.SYSTEM_LABEL);
    }

    /**
     * Compares two sets of visibility tags for equality of the expressions they encode.
     *
     * <p>Both serialization formats are expected to be 2, but that is checked only through
     * assertion-style guards. With assertions disabled the formats are ignored and the tags are
     * compared as if both were in this implementation's format.
     *
     * @param list tags of the first cell
     * @param b serialization format of {@code list}
     * @param list2 tags of the second cell
     * @param b2 serialization format of {@code list2}
     * @return {@code true} if the tag sets match
     * @throws IOException declared by the interface
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public boolean matchVisibility(List<Tag> list, Byte b, List<Tag> list2, Byte b2) throws IOException {
        if (!$assertionsDisabled) {
            // Decompiled form of two consecutive asserts on the serialization formats.
            if (b.byteValue() != 2) {
                throw new AssertionError();
            }
            if (b2.byteValue() != 2) {
                throw new AssertionError();
            }
        }
        return checkForMatchingVisibilityTagsWithSortedOrder(list, list2);
    }

    /**
     * Tells whether two tag lists encode the same set of terms.
     *
     * <p>Two empty lists match. Otherwise the lists must have the same size and every tag of
     * {@code list2} must have a byte-identical payload somewhere in {@code list}. The comparison
     * depends on each payload having been written with sorted labels (as {@code createTag} does).
     *
     * <p>NOTE(review): the check runs in one direction only, so a {@code list2} containing the
     * same tag twice would match a {@code list} of equal size holding that tag plus a different
     * one — confirm callers never pass duplicates.
     *
     * @param list tags to search in
     * @param list2 tags that must each be found
     * @return {@code true} if the lists match as described
     */
    private static boolean checkForMatchingVisibilityTagsWithSortedOrder(List<Tag> list, List<Tag> list2) {
        if (list.isEmpty() && list2.isEmpty()) {
            return true;
        }
        if (list2.size() != list.size()) {
            return false;
        }
        for (Tag wanted : list2) {
            boolean found = false;
            for (Tag candidate : list) {
                if (Bytes.equals(wanted.getBuffer(), wanted.getTagOffset(), wanted.getTagLength(),
                        candidate.getBuffer(), candidate.getTagOffset(), candidate.getTagLength())) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                return false;
            }
        }
        // Sizes are equal and not both zero, so the loop ran and every tag was found.
        return true;
    }

    /**
     * Rebuilds the textual visibility expression from a cell's tags so it can be shipped to a
     * replication peer.
     *
     * @param list the cell's tags
     * @param b serialization format of the tags; {@code null} is treated like format 2
     * @return the expression bytes, or {@code null} when there are no tags, the format is not 2,
     *     or none of the tags is a visibility tag
     * @throws IOException declared by the interface
     */
    @Override // org.apache.hadoop.hbase.security.visibility.VisibilityLabelService
    public byte[] encodeVisibilityForReplication(List<Tag> list, Byte b) throws IOException {
        if (list.size() <= 0) {
            return null;
        }
        boolean stringFormat = (b == null) || (b.byteValue() == 2);
        return stringFormat ? createModifiedVisExpression(list) : null;
    }

    /**
     * Decodes type-2 tags back into a visibility expression string.
     *
     * <p>Each tag becomes one parenthesised AND-term; terms are joined with {@code |}. Inside a
     * tag the payload is read as repeated [2-byte length][label bytes] entries, a negative length
     * marking a negated label (written with a leading {@code !}). Labels are passed through
     * {@code CellVisibility.quote} before being appended.
     *
     * <p>NOTE(review): lengths are taken from the tag bytes without a bounds check against the
     * tag's end; a malformed tag presumably surfaces as an exception from {@code Bytes} — confirm.
     *
     * @param list the cell's tags; tags of other types are skipped
     * @return the expression bytes, or {@code null} if no type-2 tag contributed anything
     * @throws IOException declared for callers; not thrown directly by this body
     */
    private byte[] createModifiedVisExpression(List<Tag> list) throws IOException {
        StringBuilder expression = new StringBuilder();
        for (Tag tag : list) {
            if (tag.getType() != 2) {
                continue;
            }
            if (expression.length() != 0) {
                // Close the previous term and start the next OR operand.
                expression.append(")|");
            }
            int cursor = tag.getTagOffset();
            final int end = cursor + tag.getTagLength();
            boolean firstLabel = true;
            while (cursor < end) {
                short length = Bytes.toShort(tag.getBuffer(), cursor);
                final int labelStart = cursor + 2;
                final boolean negated = length < 0;
                if (negated) {
                    length = (short) (-length);
                }
                String label = Bytes.toString(tag.getBuffer(), labelStart, length);
                if (negated) {
                    expression.append(firstLabel ? "(!" : "&!").append(CellVisibility.quote(label));
                } else if (firstLabel) {
                    expression.append(VisibilityConstants.OPEN_PARAN).append(CellVisibility.quote(label));
                } else {
                    expression.append(VisibilityConstants.AND_OPERATOR).append(CellVisibility.quote(label));
                }
                firstLabel = false;
                cursor = labelStart + length;
            }
        }
        if (expression.length() == 0) {
            return null;
        }
        expression.append(VisibilityConstants.CLOSED_PARAN);
        return Bytes.toBytes(expression.toString());
    }

    static {
        // Decompiler rendering of javac's assertion support: true unless the JVM enables assertions
        // for this class. Every "!$assertionsDisabled && ..." guard in the class depends on it.
        $assertionsDisabled = !ExpAsStringVisibilityLabelServiceImpl.class.desiredAssertionStatus();
        LOG = LogFactory.getLog(ExpAsStringVisibilityLabelServiceImpl.class);
        // Empty value stored with every granted label in setAuths.
        DUMMY_VALUE = new byte[0];
        // Tag of type 4 whose single payload byte is 2, the value of STRING_SERIALIZATION_FORMAT.
        // NOTE(review): 4 is presumably the serialization-format tag type constant inlined by the
        // compiler — confirm against TagType.
        STRING_SERIALIZATION_FORMAT_TAG = new Tag((byte) 4, new byte[]{2});
    }
}
