package org.apache.hadoop.hbase.security.visibility;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellScanner;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.PrivateCellUtil;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hadoop.hbase.client.Mutation;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.constraint.ConstraintException;
import org.apache.hadoop.hbase.coprocessor.CoprocessorException;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionObserver;
import org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterBase;
import org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hadoop.hbase.io.hfile.HFile;
import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos;
import org.apache.hadoop.hbase.regionserver.BloomType;
import org.apache.hadoop.hbase.regionserver.DisabledRegionSplitPolicy;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress;
import org.apache.hadoop.hbase.regionserver.OperationStatus;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.regionserver.querymatcher.DeleteTracker;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessChecker;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.util.StringUtils;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;
import org.apache.phoenix.shaded.com.google.protobuf.ByteString;
import org.apache.phoenix.shaded.com.google.protobuf.RpcCallback;
import org.apache.phoenix.shaded.com.google.protobuf.RpcController;
import org.apache.phoenix.shaded.com.google.protobuf.Service;
import org.apache.phoenix.shaded.org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@CoreCoprocessor
@InterfaceAudience.LimitedPrivate({HBaseInterfaceAudience.CONFIG})
/* loaded from: input_file:org/apache/hadoop/hbase/security/visibility/VisibilityController.class */
public class VisibilityController implements MasterCoprocessor, RegionCoprocessor, VisibilityLabelsProtos.VisibilityLabelsService.Interface, MasterObserver, RegionObserver {
    private Configuration conf;
    private VisibilityLabelService visibilityLabelService;
    boolean authorizationEnabled;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) VisibilityController.class);
    private static final Logger AUDITLOG = LoggerFactory.getLogger("SecurityLogger." + VisibilityController.class.getName());
    private static ArrayList<Byte> RESERVED_VIS_TAG_TYPES = new ArrayList<>();
    private boolean labelsRegion = false;
    private boolean accessControllerAvailable = false;
    private volatile boolean initialized = false;
    private boolean checkAuths = false;
    private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();

    /* loaded from: input_file:org/apache/hadoop/hbase/security/visibility/VisibilityController$DeleteVersionVisibilityExpressionFilter.class */
    private static class DeleteVersionVisibilityExpressionFilter extends FilterBase {
        private List<Tag> deleteCellVisTags;
        private Byte deleteCellVisTagsFormat;

        public DeleteVersionVisibilityExpressionFilter(List<Tag> list, Byte b) {
            this.deleteCellVisTags = list;
            this.deleteCellVisTagsFormat = b;
        }

        @Override // org.apache.hadoop.hbase.filter.FilterBase, org.apache.hadoop.hbase.filter.Filter
        public boolean filterRowKey(Cell cell) throws IOException {
            return false;
        }

        @Override // org.apache.hadoop.hbase.filter.Filter
        public Filter.ReturnCode filterCell(Cell cell) throws IOException {
            ArrayList arrayList = new ArrayList();
            Byte extractVisibilityTags = VisibilityUtils.extractVisibilityTags(cell, arrayList);
            if ((!arrayList.isEmpty() || !this.deleteCellVisTags.isEmpty()) && !VisibilityLabelServiceManager.getInstance().getVisibilityLabelService().matchVisibility(arrayList, extractVisibilityTags, this.deleteCellVisTags, this.deleteCellVisTagsFormat)) {
                return Filter.ReturnCode.SKIP;
            }
            return Filter.ReturnCode.INCLUDE;
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof DeleteVersionVisibilityExpressionFilter)) {
                return false;
            }
            if (this == obj) {
                return true;
            }
            DeleteVersionVisibilityExpressionFilter deleteVersionVisibilityExpressionFilter = (DeleteVersionVisibilityExpressionFilter) obj;
            return this.deleteCellVisTags.equals(deleteVersionVisibilityExpressionFilter.deleteCellVisTags) && this.deleteCellVisTagsFormat.equals(deleteVersionVisibilityExpressionFilter.deleteCellVisTagsFormat);
        }

        public int hashCode() {
            return Objects.hash(this.deleteCellVisTags, this.deleteCellVisTagsFormat);
        }
    }

    public static boolean isCellAuthorizationSupported(Configuration configuration) {
        return AccessChecker.isAuthorizationSupported(configuration);
    }

    @Override // org.apache.hadoop.hbase.Coprocessor
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        this.conf = coprocessorEnvironment.getConfiguration();
        this.authorizationEnabled = AccessChecker.isAuthorizationSupported(this.conf);
        if (!this.authorizationEnabled) {
            LOG.warn("The VisibilityController has been loaded with authorization checks disabled.");
        }
        if (HFile.getFormatVersion(this.conf) < 3) {
            throw new RuntimeException("A minimum HFile version of 3 is required to persist visibility labels. Consider setting hfile.format.version accordingly.");
        }
        if (coprocessorEnvironment instanceof MasterCoprocessorEnvironment) {
            return;
        }
        this.visibilityLabelService = VisibilityLabelServiceManager.getInstance().getVisibilityLabelService(this.conf);
    }

    @Override // org.apache.hadoop.hbase.Coprocessor
    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessor
    public Optional<RegionObserver> getRegionObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterCoprocessor
    public Optional<MasterObserver> getMasterObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hadoop.hbase.Coprocessor
    public Iterable<Service> getServices() {
        return Collections.singleton(VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this));
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        Admin admin = observerContext.getEnvironment().getConnection().getAdmin();
        Throwable th = null;
        try {
            try {
                if (!admin.tableExists(VisibilityConstants.LABELS_TABLE_NAME)) {
                    admin.createTable(TableDescriptorBuilder.newBuilder(VisibilityConstants.LABELS_TABLE_NAME).setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(VisibilityConstants.LABELS_TABLE_FAMILY).setBloomFilterType(BloomType.NONE).setBlockCacheEnabled(false).build()).setValue("SPLIT_POLICY", DisabledRegionSplitPolicy.class.getName()).build());
                }
                if (admin != null) {
                    if (0 == 0) {
                        admin.close();
                        return;
                    }
                    try {
                        admin.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (admin != null) {
                if (th != null) {
                    try {
                        admin.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    admin.close();
                }
            }
            throw th4;
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, TableDescriptor tableDescriptor, TableDescriptor tableDescriptor2) throws IOException {
        if (this.authorizationEnabled && VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot alter " + VisibilityConstants.LABELS_TABLE_NAME);
        }
        return tableDescriptor2;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        if (this.authorizationEnabled && VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot disable " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) {
        if (!observerContext.getEnvironment().getRegion().getRegionInfo().getTable().equals(VisibilityConstants.LABELS_TABLE_NAME)) {
            this.checkAuths = observerContext.getEnvironment().getConfiguration().getBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, false);
            initVisibilityLabelService(observerContext.getEnvironment());
        } else {
            this.labelsRegion = true;
            synchronized (this) {
                this.accessControllerAvailable = CoprocessorHost.getLoadedCoprocessors().contains(AccessController.class.getName());
            }
            initVisibilityLabelService(observerContext.getEnvironment());
        }
    }

    private void initVisibilityLabelService(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        try {
            this.visibilityLabelService.init(regionCoprocessorEnvironment);
            this.initialized = true;
        } catch (IOException e) {
            LOG.error("Error while initializing VisibilityLabelService..", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postSetSplitOrMergeEnabled(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z, MasterSwitchType masterSwitchType) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> observerContext, MiniBatchOperationInProgress<Mutation> miniBatchOperationInProgress) throws IOException {
        if (observerContext.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) {
            return;
        }
        HashMap hashMap = new HashMap();
        for (int i = 0; i < miniBatchOperationInProgress.size(); i++) {
            Mutation operation = miniBatchOperationInProgress.getOperation(i);
            try {
                CellVisibility cellVisibility = operation.getCellVisibility();
                boolean z = false;
                boolean z2 = false;
                Pair<Boolean, Tag> pair = new Pair<>(false, null);
                CellScanner cellScanner = operation.cellScanner();
                while (true) {
                    if (!cellScanner.advance()) {
                        break;
                    }
                    pair = checkForReservedVisibilityTagPresence(cellScanner.current(), pair);
                    if (pair.getFirst().booleanValue()) {
                        Tag second = pair.getSecond();
                        if (cellVisibility == null && second != null) {
                            cellVisibility = new CellVisibility(Tag.getValueAsString(second));
                            z2 = true;
                        }
                    } else if (this.authorizationEnabled) {
                        miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, "Mutation contains cell with reserved type tag"));
                        z = true;
                    }
                }
                if (!z && (((operation instanceof Put) || (operation instanceof Delete)) && cellVisibility != null)) {
                    String expression = cellVisibility.getExpression();
                    List<Tag> list = (List) hashMap.get(expression);
                    if (list == null) {
                        try {
                            list = this.visibilityLabelService.createVisibilityExpTags(expression, true, this.authorizationEnabled && this.checkAuths && !isSystemOrSuperUser());
                        } catch (InvalidLabelException e) {
                            miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, e.getMessage()));
                        }
                        if (list != null) {
                            hashMap.put(expression, list);
                        }
                    }
                    if (list != null) {
                        ArrayList<Cell> arrayList = new ArrayList();
                        CellScanner cellScanner2 = operation.cellScanner();
                        while (cellScanner2.advance()) {
                            Cell current = cellScanner2.current();
                            List<Tag> tags = PrivateCellUtil.getTags(current);
                            if (z2) {
                                removeReplicationVisibilityTag(tags);
                            }
                            tags.addAll(list);
                            arrayList.add(PrivateCellUtil.createCell(current, tags));
                        }
                        operation.getFamilyCellMap().clear();
                        for (Cell cell : arrayList) {
                            if (operation instanceof Put) {
                                ((Put) operation).add(cell);
                            } else {
                                ((Delete) operation).add(cell);
                            }
                        }
                    }
                }
            } catch (DeserializationException e2) {
                miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, e2.getMessage()));
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void prePrepareTimeStampForDeleteVersion(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, Cell cell, byte[] bArr, Get get) throws IOException {
        if (this.authorizationEnabled) {
            try {
                CellVisibility cellVisibility = mutation.getCellVisibility();
                List arrayList = new ArrayList();
                if (cellVisibility != null) {
                    String expression = cellVisibility.getExpression();
                    try {
                        arrayList = this.visibilityLabelService.createVisibilityExpTags(expression, false, false);
                    } catch (InvalidLabelException e) {
                        throw new IOException("Invalid cell visibility specified " + expression, e);
                    }
                }
                get.setFilter((Filter) new DeleteVersionVisibilityExpressionFilter(arrayList, (byte) 1));
                RegionScanner scanner = observerContext.getEnvironment().getRegion().getScanner(new Scan(get));
                Throwable th = null;
                try {
                    ArrayList arrayList2 = new ArrayList();
                    scanner.next(arrayList2);
                    if (arrayList2.size() < get.getMaxVersions()) {
                        PrivateCellUtil.updateLatestStamp(cell, bArr);
                        if (scanner != null) {
                            if (0 == 0) {
                                scanner.close();
                                return;
                            }
                            try {
                                scanner.close();
                                return;
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                                return;
                            }
                        }
                        return;
                    }
                    if (arrayList2.size() > get.getMaxVersions()) {
                        throw new RuntimeException("Unexpected size: " + arrayList2.size() + ". Results more than the max versions obtained.");
                    }
                    PrivateCellUtil.setTimestamp(cell, arrayList2.get(get.getMaxVersions() - 1).getTimestamp());
                    if (scanner != null) {
                        if (0 != 0) {
                            try {
                                scanner.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        } else {
                            scanner.close();
                        }
                    }
                    observerContext.bypass();
                } catch (Throwable th4) {
                    if (scanner != null) {
                        if (0 != 0) {
                            try {
                                scanner.close();
                            } catch (Throwable th5) {
                                th.addSuppressed(th5);
                            }
                        } else {
                            scanner.close();
                        }
                    }
                    throw th4;
                }
            } catch (DeserializationException e2) {
                throw new IOException("Invalid cell visibility specified " + mutation, e2);
            }
        }
    }

    private Pair<Boolean, Tag> checkForReservedVisibilityTagPresence(Cell cell, Pair<Boolean, Tag> pair) throws IOException {
        if (pair == null) {
            pair = new Pair<>(false, null);
        } else {
            pair.setFirst(false);
            pair.setSecond(null);
        }
        if (!isSystemOrSuperUser()) {
            Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
            while (tagsIterator.hasNext()) {
                if (RESERVED_VIS_TAG_TYPES.contains(Byte.valueOf(tagsIterator.next().getType()))) {
                    return pair;
                }
            }
            pair.setFirst(true);
            return pair;
        }
        Tag tag = null;
        Iterator<Tag> tagsIterator2 = PrivateCellUtil.tagsIterator(cell);
        while (true) {
            if (!tagsIterator2.hasNext()) {
                break;
            }
            Tag next = tagsIterator2.next();
            if (next.getType() == 7) {
                tag = next;
                break;
            }
        }
        pair.setFirst(true);
        pair.setSecond(tag);
        return pair;
    }

    private void removeReplicationVisibilityTag(List<Tag> list) throws IOException {
        Iterator<Tag> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().getType() == 7) {
                it.remove();
                return;
            }
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan) throws IOException {
        if (!this.initialized) {
            throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");
        }
        if (this.authorizationEnabled) {
            Region region = observerContext.getEnvironment().getRegion();
            try {
                Authorizations authorizations = scan.getAuthorizations();
                if (authorizations == null) {
                    TableName table = region.getRegionInfo().getTable();
                    if (table.isSystemTable() && !table.equals(VisibilityConstants.LABELS_TABLE_NAME)) {
                        return;
                    }
                }
                Filter createVisibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region, authorizations);
                if (createVisibilityLabelFilter != null) {
                    Filter filter = scan.getFilter();
                    if (filter != null) {
                        scan.setFilter((Filter) new FilterList(filter, createVisibilityLabelFilter));
                    } else {
                        scan.setFilter(createVisibilityLabelFilter);
                    }
                }
            } catch (DeserializationException e) {
                throw new IOException(e);
            }
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public DeleteTracker postInstantiateDeleteTracker(ObserverContext<RegionCoprocessorEnvironment> observerContext, DeleteTracker deleteTracker) throws IOException {
        if (this.authorizationEnabled && !observerContext.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) {
            return new VisibilityScanDeleteTracker(deleteTracker.getCellComparator());
        }
        return deleteTracker;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        User activeUser = VisibilityUtils.getActiveUser();
        if (activeUser != null && activeUser.getShortName() != null) {
            this.scannerOwners.put(regionScanner, activeUser.getShortName());
        }
        return regionScanner;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, List<Result> list, int i, boolean z) throws IOException {
        requireScannerOwner(internalScanner);
        return z;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        requireScannerOwner(internalScanner);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        this.scannerOwners.remove(internalScanner);
    }

    private void requireScannerOwner(InternalScanner internalScanner) throws AccessDeniedException {
        if (RpcServer.isInRpcCallContext()) {
            String orElse = RpcServer.getRequestUserName().orElse(null);
            String str = this.scannerOwners.get(internalScanner);
            if (this.authorizationEnabled && str != null && !str.equals(orElse)) {
                throw new AccessDeniedException("User '" + orElse + "' is not the scanner owner!");
            }
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, List<Cell> list) throws IOException {
        if (!this.initialized) {
            throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");
        }
        if (this.authorizationEnabled) {
            Region region = observerContext.getEnvironment().getRegion();
            try {
                Authorizations authorizations = get.getAuthorizations();
                if (authorizations == null) {
                    TableName table = region.getRegionInfo().getTable();
                    if (table.isSystemTable() && !table.equals(VisibilityConstants.LABELS_TABLE_NAME)) {
                        return;
                    }
                }
                Filter createVisibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(observerContext.getEnvironment().getRegion(), authorizations);
                if (createVisibilityLabelFilter != null) {
                    Filter filter = get.getFilter();
                    if (filter != null) {
                        get.setFilter((Filter) new FilterList(filter, createVisibilityLabelFilter));
                    } else {
                        get.setFilter(createVisibilityLabelFilter);
                    }
                }
            } catch (DeserializationException e) {
                throw new IOException(e);
            }
        }
    }

    private boolean isSystemOrSuperUser() throws IOException {
        return Superusers.isSuperUser(VisibilityUtils.getActiveUser());
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public List<Pair<Cell, Cell>> postIncrementBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, List<Pair<Cell, Cell>> list) throws IOException {
        ArrayList arrayList = new ArrayList(list.size());
        for (Pair<Cell, Cell> pair : list) {
            arrayList.add(new Pair(pair.getFirst(), createNewCellWithTags(mutation, pair.getSecond())));
        }
        return arrayList;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.RegionObserver
    public List<Pair<Cell, Cell>> postAppendBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, List<Pair<Cell, Cell>> list) throws IOException {
        ArrayList arrayList = new ArrayList(list.size());
        for (Pair<Cell, Cell> pair : list) {
            arrayList.add(new Pair(pair.getFirst(), createNewCellWithTags(mutation, pair.getSecond())));
        }
        return arrayList;
    }

    private Cell createNewCellWithTags(Mutation mutation, Cell cell) throws IOException {
        ArrayList newArrayList = Lists.newArrayList();
        try {
            CellVisibility cellVisibility = mutation.getCellVisibility();
            if (cellVisibility == null) {
                return cell;
            }
            newArrayList.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(), true, this.authorizationEnabled && this.checkAuths && !isSystemOrSuperUser()));
            Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
            while (tagsIterator.hasNext()) {
                Tag next = tagsIterator.next();
                if (next.getType() != 2 && next.getType() != 4) {
                    newArrayList.add(next);
                }
            }
            return PrivateCellUtil.createCell(cell, newArrayList);
        } catch (DeserializationException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService.Interface
    public synchronized void addLabels(RpcController rpcController, VisibilityLabelsProtos.VisibilityLabelsRequest visibilityLabelsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List<VisibilityLabelsProtos.VisibilityLabel> visLabelList = visibilityLabelsRequest.getVisLabelList();
        if (this.initialized) {
            List<byte[]> arrayList = new ArrayList<>(visLabelList.size());
            try {
                if (this.authorizationEnabled) {
                    checkCallingUserAuth();
                }
                ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
                Iterator<VisibilityLabelsProtos.VisibilityLabel> it = visLabelList.iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().getLabel().toByteArray());
                    newBuilder.addResult(build);
                }
                if (!arrayList.isEmpty()) {
                    OperationStatus[] addLabels = this.visibilityLabelService.addLabels(arrayList);
                    logResult(true, "addLabels", "Adding labels allowed", null, arrayList, null);
                    int i = 0;
                    for (OperationStatus operationStatus : addLabels) {
                        while (!Objects.equals(newBuilder.getResult(i), build)) {
                            i++;
                        }
                        if (operationStatus.getOperationStatusCode() != HConstants.OperationStatusCode.SUCCESS) {
                            ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                            newBuilder2.setException(buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                            newBuilder.setResult(i, newBuilder2.build());
                        }
                        i++;
                    }
                }
            } catch (AccessDeniedException e) {
                logResult(false, "addLabels", e.getMessage(), null, arrayList, null);
                LOG.error("User is not having required permissions to add labels", (Throwable) e);
                setExceptionResults(visLabelList.size(), e, newBuilder);
            } catch (IOException e2) {
                LOG.error(e2.toString(), (Throwable) e2);
                setExceptionResults(visLabelList.size(), e2, newBuilder);
            }
        } else {
            setExceptionResults(visLabelList.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    private void setExceptionResults(int i, IOException iOException, VisibilityLabelsProtos.VisibilityLabelsResponse.Builder builder) {
        ClientProtos.RegionActionResult.Builder newBuilder = ClientProtos.RegionActionResult.newBuilder();
        newBuilder.setException(buildException(iOException));
        ClientProtos.RegionActionResult build = newBuilder.build();
        for (int i2 = 0; i2 < i; i2++) {
            builder.addResult(i2, build);
        }
    }

    @Override // org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService.Interface
    public synchronized void setAuths(RpcController rpcController, VisibilityLabelsProtos.SetAuthsRequest setAuthsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List<ByteString> authList = setAuthsRequest.getAuthList();
        if (this.initialized) {
            byte[] byteArray = setAuthsRequest.getUser().toByteArray();
            List<byte[]> arrayList = new ArrayList<>(authList.size());
            try {
                if (this.authorizationEnabled) {
                    checkCallingUserAuth();
                }
                Iterator<ByteString> it = authList.iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().toByteArray());
                }
                OperationStatus[] auths = this.visibilityLabelService.setAuths(byteArray, arrayList);
                logResult(true, "setAuths", "Setting authorization for labels allowed", byteArray, arrayList, null);
                ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
                for (OperationStatus operationStatus : auths) {
                    if (operationStatus.getOperationStatusCode() == HConstants.OperationStatusCode.SUCCESS) {
                        newBuilder.addResult(build);
                    } else {
                        ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                        newBuilder2.setException(buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                        newBuilder.addResult(newBuilder2.build());
                    }
                }
            } catch (AccessDeniedException e) {
                logResult(false, "setAuths", e.getMessage(), byteArray, arrayList, null);
                LOG.error("User is not having required permissions to set authorization", (Throwable) e);
                setExceptionResults(authList.size(), e, newBuilder);
            } catch (IOException e2) {
                LOG.error(e2.toString(), (Throwable) e2);
                setExceptionResults(authList.size(), e2, newBuilder);
            }
        } else {
            setExceptionResults(authList.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    private void logResult(boolean z, String str, String str2, byte[] bArr, List<byte[]> list, String str3) {
        if (AUDITLOG.isTraceEnabled()) {
            ArrayList arrayList = new ArrayList();
            if (list != null) {
                int size = list.size();
                arrayList = new ArrayList(size);
                for (int i = 0; i < size; i++) {
                    arrayList.add(Bytes.toString(list.get(i)));
                }
            }
            User user = null;
            try {
                user = VisibilityUtils.getActiveUser();
            } catch (IOException e) {
                LOG.warn("Failed to get active system user.");
                LOG.debug("Details on failure to get active system user.", (Throwable) e);
            }
            AUDITLOG.trace("Access " + (z ? "allowed" : "denied") + " for user " + (user != null ? user.getShortName() : "UNKNOWN") + "; reason: " + str2 + "; remote address: " + ((String) RpcServer.getRemoteAddress().map((v0) -> {
                return v0.toString();
            }).orElse("")) + "; request: " + str + "; user: " + (bArr != null ? Short.valueOf(Bytes.toShort(bArr)) : "null") + "; labels: " + arrayList + "; regex: " + str3);
        }
    }

    @Override // org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService.Interface
    public synchronized void getAuths(RpcController rpcController, VisibilityLabelsProtos.GetAuthsRequest getAuthsRequest, RpcCallback<VisibilityLabelsProtos.GetAuthsResponse> rpcCallback) {
        VisibilityLabelsProtos.GetAuthsResponse.Builder newBuilder = VisibilityLabelsProtos.GetAuthsResponse.newBuilder();
        if (this.initialized) {
            byte[] byteArray = getAuthsRequest.getUser().toByteArray();
            List<String> list = null;
            try {
            } catch (AccessDeniedException e) {
                logResult(false, "getAuths", e.getMessage(), byteArray, null, null);
                CoprocessorRpcUtils.setControllerException(rpcController, e);
            } catch (IOException e2) {
                CoprocessorRpcUtils.setControllerException(rpcController, e2);
            }
            if (this.authorizationEnabled && this.accessControllerAvailable && !isSystemOrSuperUser()) {
                User activeUser = VisibilityUtils.getActiveUser();
                throw new AccessDeniedException("User '" + (activeUser != null ? activeUser.getShortName() : "null") + "' is not authorized to perform this action.");
            }
            list = AuthUtil.isGroupPrincipal(Bytes.toString(byteArray)) ? this.visibilityLabelService.getGroupAuths(new String[]{AuthUtil.getGroupName(Bytes.toString(byteArray))}, false) : this.visibilityLabelService.getUserAuths(byteArray, false);
            logResult(true, "getAuths", "Get authorizations for user allowed", byteArray, null, null);
            newBuilder.setUser(getAuthsRequest.getUser());
            if (list != null) {
                Iterator<String> it = list.iterator();
                while (it.hasNext()) {
                    newBuilder.addAuth(ByteString.copyFrom(Bytes.toBytes(it.next())));
                }
            }
        } else {
            rpcController.setFailed("VisibilityController not yet initialized");
        }
        rpcCallback.run(newBuilder.build());
    }

    @Override // org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService.Interface
    public synchronized void clearAuths(RpcController rpcController, VisibilityLabelsProtos.SetAuthsRequest setAuthsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List<ByteString> authList = setAuthsRequest.getAuthList();
        if (this.initialized) {
            byte[] byteArray = setAuthsRequest.getUser().toByteArray();
            List<byte[]> arrayList = new ArrayList<>(authList.size());
            try {
                if (this.authorizationEnabled && this.accessControllerAvailable && !isSystemOrSuperUser()) {
                    User activeUser = VisibilityUtils.getActiveUser();
                    throw new AccessDeniedException("User '" + (activeUser != null ? activeUser.getShortName() : "null") + " is not authorized to perform this action.");
                }
                if (this.authorizationEnabled) {
                    checkCallingUserAuth();
                }
                Iterator<ByteString> it = authList.iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().toByteArray());
                }
                OperationStatus[] clearAuths = this.visibilityLabelService.clearAuths(byteArray, arrayList);
                logResult(true, "clearAuths", "Removing authorization for labels allowed", byteArray, arrayList, null);
                ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
                for (OperationStatus operationStatus : clearAuths) {
                    if (operationStatus.getOperationStatusCode() == HConstants.OperationStatusCode.SUCCESS) {
                        newBuilder.addResult(build);
                    } else {
                        ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                        newBuilder2.setException(buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                        newBuilder.addResult(newBuilder2.build());
                    }
                }
            } catch (AccessDeniedException e) {
                logResult(false, "clearAuths", e.getMessage(), byteArray, arrayList, null);
                LOG.error("User is not having required permissions to clear authorization", (Throwable) e);
                setExceptionResults(authList.size(), e, newBuilder);
            } catch (IOException e2) {
                LOG.error(e2.toString(), (Throwable) e2);
                setExceptionResults(authList.size(), e2, newBuilder);
            }
        } else {
            setExceptionResults(authList.size(), new CoprocessorException("VisibilityController not yet initialized"), newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    @Override // org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService.Interface
    public synchronized void listLabels(RpcController rpcController, VisibilityLabelsProtos.ListLabelsRequest listLabelsRequest, RpcCallback<VisibilityLabelsProtos.ListLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.ListLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.ListLabelsResponse.newBuilder();
        if (this.initialized) {
            List<String> list = null;
            String regex = listLabelsRequest.hasRegex() ? listLabelsRequest.getRegex() : null;
            try {
            } catch (AccessDeniedException e) {
                logResult(false, "listLabels", e.getMessage(), null, null, regex);
                CoprocessorRpcUtils.setControllerException(rpcController, e);
            } catch (IOException e2) {
                CoprocessorRpcUtils.setControllerException(rpcController, e2);
            }
            if (this.authorizationEnabled && this.accessControllerAvailable && !isSystemOrSuperUser()) {
                User activeUser = VisibilityUtils.getActiveUser();
                throw new AccessDeniedException("User '" + (activeUser != null ? activeUser.getShortName() : "null") + "' is not authorized to perform this action.");
            }
            list = this.visibilityLabelService.listLabels(regex);
            logResult(true, "listLabels", "Listing labels allowed", null, null, regex);
            if (list != null && !list.isEmpty()) {
                Iterator<String> it = list.iterator();
                while (it.hasNext()) {
                    newBuilder.addLabel(ByteString.copyFrom(Bytes.toBytes(it.next())));
                }
            }
        } else {
            rpcController.setFailed("VisibilityController not yet initialized");
        }
        rpcCallback.run(newBuilder.build());
    }

    private void checkCallingUserAuth() throws IOException {
        if (this.authorizationEnabled && !this.accessControllerAvailable) {
            User activeUser = VisibilityUtils.getActiveUser();
            if (activeUser == null) {
                throw new IOException("Unable to retrieve calling user");
            }
            if (!this.visibilityLabelService.havingSystemAuth(activeUser)) {
                throw new AccessDeniedException("User '" + activeUser.getShortName() + "' is not authorized to perform this action.");
            }
        }
    }

    private static HBaseProtos.NameBytesPair buildException(Throwable th) {
        HBaseProtos.NameBytesPair.Builder newBuilder = HBaseProtos.NameBytesPair.newBuilder();
        newBuilder.setName(th.getClass().getName());
        newBuilder.setValue(ByteString.copyFromUtf8(StringUtils.stringifyException(th)));
        return newBuilder.build();
    }

    static {
        RESERVED_VIS_TAG_TYPES.add((byte) 2);
        RESERVED_VIS_TAG_TYPES.add((byte) 4);
        RESERVED_VIS_TAG_TYPES.add((byte) 7);
    }
}
