package org.apache.accumulo.core.iterators.user;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import org.apache.accumulo.core.client.IteratorSetting;
import org.apache.accumulo.core.data.ByteSequence;
import org.apache.accumulo.core.data.Key;
import org.apache.accumulo.core.data.Value;
import org.apache.accumulo.core.iterators.Filter;
import org.apache.accumulo.core.iterators.IteratorEnvironment;
import org.apache.accumulo.core.iterators.OptionDescriber;
import org.apache.accumulo.core.iterators.SortedKeyValueIterator;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.ColumnVisibility;
import org.apache.accumulo.core.security.VisibilityEvaluator;
import org.apache.accumulo.core.security.VisibilityParseException;
import org.apache.accumulo.core.util.BadArgumentException;
import org.apache.commons.collections.map.LRUMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/core/iterators/user/VisibilityFilter.class */
public class VisibilityFilter extends Filter implements OptionDescriber {
    protected VisibilityEvaluator ve;
    protected LRUMap cache;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) VisibilityFilter.class);
    private static final String AUTHS = "auths";
    private static final String FILTER_INVALID_ONLY = "filterInvalid";
    private boolean filterInvalid;

    @Override // org.apache.accumulo.core.iterators.Filter, org.apache.accumulo.core.iterators.WrappingIterator, org.apache.accumulo.core.iterators.SortedKeyValueIterator
    public void init(SortedKeyValueIterator<Key, Value> sortedKeyValueIterator, Map<String, String> map, IteratorEnvironment iteratorEnvironment) throws IOException {
        super.init(sortedKeyValueIterator, map, iteratorEnvironment);
        validateOptions(map);
        this.filterInvalid = Boolean.parseBoolean(map.get(FILTER_INVALID_ONLY));
        if (!this.filterInvalid) {
            String str = map.get(AUTHS);
            this.ve = new VisibilityEvaluator((str == null || str.isEmpty()) ? new Authorizations() : new Authorizations(str.getBytes(StandardCharsets.UTF_8)));
        }
        this.cache = new LRUMap(1000);
    }

    @Override // org.apache.accumulo.core.iterators.Filter
    public boolean accept(Key key, Value value) {
        ByteSequence columnVisibilityData = key.getColumnVisibilityData();
        if (this.filterInvalid) {
            Boolean bool = (Boolean) this.cache.get(columnVisibilityData);
            if (bool != null) {
                return bool.booleanValue();
            }
            try {
                new ColumnVisibility(columnVisibilityData.toArray());
                this.cache.put(columnVisibilityData, true);
                return true;
            } catch (BadArgumentException e) {
                this.cache.put(columnVisibilityData, false);
                return false;
            }
        }
        if (columnVisibilityData.length() == 0) {
            return true;
        }
        Boolean bool2 = (Boolean) this.cache.get(columnVisibilityData);
        if (bool2 != null) {
            return bool2.booleanValue();
        }
        try {
            Boolean valueOf = Boolean.valueOf(this.ve.evaluate(new ColumnVisibility(columnVisibilityData.toArray())));
            this.cache.put(columnVisibilityData, valueOf);
            return valueOf.booleanValue();
        } catch (VisibilityParseException | BadArgumentException e2) {
            log.error("Parse Error", e2);
            return false;
        }
    }

    @Override // org.apache.accumulo.core.iterators.Filter, org.apache.accumulo.core.iterators.OptionDescriber
    public OptionDescriber.IteratorOptions describeOptions() {
        OptionDescriber.IteratorOptions describeOptions = super.describeOptions();
        describeOptions.setName("visibilityFilter");
        describeOptions.setDescription("The VisibilityFilter allows you to filter for key/value pairs by a set of authorizations or filter invalid labels from corrupt files.");
        describeOptions.addNamedOption(FILTER_INVALID_ONLY, "if 'true', the iterator is instructed to ignore the authorizations and only filter invalid visibility labels (default: false)");
        describeOptions.addNamedOption(AUTHS, "the serialized set of authorizations to filter against (default: empty string, accepts only entries visible by all)");
        return describeOptions;
    }

    public static void setAuthorizations(IteratorSetting iteratorSetting, Authorizations authorizations) {
        iteratorSetting.addOption(AUTHS, authorizations.serialize());
    }

    public static void filterInvalidLabelsOnly(IteratorSetting iteratorSetting, boolean z) {
        iteratorSetting.addOption(FILTER_INVALID_ONLY, Boolean.toString(z));
    }
}
