"Normalize" visibilities on ingest and after merge

[rfecher]

Originally it was pointed out that in DataStoreUtils.mergeVisibilities we should make it more robust:

Are we worried about something like vis1 being (a)&(b) as a result of a previous merge and vis2 being a? After a few calls of passing a as vis2 with the result of the previous call as vis1, you'd end up with something like ((((a)&(b))&(a))&(a))&(a). Perhaps it would be best to implement the merging logic into the VisibilityExpression class and only merge when vis2 is not already satisfied by vis1.

However when dealing with 2 visibilities with arbitrarily complex boolean logic expressions we may need something more robust. Here's a suggestion:

I think the correct way of handling this is to always normalize all visibility expressions all the time following some consistent and repeatable criteria. Accumulo I think has a pretty good way of normalizing expressions: https://github.com/apache/accumulo/blob/2b1c4d008a7e868f0cb54f79c7b1613685b98921/core/src/main/java/org/apache/accumulo/core/security/ColumnVisibility.java#L217-L247 I'd say we normalize expressions as they come in and before they are stored, and normalize expressions after they are merged. That would seem to solve the problem here in both the easy case where you can find one visibility thats a single token as well as the more complex generic case.