package org.sonar.java.checks;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.java.checks.helpers.ExpressionsHelper;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.java.model.LiteralUtils;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

@Rule(key = "S2068")
/* loaded from: input_file:org/sonar/java/checks/HardCodedCredentialsCheck.class */
public class HardCodedCredentialsCheck extends IssuableSubscriptionVisitor {
    private static final String DEFAULT_CREDENTIAL_WORDS = "password,passwd,pwd,passphrase,java.naming.security.credentials";
    private static final String JAVA_LANG_STRING = "java.lang.String";
    private static final int MINIMUM_PASSWORD_LENGTH = 1;
    private static final int GET_CONNECTION_PASSWORD_ARGUMENT = 2;

    @RuleProperty(key = "credentialWords", description = "Comma separated list of words identifying potential credentials", defaultValue = DEFAULT_CREDENTIAL_WORDS)
    public String credentialWords = DEFAULT_CREDENTIAL_WORDS;
    private List<Pattern> variablePatterns = null;
    private List<Pattern> literalPatterns = null;
    private static final Set<String> WHITE_LIST = Collections.singleton("anonymous");
    private static final Pattern URL_PREFIX = Pattern.compile("^\\w{1,8}://");
    private static final Pattern NON_EMPTY_URL_CREDENTIAL = Pattern.compile("(?<user>[^\\s:]*+):(?<password>\\S++)");
    private static final MethodMatchers PASSWORD_AUTHENTICATION_CONSTRUCTOR = MethodMatchers.create().ofTypes(new String[]{"java.net.PasswordAuthentication"}).constructor().addParametersMatcher(new String[]{"java.lang.String", "char[]"}).build();
    private static final MethodMatchers STRING_TO_CHAR_ARRAY = MethodMatchers.create().ofTypes(new String[]{"java.lang.String"}).names(new String[]{"toCharArray"}).addWithoutParametersMatcher().build();
    private static final String JAVA_LANG_OBJECT = "java.lang.Object";
    private static final MethodMatchers EQUALS_MATCHER = MethodMatchers.create().ofAnyType().names(new String[]{"equals"}).addParametersMatcher(new String[]{JAVA_LANG_OBJECT}).build();
    private static final MethodMatchers GET_CONNECTION_MATCHER = MethodMatchers.create().ofTypes(new String[]{"java.sql.DriverManager"}).names(new String[]{"getConnection"}).withAnyParameters().build();

    private Stream<Pattern> variablePatterns() {
        if (this.variablePatterns == null) {
            this.variablePatterns = toPatterns("");
        }
        return this.variablePatterns.stream();
    }

    private Stream<Pattern> literalPatterns() {
        if (this.literalPatterns == null) {
            this.literalPatterns = toPatterns("=\\S.");
        }
        return this.literalPatterns.stream();
    }

    private List<Pattern> toPatterns(String str) {
        return (List) Stream.of((Object[]) this.credentialWords.split(",")).map((v0) -> {
            return v0.trim();
        }).map(str2 -> {
            return Pattern.compile("(" + str2 + ")" + str, GET_CONNECTION_PASSWORD_ARGUMENT);
        }).collect(Collectors.toList());
    }

    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.STRING_LITERAL, Tree.Kind.VARIABLE, Tree.Kind.ASSIGNMENT, Tree.Kind.NEW_CLASS, Tree.Kind.METHOD_INVOCATION);
    }

    public void visitNode(Tree tree) {
        if (tree.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL})) {
            handleStringLiteral((LiteralTree) tree);
            return;
        }
        if (tree.is(new Tree.Kind[]{Tree.Kind.VARIABLE})) {
            handleVariable((VariableTree) tree);
            return;
        }
        if (tree.is(new Tree.Kind[]{Tree.Kind.ASSIGNMENT})) {
            handleAssignment((AssignmentExpressionTree) tree);
        } else if (tree.is(new Tree.Kind[]{Tree.Kind.NEW_CLASS})) {
            handleConstructor((NewClassTree) tree);
        } else {
            handleMethodInvocation((MethodInvocationTree) tree);
        }
    }

    private Optional<String> isSettingPassword(MethodInvocationTree methodInvocationTree) {
        Arguments arguments = methodInvocationTree.arguments();
        return (arguments.size() == GET_CONNECTION_PASSWORD_ARGUMENT && isArgumentsSuperTypeOfString(arguments) && !isPasswordLikeName((ExpressionTree) arguments.get(MINIMUM_PASSWORD_LENGTH)) && isNotExcludedString((ExpressionTree) arguments.get(MINIMUM_PASSWORD_LENGTH))) ? isPassword((ExpressionTree) arguments.get(0)) : Optional.empty();
    }

    private Optional<String> isPassword(ExpressionTree expressionTree) {
        String value = ExpressionsHelper.getConstantValueAsString(expressionTree).value();
        return StringUtils.isEmpty(value) ? Optional.empty() : variablePatterns().map(pattern -> {
            return pattern.matcher(value);
        }).filter((v0) -> {
            return v0.matches();
        }).map(matcher -> {
            return matcher.group(MINIMUM_PASSWORD_LENGTH);
        }).findAny();
    }

    private Optional<String> isPasswordVariableName(IdentifierTree identifierTree) {
        return isPasswordLikeName(identifierTree.name());
    }

    private boolean isPasswordLikeName(ExpressionTree expressionTree) {
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL})) {
            return isPasswordLikeName(LiteralUtils.trimQuotes(((LiteralTree) expressionTree).value())).isPresent();
        }
        return false;
    }

    private Optional<String> isPasswordLikeName(String str) {
        return variablePatterns().map(pattern -> {
            return pattern.matcher(str);
        }).filter((v0) -> {
            return v0.find();
        }).map(matcher -> {
            return matcher.group(MINIMUM_PASSWORD_LENGTH);
        }).findAny();
    }

    private Optional<String> isPasswordVariable(ExpressionTree expressionTree) {
        return expressionTree.is(new Tree.Kind[]{Tree.Kind.MEMBER_SELECT}) ? isPasswordVariableName(((MemberSelectExpressionTree) expressionTree).identifier()) : expressionTree.is(new Tree.Kind[]{Tree.Kind.IDENTIFIER}) ? isPasswordVariableName((IdentifierTree) expressionTree) : Optional.empty();
    }

    private static boolean isCallOnStringLiteral(ExpressionTree expressionTree) {
        return expressionTree.is(new Tree.Kind[]{Tree.Kind.MEMBER_SELECT}) && isNotExcludedString(((MemberSelectExpressionTree) expressionTree).expression());
    }

    private void handleStringLiteral(LiteralTree literalTree) {
        String trimQuotes = LiteralUtils.trimQuotes(literalTree.value());
        if (isURLWithCredentials(trimQuotes)) {
            reportIssue(literalTree, "Review this hard-coded URL, which may contain a credential.");
        } else {
            if (isPartOfConstantPasswordDeclaration(literalTree)) {
                return;
            }
            literalPatterns().map(pattern -> {
                return pattern.matcher(trimQuotes);
            }).filter((v0) -> {
                return v0.find();
            }).map(matcher -> {
                return matcher.group(MINIMUM_PASSWORD_LENGTH);
            }).filter(str -> {
                return !isExcludedLiteral(trimQuotes, str);
            }).findAny().ifPresent(str2 -> {
                report(literalTree, str2);
            });
        }
    }

    private static boolean isURLWithCredentials(String str) {
        if (!URL_PREFIX.matcher(str).find()) {
            return false;
        }
        try {
            String userInfo = new URL(str).getUserInfo();
            if (userInfo == null) {
                return false;
            }
            Matcher matcher = NON_EMPTY_URL_CREDENTIAL.matcher(userInfo);
            if (matcher.matches()) {
                if (!matcher.group("user").equals(matcher.group("password"))) {
                    return true;
                }
            }
            return false;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    private boolean isPartOfConstantPasswordDeclaration(LiteralTree literalTree) {
        VariableTree parent = literalTree.parent();
        return parent != null && parent.is(new Tree.Kind[]{Tree.Kind.VARIABLE}) && isPasswordVariableName(parent.simpleName()).isPresent();
    }

    private static boolean isExcludedLiteral(String str, String str2) {
        String substring = str.substring(str.indexOf(str2) + str2.length() + MINIMUM_PASSWORD_LENGTH);
        return !isNotExcludedString(substring) || substring.startsWith("?") || substring.startsWith(":") || substring.startsWith("\\\"") || substring.contains("%s");
    }

    private void handleVariable(VariableTree variableTree) {
        IdentifierTree simpleName = variableTree.simpleName();
        isPasswordVariableName(simpleName).filter(str -> {
            ExpressionTree initializer = variableTree.initializer();
            return initializer != null && isNotExcluded(initializer) && isNotPasswordConst(initializer);
        }).ifPresent(str2 -> {
            report(simpleName, str2);
        });
    }

    private void handleAssignment(AssignmentExpressionTree assignmentExpressionTree) {
        ExpressionTree variable = assignmentExpressionTree.variable();
        isPasswordVariable(variable).filter(str -> {
            return isNotExcluded(assignmentExpressionTree.expression());
        }).ifPresent(str2 -> {
            report(variable, str2);
        });
    }

    private static boolean isArgumentsSuperTypeOfString(List<ExpressionTree> list) {
        return list.stream().allMatch(expressionTree -> {
            return expressionTree.symbolType().is("java.lang.String") || expressionTree.symbolType().is(JAVA_LANG_OBJECT);
        });
    }

    private boolean isNotPasswordConst(ExpressionTree expressionTree) {
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.METHOD_INVOCATION})) {
            MemberSelectExpressionTree methodSelect = ((MethodInvocationTree) expressionTree).methodSelect();
            return methodSelect.is(new Tree.Kind[]{Tree.Kind.MEMBER_SELECT}) && isNotPasswordConst(methodSelect.expression());
        }
        String value = ExpressionsHelper.getConstantValueAsString(expressionTree).value();
        return value == null || variablePatterns().map(pattern -> {
            return pattern.matcher(value);
        }).noneMatch((v0) -> {
            return v0.find();
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isNotExcluded(ExpressionTree expressionTree) {
        if (!expressionTree.is(new Tree.Kind[]{Tree.Kind.METHOD_INVOCATION})) {
            return isNotExcludedString(expressionTree);
        }
        MethodInvocationTree methodInvocationTree = (MethodInvocationTree) expressionTree;
        return STRING_TO_CHAR_ARRAY.matches(methodInvocationTree) && isCallOnStringLiteral(methodInvocationTree.methodSelect());
    }

    private static boolean isNotExcludedString(ExpressionTree expressionTree) {
        return isNotExcludedString(ExpressionsHelper.getConstantValueAsString(expressionTree).value());
    }

    private static boolean isNotExcludedString(@Nullable String str) {
        return (str == null || str.trim().isEmpty() || str.length() <= MINIMUM_PASSWORD_LENGTH || WHITE_LIST.contains(str)) ? false : true;
    }

    private void handleConstructor(NewClassTree newClassTree) {
        if (PASSWORD_AUTHENTICATION_CONSTRUCTOR.matches(newClassTree)) {
            MethodInvocationTree methodInvocationTree = (ExpressionTree) newClassTree.arguments().get(MINIMUM_PASSWORD_LENGTH);
            if (methodInvocationTree.is(new Tree.Kind[]{Tree.Kind.METHOD_INVOCATION})) {
                MethodInvocationTree methodInvocationTree2 = methodInvocationTree;
                if (STRING_TO_CHAR_ARRAY.matches(methodInvocationTree2) && isCallOnStringLiteral(methodInvocationTree2.methodSelect())) {
                    reportIssue(newClassTree, "Remove this hard-coded password.");
                }
            }
        }
    }

    private void handleMethodInvocation(MethodInvocationTree methodInvocationTree) {
        ExpressionTree methodSelect = methodInvocationTree.methodSelect();
        if (EQUALS_MATCHER.matches(methodInvocationTree) && methodSelect.is(new Tree.Kind[]{Tree.Kind.MEMBER_SELECT})) {
            handleEqualsMethod(methodInvocationTree, (MemberSelectExpressionTree) methodSelect);
        } else if (GET_CONNECTION_MATCHER.matches(methodInvocationTree)) {
            handleGetConnectionMethod(methodInvocationTree);
        } else {
            isSettingPassword(methodInvocationTree).ifPresent(str -> {
                report(ExpressionUtils.methodName(methodInvocationTree), str);
            });
        }
    }

    private void handleEqualsMethod(MethodInvocationTree methodInvocationTree, MemberSelectExpressionTree memberSelectExpressionTree) {
        ExpressionTree expression = memberSelectExpressionTree.expression();
        ExpressionTree expressionTree = (ExpressionTree) methodInvocationTree.arguments().get(0);
        isPasswordVariable(expression).filter(str -> {
            return isNotExcludedString(expressionTree) && !isPasswordLikeName(expressionTree);
        }).ifPresent(str2 -> {
            report(expression, str2);
        });
        isPasswordVariable(expressionTree).filter(str3 -> {
            return isNotExcludedString(expression) && !isPasswordLikeName(expression);
        }).ifPresent(str4 -> {
            report(expressionTree, str4);
        });
    }

    private void handleGetConnectionMethod(MethodInvocationTree methodInvocationTree) {
        if (methodInvocationTree.arguments().size() > GET_CONNECTION_PASSWORD_ARGUMENT) {
            ExpressionTree expressionTree = (ExpressionTree) methodInvocationTree.arguments().get(GET_CONNECTION_PASSWORD_ARGUMENT);
            if (isNotExcludedString(expressionTree)) {
                reportIssue(expressionTree, "Remove this hard-coded password.");
            }
        }
    }

    private void report(Tree tree, String str) {
        reportIssue(tree, "'" + str + "' detected in this expression, review this potentially hard-coded credential.");
    }
}
