package org.sonar.java.checks.security;

import java.util.Arrays;
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;

/**
 * Rule S5344: reports Spring Security password handling that does not protect stored credentials.
 *
 * <p>Two situations are reported:
 * <ul>
 *   <li>a {@code new} expression that constructs one of the encoders listed in
 *       {@link #UNSAFE_PASSWORD_ENCODERS};</li>
 *   <li>a method that calls {@code jdbcAuthentication()} or {@code userDetailsService(...)} on an
 *       {@code AuthenticationManagerBuilder} without also calling {@code passwordEncoder(...)}
 *       anywhere in the same method.</li>
 * </ul>
 *
 * <p>Limits worth knowing when triaging findings: the second check is scoped to a single method
 * body, so an encoder configured in a different method is not seen, and one
 * {@code passwordEncoder(...)} call silences the finding for every authentication call in that
 * method. The rule only runs when semantic information is available.
 */
@Rule(key = "S5344")
public class PasswordEncoderCheck extends IssuableSubscriptionVisitor {
    private static final String AUTHENTICATION_MANAGER_BUILDER =
        "org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder";

    /** {@code AuthenticationManagerBuilder#jdbcAuthentication()} (no arguments). */
    private static final MethodMatchers JDBC_AUTHENTICATION = MethodMatchers.create()
        .ofSubTypes(AUTHENTICATION_MANAGER_BUILDER)
        .names("jdbcAuthentication")
        .addWithoutParametersMatcher()
        .build();

    /** {@code AuthenticationManagerBuilder#userDetailsService(...)} with any arguments. */
    private static final MethodMatchers USER_DETAIL_SERVICE = MethodMatchers.create()
        .ofSubTypes(AUTHENTICATION_MANAGER_BUILDER)
        .names("userDetailsService")
        .withAnyParameters()
        .build();

    /** {@code passwordEncoder(...)} on any {@code AbstractDaoAuthenticationConfigurer} subtype. */
    private static final MethodMatchers PASSWORD_ENCODER_SETTER = MethodMatchers.create()
        .ofSubTypes("org.springframework.security.config.annotation.authentication.configurers.userdetails.AbstractDaoAuthenticationConfigurer")
        .names("passwordEncoder")
        .withAnyParameters()
        .build();

    /**
     * Constructors of encoder classes the rule treats as unsafe for password storage.
     *
     * <p>Only constructor calls are matched, so an encoder obtained through a static factory
     * method is not covered by this matcher.
     *
     * <p>NOTE(review): the last entry names {@code SCryptPasswordEncoder} under the
     * {@code crypto.password} package. Spring Security appears to ship that class under
     * {@code crypto.scrypt}, and scrypt is a memory-hard function rather than a fast digest, so
     * this entry may never match or may be unintended. Confirm against the rule specification
     * before relying on it.
     */
    private static final MethodMatchers UNSAFE_PASSWORD_ENCODERS = MethodMatchers.create()
        .ofTypes(
            "org.springframework.security.authentication.encoding.ShaPasswordEncoder",
            "org.springframework.security.authentication.encoding.Md5PasswordEncoder",
            "org.springframework.security.crypto.password.LdapShaPasswordEncoder",
            "org.springframework.security.crypto.password.Md4PasswordEncoder",
            "org.springframework.security.crypto.password.MessageDigestPasswordEncoder",
            "org.springframework.security.crypto.password.NoOpPasswordEncoder",
            "org.springframework.security.crypto.password.StandardPasswordEncoder",
            "org.springframework.security.crypto.password.SCryptPasswordEncoder")
        .constructor()
        .withAnyParameters()
        .build();

    /**
     * Walks one method body and records whether it configures authentication and whether it sets
     * a password encoder.
     */
    static class MethodInvocationVisitor extends BaseTreeVisitor {
        // True once a jdbcAuthentication()/userDetailsService(...) call has been seen.
        private boolean hasAuthentication;
        // True once a passwordEncoder(...) call has been seen anywhere in the visited tree.
        private boolean setsPasswordEncoder;
        // Most recently visited authentication call; used as the issue location.
        private MethodInvocationTree tree;

        MethodInvocationVisitor() {
        }

        /**
         * Classifies the invocation, then continues into its children so chained and nested
         * calls are inspected as well.
         *
         * @param methodInvocationTree the invocation being visited
         */
        @Override
        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            boolean configuresAuthentication = PasswordEncoderCheck.JDBC_AUTHENTICATION.matches(methodInvocationTree)
                || PasswordEncoderCheck.USER_DETAIL_SERVICE.matches(methodInvocationTree);
            if (configuresAuthentication) {
                this.hasAuthentication = true;
                // A later match overwrites an earlier one, so only one location is kept per method.
                this.tree = methodInvocationTree;
            }
            if (PasswordEncoderCheck.PASSWORD_ENCODER_SETTER.matches(methodInvocationTree)) {
                this.setsPasswordEncoder = true;
            }
            super.visitMethodInvocation(methodInvocationTree);
        }
    }

    /**
     * Subscribes to method declarations and object creations.
     *
     * @return the node kinds this check wants to receive
     */
    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.METHOD, Tree.Kind.NEW_CLASS);
    }

    /**
     * Reports unsafe encoder constructions and authentication setups that leave the encoder unset.
     *
     * @param tree a {@code METHOD} or {@code NEW_CLASS} node
     */
    @Override
    public void visitNode(Tree tree) {
        // The matchers resolve types, so nothing can be decided without semantic information.
        if (!hasSemantic()) {
            return;
        }

        if (tree.is(Tree.Kind.NEW_CLASS) && UNSAFE_PASSWORD_ENCODERS.matches((NewClassTree) tree)) {
            reportIssue(((NewClassTree) tree).identifier(), "Use secure \"PasswordEncoder\" implementation.");
            return;
        }

        if (!tree.is(Tree.Kind.METHOD)) {
            return;
        }

        MethodInvocationVisitor invocations = new MethodInvocationVisitor();
        tree.accept(invocations);
        // Authentication configured but no encoder set in this method: the default is in effect.
        if (invocations.hasAuthentication && !invocations.setsPasswordEncoder) {
            reportIssue(invocations.tree, "Don't use the default \"PasswordEncoder\" relying on plain-text.");
        }
    }
}
