package org.sonar.java.checks.security;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.sonar.check.Rule;
import org.sonar.java.checks.AbstractHashAlgorithmChecker;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

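@Rule(key = "S5344")
/**
 * Rule S5344: reports weak password storage in three situations.
 *
 * <ul>
 *   <li>A Spring Security {@code PasswordEncoder} from the deny-lists below is instantiated,
 *       or {@code NoOpPasswordEncoder}'s instance accessor is called.</li>
 *   <li>A method calls {@code jdbcAuthentication()} or {@code userDetailsService(...)} on an
 *       {@code AuthenticationManagerBuilder} without also calling {@code passwordEncoder(...)}.</li>
 *   <li>{@code SecretKeyFactory.generateSecret(KeySpec)} is called for a PBKDF2 algorithm with a
 *       constant iteration count below the configured minimum.</li>
 * </ul>
 *
 * <p>Only values that resolve to compile-time constants are evaluated. An algorithm name or
 * iteration count computed at run time produces no issue, so a clean result is not proof that
 * the work factor is adequate.
 */
public class PasswordEncoderCheck extends IssuableSubscriptionVisitor {
    private static final String UNSAFE_ENCODER_MESSAGE = "Use secure \"PasswordEncoder\" implementation.";
    private static final String DEFAULT_ENCODER_MESSAGE = "Don't use the default \"PasswordEncoder\" relying on plain-text.";
    private static final String JAVAX_CRYPTO_MESSAGE_FORMAT = "Use at least %d PBKDF2 iterations.";

    private static final String AUTHENTICATION_MANAGER_BUILDER =
        "org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder";

    /**
     * Minimum PBKDF2 iteration count per PRF. Keys are matched case-insensitively, see
     * {@link #minimumIterationsFor(String)}.
     * NOTE(review): the figures look like the OWASP Password Storage Cheat Sheet
     * recommendations; confirm the source and revisit them when that guidance changes.
     */
    private static final Map<String, Integer> MIN_ITERATIONS_BY_ALGORITHM = Map.of(
        "PBKDF2withHmacSHA1", 1300000,
        "PBKDF2withHmacSHA256", 600000,
        "PBKDF2withHmacSHA512", 210000);

    private static final MethodMatchers JDBC_AUTHENTICATION = MethodMatchers.create()
        .ofSubTypes(AUTHENTICATION_MANAGER_BUILDER)
        .names("jdbcAuthentication")
        .addWithoutParametersMatcher()
        .build();

    private static final MethodMatchers USER_DETAIL_SERVICE = MethodMatchers.create()
        .ofSubTypes(AUTHENTICATION_MANAGER_BUILDER)
        .names("userDetailsService")
        .withAnyParameters()
        .build();

    private static final MethodMatchers PASSWORD_ENCODER_SETTER = MethodMatchers.create()
        .ofSubTypes("org.springframework.security.config.annotation.authentication.configurers.userdetails.AbstractDaoAuthenticationConfigurer")
        .names("passwordEncoder")
        .withAnyParameters()
        .build();

    // Every constructor of these types is reported, whatever arguments it receives.
    // NOTE(review): scrypt is generally regarded as an acceptable password-hashing function,
    // unlike the digest-based encoders listed with it; confirm SCryptPasswordEncoder is listed
    // on purpose, because flagging it unconditionally can steer users away from a sound choice.
    private static final MethodMatchers UNSAFE_PASSWORD_ENCODER_CONSTRUCTORS = MethodMatchers.create()
        .ofTypes(
            "org.springframework.security.authentication.encoding.ShaPasswordEncoder",
            "org.springframework.security.authentication.encoding.Md5PasswordEncoder",
            "org.springframework.security.crypto.password.LdapShaPasswordEncoder",
            "org.springframework.security.crypto.password.Md4PasswordEncoder",
            "org.springframework.security.crypto.password.MessageDigestPasswordEncoder",
            "org.springframework.security.crypto.password.StandardPasswordEncoder",
            "org.springframework.security.crypto.scrypt.SCryptPasswordEncoder")
        .constructor()
        .withAnyParameters()
        .build();

    private static final MethodMatchers UNSAFE_PASSWORD_ENCODER_METHODS = MethodMatchers.create()
        .ofTypes("org.springframework.security.crypto.password.NoOpPasswordEncoder")
        .names(AbstractHashAlgorithmChecker.GET_INSTANCE)
        .addWithoutParametersMatcher()
        .build();

    private static final MethodMatchers SECRET_KEY_FACTORY_GENERATE_SECRET_METHOD = MethodMatchers.create()
        .ofTypes("javax.crypto.SecretKeyFactory")
        .names("generateSecret")
        .addParametersMatcher("java.security.spec.KeySpec")
        .build();

    private static final MethodMatchers SECRET_KEY_FACTORY_GET_INSTANCE_METHOD = MethodMatchers.create()
        .ofTypes("javax.crypto.SecretKeyFactory")
        .names(AbstractHashAlgorithmChecker.GET_INSTANCE)
        .addParametersMatcher("java.lang.String")
        .build();

    // Only the PBEKeySpec constructors that take an iteration count (third argument) are matched.
    private static final MethodMatchers PBE_KEY_SPEC_CONSTRUCTOR = MethodMatchers.create()
        .ofTypes("javax.crypto.spec.PBEKeySpec")
        .constructor()
        .addParametersMatcher("char[]", "byte[]", "int")
        .addParametersMatcher("char[]", "byte[]", "int", "int")
        .build();

    /**
     * A resolved constant together with the two places worth showing to the user.
     *
     * <p>The decompiler notes that this type is private in the compiled class; the widened
     * modifier shown in the listing is kept.
     *
     * @param expression the expression as written at the use site
     * @param initializerExpression the initializer of the variable {@code expression} refers to,
     *     or {@code expression} itself when it is not a variable with an initializer
     * @param value the constant the expression evaluates to
     * @param <T> type of the constant
     */
    public record ExpressionsAndValue<T>(ExpressionTree expression, ExpressionTree initializerExpression, T value) {
    }

    /**
     * Walks one method body and records whether it configures authentication and whether it
     * sets a password encoder.
     */
    static class MethodInvocationVisitor extends BaseTreeVisitor {
        private boolean hasAuthentication;
        private boolean setsPasswordEncoder;
        // Last matching authentication call seen; this is where the issue is reported.
        private MethodInvocationTree tree;

        MethodInvocationVisitor() {
        }

        @Override
        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            if (JDBC_AUTHENTICATION.matches(methodInvocationTree) || USER_DETAIL_SERVICE.matches(methodInvocationTree)) {
                this.hasAuthentication = true;
                this.tree = methodInvocationTree;
            }
            if (PASSWORD_ENCODER_SETTER.matches(methodInvocationTree)) {
                this.setsPasswordEncoder = true;
            }
            // Keep descending so chained and nested calls are inspected too.
            super.visitMethodInvocation(methodInvocationTree);
        }
    }

    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.METHOD, Tree.Kind.NEW_CLASS, Tree.Kind.METHOD_INVOCATION);
    }

    /**
     * Dispatches a visited node to the matching sub-check.
     *
     * @param tree a node of one of the kinds returned by {@link #nodesToVisit()}
     */
    @Override
    public void visitNode(Tree tree) {
        if (tree instanceof NewClassTree newClassTree && UNSAFE_PASSWORD_ENCODER_CONSTRUCTORS.matches(newClassTree)) {
            reportIssue(newClassTree.identifier(), UNSAFE_ENCODER_MESSAGE);
            return;
        }
        if (tree instanceof MethodInvocationTree invocation) {
            if (UNSAFE_PASSWORD_ENCODER_METHODS.matches(invocation)) {
                reportIssue(ExpressionUtils.methodName(invocation), UNSAFE_ENCODER_MESSAGE);
                return;
            }
            if (SECRET_KEY_FACTORY_GENERATE_SECRET_METHOD.matches(invocation)) {
                checkJavaxCrypto(invocation);
                return;
            }
        }
        if (tree.is(Tree.Kind.METHOD)) {
            MethodInvocationVisitor visitor = new MethodInvocationVisitor();
            tree.accept(visitor);
            // The encoder must be set in the same method as the authentication call; a setter
            // invoked from another method is not seen by this visitor.
            if (visitor.hasAuthentication && !visitor.setsPasswordEncoder) {
                reportIssue(visitor.tree, DEFAULT_ENCODER_MESSAGE);
            }
        }
    }

    /**
     * Reports a {@code generateSecret} call whose PBKDF2 iteration count is a known constant
     * below the minimum for the algorithm.
     *
     * <p>Nothing is reported when the receiver is not a member select, when the algorithm or
     * the iteration count is not a resolvable constant, or when the algorithm has no configured
     * minimum.
     *
     * @param methodInvocationTree a call matched by {@code SECRET_KEY_FACTORY_GENERATE_SECRET_METHOD}
     */
    private void checkJavaxCrypto(MethodInvocationTree methodInvocationTree) {
        Optional<ExpressionsAndValue<String>> algorithm = Optional.of(methodInvocationTree.methodSelect())
            .filter(select -> select.is(Tree.Kind.MEMBER_SELECT))
            .map(MemberSelectExpressionTree.class::cast)
            .map(MemberSelectExpressionTree::expression)
            .flatMap(PasswordEncoderCheck::extractAlgorithm);
        if (algorithm.isEmpty()) {
            return;
        }
        Optional<Integer> minimum = minimumIterationsFor(algorithm.get().value());
        if (minimum.isEmpty()) {
            return;
        }
        Optional<ExpressionsAndValue<Integer>> iterations = extractIterationCount(methodInvocationTree.arguments().get(0));
        if (iterations.isEmpty() || iterations.get().value() >= minimum.get()) {
            return;
        }
        ExpressionTree countExpression = iterations.get().expression();
        ExpressionTree countInitializer = iterations.get().initializerExpression();

        List<JavaFileScannerContext.Location> secondaryLocations = new ArrayList<>();
        secondaryLocations.add(new JavaFileScannerContext.Location("", algorithm.get().initializerExpression()));
        // Add the initializer only when it is a different location from the primary one.
        if (!Objects.equals(countInitializer.firstToken(), countExpression.firstToken())) {
            secondaryLocations.add(new JavaFileScannerContext.Location("", countInitializer));
        }
        reportIssue(countExpression, JAVAX_CRYPTO_MESSAGE_FORMAT.formatted(minimum.get()), secondaryLocations, null);
    }

    /**
     * Looks up the minimum iteration count for an algorithm name, ignoring case.
     *
     * <p>JCA resolves algorithm names case-insensitively, so the standard spelling
     * {@code PBKDF2WithHmacSHA256} selects the same algorithm as the lower-case-w keys of
     * {@code MIN_ITERATIONS_BY_ALGORITHM}. An exact-match lookup would leave that spelling
     * unchecked.
     *
     * @param algorithm constant passed to {@code SecretKeyFactory.getInstance}
     * @return the configured minimum, or empty when the algorithm is not covered
     */
    private static Optional<Integer> minimumIterationsFor(String algorithm) {
        return MIN_ITERATIONS_BY_ALGORITHM.entrySet().stream()
            .filter(entry -> entry.getKey().equalsIgnoreCase(algorithm))
            .map(Map.Entry::getValue)
            .findFirst();
    }

    /**
     * Resolves the constant iteration count of the {@code PBEKeySpec} passed to
     * {@code generateSecret}.
     *
     * @param expressionTree the key-spec argument: a {@code new PBEKeySpec(...)} expression or
     *     an identifier whose declaration initializes it with one
     * @return the third constructor argument and its constant value, or empty when the argument
     *     is not such a constructor call or the count is not a constant {@code Integer}
     */
    private static Optional<ExpressionsAndValue<Integer>> extractIterationCount(ExpressionTree expressionTree) {
        return getInitializerIfExpressionIsVariableIdentifier(expressionTree)
            .or(() -> Optional.of(expressionTree))
            .filter(candidate -> candidate.is(Tree.Kind.NEW_CLASS))
            .map(NewClassTree.class::cast)
            .filter(PBE_KEY_SPEC_CONSTRUCTOR::matches)
            .map(newClassTree -> newClassTree.arguments().get(2))
            .flatMap(count -> getValueIfExpressionIsVariableIdentifier(count, Integer.class));
    }

    /**
     * Resolves the constant algorithm name the {@code SecretKeyFactory} was created with.
     *
     * @param expressionTree the receiver of {@code generateSecret}: a
     *     {@code SecretKeyFactory.getInstance(String)} call or an identifier whose declaration
     *     initializes it with one
     * @return the first {@code getInstance} argument and its constant value, or empty when the
     *     receiver is not such a call or the name is not a constant {@code String}
     */
    private static Optional<ExpressionsAndValue<String>> extractAlgorithm(ExpressionTree expressionTree) {
        return getInitializerIfExpressionIsVariableIdentifier(expressionTree)
            .or(() -> Optional.of(expressionTree))
            .filter(candidate -> candidate.is(Tree.Kind.METHOD_INVOCATION))
            .map(MethodInvocationTree.class::cast)
            .filter(SECRET_KEY_FACTORY_GET_INSTANCE_METHOD::matches)
            .map(getInstanceCall -> getInstanceCall.arguments().get(0))
            .flatMap(name -> getValueIfExpressionIsVariableIdentifier(name, String.class));
    }

    /**
     * Evaluates an expression to a constant, preferring the initializer of the variable it
     * names and falling back to the expression itself.
     *
     * <p>The decompiler notes that this method is private in the compiled class; the widened
     * modifier shown in the listing is kept.
     *
     * @param expressionTree expression to evaluate
     * @param cls expected type of the constant
     * @param <T> type of the constant
     * @return the expression, the location of the value and the value, or empty when neither
     *     the initializer nor the expression is a constant of type {@code cls}
     */
    public static <T> Optional<ExpressionsAndValue<T>> getValueIfExpressionIsVariableIdentifier(ExpressionTree expressionTree, Class<T> cls) {
        return getInitializerIfExpressionIsVariableIdentifier(expressionTree)
            .flatMap(initializer -> initializer.asConstant(cls)
                .map(constant -> new ExpressionsAndValue<T>(expressionTree, initializer, constant)))
            .or(() -> expressionTree.asConstant(cls)
                .map(constant -> new ExpressionsAndValue<T>(expressionTree, expressionTree, constant)));
    }

    /**
     * Returns the initializer of the variable an identifier refers to.
     *
     * @param expressionTree any expression
     * @return the initializer, or empty when the expression is not an identifier, its symbol
     *     has no declaration in the analyzed code, the declaration is not a variable, or the
     *     variable has no initializer
     */
    private static Optional<ExpressionTree> getInitializerIfExpressionIsVariableIdentifier(ExpressionTree expressionTree) {
        // Optional.map turns a null declaration or a null initializer into an empty result.
        return Optional.of(expressionTree)
            .filter(candidate -> candidate.is(Tree.Kind.IDENTIFIER))
            .map(IdentifierTree.class::cast)
            .map(IdentifierTree::symbol)
            .map(symbol -> symbol.declaration())
            .filter(declaration -> declaration.is(Tree.Kind.VARIABLE))
            .map(VariableTree.class::cast)
            .map(VariableTree::initializer);
    }
}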
