package org.sonar.php.checks;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.php.tree.visitors.AssignmentExpressionVisitor;
import org.sonar.plugins.php.api.tree.CompilationUnitTree;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.NamespaceNameTree;
import org.sonar.plugins.php.api.tree.expression.ArrayInitializerTree;
import org.sonar.plugins.php.api.tree.expression.BinaryExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

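/**
 * Reports PHP code that explicitly selects a weak SSL/TLS protocol version (rule S4423).
 *
 * <p>Three call shapes are inspected:
 * <ul>
 *   <li>{@code stream_context_create($options)}: the {@code crypto_method} entry nested under the
 *       SSL entry of the options array;</li>
 *   <li>{@code stream_socket_enable_crypto(..., ..., $crypto_type)}: the third argument;</li>
 *   <li>{@code curl_setopt(..., CURLOPT_SSLVERSION, $value)}: the third argument.</li>
 * </ul>
 *
 * <p>Detection is name-based: an issue is raised only when the inspected expression (or an operand
 * of a bitwise OR, for the stream functions) is a constant whose name appears in one of the lists
 * below. A variable is followed to its assigned value only when the visitor can resolve a unique
 * assignment. Numeric literals and values built any other way are not reported.
 *
 * <p>The class keeps per-file state in {@link #assignmentExpressionVisitor}, which is rebuilt on
 * every {@link #visitCompilationUnit(CompilationUnitTree)}.
 */
@Rule(key = WeakSSLProtocolCheck.KEY)
public class WeakSSLProtocolCheck extends PHPVisitorCheck {
    public static final String KEY = "S4423";
    private static final String CURL_SETOPT = "curl_setopt";
    private static final String CURLOPT_SSLVERSION = "CURLOPT_SSLVERSION";
    private static final String MESSAGE = "Change this code to use a stronger protocol.";
    private static final String STREAM_CONTEXT_CREATE = "stream_context_create";
    private static final String STREAM_SOCKET_ENABLE_CRYPTO = "stream_socket_enable_crypto";

    // Weak crypto-method constants, keyed by the (lower-case) function they are checked for.
    // NOTE(review): the stream_context_create list does not contain the SSLv2/SSLv3/SSLv23/TLS
    // constants that the stream_socket_enable_crypto list flags; confirm the asymmetry is intended.
    private static final Map<String, List<String>> STREAM_WEAK_PROTOCOLS = ImmutableMap.of(
        STREAM_CONTEXT_CREATE, Arrays.asList(
            "STREAM_CRYPTO_METHOD_ANY_CLIENT",
            "STREAM_CRYPTO_METHOD_ANY_SERVER",
            "STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT",
            "STREAM_CRYPTO_METHOD_TLSv1_0_SERVER",
            "STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT",
            "STREAM_CRYPTO_METHOD_TLSv1_1_SERVER"),
        STREAM_SOCKET_ENABLE_CRYPTO, Arrays.asList(
            "STREAM_CRYPTO_METHOD_SSLv2_CLIENT",
            "STREAM_CRYPTO_METHOD_SSLv3_CLIENT",
            "STREAM_CRYPTO_METHOD_SSLv23_CLIENT",
            "STREAM_CRYPTO_METHOD_ANY_CLIENT",
            "STREAM_CRYPTO_METHOD_TLS_CLIENT",
            "STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT",
            "STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT",
            "STREAM_CRYPTO_METHOD_SSLv2_SERVER",
            "STREAM_CRYPTO_METHOD_SSLv3_SERVER",
            "STREAM_CRYPTO_METHOD_SSLv23_SERVER",
            "STREAM_CRYPTO_METHOD_ANY_SERVER",
            "STREAM_CRYPTO_METHOD_TLS_SERVER",
            "STREAM_CRYPTO_METHOD_TLSv1_0_SERVER",
            "STREAM_CRYPTO_METHOD_TLSv1_1_SERVER"));

    // Values of CURLOPT_SSLVERSION that are reported.
    private static final List<String> CURL_WEAK_PROTOCOLS = ImmutableList.of(
        "CURL_SSLVERSION_TLSv1",
        "CURL_SSLVERSION_SSLv2",
        "CURL_SSLVERSION_SSLv3",
        "CURL_SSLVERSION_TLSv1_0",
        "CURL_SSLVERSION_TLSv1_1");

    // Rebuilt for each compilation unit; used to follow a variable to its assigned value.
    private AssignmentExpressionVisitor assignmentExpressionVisitor;

    /**
     * Collects the assignments of the file before the regular visit, so that variables passed to
     * the inspected functions can be resolved while visiting the calls.
     */
    @Override
    public void visitCompilationUnit(CompilationUnitTree compilationUnitTree) {
        this.assignmentExpressionVisitor = new AssignmentExpressionVisitor(context().symbolTable());
        compilationUnitTree.accept(this.assignmentExpressionVisitor);
        super.visitCompilationUnit(compilationUnitTree);
    }

    /**
     * Dispatches on the lower-cased function name and inspects the protocol-selecting argument of
     * the three supported functions, then continues the visit into the call's children.
     */
    @Override
    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        String functionName = CheckUtils.getLowerCaseFunctionName(functionCallTree);
        if (STREAM_CONTEXT_CREATE.equals(functionName)) {
            CheckUtils.argument(functionCallTree, "options", 0)
                .ifPresent(options -> checkStreamSSLConfig(options.value()));
        }
        if (STREAM_SOCKET_ENABLE_CRYPTO.equals(functionName)) {
            CheckUtils.argument(functionCallTree, "crypto_type", 2)
                .ifPresent(cryptoType ->
                    checkStreamWeakProtocol(getAssignedValue(cryptoType.value()), STREAM_SOCKET_ENABLE_CRYPTO));
        }
        if (CURL_SETOPT.equals(functionName)) {
            checkCurlSetopt(functionCallTree);
        }
        super.visitFunctionCall(functionCallTree);
    }

    /**
     * Inspects a {@code curl_setopt} call: the value argument is checked only when the option
     * argument is literally the constant {@code CURLOPT_SSLVERSION}. The option argument itself is
     * not resolved through variables.
     */
    private void checkCurlSetopt(FunctionCallTree functionCallTree) {
        Optional<CallArgumentTree> option = CheckUtils.argument(functionCallTree, "option", 1);
        Optional<CallArgumentTree> value = CheckUtils.argument(functionCallTree, "value", 2);
        if (!option.isPresent() || !value.isPresent()) {
            return;
        }
        // Test the kind before casting: the option may be any expression, not only a constant name.
        ExpressionTree optionExpression = option.get().value();
        if (optionExpression.is(Tree.Kind.NAMESPACE_NAME)
            && CURLOPT_SSLVERSION.equals(((NamespaceNameTree) optionExpression).name().text())) {
            checkCURLWeakProtocol(getAssignedValue(value.get().value()));
        }
    }

    /**
     * Looks up the {@code crypto_method} entry nested under the SSL entry of a stream context
     * options array and checks it against the {@code stream_context_create} list.
     *
     * @param expressionTree the options argument; a variable is resolved to its assigned value
     */
    private void checkStreamSSLConfig(ExpressionTree expressionTree) {
        ExpressionTree options = getAssignedValue(expressionTree);
        if (!isArrayInitializer(options)) {
            return;
        }
        // NOTE(review): PHP documents the context wrapper key as lower-case "ssl"; whether "SSL"
        // matches it depends on how CheckUtils.isStringLiteralWithValue compares - confirm.
        getProperty((ArrayInitializerTree) options, "SSL")
            .flatMap(sslOptions -> isArrayInitializer(sslOptions)
                ? getProperty((ArrayInitializerTree) sslOptions, "crypto_method")
                : Optional.<ExpressionTree>empty())
            .ifPresent(cryptoMethod -> checkStreamWeakProtocol(cryptoMethod, STREAM_CONTEXT_CREATE));
    }

    /** Returns whether the expression is an array literal, in bracket or {@code array()} form. */
    private static boolean isArrayInitializer(ExpressionTree expressionTree) {
        return expressionTree.is(Tree.Kind.ARRAY_INITIALIZER_BRACKET, Tree.Kind.ARRAY_INITIALIZER_FUNCTION);
    }

    /**
     * Raises an issue on every constant in the expression that is listed as weak for the given
     * function. A bitwise-OR expression is split into its operands, so each weak flag of a
     * combined value is reported separately.
     *
     * @param expressionTree the crypto method expression
     * @param str key into {@link #STREAM_WEAK_PROTOCOLS}; nothing is reported for an unknown key
     */
    private void checkStreamWeakProtocol(ExpressionTree expressionTree, String str) {
        List<String> weakProtocols = STREAM_WEAK_PROTOCOLS.get(str);
        if (weakProtocols == null) {
            return;
        }
        Stream<ExpressionTree> operands = expressionTree.is(Tree.Kind.BITWISE_OR)
            ? getOperands((BinaryExpressionTree) expressionTree)
            : Stream.of(expressionTree);
        operands
            .filter(operand -> operand.is(Tree.Kind.NAMESPACE_NAME))
            .map(operand -> (NamespaceNameTree) operand)
            .filter(constant -> weakProtocols.contains(constant.name().text()))
            .forEach(constant -> context().newIssue(this, constant, MESSAGE));
    }

    /**
     * Raises an issue when the expression is one of the constants in {@link #CURL_WEAK_PROTOCOLS}.
     * Only constant names are matched; a numeric literal passed as the value is not reported.
     */
    private void checkCURLWeakProtocol(ExpressionTree expressionTree) {
        if (!expressionTree.is(Tree.Kind.NAMESPACE_NAME)) {
            return;
        }
        NamespaceNameTree constant = (NamespaceNameTree) expressionTree;
        if (CURL_WEAK_PROTOCOLS.contains(constant.name().text())) {
            context().newIssue(this, constant, MESSAGE);
        }
    }

    /**
     * Flattens a left-nested chain of bitwise-OR expressions into its operands. For
     * {@code a | b | c} the result is {@code c, a, b}: the right operand first, then the operands
     * of the nested left expression. A bitwise OR in the right operand is not expanded.
     */
    private static Stream<ExpressionTree> getOperands(BinaryExpressionTree binaryExpressionTree) {
        ExpressionTree left = binaryExpressionTree.leftOperand();
        ExpressionTree right = binaryExpressionTree.rightOperand();
        if (left.is(Tree.Kind.BITWISE_OR)) {
            return Stream.concat(Stream.of(right), getOperands((BinaryExpressionTree) left));
        }
        return Stream.of(left, right);
    }

    /**
     * Returns the value of the first array entry whose key is a string literal matching
     * {@code str} (as decided by {@code CheckUtils.isStringLiteralWithValue}), with a variable
     * value resolved to its assigned value.
     */
    private Optional<ExpressionTree> getProperty(ArrayInitializerTree arrayInitializerTree, String str) {
        return arrayInitializerTree.arrayPairs().stream()
            .filter(pair -> CheckUtils.isStringLiteralWithValue(pair.key(), str))
            .map(pair -> getAssignedValue(pair.value()))
            .findFirst();
    }

    /**
     * Resolves a variable to the value assigned to it when the assignment visitor reports a unique
     * one; any other expression, or an unresolved variable, is returned unchanged.
     */
    private ExpressionTree getAssignedValue(ExpressionTree expressionTree) {
        if (!expressionTree.is(Tree.Kind.VARIABLE_IDENTIFIER)) {
            return expressionTree;
        }
        return this.assignmentExpressionVisitor
            .getUniqueAssignedValue(context().symbolTable().getSymbol(expressionTree))
            .orElse(expressionTree);
    }
}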
