package org.sonar.php.checks;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.plugins.php.api.symbols.QualifiedName;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.NamespaceNameTree;
import org.sonar.plugins.php.api.tree.declaration.VariableDeclarationTree;
import org.sonar.plugins.php.api.tree.expression.AssignmentExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.LiteralTree;
import org.sonar.plugins.php.api.tree.lexical.SyntaxToken;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

@Rule(key = HardCodedCredentialsCheck.KEY)
/* loaded from: input_file:org/sonar/php/checks/HardCodedCredentialsCheck.class */
public class HardCodedCredentialsCheck extends PHPVisitorCheck {
    public static final String KEY = "S2068";
    private static final String MESSAGE = "'%s' detected in this variable name, review this potentially hardcoded credential.";
    private static final String MESSAGE_ARGUMENTS = "Review this hardcoded credential.";
    private static final String MESSAGE_URI = "detected URI with password, review this potentially hardcoded credential.";
    private static final String DEFAULT_CREDENTIAL_WORDS = "password,passwd,pwd";
    private static final String LITERAL_PATTERN_SUFFIX = "=(?!([\\?:']|%s))..";
    private static final int LITERAL_PATTERN_SUFFIX_LENGTH = LITERAL_PATTERN_SUFFIX.length();
    private static final Map<String, Parameter> CONNECT_FUNCTIONS = initializeConnectFunctionsMap();
    private static final QualifiedName LARAVEL_ENCRYPTER = QualifiedName.qualifiedName("illuminate\\encryption\\encrypter");
    private static final String BIND_PASSWORD = "bind_password";
    private static final String PASSWD = "passwd";
    private static final String PASSWORD = "password";
    private static final String NEWPW = "newpw";
    private static final String ENCRYPTER_KEY = "key";

    @RuleProperty(key = "credentialWords", description = "Comma separated list of words identifying potential credentials", defaultValue = DEFAULT_CREDENTIAL_WORDS)
    public String credentialWords = DEFAULT_CREDENTIAL_WORDS;
    private List<Pattern> variablePatterns = null;
    private List<Pattern> literalPatterns = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/php/checks/HardCodedCredentialsCheck$Parameter.class */
    public static class Parameter {

        @Nullable
        private String name;
        private int position;

        public Parameter(String str, int i) {
            this.name = str;
            this.position = i;
        }
    }

    private static Map<String, Parameter> initializeConnectFunctionsMap() {
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        treeMap.put("ldap_bind", new Parameter(BIND_PASSWORD, 2));
        treeMap.put("pdo", new Parameter(PASSWD, 2));
        treeMap.put("mysqli", new Parameter(PASSWD, 2));
        treeMap.put("mysqli_connect", new Parameter(PASSWD, 2));
        treeMap.put("mysql_connect", new Parameter(PASSWORD, 2));
        treeMap.put("oci_connect", new Parameter(PASSWORD, 1));
        treeMap.put("ldap_exop_passwd", new Parameter(NEWPW, 3));
        treeMap.put("mssql_connect", new Parameter(PASSWORD, 2));
        treeMap.put("odbc_connect", new Parameter(PASSWORD, 2));
        treeMap.put("db2_connect", new Parameter(PASSWORD, 2));
        treeMap.put("cubrid_connect", new Parameter(PASSWD, 4));
        treeMap.put("maxdb_connect", new Parameter(PASSWD, 2));
        treeMap.put("maxdb_change_user", new Parameter(PASSWORD, 2));
        treeMap.put("imap_open", new Parameter(PASSWORD, 2));
        treeMap.put("ifx_connect", new Parameter(PASSWORD, 2));
        treeMap.put("dbx_connect", new Parameter(PASSWORD, 4));
        treeMap.put("fbsql_pconnect", new Parameter(PASSWORD, 2));
        return treeMap;
    }

    private Stream<Pattern> variablePatterns() {
        if (this.variablePatterns == null) {
            this.variablePatterns = toPatterns("");
        }
        return this.variablePatterns.stream();
    }

    private Stream<Pattern> literalPatterns() {
        if (this.literalPatterns == null) {
            this.literalPatterns = toPatterns(LITERAL_PATTERN_SUFFIX);
        }
        return this.literalPatterns.stream();
    }

    private List<Pattern> toPatterns(String str) {
        return (List) Stream.of((Object[]) this.credentialWords.split(",")).map((v0) -> {
            return v0.trim();
        }).map(str2 -> {
            return Pattern.compile(str2 + str, 2);
        }).collect(Collectors.toList());
    }

    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        ExpressionTree callee = functionCallTree.callee();
        String obj = callee.toString();
        if (isLaravelEncryptConstructorCall(callee)) {
            checkArgument(functionCallTree, new Parameter(ENCRYPTER_KEY, 0));
        }
        if (CONNECT_FUNCTIONS.containsKey(obj)) {
            checkArgument(functionCallTree, CONNECT_FUNCTIONS.get(obj));
        }
        super.visitFunctionCall(functionCallTree);
    }

    private boolean isLaravelEncryptConstructorCall(ExpressionTree expressionTree) {
        return expressionTree.is(new Tree.Kind[]{Tree.Kind.NAMESPACE_NAME}) && getFullyQualifiedName((NamespaceNameTree) expressionTree).equals(LARAVEL_ENCRYPTER);
    }

    private void checkArgument(FunctionCallTree functionCallTree, Parameter parameter) {
        Optional<CallArgumentTree> argument = CheckUtils.argument(functionCallTree, parameter.name, parameter.position);
        if (argument.isPresent()) {
            LiteralTree value = argument.get().value();
            if (!value.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL}) || isEmptyStringLiteral(value)) {
                return;
            }
            context().newIssue(this, value, MESSAGE_ARGUMENTS);
        }
    }

    public void visitLiteral(LiteralTree literalTree) {
        checkForCredentialQuery(literalTree);
        checkForCredentialUri(literalTree);
        super.visitLiteral(literalTree);
    }

    private void checkForCredentialQuery(LiteralTree literalTree) {
        literalPatterns().filter(pattern -> {
            return pattern.matcher(literalTree.token().text()).find();
        }).findAny().ifPresent(pattern2 -> {
            addIssue(pattern2, literalTree);
        });
    }

    private void checkForCredentialUri(LiteralTree literalTree) {
        try {
            URI uri = new URI(CheckUtils.trimQuotes(literalTree.value()));
            if (uri.getUserInfo() != null) {
                String userInfo = uri.getUserInfo();
                Matcher matcher = Pattern.compile("(\\S+):(\\S+)").matcher(userInfo);
                if (!matcher.find() || matcher.group(1).equals(matcher.group(2)) || userInfo.equals("user:password") || userInfo.equals("username:password")) {
                    return;
                }
                context().newIssue(this, literalTree, MESSAGE_URI);
            }
        } catch (URISyntaxException e) {
        }
    }

    public void visitVariableDeclaration(VariableDeclarationTree variableDeclarationTree) {
        checkVariable(variableDeclarationTree.identifier().token(), variableDeclarationTree.initValue());
        super.visitVariableDeclaration(variableDeclarationTree);
    }

    public void visitAssignmentExpression(AssignmentExpressionTree assignmentExpressionTree) {
        checkVariable(assignmentExpressionTree.variable().getLastToken(), assignmentExpressionTree.value());
        super.visitAssignmentExpression(assignmentExpressionTree);
    }

    private void checkVariable(SyntaxToken syntaxToken, @Nullable Tree tree) {
        if (tree == null || !tree.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL}) || isEmptyStringLiteral((LiteralTree) tree)) {
            return;
        }
        variablePatterns().filter(pattern -> {
            return pattern.matcher(syntaxToken.text()).find();
        }).findAny().ifPresent(pattern2 -> {
            checkAssignedValue(pattern2, syntaxToken, tree);
        });
    }

    private void checkAssignedValue(Pattern pattern, SyntaxToken syntaxToken, Tree tree) {
        if (pattern.matcher(tree.toString()).find()) {
            return;
        }
        addIssue(pattern, syntaxToken);
    }

    private static boolean isEmptyStringLiteral(LiteralTree literalTree) {
        return literalTree.value().substring(1, literalTree.value().length() - 1).isEmpty();
    }

    private void addIssue(Pattern pattern, Tree tree) {
        context().newIssue(this, tree, String.format(MESSAGE, cleanedPattern(pattern.pattern())));
    }

    private static String cleanedPattern(String str) {
        return str.endsWith(LITERAL_PATTERN_SUFFIX) ? str.substring(0, str.length() - LITERAL_PATTERN_SUFFIX_LENGTH) : str;
    }
}
