package org.sonar.php.checks;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.ParameterTree;
import org.sonar.plugins.php.api.tree.declaration.VariableDeclarationTree;
import org.sonar.plugins.php.api.tree.expression.ArrayPairTree;
import org.sonar.plugins.php.api.tree.expression.AssignmentExpressionTree;
import org.sonar.plugins.php.api.tree.expression.BinaryExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpandableStringCharactersTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.HeredocStringLiteralTree;
import org.sonar.plugins.php.api.tree.expression.LiteralTree;
import org.sonar.plugins.php.api.tree.expression.VariableIdentifierTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;
import org.sonarsource.analyzer.commons.EntropyDetector;
import org.sonarsource.analyzer.commons.HumanLanguageDetector;

@Rule(key = "S6418")
/* loaded from: input_file:org/sonar/php/checks/HardCodedSecretCheck.class */
public class HardCodedSecretCheck extends PHPVisitorCheck {
    private static final String DEFAULT_SECRET_WORDS = "api[_.-]?key,auth,credential,secret,token";
    private static final String DEFAULT_RANDOMNESS_SENSIBILITY = "5.0";
    private static final double LANGUAGE_SCORE_INCREMENT = 0.3d;
    private static final int MAX_RANDOMNESS_SENSIBILITY = 10;
    private static final int MINIMUM_CREDENTIAL_LENGTH = 17;
    private static final String FIRST_ACCEPTED_CHARACTER = "[\\w.+/~$:&-]";
    private static final String FOLLOWING_ACCEPTED_CHARACTER = "[=\\w.+/~$:&-]";
    private static final Pattern SECRET_PATTERN = Pattern.compile("[\\w.+/~$:&-]([=\\w.+/~$:&-]|\\\\\\\\[=\\w.+/~$:&-])++");
    private static final Pattern IP_PATTERN = Pattern.compile("%s|%s".formatted(HardCodedIpAddressCheck.IP_V4, HardCodedIpAddressCheck.IP_V6));

    @RuleProperty(key = "secretWords", description = "Comma separated list of words identifying potential secrets", defaultValue = DEFAULT_SECRET_WORDS)
    public String secretWords = DEFAULT_SECRET_WORDS;

    @RuleProperty(key = "randomnessSensibility", description = "Allows to tune the Randomness Sensibility (from 0 to 10)", defaultValue = DEFAULT_RANDOMNESS_SENSIBILITY)
    public double randomnessSensibility = Double.parseDouble(DEFAULT_RANDOMNESS_SENSIBILITY);
    private List<Pattern> variablePatterns;
    private List<Pattern> literalPatterns;
    private EntropyDetector entropyDetector;
    private double maxLanguageScore;

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitVariableDeclaration(VariableDeclarationTree variableDeclarationTree) {
        ExpressionTree initValue = variableDeclarationTree.initValue();
        if (initValue instanceof LiteralTree) {
            LiteralTree literalTree = (LiteralTree) initValue;
            detectSecret(variableDeclarationTree.identifier().text(), CheckUtils.trimQuotes(literalTree.value()), literalTree);
        }
        ExpressionTree initValue2 = variableDeclarationTree.initValue();
        if (initValue2 instanceof HeredocStringLiteralTree) {
            for (ExpandableStringCharactersTree expandableStringCharactersTree : ((HeredocStringLiteralTree) initValue2).strings()) {
                detectSecret(variableDeclarationTree.identifier().text(), expandableStringCharactersTree.value(), expandableStringCharactersTree);
            }
        }
        super.visitVariableDeclaration(variableDeclarationTree);
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        String lowerCaseFunctionName = CheckUtils.getLowerCaseFunctionName(functionCallTree);
        if ("define".equals(lowerCaseFunctionName)) {
            visitDefineFunctionCall(functionCallTree);
        } else if ("strcasecmp".equals(lowerCaseFunctionName) || "strcmp".equals(lowerCaseFunctionName)) {
            visitStringCompareFunctionCall(functionCallTree);
        } else if (functionCallTree.callArguments().size() == 2) {
            visitTwoArgumentsFunctionCall(functionCallTree);
        }
        super.visitFunctionCall(functionCallTree);
    }

    private void visitDefineFunctionCall(FunctionCallTree functionCallTree) {
        Optional<ExpressionTree> filter = CheckUtils.argumentValue(functionCallTree, "constant_name", 0).filter(expressionTree -> {
            return expressionTree.is(Tree.Kind.REGULAR_STRING_LITERAL);
        });
        Class<LiteralTree> cls = LiteralTree.class;
        Objects.requireNonNull(LiteralTree.class);
        filter.map((v1) -> {
            return r1.cast(v1);
        }).ifPresent(literalTree -> {
            Optional<ExpressionTree> filter2 = CheckUtils.argumentValue(functionCallTree, "value", 1).filter(expressionTree2 -> {
                return expressionTree2.is(Tree.Kind.REGULAR_STRING_LITERAL);
            });
            Class<LiteralTree> cls2 = LiteralTree.class;
            Objects.requireNonNull(LiteralTree.class);
            filter2.map((v1) -> {
                return r1.cast(v1);
            }).ifPresent(literalTree -> {
                detectSecret(CheckUtils.trimQuotes(literalTree.value()), CheckUtils.trimQuotes(literalTree.value()), literalTree);
            });
        });
    }

    private void visitStringCompareFunctionCall(FunctionCallTree functionCallTree) {
        Optional<LiteralTree> resolvedArgumentLiteral = CheckUtils.resolvedArgumentLiteral(functionCallTree, "string1", 0);
        Optional<LiteralTree> resolvedArgumentLiteral2 = CheckUtils.resolvedArgumentLiteral(functionCallTree, "string2", 1);
        if (resolvedArgumentLiteral.isPresent() && functionCallTree.callArguments().size() == 2) {
            ExpressionTree value = ((CallArgumentTree) functionCallTree.callArguments().get(1)).value();
            if (value instanceof VariableIdentifierTree) {
                detectSecret(((VariableIdentifierTree) value).text(), resolvedArgumentLiteral.get().value(), resolvedArgumentLiteral.get());
            }
        }
        if (resolvedArgumentLiteral2.isPresent() && functionCallTree.callArguments().size() == 2) {
            ExpressionTree value2 = ((CallArgumentTree) functionCallTree.callArguments().get(0)).value();
            if (value2 instanceof VariableIdentifierTree) {
                detectSecret(((VariableIdentifierTree) value2).text(), resolvedArgumentLiteral2.get().value(), resolvedArgumentLiteral2.get());
            }
        }
    }

    private void visitTwoArgumentsFunctionCall(FunctionCallTree functionCallTree) {
        ExpressionTree value = ((CallArgumentTree) functionCallTree.callArguments().get(0)).value();
        ExpressionTree value2 = ((CallArgumentTree) functionCallTree.callArguments().get(1)).value();
        if (value instanceof LiteralTree) {
            LiteralTree literalTree = (LiteralTree) value;
            if (value2 instanceof LiteralTree) {
                LiteralTree literalTree2 = (LiteralTree) value2;
                detectSecret(literalTree.value(), literalTree2.value(), literalTree2);
                detectSecret(literalTree2.value(), literalTree.value(), literalTree);
            }
        }
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitAssignmentExpression(AssignmentExpressionTree assignmentExpressionTree) {
        ExpressionTree variable = assignmentExpressionTree.variable();
        if (variable instanceof VariableIdentifierTree) {
            VariableIdentifierTree variableIdentifierTree = (VariableIdentifierTree) variable;
            ExpressionTree value = assignmentExpressionTree.value();
            if (value instanceof LiteralTree) {
                LiteralTree literalTree = (LiteralTree) value;
                detectSecret(variableIdentifierTree.text(), literalTree.value(), literalTree);
            }
        }
        super.visitAssignmentExpression(assignmentExpressionTree);
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitParameter(ParameterTree parameterTree) {
        ExpressionTree initValue = parameterTree.initValue();
        if (initValue instanceof LiteralTree) {
            LiteralTree literalTree = (LiteralTree) initValue;
            detectSecret(parameterTree.variableIdentifier().text(), literalTree.value(), literalTree);
        }
        super.visitParameter(parameterTree);
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitArrayPair(ArrayPairTree arrayPairTree) {
        ExpressionTree key = arrayPairTree.key();
        if (key instanceof LiteralTree) {
            LiteralTree literalTree = (LiteralTree) key;
            ExpressionTree value = arrayPairTree.value();
            if (value instanceof LiteralTree) {
                LiteralTree literalTree2 = (LiteralTree) value;
                detectSecret(literalTree.value(), literalTree2.value(), literalTree2);
            }
        }
        super.visitArrayPair(arrayPairTree);
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitBinaryExpression(BinaryExpressionTree binaryExpressionTree) {
        ExpressionTree leftOperand = binaryExpressionTree.leftOperand();
        ExpressionTree rightOperand = binaryExpressionTree.rightOperand();
        if (rightOperand instanceof LiteralTree) {
            LiteralTree literalTree = (LiteralTree) rightOperand;
            if (leftOperand instanceof VariableIdentifierTree) {
                detectSecret(((VariableIdentifierTree) leftOperand).text(), literalTree.value(), rightOperand);
            }
        }
        if (leftOperand instanceof LiteralTree) {
            LiteralTree literalTree2 = (LiteralTree) leftOperand;
            if (rightOperand instanceof VariableIdentifierTree) {
                detectSecret(((VariableIdentifierTree) rightOperand).text(), literalTree2.value(), leftOperand);
            }
        }
        super.visitBinaryExpression(binaryExpressionTree);
    }

    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitLiteral(LiteralTree literalTree) {
        String trimQuotes = CheckUtils.trimQuotes(literalTree.value());
        literalPatterns().map(pattern -> {
            return pattern.matcher(trimQuotes);
        }).filter((v0) -> {
            return v0.find();
        }).filter(matcher -> {
            return !isExcludedLiteral(matcher.group("suffix"));
        }).findAny().ifPresent(matcher2 -> {
            reportIssue(literalTree, matcher2.group(1));
        });
        super.visitLiteral(literalTree);
    }

    private void detectSecret(String str, String str2, Tree tree) {
        String trimQuotes = CheckUtils.trimQuotes(str);
        String trimQuotes2 = CheckUtils.trimQuotes(str2);
        getSecretLikeName(trimQuotes).ifPresent(str3 -> {
            if (isSecret(trimQuotes2)) {
                reportIssue(tree, str3);
            }
        });
    }

    private void reportIssue(Tree tree, String str) {
        newIssue(tree, "'%s' detected in this expression, review this potentially hard-coded secret.".formatted(str));
    }

    private Optional<String> getSecretLikeName(String str) {
        return str.isBlank() ? Optional.empty() : variableSecretPatterns().map(pattern -> {
            return pattern.matcher(str);
        }).filter((v0) -> {
            return v0.find();
        }).map(matcher -> {
            return matcher.group(1);
        }).findAny();
    }

    private Stream<Pattern> variableSecretPatterns() {
        if (this.variablePatterns == null) {
            this.variablePatterns = toPatterns("");
        }
        return this.variablePatterns.stream();
    }

    private Stream<Pattern> literalPatterns() {
        if (this.literalPatterns == null) {
            this.literalPatterns = toPatterns("=\\s*+(?<suffix>[^\\\\ &;#,|]+)");
        }
        return this.literalPatterns.stream();
    }

    private List<Pattern> toPatterns(String str) {
        return Stream.of((Object[]) this.secretWords.split(",")).map((v0) -> {
            return v0.trim();
        }).map(str2 -> {
            return Pattern.compile("(" + str2 + ")" + str, 2);
        }).toList();
    }

    private boolean isSecret(String str) {
        return str.length() >= 17 && SECRET_PATTERN.matcher(str).matches() && isRandom(str) && isNotIpV6(str);
    }

    private boolean isRandom(String str) {
        return entropyDetector().hasEnoughEntropy(str) && HumanLanguageDetector.humanLanguageScore(str) < maxLanguageScore();
    }

    private static boolean isNotIpV6(String str) {
        return !IP_PATTERN.matcher(str).matches();
    }

    private static boolean isExcludedLiteral(String str) {
        return !isPotentialCredential(str) || str.startsWith("?") || str.startsWith(":") || str.contains("%s");
    }

    private static boolean isPotentialCredential(String str) {
        return str.trim().length() >= 17;
    }

    private EntropyDetector entropyDetector() {
        if (this.entropyDetector == null) {
            this.entropyDetector = new EntropyDetector(this.randomnessSensibility);
        }
        return this.entropyDetector;
    }

    private double maxLanguageScore() {
        if (this.maxLanguageScore == 0.0d) {
            this.maxLanguageScore = (10.0d - this.randomnessSensibility) * LANGUAGE_SCORE_INCREMENT;
        }
        return this.maxLanguageScore;
    }
}
