package org.sonar.python.checks;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.PythonVersionUtils;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.BinaryExpression;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.CompoundAssignmentStatement;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.ExpressionList;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.types.v2.PythonType;
import org.sonar.plugins.python.api.types.v2.TriBool;
import org.sonar.python.checks.cdk.WeakSSLProtocolCheckPart;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.semantic.v2.SymbolV2;
import org.sonar.python.tree.TreeUtils;
import org.sonar.python.types.v2.TypeCheckBuilder;

@Rule(key = "S4423")
/* loaded from: input_file:org/sonar/python/checks/WeakSSLProtocolCheck.class */
public class WeakSSLProtocolCheck extends PythonSubscriptionCheck {
    private static final List<String> WEAK_PROTOCOL_CONSTANTS = Arrays.asList("ssl.PROTOCOL_SSLv2", "ssl.PROTOCOL_SSLv3", "ssl.PROTOCOL_SSLv23", "ssl.PROTOCOL_TLSv1", "ssl.PROTOCOL_TLSv1_1", "OpenSSL.SSL.SSLv2_METHOD", "OpenSSL.SSL.SSLv3_METHOD", "OpenSSL.SSL.SSLv23_METHOD", "OpenSSL.SSL.TLSv1_METHOD", "OpenSSL.SSL.TLSv1_1_METHOD");
    private static final Set<String> SSL_CONTEXT_DEPENDENT_PROTOCOLS = Set.of("ssl.PROTOCOL_TLS_CLIENT", "ssl.PROTOCOL_TLS_SERVER", "ssl.PROTOCOL_TLS");
    private static final Set<String> OPENSSL_DEFAULT_TLS_METHODS = Set.of("OpenSSL.SSL.TLS_METHOD", "OpenSSL.SSL.TLS_SERVER_METHOD", "OpenSSL.SSL.TLS_CLIENT_METHOD");
    private static final Set<String> SAFE_VERSION_NAMES = Set.of("TLSv1_2", "TLSv1_3", "MAXIMUM_SUPPORTED");
    private static final Set<String> REQUIRED_SECURITY_FLAGS = Set.of("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1");
    private static final Set<String> DEFAULT_PURPOSES = Set.of("ssl.Purpose.CLIENT_AUTH", "ssl.Purpose.SERVER_AUTH");
    private static final String WEAK_PROTOCOL_MESSAGE = "Change this code to use a stronger protocol.";
    private static final String WEAK_PROTOCOL_MESSAGE_PYTHON_310 = "Use a stronger protocol, or upgrade to Python 3.10+ which uses secure defaults.";
    private TypeCheckBuilder createDefaultContextTypeCheckBuilder;
    private TypeCheckBuilder sslSSLContextTypeCheckBuilder;
    private TypeCheckBuilder openSSLContextTypeCheckBuilder;

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, subscriptionContext -> {
            this.createDefaultContextTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("ssl.create_default_context");
            this.sslSSLContextTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("ssl.SSLContext");
            this.openSSLContextTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("OpenSSL.SSL.Context");
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.NAME, WeakSSLProtocolCheck::checkName);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
        new WeakSSLProtocolCheckPart().initialize(context);
    }

    private static void checkName(SubscriptionContext subscriptionContext) {
        Name syntaxNode = subscriptionContext.syntaxNode();
        Optional map = Optional.of(syntaxNode).map((v0) -> {
            return v0.symbol();
        }).map((v0) -> {
            return v0.fullyQualifiedName();
        });
        List<String> list = WEAK_PROTOCOL_CONSTANTS;
        Objects.requireNonNull(list);
        map.filter((v1) -> {
            return r1.contains(v1);
        }).ifPresent(str -> {
            subscriptionContext.addIssue(syntaxNode, WEAK_PROTOCOL_MESSAGE);
        });
    }

    private void checkCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        PythonType typeV2 = callExpression.callee().typeV2();
        if (isSslContextWithDefaultProtocols(typeV2, callExpression)) {
            checkSSLContext(subscriptionContext, callExpression);
        } else if (isOpenSSLContextWithDefaultTLSMethods(typeV2, callExpression)) {
            checkOpenSSLContext(subscriptionContext, callExpression);
        }
    }

    private boolean isSslContextWithDefaultProtocols(PythonType pythonType, CallExpression callExpression) {
        return (this.createDefaultContextTypeCheckBuilder.check(pythonType) == TriBool.TRUE && hasDefaultFirstArgument(callExpression, "purpose", DEFAULT_PURPOSES)) || (this.sslSSLContextTypeCheckBuilder.check(pythonType) == TriBool.TRUE && hasDefaultFirstArgument(callExpression, "protocol", SSL_CONTEXT_DEPENDENT_PROTOCOLS));
    }

    private boolean isOpenSSLContextWithDefaultTLSMethods(PythonType pythonType, CallExpression callExpression) {
        return this.openSSLContextTypeCheckBuilder.check(pythonType) == TriBool.TRUE && hasDefaultFirstArgument(callExpression, "method", OPENSSL_DEFAULT_TLS_METHODS);
    }

    private static boolean hasDefaultFirstArgument(CallExpression callExpression, String str, Set<String> set) {
        RegularArgument nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(0, str, callExpression.arguments());
        if (nthArgumentOrKeyword == null) {
            return true;
        }
        Optional of = Optional.of(nthArgumentOrKeyword.expression());
        Class<HasSymbol> cls = HasSymbol.class;
        Objects.requireNonNull(HasSymbol.class);
        Optional filter = of.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<HasSymbol> cls2 = HasSymbol.class;
        Objects.requireNonNull(HasSymbol.class);
        Optional map = filter.map((v1) -> {
            return r1.cast(v1);
        }).map((v0) -> {
            return v0.symbol();
        }).map((v0) -> {
            return v0.fullyQualifiedName();
        });
        Objects.requireNonNull(set);
        return map.filter((v1) -> {
            return r1.contains(v1);
        }).isPresent();
    }

    private static void checkSSLContext(SubscriptionContext subscriptionContext, Tree tree) {
        getContextSymbol(tree).ifPresentOrElse(symbolV2 -> {
            checkSSLContextSymbol(subscriptionContext, symbolV2, tree);
        }, () -> {
            if (isSafePythonVersion(subscriptionContext)) {
                return;
            }
            subscriptionContext.addIssue(tree, WEAK_PROTOCOL_MESSAGE_PYTHON_310);
        });
    }

    private static void checkOpenSSLContext(SubscriptionContext subscriptionContext, Tree tree) {
        getContextSymbol(tree).ifPresentOrElse(symbolV2 -> {
            checkOpenSSLContextSymbol(subscriptionContext, symbolV2, tree);
        }, () -> {
            subscriptionContext.addIssue(tree, WEAK_PROTOCOL_MESSAGE);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void checkSSLContextSymbol(SubscriptionContext subscriptionContext, SymbolV2 symbolV2, Tree tree) {
        boolean isUnsafeDefaultContext = isUnsafeDefaultContext(subscriptionContext, symbolV2);
        Optional<AssignmentStatement> findUnsafeMaximumVersionStatement = findUnsafeMaximumVersionStatement(symbolV2);
        if (isUnsafeDefaultContext && findUnsafeMaximumVersionStatement.isPresent()) {
            subscriptionContext.addIssue(tree, WEAK_PROTOCOL_MESSAGE).secondary(findUnsafeMaximumVersionStatement.get(), "Unsafe maximum version specified here");
        } else if (findUnsafeMaximumVersionStatement.isPresent()) {
            subscriptionContext.addIssue(findUnsafeMaximumVersionStatement.get(), WEAK_PROTOCOL_MESSAGE);
        } else if (isUnsafeDefaultContext) {
            subscriptionContext.addIssue(tree, WEAK_PROTOCOL_MESSAGE_PYTHON_310);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void checkOpenSSLContextSymbol(SubscriptionContext subscriptionContext, SymbolV2 symbolV2, Tree tree) {
        if (isSecurelyConfiguredOpenSSLContext(symbolV2)) {
            return;
        }
        subscriptionContext.addIssue(tree, WEAK_PROTOCOL_MESSAGE);
    }

    private static boolean isUnsafeDefaultContext(SubscriptionContext subscriptionContext, SymbolV2 symbolV2) {
        return (isSafePythonVersion(subscriptionContext) || isSecurelyConfigured(symbolV2)) ? false : true;
    }

    private static boolean isSafePythonVersion(SubscriptionContext subscriptionContext) {
        return PythonVersionUtils.areSourcePythonVersionsGreaterOrEqualThan(subscriptionContext.sourcePythonVersions(), PythonVersionUtils.Version.V_310);
    }

    private static Optional<SymbolV2> getContextSymbol(Tree tree) {
        Optional ofNullable = Optional.ofNullable(TreeUtils.firstAncestorOfKind(tree, new Tree.Kind[]{Tree.Kind.ASSIGNMENT_STMT}));
        Class<AssignmentStatement> cls = AssignmentStatement.class;
        Objects.requireNonNull(AssignmentStatement.class);
        Optional map = ofNullable.map((v1) -> {
            return r1.cast(v1);
        }).map(assignmentStatement -> {
            return (Expression) ((ExpressionList) assignmentStatement.lhsExpressions().get(0)).expressions().get(0);
        });
        Class<Name> cls2 = Name.class;
        Objects.requireNonNull(Name.class);
        Optional filter = map.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<Name> cls3 = Name.class;
        Objects.requireNonNull(Name.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).map((v0) -> {
            return v0.symbolV2();
        });
    }

    private static boolean isSecurelyConfigured(SymbolV2 symbolV2) {
        return symbolV2.usages().stream().anyMatch(usageV2 -> {
            return isSettingSafeMinimumVersion(usageV2.tree());
        }) || collectSecurityFlags(symbolV2, "options").containsAll(REQUIRED_SECURITY_FLAGS);
    }

    private static boolean isSecurelyConfiguredOpenSSLContext(SymbolV2 symbolV2) {
        return isSecureThroughMinProtoVersion(symbolV2) || isSecureThroughSetOptions(symbolV2);
    }

    private static boolean isSecureThroughMinProtoVersion(SymbolV2 symbolV2) {
        return symbolV2.usages().stream().anyMatch(usageV2 -> {
            Symbol calleeSymbol;
            CallExpression firstAncestorOfKind = TreeUtils.firstAncestorOfKind(usageV2.tree(), new Tree.Kind[]{Tree.Kind.CALL_EXPR});
            if (firstAncestorOfKind == null || (calleeSymbol = firstAncestorOfKind.calleeSymbol()) == null || !"set_min_proto_version".equals(calleeSymbol.name())) {
                return false;
            }
            Stream stream = firstAncestorOfKind.arguments().stream();
            Class<RegularArgument> cls = RegularArgument.class;
            Objects.requireNonNull(RegularArgument.class);
            Stream filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<RegularArgument> cls2 = RegularArgument.class;
            Objects.requireNonNull(RegularArgument.class);
            Stream map = filter.map((v1) -> {
                return r1.cast(v1);
            }).map((v0) -> {
                return v0.expression();
            });
            Class<HasSymbol> cls3 = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            Stream filter2 = map.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<HasSymbol> cls4 = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            return filter2.map((v1) -> {
                return r1.cast(v1);
            }).map((v0) -> {
                return v0.symbol();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).map((v0) -> {
                return v0.fullyQualifiedName();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).anyMatch(str -> {
                return str.contains("TLS1_2_VERSION") || str.contains("TLS1_3_VERSION");
            });
        });
    }

    private static boolean isSecureThroughSetOptions(SymbolV2 symbolV2) {
        return collectOpenSSLSecurityFlags(symbolV2).containsAll(REQUIRED_SECURITY_FLAGS);
    }

    private static Set<String> collectOpenSSLSecurityFlags(SymbolV2 symbolV2) {
        HashSet hashSet = new HashSet();
        Stream map = symbolV2.usages().stream().map((v0) -> {
            return v0.tree();
        }).map((v0) -> {
            return v0.parent();
        });
        Class<QualifiedExpression> cls = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream filter = map.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<QualifiedExpression> cls2 = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream map2 = filter.map((v1) -> {
            return r1.cast(v1);
        }).filter(qualifiedExpression -> {
            return "set_options".equals(qualifiedExpression.name().name());
        }).map((v0) -> {
            return v0.parent();
        });
        Class<CallExpression> cls3 = CallExpression.class;
        Objects.requireNonNull(CallExpression.class);
        Stream filter2 = map2.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<CallExpression> cls4 = CallExpression.class;
        Objects.requireNonNull(CallExpression.class);
        filter2.map((v1) -> {
            return r1.cast(v1);
        }).forEach(callExpression -> {
            if (callExpression.arguments().isEmpty()) {
                return;
            }
            TreeUtils.nthArgumentOrKeywordOptional(0, "options", callExpression.arguments()).map((v0) -> {
                return v0.expression();
            }).ifPresent(expression -> {
                collectSecurityFlagsFromExpression(expression, hashSet);
            });
        });
        return hashSet;
    }

    private static Set<String> collectSecurityFlags(SymbolV2 symbolV2, String str) {
        HashSet hashSet = new HashSet();
        Stream map = symbolV2.usages().stream().map((v0) -> {
            return v0.tree();
        }).map((v0) -> {
            return v0.parent();
        });
        Class<QualifiedExpression> cls = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream filter = map.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<QualifiedExpression> cls2 = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream map2 = filter.map((v1) -> {
            return r1.cast(v1);
        }).filter(qualifiedExpression -> {
            return str.equals(qualifiedExpression.name().name());
        }).map(qualifiedExpression2 -> {
            return TreeUtils.firstAncestorOfKind(qualifiedExpression2, new Tree.Kind[]{Tree.Kind.COMPOUND_ASSIGNMENT});
        });
        Class<CompoundAssignmentStatement> cls3 = CompoundAssignmentStatement.class;
        Objects.requireNonNull(CompoundAssignmentStatement.class);
        Stream filter2 = map2.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<CompoundAssignmentStatement> cls4 = CompoundAssignmentStatement.class;
        Objects.requireNonNull(CompoundAssignmentStatement.class);
        filter2.map((v1) -> {
            return r1.cast(v1);
        }).map((v0) -> {
            return v0.rhsExpression();
        }).forEach(expression -> {
            collectSecurityFlagsFromExpression(expression, hashSet);
        });
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void collectSecurityFlagsFromExpression(Expression expression, Set<String> set) {
        HasSymbol removeParentheses = Expressions.removeParentheses(expression);
        if (removeParentheses instanceof HasSymbol) {
            Optional.ofNullable(removeParentheses.symbol()).map((v0) -> {
                return v0.fullyQualifiedName();
            }).ifPresent(str -> {
                Stream<String> stream = REQUIRED_SECURITY_FLAGS.stream();
                Objects.requireNonNull(str);
                Stream<String> filter = stream.filter((v1) -> {
                    return r1.contains(v1);
                });
                Objects.requireNonNull(set);
                filter.forEach((v1) -> {
                    r1.add(v1);
                });
            });
        } else if (removeParentheses instanceof BinaryExpression) {
            BinaryExpression binaryExpression = (BinaryExpression) removeParentheses;
            collectSecurityFlagsFromExpression(binaryExpression.leftOperand(), set);
            collectSecurityFlagsFromExpression(binaryExpression.rightOperand(), set);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isSettingSafeMinimumVersion(Tree tree) {
        return findVersionStatement(tree, "minimum_version", WeakSSLProtocolCheck::containsSafeVersion).isPresent();
    }

    private static Optional<AssignmentStatement> findUnsafeMaximumVersionStatement(SymbolV2 symbolV2) {
        return symbolV2.usages().stream().map(usageV2 -> {
            return findVersionStatement(usageV2.tree(), "maximum_version", str -> {
                return !containsSafeVersion(str);
            });
        }).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).findFirst();
    }

    private static boolean containsSafeVersion(String str) {
        Stream<String> stream = SAFE_VERSION_NAMES.stream();
        Objects.requireNonNull(str);
        return stream.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<AssignmentStatement> findVersionStatement(Tree tree, String str, Predicate<String> predicate) {
        Optional ofNullable = Optional.ofNullable(TreeUtils.firstAncestorOfKind(tree, new Tree.Kind[]{Tree.Kind.ASSIGNMENT_STMT}));
        Class<AssignmentStatement> cls = AssignmentStatement.class;
        Objects.requireNonNull(AssignmentStatement.class);
        return ofNullable.map((v1) -> {
            return r1.cast(v1);
        }).filter(assignmentStatement -> {
            return isSettingVersionProperty(assignmentStatement, str);
        }).filter(assignmentStatement2 -> {
            Optional of = Optional.of(assignmentStatement2.assignedValue());
            Class<HasSymbol> cls2 = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            Optional filter = of.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<HasSymbol> cls3 = HasSymbol.class;
            Objects.requireNonNull(HasSymbol.class);
            return filter.map((v1) -> {
                return r1.cast(v1);
            }).map((v0) -> {
                return v0.symbol();
            }).map((v0) -> {
                return v0.fullyQualifiedName();
            }).filter(predicate).isPresent();
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isSettingVersionProperty(AssignmentStatement assignmentStatement, String str) {
        Stream filter = assignmentStatement.lhsExpressions().stream().flatMap(expressionList -> {
            return expressionList.expressions().stream();
        }).filter(expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.QUALIFIED_EXPR});
        });
        Class<QualifiedExpression> cls = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).anyMatch(qualifiedExpression -> {
            return str.equals(qualifiedExpression.name().name());
        });
    }
}
