package org.sonar.python.checks;

import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.types.v2.PythonType;
import org.sonar.plugins.python.api.types.v2.TriBool;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.tree.StringLiteralImpl;
import org.sonar.python.tree.TreeUtils;
import org.sonar.python.types.v2.TypeCheckBuilder;

@Rule(key = "S5547")
/* loaded from: input_file:org/sonar/python/checks/RobustCipherAlgorithmCheck.class */
public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Use a strong cipher algorithm.";
    private static final String INSECURE_CIPHERS_PREFIX = "cryptography.hazmat.decrepit.ciphers.";
    private static final Set<String> INSECURE_CIPHERS = Set.of((Object[]) new String[]{"NULL", "aNULL", "eNULL", "COMPLEMENTOFALL", "RC2", "RC4", "IDEA", "SEED", "DES", "3DES", "MD5", "SHA", "SHA1", "ADH", "AECDH", "CBC", "LOW", "@SECLEVEL=0", "@SECLEVEL=1", "DEFAULT@SECLEVEL=0", "DEFAULT@SECLEVEL=1"});
    public static final Set<String> SSL_SET_CIPHERS_FQN = Set.of("ssl.SSLContext.set_ciphers", "OpenSSL.SSL.Context.set_cipher_list");
    private static final Set<String> SENSITIVE_CALLEE_FQNS = Set.of((Object[]) new String[]{"Crypto.Cipher.ARC2.new", "Crypto.Cipher.ARC4.new", "Crypto.Cipher.Blowfish.new", "Crypto.Cipher.XOR.new", "Crypto.Cipher.CAST.new", "Crypto.Cipher.DES.new", "Crypto.Cipher.DES3.new", "Cryptodome.Cipher.ARC2.new", "Cryptodome.Cipher.ARC4.new", "Cryptodome.Cipher.Blowfish.new", "Cryptodome.Cipher.XOR.new", "Cryptodome.Cipher.CAST.new", "Cryptodome.Cipher.DES.new", "Cryptodome.Cipher.DES3.new", "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", "cryptography.hazmat.primitives.ciphers.algorithms.CAST5", "cryptography.hazmat.primitives.ciphers.algorithms.TripleDES", "pyDes.des", "pyDes.triple_des"});
    private List<TypeCheckBuilder> sensitiveCalleesTypeCheckers;
    private List<TypeCheckBuilder> sslSetCipherTypeCheckers;
    private TypeCheckBuilder urllibSslContextTypeChecker;

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, subscriptionContext -> {
            this.sslSetCipherTypeCheckers = SSL_SET_CIPHERS_FQN.stream().map(str -> {
                return subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(str);
            }).toList();
            this.sensitiveCalleesTypeCheckers = SENSITIVE_CALLEE_FQNS.stream().map(str2 -> {
                return subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(str2);
            }).toList();
            this.urllibSslContextTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("urllib3.util.ssl_.create_urllib3_context");
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
    }

    private void checkCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        PythonType typeV2 = syntaxNode.callee().typeV2();
        if (((String) Optional.ofNullable(syntaxNode.calleeSymbol()).map((v0) -> {
            return v0.fullyQualifiedName();
        }).orElse("")).startsWith(INSECURE_CIPHERS_PREFIX)) {
            subscriptionContext.addIssue(syntaxNode.callee(), MESSAGE);
            return;
        }
        if (this.sensitiveCalleesTypeCheckers.stream().anyMatch(typeCheckBuilder -> {
            return typeCheckBuilder.check(typeV2) == TriBool.TRUE;
        })) {
            subscriptionContext.addIssue(syntaxNode.callee(), MESSAGE);
        } else if (this.sslSetCipherTypeCheckers.stream().anyMatch(typeCheckBuilder2 -> {
            return typeCheckBuilder2.check(typeV2) == TriBool.TRUE;
        })) {
            checkForInsecureCiphers(subscriptionContext, syntaxNode);
        } else if (this.urllibSslContextTypeChecker.check(typeV2) == TriBool.TRUE) {
            Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(4, "ciphers", syntaxNode.arguments())).map((v0) -> {
                return v0.expression();
            }).ifPresent(expression -> {
                processCiphersArgument(subscriptionContext, syntaxNode, expression);
            });
        }
    }

    private static void checkForInsecureCiphers(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        Optional.of(callExpression.arguments()).filter(list -> {
            return list.size() == 1;
        }).map(list2 -> {
            return (Argument) list2.get(0);
        }).flatMap(TreeUtils.toOptionalInstanceOfMapper(RegularArgument.class)).map((v0) -> {
            return v0.expression();
        }).ifPresent(expression -> {
            processCiphersArgument(subscriptionContext, callExpression, expression);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void processCiphersArgument(SubscriptionContext subscriptionContext, CallExpression callExpression, Expression expression) {
        StringLiteral unpackArgument = unpackArgument(expression);
        Optional.ofNullable(unpackArgument).map((v0) -> {
            return v0.trimmedQuotesValue();
        }).map(RobustCipherAlgorithmCheck::findInsecureCiphers).filter(Predicate.not((v0) -> {
            return v0.isEmpty();
        })).ifPresent(set -> {
            subscriptionContext.addIssue(callExpression.callee(), MESSAGE).secondary(unpackArgument, (String) set.stream().collect(Collectors.joining("`, `", (set.size() > 1 ? "The following cipher strings are insecure: " : "The following cipher string is insecure: ") + "`", "`")));
        });
    }

    @CheckForNull
    private static StringLiteral unpackArgument(@Nullable Expression expression) {
        if (expression == null) {
            return null;
        }
        if (expression.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL})) {
            return (StringLiteralImpl) expression;
        }
        if (expression.is(new Tree.Kind[]{Tree.Kind.NAME})) {
            return unpackArgument(Expressions.singleAssignedValue((Name) expression));
        }
        return null;
    }

    private static Set<String> findInsecureCiphers(String str) {
        Stream flatMap = Stream.of(str).flatMap(str2 -> {
            return Stream.of((Object[]) str2.split(":"));
        }).filter(str3 -> {
            return (str3.startsWith("!") || str3.startsWith("-")) ? false : true;
        }).flatMap(str4 -> {
            return Stream.of((Object[]) str4.split("\\+"));
        }).flatMap(str5 -> {
            return Stream.of((Object[]) str5.split("-"));
        });
        Set<String> set = INSECURE_CIPHERS;
        Objects.requireNonNull(set);
        return (Set) flatMap.filter((v1) -> {
            return r1.contains(v1);
        }).collect(Collectors.toCollection(LinkedHashSet::new));
    }
}
