package org.sonar.python.checks.hotspots;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.symbols.Usage;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.types.v2.TriBool;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.semantic.v2.SymbolV2;
import org.sonar.python.tree.TreeUtils;
import org.sonar.python.types.v2.TypeCheckBuilder;

@Rule(key = "S5527")
/* loaded from: input_file:org/sonar/python/checks/hotspots/UnverifiedHostnameCheck.class */
public class UnverifiedHostnameCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Enable server hostname verification on this SSL/TLS connection.";
    private static final String SECONDARY_OPENSSL = "This context does not perform hostname verification.";
    private static final String SECONDARY_DISABLED = "Hostname verification is disabled here.";
    private static final Set<String> SECURE_BY_DEFAULT = new HashSet(Arrays.asList("ssl.create_default_context", "ssl._create_default_https_context"));
    private static final Set<String> UNSECURE_BY_DEFAULT = new HashSet(Arrays.asList("ssl._create_unverified_context", "ssl._create_stdlib_context"));
    private static final Set<String> UNSAFE_PROTOCOLS = Set.of("ssl.PROTOCOL_SSLv23", "ssl.PROTOCOL_TLS", "ssl.PROTOCOL_SSLv3", "ssl.PROTOCOL_TLSv1", "ssl.PROTOCOL_TLSv1_1", "ssl.PROTOCOL_TLSv1_2");
    private static Set<String> functionsToCheck;
    private TypeCheckBuilder openSSLConnectionTypeCheckBuilder;
    private TypeCheckBuilder openSSLContextTypeCheckBuilder;
    private TypeCheckBuilder sslContextTypeCheckBuilder;

    private static Set<String> functionsToCheck() {
        if (functionsToCheck == null) {
            functionsToCheck = new HashSet();
            functionsToCheck.addAll(SECURE_BY_DEFAULT);
            functionsToCheck.addAll(UNSECURE_BY_DEFAULT);
        }
        return Collections.unmodifiableSet(functionsToCheck);
    }

    private static void checkSuspiciousCall(CallExpression callExpression, Symbol symbol, SubscriptionContext subscriptionContext) {
        Symbol symbol2;
        Tree firstAncestorOfKind = TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.ASSIGNMENT_STMT, Tree.Kind.CALL_EXPR);
        if (firstAncestorOfKind == null) {
            return;
        }
        if (!firstAncestorOfKind.is(Tree.Kind.ASSIGNMENT_STMT)) {
            if (opensUnsecureConnection(symbol, (CallExpression) firstAncestorOfKind)) {
                subscriptionContext.addIssue(callExpression, MESSAGE);
            }
        } else {
            Expression expression = ((AssignmentStatement) firstAncestorOfKind).lhsExpressions().get(0).expressions().get(0);
            if ((expression instanceof HasSymbol) && (symbol2 = ((HasSymbol) expression).symbol()) != null && isUnsafeContext(symbol, symbol2)) {
                subscriptionContext.addIssue(callExpression, MESSAGE);
            }
        }
    }

    private static boolean isUnsafeContext(Symbol symbol, Symbol symbol2) {
        QualifiedExpression qualifiedExpression;
        AssignmentStatement assignmentStatement;
        for (Usage usage : symbol2.usages()) {
            if (usage.kind().equals(Usage.Kind.OTHER) && (qualifiedExpression = (QualifiedExpression) TreeUtils.firstAncestorOfKind(usage.tree(), Tree.Kind.QUALIFIED_EXPR)) != null && "check_hostname".equals(qualifiedExpression.name().name()) && (assignmentStatement = (AssignmentStatement) TreeUtils.firstAncestorOfKind(qualifiedExpression, Tree.Kind.ASSIGNMENT_STMT)) != null) {
                return Expressions.isFalsy(assignmentStatement.assignedValue());
            }
        }
        return UNSECURE_BY_DEFAULT.contains(symbol.fullyQualifiedName());
    }

    private static boolean opensUnsecureConnection(Symbol symbol, CallExpression callExpression) {
        Symbol calleeSymbol = callExpression.calleeSymbol();
        return calleeSymbol != null && "urllib.request.urlopen".equals(calleeSymbol.fullyQualifiedName()) && UNSECURE_BY_DEFAULT.contains(symbol.fullyQualifiedName());
    }

    @Override // org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpression);
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, subscriptionContext -> {
            this.openSSLConnectionTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("OpenSSL.SSL.Connection");
            this.openSSLContextTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isInstanceOf("OpenSSL.SSL.Context");
            this.sslContextTypeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("ssl.SSLContext");
        });
    }

    private void checkCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol != null && functionsToCheck().contains(calleeSymbol.fullyQualifiedName())) {
            checkSuspiciousCall(callExpression, calleeSymbol, subscriptionContext);
        }
        checkOpenSSLConnection(subscriptionContext, callExpression);
        checkSSLContext(subscriptionContext, callExpression);
    }

    private void checkSSLContext(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        String fullyQualifiedName;
        Expression callee = callExpression.callee();
        if (this.sslContextTypeCheckBuilder.check(callee.typeV2()) != TriBool.TRUE) {
            return;
        }
        Optional<Symbol> protocolSymbol = getProtocolSymbol(callExpression);
        if (protocolSymbol.isEmpty() || (fullyQualifiedName = protocolSymbol.get().fullyQualifiedName()) == null) {
            return;
        }
        Tree firstAncestorOfKind = TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.ASSIGNMENT_STMT);
        if (firstAncestorOfKind == null) {
            if (UNSAFE_PROTOCOLS.contains(fullyQualifiedName)) {
                subscriptionContext.addIssue(callExpression, MESSAGE);
                return;
            }
            return;
        }
        Optional<SymbolV2> contextSymbol = getContextSymbol((AssignmentStatement) firstAncestorOfKind);
        if (contextSymbol.isEmpty()) {
            return;
        }
        if (!UNSAFE_PROTOCOLS.contains(fullyQualifiedName)) {
            findCheckHostnameStatement(contextSymbol.get(), Expressions::isFalsy).ifPresent(assignmentStatement -> {
                subscriptionContext.addIssue(callee, MESSAGE).secondary(assignmentStatement, SECONDARY_DISABLED);
            });
        } else if (findCheckHostnameStatement(contextSymbol.get(), Expressions::isTruthy).isEmpty()) {
            subscriptionContext.addIssue(callExpression, MESSAGE);
        }
    }

    private static Optional<Symbol> getProtocolSymbol(CallExpression callExpression) {
        Optional map = Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(0, "protocol", callExpression.arguments())).map((v0) -> {
            return v0.expression();
        });
        Class<HasSymbol> cls = HasSymbol.class;
        Objects.requireNonNull(HasSymbol.class);
        return map.filter((v1) -> {
            return r1.isInstance(v1);
        }).map(expression -> {
            return ((HasSymbol) expression).symbol();
        });
    }

    private static Optional<SymbolV2> getContextSymbol(AssignmentStatement assignmentStatement) {
        Optional ofNullable = Optional.ofNullable(assignmentStatement.lhsExpressions().get(0).expressions().get(0));
        Class<Name> cls = Name.class;
        Objects.requireNonNull(Name.class);
        return ofNullable.filter((v1) -> {
            return r1.isInstance(v1);
        }).map(expression -> {
            return ((Name) expression).symbolV2();
        });
    }

    private static Optional<AssignmentStatement> findCheckHostnameStatement(SymbolV2 symbolV2, Predicate<Expression> predicate) {
        Stream map = symbolV2.usages().stream().map((v0) -> {
            return v0.tree();
        }).map((v0) -> {
            return v0.parent();
        });
        Class<QualifiedExpression> cls = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream filter = map.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<QualifiedExpression> cls2 = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        Stream filter2 = filter.map((v1) -> {
            return r1.cast(v1);
        }).filter(qualifiedExpression -> {
            return "check_hostname".equals(qualifiedExpression.name().name());
        }).map(qualifiedExpression2 -> {
            return TreeUtils.firstAncestorOfKind(qualifiedExpression2, Tree.Kind.ASSIGNMENT_STMT);
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        });
        Class<AssignmentStatement> cls3 = AssignmentStatement.class;
        Objects.requireNonNull(AssignmentStatement.class);
        return filter2.map((v1) -> {
            return r1.cast(v1);
        }).filter(assignmentStatement -> {
            return predicate.test(assignmentStatement.assignedValue());
        }).findFirst();
    }

    private void checkOpenSSLConnection(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        RegularArgument nthArgumentOrKeyword;
        Expression callee = callExpression.callee();
        if (this.openSSLConnectionTypeCheckBuilder.check(callee.typeV2()) == TriBool.TRUE && (nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(0, "context", callExpression.arguments())) != null) {
            Expression expression = nthArgumentOrKeyword.expression();
            if (this.openSSLContextTypeCheckBuilder.check(expression.typeV2()) == TriBool.TRUE) {
                PythonCheck.PreciseIssue addIssue = subscriptionContext.addIssue(callee, MESSAGE);
                Expressions.ifNameGetSingleAssignedNonNameValue(expression).ifPresentOrElse(expression2 -> {
                    addIssue.secondary(expression2, SECONDARY_OPENSSL);
                }, () -> {
                    addIssue.secondary(expression, SECONDARY_OPENSSL);
                });
            }
        }
    }
}
