package apiaddicts.sonar.openapi.checks.security;

import apiaddicts.sonar.openapi.checks.BaseCheck;
import apiaddicts.sonar.openapi.utils.VerbPathMatcher;
import com.google.common.collect.ImmutableSet;
import com.sonar.sslr.api.AstNodeType;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.apiaddicts.apitools.dosonarapi.api.v2.OpenApi2Grammar;
import org.apiaddicts.apitools.dosonarapi.api.v3.OpenApi3Grammar;
import org.apiaddicts.apitools.dosonarapi.api.v31.OpenApi31Grammar;
import org.apiaddicts.apitools.dosonarapi.sslr.yaml.grammar.JsonNode;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;

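/**
 * Rule OAR035: every operation covered by a security requirement must declare the
 * expected authentication-failure response codes ({@code 401} by default).
 *
 * <p>An operation is considered protected when it carries a non-empty {@code security}
 * entry of its own, or when the document root does. For each configured code that is
 * absent from the operation's {@code responses} object, one issue is raised on the
 * {@code responses} key.
 *
 * <p>This listing was recovered from a compiled class; the logic follows the decompiled
 * output, with decompiler artifacts (invalid casts, raw types) cleaned up.
 */
@Rule(key = OAR035UnauthorizedResponseCheck.KEY)
public class OAR035UnauthorizedResponseCheck extends BaseCheck {
    public static final String KEY = "OAR035";
    public static final String MESSAGE = "OAR035.error";
    private static final String RESPONSE_CODES_STR = "401";

    // Parsed form of expectedCodesStr; rebuilt at the start of every analysed file.
    private Set<String> expectedCodes;

    // Separator-delimited list of response codes that protected operations must declare.
    @RuleProperty(key = "expected-codes", description = "Expected response codes.", defaultValue = RESPONSE_CODES_STR)
    private String expectedCodesStr = RESPONSE_CODES_STR;

    // True when the document root of the current file has a non-empty `security` entry.
    private boolean hasGlobalSecurity = false;

    /**
     * Subscribes to operation nodes of the OpenAPI 2, 3 and 3.1 grammars.
     *
     * @return the node kinds for which {@link #visitNode(JsonNode)} is invoked
     */
    @Override
    public Set<AstNodeType> subscribedKinds() {
        // The decompiled output cast the v2 and v3 keys to OpenApi31Grammar; those casts are
        // decompiler artifacts (the grammar types are unrelated) and are dropped here.
        return ImmutableSet.of(OpenApi2Grammar.OPERATION, OpenApi3Grammar.OPERATION, OpenApi31Grammar.OPERATION);
    }

    /**
     * Resets per-file state: parses the configured codes and records whether the document
     * root declares security.
     *
     * @param jsonNode root node of the file being analysed
     */
    @Override
    public void visitFile(JsonNode jsonNode) {
        this.expectedCodes = Arrays.stream(this.expectedCodesStr.split(VerbPathMatcher.VALUE_SEPARATOR))
                .map(String::trim)
                // An empty or doubled separator would otherwise yield "" as an "expected code"
                // and raise a meaningless issue on every protected operation.
                .filter(code -> !code.isEmpty())
                .collect(Collectors.toSet());
        this.hasGlobalSecurity = hasSecurity(jsonNode);
    }

    /**
     * Checks one operation node.
     *
     * @param jsonNode the operation node
     */
    @Override
    public void visitNode(JsonNode jsonNode) {
        validateSecurityResponse(jsonNode);
    }

    /**
     * Reports the expected codes missing from the operation's {@code responses} when the
     * operation, or the document root, declares security.
     *
     * @param jsonNode the operation node
     */
    private void validateSecurityResponse(JsonNode jsonNode) {
        JsonNode responses = jsonNode.get("responses");
        Set<String> declaredCodes = responses.properties().stream()
                .map(property -> property.key().getTokenValue())
                .collect(Collectors.toSet());
        Set<String> missingCodes = this.expectedCodes.stream()
                .filter(code -> !declaredCodes.contains(code))
                .collect(Collectors.toSet());
        // NOTE(review): in OpenAPI an operation-level `security: []` removes the top-level
        // requirement, i.e. the operation is intentionally unauthenticated. hasSecurity()
        // treats an empty array like an absent one, so such operations are still checked
        // whenever the root declares security. Confirm whether that is intended.
        if (hasSecurity(jsonNode) || this.hasGlobalSecurity) {
            validateExpectedCodes(missingCodes, responses);
        }
    }

    /**
     * Raises one issue per missing code, in sorted order so the output is stable.
     *
     * @param set      expected codes not declared by the operation
     * @param jsonNode the operation's {@code responses} node; issues are attached to its key
     */
    private void validateExpectedCodes(Set<String> set, JsonNode jsonNode) {
        List<String> ordered = set.stream().sorted().collect(Collectors.toList());
        for (String code : ordered) {
            addIssue(KEY, translate(MESSAGE, code), jsonNode.key());
        }
    }

    /**
     * Tells whether the node has a {@code security} entry with at least one element.
     *
     * @param jsonNode an operation node or the document root
     * @return {@code false} when {@code security} is missing, null or has no elements
     */
    private boolean hasSecurity(JsonNode jsonNode) {
        JsonNode security = jsonNode.get("security");
        if (security.isMissing() || security.isNull()) {
            return false;
        }
        return security.elements() != null && !security.elements().isEmpty();
    }
}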
