package org.sonar.java.checks.security;

import java.util.Objects;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.ReassignmentFinder;
import org.sonar.java.checks.methods.AbstractMethodDetection;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.java.model.JUtils;
import org.sonar.java.model.Symbols;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

@Rule(key = "S3329")
/* loaded from: input_file:org/sonar/java/checks/security/CipherBlockChainingCheck.class */
public class CipherBlockChainingCheck extends AbstractMethodDetection {
    private static final MethodMatchers SECURE_RANDOM_GENERATE_SEED = MethodMatchers.create().ofTypes(new String[]{"java.security.SecureRandom"}).names(new String[]{"generateSeed"}).withAnyParameters().build();

    /* loaded from: input_file:org/sonar/java/checks/security/CipherBlockChainingCheck$MethodInvocationVisitor.class */
    private static class MethodInvocationVisitor extends BaseTreeVisitor {
        private boolean secureRandomFound = false;
        private final NewClassTree ivParameterSpecInstantiation;
        private final Symbol ivParameterSymbol;
        private static final MethodMatchers SECURE_RANDOM_NEXT_BYTES = MethodMatchers.create().ofTypes(new String[]{"java.security.SecureRandom"}).names(new String[]{"nextBytes"}).withAnyParameters().build();
        private static final MethodMatchers CIPHER_INIT = MethodMatchers.create().ofTypes(new String[]{"javax.crypto.Cipher"}).names(new String[]{"init"}).withAnyParameters().build();
        private static final MethodMatchers BYTEBUFFER_GET = MethodMatchers.create().ofTypes(new String[]{"java.nio.ByteBuffer"}).names(new String[]{"get"}).withAnyParameters().build();
        private static final int CIPHER_INIT_DECRYPT_MODE = 2;

        public MethodInvocationVisitor(NewClassTree newClassTree) {
            this.ivParameterSpecInstantiation = newClassTree;
            this.ivParameterSymbol = ivSymbol(newClassTree);
        }

        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            if (SECURE_RANDOM_NEXT_BYTES.matches(methodInvocationTree)) {
                Symbol symbol = symbol((ExpressionTree) this.ivParameterSpecInstantiation.arguments().get(0));
                if (!symbol.isUnknown() && symbol.equals(symbol((ExpressionTree) methodInvocationTree.arguments().get(0)))) {
                    this.secureRandomFound = true;
                }
            }
            if (CIPHER_INIT.matches(methodInvocationTree) && methodInvocationTree.arguments().size() > 2 && 2 == ((Integer) ((ExpressionTree) methodInvocationTree.arguments().get(0)).asConstant(Integer.class).orElse(-1)).intValue() && isPartOfArguments(methodInvocationTree)) {
                this.secureRandomFound = true;
            }
            if (isInitVectorCopiedFromByteBuffer(methodInvocationTree)) {
                this.secureRandomFound = true;
            }
            if (methodInvocationTree.methodSymbol().isUnknown()) {
                this.secureRandomFound = true;
            }
            super.visitMethodInvocation(methodInvocationTree);
        }

        private boolean isInitVectorCopiedFromByteBuffer(MethodInvocationTree methodInvocationTree) {
            if (!BYTEBUFFER_GET.matches(methodInvocationTree)) {
                return false;
            }
            Symbol symbol = symbol((ExpressionTree) this.ivParameterSpecInstantiation.arguments().get(0));
            Stream filter = methodInvocationTree.arguments().stream().map(MethodInvocationVisitor::symbol).filter(symbol2 -> {
                return symbol2.type().is("byte[]");
            });
            Objects.requireNonNull(symbol);
            return filter.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        }

        private boolean isPartOfArguments(MethodInvocationTree methodInvocationTree) {
            return isPartOfArguments(methodInvocationTree, (ExpressionTree) this.ivParameterSpecInstantiation) || (!this.ivParameterSymbol.isUnknown() && isPartOfArguments(methodInvocationTree, this.ivParameterSymbol));
        }

        private static boolean isPartOfArguments(MethodInvocationTree methodInvocationTree, ExpressionTree expressionTree) {
            Stream map = methodInvocationTree.arguments().stream().map(ExpressionUtils::skipParentheses);
            Objects.requireNonNull(expressionTree);
            return map.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        }

        private static boolean isPartOfArguments(MethodInvocationTree methodInvocationTree, Symbol symbol) {
            Stream map = methodInvocationTree.arguments().stream().map(ExpressionUtils::skipParentheses).map(MethodInvocationVisitor::symbol);
            Objects.requireNonNull(symbol);
            return map.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        }

        private static Symbol symbol(ExpressionTree expressionTree) {
            return expressionTree.is(new Tree.Kind[]{Tree.Kind.IDENTIFIER}) ? ((IdentifierTree) expressionTree).symbol() : expressionTree.is(new Tree.Kind[]{Tree.Kind.MEMBER_SELECT}) ? ((MemberSelectExpressionTree) expressionTree).identifier().symbol() : Symbols.unknownSymbol;
        }

        private static Symbol ivSymbol(NewClassTree newClassTree) {
            VariableTree parent = newClassTree.parent();
            return parent.is(new Tree.Kind[]{Tree.Kind.VARIABLE}) ? parent.symbol() : parent.is(new Tree.Kind[]{Tree.Kind.ASSIGNMENT}) ? symbol(((AssignmentExpressionTree) parent).variable()) : Symbols.unknownSymbol;
        }
    }

    @Override // org.sonar.java.checks.methods.AbstractMethodDetection
    protected MethodMatchers getMethodInvocationMatchers() {
        return MethodMatchers.create().ofTypes(new String[]{"javax.crypto.spec.IvParameterSpec"}).constructor().addParametersMatcher(list -> {
            return !list.isEmpty();
        }).build();
    }

    @Override // org.sonar.java.checks.methods.AbstractMethodDetection
    protected void onConstructorFound(NewClassTree newClassTree) {
        MethodTree enclosingMethod;
        if (newClassTree.arguments().isEmpty() || isDynamicallyGenerated((ExpressionTree) newClassTree.arguments().get(0)) || (enclosingMethod = ExpressionUtils.getEnclosingMethod(newClassTree)) == null) {
            return;
        }
        MethodInvocationVisitor methodInvocationVisitor = new MethodInvocationVisitor(newClassTree);
        enclosingMethod.accept(methodInvocationVisitor);
        if (methodInvocationVisitor.secureRandomFound) {
            return;
        }
        reportIssue(newClassTree, "Use a dynamically-generated, random IV.");
    }

    private static boolean isDynamicallyGenerated(ExpressionTree expressionTree) {
        if (!expressionTree.is(new Tree.Kind[]{Tree.Kind.IDENTIFIER})) {
            return isSecureRandomGenerateSeed(expressionTree);
        }
        Symbol.VariableSymbol symbol = ((IdentifierTree) expressionTree).symbol();
        if (JUtils.isParameter(symbol)) {
            return true;
        }
        VariableTree declaration = symbol.isVariableSymbol() ? symbol.declaration() : null;
        return declaration != null && (isSecureRandomGenerateSeed(declaration.initializer()) || ReassignmentFinder.getReassignments(declaration, symbol.usages()).stream().map((v0) -> {
            return v0.expression();
        }).anyMatch(CipherBlockChainingCheck::isSecureRandomGenerateSeed));
    }

    private static boolean isSecureRandomGenerateSeed(@Nullable ExpressionTree expressionTree) {
        return expressionTree != null && expressionTree.is(new Tree.Kind[]{Tree.Kind.METHOD_INVOCATION}) && SECURE_RANDOM_GENERATE_SEED.matches((MethodInvocationTree) expressionTree);
    }
}
