package org.sonar.java.checks.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.java.matcher.MethodMatcher;
import org.sonar.java.matcher.MethodMatcherCollection;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.java.resolve.ClassJavaType;
import org.sonar.java.resolve.JavaType;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.Type;
import org.sonar.plugins.java.api.tree.ClassTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.ModifiersTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.TypeTree;

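@Rule(key = "S4834")
public class ControllingPermissionsCheck extends IssuableSubscriptionVisitor {

    /*
     * Security hotspot S4834: report every place where the program defines or
     * changes who is allowed to do what, so a human reviewer can confirm the
     * permission logic. The rule does not evaluate the logic itself; it only
     * marks the location with MESSAGE.
     *
     * What is reported (see the individual handlers):
     *   - methods carrying a Spring Security prepost/@Secured annotation or a
     *     JSR-250 @RolesAllowed/@PermitAll/@DenyAll annotation;
     *   - classes/enums/interfaces carrying a JSR-250 annotation;
     *   - direct super-interface clauses naming one of SECURITY_INTERFACES, and
     *     an extends clause naming GlobalMethodSecurityConfiguration;
     *   - `new` of any type whose direct super types include GrantedAuthority,
     *     and anonymous classes whose direct super types include one of
     *     SECURITY_INTERFACES or GlobalMethodSecurityConfiguration;
     *   - calls to MutableAclService.createAcl/deleteAcl/updateAcl and
     *     HttpSecurity.authorizeRequests().
     *
     * Everything is matched by fully-qualified name, so nothing is reported
     * unless semantic analysis resolved the types (visitNode bails out when
     * hasSemantic() is false). NOTE(review): the name lists are closed; other
     * annotation namespaces or newer Spring Security entry points are not
     * matched unless added here -- confirm against the target framework
     * versions. NOTE(review): only *direct* super types/interfaces are
     * inspected and Type#is is presumably an exact-name test, so a class that
     * reaches one of these interfaces through an intermediate base class or
     * sub-interface appears not to be flagged -- confirm whether that gap is
     * intended.
     */

    private static final String MESSAGE = "Make sure that Permissions are controlled safely here.";

    private static final String GLOBAL_METHOD_SECURITY_CONFIGURATION =
        "org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration";
    private static final String GRANTED_AUTHORITY = "org.springframework.security.core.GrantedAuthority";
    private static final String MUTABLE_ACL_SERVICE = "org.springframework.security.acls.model.MutableAclService";
    private static final String HTTP_SECURITY = "org.springframework.security.config.annotation.web.builders.HttpSecurity";

    /** Spring Security method-level authorization annotations (checked on methods only). */
    private static final List<String> SPRING_SECURITY_ANNOTATIONS = Collections.unmodifiableList(Arrays.asList(
        "org.springframework.security.access.prepost.PostAuthorize",
        "org.springframework.security.access.prepost.PostFilter",
        "org.springframework.security.access.prepost.PreAuthorize",
        "org.springframework.security.access.prepost.PreFilter",
        "org.springframework.security.access.annotation.Secured"));

    /** JSR-250 authorization annotations (checked on both methods and types). */
    private static final List<String> JSR_250_ANNOTATIONS = Collections.unmodifiableList(Arrays.asList(
        "javax.annotation.security.RolesAllowed",
        "javax.annotation.security.PermitAll",
        "javax.annotation.security.DenyAll"));

    /** Spring Security interfaces whose implementations take part in access decisions. */
    private static final List<String> SECURITY_INTERFACES = Collections.unmodifiableList(Arrays.asList(
        "org.springframework.security.access.AccessDecisionVoter",
        "org.springframework.security.access.AccessDecisionManager",
        "org.springframework.security.access.AfterInvocationProvider",
        "org.springframework.security.access.PermissionEvaluator",
        "org.springframework.security.access.expression.SecurityExpressionOperations",
        "org.springframework.security.access.expression.method.MethodSecurityExpressionHandler",
        GRANTED_AUTHORITY,
        "org.springframework.security.acls.model.PermissionGrantingStrategy"));

    /** Calls that create, change or delete permission rules. */
    private static final MethodMatcherCollection PERMISSION_API_CALLS = MethodMatcherCollection.create(
        aclServiceMethod("createAcl"),
        aclServiceMethod("deleteAcl"),
        aclServiceMethod("updateAcl"),
        MethodMatcher.create().typeDefinition(HTTP_SECURITY).name("authorizeRequests").withAnyParameters());

    /** Matcher for any overload of the named MutableAclService method. */
    private static MethodMatcher aclServiceMethod(String methodName) {
        return MethodMatcher.create().typeDefinition(MUTABLE_ACL_SERVICE).name(methodName).withAnyParameters();
    }

    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(
            Tree.Kind.CLASS, Tree.Kind.ENUM, Tree.Kind.INTERFACE,
            Tree.Kind.NEW_CLASS, Tree.Kind.METHOD, Tree.Kind.METHOD_INVOCATION);
    }

    /**
     * Dispatches each subscribed node to its handler. Without semantic
     * information the fully-qualified-name matching below cannot work, so the
     * whole check is skipped rather than producing noise.
     */
    @Override
    public void visitNode(Tree tree) {
        if (!hasSemantic()) {
            return;
        }
        switch (tree.kind()) {
            case CLASS:
            case ENUM:
            case INTERFACE:
                checkClass((ClassTree) tree);
                break;
            case NEW_CLASS:
                checkInstantiation((NewClassTree) tree);
                break;
            case METHOD:
                checkMethod((MethodTree) tree);
                break;
            case METHOD_INVOCATION:
                checkInvocation((MethodInvocationTree) tree);
                break;
            default:
                break;
        }
    }

    /** A method is a hotspot if it carries any Spring Security or JSR-250 authorization annotation. */
    private void checkMethod(MethodTree methodTree) {
        ModifiersTree modifiers = methodTree.modifiers();
        checkAnnotations(modifiers, SPRING_SECURITY_ANNOTATIONS);
        checkAnnotations(modifiers, JSR_250_ANNOTATIONS);
    }

    /**
     * Reports each direct super-interface clause naming a security interface,
     * an extends clause naming GlobalMethodSecurityConfiguration, and any
     * JSR-250 annotation on the type. Only the JSR-250 annotations are checked
     * at type level; the Spring ones are only checked on methods.
     */
    private void checkClass(ClassTree classTree) {
        classTree.superInterfaces().stream()
            .filter(superInterface -> isAnyOf(superInterface.symbolType(), SECURITY_INTERFACES))
            .forEach(this::reportIssue);

        TypeTree parent = classTree.superClass();
        if (parent != null && parent.symbolType().is(GLOBAL_METHOD_SECURITY_CONFIGURATION)) {
            reportIssue(parent);
        }

        checkAnnotations(classTree.modifiers(), JSR_250_ANNOTATIONS);
    }

    /** Reports every annotation on the modifiers whose type is in the given name list. */
    private void checkAnnotations(ModifiersTree modifiersTree, List<String> annotationNames) {
        modifiersTree.annotations().stream()
            .filter(annotation -> isAnyOf(annotation.symbolType(), annotationNames))
            .forEach(this::reportIssue);
    }

    /**
     * Reports the instantiated type name when a direct super type of the created
     * class is GrantedAuthority, or when the expression declares an anonymous
     * class body on top of a security interface / GlobalMethodSecurityConfiguration.
     */
    private void checkInstantiation(NewClassTree newClassTree) {
        JavaType instantiatedType = (JavaType) newClassTree.symbolType();
        // A class body means an anonymous subclass: the access logic is written right here.
        boolean isAnonymousClass = newClassTree.classBody() != null;
        boolean isHotspot = instantiatedType.directSuperTypes().stream()
            .anyMatch(superType -> superType.is(GRANTED_AUTHORITY)
                || (isAnonymousClass && isSecurityBaseType(superType)));
        if (isHotspot) {
            reportIssue(newClassTree.identifier());
        }
    }

    /** True when the type is GlobalMethodSecurityConfiguration or one of SECURITY_INTERFACES. */
    private static boolean isSecurityBaseType(ClassJavaType type) {
        return type.is(GLOBAL_METHOD_SECURITY_CONFIGURATION) || isAnyOf(type, SECURITY_INTERFACES);
    }

    /** Reports ACL-mutating and HttpSecurity.authorizeRequests() calls at the method name. */
    private void checkInvocation(MethodInvocationTree invocation) {
        if (PERMISSION_API_CALLS.anyMatch(invocation)) {
            reportIssue(ExpressionUtils.methodName(invocation));
        }
    }

    /** Exact fully-qualified-name match of {@code type} against any entry of the list. */
    private static boolean isAnyOf(Type type, List<String> fullyQualifiedNames) {
        return fullyQualifiedNames.stream().anyMatch(type::is);
    }

    private void reportIssue(Tree tree) {
        reportIssue(tree, MESSAGE);
    }
}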
