package org.sonar.java.checks.security;

import java.util.Collections;
import java.util.List;
import org.eclipse.jdt.core.JavaCore;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.MethodTreeUtils;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

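/**
 * Rule S5659: JSON Web Tokens must be signed and verified with a strong cipher algorithm.
 *
 * <p>Two libraries are covered:
 * <ul>
 *   <li>auth0 java-jwt: an issue is raised when {@code Algorithm.none()} is passed to
 *       {@code JWT.require(Algorithm)} (verification) or {@code JWTCreator.Builder.sign(Algorithm)}
 *       (signing).</li>
 *   <li>jjwt: an issue is raised on every {@code JwtParser.parse(String)} call (the message asks
 *       for the JWS signature to be verified first) and on {@code JwtBuilder.compact()} when no
 *       {@code signWith(...)} call can be found on the builder chain leading to it.</li>
 * </ul>
 *
 * <p>The builder-chain analysis in {@link #isSigned} is deliberately conservative: whenever the
 * receiver of {@code compact()} cannot be traced back to {@code Jwts.builder()} (fields,
 * parameters, non-chained expressions), the token is assumed to be signed so that no false
 * positive is reported.
 */
@Rule(key = "S5659")
public class JWTWithStrongCipherCheck extends IssuableSubscriptionVisitor {
    private static final String MESSAGE_STRONG_CIPHER = "Use only strong cipher algorithms when %s this JWT.";
    private static final String MESSAGE_VERIFY_SIGNATURE = "The JWT signature (JWS) should be verified before using this token.";
    private static final String MESSAGE_SIGN_TOKEN = "Sign this token using a strong cipher algorithm.";

    private static final String AUTH0_JWT_ALGORITHM = "com.auth0.jwt.algorithms.Algorithm";
    private static final String JWTK_JJWT_BUILDER_TYPE = "io.jsonwebtoken.JwtBuilder";

    private static final MethodMatchers AUTH0_JWT_REQUIRE = MethodMatchers.create()
        .ofTypes("com.auth0.jwt.JWT")
        .names("require")
        .addParametersMatcher(AUTH0_JWT_ALGORITHM)
        .build();
    private static final MethodMatchers AUTH0_JWT_SIGN = MethodMatchers.create()
        .ofTypes("com.auth0.jwt.JWTCreator$Builder")
        .names("sign")
        .addParametersMatcher(AUTH0_JWT_ALGORITHM)
        .build();
    private static final MethodMatchers ALGORITHM_NONE = MethodMatchers.create()
        .ofTypes(AUTH0_JWT_ALGORITHM)
        .names("none")
        .addWithoutParametersMatcher()
        .build();

    private static final MethodMatchers JWTK_JJWT_PARSE = MethodMatchers.create()
        .ofTypes("io.jsonwebtoken.JwtParser")
        .names("parse")
        .addParametersMatcher("java.lang.String")
        .build();
    private static final MethodMatchers JWTK_JJWT_COMPACT = MethodMatchers.create()
        .ofTypes(JWTK_JJWT_BUILDER_TYPE)
        // Plain method-name literal: the equal-valued org.eclipse.jdt.core.JavaCore#COMPACT
        // constant is not a dependency this check should take.
        .names("compact")
        .addWithoutParametersMatcher()
        .build();
    private static final MethodMatchers JWTK_JJWT_BUILDER = MethodMatchers.create()
        .ofTypes("io.jsonwebtoken.Jwts")
        .names("builder")
        .addWithoutParametersMatcher()
        .build();
    private static final MethodMatchers JWTK_JJWT_SIGN_WITH = MethodMatchers.create()
        .ofTypes(JWTK_JJWT_BUILDER_TYPE)
        .names("signWith")
        .withAnyParameters()
        .build();

    /** Only method invocations are inspected. */
    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
    }

    /** Runs both library-specific checks on every method invocation. */
    @Override
    public void visitNode(Tree tree) {
        MethodInvocationTree invocation = (MethodInvocationTree) tree;
        handleAuth0Jwt(invocation);
        handleJwtkJwt(invocation);
    }

    /**
     * auth0 java-jwt: the first argument of {@code JWT.require(Algorithm)} and
     * {@code JWTCreator.Builder.sign(Algorithm)} is the algorithm; report it when it is
     * {@code Algorithm.none()}.
     */
    private void handleAuth0Jwt(MethodInvocationTree invocation) {
        if (AUTH0_JWT_REQUIRE.matches(invocation)) {
            reportIfAlgorithmIsNone(invocation.arguments().get(0), "verifying the signature of");
        } else if (AUTH0_JWT_SIGN.matches(invocation)) {
            reportIfAlgorithmIsNone(invocation.arguments().get(0), "signing");
        }
    }

    /**
     * Reports {@code algorithm} when it is a direct {@code Algorithm.none()} call.
     *
     * @param algorithm the algorithm argument expression
     * @param action    verb phrase substituted into {@link #MESSAGE_STRONG_CIPHER}
     */
    private void reportIfAlgorithmIsNone(ExpressionTree algorithm, String action) {
        boolean isNone = algorithm.is(Tree.Kind.METHOD_INVOCATION)
            && ALGORITHM_NONE.matches((MethodInvocationTree) algorithm);
        if (isNone) {
            reportIssue(algorithm, String.format(MESSAGE_STRONG_CIPHER, action));
        }
    }

    /**
     * jjwt: {@code JwtParser.parse(String)} is always reported; {@code JwtBuilder.compact()} is
     * reported only when {@link #isSigned} cannot find a {@code signWith} on its builder chain.
     */
    private void handleJwtkJwt(MethodInvocationTree invocation) {
        if (JWTK_JJWT_PARSE.matches(invocation)) {
            reportIssue(ExpressionUtils.methodName(invocation), MESSAGE_VERIFY_SIGNATURE);
        } else if (JWTK_JJWT_COMPACT.matches(invocation) && !isSigned(invocation)) {
            reportIssue(ExpressionUtils.methodName(invocation), MESSAGE_SIGN_TOKEN);
        }
    }

    /**
     * Walks the receiver chain of a jjwt builder call backwards looking for {@code signWith}.
     *
     * @param invocation a call on the builder chain (initially the {@code compact()} call)
     * @return {@code false} only when the chain is traced back to {@code Jwts.builder()}, directly
     *     or through a local variable, without meeting a {@code signWith} call; {@code true} when
     *     {@code signWith} is found or when the chain cannot be traced (conservative: the token is
     *     assumed signed rather than risking a false positive)
     */
    private static boolean isSigned(MethodInvocationTree invocation) {
        if (JWTK_JJWT_SIGN_WITH.matches(invocation)) {
            return true;
        }
        if (JWTK_JJWT_BUILDER.matches(invocation)) {
            // Reached the start of the chain without seeing signWith.
            return false;
        }
        ExpressionTree methodSelect = invocation.methodSelect();
        if (!methodSelect.is(Tree.Kind.MEMBER_SELECT)) {
            // Not a qualified call: the receiver is unknown, do not report.
            return true;
        }
        ExpressionTree receiver = ((MemberSelectExpressionTree) methodSelect).expression();
        if (receiver.is(Tree.Kind.METHOD_INVOCATION)) {
            return isSigned((MethodInvocationTree) receiver);
        }
        if (!receiver.is(Tree.Kind.IDENTIFIER)) {
            // Anything but a plain identifier (e.g. this.builder) cannot be traced, do not report.
            return true;
        }
        Symbol symbol = ((IdentifierTree) receiver).symbol();
        return symbol.usages().stream().anyMatch(JWTWithStrongCipherCheck::canSignToken)
            || declarationIsSigned(symbol);
    }

    /**
     * Whether one usage of the builder variable may sign the token: the builder is passed as an
     * argument to some method (which could sign it out of view) or a subsequent invocation on it
     * matches {@code signWith} (as found by {@code MethodTreeUtils.subsequentMethodInvocation}).
     */
    private static boolean canSignToken(IdentifierTree usage) {
        Tree parent = usage.parent();
        boolean passedAsArgument = parent != null && parent.is(Tree.Kind.ARGUMENTS);
        return passedAsArgument
            || MethodTreeUtils.subsequentMethodInvocation(usage, JWTK_JJWT_SIGN_WITH).isPresent();
    }

    /**
     * Follows the builder variable to its declaration and continues the chain walk on its
     * initializer. Only local variables with a visible {@link VariableTree} declaration and a
     * method-invocation initializer are resolved; anything else is treated as signed.
     */
    private static boolean declarationIsSigned(Symbol symbol) {
        if (!symbol.isLocalVariable()) {
            // Fields and parameters may be signed elsewhere: do not report.
            return true;
        }
        Tree declaration = symbol.declaration();
        if (!(declaration instanceof VariableTree)) {
            return true;
        }
        ExpressionTree initializer = ((VariableTree) declaration).initializer();
        return initializer instanceof MethodInvocationTree
            && isSigned((MethodInvocationTree) initializer);
    }
}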
