package org.sonar.python.checks.hotspots;

import com.sonar.sslr.api.AstNode;
import com.sonar.sslr.api.AstNodeType;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.python.api.PythonGrammar;
import org.sonar.python.api.PythonPunctuator;
import org.sonar.python.checks.AbstractCallExpressionCheck;
import org.sonar.python.semantic.Symbol;

@Rule(key = HashingDataCheck.CHECK_KEY)
/* loaded from: input_file:org/sonar/python/checks/hotspots/HashingDataCheck.class */
public class HashingDataCheck extends AbstractCallExpressionCheck {
    public static final String CHECK_KEY = "S4790";
    private static final String MESSAGE = "Make sure that hashing data is safe here.";
    private static final Set<String> questionableFunctions = immutableSet("hashlib.new", "cryptography.hazmat.primitives.hashes.Hash", "django.contrib.auth.hashers.make_password", "werkzeug.security.generate_password_hash");
    private static final Set<String> questionableHashlibAlgorithm = (Set) Stream.of((Object[]) new String[]{"blake2b", "blake2s", "md5", "pbkdf2_hmac", "sha1", "sha224", "sha256", "sha384", "sha3_224", "sha3_256", "sha3_384", "sha3_512", "sha512", "shake_128", "shake_256", "scrypt"}).map(str -> {
        return "hashlib." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionablePasslibAlgorithm = (Set) Stream.of((Object[]) new String[]{"apr_md5_crypt", "argon2", "atlassian_pbkdf2_sha1", "bcrypt", "bcrypt_sha256", "bigcrypt", "bsd_nthash", "bsdi_crypt", "cisco_asa", "cisco_pix", "cisco_type7", "crypt16", "cta_pbkdf2_sha1", "des_crypt", "django_argon2", "django_bcrypt", "django_bcrypt_sha256", "django_des_crypt", "django_disabled", "django_pbkdf2_sha1", "django_pbkdf2_sha256", "django_salted_md5", "django_salted_sha1", "dlitz_pbkdf2_sha1", "fshp", "grub_pbkdf2_sha512", "hex_md4", "hex_md5", "hex_sha1", "hex_sha256", "hex_sha512", "htdigest", "ldap_bcrypt", "ldap_bsdi_crypt", "ldap_des_crypt", "ldap_hex_md5", "ldap_hex_sha1", "ldap_md5", "ldap_md5_crypt", "ldap_pbkdf2_sha1", "ldap_pbkdf2_sha256", "ldap_pbkdf2_sha512", "ldap_plaintext", "ldap_salted_md5", "ldap_salted_sha1", "ldap_sha1", "ldap_sha1_crypt", "ldap_sha256_crypt", "ldap_sha512_crypt", "lmhash", "md5_crypt", "msdcc", "msdcc2", "mssql2000", "mssql2005", "mysql323", "mysql41", "nthash", "oracle10", "oracle11", "pbkdf2_sha1", "pbkdf2_sha256", "pbkdf2_sha512", "phpass", "plaintext", "postgres_md5", "roundup_plaintext", "scram", "scrypt", "sha1_crypt", "sha256_crypt", "sha512_crypt", "sun_md5_crypt", "unix_disabled", "unix_fallback"}).map(str -> {
        return "passlib.hash." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionableDjangoHashers = (Set) Stream.of((Object[]) new String[]{"PBKDF2PasswordHasher", "PBKDF2SHA1PasswordHasher", "Argon2PasswordHasher", "BCryptSHA256PasswordHasher", "BasePasswordHasher", "BCryptPasswordHasher", "SHA1PasswordHasher", "MD5PasswordHasher", "UnsaltedSHA1PasswordHasher", "UnsaltedMD5PasswordHasher", "CryptPasswordHasher"}).map(str -> {
        return "django.contrib.auth.hashers." + str;
    }).collect(Collectors.toSet());

    /* renamed from: org.sonar.python.checks.hotspots.HashingDataCheck$1, reason: invalid class name */
    /* loaded from: input_file:org/sonar/python/checks/hotspots/HashingDataCheck$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$sonar$python$api$PythonGrammar = new int[PythonGrammar.values().length];

        static {
            try {
                $SwitchMap$org$sonar$python$api$PythonGrammar[PythonGrammar.ATTRIBUTE_REF.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$sonar$python$api$PythonGrammar[PythonGrammar.ATOM.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$sonar$python$api$PythonGrammar[PythonGrammar.EXPRESSION_STMT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$sonar$python$api$PythonGrammar[PythonGrammar.CLASSDEF.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$sonar$python$api$PythonGrammar[PythonGrammar.CALL_EXPR.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    public Set<AstNodeType> subscribedKinds() {
        return immutableSet(PythonGrammar.CALL_EXPR, PythonGrammar.ATTRIBUTE_REF, PythonGrammar.ATOM, PythonGrammar.EXPRESSION_STMT, PythonGrammar.CLASSDEF);
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    public void visitNode(AstNode astNode) {
        switch (AnonymousClass1.$SwitchMap$org$sonar$python$api$PythonGrammar[astNode.getType().ordinal()]) {
            case 1:
            case 2:
                checkQuestionableHashingAlgorithm(astNode);
                return;
            case 3:
                checkOverwriteDjangoHashers(astNode);
                return;
            case 4:
                checkCreatingCustomHasher(astNode);
                return;
            case 5:
                super.visitNode(astNode);
                return;
            default:
                return;
        }
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected boolean isException(AstNode astNode) {
        return isDjangoMakePasswordFunctionWithoutSaltAndHasher(astNode);
    }

    private boolean isDjangoMakePasswordFunctionWithoutSaltAndHasher(AstNode astNode) {
        AstNode firstChild;
        return getQualifiedName(astNode).equals("django.contrib.auth.hashers.make_password") && (firstChild = astNode.getFirstChild(new AstNodeType[]{PythonGrammar.ARGLIST})) != null && firstChild.getChildren(new AstNodeType[]{PythonGrammar.ARGUMENT}).size() == 1;
    }

    private void checkOverwriteDjangoHashers(AstNode astNode) {
        List<AstNode> lHSExpressions = getLHSExpressions(astNode);
        if (lHSExpressions == null) {
            return;
        }
        if (isOverwritingDjangoHashers(lHSExpressions)) {
            addIssue(astNode, MESSAGE);
        } else if (getContext().pythonFile().fileName().equals("global_settings.py") && lHSExpressions.stream().anyMatch(astNode2 -> {
            return astNode2.getTokenValue().equals("PASSWORD_HASHERS");
        })) {
            addIssue(astNode, MESSAGE);
        }
    }

    private boolean isOverwritingDjangoHashers(List<AstNode> list) {
        return list.stream().map(astNode -> {
            return astNode.getFirstDescendant(new AstNodeType[]{PythonGrammar.ATTRIBUTE_REF});
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).anyMatch(astNode2 -> {
            AstNode firstChild = astNode2.getFirstChild(new AstNodeType[]{PythonGrammar.ATOM});
            return firstChild != null && getQualifiedName(firstChild).equals("django.conf.settings") && astNode2.getLastChild(new AstNodeType[]{PythonGrammar.NAME}).getTokenValue().equals("PASSWORD_HASHERS");
        });
    }

    private void checkQuestionableHashingAlgorithm(AstNode astNode) {
        String qualifiedName = getQualifiedName(astNode);
        if (qualifiedName.equals("cryptography.hazmat.primitives.hashes") && isHashesFunctionCall(astNode.getParent())) {
            addIssue(astNode.getParent(), MESSAGE);
        } else if (questionableHashlibAlgorithm.contains(qualifiedName) || questionablePasslibAlgorithm.contains(qualifiedName)) {
            addIssue(astNode, MESSAGE);
        }
    }

    private static boolean isHashesFunctionCall(@Nullable AstNode astNode) {
        if (astNode == null || !astNode.is(new AstNodeType[]{PythonGrammar.ATTRIBUTE_REF})) {
            return false;
        }
        String tokenValue = astNode.getLastChild(new AstNodeType[]{PythonGrammar.NAME}).getTokenValue();
        AstNode parent = astNode.getParent();
        return tokenValue.equals("Hash") && parent != null && parent.is(new AstNodeType[]{PythonGrammar.CALL_EXPR});
    }

    @CheckForNull
    private static List<AstNode> getLHSExpressions(AstNode astNode) {
        if (astNode.hasDirectChildren(new AstNodeType[]{PythonPunctuator.ASSIGN})) {
            return astNode.getFirstChild(new AstNodeType[]{PythonGrammar.TESTLIST_STAR_EXPR}).getChildren(new AstNodeType[]{PythonGrammar.TEST});
        }
        return null;
    }

    private String getQualifiedName(AstNode astNode) {
        Symbol symbol = getContext().symbolTable().getSymbol(astNode);
        return symbol != null ? symbol.qualifiedName() : "";
    }

    private void checkCreatingCustomHasher(AstNode astNode) {
        AstNode firstChild = astNode.getFirstChild(new AstNodeType[]{PythonGrammar.ARGLIST});
        if (firstChild != null) {
            firstChild.getDescendants(new AstNodeType[]{PythonGrammar.ATOM}).stream().filter(astNode2 -> {
                return questionableDjangoHashers.contains(getQualifiedName(astNode2));
            }).forEach(astNode3 -> {
                addIssue(astNode3, MESSAGE);
            });
        }
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected Set<String> functionsToCheck() {
        return questionableFunctions;
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected String message() {
        return MESSAGE;
    }
}
