package org.sonar.python.checks.hotspots;

import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.python.SubscriptionCheck;
import org.sonar.python.SubscriptionContext;
import org.sonar.python.api.tree.PyArgListTree;
import org.sonar.python.api.tree.PyAssignmentStatementTree;
import org.sonar.python.api.tree.PyCallExpressionTree;
import org.sonar.python.api.tree.PyExpressionListTree;
import org.sonar.python.api.tree.PyExpressionTree;
import org.sonar.python.api.tree.PyNameTree;
import org.sonar.python.api.tree.PyParenthesizedExpressionTree;
import org.sonar.python.api.tree.PyQualifiedExpressionTree;
import org.sonar.python.api.tree.Tree;
import org.sonar.python.checks.AbstractCallExpressionCheck;
import org.sonar.python.semantic.Symbol;

@Rule(key = HashingDataCheck.CHECK_KEY)
/* loaded from: input_file:org/sonar/python/checks/hotspots/HashingDataCheck.class */
public class HashingDataCheck extends AbstractCallExpressionCheck {
    public static final String CHECK_KEY = "S4790";
    private static final String MESSAGE = "Make sure that hashing data is safe here.";
    private static final Set<String> questionableFunctions = immutableSet("hashlib.new", "cryptography.hazmat.primitives.hashes.Hash", "django.contrib.auth.hashers.make_password", "werkzeug.security.generate_password_hash");
    private static final Set<String> questionableHashlibAlgorithm = (Set) Stream.of((Object[]) new String[]{"blake2b", "blake2s", "md5", "pbkdf2_hmac", "sha1", "sha224", "sha256", "sha384", "sha3_224", "sha3_256", "sha3_384", "sha3_512", "sha512", "shake_128", "shake_256", "scrypt"}).map(str -> {
        return "hashlib." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionablePasslibAlgorithm = (Set) Stream.of((Object[]) new String[]{"apr_md5_crypt", "argon2", "atlassian_pbkdf2_sha1", "bcrypt", "bcrypt_sha256", "bigcrypt", "bsd_nthash", "bsdi_crypt", "cisco_asa", "cisco_pix", "cisco_type7", "crypt16", "cta_pbkdf2_sha1", "des_crypt", "django_argon2", "django_bcrypt", "django_bcrypt_sha256", "django_des_crypt", "django_disabled", "django_pbkdf2_sha1", "django_pbkdf2_sha256", "django_salted_md5", "django_salted_sha1", "dlitz_pbkdf2_sha1", "fshp", "grub_pbkdf2_sha512", "hex_md4", "hex_md5", "hex_sha1", "hex_sha256", "hex_sha512", "htdigest", "ldap_bcrypt", "ldap_bsdi_crypt", "ldap_des_crypt", "ldap_hex_md5", "ldap_hex_sha1", "ldap_md5", "ldap_md5_crypt", "ldap_pbkdf2_sha1", "ldap_pbkdf2_sha256", "ldap_pbkdf2_sha512", "ldap_plaintext", "ldap_salted_md5", "ldap_salted_sha1", "ldap_sha1", "ldap_sha1_crypt", "ldap_sha256_crypt", "ldap_sha512_crypt", "lmhash", "md5_crypt", "msdcc", "msdcc2", "mssql2000", "mssql2005", "mysql323", "mysql41", "nthash", "oracle10", "oracle11", "pbkdf2_sha1", "pbkdf2_sha256", "pbkdf2_sha512", "phpass", "plaintext", "postgres_md5", "roundup_plaintext", "scram", "scrypt", "sha1_crypt", "sha256_crypt", "sha512_crypt", "sun_md5_crypt", "unix_disabled", "unix_fallback"}).map(str -> {
        return "passlib.hash." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionableDjangoHashers = (Set) Stream.of((Object[]) new String[]{"PBKDF2PasswordHasher", "PBKDF2SHA1PasswordHasher", "Argon2PasswordHasher", "BCryptSHA256PasswordHasher", "BasePasswordHasher", "BCryptPasswordHasher", "SHA1PasswordHasher", "MD5PasswordHasher", "UnsaltedSHA1PasswordHasher", "UnsaltedMD5PasswordHasher", "CryptPasswordHasher"}).map(str -> {
        return "django.contrib.auth.hashers." + str;
    }).collect(Collectors.toSet());
    private SubscriptionContext ctx;

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    public void initialize(SubscriptionCheck.Context context) {
        super.initialize(context);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, this::checkOverwriteDjangoHashers);
        context.registerSyntaxNodeConsumer(Tree.Kind.CLASSDEF, this::checkCreatingCustomHasher);
        context.registerSyntaxNodeConsumer(Tree.Kind.NAME, this::checkQuestionableHashingAlgorithm);
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected boolean isException(PyCallExpressionTree pyCallExpressionTree) {
        return isDjangoMakePasswordFunctionWithoutSaltAndHasher(pyCallExpressionTree);
    }

    private boolean isDjangoMakePasswordFunctionWithoutSaltAndHasher(PyCallExpressionTree pyCallExpressionTree) {
        return getQualifiedName(pyCallExpressionTree, this.ctx).equals("django.contrib.auth.hashers.make_password") && pyCallExpressionTree.arguments().size() == 1;
    }

    private void checkOverwriteDjangoHashers(SubscriptionContext subscriptionContext) {
        this.ctx = subscriptionContext;
        PyAssignmentStatementTree syntaxNode = subscriptionContext.syntaxNode();
        if (isOverwritingDjangoHashers(syntaxNode.lhsExpressions())) {
            subscriptionContext.addIssue(syntaxNode, MESSAGE);
        } else if (subscriptionContext.pythonFile().fileName().equals("global_settings.py") && syntaxNode.lhsExpressions().stream().flatMap(pyExpressionListTree -> {
            return pyExpressionListTree.expressions().stream();
        }).anyMatch(pyExpressionTree -> {
            return pyExpressionTree.firstToken().getValue().equals("PASSWORD_HASHERS");
        })) {
            subscriptionContext.addIssue(syntaxNode, MESSAGE);
        }
    }

    private boolean isOverwritingDjangoHashers(List<PyExpressionListTree> list) {
        Iterator<PyExpressionListTree> it = list.iterator();
        while (it.hasNext()) {
            Iterator it2 = it.next().expressions().iterator();
            while (it2.hasNext()) {
                PyQualifiedExpressionTree removeParenthesis = removeParenthesis((PyExpressionTree) it2.next());
                if (removeParenthesis.lastToken().getValue().equals("PASSWORD_HASHERS")) {
                    return removeParenthesis.is(Tree.Kind.QUALIFIED_EXPR) && getQualifiedName(removeParenthesis.qualifier(), this.ctx).equals("django.conf.settings");
                }
            }
        }
        return false;
    }

    private static PyExpressionTree removeParenthesis(PyExpressionTree pyExpressionTree) {
        PyExpressionTree pyExpressionTree2 = pyExpressionTree;
        while (true) {
            PyExpressionTree pyExpressionTree3 = pyExpressionTree2;
            if (!pyExpressionTree3.is(Tree.Kind.PARENTHESIZED)) {
                return pyExpressionTree3;
            }
            pyExpressionTree2 = ((PyParenthesizedExpressionTree) pyExpressionTree3).expression();
        }
    }

    private void checkQuestionableHashingAlgorithm(SubscriptionContext subscriptionContext) {
        this.ctx = subscriptionContext;
        PyNameTree syntaxNode = subscriptionContext.syntaxNode();
        if (isWithinImport(syntaxNode)) {
            return;
        }
        String qualifiedName = getQualifiedName(syntaxNode, subscriptionContext);
        if (qualifiedName.equals("cryptography.hazmat.primitives.hashes") && isHashesFunctionCall(syntaxNode)) {
            subscriptionContext.addIssue(syntaxNode.parent(), MESSAGE);
        } else if (questionableHashlibAlgorithm.contains(qualifiedName) || questionablePasslibAlgorithm.contains(qualifiedName)) {
            subscriptionContext.addIssue(syntaxNode, MESSAGE);
        }
    }

    private static boolean isHashesFunctionCall(PyNameTree pyNameTree) {
        Tree parent = pyNameTree.parent();
        while (true) {
            Tree tree = parent;
            if (tree == null) {
                return false;
            }
            if (tree.is(Tree.Kind.CALL_EXPR)) {
                PyCallExpressionTree pyCallExpressionTree = (PyCallExpressionTree) tree;
                if (pyCallExpressionTree.callee().is(Tree.Kind.QUALIFIED_EXPR)) {
                    return pyCallExpressionTree.callee().name().name().equals("Hash");
                }
                return false;
            }
            parent = tree.parent();
        }
    }

    private static String getQualifiedName(PyExpressionTree pyExpressionTree, SubscriptionContext subscriptionContext) {
        Symbol symbol = subscriptionContext.symbolTable().getSymbol(pyExpressionTree);
        return symbol != null ? symbol.qualifiedName() : "";
    }

    private void checkCreatingCustomHasher(SubscriptionContext subscriptionContext) {
        this.ctx = subscriptionContext;
        PyArgListTree args = subscriptionContext.syntaxNode().args();
        if (args != null) {
            args.arguments().stream().filter(pyArgumentTree -> {
                return questionableDjangoHashers.contains(getQualifiedName(pyArgumentTree.expression(), subscriptionContext));
            }).forEach(pyArgumentTree2 -> {
                subscriptionContext.addIssue(pyArgumentTree2, MESSAGE);
            });
        }
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected Set<String> functionsToCheck() {
        return questionableFunctions;
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected String message() {
        return MESSAGE;
    }
}
