package org.sonar.python.checks.hotspots;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.ClassSymbol;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.symbols.Usage;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.ClassDef;
import org.sonar.plugins.python.api.tree.Decorator;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.SubscriptionExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.Expressions;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S4502")
/* loaded from: input_file:org/sonar/python/checks/hotspots/CsrfDisabledCheck.class */
public class CsrfDisabledCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Make sure disabling CSRF protection is safe here.";
    private static final String CSRF_VIEW_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware";
    private static final Set<String> DANGEROUS_DECORATORS = new HashSet(Arrays.asList("django.views.decorators.csrf.csrf_exempt", "flask_wtf.csrf.CSRFProtect.exempt"));
    private static final List<Pattern> CSRF_INIT_APP_CALLEE_PATTERNS = Arrays.asList(Pattern.compile("(csrf|CSRF)"), Pattern.compile("init_app"));

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, CsrfDisabledCheck::djangoMiddlewareArrayCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.DECORATOR, CsrfDisabledCheck::decoratorCsrfExemptCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, CsrfDisabledCheck::functionCsrfExemptCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, CsrfDisabledCheck::flaskWtfCsrfEnabledFalseCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.CLASSDEF, CsrfDisabledCheck::metaCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, CsrfDisabledCheck::formInstantiationCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, CsrfDisabledCheck::improperlyConfiguredFlaskApp);
    }

    private static void djangoMiddlewareArrayCheck(SubscriptionContext subscriptionContext) {
        if ("settings.py".equals(subscriptionContext.pythonFile().fileName())) {
            AssignmentStatement syntaxNode = subscriptionContext.syntaxNode();
            if (isLhsCalled("MIDDLEWARE").test(syntaxNode) && isListAnyMatch(isStringSatisfying(str -> {
                return str.startsWith("django");
            })).test(syntaxNode.assignedValue())) {
                String str2 = CSRF_VIEW_MIDDLEWARE;
                if (isListAnyMatch(isStringSatisfying((v1) -> {
                    return r0.equals(v1);
                })).test(syntaxNode.assignedValue())) {
                    return;
                }
                subscriptionContext.addIssue(syntaxNode.lastToken(), MESSAGE);
            }
        }
    }

    private static Predicate<AssignmentStatement> isLhsCalled(String str) {
        return assignmentStatement -> {
            return assignmentStatement.lhsExpressions().stream().flatMap(expressionList -> {
                return expressionList.expressions().stream();
            }).anyMatch(expression -> {
                return expression.is(new Tree.Kind[]{Tree.Kind.NAME}) && str.equals(((Name) expression).name());
            });
        };
    }

    private static Predicate<Expression> isStringSatisfying(Predicate<String> predicate) {
        return expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL}) && predicate.test(((StringLiteral) expression).trimmedQuotesValue());
        };
    }

    private static Predicate<Expression> isListAnyMatch(Predicate<Expression> predicate) {
        return expression -> {
            return Optional.ofNullable(expression).filter(expression -> {
                return expression.is(new Tree.Kind[]{Tree.Kind.LIST_LITERAL});
            }).flatMap(expression2 -> {
                return ((ListLiteral) expression2).elements().expressions().stream().filter(predicate).findFirst();
            }).isPresent();
        };
    }

    private static void decoratorCsrfExemptCheck(SubscriptionContext subscriptionContext) {
        Decorator syntaxNode = subscriptionContext.syntaxNode();
        List list = (List) syntaxNode.name().names().stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList());
        if (list.stream().anyMatch(str -> {
            return str.toLowerCase(Locale.US).contains("csrf");
        }) && list.stream().anyMatch(str2 -> {
            return str2.toLowerCase(Locale.US).contains("exempt");
        })) {
            subscriptionContext.addIssue(syntaxNode.lastToken(), MESSAGE);
        }
    }

    private static void functionCsrfExemptCheck(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        Optional map = Optional.ofNullable(syntaxNode.calleeSymbol()).map((v0) -> {
            return v0.fullyQualifiedName();
        });
        Set<String> set = DANGEROUS_DECORATORS;
        Objects.requireNonNull(set);
        map.filter((v1) -> {
            return r1.contains(v1);
        }).ifPresent(str -> {
            subscriptionContext.addIssue(syntaxNode.callee().lastToken(), MESSAGE);
        });
    }

    private static void flaskWtfCsrfEnabledFalseCheck(SubscriptionContext subscriptionContext) {
        AssignmentStatement syntaxNode = subscriptionContext.syntaxNode();
        if (syntaxNode.lhsExpressions().stream().flatMap(expressionList -> {
            return expressionList.expressions().stream();
        }).filter(expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.SUBSCRIPTION});
        }).flatMap(expression2 -> {
            return ((SubscriptionExpression) expression2).subscripts().expressions().stream();
        }).anyMatch(isStringSatisfying(str -> {
            return "WTF_CSRF_ENABLED".equals(str) || "WTF_CSRF_CHECK_DEFAULT".equals(str);
        })) && Expressions.isFalsy(syntaxNode.assignedValue())) {
            subscriptionContext.addIssue(syntaxNode.assignedValue(), MESSAGE);
        }
    }

    private static void metaCheck(SubscriptionContext subscriptionContext) {
        ClassDef syntaxNode = subscriptionContext.syntaxNode();
        if ("Meta".equals(syntaxNode.name().name())) {
            Optional filter = Optional.ofNullable(TreeUtils.firstAncestorOfKind(syntaxNode, new Tree.Kind[]{Tree.Kind.CLASSDEF})).map(tree -> {
                return ((ClassDef) tree).name().symbol();
            }).filter(symbol -> {
                return symbol.is(new Symbol.Kind[]{Symbol.Kind.CLASS});
            });
            Class<ClassSymbol> cls = ClassSymbol.class;
            Objects.requireNonNull(ClassSymbol.class);
            if (filter.map((v1) -> {
                return r1.cast(v1);
            }).filter(classSymbol -> {
                return classSymbol.canBeOrExtend("flask_wtf.FlaskForm");
            }).isPresent()) {
                syntaxNode.body().statements().forEach(statement -> {
                    if (statement.is(new Tree.Kind[]{Tree.Kind.ASSIGNMENT_STMT})) {
                        AssignmentStatement assignmentStatement = (AssignmentStatement) statement;
                        if (isLhsCalled("csrf").test(assignmentStatement) && Expressions.isFalsy(assignmentStatement.assignedValue())) {
                            subscriptionContext.addIssue(assignmentStatement.assignedValue(), MESSAGE);
                        }
                    }
                });
            }
        }
    }

    private static void formInstantiationCheck(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        Optional filter = Optional.ofNullable(syntaxNode.calleeSymbol()).filter(symbol -> {
            return symbol.is(new Symbol.Kind[]{Symbol.Kind.CLASS});
        });
        Class<ClassSymbol> cls = ClassSymbol.class;
        Objects.requireNonNull(ClassSymbol.class);
        if (filter.map((v1) -> {
            return r1.cast(v1);
        }).filter(classSymbol -> {
            return classSymbol.canBeOrExtend("flask_wtf.FlaskForm");
        }).isPresent()) {
            syntaxNode.arguments().forEach(argument -> {
                if (argument instanceof RegularArgument) {
                    searchForProblemsInFormInitializationArguments((RegularArgument) argument).ifPresent(expression -> {
                        subscriptionContext.addIssue(expression, MESSAGE);
                    });
                }
            });
        }
    }

    private static Optional<Expression> searchForProblemsInFormInitializationArguments(RegularArgument regularArgument) {
        String str = (String) Optional.ofNullable(regularArgument.keywordArgument()).map((v0) -> {
            return v0.name();
        }).orElse(null);
        if ("csrf_enabled".equals(str) && Expressions.isFalsy(regularArgument.expression())) {
            return Optional.of(regularArgument.expression());
        }
        if (!"meta".equals(str)) {
            return Optional.empty();
        }
        Optional filter = Optional.ofNullable(regularArgument.expression()).filter(expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.DICTIONARY_LITERAL});
        });
        Class<DictionaryLiteral> cls = DictionaryLiteral.class;
        Objects.requireNonNull(DictionaryLiteral.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).flatMap(CsrfDisabledCheck::searchForBadCsrfSettingInDictionary);
    }

    private static Optional<Expression> searchForBadCsrfSettingInDictionary(DictionaryLiteral dictionaryLiteral) {
        Stream filter = dictionaryLiteral.elements().stream().filter(dictionaryLiteralElement -> {
            return dictionaryLiteralElement.is(new Tree.Kind[]{Tree.Kind.KEY_VALUE_PAIR});
        });
        Class<KeyValuePair> cls = KeyValuePair.class;
        Objects.requireNonNull(KeyValuePair.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).filter(keyValuePair -> {
            return Optional.ofNullable(keyValuePair.key()).filter(expression -> {
                return expression.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL}) && "csrf".equals(((StringLiteral) expression).trimmedQuotesValue());
            }).isPresent();
        }).findFirst().filter(keyValuePair2 -> {
            return Expressions.isFalsy(keyValuePair2.value());
        }).map((v0) -> {
            return v0.value();
        });
    }

    private static void improperlyConfiguredFlaskApp(SubscriptionContext subscriptionContext) {
        AssignmentStatement syntaxNode = subscriptionContext.syntaxNode();
        if (!isFlaskAppInstantiation(syntaxNode.assignedValue()) || syntaxNode.lhsExpressions().stream().flatMap(expressionList -> {
            return expressionList.expressions().stream();
        }).findFirst().filter(expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.NAME});
        }).flatMap(expression2 -> {
            return Optional.of((Name) expression2).map((v0) -> {
                return v0.symbol();
            }).map((v0) -> {
                return v0.usages();
            }).flatMap(list -> {
                return list.stream().filter(CsrfDisabledCheck::isWithinCsrfEnablingStatement).findFirst();
            });
        }).isPresent()) {
            return;
        }
        subscriptionContext.addIssue(syntaxNode.assignedValue(), MESSAGE);
    }

    private static boolean isFlaskAppInstantiation(Expression expression) {
        Symbol calleeSymbol;
        return expression.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR}) && (calleeSymbol = ((CallExpression) expression).calleeSymbol()) != null && "flask.Flask".equals(calleeSymbol.fullyQualifiedName());
    }

    private static Optional<ArrayList<String>> extractQualifiedNameComponents(Expression expression) {
        if (expression.is(new Tree.Kind[]{Tree.Kind.NAME})) {
            ArrayList arrayList = new ArrayList();
            arrayList.add(((Name) expression).name());
            return Optional.of(arrayList);
        }
        if (!expression.is(new Tree.Kind[]{Tree.Kind.QUALIFIED_EXPR})) {
            return Optional.empty();
        }
        QualifiedExpression qualifiedExpression = (QualifiedExpression) expression;
        return extractQualifiedNameComponents(qualifiedExpression.qualifier()).map(arrayList2 -> {
            arrayList2.add(qualifiedExpression.name().name());
            return arrayList2;
        });
    }

    private static boolean checkNestedQualifiedExpressions(List<Pattern> list, Expression expression) {
        return extractQualifiedNameComponents(expression).filter(arrayList -> {
            if (arrayList.size() != list.size()) {
                return false;
            }
            for (int i = 0; i < arrayList.size(); i++) {
                if (!((Pattern) list.get(i)).matcher((String) arrayList.get(i)).matches()) {
                    return false;
                }
            }
            return true;
        }).isPresent();
    }

    private static boolean isWithinCsrfEnablingStatement(Usage usage) {
        return isWithinCall(new HashSet(Arrays.asList("flask_wtf.csrf.CSRFProtect", "flask_wtf.csrf.CSRFProtect.init_app", "flask_wtf.CSRFProtect", "flask_wtf.CSRFProtect.init_app")), CSRF_INIT_APP_CALLEE_PATTERNS, usage.tree());
    }

    private static boolean isWithinCall(Set<String> set, List<Pattern> list, Tree tree) {
        CallExpression firstAncestorOfKind = TreeUtils.firstAncestorOfKind(tree, new Tree.Kind[]{Tree.Kind.CALL_EXPR});
        if (firstAncestorOfKind == null) {
            return false;
        }
        Symbol calleeSymbol = firstAncestorOfKind.calleeSymbol();
        if (calleeSymbol == null || !set.contains(calleeSymbol.fullyQualifiedName())) {
            return checkNestedQualifiedExpressions(list, firstAncestorOfKind.callee());
        }
        return true;
    }
}
