package org.sonar.python.checks;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.StringLiteralImpl;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S5547")
/* loaded from: input_file:org/sonar/python/checks/RobustCipherAlgorithmCheck.class */
public class RobustCipherAlgorithmCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Use a strong cipher algorithm.";
    private static final HashSet<String> sensitiveCalleeFqns = new HashSet<>();
    private static final Set<String> INSECURE_CIPHERS = Set.of("NULL", "RC2", "RC4", "DES", "3DES", "MD5", "SHA");
    public static final String SSL_SET_CIPHERS_FQN = "ssl.SSLContext.set_ciphers";

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext -> {
            CallExpression syntaxNode = subscriptionContext.syntaxNode();
            Optional.ofNullable(syntaxNode).map((v0) -> {
                return v0.calleeSymbol();
            }).map((v0) -> {
                return v0.fullyQualifiedName();
            }).filter(str -> {
                return sensitiveCalleeFqns.contains(str) || (SSL_SET_CIPHERS_FQN.equals(str) && hasArgumentWithSensitiveAlgorithm(syntaxNode));
            }).ifPresent(str2 -> {
                subscriptionContext.addIssue(syntaxNode.callee(), MESSAGE);
            });
        });
    }

    private static boolean hasArgumentWithSensitiveAlgorithm(CallExpression callExpression) {
        return Optional.of(callExpression.arguments()).filter(list -> {
            return list.size() == 1;
        }).map(list2 -> {
            return (Argument) list2.get(0);
        }).flatMap(TreeUtils.toOptionalInstanceOfMapper(RegularArgument.class)).map((v0) -> {
            return v0.expression();
        }).map(RobustCipherAlgorithmCheck::unpackArgument).filter(RobustCipherAlgorithmCheck::containsInsecureCipher).isPresent();
    }

    @CheckForNull
    private static String unpackArgument(@Nullable Expression expression) {
        if (expression == null) {
            return null;
        }
        if (expression.is(new Tree.Kind[]{Tree.Kind.STRING_LITERAL})) {
            return ((StringLiteralImpl) expression).trimmedQuotesValue();
        }
        if (expression.is(new Tree.Kind[]{Tree.Kind.NAME})) {
            return unpackArgument(Expressions.singleAssignedValue((Name) expression));
        }
        return null;
    }

    private static boolean containsInsecureCipher(String str) {
        Stream flatMap = Stream.of(str).flatMap(str2 -> {
            return Arrays.stream(str2.split(":"));
        }).flatMap(str3 -> {
            return Arrays.stream(str3.split("-"));
        });
        Set<String> set = INSECURE_CIPHERS;
        Objects.requireNonNull(set);
        return flatMap.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }

    static {
        for (String str : Arrays.asList("Cryptodome", "Crypto")) {
            Iterator it = Arrays.asList("DES", "DES3", "ARC2", "ARC4", "Blowfish").iterator();
            while (it.hasNext()) {
                sensitiveCalleeFqns.add(String.format("%s.Cipher.%s.new", str, (String) it.next()));
            }
        }
        Iterator it2 = Arrays.asList("TripleDES", "Blowfish", "ARC4", "IDEA").iterator();
        while (it2.hasNext()) {
            sensitiveCalleeFqns.add(String.format("cryptography.hazmat.primitives.ciphers.algorithms.%s", (String) it2.next()));
        }
        sensitiveCalleeFqns.add("pyDes.des");
        sensitiveCalleeFqns.add("pyDes.triple_des");
    }
}
