package org.sonar.python.checks.hotspots;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.ClassDef;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.ExpressionList;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringElement;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.Expressions;
import org.sonar.python.checks.cdk.ClearTextProtocolsCheckPart;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S5332")
/* loaded from: input_file:org/sonar/python/checks/hotspots/ClearTextProtocolsCheck.class */
public class ClearTextProtocolsCheck extends PythonSubscriptionCheck {
    private static final String SENSITIVE_HTTP_SERVER_START_FQN = "socketserver.BaseServer.serve_forever";
    private static final String SENSITIVE_HTTP_SERVER_BIND_FQN = "socketserver.BaseServer.server_bind";
    private static final List<String> SENSITIVE_PROTOCOLS = Arrays.asList("http://", "ftp://", "telnet://");
    private static final Pattern LOOPBACK = Pattern.compile("localhost|127(?:\\.[0-9]+){0,2}\\.[0-9]+$|^(?:0*\\:)*?:?0*1", 2);
    private static final Map<String, String> ALTERNATIVES = Map.of("http", "https", "ftp", "sftp, scp or ftps", "telnet", "ssh");
    private static final Set<String> SENSITIVE_HTTP_SERVER_METHOD_NAMES = Set.of("serve_forever", "server_bind");
    private static final Set<String> SENSITIVE_HTTP_SERVER_CLASSES = Set.of("http.server.HTTPServer", "http.server.ThreadingHTTPServer");

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.STRING_ELEMENT, subscriptionContext -> {
            StringElement syntaxNode = subscriptionContext.syntaxNode();
            unsafeProtocol(Expressions.unescape(syntaxNode)).map(str -> {
                return str.substring(0, str.length() - 3);
            }).ifPresent(str2 -> {
                subscriptionContext.addIssue(syntaxNode, message(str2));
            });
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext2 -> {
            CallExpression syntaxNode = subscriptionContext2.syntaxNode();
            Optional.ofNullable(syntaxNode.calleeSymbol()).map((v0) -> {
                return v0.fullyQualifiedName();
            }).flatMap(ClearTextProtocolsCheck::isUnsafeLib).ifPresent(str -> {
                subscriptionContext2.addIssue(syntaxNode, message(str));
            });
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, subscriptionContext3 -> {
            handleAssignmentStatement(subscriptionContext3.syntaxNode(), subscriptionContext3);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.QUALIFIED_EXPR, ClearTextProtocolsCheck::checkServerCallFromSuper);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ClearTextProtocolsCheck::checkServerBindCalls);
        new ClearTextProtocolsCheckPart().initialize(context);
    }

    private static void checkServerCallFromSuper(SubscriptionContext subscriptionContext) {
        Optional.of(subscriptionContext.syntaxNode()).filter(qualifiedExpression -> {
            return SENSITIVE_HTTP_SERVER_METHOD_NAMES.contains(qualifiedExpression.name().name());
        }).filter(ClearTextProtocolsCheck::isCallToSensitiveSuperClass).map(qualifiedExpression2 -> {
            return TreeUtils.firstAncestorOfKind(qualifiedExpression2, new Tree.Kind[]{Tree.Kind.CALL_EXPR});
        }).flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class)).ifPresent(callExpression -> {
            subscriptionContext.addIssue(callExpression, message("http"));
        });
    }

    private static void checkServerBindCalls(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        Optional.ofNullable(syntaxNode.calleeSymbol()).map((v0) -> {
            return v0.fullyQualifiedName();
        }).filter(str -> {
            return SENSITIVE_HTTP_SERVER_BIND_FQN.equals(str) && isParentClassExtendingSensitiveClass(syntaxNode);
        }).ifPresent(str2 -> {
            subscriptionContext.addIssue(syntaxNode, message("http"));
        });
    }

    private static boolean isCallToSensitiveSuperClass(QualifiedExpression qualifiedExpression) {
        String str = "super";
        return Optional.of(qualifiedExpression.qualifier()).flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class)).map((v0) -> {
            return v0.callee();
        }).flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class)).map((v0) -> {
            return v0.name();
        }).filter((v1) -> {
            return r1.equals(v1);
        }).filter(str2 -> {
            return isParentClassExtendingSensitiveClass(qualifiedExpression);
        }).isPresent();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isParentClassExtendingSensitiveClass(Tree tree) {
        Optional ofNullable = Optional.ofNullable(TreeUtils.firstAncestorOfKind(tree, new Tree.Kind[]{Tree.Kind.CLASSDEF}));
        Class<ClassDef> cls = ClassDef.class;
        Objects.requireNonNull(ClassDef.class);
        return ((Boolean) ofNullable.map((v1) -> {
            return r1.cast(v1);
        }).map((v0) -> {
            return v0.args();
        }).map((v0) -> {
            return v0.arguments();
        }).map(ClearTextProtocolsCheck::getClassFQNFromArgument).map(stream -> {
            Set<String> set = SENSITIVE_HTTP_SERVER_CLASSES;
            Objects.requireNonNull(set);
            return Boolean.valueOf(stream.anyMatch((v1) -> {
                return r1.contains(v1);
            }));
        }).orElse(false)).booleanValue();
    }

    public static Stream<String> getClassFQNFromArgument(List<Argument> list) {
        return list.stream().map(TreeUtils.toInstanceOfMapper(RegularArgument.class)).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map((v0) -> {
            return v0.expression();
        }).map(TreeUtils.toInstanceOfMapper(Name.class)).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map((v0) -> {
            return v0.symbol();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map((v0) -> {
            return v0.fullyQualifiedName();
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void handleAssignmentStatement(AssignmentStatement assignmentStatement, SubscriptionContext subscriptionContext) {
        Symbol symbol;
        if (assignmentStatement.lhsExpressions().size() > 1) {
            return;
        }
        HasSymbol hasSymbol = (Expression) ((ExpressionList) assignmentStatement.lhsExpressions().get(0)).expressions().get(0);
        if (!(hasSymbol instanceof HasSymbol) || (symbol = hasSymbol.symbol()) == null || !hasSymbol.type().canOnlyBe("smtplib.SMTP") || symbol.usages().stream().anyMatch(usage -> {
            Symbol calleeSymbol;
            CallExpression firstAncestorOfKind = TreeUtils.firstAncestorOfKind(usage.tree(), new Tree.Kind[]{Tree.Kind.CALL_EXPR});
            return (firstAncestorOfKind == null || (calleeSymbol = firstAncestorOfKind.calleeSymbol()) == null || !"smtplib.SMTP.starttls".equals(calleeSymbol.fullyQualifiedName())) ? false : true;
        })) {
            return;
        }
        subscriptionContext.addIssue(assignmentStatement.assignedValue(), "Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS.");
    }

    private static Optional<String> unsafeProtocol(String str) {
        for (String str2 : SENSITIVE_PROTOCOLS) {
            if (str.startsWith(str2)) {
                try {
                    URI uri = new URI(str);
                    String host = uri.getHost();
                    if (host == null) {
                        host = uri.getAuthority();
                    }
                    if (host == null || LOOPBACK.matcher(host).matches()) {
                        return Optional.empty();
                    }
                } catch (URISyntaxException e) {
                    if (LOOPBACK.matcher(str.substring(str2.length())).find()) {
                        return Optional.empty();
                    }
                }
                return Optional.of(str2);
            }
        }
        return Optional.empty();
    }

    private static Optional<String> isUnsafeLib(String str) {
        return "telnetlib.Telnet".equals(str) ? Optional.of("telnet") : "ftplib.FTP".equals(str) ? Optional.of("ftp") : SENSITIVE_HTTP_SERVER_START_FQN.equals(str) ? Optional.of("http") : Optional.empty();
    }

    private static String message(String str) {
        return "Using " + str + " protocol is insecure. Use " + ALTERNATIVES.get(str) + " instead";
    }
}
