package org.sonar.python.checks;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.symbols.Usage;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.BinaryExpression;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.NumericLiteral;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Token;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.tree.UnpackingExpression;
import org.sonar.python.tree.RegularArgumentImpl;
import org.sonar.python.tree.TreeUtils;

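/**
 * Rule S4830: reports Python code that switches off server certificate validation on an
 * SSL/TLS connection.
 *
 * <p>Five syntax-node consumers are registered in {@link #initialize}:
 * <ul>
 *   <li>{@code with aiohttp.ClientSession() as s:} followed by a call on {@code s} that passes a
 *       falsy {@code verify_ssl} / {@code ssl} argument;</li>
 *   <li>{@code OpenSSL.SSL.Context.set_verify(...)} whose first argument contains
 *       {@code OpenSSL.SSL.VERIFY_NONE};</li>
 *   <li>the {@code requests} / {@code httpx} callables listed in
 *       {@code CALLS_WHERE_TO_ENFORCE_TRUE_ARGUMENT} with a falsy {@code verify} argument;</li>
 *   <li>an {@code ssl} context factory call used directly as a call argument;</li>
 *   <li>an {@code ssl} context factory call assigned to a name, taking later
 *       {@code verify_mode} assignments on that name into account.</li>
 * </ul>
 *
 * <p>All matching is syntactic and name based. A value that reaches these sinks through a
 * variable, a bare imported name, or a callable that is not listed below is not reported, so a
 * clean result from this rule is not proof that validation is enabled.
 *
 * <p>NOTE(review): this listing is decompiler output. The unresolved {@code r1} captures, raw
 * types and mismatched declarations the decompiler left behind have been restored to method
 * references and explicit casts.
 */
@Rule(key = "S4830")
/* loaded from: input_file:org/sonar/python/checks/VerifiedSslTlsCertificateCheck.class */
public class VerifiedSslTlsCertificateCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Enable server certificate validation on this SSL/TLS connection.";
    private static final String VERIFY_NONE = Fqn.ssl("VERIFY_NONE");
    private static final String SET_VERIFY = Fqn.context("set_verify");

    /** Keyword checked on the requests / httpx callables. */
    public static final Set<String> VERIFY_ARG_NAME = Set.of("verify");

    /** Keywords checked on calls made through an aiohttp client session. */
    public static final Set<String> VERIFY_SSL_ARG_NAMES = Set.of("verify_ssl", "ssl");

    // Only callables whose fully qualified name appears here are inspected for a falsy `verify`.
    private static final Set<String> CALLS_WHERE_TO_ENFORCE_TRUE_ARGUMENT = Set.of(
        "requests.api.request", "requests.api.get", "requests.api.head", "requests.api.post",
        "requests.api.put", "requests.api.delete", "requests.api.patch", "requests.api.options",
        "httpx.request", "httpx.stream", "httpx.get", "httpx.options", "httpx.head", "httpx.post",
        "httpx.put", "httpx.patch", "httpx.delete", "httpx.Client", "httpx.AsyncClient");

    // Constructors that yield an empty (hence falsy) collection when called without arguments.
    private static final Set<String> NO_ARG_FALSY_COLLECTION_CONSTRUCTORS =
        new HashSet<>(Arrays.asList("set", "list", "dict"));

    // Context factory -> whether the context it returns is treated as unverified by default.
    // Factories mapped to false are only reported after `verify_mode = ssl.CERT_NONE`.
    private static final Map<String, Boolean> VULNERABLE_CONTEXT_FACTORIES = Map.of(
        "ssl._create_unverified_context", true,
        "ssl._create_stdlib_context", true,
        "ssl.create_default_context", false,
        "ssl._create_default_https_context", false);

    /** Builds fully qualified names under {@code OpenSSL.SSL}. */
    /* loaded from: input_file:org/sonar/python/checks/VerifiedSslTlsCertificateCheck$Fqn.class */
    private static class Fqn {
        private Fqn() {
        }

        private static String context(String str) {
            return ssl("Context." + str);
        }

        private static String ssl(String str) {
            return "OpenSSL.SSL." + str;
        }
    }

    /**
     * A message together with the token it should be reported on.
     *
     * <p>NOTE(review): within this class only {@link #token} is read; the issue is always raised
     * with the rule-level message.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/VerifiedSslTlsCertificateCheck$IssueReport.class */
    public static class IssueReport {
        final String message;
        final Token token;

        private IssueReport(String str, Token token) {
            this.message = str;
            this.token = token;
        }
    }

    /**
     * Mutable verdict for one SSL context: whether it is currently considered unverified and
     * which token an issue should point at.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/python/checks/VerifiedSslTlsCertificateCheck$VulnerabilityAndProblematicToken.class */
    public static class VulnerabilityAndProblematicToken {
        // True while the verdict still comes from the factory default rather than explicit code.
        boolean isInvisibleDefaultPreset;
        boolean isVulnerable;
        Token token;

        VulnerabilityAndProblematicToken(boolean z, Token token, boolean z2) {
            this.isVulnerable = z;
            this.token = token;
            this.isInvisibleDefaultPreset = z2;
        }

        /** Replaces this verdict with a later, explicit one (a {@code verify_mode} assignment). */
        void overrideBy(VulnerabilityAndProblematicToken vulnerabilityAndProblematicToken) {
            this.isInvisibleDefaultPreset = false;
            this.isVulnerable = vulnerabilityAndProblematicToken.isVulnerable;
            this.token = vulnerabilityAndProblematicToken.token;
        }
    }

    /** Registers one consumer per detection described in the class comment. */
    @Override
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.WITH_STMT, VerifiedSslTlsCertificateCheck::verifyAioHttpWithSession);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, VerifiedSslTlsCertificateCheck::sslSetVerifyCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, VerifiedSslTlsCertificateCheck::requestsCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.REGULAR_ARGUMENT, VerifiedSslTlsCertificateCheck::standardSslCheckForRegularArgument);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, VerifiedSslTlsCertificateCheck::standardSslCheckForAssignmentStatement);
    }

    /**
     * For each {@code with aiohttp.ClientSession(...) as name} item, follows the bound name and
     * checks the calls it takes part in.
     */
    private static void verifyAioHttpWithSession(SubscriptionContext subscriptionContext) {
        // Fully qualified because the decompiled import list does not carry WithStatement.
        org.sonar.plugins.python.api.tree.WithStatement withStatement =
            (org.sonar.plugins.python.api.tree.WithStatement) subscriptionContext.syntaxNode();
        withStatement.withItems().stream()
            .filter(item -> Optional.of(item)
                .map(candidate -> candidate.test())
                .flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class))
                .map(CallExpression::calleeSymbol)
                .map(Symbol::fullyQualifiedName)
                .filter("aiohttp.ClientSession"::equals)
                .isPresent())
            .map(item -> item.expression())
            // Only a plain `as name` target is followed.
            .map(TreeUtils.toOptionalInstanceOfMapper(Name.class))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .map(Name::symbol)
            .filter(Objects::nonNull)
            .forEach(symbol -> verifyAioHttpSessionSymbolUsages(subscriptionContext, symbol));
    }

    /**
     * Checks every non-binding usage of the session symbol: the nearest enclosing call expression
     * is inspected for a falsy {@code verify_ssl} / {@code ssl} argument. The callee of that
     * call is not examined.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void verifyAioHttpSessionSymbolUsages(SubscriptionContext subscriptionContext, Symbol symbol) {
        symbol.usages().stream()
            .filter(usage -> usage.kind() == Usage.Kind.OTHER)
            .map(Usage::tree)
            .map(tree -> TreeUtils.firstAncestorOfKind(tree, Tree.Kind.CALL_EXPR))
            .map(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .forEach(call -> verifyVulnerableMethods(subscriptionContext, call, VERIFY_SSL_ARG_NAMES));
    }

    /**
     * Reports {@code OpenSSL.SSL.Context.set_verify(...)} when its first argument contains
     * {@code OpenSSL.SSL.VERIFY_NONE}. Only the argument at index 0 is examined.
     */
    private static void sslSetVerifyCheck(SubscriptionContext subscriptionContext) {
        CallExpression call = (CallExpression) subscriptionContext.syntaxNode();
        boolean isSetVerify = Optional.ofNullable(call.calleeSymbol())
            .map(Symbol::fullyQualifiedName)
            .filter(SET_VERIFY::equals)
            .isPresent();
        if (!isSetVerify) {
            return;
        }
        List<Argument> arguments = call.arguments();
        if (arguments.isEmpty()) {
            return;
        }
        Argument first = arguments.get(0);
        if (first.is(Tree.Kind.REGULAR_ARGUMENT)) {
            // The issue carries the rule-level MESSAGE; the report's own message is not used.
            checkFlagSettings(extractFlags(((RegularArgument) first).expression()))
                .ifPresent(report -> subscriptionContext.addIssue(report.token, MESSAGE));
        }
    }

    /**
     * Collects the qualified expressions of a flag expression such as {@code SSL.A | SSL.B}.
     * Operands of any other shape (a bare name, a variable, a call) contribute nothing, so a
     * flag supplied that way is not seen by the caller.
     */
    private static HashSet<QualifiedExpression> extractFlags(Tree tree) {
        HashSet<QualifiedExpression> flags = new HashSet<>();
        if (tree.is(Tree.Kind.QUALIFIED_EXPR)) {
            flags.add((QualifiedExpression) tree);
        } else if (tree.is(Tree.Kind.BITWISE_OR)) {
            BinaryExpression or = (BinaryExpression) tree;
            flags.addAll(extractFlags(or.leftOperand()));
            flags.addAll(extractFlags(or.rightOperand()));
        }
        return flags;
    }

    /**
     * Returns a report for a flag that resolves to {@code OpenSSL.SSL.VERIFY_NONE}, if any.
     * Flags without a resolved symbol are skipped.
     */
    private static Optional<IssueReport> checkFlagSettings(Set<QualifiedExpression> set) {
        for (QualifiedExpression flag : set) {
            Symbol symbol = flag.symbol();
            if (symbol != null && VERIFY_NONE.equals(symbol.fullyQualifiedName())) {
                return Optional.of(new IssueReport("Omitting the check of the peer certificate is dangerous.", flag.lastToken()));
            }
        }
        return Optional.empty();
    }

    /** Checks the listed requests / httpx callables for a falsy {@code verify} argument. */
    private static void requestsCheck(SubscriptionContext subscriptionContext) {
        CallExpression call = (CallExpression) subscriptionContext.syntaxNode();
        boolean isListedCall = Optional.ofNullable(call.calleeSymbol())
            .map(Symbol::fullyQualifiedName)
            .filter(CALLS_WHERE_TO_ENFORCE_TRUE_ARGUMENT::contains)
            .isPresent();
        if (isListedCall) {
            verifyVulnerableMethods(subscriptionContext, call, VERIFY_ARG_NAME);
        }
    }

    /**
     * Raises an issue when one of the named keyword arguments of the call is falsy.
     *
     * <p>Explicit keyword arguments are looked at first; the {@code **kwargs} dictionary is only
     * consulted when no such keyword is present. A call that omits the argument altogether is
     * not reported.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void verifyVulnerableMethods(SubscriptionContext subscriptionContext, CallExpression callExpression, Set<String> set) {
        searchVerifyAssignment(callExpression, set)
            .or(() -> searchVerifyInKwargs(callExpression, set))
            .ifPresent(candidates -> candidates.stream()
                .filter(value -> Expressions.isFalsy(value) || isFalsyCollection(value))
                .findFirst()
                .ifPresent(falsy -> addIssue(subscriptionContext, candidates, falsy)));
    }

    /**
     * Reports the falsy expression as the primary location and every other expression of the
     * list as a secondary location.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void addIssue(SubscriptionContext subscriptionContext, List<Expression> list, Expression expression) {
        PythonCheck.PreciseIssue issue = subscriptionContext.addIssue(expression, MESSAGE);
        list.stream()
            .filter(other -> other != expression)
            .forEach(other -> issue.secondary(other, "Dictionary is passed here as **kwargs."));
    }

    /**
     * Returns the values of all keyword arguments whose keyword is in {@code set}, or an empty
     * Optional when the call has none.
     */
    private static Optional<List<Expression>> searchVerifyAssignment(CallExpression callExpression, Set<String> set) {
        List<Expression> values = callExpression.arguments().stream()
            .filter(RegularArgument.class::isInstance)
            .map(RegularArgument.class::cast)
            .filter(argument -> Optional.of(argument)
                .map(RegularArgument::keywordArgument)
                .map(Name::name)
                .filter(set::contains)
                .isPresent())
            .map(RegularArgument::expression)
            .collect(Collectors.toList());
        return Optional.of(values).filter(Predicate.not(List::isEmpty));
    }

    /**
     * Looks for the setting inside a dictionary that is unpacked into the call.
     *
     * <p>Only the first unpacked plain name is followed, and only when its single assigned value
     * is a dictionary literal. The result pairs the dictionary value with the unpacked name so
     * that the name can be shown as a secondary location.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<List<Expression>> searchVerifyInKwargs(CallExpression callExpression, Set<String> set) {
        return callExpression.arguments().stream()
            .filter(UnpackingExpression.class::isInstance)
            .map(argument -> ((UnpackingExpression) argument).expression())
            .filter(Name.class::isInstance)
            .findFirst()
            .flatMap(unpacked -> Optional.ofNullable(Expressions.singleAssignedValue((Name) unpacked))
                .filter(DictionaryLiteral.class::isInstance)
                .flatMap(dictionary -> searchDangerousVerifySettingInDictionary((DictionaryLiteral) dictionary, set)
                    // NOTE(review): the decompiler reused one name for all three lambda
                    // parameters here; (value, unpacked name) is reconstructed from the way
                    // addIssue consumes the list. Confirm against the upstream source.
                    .map(value -> Arrays.asList(value, unpacked))));
    }

    /**
     * Returns the value of the first dictionary entry whose string-literal key is in
     * {@code set}. The value is returned whether or not it is falsy; the caller decides.
     * Entries with non-literal keys are ignored.
     */
    private static Optional<Expression> searchDangerousVerifySettingInDictionary(DictionaryLiteral dictionaryLiteral, Set<String> set) {
        return dictionaryLiteral.elements().stream()
            .filter(KeyValuePair.class::isInstance)
            .map(KeyValuePair.class::cast)
            .filter(pair -> Optional.of(pair.key())
                .filter(StringLiteral.class::isInstance)
                .map(StringLiteral.class::cast)
                .map(StringLiteral::trimmedQuotesValue)
                .filter(set::contains)
                .isPresent())
            .findFirst()
            .map(KeyValuePair::value);
    }

    /** True for {@code set()}, {@code list()}, {@code dict()} and {@code range(0)}. */
    private static boolean isFalsyCollection(Expression expression) {
        if (!(expression instanceof CallExpression)) {
            return false;
        }
        CallExpression call = (CallExpression) expression;
        Optional<String> calleeName = Optional.ofNullable(call.calleeSymbol()).map(Symbol::fullyQualifiedName);
        if (!calleeName.isPresent()) {
            return false;
        }
        String name = calleeName.get();
        return isFalsyNoArgCollectionConstruction(call, name) || isFalsyRange(call, name);
    }

    private static boolean isFalsyNoArgCollectionConstruction(CallExpression callExpression, String str) {
        return NO_ARG_FALSY_COLLECTION_CONSTRUCTORS.contains(str) && callExpression.arguments().isEmpty();
    }

    /** True for {@code range(<numeric literal equal to 0>)} with exactly one argument. */
    private static boolean isFalsyRange(CallExpression callExpression, String str) {
        if (!"range".equals(str) || callExpression.arguments().size() != 1) {
            return false;
        }
        Argument only = callExpression.arguments().get(0);
        if (!(only instanceof RegularArgument)) {
            return false;
        }
        Expression value = ((RegularArgument) only).expression();
        return value.is(Tree.Kind.NUMERIC_LITERAL) && ((NumericLiteral) value).valueAsLong() == 0;
    }

    /**
     * Handles {@code name = <ssl context factory>(...)}.
     *
     * <p>The verdict starts from the factory default and is then replaced, in line order, by
     * each {@code name.verify_mode = ...} assignment found between this statement and the next
     * rebinding of {@code name}. The ordering is by source line only; control flow is not
     * modelled. Only the first left-hand-side expression is considered, and only if it is a
     * plain name with a resolved symbol.
     */
    private static void standardSslCheckForAssignmentStatement(SubscriptionContext subscriptionContext) {
        AssignmentStatement assignment = (AssignmentStatement) subscriptionContext.syntaxNode();
        isVulnerableMethodCall(assignment.assignedValue()).ifPresent(finding ->
            assignment.lhsExpressions().stream()
                .flatMap(lhs -> lhs.expressions().stream())
                .findFirst()
                .filter(Name.class::isInstance)
                .map(target -> ((Name) target).symbol())
                .ifPresent(symbol -> {
                    for (Usage usage : selectRelevantModifyingUsages(symbol.usages(), finding.token.line())) {
                        searchForVerifyModeOverride(usage).ifPresent(finding::overrideBy);
                    }
                    if (finding.isVulnerable) {
                        subscriptionContext.addIssue(finding.token, MESSAGE);
                    }
                }));
    }

    /**
     * Handles an ssl context factory call passed directly as a call argument.
     *
     * <p>Only factories marked as unverified by default are reported. A context created inline
     * has no name on which {@code verify_mode} could be changed afterwards, so a factory that
     * verifies by default is not a finding here; this matches the assignment path, which also
     * reports only when {@code isVulnerable} is set.
     */
    private static void standardSslCheckForRegularArgument(SubscriptionContext subscriptionContext) {
        RegularArgument argument = (RegularArgument) subscriptionContext.syntaxNode();
        isVulnerableMethodCall(argument.expression())
            .filter(finding -> finding.isVulnerable)
            .ifPresent(finding -> subscriptionContext.addIssue(finding.token, MESSAGE));
    }

    /**
     * Returns the smallest line, greater than {@code i}, on which the symbol is bound again, or
     * {@link Integer#MAX_VALUE} when there is no later binding.
     */
    private static int findNextAssignmentLine(List<Usage> list, int i) {
        int nextLine = Integer.MAX_VALUE;
        for (Usage usage : list) {
            if (!usage.isBindingUsage()) {
                continue;
            }
            int line = usage.tree().firstToken().line();
            if (line > i && line <= nextLine) {
                nextLine = line;
            }
        }
        return nextLine;
    }

    /**
     * Returns the non-binding usages located strictly between line {@code i} and the next
     * rebinding of the symbol, sorted by line.
     */
    private static List<Usage> selectRelevantModifyingUsages(List<Usage> list, int i) {
        int nextAssignmentLine = findNextAssignmentLine(list, i);
        List<Usage> relevant = list.stream()
            .filter(usage -> {
                int line = usage.tree().firstToken().line();
                return !usage.isBindingUsage() && line > i && line < nextAssignmentLine;
            })
            .collect(Collectors.toCollection(ArrayList::new));
        relevant.sort(Comparator.comparingInt(usage -> usage.tree().firstToken().line()));
        return relevant;
    }

    /**
     * Returns a verdict when the expression is a call to one of the known ssl context factories.
     * The verdict carries the factory's default and points at the last token of the callee.
     */
    private static Optional<VulnerabilityAndProblematicToken> isVulnerableMethodCall(Expression expression) {
        if (!(expression instanceof CallExpression)) {
            return Optional.empty();
        }
        CallExpression call = (CallExpression) expression;
        Symbol callee = call.calleeSymbol();
        if (callee == null) {
            return Optional.empty();
        }
        String fullyQualifiedName = callee.fullyQualifiedName();
        if (fullyQualifiedName == null) {
            return Optional.empty();
        }
        Boolean vulnerableByDefault = VULNERABLE_CONTEXT_FACTORIES.get(fullyQualifiedName);
        if (vulnerableByDefault == null) {
            return Optional.empty();
        }
        return Optional.of(new VulnerabilityAndProblematicToken(vulnerableByDefault, call.callee().lastToken(), true));
    }

    /**
     * Recognises {@code <name>.verify_mode = <qualified expression>} around a usage of the
     * context name.
     *
     * <p>The verdict is vulnerable only when the assigned expression resolves to
     * {@code ssl.CERT_NONE}; every other resolved value, {@code ssl.CERT_OPTIONAL} included,
     * clears it. An assigned value that is not a qualified expression, or whose symbol is
     * unresolved, yields no override. No attribute other than {@code verify_mode} is examined.
     */
    private static Optional<VulnerabilityAndProblematicToken> searchForVerifyModeOverride(Usage usage) {
        if (usage.isBindingUsage()) {
            return Optional.empty();
        }
        return Optional.of(usage)
            .map(Usage::tree)
            .map(Tree::parent)
            .filter(QualifiedExpression.class::isInstance)
            .map(QualifiedExpression.class::cast)
            .filter(attribute -> "verify_mode".equals(attribute.name().name()))
            // Two levels up from the attribute access is expected to be the assignment.
            .map(Tree::parent)
            .map(Tree::parent)
            .filter(AssignmentStatement.class::isInstance)
            .map(statement -> ((AssignmentStatement) statement).assignedValue())
            .filter(QualifiedExpression.class::isInstance)
            .flatMap(assigned -> Optional.ofNullable(((QualifiedExpression) assigned).symbol())
                .map(symbol -> new VulnerabilityAndProblematicToken(
                    "ssl.CERT_NONE".equals(symbol.fullyQualifiedName()), assigned.lastToken(), false)));
    }
}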
