package org.sonar.python.checks;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.types.InferredType;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S5542")
/* loaded from: input_file:org/sonar/python/checks/SecureModeEncryptionAlgorithmsCheck.class */
public class SecureModeEncryptionAlgorithmsCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Use secure mode and padding scheme.";
    private static final Set<String> PYCA_RSA_KEY_METHODS = new HashSet(Arrays.asList("cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.decrypt", "cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.encrypt"));
    private static final Set<String> PYCA_VULNERABLE_MODES = new HashSet(Arrays.asList("cryptography.hazmat.primitives.ciphers.modes.CBC", "cryptography.hazmat.primitives.ciphers.modes.ECB"));
    private static final Map<String, List<String>> PYCRYPTO_VULNERABLE_MODES_BY_API = new HashMap();
    private static final Map<String, List<String>> CRYPTODOMEX_VULNERABLE_MODES_BY_API;

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext -> {
            CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
            Symbol calleeSymbol = callExpression.calleeSymbol();
            if (calleeSymbol == null) {
                return;
            }
            checkPycaLibrary(subscriptionContext, callExpression, calleeSymbol);
            checkPycryptoAndCryptodomeLibraries(subscriptionContext, callExpression, calleeSymbol);
            checkPydesLibrary(subscriptionContext, callExpression, calleeSymbol);
        });
    }

    private static void checkPydesLibrary(SubscriptionContext subscriptionContext, CallExpression callExpression, Symbol symbol) {
        if ("pyDes.des".equals(symbol.fullyQualifiedName())) {
            subscriptionContext.addIssue(callExpression.callee(), MESSAGE);
        }
    }

    private static void checkPycryptoAndCryptodomeLibraries(SubscriptionContext subscriptionContext, CallExpression callExpression, Symbol symbol) {
        RegularArgument nthArgumentOrKeyword;
        if ("Crypto.Cipher.PKCS1_v1_5.new".equals(symbol.fullyQualifiedName()) || "Cryptodome.Cipher.PKCS1_v1_5.new".equals(symbol.fullyQualifiedName())) {
            subscriptionContext.addIssue(callExpression.callee(), MESSAGE);
            return;
        }
        List<String> orDefault = PYCRYPTO_VULNERABLE_MODES_BY_API.getOrDefault(symbol.fullyQualifiedName(), CRYPTODOMEX_VULNERABLE_MODES_BY_API.get(symbol.fullyQualifiedName()));
        if (orDefault == null || (nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(1, "mode", callExpression.arguments())) == null) {
            return;
        }
        TreeUtils.getSymbolFromTree(nthArgumentOrKeyword.expression()).filter(symbol2 -> {
            return orDefault.contains(symbol2.fullyQualifiedName());
        }).ifPresent(symbol3 -> {
            subscriptionContext.addIssue(nthArgumentOrKeyword, MESSAGE);
        });
    }

    protected void checkPycaLibrary(SubscriptionContext subscriptionContext, CallExpression callExpression, Symbol symbol) {
        RegularArgument nthArgumentOrKeyword;
        if (!"cryptography.hazmat.primitives.ciphers.Cipher".equals(symbol.fullyQualifiedName())) {
            if (PYCA_RSA_KEY_METHODS.contains(symbol.fullyQualifiedName()) && (nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(1, "padding", callExpression.arguments())) != null && nthArgumentOrKeyword.expression().type().canOnlyBe("cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15")) {
                subscriptionContext.addIssue(nthArgumentOrKeyword, MESSAGE);
                return;
            }
            return;
        }
        RegularArgument nthArgumentOrKeyword2 = TreeUtils.nthArgumentOrKeyword(1, "mode", callExpression.arguments());
        if (nthArgumentOrKeyword2 != null) {
            InferredType type = nthArgumentOrKeyword2.expression().type();
            Stream<String> stream = PYCA_VULNERABLE_MODES.stream();
            Objects.requireNonNull(type);
            if (stream.anyMatch(type::canOnlyBe)) {
                subscriptionContext.addIssue(nthArgumentOrKeyword2, MESSAGE);
            }
        }
    }

    static {
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.DES.new", Arrays.asList("Crypto.Cipher.DES.MODE_ECB", "Crypto.Cipher.DES.MODE_CBC"));
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.CAST.new", Arrays.asList("Crypto.Cipher.CAST.MODE_ECB", "Crypto.Cipher.CAST.MODE_CBC"));
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.DES3.new", Arrays.asList("Crypto.Cipher.DES3.MODE_ECB", "Crypto.Cipher.DES3.MODE_CBC"));
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.ARC2.new", Arrays.asList("Crypto.Cipher.ARC2.MODE_ECB", "Crypto.Cipher.ARC2.MODE_CBC"));
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.Blowfish.new", Arrays.asList("Crypto.Cipher.Blowfish.MODE_ECB", "Crypto.Cipher.Blowfish.MODE_CBC"));
        PYCRYPTO_VULNERABLE_MODES_BY_API.put("Crypto.Cipher.AES.new", Arrays.asList("Crypto.Cipher.AES.MODE_ECB", "Crypto.Cipher.AES.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API = new HashMap();
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.DES.new", Arrays.asList("Cryptodome.Cipher.DES.MODE_ECB", "Cryptodome.Cipher.DES.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.CAST.new", Arrays.asList("Cryptodome.Cipher.CAST.MODE_ECB", "Cryptodome.Cipher.CAST.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.DES3.new", Arrays.asList("Cryptodome.Cipher.DES3.MODE_ECB", "Cryptodome.Cipher.DES3.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.ARC2.new", Arrays.asList("Cryptodome.Cipher.ARC2.MODE_ECB", "Cryptodome.Cipher.ARC2.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.Blowfish.new", Arrays.asList("Cryptodome.Cipher.Blowfish.MODE_ECB", "Cryptodome.Cipher.Blowfish.MODE_CBC"));
        CRYPTODOMEX_VULNERABLE_MODES_BY_API.put("Cryptodome.Cipher.AES.new", Arrays.asList("Cryptodome.Cipher.AES.MODE_ECB", "Cryptodome.Cipher.AES.MODE_CBC"));
    }
}
