package org.sonar.python.checks.hotspots;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.SubscriptionExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.Expressions;

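/**
 * Security hotspot S3330: reports places where a cookie is created, or a session
 * cookie is configured, with the {@code HttpOnly} flag turned off.
 *
 * <p>A cookie without {@code HttpOnly} can be read by client-side script, so an
 * injected script can lift a session identifier. The rule asks for a review rather
 * than asserting a vulnerability, which is why the message is phrased as a question
 * of safety.
 *
 * <p>Besides the {@code set_cookie}-style calls listed in
 * {@link #SENSITIVE_ARGUMENT_BY_FQN}, this class adds three syntactic checks for the
 * {@code SESSION_COOKIE_HTTPONLY} setting being given a falsy value:
 * <ul>
 *   <li>subscription assignment, e.g. {@code x['SESSION_COOKIE_HTTPONLY'] = False};</li>
 *   <li>dictionary literal, e.g. {@code {'SESSION_COOKIE_HTTPONLY': False}};</li>
 *   <li>{@code dict(...)} call, e.g. {@code dict(SESSION_COOKIE_HTTPONLY=False)}.</li>
 * </ul>
 *
 * <p>Coverage limits worth knowing when triaging: keys are matched only when they are
 * string literals (or keyword names), so a key built at runtime is not seen, and the
 * value must be recognised as falsy by {@code Expressions.isFalsy}, whose exact
 * definition lives outside this class.
 */
@Rule(key = "S3330")
public class HttpOnlyCookieCheck extends AbstractCookieFlagCheck {
    /** Name of the session-cookie setting whose falsy assignment is reported. */
    private static final String SESSION_COOKIE_HTTPONLY = "SESSION_COOKIE_HTTPONLY";

    /**
     * Fully qualified callee name mapped to an integer for the {@code httponly} argument.
     * NOTE(review): the integer is presumably the 0-based positional index of
     * {@code httponly} in the callee's signature; it is interpreted by
     * AbstractCookieFlagCheck, which is not visible here - confirm there.
     */
    private static final Map<String, Integer> SENSITIVE_ARGUMENT_BY_FQN;

    static {
        // Build in a typed local map, then publish a read-only view through a final field,
        // so the table can neither be reassigned nor mutated after class initialisation.
        Map<String, Integer> arguments = new HashMap<>();
        arguments.put("django.http.response.HttpResponseBase.set_cookie", 7);
        arguments.put("django.http.response.HttpResponseBase.set_signed_cookie", 8);
        arguments.put("flask.wrappers.Response.set_cookie", 7);
        arguments.put("werkzeug.wrappers.BaseResponse.set_cookie", 7);
        arguments.put("werkzeug.sansio.response.Response.set_cookie", 7);
        SENSITIVE_ARGUMENT_BY_FQN = Collections.unmodifiableMap(arguments);
    }

    /** @return the keyword name of the cookie flag this check looks for */
    @Override
    String flagName() {
        return "httponly";
    }

    /** @return the issue message attached to every location this check reports */
    @Override
    String message() {
        return "Make sure creating this cookie without the \"HttpOnly\" flag is safe.";
    }

    /** @return the unmodifiable callee table described on {@link #SENSITIVE_ARGUMENT_BY_FQN} */
    @Override
    Map<String, Integer> sensitiveArgumentByFQN() {
        return SENSITIVE_ARGUMENT_BY_FQN;
    }

    /**
     * Registers the superclass consumers first, then the three
     * {@code SESSION_COOKIE_HTTPONLY} checks defined in this class.
     *
     * @param context registration context supplied by the analyzer
     */
    @Override
    public void initialize(SubscriptionCheck.Context context) {
        super.initialize(context);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, this::subscriptionSessionCookieHttponlyCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.DICTIONARY_LITERAL, this::dictionarySessionCookieHttponlyCheck);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::dictConstructorSessionCookieHttponlyCheck);
    }

    /**
     * Reports an assignment whose target is subscripted with the literal
     * {@code "SESSION_COOKIE_HTTPONLY"} and whose assigned value is falsy.
     * The subscripted object itself is not inspected, so any container matches.
     */
    private void subscriptionSessionCookieHttponlyCheck(SubscriptionContext subscriptionContext) {
        // Registered for ASSIGNMENT_STMT only, so the node is an AssignmentStatement.
        AssignmentStatement assignment = (AssignmentStatement) subscriptionContext.syntaxNode();
        boolean targetsSessionCookieHttponly = assignment.lhsExpressions().stream()
            .flatMap(expressionList -> expressionList.expressions().stream())
            .filter(target -> target.is(Tree.Kind.SUBSCRIPTION))
            .flatMap(target -> ((SubscriptionExpression) target).subscripts().expressions().stream())
            .anyMatch(HttpOnlyCookieCheck::isSessionCookieHttponlyStringLiteral);
        if (targetsSessionCookieHttponly && Expressions.isFalsy(assignment.assignedValue())) {
            subscriptionContext.addIssue(assignment.assignedValue(), message());
        }
    }

    /** Reports the falsy value of a {@code SESSION_COOKIE_HTTPONLY} entry in a dictionary literal. */
    private void dictionarySessionCookieHttponlyCheck(SubscriptionContext subscriptionContext) {
        // Registered for DICTIONARY_LITERAL only, so the node is a DictionaryLiteral.
        DictionaryLiteral dictionaryLiteral = (DictionaryLiteral) subscriptionContext.syntaxNode();
        searchForFalsySessionCookieHttponlyInDictionary(dictionaryLiteral)
            .ifPresent(value -> subscriptionContext.addIssue(value, message()));
    }

    /**
     * Finds the first key-value pair keyed by the literal {@code "SESSION_COOKIE_HTTPONLY"}
     * and returns its value when that value is falsy.
     *
     * <p>NOTE(review): only the first matching pair is examined. When the key is repeated
     * in one literal, Python keeps the last value, so a truthy first entry followed by a
     * falsy one is not reported (and the reverse order is reported).
     *
     * @param dictionaryLiteral the literal to inspect
     * @return the falsy value expression, or empty when there is nothing to report
     */
    private static Optional<Expression> searchForFalsySessionCookieHttponlyInDictionary(DictionaryLiteral dictionaryLiteral) {
        return dictionaryLiteral.elements().stream()
            // Skip non key-value elements such as unpacking expressions.
            .filter(element -> element.is(Tree.Kind.KEY_VALUE_PAIR))
            .map(KeyValuePair.class::cast)
            .filter(pair -> Optional.ofNullable(pair.key())
                .filter(HttpOnlyCookieCheck::isSessionCookieHttponlyStringLiteral)
                .isPresent())
            .findFirst()
            .filter(pair -> Expressions.isFalsy(pair.value()))
            .map(KeyValuePair::value);
    }

    /** Reports a falsy {@code SESSION_COOKIE_HTTPONLY} keyword argument passed to {@code dict(...)}. */
    private void dictConstructorSessionCookieHttponlyCheck(SubscriptionContext subscriptionContext) {
        // Registered for CALL_EXPR only, so the node is a CallExpression.
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        searchForFalsySessionCookieHttponlyInDictCons(callExpression)
            .ifPresent(value -> subscriptionContext.addIssue(value, message()));
    }

    /**
     * Looks for {@code SESSION_COOKIE_HTTPONLY=<falsy>} among the keyword arguments of a
     * call whose callee resolves to the fully qualified name {@code dict}.
     *
     * @param callExpression the call to inspect
     * @return the falsy argument expression, or empty when the callee is not {@code dict}
     *         or no such argument exists
     */
    private static Optional<Expression> searchForFalsySessionCookieHttponlyInDictCons(CallExpression callExpression) {
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol == null || !"dict".equals(calleeSymbol.fullyQualifiedName())) {
            return Optional.empty();
        }
        for (Tree argument : callExpression.arguments()) {
            if (!argument.is(Tree.Kind.REGULAR_ARGUMENT)) {
                // Not a regular argument (e.g. unpacking): carries no keyword to compare.
                continue;
            }
            RegularArgument regularArgument = (RegularArgument) argument;
            Name keyword = regularArgument.keywordArgument();
            if (keyword != null
                && SESSION_COOKIE_HTTPONLY.equals(keyword.name())
                && Expressions.isFalsy(regularArgument.expression())) {
                return Optional.of(regularArgument.expression());
            }
        }
        return Optional.empty();
    }

    /**
     * @param expression candidate key or subscript
     * @return {@code true} when the expression is a string literal whose unquoted value is
     *         exactly {@code SESSION_COOKIE_HTTPONLY}
     */
    private static boolean isSessionCookieHttponlyStringLiteral(Expression expression) {
        return expression.is(Tree.Kind.STRING_LITERAL)
            && SESSION_COOKIE_HTTPONLY.equals(((StringLiteral) expression).trimmedQuotesValue());
    }
}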
