package org.sonar.python.checks;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S3329")
/* loaded from: input_file:org/sonar/python/checks/CipherBlockChainingCheck.class */
public class CipherBlockChainingCheck extends PythonSubscriptionCheck {
    private static final HashSet<String> PYCRYPTO_SENSITIVE_FQNS = new HashSet<>();
    private static final String CRYPTOGRAPHY_SENSITIVE_FQN = "cryptography.hazmat.primitives.ciphers.Cipher";
    private static final String MESSAGE = "Use a dynamically-generated, random IV.";

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, CipherBlockChainingCheck::checkCallExpression);
    }

    private static void checkCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        Symbol calleeSymbol = syntaxNode.calleeSymbol();
        if (calleeSymbol == null || calleeSymbol.fullyQualifiedName() == null) {
            return;
        }
        if (PYCRYPTO_SENSITIVE_FQNS.contains(calleeSymbol.fullyQualifiedName())) {
            checkPyCryptoCall(syntaxNode, subscriptionContext);
        }
        if (CRYPTOGRAPHY_SENSITIVE_FQN.equals(calleeSymbol.fullyQualifiedName())) {
            checkCrypographyCall(syntaxNode, subscriptionContext);
        }
    }

    private static void checkCrypographyCall(CallExpression callExpression, SubscriptionContext subscriptionContext) {
        CallExpression callExpression2;
        Symbol calleeSymbol;
        RegularArgument nthArgumentOrKeyword;
        AssignmentStatement firstAncestorOfKind;
        RegularArgument nthArgumentOrKeyword2 = TreeUtils.nthArgumentOrKeyword(1, "mode", callExpression.arguments());
        if (nthArgumentOrKeyword2 == null) {
            return;
        }
        CallExpression expression = nthArgumentOrKeyword2.expression();
        if (expression.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR}) && (calleeSymbol = (callExpression2 = expression).calleeSymbol()) != null && "CBC".equals(calleeSymbol.name()) && (nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(0, "initialization_vector", callExpression2.arguments())) != null && isStaticInitializationVector(nthArgumentOrKeyword.expression(), new HashSet()) && (firstAncestorOfKind = TreeUtils.firstAncestorOfKind(callExpression, new Tree.Kind[]{Tree.Kind.ASSIGNMENT_STMT})) != null && firstAncestorOfKind.assignedValue() == callExpression) {
            checkAssignmentStatement(firstAncestorOfKind, callExpression, "encryptor", subscriptionContext);
        }
    }

    private static void checkPyCryptoCall(CallExpression callExpression, SubscriptionContext subscriptionContext) {
        Symbol symbol;
        RegularArgument nthArgumentOrKeyword;
        AssignmentStatement firstAncestorOfKind;
        RegularArgument nthArgumentOrKeyword2 = TreeUtils.nthArgumentOrKeyword(1, "mode", callExpression.arguments());
        if (nthArgumentOrKeyword2 == null) {
            return;
        }
        HasSymbol expression = nthArgumentOrKeyword2.expression();
        if ((expression instanceof HasSymbol) && (symbol = expression.symbol()) != null && "MODE_CBC".equals(symbol.name()) && (nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(2, "iv", callExpression.arguments())) != null && isStaticInitializationVector(nthArgumentOrKeyword.expression(), new HashSet()) && (firstAncestorOfKind = TreeUtils.firstAncestorOfKind(callExpression, new Tree.Kind[]{Tree.Kind.ASSIGNMENT_STMT})) != null && firstAncestorOfKind.assignedValue() == callExpression) {
            checkAssignmentStatement(firstAncestorOfKind, callExpression, "encrypt", subscriptionContext);
        }
    }

    private static void checkAssignmentStatement(AssignmentStatement assignmentStatement, CallExpression callExpression, String str, SubscriptionContext subscriptionContext) {
        assignmentStatement.lhsExpressions().stream().filter(expressionList -> {
            return expressionList.expressions().size() == 1;
        }).flatMap(expressionList2 -> {
            return expressionList2.expressions().stream();
        }).filter(expression -> {
            return expression.is(new Tree.Kind[]{Tree.Kind.NAME});
        }).forEach(expression2 -> {
            Symbol symbol = ((Name) expression2).symbol();
            if (symbol == null) {
                return;
            }
            symbol.usages().stream().map((v0) -> {
                return v0.tree();
            }).filter(tree -> {
                return isWithinCallTo(tree, str);
            }).findFirst().ifPresent(tree2 -> {
                subscriptionContext.addIssue(tree2, MESSAGE).secondary(callExpression, (String) null);
            });
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isWithinCallTo(Tree tree, String str) {
        CallExpression firstAncestorOfKind = TreeUtils.firstAncestorOfKind(tree, new Tree.Kind[]{Tree.Kind.CALL_EXPR});
        return firstAncestorOfKind != null && firstAncestorOfKind.callee().is(new Tree.Kind[]{Tree.Kind.QUALIFIED_EXPR}) && firstAncestorOfKind.callee().name().name().equals(str);
    }

    private static boolean isStaticInitializationVector(Expression expression, Set<Expression> set) {
        if (set.contains(expression)) {
            return false;
        }
        set.add(expression);
        if (expression.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR}) || TreeUtils.hasDescendant(expression, tree -> {
            return tree.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR});
        })) {
            return false;
        }
        if (!expression.is(new Tree.Kind[]{Tree.Kind.NAME})) {
            return true;
        }
        Expression singleAssignedValue = Expressions.singleAssignedValue((Name) expression);
        if (singleAssignedValue == null) {
            return false;
        }
        return isStaticInitializationVector(singleAssignedValue, set);
    }

    static {
        for (String str : Arrays.asList("Cryptodome", "Crypto")) {
            Iterator it = Arrays.asList("AES", "ARC2", "Blowfish", "CAST", "DES", "DES3").iterator();
            while (it.hasNext()) {
                PYCRYPTO_SENSITIVE_FQNS.add(String.format("%s.Cipher.%s.new", str, (String) it.next()));
            }
        }
    }
}
