package org.sonar.python.checks.hotspots;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.symbols.Usage;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.Expressions;
import org.sonar.python.tree.TreeUtils;

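/**
 * Security-hotspot check for Python code (rule key S5527): reports SSL/TLS contexts on which
 * server hostname verification is not enabled.
 *
 * <p>The check subscribes to call expressions and looks at calls to the {@code ssl} context
 * factories listed in {@link #FUNCTIONS_TO_CHECK}. An issue is raised on the factory call when:
 * <ul>
 *   <li>the nearest enclosing call is {@code urllib.request.urlopen} and the factory is one of
 *       {@link #UNSECURE_BY_DEFAULT}; or</li>
 *   <li>the result is assigned to a variable, and either an assignment involving
 *       {@code <variable>.check_hostname} has a falsy assigned value, or no such assignment is
 *       found and the factory is one of {@link #UNSECURE_BY_DEFAULT}.</li>
 * </ul>
 *
 * <p>Known limits, visible in the code below: a context handed to any callee other than
 * {@code urllib.request.urlopen} is not reported, only the first assignment target is examined,
 * and the first {@code check_hostname} assignment found among the variable's usages decides the
 * outcome. Without hostname verification a certificate issued for a different host can be
 * accepted, so these gaps are worth keeping in mind when triaging "no issue" results.
 */
@Rule(key = "S5527")
public class UnverifiedHostnameCheck extends PythonSubscriptionCheck {
    private static final String MESSAGE = "Enable server hostname verification on this SSL/TLS connection.";

    /** Factories whose context is reported only when {@code check_hostname} is given a falsy value. */
    private static final Set<String> SECURE_BY_DEFAULT =
        unmodifiableSetOf("ssl.create_default_context", "ssl._create_default_https_context");

    /** Factories whose context is reported unless {@code check_hostname} is given a non-falsy value. */
    private static final Set<String> UNSECURE_BY_DEFAULT =
        unmodifiableSetOf("ssl._create_unverified_context", "ssl._create_stdlib_context");

    /**
     * Every factory this rule inspects. Built once during class initialisation and never mutated,
     * so the set is fully populated before any analysis thread can read it.
     */
    private static final Set<String> FUNCTIONS_TO_CHECK = union(SECURE_BY_DEFAULT, UNSECURE_BY_DEFAULT);

    /** Returns an unmodifiable set holding the given fully qualified names. */
    private static Set<String> unmodifiableSetOf(String... names) {
        return Collections.unmodifiableSet(new HashSet<>(Arrays.asList(names)));
    }

    /** Returns an unmodifiable set holding the elements of both arguments. */
    private static Set<String> union(Set<String> first, Set<String> second) {
        Set<String> merged = new HashSet<>(first);
        merged.addAll(second);
        return Collections.unmodifiableSet(merged);
    }

    /**
     * Decides whether a call to one of the inspected factories should be reported.
     *
     * @param callExpression the factory call; the issue is attached to this node
     * @param symbol the callee symbol of {@code callExpression}
     * @param subscriptionContext the context used to report the issue
     */
    private static void checkSuspiciousCall(CallExpression callExpression, Symbol symbol, SubscriptionContext subscriptionContext) {
        Tree ancestor = TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.ASSIGNMENT_STMT, Tree.Kind.CALL_EXPR);
        if (ancestor == null) {
            // Neither assigned nor passed to another call: nothing to track.
            return;
        }
        if (!ancestor.is(Tree.Kind.ASSIGNMENT_STMT)) {
            // The factory call sits inside another call, e.g. urlopen(url, context=<factory>()).
            if (opensUnsecureConnection(symbol, (CallExpression) ancestor)) {
                subscriptionContext.addIssue(callExpression, MESSAGE);
            }
            return;
        }
        // Only the first target of the assignment is examined.
        Expression target = ((AssignmentStatement) ancestor).lhsExpressions().get(0).expressions().get(0);
        if (!(target instanceof HasSymbol)) {
            return;
        }
        Symbol contextSymbol = ((HasSymbol) target).symbol();
        if (contextSymbol != null && isUnsafeContext(symbol, contextSymbol)) {
            subscriptionContext.addIssue(callExpression, MESSAGE);
        }
    }

    /**
     * Tells whether the context held by {@code symbol2} ends up without hostname verification.
     *
     * @param symbol the factory that created the context
     * @param symbol2 the variable the context was assigned to
     * @return the falsiness of the value in the first {@code check_hostname} assignment found among
     *     the variable's usages; when there is none, whether the factory is in
     *     {@link #UNSECURE_BY_DEFAULT}
     */
    private static boolean isUnsafeContext(Symbol symbol, Symbol symbol2) {
        for (Usage usage : symbol2.usages()) {
            if (!usage.kind().equals(Usage.Kind.OTHER)) {
                continue;
            }
            QualifiedExpression attributeAccess =
                (QualifiedExpression) TreeUtils.firstAncestorOfKind(usage.tree(), Tree.Kind.QUALIFIED_EXPR);
            if (attributeAccess == null || !attributeAccess.name().name().equals("check_hostname")) {
                continue;
            }
            AssignmentStatement assignment =
                (AssignmentStatement) TreeUtils.firstAncestorOfKind(attributeAccess, Tree.Kind.ASSIGNMENT_STMT);
            if (assignment != null) {
                // NOTE(review): the first match decides, and the attribute is not checked to be on
                // the left-hand side; a later `ctx.check_hostname = False` or a plain read such as
                // `x = ctx.check_hostname` may therefore skew the result. Confirm the usage order.
                return Expressions.isFalsy(assignment.assignedValue());
            }
        }
        // No explicit check_hostname assignment: the factory's default applies.
        return UNSECURE_BY_DEFAULT.contains(symbol.fullyQualifiedName());
    }

    /**
     * Tells whether a context from an {@link #UNSECURE_BY_DEFAULT} factory is created directly
     * inside a {@code urllib.request.urlopen} call.
     *
     * @param symbol the factory that created the context
     * @param callExpression the call enclosing the factory call
     */
    private static boolean opensUnsecureConnection(Symbol symbol, CallExpression callExpression) {
        Symbol enclosingCallee = callExpression.calleeSymbol();
        if (enclosingCallee == null) {
            return false;
        }
        return "urllib.request.urlopen".equals(enclosingCallee.fullyQualifiedName())
            && UNSECURE_BY_DEFAULT.contains(symbol.fullyQualifiedName());
    }

    /** Registers this check for every Python call expression. */
    @Override
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, UnverifiedHostnameCheck::checkCallExpression);
    }

    /** Filters call expressions down to the inspected factories and hands them to the analysis. */
    private static void checkCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol != null && FUNCTIONS_TO_CHECK.contains(calleeSymbol.fullyQualifiedName())) {
            checkSuspiciousCall(callExpression, calleeSymbol, subscriptionContext);
        }
    }
}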
