package org.sonar.python.checks.hotspots;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.ArgList;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.ClassDef;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.ExpressionList;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.AbstractCallExpressionCheck;
import org.sonar.python.checks.Expressions;
import org.sonar.python.tree.TreeUtils;

@Rule(key = HashingDataCheck.CHECK_KEY)
/* loaded from: input_file:org/sonar/python/checks/hotspots/HashingDataCheck.class */
public class HashingDataCheck extends AbstractCallExpressionCheck {
    public static final String CHECK_KEY = "S4790";
    private static final String MESSAGE = "Make sure that hashing data is safe here.";
    private static final Set<String> questionableFunctions = immutableSet("hashlib.new", "cryptography.hazmat.primitives.hashes.SHA1", "cryptography.hazmat.primitives.hashes.MD5", "django.contrib.auth.hashers.make_password", "werkzeug.security.generate_password_hash", "Cryptodome.Hash.MD2.new", "Cryptodome.Hash.MD4.new", "Cryptodome.Hash.MD5.new", "Cryptodome.Hash.SHA1.new", "Cryptodome.Hash.SHA224.new", "Crypto.Hash.MD2.new", "Crypto.Hash.MD4.new", "Crypto.Hash.MD5.new", "Crypto.Hash.SHA1.new", "Crypto.Hash.SHA224.new");
    private static final Set<String> questionableHashlibAlgorithm = immutableSet("hashlib.md5", "hashlib.sha1", "hashlib.sha224");
    private static final Set<String> unsafeAlgorithms = immutableSet("sha1", "md5", "sha224");
    private static final Set<String> questionablePasslibAlgorithm = (Set) Stream.of((Object[]) new String[]{"apr_md5_crypt", "bigcrypt", "bsd_nthash", "bsdi_crypt", "cisco_asa", "cisco_pix", "cisco_type7", "crypt16", "des_crypt", "django_des_crypt", "django_salted_md5", "django_salted_sha1", "dlitz_pbkdf2_sha1", "hex_md4", "hex_md5", "hex_sha1", "ldap_bsdi_crypt", "ldap_des_crypt", "ldap_hex_md5", "ldap_plaintext", "ldap_salted_md5", "ldap_salted_sha1", "ldap_sha1", "ldap_sha1_crypt", "lmhash", "md5_crypt", "mssql2000", "mssql2005", "mysql323", "mysql41", "nthash", "oracle10", "plaintext", "postgres_md5", "roundup_plaintext", "sha1_crypt", "sun_md5_crypt"}).map(str -> {
        return "passlib.hash." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionableDjangoHashers = (Set) Stream.of((Object[]) new String[]{"SHA1PasswordHasher", "MD5PasswordHasher", "UnsaltedSHA1PasswordHasher", "UnsaltedMD5PasswordHasher", "CryptPasswordHasher"}).map(str -> {
        return "django.contrib.auth.hashers." + str;
    }).collect(Collectors.toSet());
    private static final Set<String> questionableHashers = immutableSet("crypt", "unsalted_sha1", "unsalted_md5", "sha1", "md5");

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck, org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        super.initialize(context);
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, HashingDataCheck::checkOverwriteDjangoHashers);
        context.registerSyntaxNodeConsumer(Tree.Kind.CLASSDEF, HashingDataCheck::checkCreatingCustomHasher);
        context.registerSyntaxNodeConsumer(Tree.Kind.NAME, HashingDataCheck::checkQuestionableHashingAlgorithm);
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected boolean isException(CallExpression callExpression) {
        return hasSafeArgument(callExpression, "django.contrib.auth.hashers.make_password", 2, "hasher", questionableHashers) || hasSafeArgument(callExpression, "hashlib.new", 0, "name", unsafeAlgorithms) || hasSafeArgument(callExpression, "werkzeug.security.generate_password_hash", 1, "method", unsafeAlgorithms);
    }

    private static boolean hasSafeArgument(CallExpression callExpression, String str, int i, String str2, Set<String> set) {
        StringLiteral stringLiteral;
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol == null || !str.equals(calleeSymbol.fullyQualifiedName())) {
            return false;
        }
        RegularArgument nthArgumentOrKeyword = TreeUtils.nthArgumentOrKeyword(i, str2, callExpression.arguments());
        return nthArgumentOrKeyword == null || (stringLiteral = (StringLiteral) getValue(nthArgumentOrKeyword.expression(), Tree.Kind.STRING_LITERAL)) == null || !set.contains(stringLiteral.trimmedQuotesValue());
    }

    private static void checkOverwriteDjangoHashers(SubscriptionContext subscriptionContext) {
        AssignmentStatement assignmentStatement = (AssignmentStatement) subscriptionContext.syntaxNode();
        if (isOverwritingDjangoHashers(assignmentStatement.lhsExpressions(), subscriptionContext.pythonFile().fileName())) {
            List<Expression> weakHashers = getWeakHashers(assignmentStatement.assignedValue());
            if (weakHashers.isEmpty()) {
                return;
            }
            PythonCheck.PreciseIssue addIssue = subscriptionContext.addIssue(assignmentStatement, MESSAGE);
            weakHashers.forEach(expression -> {
                addIssue.secondary(expression, (String) null);
            });
        }
    }

    private static List<Expression> getWeakHashers(Expression expression) {
        ListLiteral listLiteral = (ListLiteral) getValue(expression, Tree.Kind.LIST_LITERAL);
        return listLiteral != null ? (List) listLiteral.elements().expressions().stream().filter(HashingDataCheck::isWeakHasher).collect(Collectors.toList()) : Collections.emptyList();
    }

    private static boolean isWeakHasher(Expression expression) {
        StringLiteral stringLiteral = (StringLiteral) getValue(expression, Tree.Kind.STRING_LITERAL);
        return stringLiteral != null && questionableDjangoHashers.contains(stringLiteral.trimmedQuotesValue());
    }

    @CheckForNull
    private static Expression getValue(Expression expression, Tree.Kind kind) {
        Expression expression2 = expression;
        if (expression.is(Tree.Kind.NAME)) {
            expression2 = Expressions.singleAssignedValue((Name) expression);
        }
        if (expression2 == null || !expression2.is(kind)) {
            return null;
        }
        return expression2;
    }

    private static boolean isOverwritingDjangoHashers(List<ExpressionList> list, String str) {
        Symbol symbol;
        if (str.equals("global_settings.py") && list.stream().flatMap(expressionList -> {
            return expressionList.expressions().stream();
        }).anyMatch(expression -> {
            return expression.firstToken().value().equals("PASSWORD_HASHERS");
        })) {
            return true;
        }
        Iterator<ExpressionList> it = list.iterator();
        while (it.hasNext()) {
            Iterator<Expression> it2 = it.next().expressions().iterator();
            while (it2.hasNext()) {
                Expression removeParentheses = Expressions.removeParentheses(it2.next());
                if (removeParentheses.is(Tree.Kind.QUALIFIED_EXPR) && (symbol = ((QualifiedExpression) removeParentheses).symbol()) != null && "django.conf.settings.PASSWORD_HASHERS".equals(symbol.fullyQualifiedName())) {
                    return true;
                }
            }
        }
        return false;
    }

    private static void checkQuestionableHashingAlgorithm(SubscriptionContext subscriptionContext) {
        Name name = (Name) subscriptionContext.syntaxNode();
        if (isWithinImport(name)) {
            return;
        }
        String fullyQualifiedName = name.symbol() != null ? name.symbol().fullyQualifiedName() : StringUtils.EMPTY;
        if (questionableHashlibAlgorithm.contains(fullyQualifiedName) || questionablePasslibAlgorithm.contains(fullyQualifiedName)) {
            subscriptionContext.addIssue(name, MESSAGE);
        }
    }

    private static String getQualifiedName(Expression expression) {
        Symbol symbol;
        return (!(expression instanceof HasSymbol) || (symbol = ((HasSymbol) expression).symbol()) == null) ? StringUtils.EMPTY : symbol.fullyQualifiedName();
    }

    private static void checkCreatingCustomHasher(SubscriptionContext subscriptionContext) {
        ArgList args = ((ClassDef) subscriptionContext.syntaxNode()).args();
        if (args != null) {
            Stream<Argument> filter = args.arguments().stream().filter(argument -> {
                return argument.is(Tree.Kind.REGULAR_ARGUMENT);
            });
            Class<RegularArgument> cls = RegularArgument.class;
            Objects.requireNonNull(RegularArgument.class);
            filter.map((v1) -> {
                return r1.cast(v1);
            }).filter(regularArgument -> {
                return questionableDjangoHashers.contains(getQualifiedName(regularArgument.expression()));
            }).forEach(regularArgument2 -> {
                subscriptionContext.addIssue(regularArgument2, MESSAGE);
            });
        }
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected Set<String> functionsToCheck() {
        return questionableFunctions;
    }

    @Override // org.sonar.python.checks.AbstractCallExpressionCheck
    protected String message() {
        return MESSAGE;
    }
}
