package org.sonar.python.checks;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.ArgList;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.types.BuiltinTypes;

@Rule(key = "S4433")
/* loaded from: input_file:org/sonar/python/checks/LdapAuthenticationCheck.class */
public class LdapAuthenticationCheck extends PythonSubscriptionCheck {
    private static final Set<String> LDAP_OBJECT_SENSITIVE_METHODS = new HashSet(Arrays.asList("ldap.ldapobject.SimpleLDAPObject.simple_bind", "ldap.ldapobject.SimpleLDAPObject.simple_bind_s", "ldap.ldapobject.SimpleLDAPObject.bind", "ldap.ldapobject.SimpleLDAPObject.bind_s"));

    @Override // org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext -> {
            CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
            Symbol calleeSymbol = callExpression.calleeSymbol();
            HashSet hashSet = new HashSet();
            if (calleeSymbol == null || !LDAP_OBJECT_SENSITIVE_METHODS.contains(calleeSymbol.fullyQualifiedName()) || isPasswordProvided(callExpression.argumentList(), hashSet)) {
                return;
            }
            PythonCheck.PreciseIssue addIssue = subscriptionContext.addIssue(callExpression.callee(), "Provide a password when authenticating to this LDAP server.");
            hashSet.forEach(tree -> {
                addIssue.secondary(tree, (String) null);
            });
        });
    }

    private static boolean isPasswordProvided(@Nullable ArgList argList, Set<Tree> set) {
        if (argList == null) {
            return false;
        }
        for (int i = 0; i < argList.arguments().size(); i++) {
            if (argList.arguments().get(i).is(Tree.Kind.UNPACKING_EXPR)) {
                return true;
            }
            RegularArgument regularArgument = (RegularArgument) argList.arguments().get(i);
            Name keywordArgument = regularArgument.keywordArgument();
            if ((keywordArgument == null && i == 1) || (keywordArgument != null && keywordArgument.name().equals("cred"))) {
                if (isValidPassword(regularArgument.expression(), set)) {
                    return true;
                }
                set.add(regularArgument.expression());
                return false;
            }
        }
        return false;
    }

    private static boolean isValidPassword(Expression expression, Set<Tree> set) {
        Expression singleAssignedValue;
        if (isNoneOrEmptyString(expression, set)) {
            return false;
        }
        return (expression.is(Tree.Kind.NAME) && (singleAssignedValue = Expressions.singleAssignedValue((Name) expression)) != null && isNoneOrEmptyString(singleAssignedValue, set)) ? false : true;
    }

    private static boolean isNoneOrEmptyString(Expression expression, Set<Tree> set) {
        if (!expression.type().canOnlyBe(BuiltinTypes.NONE_TYPE) && (!expression.is(Tree.Kind.STRING_LITERAL) || !((StringLiteral) expression).trimmedQuotesValue().isEmpty())) {
            return false;
        }
        set.add(expression);
        return true;
    }
}
