package org.sonar.python.checks;

import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.DictionaryLiteralElement;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.tree.Tuple;
import org.sonar.plugins.python.api.types.BuiltinTypes;
import org.sonar.python.tree.TreeUtils;

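@Rule(key = "S5659")
/* loaded from: input_file:org/sonar/python/checks/JwtVerificationCheck.class */
/**
 * Rule S5659: reports JWT handling that skips signature verification.
 *
 * <p>Each call expression in the analyzed Python file is matched, by the callee's fully
 * qualified name, against one of four patterns:
 * <ul>
 *   <li>{@code jwt.decode(...)} / {@code jose.jws.verify(...)} with an explicit falsy
 *       {@code verify=} keyword — the keyword argument is reported;</li>
 *   <li>{@code python_jwt.process_jwt(...)} with no {@code verify_jwt(...)} call anywhere in
 *       the enclosing function (or module) — the call is reported;</li>
 *   <li>{@code jose.*.get_unverified_*(token)} — the token argument is reported;</li>
 *   <li>{@code jose.jwt.decode(..., options=...)} whose options carry a falsy
 *       {@code verify_signature} entry (dict literal, list of 2-tuples, {@code dict(...)} call,
 *       or a name singly assigned from one of those) — the options expression is reported.</li>
 * </ul>
 *
 * <p>The check is syntactic: an absent {@code verify=} keyword is not reported, and a
 * {@code verify_jwt} call anywhere in the scope (not necessarily on every path) suppresses the
 * {@code process_jwt} finding.
 */
public class JwtVerificationCheck extends PythonSubscriptionCheck {
    /** Issue message used for every pattern reported by this rule. */
    private static final String MESSAGE = "Don't use a JWT token without verifying its signature.";
    // python-jwt: process_jwt() only decodes; a verify_jwt() call is expected in the same scope.
    private static final Set<String> PROCESS_JWT_FQNS = Set.of("python_jwt.process_jwt", "jwt.process_jwt");
    private static final Set<String> VERIFY_JWT_FQNS = Set.of("python_jwt.verify_jwt", "jwt.verify_jwt");
    // Entry points whose `verify=` keyword argument must not be falsy.
    private static final Set<String> WHERE_VERIFY_KWARG_SHOULD_BE_TRUE_FQNS = Set.of("jwt.decode", "jose.jws.verify");
    // python-jose helpers that expose header/claims without any signature check.
    private static final Set<String> UNVERIFIED_FQNS = Set.of("jose.jwt.get_unverified_header", "jose.jwt.get_unverified_headers", "jose.jws.get_unverified_header", "jose.jws.get_unverified_headers", "jose.jwt.get_unverified_claims", "jose.jws.get_unverified_claims");
    // Key of the `options` mapping (and keyword of `dict(...)`) that disables signature checks.
    private static final String VERIFY_SIGNATURE_KEYWORD = "verify_signature";
    public static final String JOSE_JWT_DECODE_FQN = "jose.jwt.decode";

    /**
     * Subscribes to every call expression of the file.
     *
     * @param context the subscription registry of the analysis
     */
    @Override // org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, JwtVerificationCheck::verifyCallExpression);
    }

    /**
     * Dispatches one call expression to the pattern matching its callee's fully qualified name.
     * Calls whose callee symbol or fully qualified name is unresolved are ignored.
     *
     * @param subscriptionContext context whose syntax node is a {@link CallExpression}
     */
    private static void verifyCallExpression(SubscriptionContext subscriptionContext) {
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol == null) {
            return;
        }
        String fqn = calleeSymbol.fullyQualifiedName();
        if (fqn == null) {
            return;
        }
        // The FQN sets below are disjoint, so at most one branch applies.
        if (WHERE_VERIFY_KWARG_SHOULD_BE_TRUE_FQNS.contains(fqn)) {
            // Only an explicit falsy `verify=` is reported; an absent keyword is not.
            RegularArgument verifyArgument = TreeUtils.argumentByKeyword("verify", callExpression.arguments());
            if (verifyArgument != null && Expressions.isFalsy(verifyArgument.expression())) {
                subscriptionContext.addIssue(verifyArgument, MESSAGE);
            }
        } else if (PROCESS_JWT_FQNS.contains(fqn)) {
            // process_jwt() is accepted only when a verify_jwt() call exists somewhere in the
            // enclosing function, or in the module when the call is at top level.
            Tree scope = TreeUtils.firstAncestorOfKind(callExpression, Tree.Kind.FILE_INPUT, Tree.Kind.FUNCDEF);
            if (scope != null && !TreeUtils.hasDescendant(scope, JwtVerificationCheck::isCallToVerifyJwt)) {
                subscriptionContext.addIssue(callExpression, MESSAGE);
            }
        } else if (UNVERIFIED_FQNS.contains(fqn)) {
            // get_unverified_*(token): highlight the token passed as first argument.
            Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(0, StringUtils.EMPTY, callExpression.arguments()))
                .flatMap(TreeUtils.toOptionalInstanceOfMapper(RegularArgument.class))
                .map(RegularArgument::expression)
                .ifPresent(expression -> subscriptionContext.addIssue(expression, MESSAGE));
        } else if (JOSE_JWT_DECODE_FQN.equals(fqn)) {
            // jose.jwt.decode(..., options=<mapping with falsy verify_signature>)
            Optional.ofNullable(TreeUtils.argumentByKeyword("options", callExpression.arguments()))
                .map(RegularArgument::expression)
                .filter(JwtVerificationCheck::isListOrDictWithSensitiveEntry)
                .ifPresent(expression -> subscriptionContext.addIssue(expression, MESSAGE));
        }
    }

    /**
     * Tells whether an {@code options} expression disables signature verification.
     *
     * @param expression the options value; a name is followed through its single assignment
     * @return {@code true} for a dict literal, a list of 2-tuples or a {@code dict(...)} call
     *         carrying a falsy {@code verify_signature} entry; {@code false} otherwise or for
     *         {@code null}
     */
    private static boolean isListOrDictWithSensitiveEntry(@Nullable Expression expression) {
        if (expression == null) {
            return false;
        }
        if (expression.is(Tree.Kind.NAME)) {
            // options=opts: inspect the value `opts` was assigned from, if it has exactly one.
            return isListOrDictWithSensitiveEntry(Expressions.singleAssignedNonNameValue((Name) expression));
        }
        if (expression.is(Tree.Kind.DICTIONARY_LITERAL)) {
            return hasTrueVerifySignatureEntry((DictionaryLiteral) expression);
        }
        if (expression.is(Tree.Kind.LIST_LITERAL)) {
            return hasTrueVerifySignatureEntry((ListLiteral) expression);
        }
        if (expression.is(Tree.Kind.CALL_EXPR)) {
            CallExpression call = (CallExpression) expression;
            return isCallToDict(call) && hasIllegalDictKWArgument(call);
        }
        return false;
    }

    /**
     * Tells whether a {@code dict(...)} call passes a falsy {@code verify_signature=} keyword.
     *
     * @param callExpression the call to inspect
     * @return {@code true} when the keyword is present and its value is falsy
     */
    private static boolean hasIllegalDictKWArgument(CallExpression callExpression) {
        return Optional.ofNullable(TreeUtils.argumentByKeyword(VERIFY_SIGNATURE_KEYWORD, callExpression.arguments()))
            .map(RegularArgument::expression)
            .filter(Expressions::isFalsy)
            .isPresent();
    }

    /**
     * Tells whether the callee of {@code callExpression} resolves to the builtin {@code dict}.
     *
     * @param callExpression the call to inspect
     * @return {@code true} when the callee's fully qualified name is {@link BuiltinTypes#DICT}
     */
    private static boolean isCallToDict(CallExpression callExpression) {
        return Optional.ofNullable(callExpression.calleeSymbol())
            .map(Symbol::fullyQualifiedName)
            .filter(BuiltinTypes.DICT::equals)
            .isPresent();
    }

    /**
     * Tells whether a dict literal contains a {@code "verify_signature"} key with a falsy value.
     * Despite the name, a match means verification is turned <em>off</em>.
     *
     * @param dictionaryLiteral the literal to inspect; non key/value elements (unpacking) are skipped
     * @return {@code true} when at least one such entry exists
     */
    private static boolean hasTrueVerifySignatureEntry(DictionaryLiteral dictionaryLiteral) {
        return dictionaryLiteral.elements().stream()
            .filter(KeyValuePair.class::isInstance)
            .map(KeyValuePair.class::cast)
            .filter(pair -> isSensitiveKey(pair.key()))
            .map(KeyValuePair::value)
            .anyMatch(Expressions::isFalsy);
    }

    /**
     * Tells whether a list literal of {@code (key, value)} tuples contains a
     * {@code ("verify_signature", <falsy>)} pair. Elements that are not 2-tuples are skipped.
     *
     * @param listLiteral the literal to inspect
     * @return {@code true} when at least one such pair exists
     */
    private static boolean hasTrueVerifySignatureEntry(ListLiteral listLiteral) {
        return listLiteral.elements().expressions().stream()
            .filter(Tuple.class::isInstance)
            .map(Tuple.class::cast)
            .map(Tuple::elements)
            .filter(elements -> elements.size() == 2)
            .filter(elements -> isSensitiveKey((Expression) elements.get(0)))
            .map(elements -> (Expression) elements.get(1))
            .anyMatch(Expressions::isFalsy);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tells whether {@code expression} is the string literal {@code "verify_signature"}
     * (quotes are stripped before comparison).
     *
     * @param expression the key expression
     * @return {@code true} for a matching string literal
     */
    public static boolean isSensitiveKey(Expression expression) {
        return expression.is(Tree.Kind.STRING_LITERAL) && VERIFY_SIGNATURE_KEYWORD.equals(((StringLiteral) expression).trimmedQuotesValue());
    }

    /**
     * Tells whether {@code tree} is a call whose callee resolves to one of {@link #VERIFY_JWT_FQNS}.
     *
     * @param tree any syntax node
     * @return {@code true} for a {@code verify_jwt(...)} call
     */
    private static boolean isCallToVerifyJwt(Tree tree) {
        return TreeUtils.toOptionalInstanceOf(CallExpression.class, tree)
            .map(CallExpression::calleeSymbol)
            .map(Symbol::fullyQualifiedName)
            .filter(VERIFY_JWT_FQNS::contains)
            .isPresent();
    }
}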
