package org.sonar.python.checks;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.tree.TreeUtils;

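/**
 * Static-analysis check (rule key S2053) for Python calls to password-hashing and
 * key-derivation functions whose salt is missing or hard-coded.
 *
 * <p>A salt that is a constant in the source is the same for every hashed value, so
 * identical passwords produce identical hashes and precomputed tables become reusable.
 * The check raises one of two issues:
 * <ul>
 *   <li>{@code MISSING_SALT_MESSAGE} on the callee when the call has too few arguments to
 *       contain the salt and no {@code salt=} keyword argument is present;</li>
 *   <li>{@code PREDICTABLE_SALT_MESSAGE} on the salt argument when it is a string literal,
 *       or a name whose single assigned value is a string literal.</li>
 * </ul>
 *
 * <p>Limits worth knowing when triaging results: only the fully qualified names listed in
 * {@link #buildSensitiveArgumentByFqn()} are inspected, and only literal salts are
 * recognised. A salt built by any other expression (concatenation, a call, an attribute,
 * a name assigned more than once) is not reported, so a clean result is not proof that
 * the salt is random.
 */
@Rule(key = "S2053")
/* loaded from: input_file:org/sonar/python/checks/PredictableSaltCheck.class */
public class PredictableSaltCheck extends PythonSubscriptionCheck {
    private static final String MISSING_SALT_MESSAGE = "Add an unpredictable salt value to this hash.";
    private static final String PREDICTABLE_SALT_MESSAGE = "Make this salt unpredictable.";
    /** Keyword under which the inspected functions accept their salt. */
    private static final String SALT_KEYWORD = "salt";

    /**
     * Fully qualified callee name mapped to the zero-based positional index of its salt
     * argument. Built once and shared: the content is constant, so per-instance lazy
     * initialisation added nothing but an unsynchronised write.
     */
    private static final Map<String, Integer> SENSITIVE_ARGUMENT_BY_FQN = buildSensitiveArgumentByFqn();

    /**
     * Subscribes the check to every call expression of the analysed file.
     *
     * @param context registration context supplied by the analyzer
     */
    @Override
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR,
            ctx -> handleCallExpression((CallExpression) ctx.syntaxNode(), ctx));
    }

    /**
     * Inspects a call only when its callee resolves to one of the listed functions.
     *
     * @param callExpression the call being visited
     * @param subscriptionContext context used to report issues
     */
    private static void handleCallExpression(CallExpression callExpression, SubscriptionContext subscriptionContext) {
        Symbol calleeSymbol = callExpression.calleeSymbol();
        if (calleeSymbol == null) {
            // Unresolved callee: nothing to match against.
            return;
        }
        // Single lookup instead of containsKey + get. The map is HashMap-backed, so a
        // null name (if the symbol has none) is simply a miss rather than an exception.
        Integer saltIndex = SENSITIVE_ARGUMENT_BY_FQN.get(calleeSymbol.fullyQualifiedName());
        if (saltIndex != null) {
            checkArguments(callExpression, saltIndex, subscriptionContext);
        }
    }

    /**
     * Locates the salt of a sensitive call, by keyword or by position, and checks it.
     *
     * <p>The "missing salt" issue is decided after the arguments have been scanned so
     * that a call which supplies {@code salt=...} by keyword is never reported as having
     * no salt merely because it has few arguments (for example when the remaining
     * parameters come from an unpacked dictionary). The keyword value itself is still
     * checked for predictability.
     *
     * @param callExpression the sensitive call
     * @param i zero-based positional index of the salt parameter
     * @param subscriptionContext context used to report issues
     */
    private static void checkArguments(CallExpression callExpression, int i, SubscriptionContext subscriptionContext) {
        int argumentCount = callExpression.arguments().size();
        boolean saltPassedByKeyword = false;
        for (int position = 0; position < argumentCount; position++) {
            Argument argument = callExpression.arguments().get(position);
            if (!argument.is(Tree.Kind.REGULAR_ARGUMENT)) {
                // Other argument kinds carry no single expression to inspect.
                continue;
            }
            RegularArgument regularArgument = (RegularArgument) argument;
            Name keywordArgument = regularArgument.keywordArgument();
            if (keywordArgument == null) {
                // Positional argument: only the one sitting at the salt index matters.
                if (position == i) {
                    checkSensitiveArgument(regularArgument, subscriptionContext);
                }
            } else if (SALT_KEYWORD.equals(keywordArgument.name())) {
                saltPassedByKeyword = true;
                checkSensitiveArgument(regularArgument, subscriptionContext);
            }
        }
        if (argumentCount <= i && !saltPassedByKeyword) {
            // Too few arguments to reach the salt position and no salt= keyword.
            // NOTE(review): some of the listed APIs may generate a random salt when it is
            // omitted; confirm per library before treating this finding as a weakness.
            subscriptionContext.addIssue(callExpression.callee(), MISSING_SALT_MESSAGE);
        }
    }

    /**
     * Reports the salt argument when its value is a literal.
     *
     * <p>Two shapes are recognised: the literal written directly in the call, and a name
     * for which {@code Expressions.singleAssignedValue} yields a string literal. In the
     * second case the assignment is attached as a secondary location so the reviewer can
     * see where the constant comes from.
     * NOTE(review): presumably {@code STRING_LITERAL} also covers bytes literals such as
     * {@code b"..."}, which is how salts are usually written; confirm against the parser.
     *
     * @param regularArgument the argument holding the salt
     * @param subscriptionContext context used to report issues
     */
    private static void checkSensitiveArgument(RegularArgument regularArgument, SubscriptionContext subscriptionContext) {
        Expression saltExpression = regularArgument.expression();
        if (saltExpression.is(Tree.Kind.NAME)) {
            Expression singleAssignedValue = Expressions.singleAssignedValue((Name) saltExpression);
            // No single assigned value, or a non-literal one: the check cannot conclude
            // anything and stays silent.
            if (singleAssignedValue != null && singleAssignedValue.is(Tree.Kind.STRING_LITERAL)) {
                subscriptionContext.addIssue(regularArgument, PREDICTABLE_SALT_MESSAGE).secondary((AssignmentStatement) TreeUtils.firstAncestorOfKind(singleAssignedValue, Tree.Kind.ASSIGNMENT_STMT), (String) null);
            }
        } else if (saltExpression.is(Tree.Kind.STRING_LITERAL)) {
            subscriptionContext.addIssue(regularArgument, PREDICTABLE_SALT_MESSAGE);
        }
    }

    /**
     * Builds the read-only table of inspected functions.
     *
     * <p>Java 8 style construction is kept on purpose; see the lookup in
     * {@code handleCallExpression} for why the backing map is a {@code HashMap}.
     * NOTE(review): only the {@code Cryptodome} package name is listed for the
     * PBKDF2/scrypt/bcrypt helpers; the same functions imported under another top-level
     * package name (e.g. {@code Crypto}) would not match. Confirm whether that is intended.
     *
     * @return unmodifiable map from fully qualified name to salt argument index
     */
    private static Map<String, Integer> buildSensitiveArgumentByFqn() {
        Map<String, Integer> saltIndexByFqn = new HashMap<>();
        saltIndexByFqn.put("hashlib.pbkdf2_hmac", 2);
        saltIndexByFqn.put("hashlib.scrypt", 4);
        saltIndexByFqn.put("crypt.crypt", 1);
        saltIndexByFqn.put("cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC", 2);
        saltIndexByFqn.put("Cryptodome.Protocol.KDF.PBKDF2", 1);
        saltIndexByFqn.put("Cryptodome.Protocol.KDF.scrypt", 1);
        saltIndexByFqn.put("Cryptodome.Protocol.KDF.bcrypt", 2);
        return Collections.unmodifiableMap(saltIndexByFqn);
    }
}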
