package org.sonar.python.checks.hotspots;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.ClassDef;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.DictionaryLiteralElement;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.FileInput;
import org.sonar.plugins.python.api.tree.FunctionDef;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.Parameter;
import org.sonar.plugins.python.api.tree.ParameterList;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.SubscriptionExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S2068")
/* loaded from: input_file:org/sonar/python/checks/hotspots/HardCodedCredentialsCheck.class */
public class HardCodedCredentialsCheck extends PythonSubscriptionCheck {
    private static final String DEFAULT_CREDENTIAL_WORDS = "password,passwd,pwd,passphrase";
    private static final String FLASK_CONFIG_ASSIGNMENT_FQN = "flask.app.Flask.config";
    private static final String FLASK_CONFIG_CREDENTIAL_KEY = "SECRET_KEY";
    public static final String MESSAGE = "\"%s\" detected here, review this potentially hard-coded credential.";
    private Map<String, Integer> sensitiveArgumentByFQN;

    @RuleProperty(key = "credentialWords", description = "Comma separated list of words identifying potential credentials", defaultValue = DEFAULT_CREDENTIAL_WORDS)
    public String credentialWords = DEFAULT_CREDENTIAL_WORDS;
    private List<Pattern> variablePatterns = null;
    private List<Pattern> literalPatterns = null;

    private Map<String, Integer> sensitiveArgumentByFQN() {
        if (this.sensitiveArgumentByFQN == null) {
            this.sensitiveArgumentByFQN = new HashMap();
            this.sensitiveArgumentByFQN.put("mysql.connector.connect", 2);
            this.sensitiveArgumentByFQN.put("mysql.connector.connection.MySQLConnection", 2);
            this.sensitiveArgumentByFQN.put("pymysql.connect", 2);
            this.sensitiveArgumentByFQN.put("pymysql.connections.Connection", 2);
            this.sensitiveArgumentByFQN.put("psycopg2.connect", 2);
            this.sensitiveArgumentByFQN.put("pgdb.connect", 2);
            this.sensitiveArgumentByFQN.put("pg.DB", 5);
            this.sensitiveArgumentByFQN.put("pg.connect", 5);
            this.sensitiveArgumentByFQN = Collections.unmodifiableMap(this.sensitiveArgumentByFQN);
        }
        return this.sensitiveArgumentByFQN;
    }

    private Stream<Pattern> variablePatterns() {
        if (this.variablePatterns == null) {
            this.variablePatterns = toPatterns("");
        }
        return this.variablePatterns.stream();
    }

    private Stream<Pattern> literalPatterns() {
        if (this.literalPatterns == null) {
            this.literalPatterns = toPatterns("=(?!.*(" + ((String) Stream.of((Object[]) this.credentialWords.split(",")).map((v0) -> {
                return v0.trim();
            }).collect(Collectors.joining("|"))) + "))[^:%'?{\\s]+");
        }
        return this.literalPatterns.stream();
    }

    @Override // org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, subscriptionContext -> {
            handleAssignmentStatement((AssignmentStatement) subscriptionContext.syntaxNode(), subscriptionContext);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.STRING_LITERAL, subscriptionContext2 -> {
            handleStringLiteral((StringLiteral) subscriptionContext2.syntaxNode(), subscriptionContext2);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, subscriptionContext3 -> {
            handleCallExpression((CallExpression) subscriptionContext3.syntaxNode(), subscriptionContext3);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.REGULAR_ARGUMENT, subscriptionContext4 -> {
            handleRegularArgument((RegularArgument) subscriptionContext4.syntaxNode(), subscriptionContext4);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.PARAMETER_LIST, subscriptionContext5 -> {
            handleParameterList((ParameterList) subscriptionContext5.syntaxNode(), subscriptionContext5);
        });
        context.registerSyntaxNodeConsumer(Tree.Kind.DICTIONARY_LITERAL, subscriptionContext6 -> {
            handleDictionaryLiteral((DictionaryLiteral) subscriptionContext6.syntaxNode(), subscriptionContext6);
        });
    }

    private void handleDictionaryLiteral(DictionaryLiteral dictionaryLiteral, SubscriptionContext subscriptionContext) {
        for (DictionaryLiteralElement dictionaryLiteralElement : dictionaryLiteral.elements()) {
            if (dictionaryLiteralElement.is(Tree.Kind.KEY_VALUE_PAIR)) {
                checkKeyValuePair((KeyValuePair) dictionaryLiteralElement, subscriptionContext);
            }
        }
    }

    private void checkKeyValuePair(KeyValuePair keyValuePair, SubscriptionContext subscriptionContext) {
        String matchedCredential;
        if (keyValuePair.key().is(Tree.Kind.STRING_LITERAL) && keyValuePair.value().is(Tree.Kind.STRING_LITERAL) && (matchedCredential = matchedCredential(((StringLiteral) keyValuePair.key()).trimmedQuotesValue(), variablePatterns())) != null && isSuspiciousStringLiteral((StringLiteral) keyValuePair.value())) {
            subscriptionContext.addIssue(keyValuePair, String.format(MESSAGE, matchedCredential));
        }
    }

    private void handleParameterList(ParameterList parameterList, SubscriptionContext subscriptionContext) {
        for (Parameter parameter : parameterList.nonTuple()) {
            Name name = parameter.name();
            if (name != null) {
                Expression defaultValue = parameter.defaultValue();
                String matchedCredential = matchedCredential(name.name(), variablePatterns());
                if (matchedCredential != null && defaultValue != null && isSuspiciousStringLiteral(defaultValue)) {
                    subscriptionContext.addIssue(parameter, String.format(MESSAGE, matchedCredential));
                }
            }
        }
    }

    private void handleRegularArgument(RegularArgument regularArgument, SubscriptionContext subscriptionContext) {
        String matchedCredential;
        Name keywordArgument = regularArgument.keywordArgument();
        if (keywordArgument == null || (matchedCredential = matchedCredential(keywordArgument.name(), variablePatterns())) == null || !isSuspiciousStringLiteral(regularArgument.expression())) {
            return;
        }
        subscriptionContext.addIssue(regularArgument, String.format(MESSAGE, matchedCredential));
    }

    private void handleCallExpression(CallExpression callExpression, SubscriptionContext subscriptionContext) {
        Symbol calleeSymbol;
        if (callExpression.arguments().isEmpty() || (calleeSymbol = callExpression.calleeSymbol()) == null || !sensitiveArgumentByFQN().containsKey(calleeSymbol.fullyQualifiedName())) {
            return;
        }
        checkSensitiveArgument(callExpression, sensitiveArgumentByFQN().get(calleeSymbol.fullyQualifiedName()).intValue(), subscriptionContext);
    }

    private static void checkSensitiveArgument(CallExpression callExpression, int i, SubscriptionContext subscriptionContext) {
        for (int i2 = 0; i2 < callExpression.arguments().size(); i2++) {
            Argument argument = callExpression.arguments().get(i2);
            if (argument.is(Tree.Kind.REGULAR_ARGUMENT)) {
                RegularArgument regularArgument = (RegularArgument) argument;
                if (regularArgument.keywordArgument() != null) {
                    return;
                }
                if (i2 == i && regularArgument.expression().is(Tree.Kind.STRING_LITERAL) && !((StringLiteral) regularArgument.expression()).trimmedQuotesValue().isEmpty()) {
                    subscriptionContext.addIssue(regularArgument, "Review this potentially hard-coded credential.");
                }
            }
        }
    }

    private void handleStringLiteral(StringLiteral stringLiteral, SubscriptionContext subscriptionContext) {
        if (isDocString(stringLiteral) || stringLiteral.stringElements().stream().anyMatch((v0) -> {
            return v0.isInterpolated();
        })) {
            return;
        }
        String trimmedQuotesValue = stringLiteral.trimmedQuotesValue();
        if (isFlaskConfigAssignment(stringLiteral)) {
            if (FLASK_CONFIG_CREDENTIAL_KEY.equals(trimmedQuotesValue)) {
                subscriptionContext.addIssue(stringLiteral, String.format(MESSAGE, FLASK_CONFIG_CREDENTIAL_KEY));
            }
        } else {
            String matchedCredential = matchedCredential(trimmedQuotesValue, literalPatterns());
            if (matchedCredential != null) {
                subscriptionContext.addIssue(stringLiteral, String.format(MESSAGE, matchedCredential));
            }
            if (isURLWithCredentials(stringLiteral)) {
                subscriptionContext.addIssue(stringLiteral, "Review this hard-coded URL, which may contain a credential.");
            }
        }
    }

    private static boolean isFlaskConfigAssignment(Expression expression) {
        return expression.parent().is(Tree.Kind.ASSIGNMENT_STMT) ? ((AssignmentStatement) expression.parent()).lhsExpressions().stream().map((v0) -> {
            return v0.expressions();
        }).flatMap((v0) -> {
            return v0.stream();
        }).anyMatch((v0) -> {
            return isFlaskConfigSubscription(v0);
        }) : Optional.ofNullable(TreeUtils.firstAncestorOfKind(expression, Tree.Kind.SUBSCRIPTION)).filter(HardCodedCredentialsCheck::isFlaskConfigSubscription).isPresent();
    }

    private static boolean isFlaskConfigSubscription(Tree tree) {
        if (!tree.is(Tree.Kind.SUBSCRIPTION)) {
            return false;
        }
        Optional<String> subscriptionFqn = getSubscriptionFqn((SubscriptionExpression) tree);
        String str = FLASK_CONFIG_ASSIGNMENT_FQN;
        return subscriptionFqn.filter((v1) -> {
            return r1.equals(v1);
        }).isPresent();
    }

    private static Optional<String> getSubscriptionFqn(SubscriptionExpression subscriptionExpression) {
        Optional of = Optional.of(subscriptionExpression.object());
        Class<QualifiedExpression> cls = QualifiedExpression.class;
        Objects.requireNonNull(QualifiedExpression.class);
        return of.filter((v1) -> {
            return r1.isInstance(v1);
        }).map(expression -> {
            return ((QualifiedExpression) expression).name().symbol();
        }).map((v0) -> {
            return v0.fullyQualifiedName();
        });
    }

    private static boolean isDocString(StringLiteral stringLiteral) {
        return ((Boolean) Optional.ofNullable(TreeUtils.firstAncestorOfKind(stringLiteral, Tree.Kind.FILE_INPUT, Tree.Kind.CLASSDEF, Tree.Kind.FUNCDEF)).map(tree -> {
            return Boolean.valueOf((tree.is(Tree.Kind.FILE_INPUT) && stringLiteral.equals(((FileInput) tree).docstring())) || (tree.is(Tree.Kind.CLASSDEF) && stringLiteral.equals(((ClassDef) tree).docstring())) || (tree.is(Tree.Kind.FUNCDEF) && stringLiteral.equals(((FunctionDef) tree).docstring())));
        }).orElse(false)).booleanValue();
    }

    private static boolean isURLWithCredentials(StringLiteral stringLiteral) {
        if (!stringLiteral.trimmedQuotesValue().contains("://")) {
            return false;
        }
        try {
            String userInfo = new URL(stringLiteral.trimmedQuotesValue()).getUserInfo();
            if (userInfo != null) {
                return userInfo.matches("\\S+:\\S+");
            }
            return false;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    private void handleAssignmentStatement(AssignmentStatement assignmentStatement, SubscriptionContext subscriptionContext) {
        String matchedCredential;
        String credentialSymbolName;
        Expression expression = assignmentStatement.lhsExpressions().get(0).expressions().get(0);
        if ((expression instanceof HasSymbol) && (credentialSymbolName = credentialSymbolName(((HasSymbol) expression).symbol())) != null) {
            checkAssignedValue(assignmentStatement, credentialSymbolName, subscriptionContext);
        }
        if (expression.is(Tree.Kind.SUBSCRIPTION)) {
            for (Expression expression2 : ((SubscriptionExpression) expression).subscripts().expressions()) {
                if (expression2.is(Tree.Kind.STRING_LITERAL) && (matchedCredential = matchedCredential(((StringLiteral) expression2).trimmedQuotesValue(), variablePatterns())) != null) {
                    checkAssignedValue(assignmentStatement, matchedCredential, subscriptionContext);
                }
            }
        }
    }

    private void checkAssignedValue(AssignmentStatement assignmentStatement, String str, SubscriptionContext subscriptionContext) {
        Expression assignedValue = assignmentStatement.assignedValue();
        if (!isSuspiciousStringLiteral(assignedValue) || isFlaskConfigAssignment(assignedValue)) {
            return;
        }
        subscriptionContext.addIssue(assignmentStatement, String.format(MESSAGE, str));
    }

    private String credentialSymbolName(@CheckForNull Symbol symbol) {
        if (symbol != null) {
            return matchedCredential(symbol.name(), variablePatterns());
        }
        return null;
    }

    private boolean isSuspiciousStringLiteral(Tree tree) {
        return (!tree.is(Tree.Kind.STRING_LITERAL) || ((StringLiteral) tree).trimmedQuotesValue().isEmpty() || isCredential(((StringLiteral) tree).trimmedQuotesValue(), variablePatterns())) ? false : true;
    }

    private static boolean isCredential(String str, Stream<Pattern> stream) {
        return stream.anyMatch(pattern -> {
            return pattern.matcher(str).find();
        });
    }

    private static String matchedCredential(String str, Stream<Pattern> stream) {
        Optional<Pattern> findFirst = stream.filter(pattern -> {
            return pattern.matcher(str).find();
        }).findFirst();
        if (!findFirst.isPresent()) {
            return null;
        }
        String pattern2 = findFirst.get().pattern();
        int indexOf = pattern2.indexOf(61);
        return indexOf > 0 ? pattern2.substring(0, indexOf) : pattern2;
    }

    private List<Pattern> toPatterns(String str) {
        return Stream.of((Object[]) this.credentialWords.split(",")).map((v0) -> {
            return v0.trim();
        }).map(str2 -> {
            return Pattern.compile(str2 + str, 2);
        }).toList();
    }
}
