package org.sonar.python.checks.hotspots;

import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.DictionaryLiteralElement;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.tree.UnpackingExpression;
import org.sonar.plugins.python.api.types.BuiltinTypes;
import org.sonar.plugins.python.api.types.v2.TriBool;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.tree.TreeUtils;
import org.sonar.python.types.v2.TypeCheckBuilder;
import org.sonar.python.types.v2.TypeCheckMap;

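/**
 * Rule S6377: reports calls made on a {@code signxml.XMLVerifier} that do not tell the verifier
 * which signer to trust.
 *
 * <p>Two situations are reported on such a call:
 * <ul>
 *   <li>none of the keyword arguments listed in {@link #VERIFY_REQUIRED_ONE_OF} is passed, either
 *       directly or through a {@code **} unpacking that can be resolved statically;</li>
 *   <li>the {@code expect_config} keyword resolves to a {@code signxml.SignatureConfiguration(...)}
 *       call whose {@code require_x509} argument is falsy, or whose {@code signature_methods} list
 *       literal contains an element that is not one of the four HMAC signature methods registered
 *       in {@link #registerTypeCheckers}.</li>
 * </ul>
 *
 * <p>The type checkers are rebuilt for every analysed file (on {@code FILE_INPUT}) and kept in
 * instance fields.
 */
@Rule(key = "S6377")
public class XMLSignatureValidationCheck extends PythonSubscriptionCheck {
    // Keyword arguments of the verify call; the call is reported when none of them is present.
    private static final List<String> VERIFY_REQUIRED_ONE_OF = List.of("x509_cert", "cert_subject_name", "cert_resolver", "ca_pem_file", "ca_path", "hmac_key");
    private static final String MESSAGE = "Change this code to only accept signatures computed from a trusted party.";
    private static final String MESSAGE_SECONDARY = "Unsafe parameter set here";
    private TypeCheckBuilder xmlVerifierVerifyTypeChecker;
    private TypeCheckBuilder dictTypeChecker;
    private TypeCheckBuilder signatureConfigurationTypeChecker;
    private TypeCheckMap<Boolean> signatureMethodTypeCheckMap;

    /**
     * Subscribes to file roots (to rebuild the type checkers) and to call expressions (to run the
     * rule).
     *
     * @param context registration context supplied by the analyzer
     */
    @Override
    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::registerTypeCheckers);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpr);
    }

    /**
     * Builds the type checkers used by this rule from the type checker of the current file.
     *
     * @param subscriptionContext context of the {@code FILE_INPUT} node being visited
     */
    private void registerTypeCheckers(SubscriptionContext subscriptionContext) {
        this.xmlVerifierVerifyTypeChecker = fqnChecker(subscriptionContext, "signxml.XMLVerifier");
        this.dictTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName(BuiltinTypes.DICT);
        this.signatureConfigurationTypeChecker = fqnChecker(subscriptionContext, "signxml.SignatureConfiguration");
        // Only the HMAC members are registered; getOffendingInList treats every list element that
        // does not match one of these entries as offending.
        this.signatureMethodTypeCheckMap = TypeCheckMap.ofEntries(
            Map.entry(fqnChecker(subscriptionContext, "signxml.SignatureMethod.HMAC_SHA224"), true),
            Map.entry(fqnChecker(subscriptionContext, "signxml.SignatureMethod.HMAC_SHA256"), true),
            Map.entry(fqnChecker(subscriptionContext, "signxml.SignatureMethod.HMAC_SHA384"), true),
            Map.entry(fqnChecker(subscriptionContext, "signxml.SignatureMethod.HMAC_SHA512"), true));
    }

    /** Returns a fresh type check builder matching the given fully qualified name. */
    private static TypeCheckBuilder fqnChecker(SubscriptionContext subscriptionContext, String fullyQualifiedName) {
        return subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(fullyQualifiedName);
    }

    /**
     * Runs the rule on one call expression.
     *
     * <p>Keyword arguments are collected by name; keys coming from {@code **name} are added when
     * {@code name} resolves to a single assigned {@code dict(...)} call or dictionary literal. An
     * unpacking that cannot be resolved contributes no keys, so the call is still reported when no
     * other required keyword is present.
     *
     * @param subscriptionContext context whose syntax node is the call expression to inspect
     */
    private void checkCallExpr(SubscriptionContext subscriptionContext) {
        CallExpression callExpression = (CallExpression) subscriptionContext.syntaxNode();
        Optional<QualifiedExpression> verifyCallee = Optional.of(callExpression)
            .map(CallExpression::callee)
            .flatMap(TreeUtils.toOptionalInstanceOfMapper(QualifiedExpression.class))
            .filter(this::qualifiedExpressionIsVerifyCall);
        if (verifyCallee.isEmpty()) {
            return;
        }

        Map<String, Tree> keywordArguments = new HashMap<>();
        Set<Expression> expanding = newExpansionGuard();
        for (Argument argument : callExpression.arguments()) {
            if (argument instanceof RegularArgument regularArgument) {
                // Positional arguments all share the "" key; only keyword names matter below.
                String keyword = Optional.ofNullable(regularArgument.keywordArgument()).map(Name::name).orElse("");
                keywordArguments.put(keyword, regularArgument.expression());
            } else {
                keywordArguments.putAll(unpackedKeys(argument, expanding));
            }
        }

        if (Collections.disjoint(keywordArguments.keySet(), VERIFY_REQUIRED_ONE_OF)) {
            subscriptionContext.addIssue(callExpression.callee(), MESSAGE);
        }
        Tree expectConfig = keywordArguments.get("expect_config");
        if (expectConfig != null) {
            checkExpectConfig(subscriptionContext, expectConfig, callExpression);
        }
    }

    /**
     * Reports the verify call when its {@code expect_config} value is a
     * {@code signxml.SignatureConfiguration(...)} call with a falsy {@code require_x509} (first
     * positional or keyword) or with offending entries in {@code signature_methods} (fourth
     * positional or keyword). The two conditions are evaluated independently, so one call can
     * receive two issues.
     *
     * @param subscriptionContext context used to raise issues
     * @param tree value passed as {@code expect_config}; a name is replaced by its single assigned value
     * @param callExpression the verify call on which the issue is raised
     */
    private void checkExpectConfig(SubscriptionContext subscriptionContext, Tree tree, CallExpression callExpression) {
        if (!(replaceBySingleAssigned(tree) instanceof CallExpression configCall)
            || this.signatureConfigurationTypeChecker.check(configCall.callee().typeV2()) != TriBool.TRUE) {
            return;
        }
        TreeUtils.nthArgumentOrKeywordOptional(0, "require_x509", configCall.arguments())
            .filter(argument -> Expressions.isFalsy(argument.expression()))
            .ifPresent(argument -> subscriptionContext.addIssue(callExpression, MESSAGE).secondary(argument, MESSAGE_SECONDARY));
        TreeUtils.nthArgumentOrKeywordOptional(3, "signature_methods", configCall.arguments())
            .map(this::getOffendingInList)
            .filter(offending -> !offending.isEmpty())
            .ifPresent(offending -> {
                PythonCheck.PreciseIssue issue = subscriptionContext.addIssue(callExpression, MESSAGE);
                offending.forEach(expression -> issue.secondary(expression, MESSAGE_SECONDARY));
            });
    }

    /**
     * Returns the single assigned non-name value of {@code tree} when it is a name, otherwise
     * {@code tree} itself.
     *
     * @return the resolved tree, or {@code null} when a name has no single assigned value
     */
    private static Tree replaceBySingleAssigned(Tree tree) {
        if (tree.is(Tree.Kind.NAME)) {
            return Expressions.singleAssignedNonNameValue((Name) tree).orElse(null);
        }
        return tree;
    }

    /**
     * Lists the elements of a {@code signature_methods} list literal that match none of the
     * registered HMAC signature methods.
     *
     * @param regularArgument the {@code signature_methods} argument; a name is resolved to its
     *     single assigned value first
     * @return the non-matching elements; empty when the argument is not a list literal
     */
    private List<Expression> getOffendingInList(RegularArgument regularArgument) {
        return TreeUtils.toOptionalInstanceOf(ListLiteral.class, replaceBySingleAssigned(regularArgument.expression()))
            .map(ListLiteral::elements)
            .map(elements -> elements.expressions())
            .stream()
            .flatMap(List::stream)
            .filter(expression -> this.signatureMethodTypeCheckMap.getOptionalForType(expression.typeV2()).isEmpty())
            .toList();
    }

    /**
     * Collects the statically known keys of a dictionary-like expression used in a {@code **}
     * unpacking.
     *
     * @param expression a {@code dict(...)} call or a dictionary literal; anything else yields no keys
     * @return key name to value tree; empty when nothing can be resolved
     */
    private Map<String, Tree> keysInUnpacking(Expression expression) {
        return keysInUnpacking(expression, newExpansionGuard());
    }

    /**
     * Implementation of {@link #keysInUnpacking(Expression)} that tracks the expressions currently
     * being expanded.
     *
     * <p>Nested {@code **name} entries are followed through their single assigned value and
     * expanded recursively. Nothing visible in this class bounds that recursion, so an expression
     * that is already being expanded further up the stack yields an empty map instead of being
     * re-entered. Expressions are removed from the guard once expanded, which keeps the result
     * unchanged for every input that does not loop.
     */
    private Map<String, Tree> keysInUnpacking(Expression expression, Set<Expression> expanding) {
        if (!expanding.add(expression)) {
            return Map.of();
        }
        try {
            if (expression instanceof CallExpression callExpression
                && this.dictTypeChecker.check(callExpression.callee().typeV2()) == TriBool.TRUE) {
                // The last occurrence of a keyword wins, as with HashMap.put in the literal branch.
                // Without a merge function Collectors.toMap throws IllegalStateException on a
                // repeated keyword, which would abort the check on such code.
                return callExpression.arguments().stream()
                    .flatMap(TreeUtils.toStreamInstanceOfMapper(RegularArgument.class))
                    .filter(argument -> argument.keywordArgument() != null)
                    .collect(Collectors.toMap(
                        argument -> argument.keywordArgument().name(),
                        RegularArgument::expression,
                        (first, second) -> second));
            }
            if (!(expression instanceof DictionaryLiteral dictionary)) {
                return Map.of();
            }
            Map<String, Tree> keys = new HashMap<>();
            for (DictionaryLiteralElement element : dictionary.elements()) {
                if (element instanceof KeyValuePair pair) {
                    // Keys that do not resolve to a non-empty string are ignored.
                    String key = CommonValidationUtils.singleAssignedString(pair.key());
                    if (!key.isEmpty()) {
                        keys.put(key, pair.value());
                    }
                } else {
                    keys.putAll(unpackedKeys(element, expanding));
                }
            }
            return keys;
        } finally {
            expanding.remove(expression);
        }
    }

    /**
     * Resolves {@code **name} to the keys of the value singly assigned to {@code name}.
     *
     * @param element an argument or dictionary element; anything that is not an unpacking of a
     *     plain name with a single assigned value yields no keys
     * @param expanding expressions currently being expanded, see
     *     {@link #keysInUnpacking(Expression, Set)}
     */
    private Map<String, Tree> unpackedKeys(Tree element, Set<Expression> expanding) {
        return TreeUtils.toOptionalInstanceOf(UnpackingExpression.class, element)
            .map(UnpackingExpression::expression)
            .flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class))
            .flatMap(Expressions::singleAssignedNonNameValue)
            .map(value -> keysInUnpacking(value, expanding))
            .orElseGet(Map::of);
    }

    /** Creates an empty identity-based set used to detect re-entrant expansion. */
    private static Set<Expression> newExpansionGuard() {
        return Collections.newSetFromMap(new IdentityHashMap<>());
    }

    /**
     * Tells whether the qualifier of the callee is typed as {@code signxml.XMLVerifier}, either
     * as the callee of a call ({@code XMLVerifier().m(...)}) or as a name ({@code verifier.m(...)}).
     *
     * <p>NOTE(review): the attribute name of the qualified expression is not inspected, so any
     * method invoked on such a qualifier is treated as the verify call. Confirm that this is
     * intended before narrowing it to {@code verify}.
     */
    private boolean qualifiedExpressionIsVerifyCall(QualifiedExpression qualifiedExpression) {
        Expression qualifier = qualifiedExpression.qualifier();
        if (qualifier instanceof CallExpression constructorCall) {
            return this.xmlVerifierVerifyTypeChecker.check(constructorCall.callee().typeV2()) == TriBool.TRUE;
        }
        if (qualifier instanceof Name name) {
            return this.xmlVerifierVerifyTypeChecker.check(name.typeV2()) == TriBool.TRUE;
        }
        return false;
    }
}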
