package org.sonar.python.checks;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.ArgList;
import org.sonar.plugins.python.api.tree.Argument;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.plugins.python.api.tree.UnpackingExpression;
import org.sonar.plugins.python.api.types.v2.TriBool;
import org.sonar.python.checks.utils.Expressions;
import org.sonar.python.semantic.v2.SymbolV2;
import org.sonar.python.tree.TreeUtils;
import org.sonar.python.types.v2.TypeCheckBuilder;
import org.sonar.python.types.v2.TypeCheckMap;

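/**
 * Rule S2053: reports password-hashing and key-derivation calls whose salt is missing or predictable.
 *
 * <p>For every call whose callee type matches an entry of {@link #SENSITIVE_ARGUMENT_BY_FQN}, the
 * salt argument is located by position or keyword and an issue is raised when:
 * <ul>
 *   <li>the salt traces back to a string literal, directly, through single-assignment variables,
 *       or through the wrappers listed in {@link #SALT_FUNCTION_ARGUMENTS_TO_CHECK};</li>
 *   <li>the salt is the same variable as the argument it must differ from (the password);</li>
 *   <li>the salt variable is also passed to one of the {@link #SENSITIVE_DERIVE_FUNCTIONS_FQN} calls;</li>
 *   <li>the salt is required but absent and the call has no unpacking argument.</li>
 * </ul>
 *
 * <p>Scope caveat: only a string literal at the end of the trace counts as predictable. Any other
 * expression kind ends the trace without an issue, so a clean result does not show the salt is random.
 *
 * <p>This listing is decompiler output. The members the decompiler marked "access modifiers changed
 * from: private" are kept {@code public} here so the visible signatures stay as listed.
 */
@Rule(key = "S2053")
/* loaded from: input_file:org/sonar/python/checks/PredictableSaltCheck.class */
public class PredictableSaltCheck extends PythonSubscriptionCheck {
    private static final String MISSING_SALT_MESSAGE = "Add an unpredictable salt value to this hash.";
    private static final String PREDICTABLE_SALT_MESSAGE = "Make this salt unpredictable.";
    private static final String DIFFERENT_SALT_THAN_KEY_MATERIAL_MESSAGE = "Make this salt different than the derived key material.";
    private static final String SALT_IS_USED_HERE_MESSAGE = "The salt is used in the derive method here.";
    private static final String SALT_ARGUMENT_NAME = "salt";
    private static final String PASSWORD_ARGUMENT_NAME = "password";

    /**
     * Fully qualified name of each checked function or constructor, mapped to where its salt
     * argument is found and, when present, the argument the salt must not be identical to.
     */
    private static final Map<String, ArgumentInfo> SENSITIVE_ARGUMENT_BY_FQN = Map.ofEntries(
        Map.entry("hashlib.pbkdf2_hmac", new ArgumentInfo(2, SALT_ARGUMENT_NAME, new ArgumentInfo(1, PASSWORD_ARGUMENT_NAME))),
        Map.entry("hashlib.scrypt", new ArgumentInfo(4, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        Map.entry("crypt.crypt", new ArgumentInfo(1, SALT_ARGUMENT_NAME)),
        Map.entry("cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC", new ArgumentInfo(2, SALT_ARGUMENT_NAME)),
        Map.entry("cryptography.hazmat.primitives.kdf.scrypt.Scrypt", new ArgumentInfo(0, SALT_ARGUMENT_NAME)),
        Map.entry("Cryptodome.Protocol.KDF.PBKDF2", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        Map.entry("Cryptodome.Protocol.KDF.scrypt", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        // NOTE(review): unlike "Crypto.Protocol.KDF.bcrypt" below, this entry leaves the salt
        // required, so a call that omits it is reported as missing a salt. The two package names
        // presumably expose the same function; confirm which setting is intended.
        Map.entry("Cryptodome.Protocol.KDF.bcrypt", new ArgumentInfo(2, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        Map.entry("Crypto.Protocol.KDF.PBKDF2", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        Map.entry("Crypto.Protocol.KDF.scrypt", new ArgumentInfo(1, SALT_ARGUMENT_NAME, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))),
        // required = false: omitting the salt is not reported for this function.
        Map.entry("Crypto.Protocol.KDF.bcrypt", new ArgumentInfo(2, SALT_ARGUMENT_NAME, false, new ArgumentInfo(0, PASSWORD_ARGUMENT_NAME))));

    /** Derive methods; a salt variable that is also passed to one of these is reported. */
    private static final List<String> SENSITIVE_DERIVE_FUNCTIONS_FQN = List.of(
        "cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC.derive",
        "cryptography.hazmat.primitives.kdf.scrypt.Scrypt.derive");

    /**
     * Wrapper functions the salt trace looks through: when the salt is a call to one of these,
     * the trace continues with the listed argument of that call.
     */
    private static final Map<String, ArgumentInfo> SALT_FUNCTION_ARGUMENTS_TO_CHECK = Map.of(
        "bytes.fromhex", new ArgumentInfo(0, "__string"),
        "bytearray.fromhex", new ArgumentInfo(0, "__string"),
        "base64.b64decode", new ArgumentInfo(0, "s"),
        "base64.b64encode", new ArgumentInfo(0, "s"),
        "base64.b32encode", new ArgumentInfo(0, "s"),
        "base64.b32decode", new ArgumentInfo(0, "s"),
        "base64.b16encode", new ArgumentInfo(0, "s"),
        "base64.b16decode", new ArgumentInfo(0, "s"));

    /**
     * Location of an argument in a call, by position and keyword name.
     *
     * <p>Declared as a record: the decompiled form ({@code extends Record} with hand-written
     * {@code ObjectMethods.bootstrap} calls) is not valid Java source. The record generates the
     * same accessors and the same {@code equals}/{@code hashCode}/{@code toString}.
     *
     * @param position zero-based positional index of the argument
     * @param name keyword name of the argument
     * @param required whether a call without this argument is reported
     * @param shouldNotBeSameAsArgument argument this one must not be identical to, or {@code null}
     */
    /* loaded from: input_file:org/sonar/python/checks/PredictableSaltCheck$ArgumentInfo.class */
    public record ArgumentInfo(int position, String name, boolean required, @Nullable ArgumentInfo shouldNotBeSameAsArgument) {

        /** Required argument with no companion argument to compare against. */
        private ArgumentInfo(int position, String name) {
            this(position, name, true, null);
        }

        /** Required argument that must differ from {@code shouldNotBeSameAsArgument}. */
        private ArgumentInfo(int position, String name, ArgumentInfo shouldNotBeSameAsArgument) {
            this(position, name, true, shouldNotBeSameAsArgument);
        }
    }

    /**
     * Registers the two node consumers: one builds the type checks on {@code FILE_INPUT}, the
     * other inspects every {@code CALL_EXPR}.
     */
    @Override // org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        TypeCheckMap<ArgumentInfo> sensitiveArgumentChecks = new TypeCheckMap<>();
        TypeCheckMap<ArgumentInfo> saltFunctionChecks = new TypeCheckMap<>();
        List<TypeCheckBuilder> deriveCallChecks = new ArrayList<>();
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT,
            ctx -> initializeTypeChecks(ctx, sensitiveArgumentChecks, saltFunctionChecks, deriveCallChecks));
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR,
            ctx -> handleCallExpression((CallExpression) ctx.syntaxNode(), ctx, sensitiveArgumentChecks, saltFunctionChecks, deriveCallChecks));
    }

    /**
     * Builds one type check per configured fully qualified name, using the type checker of
     * {@code subscriptionContext}, and stores it in the matching collection.
     *
     * <p>NOTE(review): every {@code FILE_INPUT} visit appends to {@code list} and puts into both
     * maps; nothing visible here clears them. If one check instance analyses several files the
     * list grows with each file; confirm against how the framework instantiates checks.
     *
     * @param typeCheckMap receives the checks for {@link #SENSITIVE_ARGUMENT_BY_FQN}
     * @param typeCheckMap2 receives the checks for {@link #SALT_FUNCTION_ARGUMENTS_TO_CHECK}
     * @param list receives the checks for {@link #SENSITIVE_DERIVE_FUNCTIONS_FQN}
     */
    public static void initializeTypeChecks(SubscriptionContext subscriptionContext, TypeCheckMap<ArgumentInfo> typeCheckMap, TypeCheckMap<ArgumentInfo> typeCheckMap2, List<TypeCheckBuilder> list) {
        SENSITIVE_ARGUMENT_BY_FQN.forEach((fqn, saltInfo) ->
            typeCheckMap.put(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn), saltInfo));
        SALT_FUNCTION_ARGUMENTS_TO_CHECK.forEach((fqn, wrappedInfo) ->
            typeCheckMap2.put(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn), wrappedInfo));
        SENSITIVE_DERIVE_FUNCTIONS_FQN.forEach(fqn ->
            list.add(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(fqn)));
    }

    /**
     * Looks up the callee type of {@code callExpression} in {@code typeCheckMap} and, when an
     * entry is found, checks the salt argument of the call.
     */
    public static void handleCallExpression(CallExpression callExpression, SubscriptionContext subscriptionContext, TypeCheckMap<ArgumentInfo> typeCheckMap, TypeCheckMap<ArgumentInfo> typeCheckMap2, List<TypeCheckBuilder> list) {
        Optional.of(callExpression)
            .map(CallExpression::callee)
            .map(callee -> callee.typeV2())
            .map(typeCheckMap::getForType)
            .ifPresent(saltInfo -> checkArguments(callExpression, saltInfo, subscriptionContext, typeCheckMap2, list));
    }

    /**
     * Runs the salt checks on one sensitive call. When the salt argument is present the three
     * checks run in order and stop at the first one that raises, so a salt gets at most one
     * issue. When it is absent, a missing-salt issue is raised on the callee if the salt is
     * required.
     */
    public static void checkArguments(CallExpression callExpression, ArgumentInfo argumentInfo, SubscriptionContext subscriptionContext, TypeCheckMap<ArgumentInfo> typeCheckMap, List<TypeCheckBuilder> list) {
        RegularArgument saltArgument = TreeUtils.nthArgumentOrKeyword(argumentInfo.position(), argumentInfo.name(), callExpression.arguments());
        if (saltArgument != null) {
            if (!hasRaisedOnSensitiveArgument(saltArgument, subscriptionContext, typeCheckMap)
                && !hasRaisedOnSameArgument(saltArgument, argumentInfo, callExpression, subscriptionContext)) {
                hasRaisedOnSameSaltAndDerivedKeyMaterial(saltArgument, list, subscriptionContext);
            }
            return;
        }
        // A call with an unpacking argument is skipped, presumably because the salt may be
        // supplied through it and cannot be seen here.
        if (argumentInfo.required() && callExpression.arguments().stream().noneMatch(UnpackingExpression.class::isInstance)) {
            subscriptionContext.addIssue(callExpression.callee(), MISSING_SALT_MESSAGE);
        }
    }

    /**
     * Raises an issue when the salt is a name whose symbol is also passed as an argument to one
     * of the derive calls, with each such use as a secondary location.
     *
     * @return {@code true} when an issue was raised
     */
    private static boolean hasRaisedOnSameSaltAndDerivedKeyMaterial(RegularArgument regularArgument, List<TypeCheckBuilder> list, SubscriptionContext subscriptionContext) {
        if (!regularArgument.expression().is(Tree.Kind.NAME)) {
            return false;
        }
        SymbolV2 saltSymbol = ((Name) regularArgument.expression()).symbolV2();
        if (saltSymbol == null) {
            return false;
        }
        List<Expression> deriveUsages = saltSymbol.usages().stream()
            .map(usage -> usage.tree().parent())
            .flatMap(TreeUtils.toStreamInstanceOfMapper(RegularArgument.class))
            .filter(otherArgument -> !otherArgument.equals(regularArgument))
            .filter(otherArgument -> isUsedInDeriveCall(otherArgument, list))
            .map(RegularArgument::expression)
            .toList();
        if (deriveUsages.isEmpty()) {
            return false;
        }
        PythonCheck.PreciseIssue issue = subscriptionContext.addIssue(regularArgument, DIFFERENT_SALT_THAN_KEY_MATERIAL_MESSAGE);
        deriveUsages.forEach(usage -> issue.secondary(usage, SALT_IS_USED_HERE_MESSAGE));
        return true;
    }

    /**
     * Tells whether {@code regularArgument} belongs to a call whose callee is a qualified
     * expression and whose member name has a type matching one of the derive checks.
     */
    public static boolean isUsedInDeriveCall(RegularArgument regularArgument, List<TypeCheckBuilder> list) {
        return Optional.ofNullable(regularArgument.parent())
            .flatMap(TreeUtils.toOptionalInstanceOfMapper(ArgList.class))
            .map(ArgList::parent)
            .flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class))
            .map(CallExpression::callee)
            .flatMap(TreeUtils.toOptionalInstanceOfMapper(QualifiedExpression.class))
            .map(callee -> list.stream().anyMatch(deriveCheck -> deriveCheck.check(callee.name().typeV2()) == TriBool.TRUE))
            .orElse(false);
    }

    /**
     * Compares the salt with the argument it must differ from, when the entry names one and the
     * call supplies it.
     *
     * @return {@code true} when an issue was raised
     */
    private static boolean hasRaisedOnSameArgument(RegularArgument regularArgument, ArgumentInfo argumentInfo, CallExpression callExpression, SubscriptionContext subscriptionContext) {
        return Optional.ofNullable(argumentInfo.shouldNotBeSameAsArgument())
            .map(otherInfo -> TreeUtils.nthArgumentOrKeyword(otherInfo.position(), otherInfo.name(), callExpression.arguments()))
            .map(otherArgument -> raisedOnSameArgument(regularArgument, otherArgument, subscriptionContext))
            .orElse(false);
    }

    /**
     * Raises an issue on the salt when both arguments are names bound to the same symbol, with
     * the other argument as secondary location.
     *
     * @return {@code true} when an issue was raised
     */
    private static boolean raisedOnSameArgument(RegularArgument regularArgument, RegularArgument regularArgument2, SubscriptionContext subscriptionContext) {
        if (!(regularArgument.expression() instanceof Name saltName)) {
            return false;
        }
        if (!(regularArgument2.expression() instanceof Name otherName)) {
            return false;
        }
        SymbolV2 saltSymbol = saltName.symbolV2();
        // Two names without a symbol are not known to be the same variable: comparing null with
        // null would report unrelated arguments as identical.
        if (saltSymbol == null || saltSymbol != otherName.symbolV2()) {
            return false;
        }
        subscriptionContext.addIssue(regularArgument, PREDICTABLE_SALT_MESSAGE).secondary(regularArgument2, "");
        return true;
    }

    /**
     * Traces the salt back to its origin and raises an issue when it ends in a string literal.
     * A name is replaced by its single assigned value, a call by the argument selected in
     * {@code typeCheckMap}; any other expression kind ends the trace without an issue. The
     * assignments crossed on the way become secondary locations.
     *
     * @return {@code true} when an issue was raised
     */
    private static boolean hasRaisedOnSensitiveArgument(RegularArgument regularArgument, SubscriptionContext subscriptionContext, TypeCheckMap<ArgumentInfo> typeCheckMap) {
        ArrayList<Tree> secondaryLocations = new ArrayList<>();
        List<Expression> visited = new ArrayList<>();
        Expression current = regularArgument.expression();
        // Stop on a node seen before. getCallExpressionArgumentValueToCheck hands back the call
        // itself when a known wrapper is called without its argument, which would otherwise be
        // re-examined forever and stall the analysis; the guard also ends any assignment cycle.
        while (current != null && !isAlreadyVisited(visited, current)) {
            visited.add(current);
            if (current instanceof Name name) {
                current = getNameAssignedValueToCheck(name, secondaryLocations);
            } else if (current instanceof CallExpression call) {
                current = getCallExpressionArgumentValueToCheck(typeCheckMap, call, current);
            } else if (current instanceof StringLiteral) {
                PythonCheck.PreciseIssue issue = subscriptionContext.addIssue(regularArgument, PREDICTABLE_SALT_MESSAGE);
                secondaryLocations.forEach(location -> issue.secondary(location, ""));
                return true;
            } else {
                current = null;
            }
        }
        return false;
    }

    /** Tells whether {@code candidate} is, by identity, one of the nodes already in {@code visited}. */
    private static boolean isAlreadyVisited(List<Expression> visited, Expression candidate) {
        for (Expression seen : visited) {
            if (seen == candidate) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the single value assigned to {@code name}, or {@code null} when there is none, and
     * records the enclosing assignment statement of that value in {@code arrayList}.
     */
    private static Expression getNameAssignedValueToCheck(Name name, ArrayList<Tree> arrayList) {
        Expression assignedValue = Expressions.singleAssignedValue(name);
        if (assignedValue != null) {
            arrayList.add(TreeUtils.firstAncestorOfKind(assignedValue, Tree.Kind.ASSIGNMENT_STMT));
        }
        return assignedValue;
    }

    /**
     * Selects the expression to examine next for a call found on the salt trace.
     *
     * @return the configured argument's expression when the callee type is in {@code typeCheckMap}
     *     and the argument is present; {@code expression} when the callee is known but the
     *     argument is absent; {@code null} when the callee type is not in the map
     */
    private static Expression getCallExpressionArgumentValueToCheck(TypeCheckMap<ArgumentInfo> typeCheckMap, CallExpression callExpression, Expression expression) {
        return Optional.of(callExpression)
            .map(CallExpression::callee)
            .map(callee -> callee.typeV2())
            .map(typeCheckMap::getForType)
            .map(wrappedInfo -> Optional.ofNullable(TreeUtils.nthArgumentOrKeyword(wrappedInfo.position(), wrappedInfo.name(), callExpression.arguments()))
                .map(RegularArgument::expression)
                .orElse(expression))
            .orElse(null);
    }
}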
