package org.sonar.plugins.xml.checks.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.xpath.XPathExpression;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonarsource.analyzer.commons.xml.XPathBuilder;
import org.sonarsource.analyzer.commons.xml.XmlFile;
import org.sonarsource.analyzer.commons.xml.checks.SimpleXPathBasedCheck;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

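/**
 * XML check registered under rule key {@code S2068} that reports values which look like
 * hard-coded credentials.
 *
 * <p>Two detection passes run for every file (see {@link #scanFile(XmlFile)}):
 * <ol>
 *   <li>a generic walk over the whole DOM that looks at elements and attributes whose local name
 *       is one of the configured {@link #credentialWords};</li>
 *   <li>a fixed list of XPath-based {@link SpecialCase}s for locations whose names do not
 *       contain a credential word.</li>
 * </ol>
 *
 * <p>Detection caveats a rule maintainer should keep in mind:
 * <ul>
 *   <li>Name matching is an exact, case-insensitive comparison of the node's local name with a
 *       credential word, so a name that merely contains a word (for example a prefixed or
 *       suffixed variant) is not matched by the generic pass.</li>
 *   <li>Any value that starts with <code>${</code>, <code>#{</code> or <code>{{</code> is treated
 *       as a placeholder and never reported; the pattern does not require a closing brace.</li>
 * </ul>
 */
@Rule(key = "S2068")
/* loaded from: input_file:org/sonar/plugins/xml/checks/security/HardcodedCredentialsCheck.class */
public class HardcodedCredentialsCheck extends SimpleXPathBasedCheck {
    private static final String VALUE = "value";
    private static final Set<String> VALUE_ATTRIBUTE = Collections.singleton(VALUE);

    // Values accepted as "not hard-coded": anything beginning with "{{", "${" or "#{".
    // DOTALL lets ".*" span line breaks, so multi-line values are matched as a whole.
    private static final Pattern VALID_CREDENTIAL_VALUES = Pattern.compile("[\\{$#]\\{.*", Pattern.DOTALL);
    private static final String DEFAULT_CREDENTIAL_WORDS = "password,passwd,pwd,passphrase";

    @RuleProperty(key = "credentialWords", description = "Comma separated list of words identifying potential credentials", defaultValue = DEFAULT_CREDENTIAL_WORDS)
    public String credentialWords = DEFAULT_CREDENTIAL_WORDS;

    // Lazily built, normalised form of credentialWords; see credentialWordsSet().
    private Set<String> cleanedCredentialWords = null;

    // Locations that hold secrets under names the generic word list does not cover.
    // The last constructor argument selects where the issue is reported: true reports on the
    // node returned by the getter, false on the node matched by the XPath expression.
    private final List<SpecialCase> specialCases = Arrays.asList(
        new SpecialCase(
            "/FileZilla3/Servers/Server/Pass"
                + "|/FileZilla3/RecentServers/Server/Pass",
            HardcodedCredentialsCheck::getTextValueSafe,
            false),
        new SpecialCase(
            "/jenkins.plugins.publish_over_ssh.BapSshHostConfiguration/secretPassword"
                + "|/jenkins.plugins.publish_over_ssh.BapSshHostConfiguration/commonConfig/secretPassphrase"
                + "|/jenkins.plugins.publish_over_ssh.BapSshHostConfiguration/keyInfo/secretPassphrase",
            HardcodedCredentialsCheck::getTextValueSafe,
            false),
        new SpecialCase(
            "/SonarQubeAnalysisProperties/Property[@Name='sonar.login']"
                + "|project/properties/sonar.login",
            HardcodedCredentialsCheck::getTextValueSafe,
            false),
        new SpecialCase(
            "/beans/bean/property/list/bean["
                + "@class='org.springframework.social.facebook.connect.FacebookConnectionFactory'"
                + " or @class='org.springframework.social.github.connect.GitHubConnectionFactory'"
                + " or @class='org.springframework.social.google.connect.GoogleConnectionFactory'"
                + " or @class='org.springframework.social.linkedin.connect.LinkedinConnectionFactory'"
                + " or @class='org.springframework.social.twitter.connect.TwitterConnectionFactory'"
                + "]/constructor-arg[2]",
            node -> getAttributeSafe(node, VALUE),
            false),
        new SpecialCase(
            XPathBuilder.forExpression("/b:beans/f:config|/b:beans/gh:config|/b:beans/gg:config|/b:beans/l:config|/b:beans/t:config")
                .withNamespace("b", "http://www.springframework.org/schema/beans")
                .withNamespace("f", "http://www.springframework.org/schema/social/facebook")
                .withNamespace("gh", "http://www.springframework.org/schema/social/github")
                .withNamespace("gg", "http://www.springframework.org/schema/social/google")
                .withNamespace("l", "http://www.springframework.org/schema/social/linkedin")
                .withNamespace("t", "http://www.springframework.org/schema/social/twitter")
                .build(),
            node -> getAttributeSafe(node, "app-secret"),
            true),
        new SpecialCase(
            "/security-domain/authentication/login-module/module-option["
                + "@name='consumer-key' or @name='consumer-secret'or @name='access-key'or @name='access-secret']",
            node -> getAttributeSafe(node, VALUE),
            false));

    /**
     * One XPath-addressed location that is known to carry a secret, together with the way to
     * extract the node holding the value.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/plugins/xml/checks/security/HardcodedCredentialsCheck$SpecialCase.class */
    public class SpecialCase implements Consumer<XmlFile> {
        private final XPathExpression xpathExpression;
        private final Function<Node, Optional<Node>> credentialGetter;
        private final boolean usesNamespaces;
        private final boolean reportOnAttribute;

        /**
         * Builds a case from a plain XPath string; it is evaluated against the
         * namespace-unaware document.
         *
         * @param str XPath expression selecting the candidate nodes
         * @param function extracts the node holding the credential value from a selected node
         * @param z {@code true} to report on the extracted node, {@code false} to report on the
         *     selected node
         */
        private SpecialCase(String str, Function<Node, Optional<Node>> function, boolean z) {
            this.xpathExpression = HardcodedCredentialsCheck.this.getXPathExpression(str);
            this.usesNamespaces = false;
            this.credentialGetter = function;
            this.reportOnAttribute = z;
        }

        /**
         * Builds a case from a pre-compiled expression; it is evaluated against the
         * namespace-aware document.
         *
         * @param xPathExpression compiled expression selecting the candidate nodes
         * @param function extracts the node holding the credential value from a selected node
         * @param z {@code true} to report on the extracted node, {@code false} to report on the
         *     selected node
         */
        private SpecialCase(XPathExpression xPathExpression, Function<Node, Optional<Node>> function, boolean z) {
            this.xpathExpression = xPathExpression;
            this.usesNamespaces = true;
            this.credentialGetter = function;
            this.reportOnAttribute = z;
        }

        /**
         * Evaluates the expression on the file and reports every selected location whose value
         * is not empty and not a placeholder.
         *
         * @param xmlFile file under analysis
         */
        @Override // java.util.function.Consumer
        public void accept(XmlFile xmlFile) {
            Node document = this.usesNamespaces ? xmlFile.getNamespaceAwareDocument() : xmlFile.getNamespaceUnawareDocument();
            for (Node matched : HardcodedCredentialsCheck.this.evaluateAsList(this.xpathExpression, document)) {
                this.credentialGetter.apply(matched).ifPresent(credential -> {
                    // getNodeValue() is null for element nodes (e.g. when the first child of the
                    // matched element is itself an element); isValidCredential tolerates that.
                    if (!HardcodedCredentialsCheck.isValidCredential(credential.getNodeValue())) {
                        HardcodedCredentialsCheck.this.reportIssue(this.reportOnAttribute ? credential : matched, "Make sure this is not a hard-coded credential.");
                    }
                });
            }
        }
    }

    /**
     * Returns the configured credential words, trimmed and lower-cased with {@link Locale#ROOT}.
     * The set is computed on first use and cached, so later changes to
     * {@link #credentialWords} are not picked up by this instance.
     *
     * @return normalised credential words, without empty entries
     */
    private Set<String> credentialWordsSet() {
        if (this.cleanedCredentialWords == null) {
            this.cleanedCredentialWords = Stream.of(this.credentialWords.split(","))
                .map(String::trim)
                .map(word -> word.toLowerCase(Locale.ROOT))
                // An empty entry (e.g. from "a,,b") can never equal a node name; drop it.
                .filter(word -> !word.isEmpty())
                .collect(Collectors.toSet());
        }
        return this.cleanedCredentialWords;
    }

    /**
     * Runs the generic DOM walk followed by the XPath special cases.
     *
     * @param xmlFile file under analysis
     */
    @Override // org.sonarsource.analyzer.commons.xml.checks.SonarXmlCheck
    public void scanFile(XmlFile xmlFile) {
        checkElements(xmlFile.getDocument());
        checkSpecialCases(xmlFile);
    }

    /**
     * Recursively visits {@code node} and all of its descendants, checking the node's content
     * and its credential-named attributes.
     *
     * @param node current node of the depth-first walk
     */
    private void checkElements(Node node) {
        checkNode(node);
        checkAttributes(node, credentialWordsSet(), true);
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            checkElements(children.item(i));
        }
    }

    /**
     * Checks the value carried by a node: its {@code value} attribute when it has no children,
     * or its text when its only child is a text node. Nodes with any other content are skipped.
     *
     * @param node node whose content is inspected
     */
    private void checkNode(Node node) {
        NodeList children = node.getChildNodes();
        int childCount = children.getLength();
        if (childCount == 0) {
            // Reported on the element itself, and only if the element name is a credential word
            // (checkCredential re-checks the name of the node it is given).
            checkAttributes(node, VALUE_ATTRIBUTE, false);
            return;
        }
        if (childCount != 1) {
            return;
        }
        Node onlyChild = children.item(0);
        if (onlyChild.getNodeType() == Node.TEXT_NODE) {
            checkCredential(node, onlyChild.getTextContent());
        }
    }

    /**
     * Checks the first attribute of {@code node} whose local name is in {@code set}.
     *
     * <p>NOTE(review): the loop stops after the first matching attribute, so a second
     * credential-named attribute on the same element is not inspected even when the first one
     * holds a placeholder - confirm this is intended.
     *
     * @param node element whose attributes are inspected
     * @param set lower-cased attribute names to look for
     * @param z {@code true} to report on the attribute, {@code false} to report on the element
     */
    private void checkAttributes(Node node, Set<String> set, boolean z) {
        if (!node.hasAttributes()) {
            return;
        }
        NamedNodeMap attributes = node.getAttributes();
        for (int i = 0; i < attributes.getLength(); i++) {
            Node attribute = attributes.item(i);
            if (isCredentialNode(attribute, set)) {
                checkCredential(z ? attribute : node, attribute.getTextContent());
                return;
            }
        }
    }

    /**
     * Tells whether the node's local name, lower-cased with {@link Locale#ROOT}, is in
     * {@code set}. A node without a local name never matches.
     *
     * @param node node whose name is tested
     * @param set lower-cased names to match against
     * @return {@code true} when the local name is one of the given words
     */
    private static boolean isCredentialNode(Node node, Set<String> set) {
        String localName = node.getLocalName();
        return localName != null && set.contains(localName.toLowerCase(Locale.ROOT));
    }

    /**
     * Reports {@code node} when {@code str} is neither empty nor a placeholder and the node's
     * local name is a credential word.
     *
     * @param node node to report on
     * @param str value found for that node
     */
    private void checkCredential(Node node, String str) {
        if (!isValidCredential(str) && isCredentialNode(node, credentialWordsSet())) {
            reportIssue(node, String.format("\"%s\" detected here, make sure this is not a hard-coded credential.", node.getLocalName()));
        }
    }

    /**
     * Tells whether a value is acceptable, i.e. must not be reported: it is absent, blank after
     * trimming, or starts like a placeholder (see {@code VALID_CREDENTIAL_VALUES}).
     *
     * @param str candidate value; {@code null} means the node carries no value and is treated as
     *     nothing to report instead of failing the scan of the file
     * @return {@code true} when no issue should be raised for this value
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isValidCredential(String str) {
        if (str == null) {
            return true;
        }
        String trimmed = str.trim();
        return trimmed.isEmpty() || VALID_CREDENTIAL_VALUES.matcher(trimmed).matches();
    }

    /**
     * Applies every registered special case to the file.
     *
     * @param xmlFile file under analysis
     */
    private void checkSpecialCases(XmlFile xmlFile) {
        this.specialCases.forEach(specialCase -> specialCase.accept(xmlFile));
    }

    /**
     * Returns the first child of {@code node}, if any.
     *
     * @param node element expected to hold the credential as text
     * @return the first child node, or empty when the node has no children
     */
    private static Optional<Node> getTextValueSafe(Node node) {
        return Optional.ofNullable(node.getFirstChild());
    }

    /**
     * Returns the attribute named {@code str} of {@code node}, if present.
     *
     * @param node node whose attributes are searched
     * @param str attribute name
     * @return the attribute node, or empty when the node has no attributes or no such attribute
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Optional<Node> getAttributeSafe(Node node, String str) {
        if (!node.hasAttributes()) {
            return Optional.empty();
        }
        return Optional.ofNullable(node.getAttributes().getNamedItem(str));
    }
}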
