package org.sonar.java.checks.security;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ClassTree;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LambdaExpressionTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.ReturnStatementTree;
import org.sonar.plugins.java.api.tree.ThrowStatementTree;
import org.sonar.plugins.java.api.tree.Tree;

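/**
 * Rule S5808: reports Spring Security authorization hooks whose body never visibly refuses access.
 *
 * <p>Two method shapes are inspected:
 * <ul>
 *   <li>{@code vote(Authentication, Object, Collection)} on subtypes of {@code AccessDecisionVoter}:
 *       an issue is raised when every {@code return} yields a literal, a signed literal,
 *       {@code ACCESS_GRANTED} or {@code ACCESS_ABSTAIN}, and the body contains no {@code throw};</li>
 *   <li>both {@code hasPermission} overloads on subtypes of {@code PermissionEvaluator}:
 *       an issue is raised when every {@code return} yields a literal other than {@code false},
 *       and the body contains no {@code throw}.</li>
 * </ul>
 *
 * <p>The analysis is purely syntactic, so it under-reports by design. Reviewers should keep these
 * limits in mind when a voter or evaluator passes this rule:
 * <ul>
 *   <li>any returned expression that is not a literal or one of the known constants (a local
 *       variable, a method call, a ternary, ...) is assumed to be able to deny access;</li>
 *   <li>constants are matched by simple name only, with no symbol resolution;</li>
 *   <li>any {@code throw} in the method body counts as a denial, whatever is thrown;</li>
 *   <li>lambda bodies and nested classes are not inspected.</li>
 * </ul>
 *
 * <p>Source provenance: decompiled with JADX from
 * {@code WEB-INF/lib/sonar-java-plugin-7.23.0.32023.jar}.
 */
@Rule(key = "S5808")
public class AuthorizationsStrongDecisionsCheck extends IssuableSubscriptionVisitor {
    private static final String AUTHENTICATION = "org.springframework.security.core.Authentication";
    private static final String JAVA_OBJECT = "java.lang.Object";

    /** Matches {@code AccessDecisionVoter#vote(Authentication, Object, Collection)} in any subtype. */
    private static final MethodMatchers ACCESS_DECISION_VOTER_VOTE = MethodMatchers.create()
        .ofSubTypes("org.springframework.security.access.AccessDecisionVoter")
        .names("vote")
        .addParametersMatcher(AUTHENTICATION, JAVA_OBJECT, "java.util.Collection")
        .build();

    /** Matches both {@code PermissionEvaluator#hasPermission} overloads in any subtype. */
    private static final MethodMatchers PERMISSION_EVALUATOR_HAS_PERMISSION = MethodMatchers.create()
        .ofSubTypes("org.springframework.security.access.PermissionEvaluator")
        .names("hasPermission")
        .addParametersMatcher(AUTHENTICATION, JAVA_OBJECT, JAVA_OBJECT)
        .addParametersMatcher(AUTHENTICATION, "java.io.Serializable", "java.lang.String", JAVA_OBJECT)
        .build();

    /**
     * Walks one method body and records whether it contains at least one "strong" exit: a
     * {@code return} whose expression satisfies the supplied predicate, or any {@code throw}.
     *
     * <p>The decompiler reports that this class was declared {@code private} in the original
     * bytecode and that it widened the modifier; the widened form is kept here so the listing
     * stays consistent with the decompiled class files.
     */
    public static class ReturnStatementVisitor extends BaseTreeVisitor {
        private final Predicate<ExpressionTree> isStrongDecision;
        private boolean takesStrongDecision = false;

        /**
         * @param predicate decides whether a returned expression counts as a strong decision
         */
        ReturnStatementVisitor(Predicate<ExpressionTree> predicate) {
            this.isStrongDecision = predicate;
        }

        /**
         * @return {@code true} once a qualifying {@code return} or any {@code throw} has been visited
         */
        public boolean takesStrongDecision() {
            return this.takesStrongDecision;
        }

        /**
         * Marks the method as strong when the returned expression satisfies the predicate.
         * A bare {@code return;} is ignored. The returned expression itself is not traversed further.
         */
        @Override
        public void visitReturnStatement(ReturnStatementTree returnStatementTree) {
            ExpressionTree expression = returnStatementTree.expression();
            if (expression != null && this.isStrongDecision.test(expression)) {
                this.takesStrongDecision = true;
            }
        }

        /**
         * Treats every {@code throw} as a strong decision. The thrown expression is not examined,
         * so the exception type plays no part in the verdict.
         */
        @Override
        public void visitThrowStatement(ThrowStatementTree throwStatementTree) {
            this.takesStrongDecision = true;
        }

        /** Intentionally empty: a {@code return} inside a lambda does not exit the inspected method. */
        @Override
        public void visitLambdaExpression(LambdaExpressionTree lambdaExpressionTree) {
            // Do not descend into lambda bodies.
        }

        /** Intentionally empty: methods of nested or anonymous classes are separate methods. */
        @Override
        public void visitClass(ClassTree classTree) {
            // Do not descend into nested class bodies.
        }
    }

    /**
     * @return the single node kind this check subscribes to, {@code METHOD}
     */
    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Collections.singletonList(Tree.Kind.METHOD);
    }

    /**
     * Dispatches a visited method to the matching inspection; methods matching neither
     * signature are ignored.
     *
     * @param tree the visited node, always a {@link MethodTree} given {@link #nodesToVisit()}
     */
    @Override
    public void visitNode(Tree tree) {
        MethodTree methodTree = (MethodTree) tree;
        if (ACCESS_DECISION_VOTER_VOTE.matches(methodTree)) {
            reportNoStrongDecision(methodTree, AuthorizationsStrongDecisionsCheck::isStrongVoteDecision, "vote", "ACCESS_DENIED");
        } else if (PERMISSION_EVALUATOR_HAS_PERMISSION.matches(methodTree)) {
            reportNoStrongDecision(methodTree, AuthorizationsStrongDecisionsCheck::isStrongHasPermissionDecision, "hasPermission", "false");
        }
    }

    /**
     * Raises an issue on the method name when the body holds no strong exit.
     *
     * @param methodTree the method under inspection
     * @param predicate tells whether a returned expression counts as a strong decision
     * @param methodName method name inserted into the issue message
     * @param expectedValue denial value inserted into the issue message
     */
    private void reportNoStrongDecision(MethodTree methodTree, Predicate<ExpressionTree> predicate, String methodName, String expectedValue) {
        ReturnStatementVisitor returnStatementVisitor = new ReturnStatementVisitor(predicate);
        methodTree.accept(returnStatementVisitor);
        if (returnStatementVisitor.takesStrongDecision()) {
            return;
        }
        reportIssue(methodTree.simpleName(), String.format("\"%s\" method should return at least one time %s.", methodName, expectedValue));
    }

    /**
     * Tells whether an expression returned from {@code vote} may deny access.
     *
     * <p>Literals and signed literals are never strong, so a raw {@code -1} is rejected and the
     * named {@code ACCESS_DENIED} constant is expected instead. Identifiers are compared by simple
     * name only; for a qualified reference such as {@code AccessDecisionVoter.ACCESS_DENIED} only
     * the trailing identifier is compared. Anything else is conservatively assumed to be strong.
     *
     * @param expressionTree the expression of a {@code return} statement
     * @return {@code false} for literals, unary plus/minus expressions, {@code ACCESS_GRANTED} and
     *     {@code ACCESS_ABSTAIN}; {@code true} otherwise
     */
    private static boolean isStrongVoteDecision(ExpressionTree expressionTree) {
        ExpressionTree returned = expressionTree;
        if (returned.is(Tree.Kind.MEMBER_SELECT)) {
            // Qualified constant: keep only the member name.
            returned = ((MemberSelectExpressionTree) returned).identifier();
        }
        if (returned instanceof LiteralTree || returned.is(Tree.Kind.UNARY_MINUS, Tree.Kind.UNARY_PLUS)) {
            return false;
        }
        if (!returned.is(Tree.Kind.IDENTIFIER)) {
            // Method call, ternary, etc.: the value is unknown here, so assume it can deny.
            return true;
        }
        String name = ((IdentifierTree) returned).name();
        // ACCESS_DENIED and every unknown identifier are strong; only the two permissive constants are not.
        return !"ACCESS_GRANTED".equals(name) && !"ACCESS_ABSTAIN".equals(name);
    }

    /**
     * Tells whether an expression returned from {@code hasPermission} may deny access.
     *
     * <p>The decompiled listing referenced an undefined variable ({@code r1}) inside the filter
     * lambda; it stood for a bound {@code Boolean.FALSE::equals} method reference, restored here.
     *
     * @param expressionTree the expression of a {@code return} statement
     * @return {@code true} for any non-literal expression and for the literal {@code false};
     *     {@code false} for every other literal
     */
    private static boolean isStrongHasPermissionDecision(ExpressionTree expressionTree) {
        if (!(expressionTree instanceof LiteralTree)) {
            // Non-literal: the value is unknown here, so assume it can deny.
            return true;
        }
        return expressionTree.asConstant(Boolean.class).filter(Boolean.FALSE::equals).isPresent();
    }
}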
