package org.sonar.java.checks.security;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.ExpressionsHelper;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.java.model.LiteralUtils;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.BlockTree;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.LambdaExpressionTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.ReturnStatementTree;
import org.sonar.plugins.java.api.tree.StatementTree;
import org.sonar.plugins.java.api.tree.Tree;

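/**
 * Rule S5527: reports SSL/TLS connections on which server hostname verification is disabled.
 *
 * <p>Three patterns are reported:
 * <ul>
 *   <li>an implementation of {@code javax.net.ssl.HostnameVerifier#verify(String, SSLSession)} (method or
 *       lambda) whose only meaningful statement is {@code return true;}, or an expression lambda whose body
 *       is the literal {@code true};</li>
 *   <li>Apache Commons Email: a call such as {@code email.setSSLOnConnect(true)} when the enclosing method
 *       never calls {@code email.setSSLCheckServerIdentity(x)} with {@code x} other than the literal
 *       {@code false};</li>
 *   <li>JavaMail properties: {@code props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory")}
 *       when the enclosing method never puts {@code "mail.smtp.ssl.checkserveridentity"} with a value other
 *       than the literal {@code false}.</li>
 * </ul>
 *
 * <p>The compensating call is only searched for inside the method that contains the reported invocation, and
 * any argument that is not the literal {@code false} is taken as enabling verification. A flag whose value is
 * only known at runtime is therefore never reported; this is a precision trade-off (fewer false positives),
 * not evidence that the connection is verified.
 */
@Rule(key = "S5527")
public class VerifiedServerHostnamesCheck extends IssuableSubscriptionVisitor {
    private static final String ISSUE_MESSAGE = "Enable server hostname verification on this SSL/TLS connection.";
    private static final String HASHTABLE_ISSUE_MESSAGE = "Enable server hostname verification on this SSL/TLS connection, by setting \"mail.smtp.ssl.checkserveridentity\" to true.";
    private static final String APACHE_EMAIL = "org.apache.commons.mail.Email";
    private static final String JAVAX_NET_SSL_HOSTNAME_VERIFIER = "javax.net.ssl.HostnameVerifier";
    /** Type name used in the matchers' parameter signatures (the decompiled form borrowed it from Xerces' SchemaSymbols). */
    private static final String BOOLEAN_TYPE = "boolean";
    private static final String CHECK_SERVER_IDENTITY_PROPERTY = "mail.smtp.ssl.checkserveridentity";

    /** Apache Commons Email setters that turn SSL/TLS on; each takes a single boolean. */
    private static final Set<String> ENABLING_SSL_METHOD_NAMES = new HashSet<>(Arrays.asList(
        "setSSL", "setSSLOnConnect", "setTLS", "setStartTLSEnabled", "setStartTLSRequired"));

    /** Any of {@link #ENABLING_SSL_METHOD_NAMES} invoked on an {@code Email} (or subtype) with one boolean. */
    private static final MethodMatchers ENABLING_SSL_METHODS = MethodMatchers.create()
        .ofSubTypes(APACHE_EMAIL)
        .name(ENABLING_SSL_METHOD_NAMES::contains)
        .addParametersMatcher(BOOLEAN_TYPE)
        .build();

    /** {@code Hashtable.put(...)} on any subtype, which covers {@code java.util.Properties}. */
    private static final MethodMatchers HASHTABLE_PUT = MethodMatchers.create()
        .ofSubTypes("java.util.Hashtable")
        .names("put")
        .withAnyParameters()
        .build();

    /** {@code HostnameVerifier.verify(String, SSLSession)} and overrides in subtypes. */
    private static final MethodMatchers HOSTNAME_VERIFIER = MethodMatchers.create()
        .ofSubTypes(JAVAX_NET_SSL_HOSTNAME_VERIFIER)
        .names("verify")
        .addParametersMatcher("java.lang.String", "javax.net.ssl.SSLSession")
        .build();

    /**
     * Scans a method body for {@code variable.setSSLCheckServerIdentity(x)} where {@code x} is not the
     * literal {@code false}. Originally a private nested class; the decompiler widened it to public.
     */
    public static class MethodBodyApacheVisitor extends BaseTreeVisitor {
        private static final MethodMatchers SET_SSL_CHECK_SERVER_ID = MethodMatchers.create()
            .ofSubTypes(APACHE_EMAIL)
            .names("setSSLCheckServerIdentity")
            .addParametersMatcher(BOOLEAN_TYPE)
            .build();

        /** Set once a compensating call on {@link #variable} is seen; never reset. */
        private boolean isSecured = false;
        /** Receiver of the SSL-enabling call, or null when that receiver was not a plain identifier. */
        private final Symbol variable;

        /**
         * @param symbol the receiver of the SSL-enabling call; null when it could not be resolved
         */
        MethodBodyApacheVisitor(@Nullable Symbol symbol) {
            this.variable = symbol;
        }

        @Override
        public void visitMethodInvocation(MethodInvocationTree mit) {
            // The trailing `true` is the value ExpressionUtils falls back to when the receiver cannot be
            // compared (e.g. variable == null); presumably an unresolved receiver then counts as a match —
            // confirm against ExpressionUtils.isInvocationOnVariable.
            if (ExpressionUtils.isInvocationOnVariable(mit, variable, true)
                && SET_SSL_CHECK_SERVER_ID.matches(mit)
                && isNotFalse(mit.arguments().get(0))) {
                isSecured = true;
            }
            super.visitMethodInvocation(mit);
        }
    }

    /**
     * Scans a method body for {@code variable.put("mail.smtp.ssl.checkserveridentity", x)} where {@code x}
     * is not the literal {@code false}. Originally a private nested class; the decompiler widened it to public.
     */
    public static class MethodBodyHashtableVisitor extends BaseTreeVisitor {
        /** Set once a compensating put on {@link #variable} is seen; never reset. */
        private boolean isSecured = false;
        /** Receiver of the socket-factory put, or null when that receiver was not a plain identifier. */
        private final Symbol variable;

        /**
         * @param symbol the receiver of the socket-factory put; null when it could not be resolved
         */
        MethodBodyHashtableVisitor(@Nullable Symbol symbol) {
            this.variable = symbol;
        }

        @Override
        public void visitMethodInvocation(MethodInvocationTree mit) {
            if (ExpressionUtils.isInvocationOnVariable(mit, variable, true)) {
                Arguments arguments = mit.arguments();
                // Hashtable.put has exactly two parameters; the size guard keeps get(1) safe regardless.
                if (HASHTABLE_PUT.matches(mit)
                    && arguments.size() == 2
                    && isConstantString(arguments.get(0), CHECK_SERVER_IDENTITY_PROPERTY)
                    && isNotFalse(arguments.get(1))) {
                    isSecured = true;
                }
            }
            super.visitMethodInvocation(mit);
        }
    }

    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.METHOD, Tree.Kind.LAMBDA_EXPRESSION);
    }

    @Override
    public void visitNode(Tree tree) {
        switch (tree.kind()) {
            case METHOD:
                checkMethodDefinition((MethodTree) tree);
                break;
            case LAMBDA_EXPRESSION:
                checkLambdaDefinition((LambdaExpressionTree) tree);
                break;
            case METHOD_INVOCATION:
                checkMethodInvocation((MethodInvocationTree) tree);
                break;
            default:
                // Only the kinds listed in nodesToVisit() are delivered; nothing else to handle.
                break;
        }
    }

    /** Reports a {@code HostnameVerifier.verify} override whose body reduces to {@code return true;}. */
    private void checkMethodDefinition(MethodTree methodTree) {
        BlockTree block = methodTree.block();
        // block is null for abstract/interface declarations, which have nothing to inspect.
        if (block != null && HOSTNAME_VERIFIER.matches(methodTree)) {
            checkBlock(block);
        }
    }

    /** Reports a lambda typed as {@code HostnameVerifier} that always yields {@code true}. */
    private void checkLambdaDefinition(LambdaExpressionTree lambdaExpressionTree) {
        if (!isHostnameVerifierSignature(lambdaExpressionTree)) {
            return;
        }
        Tree body = lambdaExpressionTree.body();
        if (body.is(Tree.Kind.BLOCK)) {
            checkBlock((BlockTree) body);
        } else if (isTrueLiteral(body)) {
            // Expression lambda: `(host, session) -> true`
            reportIssue(body, ISSUE_MESSAGE);
        }
    }

    /**
     * Reports the block when, after unwrapping redundant nested braces and dropping empty statements,
     * it consists of the single statement {@code return true;}.
     */
    private void checkBlock(BlockTree blockTree) {
        // Descend through `{ { return true; } }` while the block holds exactly one nested block.
        List<StatementTree> statements = blockTree.body();
        while (statements.size() == 1 && statements.get(0).is(Tree.Kind.BLOCK)) {
            statements = ((BlockTree) statements.get(0)).body();
        }
        // Stray semicolons (`return true;;`) must not hide the pattern.
        List<StatementTree> meaningful = statements.stream()
            .filter(statement -> !statement.is(Tree.Kind.EMPTY_STATEMENT))
            .collect(Collectors.toList());
        if (isReturnTrueStatement(meaningful)) {
            reportIssue(meaningful.get(0), ISSUE_MESSAGE);
        }
    }

    /** True when the lambda's target type is {@code HostnameVerifier} or a subtype. */
    private static boolean isHostnameVerifierSignature(LambdaExpressionTree lambdaExpressionTree) {
        return lambdaExpressionTree.symbolType().isSubtypeOf(JAVAX_NET_SSL_HOSTNAME_VERIFIER);
    }

    /** True when {@code statements} is exactly one {@code return} whose expression is the literal true. */
    private static boolean isReturnTrueStatement(List<StatementTree> statements) {
        if (statements.size() != 1 || !statements.get(0).is(Tree.Kind.RETURN_STATEMENT)) {
            return false;
        }
        // A bare `return;` (no expression) cannot occur in a boolean-returning verify(), but guard anyway.
        ExpressionTree returned = ((ReturnStatementTree) statements.get(0)).expression();
        return returned != null && isTrueLiteral(returned);
    }

    /** True for the literal {@code true}, possibly wrapped in parentheses; any other expression is not. */
    private static boolean isTrueLiteral(Tree tree) {
        if (tree.is(Tree.Kind.PARENTHESIZED_EXPRESSION, Tree.Kind.BOOLEAN_LITERAL)) {
            return LiteralUtils.isTrue(ExpressionUtils.skipParentheses((ExpressionTree) tree));
        }
        return false;
    }

    /**
     * Reports an SSL-enabling call (Commons Email setter with literal {@code true}, or the JavaMail
     * socket-factory put) unless the enclosing method also performs the matching hostname-check call.
     */
    private void checkMethodInvocation(MethodInvocationTree mit) {
        MethodTree enclosingMethod = ExpressionUtils.getEnclosingMethod(mit);
        if (enclosingMethod == null) {
            // No method body to scan for the compensating call (e.g. field initializer): not reported.
            return;
        }
        ExpressionTree methodSelect = mit.methodSelect();
        if (!methodSelect.is(Tree.Kind.MEMBER_SELECT)) {
            return;
        }
        // Receiver of the call (`email` in `email.setSSLOnConnect(true)`); null when it is not a plain identifier.
        Symbol receiver = ExpressionUtils.extractIdentifierSymbol(((MemberSelectExpressionTree) methodSelect).expression()).orElse(null);
        Arguments arguments = mit.arguments();
        if (ENABLING_SSL_METHODS.matches(mit) && LiteralUtils.isTrue(arguments.get(0))) {
            // Only `setXxx(true)` with a literal is reported; a runtime flag is left alone.
            MethodBodyApacheVisitor visitor = new MethodBodyApacheVisitor(receiver);
            enclosingMethod.accept(visitor);
            if (!visitor.isSecured) {
                reportIssue(mit, ISSUE_MESSAGE);
            }
        } else if (HASHTABLE_PUT.matches(mit) && isSettingSSL(arguments)) {
            MethodBodyHashtableVisitor visitor = new MethodBodyHashtableVisitor(receiver);
            enclosingMethod.accept(visitor);
            if (!visitor.isSecured) {
                reportIssue(mit, HASHTABLE_ISSUE_MESSAGE);
            }
        }
    }

    /** True for {@code put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory")} with constant arguments. */
    private static boolean isSettingSSL(Arguments arguments) {
        return arguments.size() == 2
            && isConstantString(arguments.get(0), "mail.smtp.socketFactory.class")
            && isConstantString(arguments.get(1), "javax.net.ssl.SSLSocketFactory");
    }

    /** True when {@code expression} resolves to the compile-time string constant {@code expected}. */
    private static boolean isConstantString(ExpressionTree expression, String expected) {
        return expected.equals(ExpressionsHelper.getConstantValueAsString(expression).value());
    }

    /**
     * True unless {@code expressionTree} is the literal {@code false}. Variables, method calls and other
     * non-literal expressions are all treated as enabling verification, so they never trigger an issue.
     */
    private static boolean isNotFalse(ExpressionTree expressionTree) {
        return !LiteralUtils.isFalse(expressionTree);
    }
}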
