package org.sonar.java.checks;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.java.checks.helpers.RandomnessDetector;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

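/**
 * Rule S6418: reports hard-coded secrets.
 *
 * <p>The check subscribes to string literals, variable declarations, assignments and method invocations.
 * The inherited {@code AbstractHardCodedCredentialChecker} logic decides whether an identifier matches one of
 * the configured {@link #secretWords}; this class supplies the value-side heuristic
 * ({@link #isPotentialCredential(String)}): the value must be long enough, match {@link #SECRET_PATTERN},
 * be judged random by {@link RandomnessDetector} and not be an IPv6 literal.
 *
 * <p>Not thread-safe: the randomness detector is created lazily without synchronization.
 */
@Rule(key = "S6418")
/* loaded from: input_file:WEB-INF/lib/sonar-java-plugin-7.23.0.32023.jar:org/sonar/java/checks/HardCodedSecretCheck.class */
public class HardCodedSecretCheck extends AbstractHardCodedCredentialChecker {
    /** Default comma-separated list of (regex) words that mark an identifier as secret-related. */
    private static final String DEFAULT_SECRET_WORDS = "api[_.-]?key,auth,credential,secret,token";
    /** Default randomness threshold; kept as a string because {@code RuleProperty.defaultValue} is a string. */
    private static final String DEFAULT_RANDOMNESS_SENSIBILITY = "5.0";
    /** Values shorter than this are never reported, whatever they look like. */
    private static final int MINIMUM_CREDENTIAL_LENGTH = 17;
    /** Character class allowed at the first position of a candidate secret. */
    private static final String FIRST_ACCEPTED_CHARACTER = "[\\w.+/~$:&-]";
    /** Character class allowed at every following position ({@code =} is additionally accepted, e.g. base64 padding). */
    private static final String FOLLOWING_ACCEPTED_CHARACTER = "[=\\w.+/~$:&-]";
    /**
     * Shape of a candidate secret: one first-position character followed by at least one following-position
     * character, where a following character may be preceded by two literal backslashes. The {@code ++}
     * quantifier is possessive, so the match never backtracks. Built from the two character classes above
     * rather than repeating them inline.
     */
    private static final Pattern SECRET_PATTERN = Pattern.compile(
        FIRST_ACCEPTED_CHARACTER + "(" + FOLLOWING_ACCEPTED_CHARACTER + "|\\\\\\\\" + FOLLOWING_ACCEPTED_CHARACTER + ")++");
    /** Reuses the IPv6 regex from {@code HardcodedIpCheck}; IPv6 literals are excluded from reporting. */
    private static final Pattern IPV_6_PATTERN = Pattern.compile(HardcodedIpCheck.IP_V6_ALONE);
    /** Created on first use from {@link #randomnessSensibility}; see {@link #getRandomnessDetector()}. */
    private RandomnessDetector randomnessDetector;

    @RuleProperty(key = "secretWords", description = "Comma separated list of words identifying potential secrets", defaultValue = DEFAULT_SECRET_WORDS)
    public String secretWords = DEFAULT_SECRET_WORDS;

    @RuleProperty(key = "randomnessSensibility", description = "Allows to tune the Randomness Sensibility (from 0 to 10)", defaultValue = DEFAULT_RANDOMNESS_SENSIBILITY)
    public double randomnessSensibility = Double.parseDouble(DEFAULT_RANDOMNESS_SENSIBILITY);

    /** Returns the configured secret words, consumed by the inherited identifier matching. */
    @Override // org.sonar.java.checks.AbstractHardCodedCredentialChecker
    protected String getCredentialWords() {
        return this.secretWords;
    }

    /** Disabled for this check: no expression is treated as "containing a credential pattern". */
    @Override // org.sonar.java.checks.AbstractHardCodedCredentialChecker
    protected boolean isCredentialContainingPattern(ExpressionTree expressionTree) {
        return false;
    }

    /** The four node kinds dispatched by {@link #visitNode(Tree)}. */
    @Override // org.sonar.java.ast.visitors.SubscriptionVisitor
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.STRING_LITERAL, Tree.Kind.VARIABLE, Tree.Kind.ASSIGNMENT, Tree.Kind.METHOD_INVOCATION);
    }

    /**
     * Dispatches each visited node to the matching handler. Anything that is neither a string literal, a
     * variable nor an assignment is assumed to be a method invocation, which {@link #nodesToVisit()} guarantees.
     *
     * @param tree one of the kinds listed in {@link #nodesToVisit()}
     */
    @Override // org.sonar.java.ast.visitors.SubscriptionVisitor
    public void visitNode(Tree tree) {
        if (tree.is(Tree.Kind.STRING_LITERAL)) {
            handleStringLiteral((LiteralTree) tree);
        } else if (tree.is(Tree.Kind.VARIABLE)) {
            handleVariable((VariableTree) tree);
        } else if (tree.is(Tree.Kind.ASSIGNMENT)) {
            handleAssignment((AssignmentExpressionTree) tree);
        } else {
            handleMethodInvocation((MethodInvocationTree) tree);
        }
    }

    /**
     * Handles a method invocation: {@code equals(...)} calls on a member select go to the inherited
     * equals-handling; any other invocation is reported when the inherited {@code isSettingCredential}
     * recognizes it as setting a credential.
     *
     * @param methodInvocationTree the visited invocation
     */
    private void handleMethodInvocation(MethodInvocationTree methodInvocationTree) {
        ExpressionTree methodSelect = methodInvocationTree.methodSelect();
        if (EQUALS_MATCHER.matches(methodInvocationTree) && methodSelect.is(Tree.Kind.MEMBER_SELECT)) {
            handleEqualsMethod(methodInvocationTree, (MemberSelectExpressionTree) methodSelect);
        } else {
            isSettingCredential(methodInvocationTree)
                .ifPresent(secretWord -> report(ExpressionUtils.methodName(methodInvocationTree), secretWord));
        }
    }

    /**
     * Value-side heuristic: the string is a potential secret when it is at least
     * {@link #MINIMUM_CREDENTIAL_LENGTH} characters long, matches {@link #SECRET_PATTERN} entirely,
     * is judged random by the configured {@link RandomnessDetector}, and is not an IPv6 literal.
     * Cheap structural checks run before the randomness estimate.
     *
     * @param str the literal value under examination
     * @return {@code true} when all four conditions hold
     */
    @Override // org.sonar.java.checks.AbstractHardCodedCredentialChecker
    protected boolean isPotentialCredential(String str) {
        return str.length() >= MINIMUM_CREDENTIAL_LENGTH
            && SECRET_PATTERN.matcher(str).matches()
            && getRandomnessDetector().isRandom(str)
            && isNotIpV6(str);
    }

    /**
     * Builds the detector on first use so that a {@link #randomnessSensibility} value assigned after
     * construction (the rule property is a public field) is the one honored. Not synchronized: concurrent
     * first calls could each build a detector.
     */
    private RandomnessDetector getRandomnessDetector() {
        if (this.randomnessDetector == null) {
            this.randomnessDetector = new RandomnessDetector(this.randomnessSensibility);
        }
        return this.randomnessDetector;
    }

    /** @return {@code true} unless the whole string is an IPv6 literal per {@link #IPV_6_PATTERN} */
    private static boolean isNotIpV6(String str) {
        return !IPV_6_PATTERN.matcher(str).matches();
    }

    /**
     * Raises the issue on {@code tree}. Only the matched secret word is echoed in the message, never the
     * candidate value itself.
     *
     * @param tree node to attach the issue to
     * @param str  the secret word that matched the identifier
     */
    @Override // org.sonar.java.checks.AbstractHardCodedCredentialChecker
    protected void report(Tree tree, String str) {
        reportIssue(tree, "'" + str + "' detected in this expression, review this potentially hard-coded secret.");
    }
}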
