package org.sonar.iac.docker.checks;

import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.tree.api.EnvInstruction;
import org.sonar.iac.docker.tree.api.KeyValuePair;
import org.sonar.iac.docker.utils.ArgumentUtils;

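/**
 * Rule S6472: reports {@code ENV} instructions in a Dockerfile whose variable name looks like
 * it carries a secret (for example {@code DB_PASSWORD} or {@code apiToken}) and whose value is a
 * literal rather than a URL or a file path.
 *
 * <p>The name heuristic splits the variable name into upper-cased words (on {@code _}, {@code -}
 * or camelCase boundaries) and flags it when it is a single secret word, or when an entity word
 * is immediately followed by a secret word and no exclusion word appears anywhere in the name.
 * The value heuristic is deliberately permissive: any non-blank value that does not look like a
 * URL or a path is treated as a candidate secret, and the issue is raised on the key so that a
 * reviewer decides whether the assignment is safe.
 */
@Rule(key = "S6472")
public class EnvSecretCheck implements IacCheck {
    private static final String MESSAGE = "Make sure that using ENV to handle a secret is safe here.";

    // Value shapes that are treated as a reference to a secret (a location) rather than the
    // secret itself; they are combined into PATH_PATTERN below.
    private static final String ROOT_PATH_PATTERN = "^/[a-z]*+($|/)";
    private static final String RELATIVE_PATH_PATTERN = "^./[a-zA-Z_-]*+($|/)";
    private static final String EXPANSION_PATH_PATTERN = "^\\$\\{[^}]+}/";
    private static final String PATH_WITH_EXPANSION_PATTERN = "/.*+\\.[a-z0-9]{2,4}$";

    /** Words that make a name sensitive when immediately followed by a {@link #SECRETS} word. */
    private static final Set<String> ENTITIES = Set.of(
        "ACCESS", "AMPLITUDE", "ANSIBLE", "ADMIN", "API", "APP", "AUTH", "CLIENT", "CONFIG", "DATABASE", "DB",
        "ENCRYPTION", "ENV", "FACEBOOK", "FIREBASE", "FTP", "GIT", "GITHUB", "GITLAB", "HONEYCOMB", "JWT",
        "KEYCLOAK", "KEYRING", "LDAP", "MAIL", "MASTER", "MARIADB", "MSSQL", "MYSQL", "NPM", "OAUTH", "OAUTH2",
        "PG", "POSTGRES", "REDIS", "REFRESH", "REPLICATION", "ROOT", "RPC", "SA", "SECRET", "SERVER", "SIGN",
        "SIGNING", "SLACK", "SVN", "USER", "VNC", "WEBHOOK");
    /** Words that denote a secret, either alone or after an {@link #ENTITIES} word. */
    private static final Set<String> SECRETS = Set.of(
        "CREDENTIALS", "KEY", "PASS", "PASSPHRASE", "PASSWD", "PASSWORD", "SECRET", "TOKEN");
    /** Words whose presence anywhere in the name suppresses the entity/secret match. */
    private static final Set<String> EXCLUSIONS = Set.of(
        "ALLOW", "DIR", "EXPIRE", "EXPIRY", "FILE", "ID", "LOCATION", "NAME", "OWNER", "PATH", "URL");

    private static final Pattern UNDERSCORE_NAME_PATTERN = Pattern.compile("^\\w+$");
    private static final Pattern DASH_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9-]+$");
    private static final Pattern CAMELCASE_NAME_PATTERN = Pattern.compile("^[A-Za-z]+$");
    // Zero-width split points in a camelCase name: before an upper-case letter that follows a
    // lower-case one, or before the last capital of a run that precedes a lower-case letter
    // (so "apiToken" -> [api, Token] and "HTTPToken" -> [HTTP, Token]).
    private static final Pattern CAMELCASE_SPLIT_PATTERN = Pattern.compile("(?<!(^|[A-Z]))(?=[A-Z])|(?<!^)(?=[A-Z][a-z])");
    private static final Pattern URL_PATTERN = Pattern.compile("^(http|ftp)s?://");
    // Alternation of the four path shapes declared above; the combined string is what values are
    // matched against.
    private static final Pattern PATH_PATTERN = Pattern.compile(
        "(" + ROOT_PATH_PATTERN + "|" + RELATIVE_PATH_PATTERN + "|" + EXPANSION_PATH_PATTERN + "|" + PATH_WITH_EXPANSION_PATTERN + ")");

    /** Registers this check for every {@code ENV} instruction and inspects each of its assignments. */
    public void initialize(InitContext initContext) {
        initContext.register(EnvInstruction.class, (checkContext, envInstruction) ->
            envInstruction.environmentVariables().forEach(pair -> checkEnvVariableAssignment(checkContext, pair)));
    }

    /**
     * Reports an issue on the key of {@code keyValuePair} when both its resolved name and its
     * resolved value look sensitive. A side that resolves to {@code null} is never sensitive, and
     * the value is only resolved once the name has matched.
     *
     * @param checkContext context used to report the issue
     * @param keyValuePair the {@code KEY=value} assignment of an {@code ENV} instruction
     */
    public static void checkEnvVariableAssignment(CheckContext checkContext, KeyValuePair keyValuePair) {
        String name = ArgumentUtils.resolve(keyValuePair.key()).value();
        if (!isSensitiveName(name)) {
            return;
        }
        String value = ArgumentUtils.resolve(keyValuePair.value()).value();
        if (isSensitiveValue(value)) {
            checkContext.reportIssue(keyValuePair.key(), MESSAGE);
        }
    }

    /** True when the name is a lone secret word or contains an entity/secret word pair. */
    private static boolean isSensitiveName(@Nullable String name) {
        if (name == null) {
            return false;
        }
        List<String> words = splitEnvVarName(name);
        return isSecretWordOnly(words) || containsSecretEntityWordCombination(words);
    }

    /**
     * Splits a variable name into upper-cased words, choosing the separator from the name's shape:
     * {@code _}-separated, then {@code -}-separated, then camelCase. A name that matches none of
     * the three shapes (for example one mixing separators, or letters with digits and no
     * separator) yields an empty list and is therefore never sensitive.
     */
    private static List<String> splitEnvVarName(String name) {
        if (UNDERSCORE_NAME_PATTERN.matcher(name).matches() && name.contains("_")) {
            return toUpperCase(name.split("_"));
        }
        if (DASH_NAME_PATTERN.matcher(name).matches() && name.contains("-")) {
            return toUpperCase(name.split("-"));
        }
        if (CAMELCASE_NAME_PATTERN.matcher(name).matches()) {
            return toUpperCase(CAMELCASE_SPLIT_PATTERN.split(name));
        }
        return Collections.emptyList();
    }

    /** Upper-cases every word with {@link Locale#ROOT} so matching is locale-independent. */
    private static List<String> toUpperCase(String[] words) {
        return Stream.of(words)
            .map(word -> word.toUpperCase(Locale.ROOT))
            .collect(Collectors.toList());
    }

    private static boolean isSecretWordOnly(List<String> words) {
        return words.size() == 1 && SECRETS.contains(words.get(0));
    }

    /**
     * True when an entity word is immediately followed by a secret word, unless any word of the
     * name is an exclusion (e.g. {@code DB_PASSWORD_FILE} is skipped because of {@code FILE};
     * presumably such a variable points at a secret rather than holding it).
     */
    private static boolean containsSecretEntityWordCombination(List<String> words) {
        if (words.stream().anyMatch(EXCLUSIONS::contains)) {
            return false;
        }
        // Only adjacent pairs count, so the last word never starts a match.
        for (int i = 0; i < words.size() - 1; i++) {
            if (ENTITIES.contains(words.get(i)) && SECRETS.contains(words.get(i + 1))) {
                return true;
            }
        }
        return false;
    }

    /** A value is a candidate secret unless it is missing, blank, or looks like a URL or a file path. */
    private static boolean isSensitiveValue(@Nullable String value) {
        return value != null && !value.isBlank() && !isUrl(value) && !isPath(value);
    }

    private static boolean isUrl(String value) {
        return URL_PATTERN.matcher(value).find();
    }

    private static boolean isPath(String value) {
        return PATH_PATTERN.matcher(value).find();
    }
}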
