package com.android.tools.lint.checks;

import com.android.resources.ResourceFolderType;
import com.android.resources.ResourceUrl;
import com.android.tools.lint.detector.api.Category;
import com.android.tools.lint.detector.api.Context;
import com.android.tools.lint.detector.api.Implementation;
import com.android.tools.lint.detector.api.Issue;
import com.android.tools.lint.detector.api.LintFix;
import com.android.tools.lint.detector.api.Location;
import com.android.tools.lint.detector.api.LocationType;
import com.android.tools.lint.detector.api.ResourceXmlDetector;
import com.android.tools.lint.detector.api.Scope;
import com.android.tools.lint.detector.api.Severity;
import com.android.tools.lint.detector.api.XmlContext;
import com.android.utils.XmlUtils;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Maps;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import kotlin.text.StringsKt;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

/* loaded from: input_file:com/android/tools/lint/checks/NetworkSecurityConfigDetector.class */
public class NetworkSecurityConfigDetector extends ResourceXmlDetector {
    public static final Implementation IMPLEMENTATION;
    public static final Issue ISSUE;
    public static final Issue PIN_SET_EXPIRY;
    public static final Issue MISSING_BACKUP_PIN;
    public static final Issue INSECURE_CONFIGURATION;
    public static final Issue ACCEPTS_USER_CERTIFICATES;
    public static final String ATTR_DIGEST = "digest";
    private static final String TAG_NETWORK_SECURITY_CONFIG = "network-security-config";
    private static final String TAG_BASE_CONFIG = "base-config";
    private static final String TAG_DOMAIN_CONFIG = "domain-config";
    private static final String TAG_DEBUG_OVERRIDES = "debug-overrides";
    private static final String TAG_DOMAIN = "domain";
    private static final String TAG_PIN_SET = "pin-set";
    private static final String TAG_TRUST_ANCHORS = "trust-anchors";
    private static final String TAG_CERTIFICATES = "certificates";
    private static final String TAG_PIN = "pin";
    private static final String ATTR_SRC = "src";
    private static final String ATTR_INCLUDE_SUBDOMAINS = "includeSubdomains";
    private static final String ATTR_EXPIRATION = "expiration";
    private static final String ATTR_CLEARTEXT_TRAFFIC_PERMITTED = "cleartextTrafficPermitted";
    private static final String PIN_DIGEST_ALGORITHM = "SHA-256";
    private static final int PIN_DECODED_DIGEST_LEN_SHA_256 = 32;
    private static final Set<String> VALID_CONFIG_TAGS;
    public static final Set<String> VALID_BASE_TAGS;
    private static final String UNEXPECTED_ELEMENT_MESSAGE = "Unexpected element `<%1$s>`";
    private static final String ALREADY_DECLARED_MESSAGE = "Already declared here";
    private Location.Handle mDebugOverridesHandle;
    static final /* synthetic */ boolean $assertionsDisabled;

    public boolean appliesTo(ResourceFolderType resourceFolderType) {
        return resourceFolderType == ResourceFolderType.XML;
    }

    public void beforeCheckRootProject(Context context) {
        this.mDebugOverridesHandle = null;
    }

    public void visitDocument(XmlContext xmlContext, Document document) {
        Element documentElement = document.getDocumentElement();
        if (documentElement != null && TAG_NETWORK_SECURITY_CONFIG.equals(documentElement.getTagName())) {
            Location.Handle handle = null;
            HashMap newHashMap = Maps.newHashMap();
            for (Element element : XmlUtils.getSubTags(documentElement)) {
                String tagName = element.getTagName();
                if (TAG_BASE_CONFIG.equals(tagName)) {
                    if (handle != null) {
                        reportExceeded(xmlContext, TAG_BASE_CONFIG, element, handle);
                    } else {
                        handle = xmlContext.createLocationHandle(element);
                        handleConfigElement(xmlContext, element, newHashMap);
                        handleBaseConfigElement(xmlContext, element);
                    }
                } else if (TAG_DEBUG_OVERRIDES.equals(tagName)) {
                    if (this.mDebugOverridesHandle != null) {
                        reportExceeded(xmlContext, TAG_DEBUG_OVERRIDES, element, this.mDebugOverridesHandle);
                    } else {
                        this.mDebugOverridesHandle = xmlContext.createLocationHandle(element);
                        handleConfigElement(xmlContext, element, newHashMap);
                    }
                } else if (TAG_DOMAIN_CONFIG.equals(tagName)) {
                    handleConfigElement(xmlContext, element, newHashMap);
                } else if (!checkForTyposInTags(xmlContext, element, VALID_BASE_TAGS)) {
                    xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element), String.format(UNEXPECTED_ELEMENT_MESSAGE, tagName));
                }
            }
        }
    }

    private void handleConfigElement(XmlContext xmlContext, Element element, Map<String, Node> map) {
        String tagName = element.getTagName();
        boolean equals = TAG_DOMAIN_CONFIG.equals(tagName);
        Element element2 = null;
        Element element3 = null;
        checkForTyposInAttributes(xmlContext, element, ATTR_CLEARTEXT_TRAFFIC_PERMITTED, false);
        for (Element element4 : XmlUtils.getSubTags(element)) {
            String tagName2 = element4.getTagName();
            if (TAG_DOMAIN.equals(tagName2)) {
                if (equals) {
                    checkForTyposInAttributes(xmlContext, element4, ATTR_INCLUDE_SUBDOMAINS, true);
                    String lowerCase = element4.getTextContent().trim().toLowerCase(Locale.US);
                    if (map.containsKey(lowerCase)) {
                        xmlContext.report(ISSUE, element4.getFirstChild(), xmlContext.getLocation(element4.getFirstChild()).withSecondary(xmlContext.getLocation(map.get(lowerCase)), ALREADY_DECLARED_MESSAGE), "Duplicate domain names are not allowed");
                    } else {
                        map.put(lowerCase, element4.getFirstChild());
                    }
                } else {
                    xmlContext.report(ISSUE, element4, xmlContext.getNameLocation(element4), String.format("`%1$s` element not allowed in `%2$s`", TAG_DOMAIN, tagName));
                }
            } else if (TAG_TRUST_ANCHORS.equals(tagName2)) {
                if (element2 != null) {
                    xmlContext.report(ISSUE, element4, xmlContext.getNameLocation(element4).withSecondary(xmlContext.getNameLocation(element2), ALREADY_DECLARED_MESSAGE), "Multiple `<trust-anchors>` elements are not allowed");
                } else {
                    element2 = element4;
                    handleTrustAnchors(xmlContext, element4);
                }
            } else if (TAG_DOMAIN_CONFIG.equals(tagName2)) {
                if (equals) {
                    handleConfigElement(xmlContext, element4, map);
                } else {
                    xmlContext.report(ISSUE, element4, xmlContext.getNameLocation(element4), String.format("Nested `<domain-config>` elements are not allowed in `%1$s`", tagName));
                }
            } else if (TAG_PIN_SET.equals(tagName2)) {
                if (!equals) {
                    xmlContext.report(ISSUE, element4, xmlContext.getNameLocation(element4), String.format("`%1$s` element not allowed in `%2$s`", TAG_PIN_SET, tagName));
                }
                if (element3 != null) {
                    xmlContext.report(ISSUE, element4, xmlContext.getNameLocation(element4).withSecondary(xmlContext.getNameLocation(element3), ALREADY_DECLARED_MESSAGE), "Multiple `<pin-set>` elements are not allowed");
                } else {
                    element3 = element4;
                    handlePinSet(xmlContext, element4);
                }
            } else {
                checkForTyposInTags(xmlContext, element4, VALID_CONFIG_TAGS);
            }
        }
        if (equals && map.isEmpty()) {
            xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element), "No `<domain>` elements in `<domain-config>`");
        }
    }

    private void handleBaseConfigElement(XmlContext xmlContext, Element element) {
        Attr attributeNode;
        if (element.hasAttribute(ATTR_CLEARTEXT_TRAFFIC_PERMITTED)) {
            Attr attributeNode2 = element.getAttributeNode(ATTR_CLEARTEXT_TRAFFIC_PERMITTED);
            if (attributeNode2.getValue().equals("true")) {
                Location valueLocation = xmlContext.getValueLocation(attributeNode2);
                xmlContext.report(INSECURE_CONFIGURATION, element, valueLocation, "Insecure Base Configuration", fix().replace().range(valueLocation).with("false").build());
            }
        }
        for (Element element2 : XmlUtils.getSubTags(element)) {
            if (TAG_TRUST_ANCHORS.equals(element2.getTagName())) {
                for (Element element3 : XmlUtils.getSubTags(element2)) {
                    if (TAG_CERTIFICATES.equals(element3.getTagName()) && (attributeNode = element3.getAttributeNode(ATTR_SRC)) != null && "user".equals(attributeNode.getValue())) {
                        xmlContext.report(ACCEPTS_USER_CERTIFICATES, element3, xmlContext.getLocation(element3), "The Network Security Configuration allows the use of user certificates in the release version of your app");
                    }
                }
            }
        }
    }

    private static void handlePinSet(XmlContext xmlContext, Element element) {
        Node firstChild;
        if (element.hasAttribute(ATTR_EXPIRATION)) {
            Attr attributeNode = element.getAttributeNode(ATTR_EXPIRATION);
            String str = null;
            try {
                LocalDate parse = LocalDate.parse(attributeNode.getValue(), DateTimeFormatter.ISO_LOCAL_DATE);
                LocalDate now = LocalDate.now();
                if (parse.isBefore(now)) {
                    str = "`pin-set` has already expired";
                } else if (parse.isBefore(now.plusDays(10L))) {
                    str = "`pin-set` is expiring soon";
                }
            } catch (DateTimeParseException e) {
                xmlContext.report(ISSUE, attributeNode, xmlContext.getValueLocation(attributeNode), "Invalid expiration in `pin-set`");
            }
            if (str != null) {
                xmlContext.report(PIN_SET_EXPIRY, attributeNode, xmlContext.getValueLocation(attributeNode), str);
            }
        } else {
            checkForTyposInAttributes(xmlContext, element, ATTR_EXPIRATION, false);
        }
        int i = 0;
        boolean z = false;
        for (Element element2 : XmlUtils.getSubTags(element)) {
            if (TAG_PIN.equals(element2.getTagName())) {
                i++;
                if (element2.hasAttribute(ATTR_DIGEST)) {
                    Attr attributeNode2 = element2.getAttributeNode(ATTR_DIGEST);
                    if (!PIN_DIGEST_ALGORITHM.equalsIgnoreCase(attributeNode2.getValue())) {
                        String formatList = com.android.tools.lint.detector.api.Lint.formatList(getSupportedPinDigestAlgorithms(), 2);
                        LintFix.GroupBuilder group = LintFix.create().group();
                        for (String str2 : getSupportedPinDigestAlgorithms()) {
                            group.add(LintFix.create().name(String.format("Set digest to \"%1$s\"", str2)).replace().all().with(str2).build());
                        }
                        xmlContext.report(ISSUE, attributeNode2, xmlContext.getValueLocation(attributeNode2), String.format("Invalid digest algorithm. Supported digests: `%1$s`", formatList), group.build());
                    }
                } else {
                    checkForTyposInAttributes(xmlContext, element2, ATTR_DIGEST, true);
                }
                if (element2.hasChildNodes() && (firstChild = element2.getFirstChild()) != null && firstChild.getNodeType() == 3) {
                    try {
                        byte[] decode = Base64.getDecoder().decode(firstChild.getNodeValue());
                        if (decode.length != 32) {
                            xmlContext.report(ISSUE, firstChild, xmlContext.getLocation(firstChild), String.format(Locale.getDefault(), "Decoded digest length `%1$d` does not match expected length for `%2$s` of `%3$d`", Integer.valueOf(decode.length), PIN_DIGEST_ALGORITHM, 32));
                        }
                    } catch (Exception e2) {
                        xmlContext.report(ISSUE, firstChild, xmlContext.getLocation(firstChild), "Invalid pin digest");
                    }
                } else {
                    xmlContext.report(ISSUE, element2, xmlContext.getLocation(element2), "Missing pin digest");
                }
            } else {
                z |= checkForTyposInTags(xmlContext, element2, Collections.singleton(TAG_PIN));
            }
        }
        if (z) {
            return;
        }
        if (i == 0) {
            xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element), "Missing `<pin>` element(s)");
        } else if (i == 1) {
            xmlContext.report(MISSING_BACKUP_PIN, element, xmlContext.getNameLocation(element), "A backup `<pin>` declaration is highly recommended");
        }
    }

    private static void handleTrustAnchors(XmlContext xmlContext, Element element) {
        for (Element element2 : XmlUtils.getSubTags(element)) {
            if (!TAG_CERTIFICATES.equals(element2.getTagName())) {
                checkForTyposInTags(xmlContext, element2, Collections.singleton(TAG_CERTIFICATES));
            } else if (element2.hasAttribute(ATTR_SRC)) {
                Attr attributeNode = element2.getAttributeNode(ATTR_SRC);
                String value = attributeNode.getValue();
                if (ResourceUrl.parse(value) == null && !"user".equals(value) && !"system".equals(value)) {
                    xmlContext.report(ISSUE, attributeNode, xmlContext.getValueLocation(attributeNode), "Unknown certificates `src` attribute. Expecting `system`, `user` or an @resource value");
                }
            } else {
                checkForTyposInAttributes(xmlContext, element2, ATTR_SRC, true);
            }
        }
    }

    private static boolean checkForTyposInTags(XmlContext xmlContext, Element element, Collection<String> collection) {
        String tagName = element.getTagName();
        List<String> generateTypoSuggestions = generateTypoSuggestions(tagName, collection);
        if (generateTypoSuggestions == null) {
            return false;
        }
        if (!$assertionsDisabled && generateTypoSuggestions.isEmpty()) {
            throw new AssertionError();
        }
        String format = String.format("Misspelled tag `<%1$s>`: Did you mean `%2$s`?", tagName, generateTypoSuggestions.size() == 1 ? generateTypoSuggestions.get(0) : generateTypoSuggestions.size() == 2 ? String.format("%1$s or %2$s", generateTypoSuggestions.get(0), generateTypoSuggestions.get(1)) : com.android.tools.lint.detector.api.Lint.formatList(generateTypoSuggestions, -1));
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = generateTypoSuggestions.iterator();
        while (it.hasNext()) {
            arrayList.add(LintFix.create().renameTag(tagName, it.next(), xmlContext.getLocation(element, LocationType.ALL)).build());
        }
        xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element), format, LintFix.create().alternatives((LintFix[]) arrayList.toArray(new LintFix[0])));
        return true;
    }

    private static void checkForTyposInAttributes(XmlContext xmlContext, Element element, String str, boolean z) {
        if (element.hasAttribute(str)) {
            return;
        }
        List<String> list = null;
        NamedNodeMap attributes = element.getAttributes();
        boolean z2 = false;
        Set singleton = Collections.singleton(str);
        for (int i = 0; i < attributes.getLength(); i++) {
            Node item = attributes.item(i);
            String nodeName = item.getNodeName();
            if (!StringsKt.isBlank(nodeName)) {
                list = generateTypoSuggestions(nodeName, singleton);
            }
            if (list != null && list.size() == 1) {
                String str2 = list.get(0);
                xmlContext.report(ISSUE, item, xmlContext.getNameLocation(item), String.format("Misspelled attribute `%1$s`: Did you mean `%2$s`?", nodeName, str), LintFix.create().replaceAttribute((Attr) item, (String) null, str2, item.getNodeValue()).name("Replace with `" + str2 + "`").build());
                z2 = true;
            }
        }
        if (z2 || !z) {
            return;
        }
        xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element), String.format("Missing `%1$s` attribute", str), LintFix.create().set().todo((String) null, str).build());
    }

    private static List<String> generateTypoSuggestions(String str, Collection<String> collection) {
        ArrayList arrayList = null;
        for (String str2 : collection) {
            if (com.android.tools.lint.detector.api.Lint.isEditableTo(str2, str, 3)) {
                if (arrayList == null) {
                    arrayList = new ArrayList(collection.size());
                }
                arrayList.add(str2);
            }
        }
        return arrayList;
    }

    private static void reportExceeded(XmlContext xmlContext, String str, Element element, Location.Handle handle) {
        xmlContext.report(ISSUE, element, xmlContext.getNameLocation(element).withSecondary(handle.resolve(), ALREADY_DECLARED_MESSAGE), String.format("Expecting at most 1 `<%1$s>`", str));
    }

    public static List<String> getSupportedPinDigestAlgorithms() {
        return Collections.singletonList(PIN_DIGEST_ALGORITHM);
    }

    static {
        $assertionsDisabled = !NetworkSecurityConfigDetector.class.desiredAssertionStatus();
        IMPLEMENTATION = new Implementation(NetworkSecurityConfigDetector.class, Scope.RESOURCE_FILE_SCOPE);
        ISSUE = Issue.create("NetworkSecurityConfig", "Valid Network Security Config File", "Ensures that a `<network-security-config>` file, which is pointed to by an `android:networkSecurityConfig` attribute in the manifest file, is valid", Category.CORRECTNESS, 5, Severity.FATAL, IMPLEMENTATION).addMoreInfo("https://developer.android.com/preview/features/security-config.html");
        PIN_SET_EXPIRY = Issue.create("PinSetExpiry", "Validate `<pin-set>` expiration attribute", "Ensures that the `expiration` attribute of the `<pin-set>` element is valid and has not already expired or is expiring soon", Category.CORRECTNESS, 6, Severity.WARNING, IMPLEMENTATION).addMoreInfo("https://developer.android.com/preview/features/security-config.html");
        MISSING_BACKUP_PIN = Issue.create("MissingBackupPin", "Missing Backup Pin", "It is highly recommended to declare a backup `<pin>` element. Not having a second pin defined can cause connection failures when the particular site certificate is rotated and the app has not yet been updated.", Category.CORRECTNESS, 6, Severity.WARNING, IMPLEMENTATION).addMoreInfo("https://developer.android.com/preview/features/security-config.html");
        INSECURE_CONFIGURATION = Issue.create("InsecureBaseConfiguration", "Insecure Base Configuration", "Permitting cleartext traffic could allow eavesdroppers to intercept data sent by your app, which impacts the privacy of your users. Consider only allowing encrypted traffic by setting the `cleartextTrafficPermitted` tag to `false`.", Category.SECURITY, 5, Severity.WARNING, IMPLEMENTATION).addMoreInfo("https://goo.gle/InsecureBaseConfiguration").addMoreInfo("https://developer.android.com/preview/features/security-config.html");
        ACCEPTS_USER_CERTIFICATES = Issue.create("AcceptsUserCertificates", "Allowing User Certificates", "Allowing user certificates could allow eavesdroppers to intercept data sent by your app, which could impact the privacy of your users. Consider nesting your app's `trust-anchors` inside a `<debug-overrides>` element to make sure they are only available when `android:debuggable` is set to `true`.", Category.SECURITY, 5, Severity.WARNING, IMPLEMENTATION).addMoreInfo("https://goo.gle/AcceptsUserCertificates").addMoreInfo("https://developer.android.com/training/articles/security-config#TrustingDebugCa");
        VALID_CONFIG_TAGS = ImmutableSet.of(TAG_DOMAIN, TAG_TRUST_ANCHORS, TAG_PIN_SET, TAG_DOMAIN_CONFIG);
        VALID_BASE_TAGS = ImmutableSet.of(TAG_DOMAIN_CONFIG, TAG_BASE_CONFIG, TAG_DEBUG_OVERRIDES);
    }
}
