package com.palantir.baseline.errorprone;

import com.google.auto.service.AutoService;
import com.google.errorprone.BugPattern;
import com.google.errorprone.VisitorState;
import com.google.errorprone.bugpatterns.BugChecker;
import com.google.errorprone.matchers.Description;
import com.google.errorprone.matchers.Matcher;
import com.google.errorprone.matchers.Matchers;
import com.google.errorprone.matchers.method.MethodMatchers;
import com.sun.source.tree.ExpressionTree;
import com.sun.source.tree.MethodInvocationTree;

@BugPattern(name = "PreventTokenLogging", link = "https://github.com/palantir/gradle-baseline#baseline-error-prone-checks", linkType = BugPattern.LinkType.CUSTOM, severity = BugPattern.SeverityLevel.ERROR, summary = "Authentication token information should never be logged as it poses a security risk. Prevents AuthHeader and BearerToken information from being passed to common logging calls.")
@AutoService({BugChecker.class})
/* loaded from: input_file:com/palantir/baseline/errorprone/PreventTokenLogging.class */
public final class PreventTokenLogging extends BugChecker implements BugChecker.MethodInvocationTreeMatcher {
    private static final Matcher<ExpressionTree> METHOD_MATCHER = Matchers.anyOf(new Matcher[]{MethodMatchers.instanceMethod().onDescendantOf("org.slf4j.Logger"), MethodMatchers.staticMethod().onClassAny(new String[]{"com.palantir.logsafe.SafeArg", "com.palantir.logsafe.UnsafeArg"}).named("of")});
    private static final Matcher<ExpressionTree> AUTH_MATCHER = Matchers.anyOf(new Matcher[]{MoreMatchers.isSubtypeOf("com.palantir.tokens.auth.AuthHeader"), MoreMatchers.isSubtypeOf("com.palantir.tokens.auth.BearerToken")});

    public Description matchMethodInvocation(MethodInvocationTree methodInvocationTree, VisitorState visitorState) {
        if (METHOD_MATCHER.matches(methodInvocationTree, visitorState)) {
            for (ExpressionTree expressionTree : methodInvocationTree.getArguments()) {
                if (AUTH_MATCHER.matches(expressionTree, visitorState)) {
                    return buildDescription(expressionTree).setMessage("Authentication information is not allowed to be logged.").build();
                }
            }
        }
        return Description.NO_MATCH;
    }
}
