/**
 * @name Missing JWT signature check
 * @description Not checking the JWT signature allows an attacker to forge their own tokens.
 * @kind problem
 * @problem.severity error
 * @precision high
 * @id java/missing-jwt-signature-check
 * @tags security
 *       external/cwe/cwe-347
 */

import java
import semmle.code.java.dataflow.DataFlow

/** The interface `io.jsonwebtoken.JwtParser`. */
class TypeJwtParser extends Interface {
  TypeJwtParser() { this.hasQualifiedName("io.jsonwebtoken", "JwtParser") }
}

/** The interface `io.jsonwebtoken.JwtParser` or a type derived from it. */
class TypeDerivedJwtParser extends RefType {
  TypeDerivedJwtParser() { this.getASourceSupertype*() instanceof TypeJwtParser }
}

/** The interface `io.jsonwebtoken.JwtParserBuilder`. */
class TypeJwtParserBuilder extends Interface {
  TypeJwtParserBuilder() { this.hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder") }
}

/** The interface `io.jsonwebtoken.JwtHandler`. */
class TypeJwtHandler extends Interface {
  TypeJwtHandler() { this.hasQualifiedName("io.jsonwebtoken", "JwtHandler") }
}

/** The class `io.jsonwebtoken.JwtHandlerAdapter`. */
class TypeJwtHandlerAdapter extends Class {
  TypeJwtHandlerAdapter() { this.hasQualifiedName("io.jsonwebtoken", "JwtHandlerAdapter") }
}

/** The `parse(token, handler)` method defined in `JwtParser`. */
private class JwtParserParseHandlerMethod extends Method {
  JwtParserParseHandlerMethod() {
    this.hasName("parse") and
    this.getDeclaringType() instanceof TypeJwtParser and
    this.getNumberOfParameters() = 2
  }
}

/** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `JwtParser`. */
private class JwtParserInsecureParseMethod extends Method {
  JwtParserInsecureParseMethod() {
    this.hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
    this.getNumberOfParameters() = 1 and
    this.getDeclaringType() instanceof TypeJwtParser
  }
}

/** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandler`. */
private class JwtHandlerOnJwtMethod extends Method {
  JwtHandlerOnJwtMethod() {
    this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
    this.getNumberOfParameters() = 1 and
    this.getDeclaringType() instanceof TypeJwtHandler
  }
}

/** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandlerAdapter`. */
private class JwtHandlerAdapterOnJwtMethod extends Method {
  JwtHandlerAdapterOnJwtMethod() {
    this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
    this.getNumberOfParameters() = 1 and
    this.getDeclaringType() instanceof TypeJwtHandlerAdapter
  }
}

/**
 * Holds if `parseHandlerExpr` is an insecure `JwtHandler`.
 * That is, it overrides a method from `JwtHandlerOnJwtMethod` and the override is not defined on `JwtHandlerAdapter`.
 * `JwtHandlerAdapter`'s overrides are safe since they always throw an exception.
 */
private predicate isInsecureJwtHandler(Expr parseHandlerExpr) {
  exists(RefType t |
    parseHandlerExpr.getType() = t and
    t.getASourceSupertype*() instanceof TypeJwtHandler and
    exists(Method m |
      m = t.getAMethod() and
      m.getASourceOverriddenMethod+() instanceof JwtHandlerOnJwtMethod and
      not m.getSourceDeclaration() instanceof JwtHandlerAdapterOnJwtMethod
    )
  )
}

/**
 * An access to an insecure parsing method.
 * That is, either a call to a `parse(token)`, `parseClaimsJwt(token)` or `parsePlaintextJwt(token)` method or
 * a call to a `parse(token, handler)` method where the `handler` is considered insecure.
 */
private class JwtParserInsecureParseMethodAccess extends MethodAccess {
  JwtParserInsecureParseMethodAccess() {
    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethod
    or
    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
    isInsecureJwtHandler(this.getArgument(1))
  }
}

/**
 * Holds if `signingMa` directly or indirectly sets a signing key for `expr`, which is a `JwtParser`.
 * The `setSigningKey` and `setSigningKeyResolver` methods set a signing key for a `JwtParser`.
 * Directly means code like this:
 * ```java
 * Jwts.parser().setSigningKey(key).parse(token);
 * ```
 * Here the signing key is set directly on a `JwtParser`.
 * Indirectly means code like this:
 * ```java
 * Jwts.parserBuilder().setSigningKey(key).build().parse(token);
 * ```
 * In this case, the signing key is set on a `JwtParserBuilder` indirectly setting the key of `JwtParser` that is created by the call to `build`.
 */
private predicate isSigningKeySetter(Expr expr, MethodAccess signingMa) {
  any(SigningToInsecureMethodAccessDataFlow s)
      .hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
}

/**
 * An expr that is a (sub-type of) `JwtParser` for which a signing key has been set and which is used as
 * the qualifier to a `JwtParserInsecureParseMethodAccess`.
 */
private class JwtParserWithSigningKeyExpr extends Expr {
  MethodAccess signingMa;

  JwtParserWithSigningKeyExpr() {
    this.getType() instanceof TypeDerivedJwtParser and
    isSigningKeySetter(this, signingMa)
  }

  /** Gets the method access that sets the signing key for this parser. */
  MethodAccess getSigningMethodAccess() { result = signingMa }
}

/**
 * Models flow from `SigningKeyMethodAccess`es to qualifiers of `JwtParserInsecureParseMethodAccess`es.
 * This is used to determine whether a `JwtParser` has a signing key set.
 */
private class SigningToInsecureMethodAccessDataFlow extends DataFlow::Configuration {
  SigningToInsecureMethodAccessDataFlow() { this = "SigningToExprDataFlow" }

  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof SigningKeyMethodAccess
  }

  override predicate isSink(DataFlow::Node sink) {
    any(JwtParserInsecureParseMethodAccess ma).getQualifier() = sink.asExpr()
  }

  /** Models the builder style of `JwtParser` and `JwtParserBuilder`. */
  override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    (
      pred.asExpr().getType() instanceof TypeDerivedJwtParser or
      pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParserBuilder
    ) and
    succ.asExpr().(MethodAccess).getQualifier() = pred.asExpr()
  }
}

/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overridden method) defined in `JwtParser` and `JwtParserBuilder`. */
private class SigningKeyMethodAccess extends MethodAccess {
  SigningKeyMethodAccess() {
    exists(Method m |
      m.hasName(["setSigningKey", "setSigningKeyResolver"]) and
      m.getNumberOfParameters() = 1 and
      (
        m.getDeclaringType() instanceof TypeJwtParser or
        m.getDeclaringType() instanceof TypeJwtParserBuilder
      )
    |
      m = this.getMethod().getASourceOverriddenMethod*()
    )
  }
}

/**
 * Holds if the `MethodAccess` `ma` occurs in a test file. A test file is any file that
 * is a direct or indirect child of a directory named `test`, ignoring case.
 */
private predicate isInTestFile(MethodAccess ma) {
  exists(string lowerCasedAbsolutePath |
    lowerCasedAbsolutePath = ma.getLocation().getFile().getAbsolutePath().toLowerCase()
  |
    lowerCasedAbsolutePath.matches("%/test/%") and
    not lowerCasedAbsolutePath
        .matches("%/ql/test/experimental/query-tests/security/CWE-347/%".toLowerCase())
  )
}

from JwtParserInsecureParseMethodAccess ma, JwtParserWithSigningKeyExpr parserExpr
where ma.getQualifier() = parserExpr and not isInTestFile(ma)
select ma, "A signing key is set $@, but the signature is not verified.",
  parserExpr.getSigningMethodAccess(), "here"