# Copyright (c) 2023 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'contrast/agent/assess/policy/policy_node'
require 'contrast/agent/reporting/reporting_events/finding_event_taint_range_tags'
require 'contrast/components/logger'

module Contrast
  module Agent
    module Assess
      module Policy
        # This class functions to translate our policy.json into an actionable
        # Ruby object, allowing for dynamic patching over hardcoded patching,
        # specifically for those methods which result in the transformation of
        # untrusted data (indicate points in the application where user
        # controlled input is modified).
        class PropagationNode < PolicyNode
          include Contrast::Components::Logger::InstanceMethods

          JSON_ACTION = 'action'
          JSON_UNTAGS = 'untags'
          JSON_PATCH_CLASS = 'patch_class'
          JSON_PATCH_METHOD = 'patch_method'

          # @return action [String] the action to be taken by this propagation
          #  node. This can be one of the following:
          # - 'CUSTOM' - the propagation node is a custom propagation node
          # - 'DB_WRITE' - the propagation node is a database write propagation
          #  node
          # - 'APPEND' - the propagation node is an append propagation node
          # - 'CENTER' - the propagation node is a center propagation node
          # - 'INSERT' - the propagation node is an insert propagation node
          # - 'KEEP' - the propagation node is a keep propagation node
          # - 'NEXT' - the propagation node is a next propagation node
          # - 'BUFFER' - the propagation node is a buffer propagation node
          # - 'NOOP' - the propagation node is a noop propagation node
          # - 'PREPEND' - the propagation node is a prepend propagation node
          # - 'REPLACE' - the propagation node is a replace propagation node
          # - 'REMOVE' - the propagation node is a remove propagation node
          # - 'REVERSE' - the propagation node is a reverse propagation node
          # - 'RESPONSE' - the propagation node is a response propagation node
          # - 'SPLAT' - the propagation node is a splat propagation node
          # - 'SPLIT' - the propagation node is a split propagation node
          attr_reader :action
          # @return untags [Array<String>] the tags to be removed from the
          # target of this propagation node.
          attr_reader :untags
          # @return patch_class [String] the class name of the class that
          # contains the method to be called for this propagation node.
          attr_reader :patch_method
          # @return patch_method [Symbol] the name of the method to be called
          # for this propagation node.
          attr_accessor :patch_class

          TAGGER = 'Tagger'
          PROPAGATOR = 'Propagator'
          # Most things here carry over from PolicyNode.
          # A couple things are new / have new rules
          #
          # Source - from where the tainted data flows, cannot be nil
          # Target - to where the tainted data flows, cannot be nil
          # Action - how the tainted data flows from source to target, should not be nil
          # Tags - array of tags to apply to the target, can be nil if no tags are added
          # Untags - array of tags to remove from the target, can be nil if not tags are removed
          # id, class_name, instance_method, method_name, source, target, action, tags = nil, untags = nil
          #
          # @param propagation_hash [Hash] the hash from which to build the
          #   propagation node.
          def initialize propagation_hash = {}
            super(propagation_hash)
            @action = propagation_hash[JSON_ACTION]
            @untags = Set.new(propagation_hash[JSON_UNTAGS])
            @patch_class = propagation_hash[JSON_PATCH_CLASS]
            @patch_method = propagation_hash[JSON_PATCH_METHOD]
            @patch_method = @patch_method.to_sym if @patch_method
            validate
          rescue ArgumentError => e
            logger.error('Propagation Node Initialization failed with: ', e)
            nil
          end

          # @return [String] class name
          def node_class
            @_node_class ||= tagger? ? TAGGER : PROPAGATOR
          end

          # Unlike the other agents, we don't have separate tag & propagation
          # events. To make TS happy, we need to have different types though.
          # Pretty straight forward: if there's a tag, this is a tagger
          #
          # @return [Symbol] the type of node.
          def node_type
            tagger? ? :TYPE_TAG : :TYPE_PROPAGATION
          end

          # Standard validation + TS trace version two rules:
          # Must have source, target, and action
          #
          # @raise[ArgumentError] raises if any of the required propagation node field is not valid, or is missing
          def validate
            super
            raise(ArgumentError, "Propagator #{ id } did not have a proper action. Unable to create.") unless action

            if @action == 'CUSTOM'
              unless patch_class
                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_class. Unable to create.")
              end
              unless patch_method.is_a?(Symbol)
                raise(ArgumentError, "Propagator #{ id } did not have a proper patch_method. Unable to create.")
              end
            else
              unless targets&.any?
                raise(ArgumentError, "Propagator #{ id } did not have a proper target. Unable to create.")
              end
              unless sources&.any?
                raise(ArgumentError, "Propagator #{ id } did not have a proper source. Unable to create.")
              end
            end
            validate_untags
          end

          # @raise[ArgumentError] raises if any of the tags is invalid
          def validate_untags
            return unless untags

            untags.each do |tag|
              unless Contrast::Agent::Reporting::FindingEventTaintRangeTags::VALID_TAGS.include?(tag)
                raise(ArgumentError,
                      "#{ node_type } #{ id } did not have a valid untag. #{ tag } is not a known value.")
              end
              if tags&.include?(tag)
                raise(ArgumentError, "#{ node_type } #{ id } had the same tag and untag, #{ tag }.")
              end
            end
          end

          # @return [Boolean]
          #  propagation node.
          def needs_object?
            if @_needs_object.nil?
              @_needs_object = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                  sources.any?(Contrast::Utils::ObjectShare::OBJECT_KEY) ||
                  targets.any?(Contrast::Utils::ObjectShare::OBJECT_KEY)
            end
            @_needs_object
          end

          # @return [Boolean]
          def needs_args?
            if @_needs_args.nil?
              @_needs_args = action == Contrast::Utils::Assess::PropagationMethodUtils::CUSTOM_ACTION ||
                  action == Contrast::Utils::Assess::PropagationMethodUtils::DB_WRITE_ACTION ||
                  sources.any? { |source| source.is_a?(Integer) || source.is_a?(Symbol) } ||
                  targets.any? { |target| target.is_a?(Integer) || target.is_a?(Symbol) }
            end
            @_needs_args
          end

          # This is a tagger if it has a tag or an untag.
          # It indicates this method is more than just a transformation,
          # it is an interesting security event that has a meaningful
          # change.
          #
          # @return [Boolean]
          def tagger?
            @_tagger = tags&.any? || untags&.any? if @_tagger.nil?
            @_tagger
          end
        end
      end
    end
  end
end