package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import java.util.Set;
import java.util.stream.Stream;
import javax.enterprise.context.Dependent;
import javax.json.JsonString;
import javax.json.JsonValue;

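/**
 * Lint check that reports {@code Role} and {@code ClusterRole} descriptors whose
 * {@code rules} entries grant the wildcard verb {@code "*"}.
 *
 * <p>Only the {@code verbs} array of each rule is inspected here.
 * NOTE(review): wildcards in other rule fields (for example {@code resources} or
 * {@code apiGroups}) are not reported by this class, although the description refers to
 * wildcards in rules in general - confirm whether another check covers them.
 */
@Dependent
public class WildcardUsedInRules extends CheckByKind {
    /** Literal the check looks for inside a rule's {@code verbs} array. */
    private static final String WILDCARD = "*";

    /** Registers the check for the {@code Role} and {@code ClusterRole} kinds. */
    public WildcardUsedInRules() {
        super(Set.of("Role", "ClusterRole"));
    }

    /** @return the identifier of this check. */
    @Override
    public String name() {
        return "wildcard-in-rules";
    }

    /** @return the human-readable rationale for this check. */
    @Override
    public String description() {
        return "Indicate when a wildcard is used in Role or ClusterRole rules.\nCIS Benchmark 5.1.3 Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.";
    }

    /** @return the advice shown to the user when the check fails. */
    @Override
    public String remediation() {
        return "Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.";
    }

    /**
     * Emits one {@code ERROR} per rule whose {@code verbs} array contains the string {@code "*"}.
     *
     * <p>A {@code rules} or {@code verbs} entry that is absent, JSON {@code null} or otherwise
     * not an array, and a rule that is not a JSON object, is skipped rather than cast, so such
     * a descriptor does not fail the check with a {@link ClassCastException}.
     *
     * @param lintableDescriptor the descriptor under analysis
     * @return the errors found, empty when no rule uses the wildcard verb
     */
    @Override
    public Stream<LintError> validateSync(LintingCheck.LintableDescriptor lintableDescriptor) {
        return arrayItems(lintableDescriptor.getDescriptor().get("rules"))
                .filter(rule -> rule.getValueType() == JsonValue.ValueType.OBJECT)
                .map(JsonValue::asJsonObject)
                .filter(rule -> arrayItems(rule.get("verbs")).anyMatch(WildcardUsedInRules::isWildcard))
                .map(rule -> new LintError(LintError.LintLevel.ERROR, "Wildcard verb used in rule " + rule));
    }

    /** Streams the elements of {@code value} when it is a JSON array, otherwise nothing. */
    private static Stream<JsonValue> arrayItems(JsonValue value) {
        if (value == null || value.getValueType() != JsonValue.ValueType.ARRAY) {
            return Stream.empty();
        }
        return value.asJsonArray().stream();
    }

    /** Tells whether {@code value} is the JSON string {@code "*"}. */
    private static boolean isWildcard(JsonValue value) {
        return value.getValueType() == JsonValue.ValueType.STRING
                && WILDCARD.equals(((JsonString) value).getString());
    }
}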
