package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import java.util.Optional;
import java.util.stream.Stream;
import javax.enterprise.context.Dependent;
import javax.json.JsonArray;
import javax.json.JsonObject;

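/**
 * Lint check reporting containers that receive a Kubernetes secret through an environment variable.
 *
 * <p>Each {@code env} entry of a container whose {@code valueFrom} holds a {@code secretKeyRef}
 * produces one {@link LintError} at {@code ERROR} level. Init containers are checked as well.
 * The rule text returned by {@link #description()} cites CIS Benchmark 5.4.1.
 *
 * <p>NOTE(review): only {@code env[].valueFrom.secretKeyRef} is inspected. Kubernetes also lets a
 * container import every key of a secret as environment variables through
 * {@code envFrom[].secretRef}; that form is not reported here, so a descriptor using it passes this
 * check. Confirm whether another check covers it before relying on this one alone.
 */
@Dependent
public class ReadSecretFromEnvVar extends ContainerValueValidator {
    /**
     * @return the identifier of this check.
     */
    @Override
    public String name() {
        return "read-secret-from-env-var";
    }

    /**
     * @return the human-readable explanation of what this check reports.
     */
    @Override
    public String description() {
        return "Indicates when a deployment reads secret from environment variables.\nCIS Benchmark 5.4.1: \"Prefer using secrets as files over secrets as environment variables. \"";
    }

    /**
     * @return the advice shown to the user when the check fails.
     */
    @Override
    public String remediation() {
        return "If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables.\nRefer to https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets for details.";
    }

    /**
     * @return {@code true}: init containers are validated like regular containers.
     */
    @Override
    protected boolean supportsInitContainers() {
        return true;
    }

    /**
     * Reports every environment variable of a container that is populated from a secret key.
     *
     * <p>Values that do not have the expected JSON type (an {@code env} that is not an array, an
     * entry that is not an object, a {@code valueFrom} that is {@code null} or not an object) are
     * skipped instead of failing with a {@link ClassCastException}, so one malformed entry does
     * not abort the lint run and hide the findings of the remaining entries.
     *
     * @param jsonObject the container definition to inspect.
     * @param lintableDescriptor the descriptor owning the container; not used by this check.
     * @return one error per {@code env} entry referencing a {@code secretKeyRef}, possibly empty.
     */
    @Override
    protected Stream<LintError> validate(final JsonObject jsonObject, final LintingCheck.LintableDescriptor lintableDescriptor) {
        // read the raw value: a typed getter would throw when "env" is present but not an array
        final Object env = jsonObject.get("env");
        if (!(env instanceof JsonArray)) {
            return Stream.empty();
        }
        return ((JsonArray) env).stream()
                .filter(JsonObject.class::isInstance)
                .map(JsonObject.class::cast)
                .filter(ReadSecretFromEnvVar::readsSecretKey)
                .map(entry -> new LintError(
                        LintError.LintLevel.ERROR,
                        "Secret read from env for '" + entry.getString("name", "") + "' environment variable"));
    }

    /**
     * Tells whether an {@code env} entry takes its value from a secret key.
     *
     * @param envEntry one element of the container {@code env} array.
     * @return {@code true} when {@code valueFrom} is an object containing {@code secretKeyRef}.
     */
    private static boolean readsSecretKey(final JsonObject envEntry) {
        final Object valueFrom = envEntry.get("valueFrom");
        return valueFrom instanceof JsonObject && ((JsonObject) valueFrom).containsKey("secretKeyRef");
    }
}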
