package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import javax.enterprise.context.Dependent;
import javax.json.JsonValue;

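/**
 * Built-in lint check ({@code docker-sock}) that reports an error when a workload descriptor
 * declares a {@code hostPath} volume whose path ends with {@code docker.sock}.
 *
 * <p>Coverage caveats a reviewer should keep in mind:
 * <ul>
 *   <li>Only the kinds listed in {@link #SUPPORTED_KINDS} are inspected; other pod-bearing kinds
 *       (for instance DaemonSet or StatefulSet) are not looked at by this check.</li>
 *   <li>Only a path ending with {@code docker.sock} is matched. A {@code hostPath} volume on a
 *       parent directory of the socket, or on another container runtime socket, is not reported
 *       here and needs a separate control.</li>
 * </ul>
 */
@Dependent
public class DockerSock extends CheckValue {
    /** JSON pointer to the volumes of kinds embedding a pod template directly under {@code spec}. */
    private static final String POD_TEMPLATE_VOLUMES = "/spec/template/spec/volumes";

    /** Descriptor kinds this check is registered for. */
    private static final Set<String> SUPPORTED_KINDS =
            Set.of("DeploymentConfig", "Deployment", "CronJob", "Pod", "Job");

    /**
     * Per-kind JSON pointer to the pod {@code volumes} array.
     *
     * <p>A CronJob nests its pod template under {@code spec.jobTemplate.spec.template}; the previous
     * pointer omitted the intermediate {@code /spec}, so it did not match the CronJob schema and the
     * volumes of a CronJob could not be resolved for inspection.
     */
    private static final Map<String, String> VOLUMES_POINTERS = Map.of(
            "DeploymentConfig", POD_TEMPLATE_VOLUMES,
            "Deployment", POD_TEMPLATE_VOLUMES,
            "CronJob", "/spec/jobTemplate/spec/template/spec/volumes",
            "Job", POD_TEMPLATE_VOLUMES,
            "Pod", "/spec/volumes");

    public DockerSock() {
        // NOTE(review): the meaning of the trailing boolean is defined by CheckValue, which is not
        // visible here - presumably it controls how a missing pointer is handled; confirm.
        super(SUPPORTED_KINDS, VOLUMES_POINTERS, true);
    }

    @Override
    public String name() {
        return "docker-sock";
    }

    @Override
    public String description() {
        return "Alert on deployments with docker.sock mounted in containers.";
    }

    @Override
    public String remediation() {
        return "Ensure the Docker socket is not mounted inside any containers by removing the associated \n"
                + "Volume and VolumeMount in deployment yaml specification.\n"
                + "If the Docker socket is mounted inside a container it could allow processes running within \n"
                + "the container to execute Docker commands which would effectively allow for full control of the host.";
    }

    /**
     * Inspects a volumes array and reports a host-bound Docker socket.
     *
     * <p>Entries that are not JSON objects, and {@code hostPath} values that are absent, JSON
     * {@code null} or not objects, are skipped instead of raising a {@link ClassCastException}, so a
     * malformed descriptor does not abort the check.
     *
     * @param lintableDescriptor the descriptor being linted (not read by this check).
     * @param jsonValue the value to inspect; presumably the one resolved from the per-kind pointer
     *                  passed to the parent constructor - confirm against CheckValue.
     * @return a single {@code ERROR} when at least one {@code hostPath} volume has a path ending
     *         with {@code docker.sock}, an empty stream otherwise (including when the value is not
     *         an array).
     */
    @Override
    protected Stream<LintError> doValidate(final LintingCheck.LintableDescriptor lintableDescriptor, final JsonValue jsonValue) {
        if (jsonValue == null || jsonValue.getValueType() != JsonValue.ValueType.ARRAY) {
            return Stream.empty();
        }

        final boolean bindsDockerSocket = jsonValue.asJsonArray().stream()
                .filter(DockerSock::isJsonObject)
                .map(JsonValue::asJsonObject)
                // read the raw value: getJsonObject() would fail on an explicit JSON null or a scalar
                .map(volume -> volume.get("hostPath"))
                .filter(DockerSock::isJsonObject)
                .map(JsonValue::asJsonObject)
                .anyMatch(hostPath -> hostPath.getString("path", "").endsWith("docker.sock"));

        return bindsDockerSocket
                ? Stream.of(new LintError(LintError.LintLevel.ERROR, "docker.sock shouldn't be bound from the host"))
                : Stream.empty();
    }

    /** Tells whether the value is present and is a JSON object. */
    private static boolean isJsonObject(final JsonValue value) {
        return value != null && value.getValueType() == JsonValue.ValueType.OBJECT;
    }
}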
