package io.yupiik.bundlebee.core.command.impl.lint.builtin;

import io.yupiik.bundlebee.core.command.impl.lint.ContextualLintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintError;
import io.yupiik.bundlebee.core.command.impl.lint.LintingCheck;
import io.yupiik.bundlebee.core.lang.Tuple2;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;

/* loaded from: input_file:io/yupiik/bundlebee/core/command/impl/lint/builtin/AccessToResources.class */
public abstract class AccessToResources extends CheckByKind {
    protected static final Tuple2<List<String>, List<String>> EMPTY_TUPLE2 = new Tuple2<>(List.of(), List.of());
    private final Set<String> resources;
    private final Set<String> verb;
    private final Map<String, LintingCheck.LintableDescriptor> roles;
    private final Map<String, LintingCheck.LintableDescriptor> clusterRoles;
    private final Collection<LintingCheck.LintableDescriptor> roleBindings;
    private final Collection<LintingCheck.LintableDescriptor> clusterRoleBindings;

    /* JADX INFO: Access modifiers changed from: protected */
    public AccessToResources(Set<String> set, Set<String> set2, Set<String> set3) {
        super(set3);
        this.roles = new ConcurrentHashMap();
        this.clusterRoles = new ConcurrentHashMap();
        this.roleBindings = new CopyOnWriteArrayList();
        this.clusterRoleBindings = new CopyOnWriteArrayList();
        this.resources = set;
        this.verb = set2;
    }

    @Override // io.yupiik.bundlebee.core.command.impl.lint.builtin.CheckByKind, io.yupiik.bundlebee.core.command.impl.lint.SynchronousLintingCheck, io.yupiik.bundlebee.core.command.impl.lint.LintingCheck
    public boolean accept(LintingCheck.LintableDescriptor lintableDescriptor) {
        try {
            String kind = lintableDescriptor.kind();
            boolean z = -1;
            switch (kind.hashCode()) {
                case -2104222449:
                    if (kind.equals("RoleBinding")) {
                        z = 2;
                        break;
                    }
                    break;
                case 2552982:
                    if (kind.equals("Role")) {
                        z = false;
                        break;
                    }
                    break;
                case 526262640:
                    if (kind.equals("ClusterRole")) {
                        z = true;
                        break;
                    }
                    break;
                case 1358145269:
                    if (kind.equals("ClusterRoleBinding")) {
                        z = 3;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    this.roles.put(lintableDescriptor.namespace() + ":" + lintableDescriptor.name(), lintableDescriptor);
                    break;
                case true:
                    this.clusterRoles.put(lintableDescriptor.name(), lintableDescriptor);
                    break;
                case true:
                    this.roleBindings.add(lintableDescriptor);
                    break;
                case true:
                    this.clusterRoleBindings.add(lintableDescriptor);
                    break;
            }
            return false;
        } catch (RuntimeException e) {
            return false;
        }
    }

    @Override // io.yupiik.bundlebee.core.command.impl.lint.SynchronousLintingCheck
    public Stream<LintError> validateSync(LintingCheck.LintableDescriptor lintableDescriptor) {
        return Stream.empty();
    }

    @Override // io.yupiik.bundlebee.core.command.impl.lint.SynchronousLintingCheck
    public Stream<ContextualLintError> afterAllSync() {
        return Stream.concat(this.clusterRoleBindings.stream(), this.roleBindings.stream()).flatMap(this::validateBinding);
    }

    private Stream<ContextualLintError> validateBinding(LintingCheck.LintableDescriptor lintableDescriptor) {
        JsonObject jsonObject = lintableDescriptor.getDescriptor().getJsonObject("roleRef");
        if (jsonObject != null && "rbac.authorization.k8s.io".equals(jsonObject.getString("apiGroup", ""))) {
            String string = jsonObject.getString("name", "");
            if (string.isBlank()) {
                return Stream.empty();
            }
            String string2 = jsonObject.getString("kind", "");
            if (string2.isBlank() || !("ClusterRole".equals(string2) || "Role".equals(string2))) {
                return Stream.empty();
            }
            boolean z = -1;
            switch (string2.hashCode()) {
                case 2552982:
                    if (string2.equals("Role")) {
                        z = true;
                        break;
                    }
                    break;
                case 526262640:
                    if (string2.equals("ClusterRole")) {
                        z = false;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    LintingCheck.LintableDescriptor lintableDescriptor2 = this.clusterRoles.get(string);
                    if (lintableDescriptor2 != null) {
                        return validateRole(lintableDescriptor, lintableDescriptor2.getDescriptor());
                    }
                    lazyLogger().warning("ClusterRole '" + string + "' is assumed already deployed, skipping its validation");
                    return Stream.empty();
                case true:
                    LintingCheck.LintableDescriptor lintableDescriptor3 = this.roles.get(lintableDescriptor.namespace() + ":" + string);
                    if (lintableDescriptor3 != null) {
                        return validateRole(lintableDescriptor, lintableDescriptor3.getDescriptor());
                    }
                    lazyLogger().warning("Role '" + string + "' is assumed already deployed, skipping its validation");
                    return Stream.empty();
                default:
                    return Stream.empty();
            }
        }
        return Stream.empty();
    }

    private Stream<ContextualLintError> validateRole(LintingCheck.LintableDescriptor lintableDescriptor, JsonObject jsonObject) {
        return (Stream) Optional.ofNullable(jsonObject.getJsonArray("rules")).map(jsonArray -> {
            return jsonArray.stream().map((v0) -> {
                return v0.asJsonObject();
            }).filter(jsonObject2 -> {
                return "".equals(jsonObject2.getString("apiGroups", ""));
            }).map(jsonObject3 -> {
                JsonArray jsonArray = (JsonArray) Optional.ofNullable(jsonObject3.getJsonArray("resources")).orElse(JsonValue.EMPTY_JSON_ARRAY);
                Stream map = ((JsonArray) Optional.ofNullable(jsonObject3.getJsonArray("verbs")).orElse(JsonValue.EMPTY_JSON_ARRAY)).stream().filter(jsonValue -> {
                    return jsonValue.getValueType() == JsonValue.ValueType.STRING;
                }).map(jsonValue2 -> {
                    return ((JsonString) jsonValue2).getString();
                });
                Set<String> set = this.verb;
                Objects.requireNonNull(set);
                List list = (List) map.filter((v1) -> {
                    return r1.contains(v1);
                }).collect(Collectors.toList());
                if (list.isEmpty()) {
                    return EMPTY_TUPLE2;
                }
                Stream map2 = jsonArray.stream().filter(jsonValue3 -> {
                    return jsonValue3.getValueType() == JsonValue.ValueType.STRING;
                }).map(jsonValue4 -> {
                    return ((JsonString) jsonValue4).getString();
                });
                Set<String> set2 = this.resources;
                Objects.requireNonNull(set2);
                return new Tuple2(list, (List) map2.filter((v1) -> {
                    return r1.contains(v1);
                }).collect(Collectors.toList()));
            }).filter(tuple2 -> {
                return (((List) tuple2.getFirst()).isEmpty() || ((List) tuple2.getSecond()).isEmpty()) ? false : true;
            }).map(tuple22 -> {
                return new ContextualLintError(LintError.LintLevel.WARNING, lintableDescriptor.getDescriptor().getString("kind") + " '" + lintableDescriptor.name() + "' enables to " + String.join(",", (Iterable<? extends CharSequence>) tuple22.getFirst()) + " " + String.join(", ", (Iterable<? extends CharSequence>) tuple22.getSecond()), lintableDescriptor.getAlveolus(), lintableDescriptor.getName());
            });
        }).orElseGet(Stream::empty);
    }
}
