package org.sonar.iac.terraform.checks;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.Policy;
import org.sonar.iac.common.extension.visitors.TreeContext;
import org.sonar.iac.common.extension.visitors.TreeVisitor;
import org.sonar.iac.terraform.api.tree.AttributeAccessTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.FileTree;
import org.sonar.iac.terraform.api.tree.LiteralExprTree;
import org.sonar.iac.terraform.api.tree.ObjectTree;
import org.sonar.iac.terraform.api.tree.TemplateExpressionTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.utils.PolicyUtils;

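/**
 * Rule S6249: S3 buckets should deny plain-HTTP requests.
 *
 * <p>For every {@code aws_s3_bucket} resource of a file the check looks up a policy: an inline
 * policy of the bucket itself, or the policy of an {@code aws_s3_bucket_policy} resource whose
 * {@code bucket} attribute refers to it. A bucket with no policy at all is reported. A bucket with
 * a policy is reported when one of its statements deviates from a "deny every non-HTTPS request"
 * pattern; each deviation (effect, condition, action, principal or resource) becomes a secondary
 * location explaining what is too permissive.
 *
 * <p>Issues are anchored on the first label of the resource block (the resource type token).
 */
@Rule(key = "S6249")
public class BucketsInsecureHttpCheck implements IacCheck {
    private static final String MESSAGE = "Make sure authorizing HTTP requests is safe here.";
    /** Secondary: the condition denies HTTPS instead of HTTP ({@code aws:SecureTransport} is not {@code false}). */
    private static final String MESSAGE_SECONDARY_CONDITION = "HTTPS requests are denied.";
    /** Secondary: the statement's effect is not {@code Deny}. */
    private static final String MESSAGE_SECONDARY_EFFECT = "Non-conforming requests should be denied.";
    /** Secondary: the action is neither {@code *} nor {@code s3:*}. */
    private static final String MESSAGE_SECONDARY_ACTION = "All S3 actions should be restricted.";
    /** Secondary: the {@code AWS} principal is a list or something other than {@code *}. */
    private static final String MESSAGE_SECONDARY_PRINCIPAL = "All principals should be restricted.";
    /** Secondary: no resource identifier ends with a wildcard. */
    private static final String MESSAGE_SECONDARY_RESOURCE = "All resources should be restricted.";

    /**
     * Visitor collecting the S3 bucket resources and the {@code aws_s3_bucket_policy} resources
     * of a file, in source order.
     */
    public static class BucketsAndPoliciesCollector extends TreeVisitor<TreeContext> {
        private final List<BlockTree> buckets = new ArrayList<>();
        private final List<BlockTree> policies = new ArrayList<>();

        public BucketsAndPoliciesCollector() {
            register(BlockTree.class, (ctx, block) -> {
                if (AbstractResourceCheck.isS3BucketResource(block)) {
                    buckets.add(block);
                } else if (AbstractResourceCheck.isResource(block, "aws_s3_bucket_policy")) {
                    policies.add(block);
                }
            });
        }
    }

    /**
     * Evaluates the statements of a bucket policy against the expected
     * "deny all S3 actions for all principals on all resources unless {@code aws:SecureTransport}" shape.
     */
    public static class PolicyValidator {
        private PolicyValidator() {
        }

        /**
         * Collects every statement part that is more permissive than expected.
         *
         * @param policy the bucket policy to inspect
         * @return offending expressions mapped to the secondary message explaining them, in
         *         statement order (effect, condition, action, principal, resource per statement);
         *         empty when the policy conforms
         */
        public static Map<ExpressionTree, String> getInsecureValues(Policy policy) {
            // LinkedHashMap keeps the secondary locations in a stable, source-related order.
            Map<ExpressionTree, String> insecure = new LinkedHashMap<>();
            policy.statement().forEach(statement -> {
                statement.effect()
                    .filter(PolicyValidator::isInsecureEffect)
                    .ifPresent(effect -> insecure.put((ExpressionTree) effect, MESSAGE_SECONDARY_EFFECT));
                statement.condition()
                    .filter(PolicyValidator::isInsecureCondition)
                    .ifPresent(condition -> insecure.put((ExpressionTree) condition, MESSAGE_SECONDARY_CONDITION));
                statement.action()
                    .filter(PolicyValidator::isInsecureAction)
                    .ifPresent(action -> insecure.put((ExpressionTree) action, MESSAGE_SECONDARY_ACTION));
                statement.principal()
                    .filter(PolicyValidator::isInsecurePrincipal)
                    .ifPresent(principal -> insecure.put((ExpressionTree) principal, MESSAGE_SECONDARY_PRINCIPAL));
                statement.resource()
                    .filter(PolicyValidator::isInsecureResource)
                    .ifPresent(resource -> insecure.put((ExpressionTree) resource, MESSAGE_SECONDARY_RESOURCE));
            });
            return insecure;
        }

        /**
         * A resource entry is insecure when it yields at least one identifier (a literal, a
         * template, or the elements of a tuple) and none of those identifiers is wildcard-terminated.
         * Note that a single wildcard identifier makes the whole entry count as secure.
         */
        private static boolean isInsecureResource(Tree tree) {
            List<Tree> identifiers = new ArrayList<>();
            if (tree instanceof LiteralExprTree || tree instanceof TemplateExpressionTree) {
                identifiers.add(tree);
            } else if (tree instanceof TupleTree) {
                identifiers.addAll(((TupleTree) tree).elements().trees());
            }
            return !identifiers.isEmpty()
                && identifiers.stream().noneMatch(PolicyValidator::isResourceIdentifierSecure);
        }

        /**
         * A literal is secure when it ends with {@code *}; a template is judged by its last part.
         * Any other expression (e.g. a reference that cannot be resolved statically) is treated as
         * secure, presumably to avoid false positives.
         */
        private static boolean isResourceIdentifierSecure(Tree tree) {
            if (tree instanceof LiteralExprTree) {
                return ((LiteralExprTree) tree).value().endsWith("*");
            }
            if (!(tree instanceof TemplateExpressionTree)) {
                return true;
            }
            List<ExpressionTree> parts = ((TemplateExpressionTree) tree).parts();
            return !parts.isEmpty() && isResourceIdentifierSecure(parts.get(parts.size() - 1));
        }

        /** Insecure when an {@code AWS} principal exists and is a tuple or is not the {@code *} wildcard. */
        private static boolean isInsecurePrincipal(Tree tree) {
            return PropertyUtils.value(tree, "AWS", ExpressionTree.class)
                .filter(aws -> aws.is(TerraformTree.Kind.TUPLE) || TextUtils.isValue(aws, "*").isFalse())
                .isPresent();
        }

        /** Insecure unless the action is {@code *} or {@code s3:*}. */
        private static boolean isInsecureAction(Tree tree) {
            return TextUtils.isValue(tree, "*").isFalse() && TextUtils.isValue(tree, "s3:*").isFalse();
        }

        /** Insecure unless the effect is {@code Deny}. */
        private static boolean isInsecureEffect(Tree tree) {
            return TextUtils.isValue(tree, "Deny").isFalse();
        }

        /**
         * Insecure when {@code Condition.Bool.aws:SecureTransport} exists and is not {@code false},
         * i.e. the deny would hit HTTPS traffic rather than HTTP. A condition without a
         * {@code Bool} object, or without that key, is not flagged here.
         */
        private static boolean isInsecureCondition(Tree tree) {
            return PropertyUtils.value(tree, "Bool")
                .filter(ObjectTree.class::isInstance)
                .flatMap(bool -> PropertyUtils.value(bool, "aws:SecureTransport"))
                .filter(transport -> !TextUtils.isValueFalse(transport))
                .isPresent();
        }
    }

    public void initialize(InitContext initContext) {
        initContext.register(FileTree.class, (ctx, file) -> {
            BucketsAndPoliciesCollector collector = new BucketsAndPoliciesCollector();
            collector.scan(new TreeContext(), file);
            checkBucketsAndPolicies(ctx, bucketsToPolicies(collector.buckets, collector.policies));
        });
    }

    /**
     * Reports every bucket that has no policy, and delegates buckets with a policy to
     * {@link #checkBucketPolicy}.
     *
     * @param bucketToPolicy bucket blocks mapped to their policy, {@code null} meaning "no policy found"
     */
    private static void checkBucketsAndPolicies(CheckContext ctx, Map<BlockTree, Policy> bucketToPolicy) {
        bucketToPolicy.forEach((bucket, policy) -> {
            if (policy == null) {
                // Nothing restricts plain-HTTP access to this bucket at all.
                ctx.reportIssue(bucket.labels().get(0), MESSAGE);
            } else {
                checkBucketPolicy(ctx, bucket, policy);
            }
        });
    }

    /** Reports the bucket when its policy has at least one insecure part, each part as a secondary location. */
    private static void checkBucketPolicy(CheckContext ctx, BlockTree bucket, Policy policy) {
        Map<ExpressionTree, String> insecureValues = PolicyValidator.getInsecureValues(policy);
        if (insecureValues.isEmpty()) {
            return;
        }
        List<SecondaryLocation> secondaries = insecureValues.entrySet().stream()
            .filter(entry -> entry.getKey() != null)
            .map(entry -> new SecondaryLocation((HasTextRange) entry.getKey(), entry.getValue()))
            .collect(Collectors.toList());
        ctx.reportIssue(bucket.labels().get(0), MESSAGE, secondaries);
    }

    /**
     * Associates each bucket with the policy that applies to it.
     *
     * <p>An inline policy of the bucket wins (only the first one is considered). Otherwise the
     * first {@code aws_s3_bucket_policy} whose {@code bucket} attribute refers to this bucket, in
     * source order, supplies its first policy. Buckets without any policy map to {@code null}.
     *
     * @param buckets      S3 bucket resource blocks
     * @param policyBlocks {@code aws_s3_bucket_policy} resource blocks
     * @return bucket blocks mapped to their policy or {@code null}, in bucket source order
     */
    private static Map<BlockTree, Policy> bucketsToPolicies(List<BlockTree> buckets, List<BlockTree> policyBlocks) {
        // The "bucket" attribute expression of each policy block, keyed so that it can be matched
        // against a bucket below; insertion order makes the lookup deterministic.
        Map<Tree, BlockTree> policyBlockByBucketRef = new LinkedHashMap<>();
        for (BlockTree policyBlock : policyBlocks) {
            PropertyUtils.value(policyBlock, "bucket").ifPresent(ref -> policyBlockByBucketRef.put(ref, policyBlock));
        }
        Map<BlockTree, Policy> result = new LinkedHashMap<>();
        for (BlockTree bucket : buckets) {
            List<Policy> inlinePolicies = PolicyUtils.getPolicies(bucket);
            if (inlinePolicies.isEmpty()) {
                result.put(bucket, findAttachedPolicy(bucket, policyBlockByBucketRef));
            } else {
                result.put(bucket, inlinePolicies.get(0));
            }
        }
        return result;
    }

    /**
     * Finds the first policy of the first {@code aws_s3_bucket_policy} block referring to the bucket.
     *
     * @return the policy, or {@code null} when no referring block carries a policy
     */
    private static Policy findAttachedPolicy(BlockTree bucket, Map<Tree, BlockTree> policyBlockByBucketRef) {
        return policyBlockByBucketRef.entrySet().stream()
            .filter(entry -> correspondsToBucket(entry.getKey(), bucket))
            .map(Map.Entry::getValue)
            .flatMap(policyBlock -> PolicyUtils.getPolicies(policyBlock).stream())
            .findFirst()
            .orElse(null);
    }

    /**
     * Tells whether a {@code bucket} attribute value of an {@code aws_s3_bucket_policy} refers to
     * the given bucket block.
     *
     * @param tree      the {@code bucket} attribute expression of the policy resource
     * @param blockTree the S3 bucket resource block
     * @return {@code true} for a literal equal to the bucket's own {@code bucket} attribute, or for
     *         a reference of the form {@code <type>.<name>.<attr>} whose {@code <name>} equals the
     *         bucket block's second label; {@code false} for any other expression
     */
    public static boolean correspondsToBucket(Tree tree, BlockTree blockTree) {
        if (tree instanceof LiteralExprTree) {
            String bucketName = ((LiteralExprTree) tree).value();
            return PropertyUtils.value(blockTree, "bucket")
                .map(attr -> TextUtils.isValue(attr, bucketName).isTrue())
                .orElse(false);
        }
        if (tree instanceof AttributeAccessTree
            && ((AttributeAccessTree) tree).object() instanceof AttributeAccessTree
            && blockTree.labels().size() >= 2) {
            // e.g. aws_s3_bucket.<name>.id: the inner access names the resource, its attribute is <name>
            AttributeAccessTree resourceRef = (AttributeAccessTree) ((AttributeAccessTree) tree).object();
            return resourceRef.attribute().value().equals(blockTree.labels().get(1).value());
        }
        return false;
    }
}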
