package org.sonar.iac.terraform.checks.azure;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.extension.visitors.TreeContext;
import org.sonar.iac.common.extension.visitors.TreeVisitor;
import org.sonar.iac.terraform.api.tree.AttributeAccessTree;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.FileTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;

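/**
 * Rule S6375: reports Terraform {@code azuread_directory_role_member} resources that assign
 * an Azure AD directory role carrying elevated privileges.
 *
 * <p>Detection is a two-step walk over one file. A {@link HigherPrivilegedRoleCollector}
 * first records every {@code azuread_directory_role} resource whose {@code display_name} or
 * {@code template_id} matches {@link #HIGHER_PRIVILEGED_ROLE}, keyed by the resource's
 * reference label, and every {@code azuread_directory_role_member} whose
 * {@code role_object_id} is an attribute access ending in {@code .<label>.object_id}, keyed by
 * that label. {@link #checkAssignedRolePrivileges} then raises one issue on the role resource
 * for each label present in both maps, with the member's {@code role_object_id} attribute as
 * the secondary location.
 *
 * <p>This listing is decompiler (JADX) output: {@code mo0value()} is the decompiler's name for
 * the value accessor of {@link AttributeTree}, and the Groups Administrator template id below
 * has only seven characters in its first group (NOTE(review): looks truncated in the decompiled
 * constant — compare against the original source before relying on it).
 */
@Rule(key = "S6375")
public class HigherPrivilegedRoleAssignmentCheck implements IacCheck {
    /** Azure AD role template id -> role display name, for the roles treated as higher privileged. */
    private static final Map<String, String> HIGHER_PRIVILEGED_ROLE = Map.of(
        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "Application Administrator",
        "c4e39bd9-1100-46d3-8c65-fb160da0071f", "Authentication Administrator",
        "158c047a-c907-4556-b7ef-446551a6b5f7", "Cloud Application Administrator",
        "62e90394-69f5-4237-9190-012177145e10", "Global Administrator",
        "dd7a751-b60b-444a-984c-02652fe8fa1c", "Groups Administrator",
        "729827e3-9c14-49f7-bb1b-9608f156bbb8", "Helpdesk Administrator",
        "966707d0-3269-4727-9be2-8c3a10f19b9d", "Password Administrator",
        "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", "Privileged Authentication Administrator",
        "e8611ab8-c189-46e8-94e1-60213ab1f814", "Privileged Role Administrator",
        "fe930be7-5e62-47db-91af-98c3a49a38b1", "User Administrator");
    /** Primary issue message; the placeholder receives the role display name. */
    private static final String MESSAGE = "Make sure that assigning the %s role is safe here.";
    private static final String SECONDARY_MESSAGE = "Role assigned here.";

    /**
     * Per-file visitor that gathers the higher-privileged role resources and the role-member
     * resources referencing a role by label. Both maps keep the first occurrence of a label.
     */
    public static class HigherPrivilegedRoleCollector extends TreeVisitor<TreeContext> {
        // reference label of an azuread_directory_role -> its matching display_name / template_id attribute
        private final Map<String, AttributeTree> higherPrivilegedRoles = new HashMap<>();
        // label referenced from a role member's role_object_id -> that role_object_id attribute
        private final Map<String, AttributeTree> roleMember = new HashMap<>();

        public HigherPrivilegedRoleCollector() {
            register(BlockTree.class, (ctx, block) -> {
                // only labelled role resources can be referenced by a member, so unlabelled ones are skipped
                if (AbstractResourceCheck.isResource(block, "azuread_directory_role") && AbstractResourceCheck.hasReferenceLabel(block)) {
                    collectHigherPrivilegedRole(block);
                } else if (AbstractResourceCheck.isResource(block, "azuread_directory_role_member")) {
                    collectDirectoryRoleMember(block);
                }
            });
        }

        /**
         * Records {@code block} under its reference label when its {@code display_name} is one of
         * the listed role names or its {@code template_id} is one of the listed template ids.
         * {@code putIfAbsent} keeps the first match, so a matching {@code display_name} is the
         * attribute reported when both attributes match.
         *
         * @param block an {@code azuread_directory_role} resource that has a reference label
         */
        private void collectHigherPrivilegedRole(BlockTree block) {
            // safe to read up front: the caller has already checked hasReferenceLabel(block)
            String label = AbstractResourceCheck.getReferenceLabel(block);
            PropertyUtils.get(block, "display_name", AttributeTree.class)
                .filter(attr -> TextUtils.matchesValue(attr.mo0value(), HIGHER_PRIVILEGED_ROLE::containsValue).isTrue())
                .ifPresent(attr -> higherPrivilegedRoles.putIfAbsent(label, attr));
            PropertyUtils.get(block, "template_id", AttributeTree.class)
                .filter(attr -> TextUtils.matchesValue(attr.mo0value(), HIGHER_PRIVILEGED_ROLE::containsKey).isTrue())
                .ifPresent(attr -> higherPrivilegedRoles.putIfAbsent(label, attr));
        }

        /**
         * Records the {@code role_object_id} attribute of {@code block} when its value is an
         * attribute access of the form {@code <object>.<label>.object_id}, keyed by {@code label}.
         * Only the label is recorded, not the resource type in front of it, so the later lookup
         * matches on label alone — NOTE(review): a different resource type sharing a label with a
         * listed role would also match; confirm this is intended.
         *
         * @param block an {@code azuread_directory_role_member} resource
         */
        private void collectDirectoryRoleMember(BlockTree block) {
            PropertyUtils.get(block, "role_object_id", AttributeTree.class)
                .filter(attr -> attr.mo0value().is(TerraformTree.Kind.ATTRIBUTE_ACCESS))
                .filter(attr -> isObjectIdReference((AttributeAccessTree) attr.mo0value()))
                .ifPresent(attr -> roleMember.putIfAbsent(getObjectReferenceLabel((AttributeAccessTree) attr.mo0value()), attr));
        }

        /**
         * @return {@code true} when {@code access} reads the {@code object_id} attribute of another
         *     attribute access, i.e. has at least the shape {@code a.b.object_id}
         */
        public static boolean isObjectIdReference(AttributeAccessTree access) {
            return "object_id".equals(access.attribute().value()) && access.object() instanceof AttributeAccessTree;
        }

        /**
         * @param access an access accepted by {@link #isObjectIdReference}
         * @return the attribute name of the inner access, i.e. {@code b} for {@code a.b.object_id}
         */
        private static String getObjectReferenceLabel(AttributeAccessTree access) {
            return ((AttributeAccessTree) access.object()).attribute().value();
        }

        /** Scans {@code fileTree} with a fresh collector and returns it. */
        public static HigherPrivilegedRoleCollector collect(FileTree fileTree) {
            HigherPrivilegedRoleCollector collector = new HigherPrivilegedRoleCollector();
            collector.scan(new TreeContext(), fileTree);
            return collector;
        }
    }

    @Override
    public void initialize(InitContext initContext) {
        initContext.register(FileTree.class,
            (checkContext, fileTree) -> checkAssignedRolePrivileges(checkContext, HigherPrivilegedRoleCollector.collect(fileTree)));
    }

    /**
     * Reports, on each collected higher-privileged role, an issue for every role member whose
     * referenced label matches that role; the member's {@code role_object_id} attribute is the
     * secondary location.
     *
     * @param checkContext reporting sink
     * @param collector    result of {@link HigherPrivilegedRoleCollector#collect}
     */
    public static void checkAssignedRolePrivileges(CheckContext checkContext, HigherPrivilegedRoleCollector collector) {
        for (Map.Entry<String, AttributeTree> member : collector.roleMember.entrySet()) {
            AttributeTree role = collector.higherPrivilegedRoles.get(member.getKey());
            if (role == null) {
                continue;
            }
            checkContext.reportIssue(role, message(role.mo0value().value()),
                new SecondaryLocation((HasTextRange) member.getValue(), SECONDARY_MESSAGE));
        }
    }

    /**
     * @param roleValue the matched attribute value: a template id (mapped to its display name)
     *                  or a display name (used verbatim)
     */
    private static String message(String roleValue) {
        return String.format(MESSAGE, HIGHER_PRIVILEGED_ROLE.getOrDefault(roleValue, roleValue));
    }
}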
