package org.sonar.iac.terraform.checks.azure;

import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.IpRestrictedAdminAccessCheckUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.IpRestrictedAdminAccessCheck;

/* loaded from: input_file:org/sonar/iac/terraform/checks/azure/AzureIpRestrictedAdminAccessCheckPart.class */
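/**
 * Terraform (azurerm) part of the "IP-restricted admin access" rule.
 *
 * <p>Flags a network security rule that lets the whole Internet reach an
 * administration port: the rule must be {@code Inbound}, {@code Allow}, use
 * {@code Tcp} or {@code *}, have a destination port (range) containing an
 * SSH/RDP port, and a source prefix that matches everyone
 * ({@code *}, {@code 0.0.0.0/0} or {@code ::/0}).
 *
 * <p>Both standalone {@code azurerm_network_security_rule} resources and the
 * inline {@code security_rule} blocks of {@code azurerm_network_security_group}
 * are inspected with the same logic.
 *
 * <p>Limitations visible in the code: attribute values are compared as literal
 * strings, case-sensitively, so a rule whose value comes from a variable or an
 * expression that cannot be resolved to text is not flagged, and neither is a
 * rule written as {@code "tcp"}/{@code "inbound"}.
 *
 * <p>This listing was recovered from a decompiler; the helper references
 * ({@code r1}/{@code r2}) that did not compile have been restored to ordinary
 * method references, and lambda parameters that shadowed each other were
 * given distinct names. {@code mo0value()} appears to be a decompiler-renamed
 * accessor for the attribute's value expression and is kept as is.
 */
public class AzureIpRestrictedAdminAccessCheckPart extends AbstractResourceCheck {
    /** Source prefixes that mean "anyone": wildcard, IPv4 any, IPv6 any. */
    private static final Set<String> SENSITIVE_PREFIXES = Set.of("*", "0.0.0.0/0", "::/0");
    // NOTE(review): Azure also accepts the "Internet" service tag as a source prefix, which
    // is equivalent to any public address. It is deliberately NOT added here so the rule's
    // current results are unchanged — confirm with the rule owners whether it should be.

    private static final String MESSAGE = "Restrict IP addresses authorized to access administration services.";

    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void registerResourceChecks() {
        register(AzureIpRestrictedAdminAccessCheckPart::checkNetworkSecurityGroup, "azurerm_network_security_group");
        register(AzureIpRestrictedAdminAccessCheckPart::checkNetworkSecurityRule, "azurerm_network_security_rule");
    }

    /**
     * Applies the rule check to every inline {@code security_rule} block of a
     * network security group resource.
     *
     * @param checkContext context used to report issues
     * @param blockTree    the {@code azurerm_network_security_group} resource block
     */
    public static void checkNetworkSecurityGroup(CheckContext checkContext, BlockTree blockTree) {
        for (BlockTree rule : PropertyUtils.getAll(blockTree, "security_rule", BlockTree.class)) {
            checkNetworkSecurityRule(checkContext, rule);
        }
    }

    /**
     * Filters a single security rule down to the shape that can expose an admin
     * port: inbound, allow, TCP or any protocol. Only rules passing all three
     * literal checks are examined for ports and source prefixes.
     *
     * @param checkContext context used to report issues
     * @param blockTree    either an {@code azurerm_network_security_rule} resource
     *                     or an inline {@code security_rule} block
     */
    public static void checkNetworkSecurityRule(CheckContext checkContext, BlockTree blockTree) {
        // Comparisons are exact and case-sensitive; a missing attribute never matches.
        boolean inbound = hasAttributeWithMatchingValue(blockTree, "direction", "Inbound"::equals);
        if (!inbound) {
            return;
        }
        boolean allow = hasAttributeWithMatchingValue(blockTree, "access", "Allow"::equals);
        boolean tcpOrAny = hasAttributeWithMatchingValue(blockTree, "protocol",
            protocol -> "Tcp".equals(protocol) || "*".equals(protocol));
        if (allow && tcpOrAny) {
            checkSecurityRule(checkContext, blockTree);
        }
    }

    /**
     * Reports an issue when the rule both targets an SSH/RDP port and accepts
     * traffic from any source. The primary location is the source prefix (the
     * value to tighten); the port expression is attached as secondary location.
     *
     * <p>NOTE(review): the decompiled listing used one name for both lambda
     * parameters, so which expression was primary is not recoverable from it;
     * the assignment above is the natural one for the message and should be
     * confirmed against the upstream sources.
     */
    private static void checkSecurityRule(CheckContext checkContext, BlockTree blockTree) {
        sensitiveDestinationPortRange(blockTree).ifPresent(portRange ->
            sensitiveSourcePrefix(blockTree).ifPresent(sourcePrefix ->
                checkContext.reportIssue(sourcePrefix, MESSAGE,
                    new SecondaryLocation(portRange, IpRestrictedAdminAccessCheck.SECONDARY_MSG))));
    }

    /**
     * Finds a destination port expression that covers an SSH or RDP port, looking
     * first at the scalar {@code destination_port_range} and then at the elements
     * of the {@code destination_port_ranges} tuple.
     *
     * @return the first matching port expression, or empty if none
     */
    private static Optional<ExpressionTree> sensitiveDestinationPortRange(BlockTree blockTree) {
        Predicate<ExpressionTree> containsAdminPort = expression -> TextUtils.getValue(expression)
            .filter(IpRestrictedAdminAccessCheckUtils::rangeContainsSshOrRdpPort)
            .isPresent();
        return PropertyUtils.get(blockTree, "destination_port_range", AttributeTree.class)
            .map(AttributeTree::mo0value)
            .filter(containsAdminPort)
            .or(() -> expressionInAttributeTuple(blockTree, "destination_port_ranges", containsAdminPort));
    }

    /**
     * Finds a source prefix expression that means "any source", looking first at
     * the scalar {@code source_address_prefix} and then at the elements of the
     * {@code source_address_prefixes} tuple.
     *
     * @return the first matching prefix expression, or empty if none
     */
    private static Optional<ExpressionTree> sensitiveSourcePrefix(BlockTree blockTree) {
        Predicate<ExpressionTree> isAnySource = expression ->
            TextUtils.matchesValue(expression, SENSITIVE_PREFIXES::contains).isTrue();
        return PropertyUtils.get(blockTree, "source_address_prefix", AttributeTree.class)
            .map(AttributeTree::mo0value)
            .filter(isAnySource)
            .or(() -> expressionInAttributeTuple(blockTree, "source_address_prefixes", isAnySource));
    }

    /**
     * Returns the first element of the tuple-valued attribute {@code name} that
     * satisfies {@code predicate}. An attribute whose value is not a tuple literal
     * (for example a variable reference) yields empty.
     *
     * @param blockTree the block holding the attribute
     * @param name      attribute name
     * @param predicate test applied to each tuple element
     * @return the first matching element, or empty
     */
    public static Optional<ExpressionTree> expressionInAttributeTuple(BlockTree blockTree, String name, Predicate<ExpressionTree> predicate) {
        return PropertyUtils.get(blockTree, name, AttributeTree.class)
            .map(AttributeTree::mo0value)
            .filter(TupleTree.class::isInstance)
            .map(TupleTree.class::cast)
            .flatMap(tuple -> tuple.elements().trees().stream().filter(predicate).findFirst());
    }

    /**
     * True when the block has attribute {@code name} and its textual value
     * satisfies {@code predicate}; false when the attribute is absent or its
     * value is not a resolvable text literal.
     */
    private static boolean hasAttributeWithMatchingValue(BlockTree blockTree, String name, Predicate<String> predicate) {
        return PropertyUtils.get(blockTree, name, AttributeTree.class)
            .filter(attribute -> TextUtils.matchesValue(attribute.mo0value(), predicate).isTrue())
            .isPresent();
    }
}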
