package org.sonar.iac.terraform.checks;

import org.sonar.api.utils.Version;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.plugin.TerraformProviders;
import org.sonar.iac.terraform.symbols.AttributeSymbol;
import org.sonar.iac.terraform.symbols.BlockSymbol;

/**
 * Rule S6255: raises an issue on S3 bucket definitions whose versioning settings leave MFA delete
 * switched off, i.e. where objects could be deleted without a second factor.
 *
 * <p>Two Terraform resource types are inspected:
 * <ul>
 *   <li>the S3 bucket resource ({@code AbstractResourceCheck.S3_BUCKET}), through its
 *       {@code versioning} block;</li>
 *   <li>{@code aws_s3_bucket_versioning}, through its {@code versioning_configuration} block.</li>
 * </ul>
 *
 * <p>Every issue carries the enclosing resource as a secondary location labelled
 * {@code "Related bucket"}.
 */
public class DisabledMfaBucketDeletionCheck extends AbstractNewResourceCheck {
    private static final String MESSAGE = "Make sure allowing object deletion without MFA is safe here.";
    private static final String MESSAGE_SECONDARY = "Related bucket";
    // Provider version below which a missing mfa_delete on the bucket's own versioning block is reported.
    private static final Version AWS_V_4 = Version.create(4, 0);

    /**
     * Registers one consumer per resource type that can carry the MFA delete setting.
     */
    @Override
    protected void registerResourceConsumer() {
        register(AbstractResourceCheck.S3_BUCKET, bucket -> {
            BlockSymbol versioning = bucket.block("versioning");

            // An explicit `mfa_delete = false` is always reported, whatever the provider version.
            AttributeSymbol mfaDelete = (AttributeSymbol) versioning
                .attribute("mfa_delete")
                .reportIf(
                    ExpressionPredicate.isFalse(),
                    MESSAGE,
                    new SecondaryLocation[] {bucket.toSecondary(MESSAGE_SECONDARY)});

            // A missing attribute is only reported for AWS provider versions below 4.0, presumably
            // because later versions configure versioning through aws_s3_bucket_versioning.
            // NOTE(review): how hasVersionLowerThan() answers when no provider version is declared
            // is not visible here; confirm it matches the intended default.
            if (!bucket.provider(TerraformProviders.Provider.Identifier.AWS).hasVersionLowerThan(AWS_V_4)
                || !mfaDelete.isAbsent()) {
                return;
            }

            // The issue is placed on the versioning block itself, since there is no attribute to point at.
            // NOTE(review): what report() does when the versioning block is absent is decided by
            // BlockSymbol; verify that buckets without any versioning block are handled as intended.
            versioning.report(MESSAGE, new SecondaryLocation[] {bucket.toSecondary(MESSAGE_SECONDARY)});
        });

        register("aws_s3_bucket_versioning", versioningResource -> {
            SecondaryLocation related = versioningResource.toSecondary(MESSAGE_SECONDARY);
            BlockSymbol configuration = versioningResource.block("versioning_configuration");

            // Here the setting is a string: the literal "Disabled" is reported ...
            AttributeSymbol mfaDelete = (AttributeSymbol) configuration
                .attribute("mfa_delete")
                .reportIf(
                    ExpressionPredicate.equalTo("Disabled"),
                    MESSAGE,
                    new SecondaryLocation[] {related});

            // ... and so is leaving the attribute out altogether.
            mfaDelete.reportIfAbsent(MESSAGE, new SecondaryLocation[] {related});
        });
    }
}
