package org.sonar.iac.terraform.checks.azure;

import java.util.Optional;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.utils.PredicateUtils;

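/**
 * Terraform rule S6382: reports Azure resources whose configuration disables client
 * certificate authentication, or omits the attribute that would enable it.
 *
 * <p>Two kinds of finding are raised:
 * <ul>
 *   <li>{@code MESSAGE_WHEN_DISABLED} on an attribute whose value switches the feature off;</li>
 *   <li>{@code TEMPLATE_WHEN_MISSING} on the resource itself when the attribute is absent.</li>
 * </ul>
 *
 * <p>The helpers {@code register}, {@code reportOnFalse}, {@code reportSensitiveValue} and
 * {@code reportResource} are not declared in this class; they are presumably inherited through
 * {@link AbstractResourceCheck} (confirm their exact matching semantics there).
 *
 * <p>NOTE(review): every lookup is by literal attribute name. A resource type whose provider
 * schema spells the attribute differently would always take the "missing" branch, so the names
 * below should be verified against the provider versions being scanned.
 */
@Rule(key = "S6382")
/* loaded from: input_file:org/sonar/iac/terraform/checks/azure/CertificateBasedAuthenticationCheck.class */
public class CertificateBasedAuthenticationCheck extends AbstractResourceCheck {
    private static final String MESSAGE_WHEN_DISABLED = "Make sure that disabling certificate-based authentication is safe here.";
    private static final String TEMPLATE_WHEN_MISSING = "Omitting %s disables certificate-based authentication. Make sure it is safe here.";
    private static final String CLIENT_CERT_MODE = "client_cert_mode";
    private static final String CLIENT_CERT_ENABLED = "client_cert_enabled";
    private static final String CLIENT_CERTIFICATE_ENABLED = "client_certificate_enabled";

    // The second argument is the int 2, which is the value of java.util.regex.Pattern.CASE_INSENSITIVE;
    // presumably it is passed through as regex flags (confirm in PredicateUtils).
    private static final Predicate<String> CONSUMPTION_PATTERN = PredicateUtils.exactMatchStringPredicate("Consumption_[0-9]+", 2);

    /**
     * Builds the "attribute omitted" message for the given attribute name.
     *
     * @param attributeName name of the attribute that is absent from the resource
     * @return {@code TEMPLATE_WHEN_MISSING} with the name substituted
     */
    private static String messageWhenMissing(String attributeName) {
        return String.format(TEMPLATE_WHEN_MISSING, attributeName);
    }

    /** Binds each supported Azure resource type to the check that inspects it. */
    @Override
    protected void registerResourceChecks() {
        register(CertificateBasedAuthenticationCheck::checkAppService, "azurerm_app_service");
        register(CertificateBasedAuthenticationCheck::checkApps, "azurerm_function_app", "azurerm_logic_app_standard");
        register(CertificateBasedAuthenticationCheck::checkWebApps, "azurerm_linux_web_app", "azurerm_windows_web_app");
        register(CertificateBasedAuthenticationCheck::checkApiManagement, "azurerm_api_management");
        register(CertificateBasedAuthenticationCheck::checkLinkedServices, "azurerm_data_factory_linked_service_sftp", "azurerm_data_factory_linked_service_web");
    }

    /**
     * App Service: {@code client_cert_enabled} is handed to {@code reportOnFalse} when present;
     * when it is absent the resource is reported with the "omitted" message.
     */
    private static void checkAppService(CheckContext ctx, BlockTree resource) {
        PropertyUtils.get(resource, CLIENT_CERT_ENABLED, AttributeTree.class).ifPresentOrElse(
            attribute -> reportOnFalse(ctx, attribute, MESSAGE_WHEN_DISABLED, new SecondaryLocation[0]),
            () -> reportResource(ctx, resource, messageWhenMissing(CLIENT_CERT_ENABLED)));
    }

    /**
     * Function / Logic apps: {@code client_cert_mode} is handed to {@code reportSensitiveValue}
     * with the sensitive value {@code "Optional"}; an absent attribute is reported on the resource.
     *
     * <p>NOTE(review): only {@code "Optional"} is passed as the sensitive value. If the helper
     * compares exactly, any other mode that does not make the certificate mandatory (some
     * provider schemas accept e.g. {@code OptionalInteractiveUser}) would not be flagged — confirm.
     */
    private static void checkApps(CheckContext ctx, BlockTree resource) {
        PropertyUtils.get(resource, CLIENT_CERT_MODE, AttributeTree.class).ifPresentOrElse(
            attribute -> reportSensitiveValue(ctx, attribute, "Optional", MESSAGE_WHEN_DISABLED, new SecondaryLocation[0]),
            () -> reportResource(ctx, resource, messageWhenMissing(CLIENT_CERT_MODE)));
    }

    /**
     * Linux / Windows web apps: both the enabling flag and the mode are inspected.
     *
     * <ol>
     *   <li>{@code client_cert_enabled} absent: the resource is reported.</li>
     *   <li>{@code client_cert_enabled} recognised as false: the attribute is reported.</li>
     *   <li>otherwise: {@code client_cert_mode} is checked exactly as in {@link #checkApps}.</li>
     * </ol>
     */
    private static void checkWebApps(CheckContext ctx, BlockTree resource) {
        Optional<AttributeTree> enabled = PropertyUtils.get(resource, CLIENT_CERT_ENABLED, AttributeTree.class);
        if (enabled.isEmpty()) {
            reportResource(ctx, resource, messageWhenMissing(CLIENT_CERT_ENABLED));
            return;
        }
        AttributeTree enabledAttribute = enabled.get();
        // mo0value() is the accessor name as it appears in this decompiled listing; the original
        // source name is likely value() — confirm before compiling against the real API.
        if (TextUtils.isValueFalse(enabledAttribute.mo0value())) {
            ctx.reportIssue(enabledAttribute, MESSAGE_WHEN_DISABLED);
            return;
        }
        // Anything isValueFalse does not recognise as false lands here, so the mode attribute
        // still has to be validated; the logic is the same as for function / logic apps.
        checkApps(ctx, resource);
    }

    /**
     * API Management: {@code client_certificate_enabled} is inspected only when {@code sku_name}
     * is present and matches {@code CONSUMPTION_PATTERN}. Resources with any other SKU, with no
     * {@code sku_name}, or with a value {@code TextUtils.matchesValue} cannot positively match,
     * are skipped without a finding.
     */
    private static void checkApiManagement(CheckContext ctx, BlockTree resource) {
        boolean consumptionSku = PropertyUtils.value(resource, "sku_name")
            .filter(sku -> TextUtils.matchesValue(sku, CONSUMPTION_PATTERN).isTrue())
            .isPresent();
        if (!consumptionSku) {
            return;
        }
        PropertyUtils.get(resource, CLIENT_CERTIFICATE_ENABLED, AttributeTree.class).ifPresentOrElse(
            attribute -> reportOnFalse(ctx, attribute, MESSAGE_WHEN_DISABLED, new SecondaryLocation[0]),
            () -> reportResource(ctx, resource, messageWhenMissing(CLIENT_CERTIFICATE_ENABLED)));
    }

    /**
     * Data Factory linked services (SFTP, Web): {@code authentication_type} is handed to
     * {@code reportSensitiveValue} with the sensitive value {@code "Basic"}.
     *
     * <p>Unlike the other checks, an absent {@code authentication_type} produces no finding.
     */
    private static void checkLinkedServices(CheckContext ctx, BlockTree resource) {
        PropertyUtils.get(resource, "authentication_type", AttributeTree.class).ifPresent(
            attribute -> reportSensitiveValue(ctx, attribute, "Basic", MESSAGE_WHEN_DISABLED, new SecondaryLocation[0]));
    }
}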
