package org.sonar.iac.terraform.checks.azure;

import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.azure.helper.RoleScopeHelper;
import org.sonar.iac.terraform.checks.utils.PredicateUtils;

/**
 * Rule S6387: raises an issue on {@code azurerm_role_assignment} resources whose {@code scope}
 * attribute matches one of the subscription or management-group scope patterns declared in
 * {@link RoleScopeHelper}. Such scopes cover every resource beneath them, so the issue asks the
 * author to confirm that a grant this broad is intended rather than a narrower scope.
 *
 * <p>Only the {@code scope} attribute is inspected; resources without it are ignored. The
 * subscription patterns are tested first, so a value matching both families is reported once,
 * with the subscription message.
 */
@Rule(key = "S6387")
public class SubscriptionRoleAssignmentCheck extends AbstractResourceCheck {
    /** Issue text when the scope resolves to a whole subscription. */
    private static final String SUBSCRIPTION_MESSAGE = "Make sure assigning this role with a Subscription scope is safe here.";
    /** Issue text when the scope resolves to a whole management group. */
    private static final String MANAGEMENT_GROUP_MESSAGE = "Make sure assigning this role with a Management Group scope is safe here.";

    // Exact-match predicates built once from the helper's patterns: one pair for scopes written
    // as a reference (e.g. to a data source) and one pair for plain string scopes. The exact
    // shape of each pattern lives in RoleScopeHelper and is not visible here.
    private static final Predicate<String> REFERENCE_SUBSCRIPTION_SCOPE_PREDICATE =
        PredicateUtils.exactMatchStringPredicate(RoleScopeHelper.REFERENCE_SUBSCRIPTION_SCOPE_PATTERN);
    private static final Predicate<String> PLAIN_SUBSCRIPTION_SCOPE_PREDICATE =
        PredicateUtils.exactMatchStringPredicate(RoleScopeHelper.PLAIN_SUBSCRIPTION_SCOPE_PATTERN);
    private static final Predicate<String> REFERENCE_MANAGEMENT_GROUP_SCOPE_PREDICATE =
        PredicateUtils.exactMatchStringPredicate(RoleScopeHelper.REFERENCE_MANAGEMENT_GROUP_SCOPE_PATTERN);
    private static final Predicate<String> PLAIN_MANAGEMENT_GROUP_SCOPE_PREDICATE =
        PredicateUtils.exactMatchStringPredicate(RoleScopeHelper.PLAIN_MANAGEMENT_GROUP_SCOPE_PATTERN);

    /** Hooks the role-assignment inspection onto the single resource type this rule covers. */
    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void registerResourceChecks() {
        register(SubscriptionRoleAssignmentCheck::checkRoleAssignment, "azurerm_role_assignment");
    }

    /**
     * Inspects one {@code azurerm_role_assignment} block.
     *
     * @param checkContext sink for reported issues
     * @param blockTree    the resource block under analysis
     */
    private static void checkRoleAssignment(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "scope", AttributeTree.class)
            .ifPresent(scope -> reportSensitiveScope(checkContext, scope));
    }

    /**
     * Reports the scope attribute when it matches a subscription pattern, otherwise when it matches
     * a management-group pattern; a value matching neither is left alone.
     *
     * @param checkContext sink for reported issues
     * @param scope        the {@code scope} attribute of the assignment
     */
    private static void reportSensitiveScope(CheckContext checkContext, AttributeTree scope) {
        // Subscription takes precedence: the first matching family wins and only one issue is raised.
        if (RoleScopeHelper.isSensitiveScope(scope.mo0value(), REFERENCE_SUBSCRIPTION_SCOPE_PREDICATE, PLAIN_SUBSCRIPTION_SCOPE_PREDICATE)) {
            checkContext.reportIssue(scope, SUBSCRIPTION_MESSAGE);
            return;
        }
        if (RoleScopeHelper.isSensitiveScope(scope.mo0value(), REFERENCE_MANAGEMENT_GROUP_SCOPE_PREDICATE, PLAIN_MANAGEMENT_GROUP_SCOPE_PREDICATE)) {
            checkContext.reportIssue(scope, MANAGEMENT_GROUP_MESSAGE);
        }
    }
}
