package org.sonar.iac.terraform.checks.gcp;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.FileTree;
import org.sonar.iac.terraform.api.tree.StatementTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.symbols.AttributeSymbol;
import org.sonar.iac.terraform.symbols.BlockSymbol;
import org.sonar.iac.terraform.symbols.ReferenceSymbol;
import org.sonar.iac.terraform.symbols.ResourceSymbol;

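/**
 * Rule S6404: flags Terraform resources that grant public access on GCP.
 *
 * <p>What is reported (see {@link #registerResourceConsumer()}):
 * <ul>
 *   <li>{@code google_<resource>_iam_binding} / {@code _iam_member} / {@code _iam_policy} whose
 *       members include the "everyone" principals {@code allUsers} or {@code allAuthenticatedUsers};</li>
 *   <li>Cloud Storage ACL / access-control resources and {@code google_bigquery_dataset_access}
 *       entries naming those special groups;</li>
 *   <li>{@code google_dns_managed_zone} with {@code visibility = "public"} or no visibility at all
 *       (the provider default is public);</li>
 *   <li>{@code google_container_cluster} whose control plane or nodes are not private.</li>
 * </ul>
 *
 * <p>Limitations visible in this implementation, worth knowing when triaging results:
 * <ul>
 *   <li>{@code policy_data} of an {@code *_iam_policy} resource is resolved only against the
 *       {@code data "google_iam_policy"} blocks of the <em>same file</em> (collected in
 *       {@link #collectPolicyData}); a policy document defined in another file of the module is not
 *       followed, so such public bindings are missed.</li>
 *   <li>Member matching is a substring match on {@code all(Authenticated)?Users}, so any member
 *       string containing that text is flagged, including interpolations.</li>
 * </ul>
 */
@Rule(key = "S6404")
public class PublicAccessCheck extends AbstractNewResourceCheck {
    private static final String MESSAGE = "Ensure that granting public access to this resource is safe here.";
    private static final String SECONDARY_MESSAGE = "Excessive granting of permissions.";
    private static final String OMITTING_DNS = "Omitting %s will grant public access to this managed zone. Ensure it is safe here.";
    private static final String OMITTING_KUBERNETES = "Omitting %s grants public access to parts of this cluster. Make sure it is safe here.";
    private static final String MESSAGE_KUBERNETES = "Ensure that granting public access is safe here.";
    private static final String GCP_RESOURCE_PREFIX = "google_";

    /**
     * Resource families that expose {@code _iam_binding}, {@code _iam_member} and {@code _iam_policy}
     * companions (without the {@code google_} prefix). Combined by {@link #iamResourceNameList}.
     */
    private static final List<String> IAM_RESOURCES = List.of(
        "apigee_environment", "api_gateway_api_config", "api_gateway_api", "api_gateway_gateway",
        "artifact_registry_repository", "bigquery_dataset", "bigquery_table", "bigtable_instance",
        "bigtable_table", "billing_account", "binary_authorization_attestor", "cloudfunctions_function",
        "cloud_run_service", "compute_disk", "compute_image", "compute_instance", "compute_machine_image",
        "compute_region_disk", "compute_subnetwork", "dataproc_cluster", "dataproc_job",
        "data_catalog_entry_group", "data_catalog_policy_tag", "data_catalog_tag_template",
        "data_catalog_taxonomy", "endpoints_service", "kms_crypto_key", "kms_key_ring",
        "healthcare_consent_store", "healthcare_dataset", "healthcare_dicom_store", "healthcare_fhir_store",
        "healthcare_hl7_v2_store", "iap_app_engine_service", "iap_app_engine_version", "iap_tunnel",
        "iap_tunnel_instance", "iap_web_backend_service", "iap_web", "iap_web_type_app_engine",
        "iap_web_type_compute", "notebooks_instance", "notebooks_runtime", "privateca_ca_pool",
        "pubsub_subscription", "pubsub_topic", "runtimeconfig_config", "secret_manager_secret",
        "service_directory_namespace", "service_directory_service", "sourcerepo_repository",
        "spanner_database", "spanner_instance", "storage_bucket", "tags_tag_key", "tags_tag_value",
        "project", "organization", "service_account", "folder");

    /**
     * Matches an IAM member that is one of the two public principals, {@code allUsers} (anyone on the
     * internet) or {@code allAuthenticatedUsers} (anyone with a Google account). Anchored with
     * {@code .*} on both sides so it also matches when the principal appears inside a longer string.
     */
    private static final String CONTAINS_SENSITIVE_MEMBER = ".*all(Authenticated)?Users.*";

    /**
     * Per-file index of {@code data "google_iam_policy"} blocks, keyed by the Terraform reference
     * a resource uses to consume them ({@code data.google_iam_policy.<name>.policy_data}).
     * Rebuilt from scratch for every {@link FileTree} visited.
     */
    private Map<String, BlockSymbol> policyDataCollection = new HashMap<>();

    /**
     * Registers the file-level visitor that indexes IAM policy data blocks before the resource
     * consumers of the parent class run, so {@code policy_data} references can be resolved.
     */
    @Override
    public void initialize(InitContext initContext) {
        initContext.register(FileTree.class, this::collectPolicyData);
        super.initialize(initContext);
    }

    /**
     * Indexes every top-level {@code data "google_iam_policy" "<name>"} block of {@code fileTree} under
     * the key {@code data.google_iam_policy.<name>.policy_data}.
     *
     * <p>Duplicate names keep the first block seen. Terraform itself rejects duplicate data-source
     * names, but an analyzer must not abort the whole file on invalid input (the previous
     * {@code Collectors.toMap} version threw {@code IllegalStateException} in that case).
     */
    private void collectPolicyData(CheckContext checkContext, FileTree fileTree) {
        Map<String, BlockSymbol> byReference = new HashMap<>();
        for (StatementTree statement : fileTree.properties()) {
            if (!isPolicyDataBlock(statement)) {
                continue;
            }
            BlockTree block = (BlockTree) statement;
            // getName() is non-null here: isPolicyDataBlock() already checked it.
            String reference = String.format("data.google_iam_policy.%s.policy_data", getName(block));
            byReference.putIfAbsent(reference, ResourceSymbol.fromPresent(checkContext, block));
        }
        this.policyDataCollection = byReference;
    }

    /** Wires one consumer per family of GCP resources that can grant public access. */
    @Override
    protected void registerResourceConsumer() {
        // IAM bindings: "members" is a list of principals.
        register(iamResourceNameList("_iam_binding"), binding ->
            binding.list("members").reportItemIf(ExpressionPredicate.matchesPattern(CONTAINS_SENSITIVE_MEMBER), MESSAGE));

        // IAM members: a single "member" principal.
        register(iamResourceNameList("_iam_member"), member ->
            member.attribute("member").reportIf(ExpressionPredicate.matchesPattern(CONTAINS_SENSITIVE_MEMBER), MESSAGE));

        // Cloud Storage object ACL entries: "entity" is the grantee (exact match, no surrounding text).
        register(List.of("google_storage_default_object_access_control", "google_storage_object_access_control"), acl ->
            acl.attribute("entity").reportIf(ExpressionPredicate.matchesPattern("all(Authenticated)?Users"), MESSAGE));

        // BigQuery dataset access: "special_group" can name the public groups.
        register("google_bigquery_dataset_access", access ->
            access.attribute("special_group").reportIf(ExpressionPredicate.matchesPattern("all(Authenticated)?Users"), MESSAGE));

        // Cloud Storage ACLs: "role_entity" items are "ROLE:ENTITY" pairs; only the entity part matters.
        register(List.of("google_storage_bucket_acl", "google_storage_default_object_acl", "google_storage_object_acl"), acl ->
            acl.list("role_entity").reportItemIf(ExpressionPredicate.matchesPattern(".*:all(Authenticated)?Users"), MESSAGE));

        // Cloud DNS: an explicit "public" visibility, or none at all, makes the zone publicly resolvable.
        register("google_dns_managed_zone", zone -> {
            AttributeSymbol visibility = zone.attribute("visibility");
            visibility.reportIf(ExpressionPredicate.equalTo("public"), MESSAGE);
            visibility.reportIfAbsent(OMITTING_DNS);
        });

        register("google_container_cluster", this::checkClusterPrivacy);

        // IAM policies: the principals live in the referenced data "google_iam_policy" document.
        register(iamResourceNameList("_iam_policy"), this::checkPolicyDataMembers);
    }

    /**
     * GKE: a cluster is only fully private when {@code private_cluster_config} sets both
     * {@code enable_private_nodes} (no public node IPs) and {@code enable_private_endpoint}
     * (no public control-plane endpoint) to true. Reports:
     * <ul>
     *   <li>the resource when the block is missing;</li>
     *   <li>the block when both flags are omitted;</li>
     *   <li>one issue with a secondary location when both flags are explicitly false;</li>
     *   <li>otherwise each flag individually when it is false or omitted.</li>
     * </ul>
     */
    private void checkClusterPrivacy(ResourceSymbol cluster) {
        BlockSymbol privateConfig = cluster.block("private_cluster_config");
        privateConfig.reportIfAbsent(OMITTING_KUBERNETES);

        AttributeSymbol privateNodes = privateConfig.attribute("enable_private_nodes");
        AttributeSymbol privateEndpoint = privateConfig.attribute("enable_private_endpoint");

        if (privateNodes.isAbsent() && privateEndpoint.isAbsent()) {
            privateConfig.report(String.format(OMITTING_KUBERNETES, "enable_private_nodes and enable_private_endpoint"));
        } else if (privateNodes.is(ExpressionPredicate.isFalse()) && privateEndpoint.is(ExpressionPredicate.isFalse())) {
            privateNodes.report(MESSAGE_KUBERNETES, privateEndpoint.toSecondary(MESSAGE_KUBERNETES));
        } else {
            Stream.of(privateNodes, privateEndpoint).forEach(flag -> {
                flag.reportIf(ExpressionPredicate.isFalse(), MESSAGE_KUBERNETES);
                flag.reportIfAbsent(OMITTING_KUBERNETES);
            });
        }
    }

    /**
     * Resolves {@code policy_data} against the same-file {@code data "google_iam_policy"} index and
     * reports the reference once, with every public member of every {@code binding} as a secondary
     * location. Nothing is reported when the reference cannot be resolved or no binding is public.
     */
    private void checkPolicyDataMembers(ResourceSymbol policy) {
        ReferenceSymbol policyData = policy.reference("policy_data");
        List<SecondaryLocation> publicMembers = new ArrayList<>();
        policyData.resolve(this.policyDataCollection).blocks("binding").forEach(binding ->
            binding.list("members")
                .getItemIf(ExpressionPredicate.matchesPattern(CONTAINS_SENSITIVE_MEMBER))
                .forEach(member -> publicMembers.add(new SecondaryLocation(member, SECONDARY_MESSAGE))));
        if (!publicMembers.isEmpty()) {
            policyData.report(MESSAGE, publicMembers);
        }
    }

    /** Expands {@link #IAM_RESOURCES} into full resource type names, e.g. {@code google_storage_bucket_iam_member}. */
    private static List<String> iamResourceNameList(String suffix) {
        return IAM_RESOURCES.stream()
            .map(base -> GCP_RESOURCE_PREFIX + base + suffix)
            .collect(Collectors.toList());
    }

    /** True for a named {@code data "google_iam_policy" "<name>"} block. */
    private static boolean isPolicyDataBlock(StatementTree statementTree) {
        return statementTree.is(TerraformTree.Kind.BLOCK)
            && isDataOfType((BlockTree) statementTree, "google_iam_policy")
            && getName((BlockTree) statementTree) != null;
    }

    /**
     * The second label of a block ({@code data "<type>" "<name>"} -> {@code <name>}), or null when the
     * block has fewer than two labels.
     */
    @CheckForNull
    private static String getName(BlockTree blockTree) {
        List<? extends TerraformTree> labels = blockTree.labels();
        return labels.size() >= 2 ? blockTree.labels().get(1).value() : null;
    }
}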
