package org.sonar.iac.terraform.checks.gcp;

import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.IpRestrictedAdminAccessCheckUtils;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.IpRestrictedAdminAccessCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.symbols.ResourceSymbol;

/* loaded from: input_file:org/sonar/iac/terraform/checks/gcp/GcpIpRestrictedAdminAccessCheckPart.class */
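/**
 * GCP part of the "IP-restricted admin access" rule: flags {@code google_compute_firewall}
 * resources that let the whole Internet reach SSH (22) or RDP (3389) over TCP.
 *
 * <p>A finding is raised on each {@code source_ranges} item that is an "any address" CIDR,
 * with the offending {@code allow.ports} entries attached as secondary locations.
 */
public class GcpIpRestrictedAdminAccessCheckPart extends AbstractNewResourceCheck {

    private static final String MESSAGE = "Restrict IP addresses authorized to access administration services.";

    /**
     * CIDR strings meaning "every source": the IPv4 default route and the common spellings of
     * the IPv6 unspecified range. Matching is by exact string equality, so non-canonical
     * spellings (e.g. surrounding whitespace) are not recognised here unless
     * {@link TextUtils#matchesValue} normalises them — NOTE(review): not verified from this file.
     */
    private static final Set<String> SENSITIVE_PREFIXES = Set.of("0.0.0.0/0", "::/0", "0::0/0", "::0/0");

    /** True when a {@code ports} item is a single port or a range covering SSH or RDP. */
    private static final Predicate<ExpressionTree> RANGE_CONTAINS_SENSITIVE_PORTS =
        tree -> TextUtils.matchesValue(tree, IpRestrictedAdminAccessCheckUtils::rangeContainsSshOrRdpPort).isTrue();

    /**
     * True when a {@code source_ranges} item is one of {@link #SENSITIVE_PREFIXES}.
     * (The decompiled listing referenced an undefined {@code r1} here; this is the bound
     * method reference the bytecode corresponds to.)
     */
    private static final Predicate<ExpressionTree> SENSITIVE_IP_RANGE =
        tree -> TextUtils.matchesValue(tree, SENSITIVE_PREFIXES::contains).isTrue();

    @Override // org.sonar.iac.terraform.checks.AbstractNewResourceCheck
    protected void registerResourceConsumer() {
        register(List.of("google_compute_firewall"), this::checkFirewall);
    }

    /**
     * Inspects one {@code google_compute_firewall} resource.
     *
     * @param firewall the resource symbol under analysis
     */
    private void checkFirewall(ResourceSymbol firewall) {
        if (isOutOfScope(firewall)) {
            return;
        }

        // Every `allow { protocol = "tcp"; ports = [...] }` entry that opens SSH or RDP.
        // Protocol comparison is whatever ExpressionPredicate.equalTo does; if it is
        // case-sensitive, "TCP" would be missed — NOTE(review): confirm against the helper.
        SecondaryLocation[] adminPorts = firewall.blocks("allow")
            .filter(allow -> allow.attribute("protocol").is(ExpressionPredicate.equalTo("tcp")))
            .flatMap(allow -> allow.list("ports").getItemIf(RANGE_CONTAINS_SENSITIVE_PORTS))
            .map(port -> new SecondaryLocation(port, IpRestrictedAdminAccessCheck.SECONDARY_MSG))
            .toArray(SecondaryLocation[]::new);

        // Only worth reporting an open source range if an admin port is actually exposed.
        if (adminPorts.length > 0) {
            firewall.list("source_ranges").reportItemIf(SENSITIVE_IP_RANGE, MESSAGE, adminPorts);
        }
    }

    /**
     * Rules the check does not look at: explicit egress rules, disabled rules, and rules that
     * declare {@code source_tags}. A rule without an explicit {@code direction} is still checked
     * (only a literal {@code "EGRESS"} is skipped), which presumably mirrors the provider's
     * ingress default.
     *
     * <p>NOTE(review): skipping on the mere presence of {@code source_tags} is an intentional
     * false-negative trade-off. On GCP a rule that sets both {@code source_ranges} and
     * {@code source_tags} admits traffic matching <em>either</em>, so a {@code 0.0.0.0/0}
     * range next to a tag is still world-open; {@code source_service_accounts} is not
     * considered at all. Confirm whether that is the intended rule scope.
     */
    private static boolean isOutOfScope(ResourceSymbol firewall) {
        return firewall.attribute("direction").is(ExpressionPredicate.equalTo("EGRESS"))
            || firewall.attribute("source_tags").isPresent()
            || firewall.attribute("disabled").is(ExpressionPredicate.isTrue());
    }
}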
