package org.sonar.iac.terraform.checks.aws;

import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.sonar.api.utils.Version;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.LiteralExprTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.DisabledLoggingCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.plugin.TerraformProviders;
import org.sonar.iac.terraform.symbols.AttributeSymbol;
import org.sonar.iac.terraform.symbols.BlockSymbol;
import org.sonar.iac.terraform.symbols.ListSymbol;

/* loaded from: input_file:org/sonar/iac/terraform/checks/aws/AwsDisabledLoggingCheckPart.class */
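/**
 * AWS part of the "disabled logging" Terraform rule.
 *
 * <p>Each consumer registered here inspects one AWS resource type and raises
 * {@link DisabledLoggingCheck#MESSAGE} when a logging switch is explicitly turned off, or
 * {@link DisabledLoggingCheck#MESSAGE_OMITTING} when the logging configuration is missing.
 *
 * <p>Values that cannot be read statically are generally not reported (see the individual
 * consumers). A clean result therefore means "no statically visible gap", not "logging is on".
 */
public class AwsDisabledLoggingCheckPart extends AbstractNewResourceCheck {
    private static final Version AWS_V_4 = Version.create(4, 0);

    /** Shared empty array: none of the issues raised by this part carries secondary locations. */
    private static final SecondaryLocation[] NO_SECONDARY_LOCATIONS = new SecondaryLocation[0];

    /** Registers one consumer per AWS resource type whose logging configuration is checked. */
    @Override
    protected void registerResourceConsumer() {
        // S3: only evaluated for AWS provider versions below 4.0.
        // NOTE(review): presumably because newer providers declare bucket logging through a
        // separate resource that this part does not look at; confirm that case is covered elsewhere.
        register(AbstractResourceCheck.S3_BUCKET, resource -> {
            BlockTree bucket = (BlockTree) resource.tree;
            boolean legacyProvider = resource.provider(TerraformProviders.Provider.Identifier.AWS).hasVersionLowerThan(AWS_V_4);
            if (legacyProvider && !isMaybeLoggingBucket(bucket) && PropertyUtils.isMissing(bucket, "logging")) {
                resource.report(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging or acl=\"log-delivery-write\""),
                    NO_SECONDARY_LOCATIONS);
            }
        });

        // API Gateway (v1) stage: tracing must be present and must not be false.
        register("aws_api_gateway_stage", resource -> {
            AttributeSymbol tracing = (AttributeSymbol) resource.attribute("xray_tracing_enabled")
                .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            tracing.reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);
        });

        // API Gateway v1 and v2 stages: an access_log_settings block must exist.
        register(Set.of("aws_apigatewayv2_stage", "aws_api_gateway_stage"), resource ->
            resource.block("access_log_settings")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS));

        // MSK: logging_info.broker_logs must exist and at least one of its sinks must be usable.
        register("aws_msk_cluster", resource -> {
            BlockSymbol loggingInfo = (BlockSymbol) resource.block("logging_info")
                .reportIfAbsent(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging_info.broker_logs"),
                    NO_SECONDARY_LOCATIONS);
            BlockSymbol brokerLogs = (BlockSymbol) loggingInfo.block("broker_logs")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);

            // Among the sink blocks that are present, look for one whose "enabled" attribute
            // satisfies the negation of isFalse(); report when there is none.
            boolean noUsableSink = Stream.of("cloudwatch_logs", "firehose", "s3")
                .map(brokerLogs::block)
                .filter(BlockSymbol::isPresent)
                .map(sink -> sink.attribute("enabled"))
                .noneMatch(enabled -> enabled.is(ExpressionPredicate.isFalse().negate()));
            if (noUsableSink) {
                brokerLogs.report(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "cloudwatch_logs, firehose or s3"),
                    NO_SECONDARY_LOCATIONS);
            }
        });

        // Neptune: the export list must be present and non-empty.
        register("aws_neptune_cluster", resource -> {
            ListSymbol exports = (ListSymbol) resource.list("enable_cloudwatch_logs_exports")
                .reportIfEmpty(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            exports.reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);
        });

        // DocumentDB: the export list must be present and must contain "audit".
        // A list given by reference is not reported, so its content is never verified here.
        register("aws_docdb_cluster", resource -> {
            ListSymbol exports = resource.list("enabled_cloudwatch_logs_exports")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);
            boolean auditMissing = !exports.isByReference()
                && exports.getItemIf(ExpressionPredicate.equalTo("audit")).findAny().isEmpty();
            if (auditMissing) {
                exports.report(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            }
        });

        // Amazon MQ: reported when neither audit nor general logging is declared, or when
        // both are explicitly false. One of the two being enabled is enough to pass.
        register("aws_mq_broker", resource -> {
            BlockSymbol logs = (BlockSymbol) resource.block("logs")
                .reportIfAbsent(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logs.audit or logs.general"),
                    NO_SECONDARY_LOCATIONS);
            AttributeSymbol audit = logs.attribute("audit");
            AttributeSymbol general = logs.attribute("general");
            boolean bothAbsent = audit.isAbsent() && general.isAbsent();
            if (bothAbsent || (audit.is(ExpressionPredicate.isFalse()) && general.is(ExpressionPredicate.isFalse()))) {
                logs.report(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            }
        });

        // Redshift: logging.enable must be present and must not be false.
        register("aws_redshift_cluster", resource -> {
            BlockSymbol logging = (BlockSymbol) resource.block("logging")
                .reportIfAbsent(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging.enable"),
                    NO_SECONDARY_LOCATIONS);
            AttributeSymbol enable = (AttributeSymbol) logging.attribute("enable")
                .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            enable.reportIfAbsent(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
        });

        // Global Accelerator: attributes.flow_logs_enabled must be present and must not be false.
        register("aws_globalaccelerator_accelerator", resource -> {
            BlockSymbol attributes = (BlockSymbol) resource.block("attributes")
                .reportIfAbsent(
                    String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "attributes.flow_logs_enabled"),
                    NO_SECONDARY_LOCATIONS);
            AttributeSymbol flowLogs = (AttributeSymbol) attributes.attribute("flow_logs_enabled")
                .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            flowLogs.reportIfAbsent(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
        });

        // Elasticsearch: only the first log_publishing_options block accepted by the AUDIT_LOGS
        // filter is examined; other log types do not satisfy the rule.
        register("aws_elasticsearch_domain", resource ->
            resource.blocks("log_publishing_options")
                .filter(options -> options.attribute("log_type").is(ExpressionPredicate.notEqualTo("AUDIT_LOGS").negate()))
                .findFirst()
                .ifPresentOrElse(
                    auditOptions -> auditOptions.attribute("enabled")
                        .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS),
                    () -> resource.report(
                        String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "log_publishing_options of type \"AUDIT_LOGS\""),
                        NO_SECONDARY_LOCATIONS)));

        // CloudFront: a logging_config block must exist.
        register("aws_cloudfront_distribution", resource ->
            resource.block("logging_config")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS));

        // Application/Network load balancer: access_logs.enabled must be present and not false.
        register("aws_lb", resource -> {
            BlockSymbol accessLogs = (BlockSymbol) resource.block("access_logs")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);
            AttributeSymbol enabled = (AttributeSymbol) accessLogs.attribute("enabled")
                .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
            enabled.reportIfAbsent(DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
        });

        // Classic load balancer: unlike aws_lb, a missing "enabled" attribute is not reported.
        // NOTE(review): presumably the provider default differs between the two resources;
        // confirm against the provider documentation.
        register("aws_elb", resource -> {
            BlockSymbol accessLogs = (BlockSymbol) resource.block("access_logs")
                .reportIfAbsent(DisabledLoggingCheck.MESSAGE_OMITTING, NO_SECONDARY_LOCATIONS);
            accessLogs.attribute("enabled")
                .reportIf(ExpressionPredicate.isFalse(), DisabledLoggingCheck.MESSAGE, NO_SECONDARY_LOCATIONS);
        });
    }

    /**
     * Tells whether an S3 bucket may be a log-delivery target, in which case the missing
     * {@code logging} block is not reported.
     *
     * <p>The answer is deliberately permissive: any {@code acl} that is not a string literal
     * (for example a variable reference) counts as "maybe". This avoids false positives but
     * means such buckets are never flagged by the S3 consumer.
     *
     * @param blockTree the bucket resource block
     * @return {@code false} when no {@code acl} attribute exists or when it is a string literal
     *     other than {@code log-delivery-write}; {@code true} otherwise
     */
    private static boolean isMaybeLoggingBucket(BlockTree blockTree) {
        Optional<AttributeTree> acl = PropertyUtils.get(blockTree, "acl", AttributeTree.class);
        if (acl.isEmpty()) {
            return false;
        }
        // mo0value() is the accessor name as it appears in this decompiled listing.
        ExpressionTree aclValue = acl.get().mo0value();
        if (!aclValue.is(TerraformTree.Kind.STRING_LITERAL)) {
            // Not statically known: give the bucket the benefit of the doubt.
            return true;
        }
        // Constant-first comparison stays false instead of throwing if the literal has no value.
        return "log-delivery-write".equals(((LiteralExprTree) aclValue).value());
    }
}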
