package org.sonar.iac.terraform.checks;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.Policy;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.BodyTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.ObjectTree;
import org.sonar.iac.terraform.api.tree.StatementTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.utils.PolicyUtils;

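/**
 * S6270: reports IAM-style policy statements that grant access to any principal.
 *
 * <p>Two statement shapes are flagged:
 * <ul>
 *   <li>{@code Effect = Allow} whose {@code Principal} is the wildcard {@code "*"} — given
 *       directly, as an element of a tuple, or under the {@code "AWS"} key of an object;</li>
 *   <li>{@code Effect = Deny} whose {@code NotPrincipal} is that wildcard: the deny then excludes
 *       every principal and so restricts nothing.</li>
 * </ul>
 *
 * <p>Resource blocks are inspected through {@link PolicyUtils#getPolicies(BlockTree)} (the
 * JSON-like {@link Policy} model). Every other block is inspected through its HCL {@code statement}
 * sub-blocks, where a principal is written {@code principals { type = "AWS" identifiers = ["*"] }}.
 * The issue is raised on the principal node, with the effect node as a secondary location.
 *
 * <p>The class was recovered by a decompiler: accessor names such as {@code mo4key()} and the
 * widened visibility of the nested classes (originally {@code private}) come from that tool.
 */
@Rule(key = "S6270")
public class AnonymousAccessPolicyCheck extends AbstractResourceCheck {
    private static final String MESSAGE = "Make sure granting public access is safe here.";
    private static final String SECONDARY_MESSAGE = "Related effect.";

    /**
     * One statement found to grant anonymous access: the principal node holding the wildcard and
     * the effect node of the same statement (reported as the secondary location).
     */
    public static class InsecureStatement {
        /** Node of the {@code Principal} / {@code NotPrincipal} (or HCL identifier) holding the wildcard. */
        final Tree principal;
        /** Node of the statement's {@code Effect}. */
        final Tree effect;

        public InsecureStatement(Tree principal, Tree effect) {
            this.principal = principal;
            this.effect = effect;
        }
    }

    /**
     * Stateless helpers that locate wildcard principals in both policy representations.
     *
     * <p>NOTE(review): only the {@code "AWS"} principal key and {@code type = "AWS"} blocks are
     * examined; other principal types (for example {@code Federated}, or a {@code type = "*"} block)
     * are not looked at by this validator — confirm that narrowing is intended.
     */
    public static class PolicyValidator {
        private static final String ANY_PRINCIPAL = "*";
        private static final String ALLOW = "Allow";
        private static final String DENY = "Deny";
        private static final String AWS = "AWS";

        private PolicyValidator() {
            // static helpers only
        }

        /**
         * Finds the insecure statements of a policy parsed from a resource attribute.
         *
         * @param policy the parsed policy; each statement exposes its effect, principal and
         *               not-principal as {@link Optional} trees
         * @return every insecure statement found, in statement order (empty when none)
         */
        public static Collection<InsecureStatement> findInsecureStatements(Policy policy) {
            List<InsecureStatement> found = new ArrayList<>();
            for (Policy.Statement statement : policy.statement()) {
                // Allow + Principal "*"
                statement.effect()
                    .filter(PolicyValidator::isAllowEffect)
                    .ifPresent(effect -> statement.principal()
                        .flatMap(PolicyValidator::findInsecurePrincipal)
                        .ifPresent(principal -> found.add(new InsecureStatement(principal, effect))));
                // Deny + NotPrincipal "*"
                statement.effect()
                    .filter(PolicyValidator::isDenyEffect)
                    .ifPresent(effect -> statement.notPrincipal()
                        .flatMap(PolicyValidator::findInsecurePrincipal)
                        .ifPresent(principal -> found.add(new InsecureStatement(principal, effect))));
            }
            return found;
        }

        /**
         * Finds the insecure statements of a non-resource block written in HCL, i.e. its
         * {@code statement} sub-blocks with {@code effect}, {@code principals} and
         * {@code not_principals} properties.
         *
         * @param blockTree the block whose properties are scanned
         * @return every insecure statement found, in property order (empty when none)
         */
        public static Collection<InsecureStatement> findInsecureStatements(BlockTree blockTree) {
            List<InsecureStatement> found = new ArrayList<>();
            for (StatementTree property : blockTree.properties()) {
                if (!isKey(property, "statement")) {
                    continue;
                }
                // effect = "Allow" with principals { type = "AWS" identifiers = ["*"] }
                PropertyUtils.value(property, "effect")
                    .filter(PolicyValidator::isAllowEffect)
                    .ifPresent(effect -> findInsecurePrincipals(property, "principals")
                        .ifPresent(principal -> found.add(new InsecureStatement(principal, effect))));
                // effect = "Deny" with not_principals { type = "AWS" identifiers = ["*"] }
                PropertyUtils.value(property, "effect")
                    .filter(PolicyValidator::isDenyEffect)
                    .ifPresent(effect -> findInsecurePrincipals(property, "not_principals")
                        .ifPresent(principal -> found.add(new InsecureStatement(principal, effect))));
            }
            return found;
        }

        /**
         * Looks into the {@code principals} / {@code not_principals} body of an HCL statement and
         * returns the wildcard identifier, provided the body declares {@code type = "AWS"}.
         *
         * @param statement the HCL {@code statement} property
         * @param key       {@code "principals"} or {@code "not_principals"}
         */
        private static Optional<Tree> findInsecurePrincipals(StatementTree statement, String key) {
            return PropertyUtils.value(statement, key, BodyTree.class)
                .map(body -> body.statements())
                .filter(PolicyValidator::hasAwsType)
                .flatMap(PolicyValidator::findInsecurePrincipal);
        }

        /**
         * Dispatches on the concrete shape of a principal value: object ({@code {"AWS": ...}}),
         * tuple ({@code ["*", ...]}) or a plain text node.
         *
         * @return the node holding the wildcard, or empty when the principal is restricted
         */
        private static Optional<Tree> findInsecurePrincipal(Tree tree) {
            if (tree instanceof ObjectTree) {
                return findInsecurePrincipal((ObjectTree) tree);
            }
            if (tree instanceof TupleTree) {
                return findInsecurePrincipal((TupleTree) tree);
            }
            return applyToAnyPrincipal(tree) ? Optional.of(tree) : Optional.empty();
        }

        /** First element of the tuple equal to the wildcard, if any. */
        private static Optional<Tree> findInsecurePrincipal(TupleTree tupleTree) {
            return tupleTree.elements().trees().stream()
                .filter(PolicyValidator::applyToAnyPrincipal)
                .map(Tree.class::cast)
                .findFirst();
        }

        /** Wildcard under the {@code "AWS"} key of an object principal, if any; other keys are ignored. */
        private static Optional<Tree> findInsecurePrincipal(ObjectTree objectTree) {
            return PropertyUtils.get(objectTree, AWS)
                .map(property -> property.value())
                .flatMap(PolicyValidator::findInsecurePrincipal);
        }

        /**
         * Wildcard inside the {@code identifiers} property of an HCL principals body, if any.
         * The first {@code identifiers} property holding a wildcard wins.
         */
        private static Optional<Tree> findInsecurePrincipal(List<StatementTree> statements) {
            return statements.stream()
                .filter(statement -> isKey(statement, "identifiers"))
                .map(statement -> findInsecurePrincipal(statement.value()))
                .filter(Optional::isPresent)
                .map(Optional::get)
                .findFirst();
        }

        /** True when the HCL body declares {@code type = "AWS"}; other principal types are not examined. */
        private static boolean hasAwsType(List<StatementTree> statements) {
            return statements.stream()
                .filter(statement -> isKey(statement, "type"))
                .map(statement -> statement.value())
                .anyMatch(value -> hasTextValue(value, AWS));
        }

        /** Case-insensitive comparison of a property key ({@code mo4key()} is the decompiler's name for the key accessor). */
        private static boolean isKey(StatementTree statement, String name) {
            return name.equalsIgnoreCase(statement.mo4key().value());
        }

        private static boolean applyToAnyPrincipal(Tree tree) {
            return hasTextValue(tree, ANY_PRINCIPAL);
        }

        private static boolean isAllowEffect(Tree tree) {
            return hasTextValue(tree, ALLOW);
        }

        private static boolean isDenyEffect(Tree tree) {
            return hasTextValue(tree, DENY);
        }

        /**
         * True only when {@code tree} definitely is the text {@code expected}; the comparison is
         * delegated to {@link TextUtils#isValue}, whose result is presumably tri-state, so an
         * unresolvable value (e.g. a variable reference) does not count as a match — confirm.
         */
        public static boolean hasTextValue(Tree tree, String expected) {
            return TextUtils.isValue(tree, expected).isTrue();
        }
    }

    /**
     * Registers, in addition to the resource handling of the parent class, a visitor for every
     * non-resource block so that HCL {@code statement} sub-blocks are inspected too.
     */
    @Override
    public void initialize(InitContext initContext) {
        super.initialize(initContext);
        initContext.register(BlockTree.class, (checkContext, blockTree) -> {
            // Resources are handled by checkResource(); avoid reporting them twice.
            if (!isResource(blockTree)) {
                checkInsecureStatementsOutsideResources(checkContext, blockTree);
            }
        });
    }

    /** Inspects every policy attached to a resource block. */
    @Override
    protected void checkResource(CheckContext checkContext, BlockTree blockTree) {
        PolicyUtils.getPolicies(blockTree).forEach(policy -> checkInsecurePolicy(checkContext, policy));
    }

    /** Reports every insecure statement of a parsed policy. */
    public static void checkInsecurePolicy(CheckContext checkContext, Policy policy) {
        report(checkContext, PolicyValidator.findInsecureStatements(policy));
    }

    /** Reports every insecure HCL statement of a non-resource block. */
    private static void checkInsecureStatementsOutsideResources(CheckContext checkContext, BlockTree blockTree) {
        report(checkContext, PolicyValidator.findInsecureStatements(blockTree));
    }

    /** Raises one issue per statement: primary on the principal, secondary on its effect. */
    private static void report(CheckContext checkContext, Collection<InsecureStatement> statements) {
        for (InsecureStatement statement : statements) {
            checkContext.reportIssue(statement.principal, MESSAGE,
                new SecondaryLocation(statement.effect, SECONDARY_MESSAGE));
        }
    }
}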
