package org.sonar.iac.terraform.checks.gcp;

import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.symbols.ListSymbol;

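/**
 * Rule S6406: reports Google Cloud custom IAM roles
 * ({@code google_organization_iam_custom_role}, {@code google_project_iam_custom_role})
 * whose {@code permissions} list grants more than {@link #max} sensitive permissions.
 *
 * <p>A permission is considered sensitive when its action part (the segment after the last
 * {@code '.'}) does not contain {@code readonly} and either starts with one of the sensitive
 * action prefixes or contains one of the sensitive action elements. Every sensitive permission
 * is attached to the issue as a secondary location so the reviewer can see which grants pushed
 * the role over the threshold.
 */
@Rule(key = "S6406")
public class ExcessivePermissionsCheck extends AbstractNewResourceCheck {
    private static final String MESSAGE = "This role grants more than %d sensitive permissions. Make sure they are all required.";
    private static final String SECONDARY_MESSAGE = "Sensitive permission";
    /** Default threshold for the {@code max} rule property. */
    public static final int DEFAULT = 5;

    /**
     * Action prefixes that mark a permission as sensitive. The action name is lower-cased before
     * it is compared, so the entries are lower-cased once here as well; otherwise mixed-case
     * entries such as {@code listVulnerabilities}, {@code sourceCodeGet} and {@code sourceCodeSet}
     * could never match and those permissions would silently go unreported.
     */
    private static final List<String> SENSITIVE_ACTION_PREFIXES = Stream.of(
        "abort", "access", "add", "allocate", "analyze", "apply", "approve", "associate", "attach",
        "begin", "bind", "call", "cancel", "clear", "close", "compute", "connect", "create", "delete",
        "deploy", "destroy", "detach", "disable", "drop", "enable", "evict", "exec", "import",
        "install", "invoke", "listVulnerabilities", "manage", "migrate", "move", "mutate", "patch",
        "pause", "proxy", "publish", "purchase", "purge", "put", "reject", "remove", "reopen",
        "replace", "rerun", "reset", "resize", "restart", "restore", "resume", "rollback", "rotate",
        "run", "sample", "scan", "send", "set", "sign", "sourceCodeGet", "sourceCodeSet", "start",
        "stop", "suspend", "undelete", "undeploy", "update", "upload", "use", "validate", "write")
        .map(prefix -> prefix.toLowerCase(Locale.ROOT))
        .collect(Collectors.toList());

    /** Substrings that mark a permission as sensitive wherever they occur in the action name. */
    private static final List<String> SENSITIVE_ACTION_ELEMENTS = List.of("login", "create", "delete", "set");

    /** Maximum number of sensitive permissions a role may grant before an issue is raised. */
    @RuleProperty(key = "max", defaultValue = "5")
    public int max = DEFAULT;

    @Override
    protected void registerResourceConsumer() {
        register(Set.of("google_organization_iam_custom_role", "google_project_iam_custom_role"), resourceSymbol -> {
            ListSymbol permissions = resourceSymbol.list("permissions");
            List<ExpressionTree> sensitive = permissions.getItemIf(isSensitivePermission())
                .collect(Collectors.toList());
            if (sensitive.size() > max) {
                // one secondary location per offending permission, reported on the list itself
                List<SecondaryLocation> secondaries = sensitive.stream()
                    .map(permission -> new SecondaryLocation(permission, SECONDARY_MESSAGE))
                    .collect(Collectors.toList());
                permissions.report(String.format(MESSAGE, max), secondaries);
            }
        });
    }

    /**
     * Builds the predicate used to select sensitive entries of the {@code permissions} list.
     *
     * @return a predicate that is true for a permission literal whose action part is sensitive;
     *         entries without a resolvable text value are never selected
     */
    private static Predicate<ExpressionTree> isSensitivePermission() {
        return permission -> TextUtils.getValue(permission)
            // Locale.ROOT keeps the comparison independent of the JVM default locale
            .map(value -> value.toLowerCase(Locale.ROOT))
            .map(ExcessivePermissionsCheck::getPermissionSuffix)
            // read-only actions are never sensitive, whatever their prefix
            .filter(suffix -> !suffix.contains("readonly"))
            .filter(ExcessivePermissionsCheck::isSensitiveSuffix)
            .isPresent();
    }

    /**
     * Returns the action part of a permission, i.e. everything after the last {@code '.'}
     * (for {@code compute.instances.delete} that is {@code delete}).
     *
     * @param permission full permission name
     * @return the text after the last dot, or the whole value when it contains no dot
     */
    private static String getPermissionSuffix(String permission) {
        return permission.substring(permission.lastIndexOf('.') + 1);
    }

    /**
     * @param suffix lower-cased action part of a permission
     * @return true when it starts with a sensitive prefix or contains a sensitive element
     */
    private static boolean isSensitiveSuffix(String suffix) {
        return SENSITIVE_ACTION_PREFIXES.stream().anyMatch(suffix::startsWith)
            || SENSITIVE_ACTION_ELEMENTS.stream().anyMatch(suffix::contains);
    }
}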
