package org.sonar.iac.terraform.checks;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PrivilegeEscalationVector;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.Policy;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.utils.PolicyUtils;
import org.sonar.iac.terraform.symbols.ResourceSymbol;

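@Rule(key = "S6317")
/* loaded from: input_file:org/sonar/iac/terraform/checks/PrivilegeEscalationCheck.class */
/**
 * Terraform check S6317: flags {@code aws_iam_policy} resources whose policy
 * statements grant a set of actions matching a known privilege escalation
 * vector (see {@link PrivilegeEscalationVector}).
 *
 * <p>The primary issue is reported on the resource; secondary locations point
 * at each action that enables the vector and, when the statement's
 * {@code Resource} is the literal {@code "*"}, at that resource entry.
 *
 * <p>Note that only statements whose {@code Action} is a tuple (list literal)
 * are analysed; a statement written with any other expression kind for its
 * action is skipped by this check rather than reported.
 */
public class PrivilegeEscalationCheck extends AbstractNewResourceCheck {
    /** Primary message, formatted with the vector name, reported on the resource. */
    private static final String MESSAGE = "This policy is vulnerable to the \"%s\" privilege escalation vector. Remove permissions or restrict the set of resources they apply to.";
    /** Secondary message for an action that is one of several permissions of the vector. */
    private static final String MESSAGE_ACTION_MULTIPLE = "When combined with others, this permission enables the \"%s\" escalation vector.";
    /** Secondary message for an action that is the vector's only permission. */
    private static final String MESSAGE_ACTION_SINGLE = "This permission enables the \"%s\" escalation vector.";
    /** Secondary message for a statement whose resource is the literal {@code "*"}. */
    private static final String MESSAGE_STATEMENT_ALL = "Permissions are granted on all resources.";

    /**
     * Registers this check for {@code aws_iam_policy} resources. Every policy
     * document extracted from the resource tree is inspected statement by statement.
     */
    @Override // org.sonar.iac.terraform.checks.AbstractNewResourceCheck
    protected void registerResourceConsumer() {
        register("aws_iam_policy", resourceSymbol -> PolicyUtils.getPolicies(resourceSymbol.tree)
            .forEach(policy -> checkPrivilegeEscalation(resourceSymbol, policy)));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports each statement of {@code policy} whose action list matches a
     * privilege escalation vector.
     *
     * <p>Only statements whose action is a {@link TupleTree} are analysed; the
     * action elements are handed to
     * {@link PrivilegeEscalationVector#getStatementEscalationVector} as plain
     * {@link Tree}s and the first matching vector, if any, is reported.
     *
     * <p>The decompiler reports this method was {@code private} in the original
     * source; it is kept {@code public} here to preserve this listing's interface.
     *
     * @param resourceSymbol the {@code aws_iam_policy} resource the issue is reported on
     * @param policy parsed policy document attached to that resource
     */
    public static void checkPrivilegeEscalation(ResourceSymbol resourceSymbol, Policy policy) {
        for (Policy.Statement statement : policy.statement()) {
            Optional<TupleTree> actionList = statement.action()
                .filter(TupleTree.class::isInstance)
                .map(TupleTree.class::cast);
            if (!actionList.isPresent()) {
                // Non-tuple actions are not inspected by this check.
                continue;
            }
            // Widen ExpressionTree elements to Tree for the vector matcher.
            List<Tree> actionTrees = actionList.get().elements().trees().stream()
                .map(Tree.class::cast)
                .collect(Collectors.toList());
            PrivilegeEscalationVector.getStatementEscalationVector(statement, actionTrees)
                .ifPresent(vector -> resourceSymbol.report(
                    String.format(MESSAGE, vector.getName()),
                    secondaryLocations(statement, vector)));
        }
    }

    /**
     * Collects the secondary locations for a reported statement: the enabling
     * actions first, then the wildcard resource if present.
     *
     * @param statement the statement matching {@code privilegeEscalationVector}
     * @param privilegeEscalationVector the vector the statement enables
     * @return a new, mutable list of secondary locations (possibly empty)
     */
    private static List<SecondaryLocation> secondaryLocations(Policy.Statement statement, PrivilegeEscalationVector privilegeEscalationVector) {
        List<SecondaryLocation> locations = new ArrayList<>();
        locations.addAll(retrieveSecondaryLocationsFromAction(statement, privilegeEscalationVector));
        locations.addAll(retrieveSecondaryLocationsFromResource(statement));
        return locations;
    }

    /**
     * Returns a secondary location on the statement's resource when
     * {@link TextUtils#isValue} recognises it as the literal {@code "*"};
     * any other resource expression yields no location.
     *
     * @param statement the statement being reported
     * @return a list holding at most one secondary location
     */
    private static List<SecondaryLocation> retrieveSecondaryLocationsFromResource(Policy.Statement statement) {
        List<SecondaryLocation> locations = new ArrayList<>();
        statement.resource().ifPresent(resourceTree -> {
            if (TextUtils.isValue(resourceTree, "*").isTrue()) {
                locations.add(new SecondaryLocation(resourceTree, MESSAGE_STATEMENT_ALL));
            }
        });
        return locations;
    }

    /**
     * Returns one secondary location per action element of the statement's
     * action tuple that enables {@code privilegeEscalationVector}.
     *
     * @param statement the statement being reported; a non-tuple action yields no locations
     * @param privilegeEscalationVector the vector the statement enables
     * @return a new list of secondary locations, empty when nothing matches
     */
    private static List<SecondaryLocation> retrieveSecondaryLocationsFromAction(Policy.Statement statement, PrivilegeEscalationVector privilegeEscalationVector) {
        // A vector made of a single permission is fully enabled by that one action;
        // with several permissions each matching action is only a contributor.
        String actionMessage = privilegeEscalationVector.getPermissions().size() == 1
            ? String.format(MESSAGE_ACTION_SINGLE, privilegeEscalationVector.getName())
            : String.format(MESSAGE_ACTION_MULTIPLE, privilegeEscalationVector.getName());
        return statement.action()
            .filter(TupleTree.class::isInstance)
            .map(TupleTree.class::cast)
            .map(actionTuple -> actionTuple.elements().trees().stream()
                .filter(actionTree -> enablesVector(actionTree, privilegeEscalationVector))
                .map(actionTree -> new SecondaryLocation(actionTree, actionMessage))
                .collect(Collectors.toList()))
            .orElseGet(ArrayList::new);
    }

    /**
     * True when the text value of {@code actionTree} is a permission of
     * {@code vector}. An action whose text cannot be read via
     * {@link TextUtils#getValue} never matches.
     */
    private static boolean enablesVector(Tree actionTree, PrivilegeEscalationVector vector) {
        return TextUtils.getValue(actionTree)
            .map(actionName -> PrivilegeEscalationVector.actionEnablesVector(vector, actionName))
            .orElse(false);
    }
}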
