package org.sonar.iac.terraform.checks.azure;

import org.sonar.api.utils.Version;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.plugin.TerraformProviders;
import org.sonar.iac.terraform.symbols.AttributeSymbol;
import org.sonar.iac.terraform.symbols.BlockSymbol;

/**
 * Rule S6383: role-based access control (RBAC) should be enabled on Azure resources.
 *
 * Raises an issue on {@code azurerm_kubernetes_cluster} and {@code azurerm_key_vault}
 * resources when RBAC is explicitly switched off, or when the attribute or block that
 * turns it on is omitted and its absence means RBAC is disabled.
 */
@Rule(key = "S6383")
public class RoleBasedAccessControlCheck extends AbstractNewResourceCheck {
    /** Issue text for a missing RBAC attribute/block; {@code %s} is filled with the missing name. */
    private static final String MISSING_MESSAGE = "Omitting '%s' disables role-based access control for this resource. Make sure it is safe here.";
    /** Issue text for an explicit {@code false} on an RBAC switch. */
    private static final String DISABLED_MESSAGE = "Make sure that disabling role-based access control is safe here.";
    /** azurerm 3.0 is the boundary below which the 'role_based_access_control' block is required. */
    private static final Version AZURE_V_3 = Version.create(3, 0);

    @Override // org.sonar.iac.terraform.checks.AbstractNewResourceCheck
    protected void registerResourceConsumer() {
        register("azurerm_kubernetes_cluster", cluster -> {
            BlockSymbol rbacBlock = cluster.block("role_based_access_control");

            // Below azurerm 3.0 the RBAC block is expected on the cluster, so a missing block is reported.
            // NOTE(review): what hasVersionLowerThan returns when no provider version is pinned is not
            // visible here - confirm that an unpinned provider does not silently skip this check.
            boolean belowV3 = cluster.provider(TerraformProviders.Provider.Identifier.AZURE).hasVersionLowerThan(AZURE_V_3);
            if (belowV3) {
                rbacBlock.reportIfAbsent(MISSING_MESSAGE, new SecondaryLocation[0]);
            }

            // 'enabled = false' in the block is reported as an explicit opt-out. The nested
            // azure_active_directory block is only inspected when 'enabled' is not false
            // (absent or true), mirroring the original short-circuit.
            AttributeSymbol legacyEnabled = (AttributeSymbol) rbacBlock.attribute("enabled")
                .reportIf(ExpressionPredicate.isFalse(), DISABLED_MESSAGE, new SecondaryLocation[0]);
            if (!legacyEnabled.is(ExpressionPredicate.isFalse())) {
                checkActiveDirectoryRoleBasedAccessControl(rbacBlock.block("azure_active_directory"));
            }

            // Top-level AAD integration block (newer schema) gets the same managed/azure_rbac_enabled inspection.
            checkActiveDirectoryRoleBasedAccessControl(cluster.block("azure_active_directory_role_based_access_control"));

            // Top-level RBAC switch: only an explicit 'false' is reported; absence is deliberately not
            // flagged here (presumably because the provider defaults it to true - verify against the schema).
            cluster.attribute("role_based_access_control_enabled")
                .reportIf(ExpressionPredicate.isFalse(), DISABLED_MESSAGE, new SecondaryLocation[0]);
        });

        register("azurerm_key_vault", vault -> {
            // Both an explicit 'false' and a missing attribute are reported: omitting
            // enable_rbac_authorization leaves the vault on access-policy authorization.
            AttributeSymbol rbacAuthorization = (AttributeSymbol) vault.attribute("enable_rbac_authorization")
                .reportIf(ExpressionPredicate.isFalse(), DISABLED_MESSAGE, new SecondaryLocation[0]);
            rbacAuthorization.reportIfAbsent(MISSING_MESSAGE, new SecondaryLocation[0]);
        });
    }

    /**
     * Inspects an Azure Active Directory integration block of a cluster.
     *
     * Nothing is reported unless {@code managed} is explicitly {@code true}. In that case
     * {@code azure_rbac_enabled = false} is reported as disabling RBAC, and a missing
     * {@code azure_rbac_enabled} is reported on the {@code managed} attribute itself,
     * since that is the only location the user wrote.
     *
     * @param aadBlock the 'azure_active_directory' or 'azure_active_directory_role_based_access_control'
     *                 block symbol (may represent an absent block)
     */
    private static void checkActiveDirectoryRoleBasedAccessControl(BlockSymbol aadBlock) {
        AttributeSymbol managed = aadBlock.attribute("managed");
        if (!managed.is(ExpressionPredicate.isTrue())) {
            // Unmanaged (or unspecified) AAD integration: azure_rbac_enabled is not evaluated at all.
            return;
        }
        AttributeSymbol azureRbac = (AttributeSymbol) aadBlock.attribute("azure_rbac_enabled")
            .reportIf(ExpressionPredicate.isFalse(), DISABLED_MESSAGE, new SecondaryLocation[0]);
        if (azureRbac.isAbsent()) {
            managed.report(String.format(MISSING_MESSAGE, "azure_rbac_enabled"), new SecondaryLocation[0]);
        }
    }
}
