package org.sonar.iac.terraform.checks.gcp;

import java.util.List;
import java.util.Set;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.extension.visitors.TreeContext;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.FileTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.symbols.ResourceSymbol;

/* loaded from: input_file:org/sonar/iac/terraform/checks/gcp/GcpPrivilegePolicyCheckPart.class */
/**
 * Terraform check part for GCP IAM: reports roles whose name matches
 * {@link #SENSITIVE_ROLES} when they are granted through
 * {@code google_*_iam_binding} / {@code google_*_iam_member} resources or
 * through a {@code data "google_iam_policy"} block.
 *
 * <p>Bindings and members are checked directly on their {@code role}
 * attribute. Policy data blocks are delegated to a
 * {@link PolicyReferenceCollector} built over {@link #IAM_POLICY_RESOURCE_TYPES};
 * the collector is also fed every {@link FileTree} (see {@link #initialize}).
 * NOTE(review): what the collector records during {@code scan} and how it
 * reports in {@code checkPolicy} is not visible here — the secondary message
 * suggests it attaches the resource that consumes the policy; confirm.
 */
public class GcpPrivilegePolicyCheckPart extends AbstractNewResourceCheck {
    private static final String POLICY_MESSAGE = "Make sure it is safe to give all members full access.";
    private static final String MEMBER_MESSAGE = "Make sure it is safe to grant that member full access.";
    private static final String SECONDARY_MESSAGE = "The policy is used here.";

    // Role-name pattern. The surrounding ".*" suggest a whole-string match API, so the
    // effective test is "role contains admin|manager|owner|superuser". Reviewer notes
    // (cannot be verified from this file alone):
    // - case-sensitivity depends on ExpressionPredicate.matchesPattern; if the pattern is
    //   compiled case-sensitively, camel-cased predefined roles such as
    //   roles/iam.serviceAccountAdmin would NOT be caught — confirm;
    // - "manager" is a substring of "resourcemanager", so every roles/resourcemanager.*
    //   role matches, including read-only ones (likely false positives);
    // - GCP's basic roles/editor is broad but matches none of the alternatives.
    private static final String SENSITIVE_ROLES = ".*(?:admin|manager|owner|superuser).*";

    // Resource types that attach a google_iam_policy document to a GCP scope.
    private static final Set<String> IAM_POLICY_RESOURCE_TYPES = Set.of(
        "google_project_iam_policy",
        "google_organization_iam_policy",
        "google_service_account_iam_policy",
        "google_folder_iam_policy");

    private final PolicyReferenceCollector collector = new PolicyReferenceCollector(IAM_POLICY_RESOURCE_TYPES);

    /**
     * Registers the base resource consumers and additionally scans every file
     * tree with the policy reference collector.
     *
     * @param initContext registration context supplied by the analyzer
     */
    @Override
    public void initialize(InitContext initContext) {
        super.initialize(initContext);
        initContext.register(FileTree.class, (ctx, tree) -> collector.scan(new TreeContext(), tree));
    }

    /**
     * Hands {@code data "google_iam_policy"} blocks to the collector; every other
     * block only goes through the base implementation.
     *
     * @param checkContext context used to raise issues
     * @param blockTree    the resource or data block being visited
     */
    @Override
    public void provideResource(CheckContext checkContext, BlockTree blockTree) {
        super.provideResource(checkContext, blockTree);
        if (!isDataOfType(blockTree, "google_iam_policy")) {
            return;
        }
        ResourceSymbol policy = ResourceSymbol.fromPresent(checkContext, blockTree);
        collector.checkPolicy(policy, ExpressionPredicate.matchesPattern(SENSITIVE_ROLES), POLICY_MESSAGE, SECONDARY_MESSAGE);
    }

    /**
     * Registers the role check on binding resources (message about all members)
     * and on member resources (message about a single member).
     */
    @Override
    protected void registerResourceConsumer() {
        registerRoleCheck(
            List.of("google_project_iam_binding", "google_organization_iam_binding", "google_service_account_iam_binding", "google_folder_iam_binding"),
            POLICY_MESSAGE);
        registerRoleCheck(
            List.of("google_project_iam_member", "google_organization_iam_member", "google_service_account_iam_member", "google_folder_iam_member"),
            MEMBER_MESSAGE);
    }

    // Binds the same role check to several resource types with one issue message.
    private void registerRoleCheck(List<String> resourceTypes, String message) {
        register(resourceTypes, resource -> checkRole(resource, message));
    }

    // Raises {@code message} on the resource's "role" attribute when it matches SENSITIVE_ROLES;
    // no secondary locations are attached.
    private void checkRole(ResourceSymbol resource, String message) {
        resource.attribute("role").reportIf(ExpressionPredicate.matchesPattern(SENSITIVE_ROLES), message, new SecondaryLocation[0]);
    }
}
