package org.sonar.iac.terraform.checks.aws;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.checks.policy.IpRestrictedAdminAccessCheckUtils;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.PrefixExpressionTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.IpRestrictedAdminAccessCheck;

/* loaded from: input_file:org/sonar/iac/terraform/checks/aws/AwsIpRestrictedAdminAccessCheckPart.class */
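/**
 * AWS part of the "restrict administration access" Terraform rule.
 *
 * <p>Flags an inline {@code ingress} block of an {@code aws_security_group} that is reachable
 * from the whole Internet ({@code cidr_blocks} containing {@code 0.0.0.0/0} or
 * {@code ipv6_cidr_blocks} containing {@code ::/0}) and that either allows every protocol or is a
 * TCP rule whose port range covers an administration port (SSH/RDP, as decided by
 * {@link IpRestrictedAdminAccessCheckUtils#rangeContainsSshOrRdpPort}) or is the {@code 0-0}
 * "all ports" range.
 *
 * <p>Only literal values are inspected: a CIDR list, protocol or port supplied through a
 * variable, function call or other expression is not resolved and yields no issue. Standalone
 * {@code aws_security_group_rule} resources are not visited by this class.
 */
public class AwsIpRestrictedAdminAccessCheckPart extends AbstractResourceCheck {

    /** Primary issue message, shared by both reporting paths. */
    private static final String MESSAGE = "Restrict IP addresses authorized to access administration services.";

    @Override
    protected void registerResourceChecks() {
        register(AwsIpRestrictedAdminAccessCheckPart::checkSecurityGroup, "aws_security_group");
    }

    /** Runs the ingress check on every inline {@code ingress} block of one security group. */
    private static void checkSecurityGroup(CheckContext ctx, BlockTree securityGroup) {
        PropertyUtils.getAll(securityGroup, "ingress", BlockTree.class)
            .forEach(ingress -> checkIngress(ctx, ingress));
    }

    /**
     * Checks one ingress rule and reports on its offending CIDR list when the rule is
     * Internet-facing and either allows all protocols or exposes a sensitive TCP port range.
     *
     * @param ctx     context used to report issues
     * @param ingress the {@code ingress} block under review
     */
    public static void checkIngress(CheckContext ctx, BlockTree ingress) {
        Optional<TupleTree> openCidr = getDefaultRouteCidr(ingress);
        if (openCidr.isEmpty()) {
            return;
        }
        // "protocol" is mandatory in the provider schema; a missing or non-literal value cannot be judged here.
        Optional<Tree> protocol = PropertyUtils.value(ingress, "protocol");
        if (protocol.isEmpty()) {
            return;
        }
        Tree protocolValue = protocol.get();
        if (isAllProtocols(protocolValue)) {
            ctx.reportIssue(openCidr.get(), MESSAGE,
                new SecondaryLocation(protocolValue, IpRestrictedAdminAccessCheck.SECONDARY_MSG));
        } else if (isTcp(protocolValue)) {
            checkTcpPorts(ctx, ingress, openCidr.get(), protocolValue);
        }
    }

    /**
     * Reports a TCP rule whose literal {@code from_port}/{@code to_port} range reaches an
     * administration port; the protocol and both port bounds are attached as secondary locations.
     *
     * @param ctx      context used to report issues
     * @param ingress  the {@code ingress} block holding the port attributes
     * @param openCidr the CIDR list the issue is anchored on
     * @param protocol the {@code protocol} value, already known to denote TCP
     */
    private static void checkTcpPorts(CheckContext ctx, BlockTree ingress, Tree openCidr, Tree protocol) {
        Optional<Tree> fromPort = PropertyUtils.value(ingress, "from_port");
        Optional<Tree> toPort = PropertyUtils.value(ingress, "to_port");
        if (fromPort.isEmpty() || toPort.isEmpty()) {
            return;
        }
        if (!rangeContainsSensitivePort(fromPort.get(), toPort.get())) {
            return;
        }
        List<SecondaryLocation> secondaries = new ArrayList<>(3);
        secondaries.add(new SecondaryLocation(protocol, IpRestrictedAdminAccessCheck.SECONDARY_MSG));
        secondaries.add(new SecondaryLocation(fromPort.get(), "Port range start."));
        secondaries.add(new SecondaryLocation(toPort.get(), "Port range end."));
        ctx.reportIssue(openCidr, MESSAGE, secondaries);
    }

    /**
     * Recognises the AWS "all protocols" value {@code -1}, whether written as a bare number
     * (parsed as unary minus applied to {@code 1}) or as the quoted string {@code "-1"} that the
     * provider documentation uses. Matching only the unary form let the quoted spelling pass.
     */
    private static boolean isAllProtocols(Tree protocol) {
        if (TextUtils.isValue(protocol, "-1").isTrue()) {
            return true;
        }
        if (!(protocol instanceof PrefixExpressionTree)) {
            return false;
        }
        PrefixExpressionTree prefixed = (PrefixExpressionTree) protocol;
        return "-".equals(prefixed.prefix().value())
            && TextUtils.isValue(prefixed.expression(), "1").isTrue();
    }

    /**
     * {@code tcp} by name or by its IANA protocol number {@code 6}; AWS accepts protocol numbers
     * in place of names, so a rule written as {@code protocol = "6"} is the same TCP rule.
     */
    private static boolean isTcp(Tree protocol) {
        return TextUtils.isValue(protocol, "tcp").isTrue() || TextUtils.isValue(protocol, "6").isTrue();
    }

    /**
     * True when both bounds are integer literals and the range is either {@code 0-0} (how AWS
     * spells "all ports", which therefore includes the administration ports) or covers an
     * SSH/RDP port per {@link IpRestrictedAdminAccessCheckUtils#rangeContainsSshOrRdpPort}.
     */
    private static boolean rangeContainsSensitivePort(Tree fromPort, Tree toPort) {
        Optional<Integer> lower = TextUtils.getIntValue(fromPort);
        Optional<Integer> upper = TextUtils.getIntValue(toPort);
        if (lower.isEmpty() || upper.isEmpty()) {
            return false;
        }
        int lo = lower.get();
        int hi = upper.get();
        return (lo == 0 && hi == 0) || IpRestrictedAdminAccessCheckUtils.rangeContainsSshOrRdpPort(lo, hi);
    }

    /**
     * Returns the literal CIDR list that opens the rule to the Internet: {@code cidr_blocks} if it
     * contains {@code 0.0.0.0/0}, otherwise {@code ipv6_cidr_blocks} if it contains {@code ::/0}.
     * Only the IPv4 list is returned when both are open, so a single issue is raised per rule.
     */
    private static Optional<TupleTree> getDefaultRouteCidr(BlockTree ingress) {
        Optional<TupleTree> ipv4 = PropertyUtils.value(ingress, "cidr_blocks", TupleTree.class)
            .filter(cidrs -> containsValue(cidrs, "0.0.0.0/0"));
        return ipv4.or(() -> PropertyUtils.value(ingress, "ipv6_cidr_blocks", TupleTree.class)
            .filter(cidrs -> containsValue(cidrs, "::/0")));
    }

    /** True when any element of the tuple is a literal equal to {@code expected}. */
    public static boolean containsValue(TupleTree tuple, String expected) {
        return tuple.elements().trees().stream()
            .anyMatch(element -> TextUtils.isValue(element, expected).isTrue());
    }
}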
