package org.sonar.iac.terraform.checks;

import org.sonar.api.utils.Version;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.ObjectElementTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.plugin.TerraformProviders;
import org.sonar.iac.terraform.symbols.AttributeSymbol;
import org.sonar.iac.terraform.symbols.BlockSymbol;

/**
 * Terraform check for rule S6252: raises an issue on S3 bucket definitions whose object
 * versioning is disabled, suspended, or left out.
 *
 * <p>Two resource shapes are inspected:
 * <ul>
 *   <li>the bucket resource itself ({@code AbstractResourceCheck.S3_BUCKET}), where
 *       {@code versioning} may appear as a nested block or as an object-valued attribute;</li>
 *   <li>the standalone {@code aws_s3_bucket_versioning} resource, through
 *       {@code versioning_configuration.status}.</li>
 * </ul>
 *
 * <p>Every issue attached to a versioning setting carries a secondary location pointing back
 * to the resource that owns it, so a reviewer can see which bucket is affected.
 */
@Rule(key = "S6252")
/* loaded from: input_file:org/sonar/iac/terraform/checks/UnversionedS3BucketCheck.class */
public class UnversionedS3BucketCheck extends AbstractNewResourceCheck {
    private static final String OMITTING_MESSAGE = "Omitting \"versioning\" disables S3 bucket versioning. Make sure it is safe here.";
    private static final String SECONDARY_MESSAGE = "Related bucket";
    private static final String MESSAGE = "Make sure using %s S3 bucket is safe here.";
    private static final String UNVERSIONED_MSG = String.format(MESSAGE, "unversioned");
    private static final String SUSPENDED_MSG = String.format(MESSAGE, "suspended versioned");
    // AWS provider version below which a bucket without any "versioning" setting is reported.
    private static final Version AWS_V_4 = Version.create(4, 0);

    /**
     * Registers the two resource consumers of this check.
     *
     * <p>Overrides {@code org.sonar.iac.terraform.checks.AbstractNewResourceCheck}.
     */
    @Override
    protected void registerResourceConsumer() {
        register(AbstractResourceCheck.S3_BUCKET, bucket -> {
            SecondaryLocation bucketLocation = bucket.toSecondary(SECONDARY_MESSAGE);

            // Block form: versioning { enabled = ... }.
            // enabled = false is reported as suspended; a block without "enabled" as unversioned.
            BlockSymbol versioningBlock = bucket.block("versioning");
            AttributeSymbol enabledFlag = (AttributeSymbol) versioningBlock.attribute("enabled")
                .reportIf(ExpressionPredicate.isFalse(), SUSPENDED_MSG, new SecondaryLocation[]{bucketLocation});
            enabledFlag.reportIfAbsent(UNVERSIONED_MSG, new SecondaryLocation[]{bucketLocation});

            // Attribute form: versioning = { enabled = ... }.
            AttributeSymbol versioningAttribute = bucket.attribute("versioning");
            if (versioningAttribute.isPresent()) {
                checkVersionAttribute(versioningAttribute, bucketLocation);
            }

            // A bucket with no versioning setting at all is only reported for AWS provider < 4.0,
            // presumably because newer providers configure versioning through the separate
            // aws_s3_bucket_versioning resource handled below.
            // NOTE(review): what hasVersionLowerThan returns when no provider version is declared
            // is not visible here; if it returns false, such buckets are not reported - confirm.
            boolean legacyAwsProvider = bucket.provider(TerraformProviders.Provider.Identifier.AWS).hasVersionLowerThan(AWS_V_4);
            if (legacyAwsProvider && versioningBlock.isAbsent() && versioningAttribute.isAbsent()) {
                bucket.report(OMITTING_MESSAGE, new SecondaryLocation[0]);
            }
        });

        register("aws_s3_bucket_versioning", versioningResource -> {
            SecondaryLocation resourceLocation = versioningResource.toSecondary(SECONDARY_MESSAGE);

            // Only the literal statuses "Disabled" and "Suspended" are reported;
            // an absent status is not reported by this chain.
            AttributeSymbol status = (AttributeSymbol) versioningResource.block("versioning_configuration").attribute("status")
                .reportIf(ExpressionPredicate.equalTo("Disabled"), UNVERSIONED_MSG, new SecondaryLocation[]{resourceLocation});
            status.reportIf(ExpressionPredicate.equalTo("Suspended"), SUSPENDED_MSG, new SecondaryLocation[]{resourceLocation});
        });
    }

    /**
     * Inspects a {@code versioning} attribute whose value is an object.
     *
     * <p>An {@code enabled} element for which {@code TextUtils.isValueFalse} holds is reported
     * as suspended; an object without an {@code enabled} element is reported as unversioned on
     * the attribute key.
     *
     * <p>Values that are not of kind {@code OBJECT} are skipped without raising an issue, so a
     * {@code versioning} attribute given in any other form is not evaluated by this method.
     *
     * @param attributeSymbol the {@code versioning} attribute of the bucket resource
     * @param secondaryLocation location of the owning resource, attached to every issue raised
     */
    private static void checkVersionAttribute(AttributeSymbol attributeSymbol, SecondaryLocation secondaryLocation) {
        AttributeTree versioningTree = (AttributeTree) attributeSymbol.tree;
        if (!versioningTree.mo0value().is(TerraformTree.Kind.OBJECT)) {
            // Non-object value: nothing can be read from it here.
            return;
        }
        PropertyUtils.get(versioningTree.mo0value(), "enabled", ObjectElementTree.class).ifPresentOrElse(
            enabledElement -> {
                if (TextUtils.isValueFalse(enabledElement.mo2value())) {
                    attributeSymbol.ctx.reportIssue(enabledElement, SUSPENDED_MSG, secondaryLocation);
                }
            },
            () -> attributeSymbol.ctx.reportIssue(versioningTree.mo4key(), UNVERSIONED_MSG, secondaryLocation));
    }
}
