package org.sonar.iac.terraform.checks;

import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.Policy;
import org.sonar.iac.common.checks.PrivilegeEscalationVector;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.utils.PolicyUtils;

@Rule(key = "S6317")
/**
 * Rule S6317: reports IAM policy statements that allow a privilege-escalation
 * action set on a wildcard IAM principal resource.
 *
 * A statement is reported only when all of the following hold:
 * <ul>
 *   <li>its Effect is {@code "Allow"};</li>
 *   <li>its Resource is {@code "*"} or an IAM role/user/group ARN ending in {@code /*};</li>
 *   <li>its Action list is a superset of one of the known escalation vectors
 *       (delegated to {@link PrivilegeEscalationVector});</li>
 *   <li>it carries no Condition and no Principal.</li>
 * </ul>
 * Only {@code aws_iam_policy} resources are inspected.
 */
public class PrivilegeEscalationCheck extends AbstractNewResourceCheck {
    private static final String MESSAGE = "Narrow these permissions to a smaller set of resources to avoid privilege escalation.";
    // Matches an IAM ARN whose final segment is a wildcard role/user/group, e.g.
    // (constructed) arn:aws:iam::123456789012:role/*. Any value in the partition,
    // service, region and account positions is accepted.
    private static final Pattern RESOURCE_NAME_PATTERN = Pattern.compile("arn:[^:]*:[^:]*:[^:]*:[^:]*:(role|user|group)/\\*");

    /** Hooks this check onto every {@code aws_iam_policy} resource and inspects each of its policies. */
    @Override
    protected void registerResourceConsumer() {
        register("aws_iam_policy", resource ->
            PolicyUtils.getPolicies(resource.tree)
                .forEach(policy -> checkPrivilegeEscalation(resource.ctx, policy)));
    }

    /**
     * Reports an issue on the Resource element of every statement of {@code policy}
     * that {@link #allowsPrivilegeEscalation(Policy.Statement)} flags.
     *
     * NOTE: the decompiler indicates this member was originally {@code private}; it is
     * kept {@code public} here so existing callers are unaffected.
     *
     * @param checkContext context used to raise issues
     * @param policy       the parsed policy whose statements are examined
     */
    public static void checkPrivilegeEscalation(CheckContext checkContext, Policy policy) {
        for (Policy.Statement statement : policy.statement()) {
            if (allowsPrivilegeEscalation(statement)) {
                // resource() is known to be present: allowsPrivilegeEscalation required it.
                checkContext.reportIssue((HasTextRange) statement.resource().get(), MESSAGE);
            }
        }
    }

    /**
     * Returns whether {@code statement} is an unconditional, principal-less Allow of an
     * escalation-capable action set on a sensitive resource. Each criterion is evaluated
     * in turn and the first failing one short-circuits the rest, exactly as a single
     * conjunction would.
     */
    private static boolean allowsPrivilegeEscalation(Policy.Statement statement) {
        if (!statement.effect().filter(PrivilegeEscalationCheck::isAllowEffect).isPresent()) {
            return false;
        }
        if (!statement.resource().filter(PrivilegeEscalationCheck::isSensitiveResource).isPresent()) {
            return false;
        }
        if (!statement.action().filter(PrivilegeEscalationCheck::isSensitiveAction).isPresent()) {
            return false;
        }
        // A Condition or a Principal narrows the grant; such statements are not reported.
        return statement.condition().isEmpty() && statement.principal().isEmpty();
    }

    /** True when the tree's text value is exactly {@code "Allow"}. */
    private static boolean isAllowEffect(Tree tree) {
        return TextUtils.isValue(tree, "Allow").isTrue();
    }

    /** True when the tree's text value is {@code "*"} or a wildcard IAM role/user/group ARN. */
    private static boolean isSensitiveResource(Tree tree) {
        return TextUtils.matchesValue(tree, PrivilegeEscalationCheck::isWildcardIamResource).isTrue();
    }

    /** Predicate behind {@link #isSensitiveResource(Tree)}, applied to the raw string value. */
    private static boolean isWildcardIamResource(String value) {
        if ("*".equals(value)) {
            return true;
        }
        return RESOURCE_NAME_PATTERN.matcher(value).matches();
    }

    /**
     * True when the tree is a tuple of actions whose string values form a superset of an
     * escalation vector. A non-tuple Action value (a single scalar string) is never
     * inspected and yields {@code false}; whether that constitutes a missed detection
     * depends on {@link PrivilegeEscalationVector}, which is not visible here.
     */
    private static boolean isSensitiveAction(Tree tree) {
        if (!(tree instanceof TupleTree)) {
            return false;
        }
        TupleTree actions = (TupleTree) tree;
        return PrivilegeEscalationVector.isSupersetOfAnEscalationVector(
            actions.elements().trees().stream()
                .flatMap(element -> TextUtils.getValue(element).stream()));
    }
}
