package org.sonar.iac.terraform.checks.azure;

import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Predicate;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.PublicNetworkAccessCheck;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.checks.utils.PredicateUtils;
import org.sonar.iac.terraform.checks.utils.TerraformUtils;
import org.sonar.iac.terraform.symbols.ResourceSymbol;

/* loaded from: input_file:org/sonar/iac/terraform/checks/azure/AzurePublicNetworkAccessCheckPart.class */
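/**
 * Terraform check part that reports Azure resources exposing a public network
 * endpoint or a public IP address.
 *
 * <p>Each supported {@code azurerm_*} resource type is registered with a consumer
 * that inspects the relevant attribute (or nested block) and raises one of the
 * messages defined in {@link PublicNetworkAccessCheck}. Where the provider's
 * default for an omitted attribute is "public", the absence of the attribute is
 * reported as well ({@code OMITTING_MESSAGE}).
 */
public class AzurePublicNetworkAccessCheckPart extends AbstractNewResourceCheck {

    /**
     * Matches an attribute access rooted at an {@code azurerm_public_ip} resource.
     * The trailing {@code 2} is presumably a regex flag ({@code Pattern.CASE_INSENSITIVE}
     * has that value) — confirm against {@code PredicateUtils.exactMatchStringPredicate}.
     */
    private static final Predicate<String> STARTS_WITH_AZURERM_PUBLIC_IP = PredicateUtils.exactMatchStringPredicate("azurerm_public_ip.*", 2);

    /**
     * Addresses / CIDRs that are NOT considered public: the RFC 1918 private ranges
     * 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, plus the {@code 0.0.0.0/32}
     * sentinel. The 172 alternative covers the whole /12 (172.16 through 172.31);
     * matching only {@code 172.16.} would flag e.g. {@code 172.20.0.0/16} as public.
     */
    private static final String PRIVATE_IP_ADDRESS_PATTERN = "(10|172[.](1[6-9]|2[0-9]|3[01])|192[.]168)[.].*|0[.]0[.]0[.]0/32";

    /** True for an address or CIDR expression that does not fall in a private range. */
    private static final Predicate<ExpressionTree> IS_PUBLIC_IP_ADDRESS = PredicateUtils.treePredicate(PredicateUtils.exactMatchStringPredicate(PRIVATE_IP_ADDRESS_PATTERN).negate());

    /** Resource types whose public exposure is controlled by {@code public_network_access_enabled}. */
    private static final List<String> PUBLIC_NETWORK_ACCESS_ENABLED_RESOURCES = List.of(
        "azurerm_batch_account",
        "azurerm_cognitive_account",
        "azurerm_container_registry",
        "azurerm_cosmosdb_account",
        "azurerm_databricks_workspace",
        "azurerm_eventgrid_domain",
        "azurerm_eventgrid_topic",
        "azurerm_healthcare_service",
        "azurerm_iothub",
        "azurerm_managed_disk",
        "azurerm_mariadb_server",
        "azurerm_mssql_server",
        "azurerm_mysql_server",
        "azurerm_postgresql_server",
        "azurerm_redis_cache",
        "azurerm_search_service",
        "azurerm_synapse_workspace");

    /** Resource types whose public exposure is controlled by {@code public_network_enabled}. */
    private static final List<String> PUBLIC_NETWORK_ENABLED_RESOURCES = List.of(
        "azurerm_data_factory",
        "azurerm_purview_account");

    /**
     * Registers one consumer per resource type (or group of types). Consumers are
     * invoked by {@link AbstractNewResourceCheck} for every matching resource block.
     */
    @Override // org.sonar.iac.terraform.checks.AbstractNewResourceCheck
    protected void registerResourceConsumer() {
        // Boolean "public network access" switches; absent attribute defaults to enabled.
        register(PUBLIC_NETWORK_ACCESS_ENABLED_RESOURCES, checkEnabledPublicIp("public_network_access_enabled"));
        register(PUBLIC_NETWORK_ENABLED_RESOURCES, checkEnabledPublicIp("public_network_enabled"));

        // Resources that attach a public IP through a nested IP-configuration block.
        register("azurerm_application_gateway", checkPublicIpConfiguration("frontend_ip_configuration"));
        register("azurerm_network_interface", checkPublicIpConfiguration("ip_configuration"));

        // Dev/Test VMs: the flag is inverted (false == public IP allowed), absent == allowed.
        register(List.of("azurerm_dev_test_linux_virtual_machine", "azurerm_dev_test_windows_virtual_machine"), resource -> {
            resource.attribute("disallow_public_ip_address")
                .reportIf(ExpressionPredicate.isFalse(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0])
                .reportIfAbsent2(PublicNetworkAccessCheck.OMITTING_MESSAGE, new SecondaryLocation[0]);
        });

        // Dev/Test virtual network: only the literal "Deny" value is compliant.
        register("azurerm_dev_test_virtual_network", resource -> {
            resource.block("subnet").attribute("use_public_ip_address")
                .reportIf(ExpressionPredicate.notEqualTo("Deny"), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0]);
        });

        register("azurerm_kubernetes_cluster_node_pool", resource -> {
            resource.attribute("enable_node_public_ip")
                .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0]);
        });

        // Application Insights exposes two independent switches; both default to public when absent.
        register("azurerm_application_insights", resource -> {
            Set.of("internet_ingestion_enabled", "internet_query_enabled").forEach(attributeName -> {
                resource.attribute(attributeName)
                    .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0])
                    .reportIfAbsent2(PublicNetworkAccessCheck.OMITTING_MESSAGE, new SecondaryLocation[0]);
            });
        });

        register("azurerm_sql_managed_instance", resource -> {
            resource.attribute("public_data_endpoint_enabled")
                .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0]);
        });

        // AKS: public node IPs on the default pool, and API-server allow-list entries
        // that are not private ranges (each offending list item is reported).
        register("azurerm_kubernetes_cluster", resource -> {
            resource.block("default_node_pool").attribute("enable_node_public_ip")
                .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0]);
            resource.list("api_server_authorized_ip_ranges")
                .reportItemIf(IS_PUBLIC_IP_ADDRESS, PublicNetworkAccessCheck.FIREWALL_MESSAGE, new SecondaryLocation[0]);
        });

        // Machine Learning workspace: same attribute name as the grouped resources above,
        // but the absent case is intentionally not reported here.
        register("azurerm_machine_learning_workspace", resource -> {
            resource.attribute("public_network_access_enabled")
                .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0]);
        });
    }

    /**
     * Builds a consumer that reports the given boolean attribute when it is {@code true},
     * and reports its absence (the provider default being "enabled").
     *
     * <p>{@code reportIfAbsent2} is the method name as it appears in this listing
     * (likely a decompiler rename of an overload); it is kept unchanged.
     *
     * @param attributeName name of the boolean "public access" attribute to inspect
     * @return consumer to pass to {@code register}
     */
    private static Consumer<ResourceSymbol> checkEnabledPublicIp(String attributeName) {
        return resource -> {
            resource.attribute(attributeName)
                .reportIf(ExpressionPredicate.isTrue(), PublicNetworkAccessCheck.NETWORK_ACCESS_MESSAGE, new SecondaryLocation[0])
                .reportIfAbsent2(PublicNetworkAccessCheck.OMITTING_MESSAGE, new SecondaryLocation[0]);
        };
    }

    /**
     * Builds a consumer that reports every {@code public_ip_address_id} inside the
     * named nested blocks whose value references an {@code azurerm_public_ip} resource.
     *
     * @param blockName name of the repeated IP-configuration block to scan
     * @return consumer to pass to {@code register}
     */
    private static Consumer<ResourceSymbol> checkPublicIpConfiguration(String blockName) {
        return resource -> {
            resource.blocks(blockName).forEach(ipConfiguration -> {
                ipConfiguration.attribute("public_ip_address_id").reportIf(
                    expression -> TerraformUtils.attributeAccessMatches(expression, STARTS_WITH_AZURERM_PUBLIC_IP).isTrue(),
                    PublicNetworkAccessCheck.GATEWAYS_AND_INTERFACE_MESSAGE,
                    new SecondaryLocation[0]);
            });
        };
    }
}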
