package org.sonar.iac.terraform.checks;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.common.extension.visitors.TreeContext;
import org.sonar.iac.common.extension.visitors.TreeVisitor;
import org.sonar.iac.terraform.api.tree.AttributeAccessTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.FileTree;
import org.sonar.iac.terraform.api.tree.LabelTree;
import org.sonar.iac.terraform.api.tree.LiteralExprTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;

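/**
 * Rule S6281: an {@code aws_s3_bucket} should be paired with an
 * {@code aws_s3_bucket_public_access_block} whose four blocking settings are all present and true.
 *
 * <p>For each Terraform file the check collects every S3 bucket resource, every resource block and
 * every public access block, links resources to buckets through their {@code bucket} argument
 * (a string literal matching the bucket's {@code bucket} name, or an attribute access such as
 * {@code aws_s3_bucket.<name>.id} matching the bucket's resource label), and then:
 * <ul>
 *   <li>reports a bucket that has no linked public access block ({@code OMITTING_MESSAGE});</li>
 *   <li>reports a linked public access block in which any of {@code PAB_STATEMENTS} is missing or
 *       set to false, with the offending properties and the bucket as secondary locations;</li>
 *   <li>reports every public access block that could not be linked to a bucket in the same file,
 *       using the same property checks but without a bucket secondary location.</li>
 * </ul>
 *
 * <p>Only absent properties and properties recognised by {@code TextUtils.isValueFalse} are
 * flagged; a property whose value is some other expression is not reported by this check.
 *
 * <p>This class was recovered from a decompiled artifact. The nested classes and the
 * {@code check*} helpers were originally {@code private}; they stay {@code public} here only so
 * that existing callers keep compiling.
 */
@Rule(key = "S6281")
public class BucketsPublicAclOrPolicyCheck implements IacCheck {
    private static final String MESSAGE = "Make sure allowing public ACL/policies to be set is safe here.";
    private static final String OMITTING_MESSAGE = "No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.";
    private static final String SECONDARY_MSG_PROPERTY = "Set this property to true";
    private static final String SECONDARY_MSG_BUCKET = "Related bucket";
    /** Terraform resource type of a public access block. */
    private static final String PAB = "aws_s3_bucket_public_access_block";
    /**
     * The four settings a public access block must declare as true. Unmodifiable because the set
     * is shared by every file scan.
     */
    private static final Set<String> PAB_STATEMENTS = Collections.unmodifiableSet(new HashSet<>(
        Arrays.asList("block_public_policy", "block_public_acls", "ignore_public_acls", "restrict_public_buckets")));

    /**
     * Visitor that gathers, in one pass over a {@link FileTree}, every S3 bucket resource, every
     * other resource block and every public access block, then links resources to buckets once the
     * traversal is finished (see {@link #after(TreeContext, Tree)}).
     *
     * <p>Originally declared {@code private}; widened by decompilation.
     */
    public static class BucketAndResourceCollector extends TreeVisitor<TreeContext> {
        private final List<S3Bucket> buckets = new ArrayList<>();
        // Insertion-ordered so that unlinked blocks are reported in the order the visitor met them.
        private final Set<BlockTree> publicAccessBlocks = new LinkedHashSet<>();
        private final List<BlockTree> resources = new ArrayList<>();

        public BucketAndResourceCollector() {
            register(BlockTree.class, (treeContext, block) -> {
                if (AbstractResourceCheck.isS3BucketResource(block)) {
                    buckets.add(new S3Bucket(block));
                } else if (AbstractResourceCheck.isResource(block)) {
                    if (AbstractResourceCheck.isResource(block, PAB)) {
                        publicAccessBlocks.add(block);
                    }
                    resources.add(block);
                }
            });
        }

        /**
         * Scans {@code fileTree} and returns the populated collector.
         *
         * @param fileTree the Terraform file to scan
         * @return a collector whose buckets already have their resources linked
         */
        public static BucketAndResourceCollector collect(FileTree fileTree) {
            BucketAndResourceCollector collector = new BucketAndResourceCollector();
            collector.scan(new TreeContext(), fileTree);
            return collector;
        }

        /**
         * Links every collected resource that declares a {@code bucket} argument to the matching
         * bucket(s). Resources without labels are skipped because linking is keyed by the first label.
         */
        @Override
        protected void after(TreeContext treeContext, Tree tree) {
            for (BlockTree resource : resources) {
                if (resource.labels().isEmpty()) {
                    continue;
                }
                PropertyUtils.value(resource, "bucket", TerraformTree.class).ifPresent(bucketRef -> {
                    if (bucketRef.is(TerraformTree.Kind.STRING_LITERAL)) {
                        assignByBucketName((LiteralExprTree) bucketRef, resource);
                    } else if (bucketRef.is(TerraformTree.Kind.ATTRIBUTE_ACCESS)) {
                        assignByResourceName((AttributeAccessTree) bucketRef, resource);
                    }
                });
            }
        }

        /**
         * Links {@code resource} to every bucket whose resource label equals the middle segment of a
         * nested attribute access such as {@code aws_s3_bucket.<name>.id}. Only that name segment is
         * compared; the leading segment is not verified to be {@code aws_s3_bucket}.
         */
        private void assignByResourceName(AttributeAccessTree access, BlockTree resource) {
            if (!access.object().is(TerraformTree.Kind.ATTRIBUTE_ACCESS)) {
                return;
            }
            String referencedName = ((AttributeAccessTree) access.object()).attribute().value();
            buckets.stream()
                .filter(bucket -> referencedName.equals(bucket.resourceName))
                .forEach(bucket -> bucket.assignResource(resource));
        }

        /** Links {@code resource} to every bucket whose {@code bucket} name equals the literal. */
        private void assignByBucketName(LiteralExprTree literal, BlockTree resource) {
            String name = literal.value();
            buckets.stream()
                .filter(bucket -> name.equals(bucket.bucketName))
                .forEach(bucket -> bucket.assignResource(resource));
        }

        /** Returns the collected buckets (live list, not a copy). */
        private List<S3Bucket> getAssignedBuckets() {
            return buckets;
        }

        /**
         * Returns the collected public access blocks as a live, mutable set: the caller removes each
         * block it links to a bucket, and whatever remains is treated as unlinked.
         */
        private Set<BlockTree> getPublicAccessBlocks() {
            return publicAccessBlocks;
        }
    }

    /**
     * One {@code aws_s3_bucket} resource together with the resources linked to it by resource type.
     *
     * <p>Originally declared {@code private}; widened by decompilation.
     */
    public static class S3Bucket {
        // Keyed by the linked resource's type label; a later resource of the same type replaces an earlier one.
        private final Map<String, BlockTree> resources = new HashMap<>();
        // First label of the bucket block, used as the primary issue location.
        private final LabelTree label;
        // Second label (the resource name), or null when the block has a single label.
        @Nullable
        private final String resourceName;
        // Literal value of the bucket's "bucket" argument, or null when absent or not a literal.
        @Nullable
        private final String bucketName;

        private S3Bucket(BlockTree block) {
            this.label = block.labels().get(0);
            this.resourceName = block.labels().size() >= 2 ? block.labels().get(1).value() : null;
            this.bucketName = PropertyUtils.value(block, "bucket")
                .filter(LiteralExprTree.class::isInstance)
                .map(tree -> ((LiteralExprTree) tree).value())
                .orElse(null);
        }

        /** Records {@code block} under its type label (first label); only one block per type is kept. */
        public void assignResource(BlockTree blockTree) {
            resources.put(blockTree.labels().get(0).value(), blockTree);
        }

        /**
         * Returns the linked resource of the given type, if any.
         *
         * @param str the resource type label, e.g. {@code aws_s3_bucket_public_access_block}
         */
        public Optional<BlockTree> resource(String str) {
            return Optional.ofNullable(resources.get(str));
        }

        /** Returns the bucket block's first label, the location issues are reported on. */
        public LabelTree label() {
            return label;
        }
    }

    @Override
    public void initialize(InitContext initContext) {
        initContext.register(FileTree.class, (checkContext, fileTree) -> {
            BucketAndResourceCollector collector = BucketAndResourceCollector.collect(fileTree);
            Set<BlockTree> unlinkedBlocks = collector.getPublicAccessBlocks();
            // Each bucket check removes the block it consumed from the set ...
            for (S3Bucket bucket : collector.getAssignedBuckets()) {
                checkS3Bucket(checkContext, bucket, unlinkedBlocks);
            }
            // ... so what is left are public access blocks not linked to any bucket in this file.
            for (BlockTree block : unlinkedBlocks) {
                checkPublicAccessBlocks(checkContext, block, null);
            }
        });
    }

    /**
     * Reports the bucket when it has no linked public access block; otherwise removes that block
     * from {@code set} (so it is not reported again as unlinked) and checks its settings.
     *
     * <p>Originally declared {@code private}; widened by decompilation.
     *
     * @param checkContext context used to report issues
     * @param s3Bucket the bucket under review
     * @param set live set of not-yet-consumed public access blocks; mutated by this method
     */
    public static void checkS3Bucket(CheckContext checkContext, S3Bucket s3Bucket, Set<BlockTree> set) {
        Optional<BlockTree> pab = s3Bucket.resource(PAB);
        if (!pab.isPresent()) {
            // No public access block at all: public ACLs/policies could be applied to this bucket.
            checkContext.reportIssue(s3Bucket.label(), OMITTING_MESSAGE);
            return;
        }
        BlockTree block = pab.get();
        set.remove(block);
        checkPublicAccessBlocks(checkContext, block, s3Bucket);
    }

    /**
     * Reports {@code blockTree} when any of the required settings is false or missing. Properties
     * set to false become secondary locations; the related bucket is added as one more secondary
     * location when known.
     *
     * <p>Originally declared {@code private}; widened by decompilation.
     *
     * @param s3Bucket the bucket this block is linked to, or null for an unlinked block
     */
    public static void checkPublicAccessBlocks(CheckContext checkContext, BlockTree blockTree, @Nullable S3Bucket s3Bucket) {
        List<SecondaryLocation> secondaries = checkWrongConfiguration(blockTree);
        if (secondaries.isEmpty() && !hasMissingStatement(blockTree)) {
            return;
        }
        if (s3Bucket != null) {
            secondaries.add(new SecondaryLocation(s3Bucket.label(), SECONDARY_MSG_BUCKET));
        }
        checkContext.reportIssue(blockTree.labels().get(0), MESSAGE, secondaries);
    }

    /**
     * Returns a secondary location for every required setting that is present and recognised as
     * false. The list is mutable on purpose: the caller appends the bucket location to it.
     */
    private static List<SecondaryLocation> checkWrongConfiguration(BlockTree blockTree) {
        return PAB_STATEMENTS.stream()
            .map(statement -> PropertyUtils.value(blockTree, statement))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .filter(TextUtils::isValueFalse)
            .map(tree -> new SecondaryLocation(tree, SECONDARY_MSG_PROPERTY))
            .collect(Collectors.toList());
    }

    /** True when at least one of the required settings is not declared in the block. */
    private static boolean hasMissingStatement(BlockTree blockTree) {
        return PAB_STATEMENTS.stream().anyMatch(statement -> PropertyUtils.isMissing(blockTree, statement));
    }
}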
