package org.sonar.iac.terraform.checks.aws;

import java.util.Objects;
import java.util.Set;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.ClearTextProtocolsCheck;

/* loaded from: input_file:org/sonar/iac/terraform/checks/aws/AwsClearTextProtocolsCheckPart.class */
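/**
 * AWS part of the clear-text-protocols rule for Terraform.
 *
 * <p>Each registered callback inspects one AWS resource type and reports an issue when
 * encryption in transit is explicitly switched off or, for some resources, when the
 * relevant setting is omitted. Issue texts come from
 * {@link ClearTextProtocolsCheck#MESSAGE_CLEAR_TEXT} and
 * {@link ClearTextProtocolsCheck#MESSAGE_OMITTING}; the latter is used as a
 * {@link String#format} template that receives the missing property name.
 *
 * <p>NOTE(review): this listing is decompiler output. Accessors such as {@code mo0value()} and
 * {@code mo4key()} are decompiler-assigned names (presumably {@code value()} / {@code key()} in
 * the original source) and are kept so the class stays consistent with the rest of the
 * decompiled tree.
 */
public class AwsClearTextProtocolsCheckPart extends AbstractResourceCheck {
    /** {@code default_action.type} values that make a plain-HTTP listener reportable. */
    private static final Set<String> SENSITIVE_LB_DEFAULT_ACTION_TYPES = Set.of("fixed-response", "forward");

    /** Binds each Terraform resource type to the callback that inspects it. */
    @Override
    protected void registerResourceChecks() {
        register(AwsClearTextProtocolsCheckPart::checkMskCluster, "aws_msk_cluster");
        register(AwsClearTextProtocolsCheckPart::checkESDomain, "aws_elasticsearch_domain");
        register(AwsClearTextProtocolsCheckPart::checkLbListener, "aws_lb_listener");
        register(AwsClearTextProtocolsCheckPart::checkESReplicationGroup, "aws_elasticache_replication_group");
        register(AwsClearTextProtocolsCheckPart::checkEcsTaskDefinition, "aws_ecs_task_definition");
        register(AwsClearTextProtocolsCheckPart::checkKinesisStream, "aws_kinesis_stream");
    }

    /**
     * Inspects {@code encryption_info.encryption_in_transit} of an MSK cluster.
     *
     * <p>Nothing is reported when either nested block is absent; only explicit settings are
     * examined ({@code client_broker} and {@code in_cluster}).
     */
    private static void checkMskCluster(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "encryption_info", BlockTree.class)
            .flatMap(encryptionInfo -> PropertyUtils.get(encryptionInfo, "encryption_in_transit", BlockTree.class))
            .ifPresent(inTransit -> {
                checkMskClientBroker(checkContext, inTransit);
                reportOnFalseProperty(checkContext, inTransit, "in_cluster", ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT);
            });
    }

    /**
     * Reports {@code client_broker} when its value is definitely not {@code "TLS"}.
     *
     * <p>The filter uses {@code isFalse()}, so a value the comparison cannot decide is
     * presumably left unreported (confirm against {@code TextUtils.isValue}).
     */
    private static void checkMskClientBroker(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "client_broker", AttributeTree.class)
            .filter(clientBroker -> TextUtils.isValue(clientBroker.mo0value(), "TLS").isFalse())
            .ifPresent(clientBroker -> checkContext.reportIssue(clientBroker, ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT));
    }

    /**
     * Inspects an Elasticsearch domain.
     *
     * <p>{@code domain_endpoint_options.enforce_https} is only examined when the block and the
     * attribute are present. {@code node_to_node_encryption} is stricter: a missing block is
     * reported on the resource with the "omitting" message.
     */
    private static void checkESDomain(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "domain_endpoint_options", BlockTree.class)
            .ifPresent(endpointOptions ->
                reportOnFalseProperty(checkContext, endpointOptions, "enforce_https", ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT));
        PropertyUtils.get(blockTree, "node_to_node_encryption", BlockTree.class).ifPresentOrElse(
            nodeToNode -> reportOnFalseProperty(checkContext, nodeToNode, "enabled", ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT),
            () -> reportResource(checkContext, blockTree, String.format(ClearTextProtocolsCheck.MESSAGE_OMITTING, "node_to_node_encryption")));
    }

    /**
     * Looks up attribute {@code str} under {@code tree} and, if present, delegates to
     * {@code reportOnFalse} with message {@code str2} and no secondary locations.
     *
     * <p>The decompiler marks this method as originally {@code private}; the widened
     * visibility is kept as found.
     *
     * @param checkContext context used for reporting
     * @param tree         block or resource that should contain the attribute
     * @param str          attribute name to look up
     * @param str2         issue message to report
     */
    public static void reportOnFalseProperty(CheckContext checkContext, Tree tree, String str, String str2) {
        PropertyUtils.get(tree, str, AttributeTree.class)
            .ifPresent(attribute -> reportOnFalse(checkContext, attribute, str2, new SecondaryLocation[0]));
    }

    /**
     * Inspects a load-balancer listener: only listeners whose {@code protocol} is
     * {@code "HTTP"} are passed on to the default-action check. Other protocol values are
     * not examined by this method.
     */
    private static void checkLbListener(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "protocol", AttributeTree.class)
            .filter(protocol -> TextUtils.isValue(protocol.mo0value(), "HTTP").isTrue())
            .ifPresent(protocol -> checkLbDefaultAction(checkContext, blockTree, protocol));
    }

    /**
     * Reports {@code tree} (the listener's {@code protocol} attribute when called from
     * {@code checkLbListener}) if any {@code default_action} block either redirects to HTTP
     * or has a sensitive action type.
     *
     * <p>The decompiler marks this method as originally {@code private}; the widened
     * visibility is kept as found.
     *
     * @param checkContext context used for reporting
     * @param blockTree    the listener resource
     * @param tree         node on which the issue is raised
     */
    public static void checkLbDefaultAction(CheckContext checkContext, BlockTree blockTree, Tree tree) {
        boolean servesClearText = PropertyUtils.getAll(blockTree, "default_action", BlockTree.class).stream()
            .anyMatch(action -> isInsecureRedirect(action) || isSensitiveAction(action));
        if (servesClearText) {
            checkContext.reportIssue(tree, ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT);
        }
    }

    /** Returns {@code true} when the action has a {@code redirect} block whose {@code protocol} is {@code "HTTP"}. */
    private static boolean isInsecureRedirect(BlockTree blockTree) {
        return PropertyUtils.get(blockTree, "redirect", BlockTree.class)
            .flatMap(redirect -> PropertyUtils.value(redirect, "protocol"))
            .filter(protocol -> TextUtils.isValue(protocol, "HTTP").isTrue())
            .isPresent();
    }

    /**
     * Returns {@code true} when the action's {@code type} is one of
     * {@link #SENSITIVE_LB_DEFAULT_ACTION_TYPES}.
     */
    private static boolean isSensitiveAction(BlockTree blockTree) {
        // The decompiled lambda referenced an undefined register variable ("r1"); the
        // captured receiver is the constant set, restored here as a method reference.
        return PropertyUtils.value(blockTree, "type")
            .filter(type -> TextUtils.matchesValue(type, SENSITIVE_LB_DEFAULT_ACTION_TYPES::contains).isTrue())
            .isPresent();
    }

    /**
     * Inspects an ElastiCache replication group: {@code transit_encryption_enabled} is handed
     * to {@code reportOnFalse}, and its absence is reported on the resource.
     */
    private static void checkESReplicationGroup(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "transit_encryption_enabled", AttributeTree.class).ifPresentOrElse(
            transitEncryption -> reportOnFalse(checkContext, transitEncryption, ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT, new SecondaryLocation[0]),
            () -> reportResource(checkContext, blockTree, String.format(ClearTextProtocolsCheck.MESSAGE_OMITTING, "transit_encryption_enabled")));
    }

    /**
     * Inspects every {@code volume} block of an ECS task definition and checks its
     * {@code efs_volume_configuration}, when present. Volumes without that block are skipped.
     */
    private static void checkEcsTaskDefinition(CheckContext checkContext, BlockTree blockTree) {
        // The decompiled code reused one name for both nested lambda parameters, which Java
        // rejects; distinct names restore the intended volume -> EFS configuration nesting.
        PropertyUtils.getAll(blockTree, "volume", BlockTree.class).forEach(volume ->
            PropertyUtils.get(volume, "efs_volume_configuration", BlockTree.class)
                .ifPresent(efsConfig -> checkEscVolumeConfig(checkContext, efsConfig)));
    }

    /**
     * Checks an {@code efs_volume_configuration} block: {@code transit_encryption} is passed to
     * {@code reportSensitiveValue} with {@code "DISABLED"} as the sensitive value, and a
     * missing attribute is reported on the block's key.
     *
     * <p>The decompiler marks this method as originally {@code private}; the widened
     * visibility is kept as found.
     *
     * @param checkContext context used for reporting
     * @param blockTree    the {@code efs_volume_configuration} block
     */
    public static void checkEscVolumeConfig(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "transit_encryption", AttributeTree.class).ifPresentOrElse(
            transitEncryption -> reportSensitiveValue(checkContext, transitEncryption, "DISABLED", ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT, new SecondaryLocation[0]),
            () -> checkContext.reportIssue(blockTree.mo4key(), String.format(ClearTextProtocolsCheck.MESSAGE_OMITTING, "transit_encryption")));
    }

    /**
     * Inspects a Kinesis stream: {@code encryption_type} is passed to
     * {@code reportSensitiveValue} with {@code "NONE"} as the sensitive value, and its absence
     * is reported on the resource.
     */
    private static void checkKinesisStream(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "encryption_type", AttributeTree.class).ifPresentOrElse(
            encryptionType -> reportSensitiveValue(checkContext, encryptionType, "NONE", ClearTextProtocolsCheck.MESSAGE_CLEAR_TEXT, new SecondaryLocation[0]),
            () -> reportResource(checkContext, blockTree, String.format(ClearTextProtocolsCheck.MESSAGE_OMITTING, "encryption_type")));
    }
}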
