package org.sonar.iac.terraform.checks;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.Policy;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.utils.PolicyUtils;

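/**
 * Rule S6304: reports policy statements that apply to every resource.
 *
 * <p>A statement is reported when either of the following holds:
 * <ul>
 *   <li>its {@code Resource} is (or contains) the value {@code "*"} and its effect is {@code "Allow"};</li>
 *   <li>its {@code NotResource} is (or contains) the value {@code "*"} and its effect is {@code "Deny"}.</li>
 * </ul>
 *
 * <p>Limits a reviewer should know about, all visible in the matching helpers below:
 * <ul>
 *   <li>only the value {@code "*"} is tested; a wildcard embedded in a longer identifier is not
 *       tested by this class (assumes {@code TextUtils.isValue} compares the whole value, confirm);</li>
 *   <li>a statement with no effect element is never reported, because the effect is looked up as
 *       an {@code Optional} and filtered before a finding is recorded;</li>
 *   <li>{@code aws_kms_key} blocks are skipped entirely.</li>
 * </ul>
 */
@Rule(key = "S6304")
public class ResourceAccessPolicyCheck extends AbstractResourceCheck {
    private static final String MESSAGE = "Make sure granting access to all resources is safe here.";
    private static final String SECONDARY_MESSAGE = "Related effect";

    /**
     * Pair of tree nodes describing one finding: the wildcard resource value (primary location)
     * and the effect element that makes it relevant (secondary location).
     *
     * <p>Visibility is kept as found in this listing; the decompiler noted that the original
     * access modifier was {@code private}.
     */
    public static class InsecureStatement {
        // Node holding the "*" value taken from Resource or NotResource.
        final Tree resource;
        // Node holding the matching Effect value ("Allow" or "Deny").
        final Tree effect;

        /**
         * @param tree  node of the wildcard resource value
         * @param tree2 node of the effect value of the same statement
         */
        public InsecureStatement(Tree tree, Tree tree2) {
            this.resource = tree;
            this.effect = tree2;
        }
    }

    /**
     * Stateless helper that inspects the statements of a {@link Policy}.
     *
     * <p>Visibility is kept as found in this listing; the decompiler noted that the original
     * access modifier was {@code private}.
     */
    public static class PolicyValidator {
        private PolicyValidator() {
            // Utility holder, not meant to be instantiated.
        }

        /**
         * Collects every statement of {@code policy} that targets all resources.
         *
         * @param policy the policy whose statements are inspected
         * @return one {@link InsecureStatement} per match, in statement order; empty when nothing matches
         */
        static List<InsecureStatement> findInsecureStatements(Policy policy) {
            List<InsecureStatement> findings = new ArrayList<>();
            for (Policy.Statement statement : policy.statement()) {
                // The two lambda parameters need distinct names: the resource node is the primary
                // location and the effect node the secondary one. Reusing a single name for both
                // (as the decompiled listing did) does not compile and would pair the effect with itself.
                statement.resource()
                    .flatMap(PolicyValidator::findInsecureResource)
                    .ifPresent(resource -> statement.effect()
                        .filter(PolicyValidator::isAllowEffect)
                        .ifPresent(effect -> findings.add(new InsecureStatement(resource, effect))));

                // NOTE(review): in AWS IAM semantics a NotResource of "*" excludes every resource,
                // so a Deny written this way would deny nothing; confirm against the rule description.
                statement.notResource()
                    .flatMap(PolicyValidator::findInsecureResource)
                    .ifPresent(notResource -> statement.effect()
                        .filter(PolicyValidator::isDenyEffect)
                        .ifPresent(effect -> findings.add(new InsecureStatement(notResource, effect))));
            }
            return findings;
        }

        /**
         * Finds the node carrying the {@code "*"} value inside a resource element.
         *
         * @param tree a single value, or a {@link TupleTree} of values
         * @return the matching node; for a tuple, any one element that matches; empty otherwise
         */
        private static Optional<Tree> findInsecureResource(Tree tree) {
            if (!(tree instanceof TupleTree)) {
                return applyToAnyResource(tree) ? Optional.of(tree) : Optional.empty();
            }
            // One wildcard entry is enough to make the whole list apply to every resource.
            // The decompiled listing cast through an undefined name here; Tree.class::cast is the
            // up-cast from ExpressionTree to Tree that the surrounding code sets up.
            return ((TupleTree) tree).elements().trees().stream()
                .filter(PolicyValidator::applyToAnyResource)
                .map(Tree.class::cast)
                .findAny();
        }

        /** Returns {@code true} only when the node is known to hold the value {@code "*"}. */
        private static boolean applyToAnyResource(Tree tree) {
            return TextUtils.isValue(tree, "*").isTrue();
        }

        /** Returns {@code true} only when the node is known to hold the value {@code "Allow"}. */
        private static boolean isAllowEffect(Tree tree) {
            return TextUtils.isValue(tree, "Allow").isTrue();
        }

        /** Returns {@code true} only when the node is known to hold the value {@code "Deny"}. */
        private static boolean isDenyEffect(Tree tree) {
            return TextUtils.isValue(tree, "Deny").isTrue();
        }
    }

    /**
     * Runs the wildcard-resource check on every policy attached to a resource block.
     *
     * @param checkContext context used to report issues
     * @param blockTree    the resource block being visited
     */
    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void checkResource(CheckContext checkContext, BlockTree blockTree) {
        // NOTE(review): aws_kms_key is exempted, presumably because "*" in a KMS key policy
        // refers to the key the policy is attached to. Confirm against the rule description.
        if (isResource(blockTree, "aws_kms_key")) {
            return;
        }
        PolicyUtils.getPolicies(blockTree).forEach(policy -> checkInsecurePolicy(checkContext, policy));
    }

    /**
     * Reports one issue per insecure statement of {@code policy}: the primary location is the
     * wildcard resource node, the secondary location is the effect node.
     *
     * <p>Visibility is kept as found in this listing; the decompiler noted that the original
     * access modifier was {@code private}.
     *
     * @param checkContext context used to report issues
     * @param policy       the policy to inspect
     */
    public static void checkInsecurePolicy(CheckContext checkContext, Policy policy) {
        for (InsecureStatement finding : PolicyValidator.findInsecureStatements(policy)) {
            checkContext.reportIssue(
                finding.resource,
                MESSAGE,
                new SecondaryLocation(finding.effect, SECONDARY_MESSAGE));
        }
    }
}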
