package org.sonar.iac.terraform.checks.azure;

import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.terraform.checks.AbstractNewResourceCheck;
import org.sonar.iac.terraform.checks.azure.helper.RoleScopeHelper;
import org.sonar.iac.terraform.checks.utils.ExpressionPredicate;
import org.sonar.iac.terraform.checks.utils.PredicateUtils;

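/**
 * Rule S6385: flags a custom Azure role definition ({@code azurerm_role_definition}) that grants
 * every action ({@code "*"} in {@code permissions.actions}) <em>and</em> is assignable at a broad
 * scope (a whole subscription or a management group). Either condition alone is not reported; the
 * combination effectively recreates the built-in Owner role with a hand-rolled definition.
 *
 * <p>Each wildcard action and each broad scope becomes a secondary location on the reported issue.
 */
@Rule(key = "S6385")
public class SubscriptionOwnerCapabilitiesCheck extends AbstractNewResourceCheck {
    private static final String MESSAGE = "Narrow the number of actions or the assignable scope of this custom role.";
    private static final String PERMISSION_MESSAGE = "Allows all actions.";
    private static final String SCOPE_MESSAGE = "High scope level.";

    /**
     * Matches a scope given as a data-source reference to the current/primary subscription or to the
     * root/parent management group, e.g. {@code data.azurerm_subscription.primary.id} or
     * {@code data.azurerm_management_group.root.id}.
     */
    private static final Predicate<String> REFERENCE_SCOPE_PREDICATE = PredicateUtils.exactMatchStringPredicate(
        "data\\.azurerm_subscription\\.[^.]*(primary|current)[^.]*\\.id|data\\.azurerm_management_group\\.[^.]*(parent|root)[^.]*\\.id");

    /**
     * Matches a scope given as a literal resource ID: a subscription ({@code /subscriptions/<id>}, optional
     * trailing slash) or anything under {@code /providers/microsoft.management/}.
     * NOTE(review): the management-group branch is written in lower case; whether IDs spelled
     * {@code /providers/Microsoft.Management/...} are also matched depends on how
     * {@link RoleScopeHelper#isSensitiveScope} normalises the value before testing it — confirm.
     */
    private static final Predicate<String> PLAIN_SCOPE_PREDICATE = PredicateUtils.exactMatchStringPredicate(
        "^/subscriptions/[^/]+/?$|^/providers/microsoft\\.management/.+");

    /**
     * Registers the consumer for {@code azurerm_role_definition} resources.
     * Raw {@code List} types and the decompiler-style casts are replaced by typed lists; behaviour is unchanged.
     */
    @Override
    protected void registerResourceConsumer() {
        register("azurerm_role_definition", resourceSymbol -> {
            // Every "actions" entry equal to "*" is a secondary location.
            List<SecondaryLocation> wildcardActions = resourceSymbol.block("permissions")
                .list("actions")
                .getItemIf(ExpressionPredicate.equalTo("*"))
                .map(action -> SecondaryLocation.of(action, PERMISSION_MESSAGE))
                .collect(Collectors.toList());

            // Every assignable scope that is a subscription or management group (by reference or literal ID).
            List<SecondaryLocation> broadScopes = resourceSymbol.list("assignable_scopes")
                .getItemIf(scope -> RoleScopeHelper.isSensitiveScope(scope, REFERENCE_SCOPE_PREDICATE, PLAIN_SCOPE_PREDICATE))
                .map(scope -> SecondaryLocation.of(scope, SCOPE_MESSAGE))
                .collect(Collectors.toList());

            // Only the conjunction is an issue: wildcard actions at a narrow scope, or a broad scope
            // with enumerated actions, are both left alone.
            if (wildcardActions.isEmpty() || broadScopes.isEmpty()) {
                return;
            }

            List<SecondaryLocation> secondaries = new ArrayList<>(wildcardActions);
            secondaries.addAll(broadScopes);
            resourceSymbol.report(MESSAGE, secondaries);
        });
    }
}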
