package org.sonar.iac.terraform.checks.azure;

import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;

/**
 * Terraform check for rule S6383: raises an issue when role-based access control (RBAC) is
 * switched off, or left unset, on Azure resources.
 *
 * <p>Two resource types are registered:
 * <ul>
 *   <li>{@code azurerm_kubernetes_cluster}: inspects the {@code role_based_access_control} block,
 *       its {@code enabled} attribute, and the nested {@code azure_active_directory} block.</li>
 *   <li>{@code azurerm_key_vault}: inspects the {@code enable_rbac_authorization} attribute.</li>
 * </ul>
 *
 * <p>A missing property is reported as a finding, not ignored: the rule's message treats omission
 * as RBAC being disabled.
 *
 * <p>NOTE(review): only the property names listed above are recognised. Newer azurerm provider
 * releases use other spellings for the AKS setting (for example
 * {@code role_based_access_control_enabled}); confirm which provider versions this check is meant
 * to cover, because a cluster written with another spelling would be reported as omitting the block.
 *
 * <p>This listing is decompiler output: the helper methods marked below were {@code private} in
 * the compiled class and were widened by the decompiler.
 */
@Rule(key = "S6383")
/* loaded from: input_file:org/sonar/iac/terraform/checks/azure/RoleBasedAccessControlCheck.class */
public class RoleBasedAccessControlCheck extends AbstractResourceCheck {
    private static final String MISSING_MESSAGE = "Omitting '%s' disables role-based access control for this resource. Make sure it is safe here.";
    private static final String DISABLED_MESSAGE = "Make sure that disabling role-based access control is safe here.";

    // Terraform property names inspected by this check.
    private static final String RBAC_BLOCK = "role_based_access_control";
    private static final String AAD_BLOCK = "azure_active_directory";
    private static final String AZURE_RBAC_ENABLED = "azure_rbac_enabled";
    private static final String KEY_VAULT_RBAC = "enable_rbac_authorization";

    /** Binds each supported Azure resource type to the method that inspects it. */
    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void registerResourceChecks() {
        register(RoleBasedAccessControlCheck::checkKubernetesCluster, "azurerm_kubernetes_cluster");
        register(RoleBasedAccessControlCheck::checkKeyVault, "azurerm_key_vault");
    }

    /** Builds the "omitted property" message for the given property name. */
    private static String missingMessage(String propertyName) {
        return String.format(MISSING_MESSAGE, propertyName);
    }

    /**
     * Inspects an {@code azurerm_kubernetes_cluster} resource.
     *
     * <p>With a {@code role_based_access_control} block present, the block is examined further;
     * without one, the resource itself is reported as omitting the block.
     */
    private static void checkKubernetesCluster(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, RBAC_BLOCK, BlockTree.class).ifPresentOrElse(
            rbacBlock -> checkRoleBasedAccessControl(checkContext, rbacBlock),
            () -> reportResource(checkContext, blockTree, missingMessage(RBAC_BLOCK)));
    }

    /**
     * Inspects a {@code role_based_access_control} block.
     *
     * <p>An {@code enabled} attribute whose value is false is reported directly. In every other
     * case (attribute absent, or present with another value) no issue is raised here and the
     * Azure Active Directory settings are examined instead.
     *
     * <p>Decompiler note: originally {@code private}.
     */
    public static void checkRoleBasedAccessControl(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "enabled", AttributeTree.class)
            .filter(enabledAttr -> TextUtils.isValueFalse(enabledAttr.mo0value()))
            .ifPresentOrElse(
                disabledAttr -> checkContext.reportIssue(disabledAttr, DISABLED_MESSAGE),
                () -> checkAzureActiveDirectory(checkContext, blockTree));
    }

    /**
     * Inspects the {@code azure_active_directory} block nested in the given block.
     *
     * <p>Nothing is reported unless that block exists and its {@code managed} attribute is true;
     * only then is {@code azure_rbac_enabled} checked.
     *
     * <p>Decompiler note: originally {@code private}.
     */
    public static void checkAzureActiveDirectory(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, AAD_BLOCK, BlockTree.class).ifPresent(aadBlock ->
            PropertyUtils.get(aadBlock, "managed", AttributeTree.class)
                .filter(managedAttr -> TextUtils.isValueTrue(managedAttr.mo0value()))
                .ifPresent(managedTrue -> checkRbacEnabled(checkContext, aadBlock, managedTrue)));
    }

    /**
     * Checks {@code azure_rbac_enabled} inside a managed Azure Active Directory block.
     *
     * <p>A present attribute is handed to the inherited {@code reportOnFalse} helper (presumably
     * reporting only when the value is false; confirm against the parent class). When the
     * attribute is absent, the issue is raised on {@code attributeTree}, which the caller sets
     * to the {@code managed} attribute.
     *
     * <p>Decompiler note: originally {@code private}.
     */
    public static void checkRbacEnabled(CheckContext checkContext, BlockTree blockTree, AttributeTree attributeTree) {
        PropertyUtils.get(blockTree, AZURE_RBAC_ENABLED, AttributeTree.class).ifPresentOrElse(
            rbacAttr -> reportOnFalse(checkContext, rbacAttr, DISABLED_MESSAGE, new SecondaryLocation[0]),
            () -> checkContext.reportIssue(attributeTree, missingMessage(AZURE_RBAC_ENABLED)));
    }

    /**
     * Inspects an {@code azurerm_key_vault} resource.
     *
     * <p>A present {@code enable_rbac_authorization} attribute goes through the inherited
     * {@code reportOnFalse} helper; an absent one causes the resource itself to be reported as
     * omitting the attribute.
     */
    private static void checkKeyVault(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, KEY_VAULT_RBAC, AttributeTree.class).ifPresentOrElse(
            rbacAttr -> reportOnFalse(checkContext, rbacAttr, DISABLED_MESSAGE, new SecondaryLocation[0]),
            () -> reportResource(checkContext, blockTree, missingMessage(KEY_VAULT_RBAC)));
    }
}
