package org.sonar.iac.terraform.checks.aws;

import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.PropertyTree;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.api.tree.ExpressionTree;
import org.sonar.iac.terraform.api.tree.LiteralExprTree;
import org.sonar.iac.terraform.api.tree.TerraformTree;
import org.sonar.iac.terraform.api.tree.TupleTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;
import org.sonar.iac.terraform.checks.DisabledLoggingCheck;

/* loaded from: input_file:org/sonar/iac/terraform/checks/aws/AwsDisabledLoggingCheckPart.class */
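/**
 * Terraform checks that raise an issue when an AWS resource has its logging (or tracing)
 * switched off, or leaves the relevant logging configuration out altogether.
 *
 * <p>Each supported resource type is bound to one static check in
 * {@link #registerResourceChecks()}. Issue texts come from {@link DisabledLoggingCheck#MESSAGE}
 * and {@link DisabledLoggingCheck#MESSAGE_OMITTING}; the latter is used as a format string with
 * one argument naming the missing property.
 *
 * <p>NOTE(review): this source is decompiler output. Names such as {@code mo0value()} and
 * {@code mo4key()} are decompiler-assigned and are kept as-is so the class stays consistent with
 * the other decompiled classes it calls into.
 *
 * <p>Review caveat: several checks only look at literal values or at the mere presence of a
 * block. Values supplied through variables or expressions are generally not reported, so a clean
 * result here is not proof that logging is enabled on the deployed resource.
 */
public class AwsDisabledLoggingCheckPart extends AbstractResourceCheck {
    /** Names of the log sink blocks looked up inside an MSK {@code broker_logs} block. */
    private static final List<String> MSK_LOGGER = Arrays.asList("cloudwatch_logs", "firehose", "s3");

    /**
     * Binds every check in this class to the Terraform resource type(s) it applies to.
     *
     * <p>{@code aws_api_gateway_stage} is registered twice on purpose: once for the X-Ray tracing
     * check and once (together with {@code aws_api_gatewayv2_stage}) for the access log check.
     */
    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void registerResourceChecks() {
        register(AwsDisabledLoggingCheckPart::checkS3Bucket, "aws_s3_bucket");
        register(AwsDisabledLoggingCheckPart::checkApiGatewayStage, "aws_api_gateway_stage");
        register(AwsDisabledLoggingCheckPart::checkApiGateway2Stage, "aws_api_gatewayv2_stage", "aws_api_gateway_stage");
        register(AwsDisabledLoggingCheckPart::checkMskCluster, "aws_msk_cluster");
        register(AwsDisabledLoggingCheckPart::checkNeptuneCluster, "aws_neptune_cluster");
        register(AwsDisabledLoggingCheckPart::checkDocDbCluster, "aws_docdb_cluster");
        register(AwsDisabledLoggingCheckPart::checkMqBroker, "aws_mq_broker");
        register(AwsDisabledLoggingCheckPart::checkRedshiftCluster, "aws_redshift_cluster");
        register(AwsDisabledLoggingCheckPart::checkGlobalAccelerator, "aws_globalaccelerator_accelerator");
        register(AwsDisabledLoggingCheckPart::checkElasticSearchDomain, "aws_elasticsearch_domain");
        register(AwsDisabledLoggingCheckPart::checkCloudfrontDistribution, "aws_cloudfront_distribution");
        // aws_lb: a missing access_logs.enabled attribute is reported (third argument false).
        register((ctx, resource) -> checkElasticLoadBalancing(ctx, resource, false), "aws_lb");
        // aws_elb: a missing access_logs.enabled attribute is tolerated (third argument true).
        register((ctx, resource) -> checkElasticLoadBalancing(ctx, resource, true), "aws_elb");
    }

    /**
     * Reports an {@code aws_s3_bucket} that has no {@code logging} property, unless the bucket
     * may itself be a log delivery target (see {@link #isMaybeLoggingBucket(BlockTree)}).
     */
    private static void checkS3Bucket(CheckContext checkContext, BlockTree blockTree) {
        if (isMaybeLoggingBucket(blockTree) || !PropertyUtils.isMissing(blockTree, "logging")) {
            return;
        }
        reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging or acl=\"log-delivery-write\""));
    }

    /**
     * Tells whether the bucket could be a log delivery bucket, judged by its {@code acl}.
     *
     * <p>Security note: an {@code acl} that is not a string literal (a variable reference, an
     * expression, ...) cannot be evaluated here and is treated as "maybe a logging bucket". This
     * avoids false positives but also suppresses the finding for every bucket whose ACL is
     * computed, so such buckets need a manual look.
     *
     * @return {@code false} when there is no {@code acl} attribute or it is a string literal
     *     other than {@code log-delivery-write}; {@code true} otherwise
     */
    private static boolean isMaybeLoggingBucket(BlockTree blockTree) {
        Optional<AttributeTree> acl = PropertyUtils.get(blockTree, "acl", AttributeTree.class);
        if (acl.isEmpty()) {
            return false;
        }
        ExpressionTree aclValue = acl.get().mo0value();
        if (aclValue.is(TerraformTree.Kind.STRING_LITERAL)) {
            return "log-delivery-write".equals(((LiteralExprTree) aclValue).value());
        }
        // Non-literal ACL: unknown at analysis time, give the bucket the benefit of the doubt.
        return true;
    }

    /**
     * Checks {@code xray_tracing_enabled} on an API Gateway stage: a missing attribute is
     * reported on the resource, a present one is handed to the inherited {@code reportOnFalse}
     * helper (presumably reporting when the value is literally false; confirm in the base class).
     */
    private static void checkApiGatewayStage(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "xray_tracing_enabled", AttributeTree.class).ifPresentOrElse(
            tracing -> reportOnFalse(checkContext, tracing, DisabledLoggingCheck.MESSAGE, new SecondaryLocation[0]),
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "xray_tracing_enabled")));
    }

    /**
     * Reports a stage without {@code access_log_settings}. Only presence is checked; the content
     * of the block is not inspected.
     */
    private static void checkApiGateway2Stage(CheckContext checkContext, BlockTree blockTree) {
        if (PropertyUtils.isMissing(blockTree, "access_log_settings")) {
            reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "access_log_settings"));
        }
    }

    /**
     * Checks {@code logging_info.broker_logs} on an MSK cluster.
     *
     * <p>A missing {@code logging_info} is reported on the resource, a missing
     * {@code broker_logs} on the {@code logging_info} key; an existing {@code broker_logs} block
     * is passed to {@link #checkMskLogs(CheckContext, Tree)}.
     */
    private static void checkMskCluster(CheckContext checkContext, BlockTree blockTree) {
        // The two lambda parameters need distinct names: a lambda parameter may not redeclare a
        // variable of the enclosing lambda, and the missing-broker_logs branch has to report on
        // the outer logging_info block.
        PropertyUtils.get(blockTree, "logging_info", BlockTree.class).ifPresentOrElse(
            loggingInfo -> PropertyUtils.get(loggingInfo, "broker_logs", BlockTree.class).ifPresentOrElse(
                brokerLogs -> checkMskLogs(checkContext, brokerLogs),
                () -> checkContext.reportIssue(loggingInfo.mo4key(), String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "broker_logs"))),
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging_info.broker_logs")));
    }

    /**
     * Reports a {@code broker_logs} block in which none of the sinks listed in
     * {@link #MSK_LOGGER} is present and enabled.
     *
     * <p>Declared {@code private} in the original class; the decompiler widened it to
     * {@code public}.
     *
     * @param tree the {@code broker_logs} tree; it is cast to {@link PropertyTree} to obtain the
     *     key the issue is reported on
     */
    public static void checkMskLogs(CheckContext checkContext, Tree tree) {
        boolean noSinkEnabled = MSK_LOGGER.stream().noneMatch(
            sink -> PropertyUtils.get(tree, sink, BlockTree.class).filter(AwsDisabledLoggingCheckPart::isLogEnabled).isPresent());
        if (noSinkEnabled) {
            checkContext.reportIssue(((PropertyTree) tree).key(), String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "cloudwatch_logs, firehose or s3"));
        }
    }

    /**
     * Tells whether a log sink block counts as enabled.
     *
     * <p>Security note: the block counts as enabled unless its {@code enabled} value satisfies
     * {@code TextUtils.isValueFalse}. A sink block without an {@code enabled} attribute is
     * therefore accepted, and so, presumably, is one whose value is not a literal (confirm against
     * {@code TextUtils.isValueFalse}).
     */
    private static boolean isLogEnabled(BlockTree blockTree) {
        return PropertyUtils.value(blockTree, "enabled").filter(TextUtils::isValueFalse).isEmpty();
    }

    /**
     * Checks {@code enable_cloudwatch_logs_exports} on a Neptune cluster: missing is reported on
     * the resource, an empty tuple on the attribute. A value that is not a tuple (for example a
     * variable reference) is not reported.
     */
    private static void checkNeptuneCluster(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "enable_cloudwatch_logs_exports", AttributeTree.class).ifPresentOrElse(
            exports -> {
                ExpressionTree exportsValue = exports.mo0value();
                if ((exportsValue instanceof TupleTree) && ((TupleTree) exportsValue).elements().trees().isEmpty()) {
                    checkContext.reportIssue(exports, DisabledLoggingCheck.MESSAGE);
                }
            },
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "enable_cloudwatch_logs_exports")));
    }

    /**
     * Checks {@code enabled_cloudwatch_logs_exports} on a DocumentDB cluster: missing is reported
     * on the resource; a tuple for which {@link #containsOnlyStringsWithoutAudit(TupleTree)} holds
     * is reported on the attribute. A value that is not a tuple is not reported.
     */
    private static void checkDocDbCluster(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "enabled_cloudwatch_logs_exports", AttributeTree.class).ifPresentOrElse(
            exports -> {
                ExpressionTree exportsValue = exports.mo0value();
                if ((exportsValue instanceof TupleTree) && containsOnlyStringsWithoutAudit((TupleTree) exportsValue)) {
                    checkContext.reportIssue(exports, DisabledLoggingCheck.MESSAGE);
                }
            },
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "enabled_cloudwatch_logs_exports")));
    }

    /**
     * Returns {@code true} when {@code TextUtils.isValue(element, "audit")} is false for every
     * element of the tuple. An empty tuple also yields {@code true}, because {@code allMatch} on
     * an empty stream is vacuously true.
     */
    private static boolean containsOnlyStringsWithoutAudit(TupleTree tupleTree) {
        return tupleTree.elements().trees().stream()
            .allMatch(element -> TextUtils.isValue(element, "audit").isFalse());
    }

    /**
     * Checks the {@code logs} block of an MQ broker: missing is reported on the resource; a block
     * whose attributes all evaluate to false is reported on the {@code logs} key.
     */
    private static void checkMqBroker(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "logs", BlockTree.class).ifPresentOrElse(
            logs -> {
                if (containsOnlyFalse(logs)) {
                    checkContext.reportIssue(logs.mo4key(), DisabledLoggingCheck.MESSAGE);
                }
            },
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logs.audit or logs.general")));
    }

    /**
     * Returns {@code true} when every attribute value in the block satisfies
     * {@code TextUtils.isValueFalse}. A block without attributes also yields {@code true}
     * ({@code allMatch} on an empty stream), so an empty {@code logs {}} block is reported.
     */
    private static boolean containsOnlyFalse(BlockTree blockTree) {
        return PropertyUtils.getAll(blockTree, AttributeTree.class).stream()
            .map(AttributeTree::mo0value)
            .allMatch(TextUtils::isValueFalse);
    }

    /**
     * Checks {@code logging.enable} on a Redshift cluster; both a missing {@code logging} block
     * and a missing {@code enable} attribute are reported.
     */
    private static void checkRedshiftCluster(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "logging", BlockTree.class).ifPresentOrElse(
            logging -> reportOnDisabled(checkContext, logging, false, DisabledLoggingCheck.MESSAGE, "enable"),
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging.enable")));
    }

    /**
     * Checks {@code attributes.flow_logs_enabled} on a Global Accelerator; both a missing
     * {@code attributes} block and a missing {@code flow_logs_enabled} attribute are reported.
     */
    private static void checkGlobalAccelerator(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "attributes", BlockTree.class).ifPresentOrElse(
            attributes -> reportOnDisabled(checkContext, attributes, false, DisabledLoggingCheck.MESSAGE, "flow_logs_enabled"),
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "attributes.flow_logs_enabled")));
    }

    /**
     * Checks the audit log publishing options of an Elasticsearch domain.
     *
     * <p>Only the first {@code log_publishing_options} block accepted by
     * {@link #isAuditLog(BlockTree)} is examined; when there is none, the resource is reported.
     * A missing {@code enabled} attribute in that block is tolerated.
     */
    private static void checkElasticSearchDomain(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.getAll(blockTree, "log_publishing_options", BlockTree.class).stream()
            .filter(AwsDisabledLoggingCheckPart::isAuditLog)
            .findFirst()
            .ifPresentOrElse(
                auditOptions -> reportOnDisabled(checkContext, auditOptions, true, DisabledLoggingCheck.MESSAGE),
                () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "log_publishing_options of type \"AUDIT_LOGS\"")));
    }

    /**
     * Tells whether a {@code log_publishing_options} block may be the audit log one: it has a
     * {@code log_type} whose comparison with {@code AUDIT_LOGS} is not definitely false. A
     * {@code log_type} that cannot be resolved presumably falls into this category as well
     * (confirm against {@code TextUtils.isValue}).
     */
    private static boolean isAuditLog(BlockTree blockTree) {
        return PropertyUtils.value(blockTree, "log_type")
            .filter(logType -> !TextUtils.isValue(logType, "AUDIT_LOGS").isFalse())
            .isPresent();
    }

    /**
     * Reports a CloudFront distribution without {@code logging_config}. Only presence is
     * checked; the content of the block is not inspected.
     */
    private static void checkCloudfrontDistribution(CheckContext checkContext, BlockTree blockTree) {
        if (PropertyUtils.isMissing(blockTree, "logging_config")) {
            reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "logging_config"));
        }
    }

    /**
     * Checks the {@code access_logs} block of a load balancer resource: missing is reported on
     * the resource, otherwise its {@code enabled} attribute is evaluated.
     *
     * <p>Declared {@code private} in the original class; the decompiler widened it to
     * {@code public}.
     *
     * @param z when {@code true}, an {@code access_logs} block without an {@code enabled}
     *     attribute is not reported
     */
    public static void checkElasticLoadBalancing(CheckContext checkContext, BlockTree blockTree, boolean z) {
        PropertyUtils.get(blockTree, "access_logs", BlockTree.class).ifPresentOrElse(
            accessLogs -> reportOnDisabled(checkContext, accessLogs, z, DisabledLoggingCheck.MESSAGE),
            () -> reportResource(checkContext, blockTree, String.format(DisabledLoggingCheck.MESSAGE_OMITTING, "access_logs")));
    }

    /**
     * Same as {@link #reportOnDisabled(CheckContext, BlockTree, boolean, String, String)} with
     * the attribute name {@code enabled}.
     *
     * <p>Declared {@code private} in the original class; the decompiler widened it to
     * {@code public}.
     */
    public static void reportOnDisabled(CheckContext checkContext, BlockTree blockTree, boolean z, String str) {
        reportOnDisabled(checkContext, blockTree, z, str, "enabled");
    }

    /**
     * Evaluates a boolean switch attribute inside a logging block.
     *
     * <p>When the attribute exists it is handed to the inherited {@code reportOnFalse} helper.
     * When it is missing, the block key is reported unless {@code z} is {@code true}.
     *
     * <p>Declared {@code private} in the original class; the decompiler widened it to
     * {@code public}.
     *
     * @param blockTree the block that should contain the switch attribute
     * @param z when {@code true}, a missing attribute is not reported (presumably because the
     *     provider default is "enabled" for that resource; confirm per resource type)
     * @param str the issue message
     * @param str2 the name of the switch attribute
     */
    public static void reportOnDisabled(CheckContext checkContext, BlockTree blockTree, boolean z, String str, String str2) {
        PropertyUtils.get(blockTree, str2, AttributeTree.class).ifPresentOrElse(
            switchAttribute -> reportOnFalse(checkContext, switchAttribute, str, new SecondaryLocation[0]),
            () -> {
                if (!z) {
                    checkContext.reportIssue(blockTree.mo4key(), str);
                }
            });
    }
}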
