package org.sonar.iac.terraform.checks.azure;

import java.util.List;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.checks.PropertyUtils;
import org.sonar.iac.common.checks.TextUtils;
import org.sonar.iac.terraform.api.tree.AttributeTree;
import org.sonar.iac.terraform.api.tree.BlockTree;
import org.sonar.iac.terraform.checks.AbstractResourceCheck;

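/**
 * Terraform check (rule key {@code S6380}) that raises issues on Azure resources whose
 * configuration disables authentication or authorizes anonymous access.
 *
 * <p>Each {@code azurerm_*} resource type is bound to one checker in
 * {@link #registerResourceChecks()}. Every message asks for a manual review
 * ("Make sure it is safe here") rather than stating a confirmed vulnerability.
 *
 * <p>Several checkers only raise when the relevant attribute is written explicitly in the
 * resource; a value left to the provider default is not evaluated by this class.
 */
@Rule(key = "S6380")
/* loaded from: input_file:org/sonar/iac/terraform/checks/azure/AnonymousAccessToResourceCheck.class */
public class AnonymousAccessToResourceCheck extends AbstractResourceCheck {
    private static final String APP_AUTH_MISSING_MESSAGE = "Omitting 'auth_settings' disables authentication. Make sure it is safe here.";
    private static final String DISABLED_AUTH_MESSAGE = "Make sure that disabling authentication is safe here.";
    private static final String API_MANAGEMENT_API_MESSAGE = "Omitting 'openid_authentication' disables authentication. Make sure it is safe here.";
    private static final String API_MANAGEMENT_MISSING_MESSAGE = "Omitting 'sign_in' authorizes anonymous access. Make sure it is safe here.";
    private static final String API_MANAGEMENT_DISABLED_MESSAGE = "Make sure that giving anonymous access without enforcing sign-in is safe here.";
    private static final String DATA_FACTORY_LINKED_SERVICE_ODATA_MESSAGE = "Omitting the 'basic_authentication' block disables authentication. Make sure it is safe here.";
    private static final String AUTHORIZING_ANONYMOUS_MESSAGE = "Make sure that authorizing anonymous access is safe here.";
    private static final String AUTHORIZING_POTENTIAL_ANONYMOUS_MESSAGE = "Make sure that authorizing potential anonymous access is safe here.";

    /**
     * Binds every supported Azure resource type to the checker that inspects it.
     */
    @Override // org.sonar.iac.terraform.checks.AbstractResourceCheck
    protected void registerResourceChecks() {
        register(AnonymousAccessToResourceCheck::checkResourceAuthSettings, "azurerm_app_service", "azurerm_app_service_slot", "azurerm_function_app", "azurerm_function_app_slot", "azurerm_windows_web_app", "azurerm_linux_web_app");
        register(AnonymousAccessToResourceCheck::checkApiManagementApi, "azurerm_api_management_api");
        register(AnonymousAccessToResourceCheck::checkApiManagement, "azurerm_api_management");
        register(AnonymousAccessToResourceCheck::checkDataFactorLinkServiceOdata, "azurerm_data_factory_linked_service_odata");
        register(AnonymousAccessToResourceCheck::checkDataFactorLinkServiceWebAndSftp, "azurerm_data_factory_linked_service_sftp", "azurerm_data_factory_linked_service_web");
        register(AnonymousAccessToResourceCheck::checkRedisCache, "azurerm_redis_cache");
        register(AnonymousAccessToResourceCheck::checkStorageAccount, "azurerm_storage_account");
        register(AnonymousAccessToResourceCheck::checkStorageContainer, "azurerm_storage_container");
    }

    /**
     * Checks App Service / Function App style resources: a resource without any
     * {@code auth_settings} block is reported as a whole, otherwise every
     * {@code auth_settings} block is inspected by {@link #checkAuthSettings}.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkResourceAuthSettings(CheckContext checkContext, BlockTree blockTree) {
        // Typed list (the decompiled original used a raw List, which leaves the lambda
        // parameter typed as Object and does not match checkAuthSettings' signature).
        List<BlockTree> authSettingsBlocks = PropertyUtils.getAll(blockTree, "auth_settings", BlockTree.class);
        if (authSettingsBlocks.isEmpty()) {
            reportResource(checkContext, blockTree, APP_AUTH_MISSING_MESSAGE);
            return;
        }
        authSettingsBlocks.forEach(authSettings -> checkAuthSettings(checkContext, authSettings));
    }

    /**
     * Inspects one {@code auth_settings} block.
     *
     * <ul>
     *   <li>{@code enabled} present with a false value: the attribute is reported.</li>
     *   <li>Otherwise, if {@code unauthenticated_client_action} is present it is handed to
     *       {@code reportSensitiveValue} with {@code "AllowAnonymous"} as the sensitive value.</li>
     *   <li>Otherwise (no {@code unauthenticated_client_action}) the block itself is reported.</li>
     * </ul>
     *
     * @param checkContext context used to raise issues
     * @param blockTree the {@code auth_settings} block
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void checkAuthSettings(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "enabled", AttributeTree.class)
            // mo0value() is the decompiler-assigned name of the attribute's value accessor.
            .filter(enabled -> TextUtils.isValueFalse(enabled.mo0value()))
            .ifPresentOrElse(
                disabled -> checkContext.reportIssue(disabled, DISABLED_AUTH_MESSAGE),
                () -> PropertyUtils.get(blockTree, "unauthenticated_client_action", AttributeTree.class)
                    .ifPresentOrElse(
                        action -> reportSensitiveValue(checkContext, action, "AllowAnonymous", AUTHORIZING_ANONYMOUS_MESSAGE, new SecondaryLocation[0]),
                        // Action not configured: flagged on the whole block for review.
                        () -> checkContext.reportIssue(blockTree, AUTHORIZING_ANONYMOUS_MESSAGE)));
    }

    /**
     * Reports an {@code azurerm_api_management_api} resource that has no
     * {@code openid_authentication} property.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkApiManagementApi(CheckContext checkContext, BlockTree blockTree) {
        if (PropertyUtils.isMissing(blockTree, "openid_authentication")) {
            reportResource(checkContext, blockTree, API_MANAGEMENT_API_MESSAGE);
        }
    }

    /**
     * Checks the {@code sign_in} block of an {@code azurerm_api_management} resource: a
     * missing block is reported on the resource; when the block exists, its {@code enabled}
     * attribute (if written) is passed to {@code reportOnFalse}.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkApiManagement(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "sign_in", BlockTree.class).ifPresentOrElse(
            signIn -> PropertyUtils.get(signIn, "enabled", AttributeTree.class)
                .ifPresent(enabled -> reportOnFalse(checkContext, enabled, API_MANAGEMENT_DISABLED_MESSAGE, new SecondaryLocation[0])),
            () -> reportResource(checkContext, blockTree, API_MANAGEMENT_MISSING_MESSAGE));
    }

    /**
     * Reports an {@code azurerm_data_factory_linked_service_odata} resource that has no
     * {@code basic_authentication} property.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkDataFactorLinkServiceOdata(CheckContext checkContext, BlockTree blockTree) {
        if (PropertyUtils.isMissing(blockTree, "basic_authentication")) {
            reportResource(checkContext, blockTree, DATA_FACTORY_LINKED_SERVICE_ODATA_MESSAGE);
        }
    }

    /**
     * Passes the {@code authentication_type} attribute of SFTP / web linked services to
     * {@code reportSensitiveValue} with {@code "Anonymous"} as the sensitive value.
     * Nothing is raised when the attribute is absent.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkDataFactorLinkServiceWebAndSftp(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "authentication_type", AttributeTree.class)
            .ifPresent(authType -> reportSensitiveValue(checkContext, authType, "Anonymous", AUTHORIZING_ANONYMOUS_MESSAGE, new SecondaryLocation[0]));
    }

    /**
     * Passes {@code redis_configuration.enable_authentication} of an
     * {@code azurerm_redis_cache} resource to {@code reportOnFalse}. Nothing is raised when
     * the block or the attribute is absent.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkRedisCache(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "redis_configuration", BlockTree.class)
            .flatMap(redisConfig -> PropertyUtils.get(redisConfig, "enable_authentication", AttributeTree.class))
            .ifPresent(enableAuth -> reportOnFalse(checkContext, enableAuth, DISABLED_AUTH_MESSAGE, new SecondaryLocation[0]));
    }

    /**
     * Passes {@code allow_blob_public_access} of an {@code azurerm_storage_account}
     * resource to {@code reportOnTrue}. Nothing is raised when the attribute is absent.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkStorageAccount(CheckContext checkContext, BlockTree blockTree) {
        // NOTE(review): only the 'allow_blob_public_access' name is inspected. The azurerm
        // provider 3.x renamed it to 'allow_nested_items_to_be_public'; configurations using
        // the newer name are not evaluated here -- confirm whether that is covered elsewhere.
        PropertyUtils.get(blockTree, "allow_blob_public_access", AttributeTree.class)
            .ifPresent(publicAccess -> reportOnTrue(checkContext, publicAccess, AUTHORIZING_POTENTIAL_ANONYMOUS_MESSAGE, new SecondaryLocation[0]));
    }

    /**
     * Passes {@code container_access_type} of an {@code azurerm_storage_container}
     * resource to {@code reportUnexpectedValue} with {@code "private"} as the expected
     * value. Nothing is raised when the attribute is absent.
     *
     * @param checkContext context used to raise issues
     * @param blockTree the resource block under analysis
     */
    private static void checkStorageContainer(CheckContext checkContext, BlockTree blockTree) {
        PropertyUtils.get(blockTree, "container_access_type", AttributeTree.class)
            .ifPresent(accessType -> reportUnexpectedValue(checkContext, accessType, "private", AUTHORIZING_POTENTIAL_ANONYMOUS_MESSAGE, new SecondaryLocation[0]));
    }
}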
