package org.sonar.python.checks.cdk;

import java.util.function.BiConsumer;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;

@Rule(key = "S6245")
/* loaded from: input_file:org/sonar/python/checks/cdk/S3BucketServerEncryptionCheck.class */
public class S3BucketServerEncryptionCheck extends AbstractS3BucketCheck {
    private static final String S3_BUCKET_UNENCRYPTED_FQN = "aws_cdk.aws_s3.BucketEncryption.UNENCRYPTED";
    public static final String MESSAGE = "Objects in the bucket are not encrypted. Make sure it is safe here.";
    public static final String OMITTING_MESSAGE = "Omitting 'encryption' disables server-side encryption. Make sure it is safe here.";

    @Override // org.sonar.python.checks.cdk.AbstractS3BucketCheck
    BiConsumer<SubscriptionContext, CallExpression> visitBucketConstructor() {
        return (subscriptionContext, callExpression) -> {
            CdkUtils.getArgument(subscriptionContext, callExpression, "encryption").ifPresentOrElse(expressionFlow -> {
                expressionFlow.addIssueIf(CdkPredicate.isFqn(S3_BUCKET_UNENCRYPTED_FQN), MESSAGE);
            }, () -> {
                checkEncryptionKey(subscriptionContext, callExpression);
            });
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void checkEncryptionKey(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        if (CdkUtils.getArgument(subscriptionContext, callExpression, "encryption_key").isEmpty()) {
            subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE);
        }
    }
}
