package org.sonar.python.checks.cdk;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;

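/**
 * Rule S6281: reports AWS CDK (Python) S3 bucket definitions whose Block Public Access
 * configuration is missing, limited to the ACL-only preset, or has individual settings
 * switched off.
 *
 * <p>Why it matters: S3 Block Public Access is the guard rail that stops a later ACL or
 * bucket policy from exposing the bucket publicly. It consists of four independent settings
 * (see {@link #BLOCK_PUBLIC_ACCESS_ARGUMENTS}); a bucket is only covered against both ACL-based
 * and policy-based exposure when all four are enabled.
 *
 * <p>Three situations are reported:
 * <ul>
 *   <li>the bucket constructor has no {@code block_public_access} argument;</li>
 *   <li>the argument resolves to {@code BlockPublicAccess.BLOCK_ACLS}, which in the CDK enables
 *       only the two ACL-related settings and leaves the policy-related ones off;</li>
 *   <li>the argument resolves to a {@code BlockPublicAccess(...)} call in which one of the four
 *       settings is passed a value matched by {@code CdkPredicate.isFalse()}.</li>
 * </ul>
 *
 * <p>Detection limits a reviewer should know about: a setting that is simply omitted from a
 * {@code BlockPublicAccess(...)} call is not reported by this class, and values that the flow
 * analysis cannot resolve are not reported either. NOTE(review): confirm what an omitted setting
 * defaults to for the CDK versions in scope before treating a clean result as "fully blocked".
 *
 * <p>NOTE(review): the superclass is not visible here; it presumably invokes
 * {@link #visitBucketConstructor()} for every S3 {@code Bucket} constructor call.
 */
@Rule(key = "S6281")
/* loaded from: input_file:org/sonar/python/checks/cdk/S3BucketBlockPublicAccessCheck.class */
public class S3BucketBlockPublicAccessCheck extends AbstractS3BucketCheck {
    private static final String MESSAGE = "Make sure allowing public ACL/policies to be set is safe here.";
    private static final String OMITTING_MESSAGE = "No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.";
    private static final String BLOCK_PUBLIC_ACCESS_FQN = "aws_cdk.aws_s3.BlockPublicAccess";
    private static final String BLOCK_ACLS_FQN = "aws_cdk.aws_s3.BlockPublicAccess.BLOCK_ACLS";
    // The four Block Public Access settings; each one is inspected independently.
    private static final List<String> BLOCK_PUBLIC_ACCESS_ARGUMENTS = List.of("block_public_acls", "ignore_public_acls", "block_public_policy", "restrict_public_buckets");

    /**
     * Builds the visitor applied to a bucket constructor call.
     *
     * @return a consumer that inspects the {@code block_public_access} argument when present and
     *     otherwise raises {@link #OMITTING_MESSAGE} on the callee of the constructor call
     */
    @Override // org.sonar.python.checks.cdk.AbstractS3BucketCheck
    BiConsumer<SubscriptionContext, CallExpression> visitBucketConstructor() {
        return (subscriptionContext, callExpression) ->
            CdkUtils.getArgument(subscriptionContext, callExpression, "block_public_access").ifPresentOrElse(
                argument -> checkBlockPublicAccess(subscriptionContext, argument),
                // No argument at all: nothing in this call restricts public ACLs or policies.
                () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE));
    }

    /**
     * Inspects the value flowing into {@code block_public_access}.
     *
     * <p>Raises {@link #MESSAGE} when the value is the {@code BLOCK_ACLS} preset, then looks for a
     * {@code BlockPublicAccess(...)} constructor call among the flow's locations and checks its
     * individual settings. Only one such constructor call is examined ({@code findAny}).
     *
     * @param subscriptionContext context used to resolve arguments and report issues
     * @param expressionFlow resolved flow of the {@code block_public_access} argument
     */
    private static void checkBlockPublicAccess(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow expressionFlow) {
        // Empty array: no secondary locations are attached to the issue.
        expressionFlow.addIssueIf(S3BucketBlockPublicAccessCheck::blocksAclsOnly, MESSAGE, new IssueLocation[0]);
        expressionFlow.locations().stream()
            .filter(CallExpression.class::isInstance)
            .map(CallExpression.class::cast)
            .filter(S3BucketBlockPublicAccessCheck::isBlockPublicAccessConstructor)
            .findAny()
            .ifPresent(bpaConstructor -> visitBlockPublicAccessConstructor(subscriptionContext, bpaConstructor));
    }

    /**
     * Raises {@link #MESSAGE} on every Block Public Access setting that is explicitly passed to
     * the given {@code BlockPublicAccess(...)} call with a value matched by
     * {@code CdkPredicate.isFalse()}.
     *
     * <p>Settings that are not passed to the call are skipped, so an omitted setting produces no
     * issue here.
     *
     * @param subscriptionContext context used to resolve arguments
     * @param callExpression the {@code BlockPublicAccess(...)} constructor call
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void visitBlockPublicAccessConstructor(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        BLOCK_PUBLIC_ACCESS_ARGUMENTS.stream()
            .map(argumentName -> CdkUtils.getArgument(subscriptionContext, callExpression, argumentName))
            .flatMap(Optional::stream)
            // Empty array: no secondary locations are attached to the issue.
            .forEach(argument -> argument.addIssueIf(CdkPredicate.isFalse(), MESSAGE, new IssueLocation[0]));
    }

    /**
     * Tells whether the expression is a qualified expression whose symbol is
     * {@code aws_cdk.aws_s3.BlockPublicAccess.BLOCK_ACLS}.
     *
     * @param expression expression found in the argument's flow
     * @return {@code true} only for a qualified expression with a non-null symbol whose fully
     *     qualified name equals {@link #BLOCK_ACLS_FQN}
     */
    private static boolean blocksAclsOnly(Expression expression) {
        if (!expression.is(Tree.Kind.QUALIFIED_EXPR)) {
            return false;
        }
        // symbol() may be null when the name cannot be resolved; that case is treated as "no match".
        return Optional.ofNullable(((QualifiedExpression) expression).symbol())
            .map(symbol -> symbol.fullyQualifiedName())
            .filter(BLOCK_ACLS_FQN::equals)
            .isPresent();
    }

    /**
     * Tells whether the call's callee resolves to {@code aws_cdk.aws_s3.BlockPublicAccess}.
     *
     * @param callExpression call found in the argument's flow
     * @return {@code true} only when the callee symbol is non-null and its fully qualified name
     *     equals {@link #BLOCK_PUBLIC_ACCESS_FQN}
     */
    private static boolean isBlockPublicAccessConstructor(CallExpression callExpression) {
        // An unresolved callee (null symbol) is treated as "not the constructor".
        return Optional.ofNullable(callExpression.calleeSymbol())
            .map(symbol -> symbol.fullyQualifiedName())
            .filter(BLOCK_PUBLIC_ACCESS_FQN::equals)
            .isPresent();
    }
}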
