package org.sonar.python.checks.cdk;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.SubscriptionExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;
import org.sonar.python.checks.cdk.UnrestrictedAdministrationCheckPartCfnSecurity;
import org.sonar.python.tree.TreeUtils;

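@Rule(key = "S6329")
/**
 * S6329: "Make sure allowing public network access is safe here."
 *
 * Looks at AWS CDK (Python) resource constructors that can expose a workload to the public
 * network and reports the argument that enables it:
 * <ul>
 *   <li>{@code aws_cdk.aws_dms.CfnReplicationInstance}: {@code publicly_accessible} True or omitted.</li>
 *   <li>{@code aws_cdk.aws_rds.DatabaseInstance}: {@code publicly_accessible} True, or a PUBLIC
 *       {@code vpc_subnets} selection when the argument is omitted, unless the selection resolves
 *       to a private subnet type.</li>
 *   <li>{@code aws_cdk.aws_rds.CfnDBInstance}: an explicit {@code publicly_accessible=True} only.</li>
 *   <li>{@code aws_cdk.aws_ec2.Instance}: {@code vpc_subnets} selecting {@code SubnetType.PUBLIC}.</li>
 *   <li>{@code aws_cdk.aws_ec2.CfnInstance}: a network interface with
 *       {@code associate_public_ip_address=True} whose {@code subnet_id} is not taken from a
 *       private subnet selection.</li>
 * </ul>
 *
 * Argument values are resolved through {@link CdkUtils.ExpressionFlow}; anything that helper
 * cannot resolve (values computed at runtime, parameters, imports) is presumably not reported —
 * treat the rule as best-effort, not as proof that a stack has no public endpoint.
 */
public class PublicNetworkAccessToCloudResourcesCheck extends AbstractCdkResourceCheck {
    public static final String PUBLICLY_ACCESSIBLE_ARG_NAME = "publicly_accessible";
    private static final String SUBNET_TYPE = "subnet_type";
    private static final String ASSOCIATE_PUBLIC_IP_ADDRESS = "associate_public_ip_address";
    private static final String SUBNET_ID = "subnet_id";
    private static final String MESSAGE = "Make sure allowing public network access is safe here.";

    private static final String SUBNET_SELECTION_FQN = "aws_cdk.aws_ec2.SubnetSelection";
    private static final String SELECT_SUBNETS_FQN = "aws_cdk.aws_ec2.Vpc.select_subnets";
    private static final String NETWORK_INTERFACE_PROPERTY_FQN = "aws_cdk.aws_ec2.CfnInstance.NetworkInterfaceProperty";
    private static final String SUBNET_TYPE_FQN_PREFIX = "aws_cdk.aws_ec2.SubnetType.";
    private static final String SENSITIVE_SUBNET = SUBNET_TYPE_FQN_PREFIX + "PUBLIC";

    /**
     * Subnet types that neutralise a "public" flag: every {@code SubnetType} member except PUBLIC,
     * including the deprecated aliases ({@code ISOLATED} for PRIVATE_ISOLATED, {@code PRIVATE} and
     * {@code PRIVATE_WITH_NAT} for PRIVATE_WITH_EGRESS).
     *
     * The RDS and EC2 paths previously used two different lists (one without PRIVATE_WITH_EGRESS,
     * the other without the ISOLATED/PRIVATE aliases), so the same subnet type was "private" for one
     * resource and not for the other. One list keeps the two checks consistent.
     */
    private static final Set<String> PRIVATE_SUBNET_TYPES = Set.of(
        SUBNET_TYPE_FQN_PREFIX + "ISOLATED",
        SUBNET_TYPE_FQN_PREFIX + "PRIVATE_ISOLATED",
        SUBNET_TYPE_FQN_PREFIX + "PRIVATE",
        SUBNET_TYPE_FQN_PREFIX + "PRIVATE_WITH_NAT",
        SUBNET_TYPE_FQN_PREFIX + "PRIVATE_WITH_EGRESS");

    /**
     * Registers one consumer per sensitive constructor FQN.
     */
    @Override
    protected void registerFqnConsumer() {
        // DMS: an omitted publicly_accessible is reported as well, not only an explicit True
        // (presumably because the service default is public — confirm against the DMS docs).
        checkFqn("aws_cdk.aws_dms.CfnReplicationInstance", (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PUBLICLY_ACCESSIBLE_ARG_NAME).ifPresentOrElse(
                flow -> flow.addIssueIf(CdkPredicate.isTrue(), MESSAGE, new IssueLocation[0]),
                () -> ctx.addIssue(call, MESSAGE)));

        checkFqn("aws_cdk.aws_rds.DatabaseInstance", PublicNetworkAccessToCloudResourcesCheck::checkDatabaseInstance);

        // L1 RDS: only an explicit True is reported; an omitted argument is left alone here
        // (the CloudFormation default presumably depends on the subnet group — TODO confirm).
        checkFqn("aws_cdk.aws_rds.CfnDBInstance", (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PUBLICLY_ACCESSIBLE_ARG_NAME)
                .ifPresent(flow -> flow.addIssueIf(CdkPredicate.isTrue(), MESSAGE, new IssueLocation[0])));

        checkFqn("aws_cdk.aws_ec2.Instance", PublicNetworkAccessToCloudResourcesCheck::checkInstance);
        checkFqn("aws_cdk.aws_ec2.CfnInstance", PublicNetworkAccessToCloudResourcesCheck::checkCfnInstance);
    }

    /**
     * {@code ec2.Instance(vpc_subnets=...)}: the selection may be written either as a
     * {@code SubnetSelection(...)} call or as a plain dict literal; both spellings are inspected.
     */
    private static void checkInstance(SubscriptionContext ctx, CallExpression call) {
        CdkUtils.getArgument(ctx, call, "vpc_subnets").ifPresent(vpcSubnets -> {
            checkVpcSubnetAsSensitiveSubnetSelectionCall(ctx, vpcSubnets);
            checkVpcSubnetAsSensitiveDictionary(ctx, vpcSubnets);
        });
    }

    /**
     * Reports {@code SubnetSelection(subnet_type=SubnetType.PUBLIC)} passed as {@code vpc_subnets}.
     * The issue is placed on the parent of the SubnetSelection call (the enclosing argument node).
     */
    private static void checkVpcSubnetAsSensitiveSubnetSelectionCall(SubscriptionContext ctx, CdkUtils.ExpressionFlow vpcSubnets) {
        Optional<CallExpression> selectionCall = vpcSubnets
            .getExpression(CdkPredicate.isFqn(SUBNET_SELECTION_FQN))
            .filter(expression -> expression.is(Tree.Kind.CALL_EXPR))
            .map(CallExpression.class::cast);

        selectionCall.ifPresent(selection -> CdkUtils.getArgument(ctx, selection, SUBNET_TYPE)
            .flatMap(subnetType -> subnetType.getExpression(CdkPredicate.isFqn(SENSITIVE_SUBNET)))
            .ifPresent(publicSubnet -> ctx.addIssue(selection.parent(), MESSAGE)));
    }

    /**
     * Reports {@code vpc_subnets={"subnet_type": SubnetType.PUBLIC}}; the issue is placed on the
     * enclosing regular argument so the whole dict is highlighted.
     */
    private static void checkVpcSubnetAsSensitiveDictionary(SubscriptionContext ctx, CdkUtils.ExpressionFlow vpcSubnets) {
        CdkUtils.getDictionary(vpcSubnets)
            .flatMap(dictionary -> CdkUtils.getDictionaryPair(ctx, dictionary, SUBNET_TYPE))
            .flatMap(pair -> pair.value.getExpression(CdkPredicate.isFqn(SENSITIVE_SUBNET)))
            .ifPresent(publicSubnet -> raiseIssueOnParent(ctx, publicSubnet, Tree.Kind.REGULAR_ARGUMENT));
    }

    /**
     * {@code ec2.CfnInstance(network_interfaces=[...])}: every element of the list literal is
     * inspected, whether written as a {@code NetworkInterfaceProperty(...)} call or as a dict.
     * A {@code network_interfaces} value that is not a list literal yields nothing.
     */
    private static void checkCfnInstance(SubscriptionContext ctx, CallExpression call) {
        List<Expression> interfaces = CdkUtils.getArgument(ctx, call, "network_interfaces")
            .flatMap(flow -> flow.getExpression(CdkPredicate.isListLiteral()))
            .map(ListLiteral.class::cast)
            .map(list -> list.elements().expressions())
            .orElse(Collections.emptyList());

        for (Expression networkInterface : interfaces) {
            checkNetworkInterfacesCallExpression(ctx, networkInterface);
            checkNetworkInterfacesDictionary(ctx, networkInterface);
        }
    }

    /** One list element written as {@code CfnInstance.NetworkInterfaceProperty(...)}. */
    private static void checkNetworkInterfacesCallExpression(SubscriptionContext ctx, Expression element) {
        Optional.of(element)
            .filter(CdkPredicate.isCallExpression())
            .map(CallExpression.class::cast)
            .filter(CdkPredicate.isFqn(NETWORK_INTERFACE_PROPERTY_FQN))
            .ifPresent(property -> checkSensitiveOptionWithoutCompliantSubnetDefined(ctx, property));
    }

    /**
     * Reports {@code associate_public_ip_address=True} on a network interface property unless its
     * {@code subnet_id} demonstrably comes from a private subnet selection
     * (see {@link #hasPrivateSubnetDefined}). A missing or unresolvable {@code subnet_id} counts as
     * "not private", so the public IP is reported.
     */
    public static void checkSensitiveOptionWithoutCompliantSubnetDefined(SubscriptionContext ctx, CallExpression networkInterface) {
        Optional<CdkUtils.ExpressionFlow> subnetId = CdkUtils.getArgument(ctx, networkInterface, SUBNET_ID);
        boolean privateSubnet = subnetId.filter(PublicNetworkAccessToCloudResourcesCheck::hasPrivateSubnetDefined).isPresent();
        if (privateSubnet) {
            return;
        }
        CdkUtils.getArgument(ctx, networkInterface, ASSOCIATE_PUBLIC_IP_ADDRESS)
            .filter(flow -> flow.hasExpression(CdkPredicate.isTrue()))
            .ifPresent(flow -> flow.addIssue(MESSAGE, new IssueLocation[0]));
    }

    /**
     * One list element written as a dict literal; same rule as the property-call form, with the
     * issue placed on the {@code "associate_public_ip_address": True} key/value pair.
     */
    private static void checkNetworkInterfacesDictionary(SubscriptionContext ctx, Expression element) {
        CdkUtils.getDictionary(element)
            .map(dictionary -> UnrestrictedAdministrationCheckPartCfnSecurity.DictionaryAsMap.build(ctx, dictionary))
            .ifPresent(entries -> {
                boolean publicIpRequested = entries.hasKeyValuePair(ASSOCIATE_PUBLIC_IP_ADDRESS, CdkPredicate.isTrue());
                boolean privateSubnet = entries.getValue(SUBNET_ID)
                    .filter(PublicNetworkAccessToCloudResourcesCheck::hasPrivateSubnetDefined)
                    .isPresent();
                if (publicIpRequested && !privateSubnet) {
                    entries.getKeyString(ASSOCIATE_PUBLIC_IP_ADDRESS)
                        .ifPresent(key -> raiseIssueOnParent(ctx, key, Tree.Kind.KEY_VALUE_PAIR));
                }
            });
    }

    /**
     * True when the {@code subnet_id} value is a subscription ({@code something[...]}) whose
     * subscripted object leads back to a {@code Vpc.select_subnets(subnet_type=<private type>)}
     * call — e.g. {@code vpc.select_subnets(subnet_type=SubnetType.PRIVATE_ISOLATED).subnet_ids[0]}.
     * Only the select_subnets call and its subnet_type are verified; the attribute name between the
     * call and the subscript is not checked.
     */
    private static boolean hasPrivateSubnetDefined(CdkUtils.ExpressionFlow subnetId) {
        return subnetId.getExpression(CdkPredicate.isSubscriptionExpression())
            .map(SubscriptionExpression.class::cast)
            .map(SubscriptionExpression::object)
            .filter(PublicNetworkAccessToCloudResourcesCheck::isCompliantSubnet)
            .isPresent();
    }

    /** The subscripted object resolves to a select_subnets call whose subnet_type is private. */
    private static boolean isCompliantSubnet(Expression subscriptedObject) {
        return getCallSelectSubnets(subscriptedObject)
            .flatMap(selectSubnets -> CdkUtils.getArgument(null, selectSubnets, SUBNET_TYPE))
            .filter(subnetType -> subnetType.hasExpression(CdkPredicate.isFqnOf(PRIVATE_SUBNET_TYPES)))
            .isPresent();
    }

    /**
     * Finds the {@code Vpc.select_subnets(...)} call behind an expression of the form
     * {@code <call>.attr} (a qualified expression), or a name that resolves to such a qualified
     * expression. Any other shape yields empty.
     */
    private static Optional<CallExpression> getCallSelectSubnets(Expression expression) {
        if (expression.is(Tree.Kind.QUALIFIED_EXPR)) {
            return selectSubnetsCallIn(((QualifiedExpression) expression).qualifier());
        }
        if (expression.is(Tree.Kind.NAME)) {
            return CdkUtils.ExpressionFlow.build(null, expression)
                .getExpression(isQualifiedExpression())
                .map(QualifiedExpression.class::cast)
                .flatMap(qualified -> selectSubnetsCallIn(qualified.qualifier()));
        }
        return Optional.empty();
    }

    /**
     * Resolves {@code qualifier} and returns it when it is a {@code Vpc.select_subnets} call.
     * NOTE(review): a null SubscriptionContext is handed to ExpressionFlow.build here, as in the
     * original; presumably the flow only needs the context to report issues — confirm in CdkUtils.
     */
    private static Optional<CallExpression> selectSubnetsCallIn(Expression qualifier) {
        return CdkUtils.ExpressionFlow.build(null, qualifier)
            .getExpression(CdkPredicate.isCallExpression().and(CdkPredicate.isFqn(SELECT_SUBNETS_FQN)))
            .map(CallExpression.class::cast);
    }

    /**
     * Reports on the nearest ancestor of the given kind, falling back to the expression itself
     * when no such ancestor exists.
     */
    public static void raiseIssueOnParent(SubscriptionContext ctx, Expression expression, Tree.Kind kind) {
        Tree ancestor = TreeUtils.firstAncestorOfKind(expression, kind);
        ctx.addIssue(ancestor != null ? ancestor : expression, MESSAGE);
    }

    /**
     * {@code rds.DatabaseInstance(...)}:
     * <ol>
     *   <li>If {@code vpc_subnets=SubnetSelection(subnet_type=<private type>)}, nothing is reported,
     *       whatever {@code publicly_accessible} says.</li>
     *   <li>Otherwise an explicit {@code publicly_accessible=True} is reported.</li>
     *   <li>If {@code publicly_accessible} is omitted, the {@code subnet_type} argument is reported
     *       when it is {@code SubnetType.PUBLIC}.</li>
     * </ol>
     */
    private static void checkDatabaseInstance(SubscriptionContext ctx, CallExpression call) {
        Optional<CdkUtils.ExpressionFlow> subnetType = CdkUtils.getArgument(ctx, call, "vpc_subnets")
            .flatMap(flow -> flow.getExpression(CdkPredicate.isCallExpression().and(CdkPredicate.isFqn(SUBNET_SELECTION_FQN))))
            .map(CallExpression.class::cast)
            .flatMap(selection -> CdkUtils.getArgument(ctx, selection, SUBNET_TYPE));

        if (subnetType.filter(isPrivateSubnetSelection()).isPresent()) {
            return;
        }

        CdkUtils.getArgument(ctx, call, PUBLICLY_ACCESSIBLE_ARG_NAME).ifPresentOrElse(
            publiclyAccessible -> publiclyAccessible.addIssueIf(CdkPredicate.isTrue(), MESSAGE, new IssueLocation[0]),
            () -> subnetType.filter(isPublicSubnetSelection())
                .ifPresent(publicSubnet -> publicSubnet.addIssue(MESSAGE, new IssueLocation[0])));
    }

    /** subnet_type resolves to one of {@link #PRIVATE_SUBNET_TYPES}. */
    private static Predicate<CdkUtils.ExpressionFlow> isPrivateSubnetSelection() {
        return flow -> flow.hasExpression(CdkPredicate.isFqnOf(PRIVATE_SUBNET_TYPES));
    }

    /** subnet_type resolves to {@code SubnetType.PUBLIC}. */
    private static Predicate<CdkUtils.ExpressionFlow> isPublicSubnetSelection() {
        return flow -> flow.hasExpression(CdkPredicate.isFqn(SENSITIVE_SUBNET));
    }

    private static Predicate<Expression> isQualifiedExpression() {
        return expression -> expression.is(Tree.Kind.QUALIFIED_EXPR);
    }
}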
