package org.sonar.python.checks.cdk;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.NumericLiteral;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.python.checks.cdk.CdkUtils;

/* loaded from: input_file:org/sonar/python/checks/cdk/UnrestrictedAdministrationCheckPartCfnSecurity.class */
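/**
 * Flags AWS CDK (Python) security-group ingress definitions that expose administration
 * services to every address.
 *
 * <p>Two construct shapes are inspected:
 * <ul>
 *   <li>{@code aws_cdk.aws_ec2.CfnSecurityGroup}: each element of its
 *       {@code security_group_ingress} list, given either as an
 *       {@code IngressProperty(...)} call (snake_case arguments) or as a dictionary literal
 *       (camelCase keys);</li>
 *   <li>{@code aws_cdk.aws_ec2.CfnSecurityGroupIngress}: the call's own arguments.</li>
 * </ul>
 *
 * <p>An ingress entry is reported when its CIDR is {@code 0.0.0.0/0} or {@code ::/0} and either
 * <ul>
 *   <li>the protocol is {@code "tcp"} / {@code "6"} and the from/to port range contains one of
 *       {@link #ADMIN_PORTS}, or</li>
 *   <li>the protocol is {@code "-1"} (ports are not looked at in that case).</li>
 * </ul>
 *
 * <p>Limits a reader should keep in mind when relying on this rule: ports are only evaluated
 * when both bounds resolve to numeric literals (otherwise the TCP branch reports nothing), and
 * the CIDR / protocol comparison goes through {@code CdkPredicate.isString} against the fixed
 * values below. NOTE(review): presumably an exact string match, so other broad ranges or
 * different spellings would not be reported; confirm against {@code CdkPredicate}.
 */
public class UnrestrictedAdministrationCheckPartCfnSecurity extends AbstractCdkResourceCheck {
    private static final String MESSAGE = "Change this IP range to a subset of trusted IP addresses.";

    // Argument names used by the call form (IngressProperty / CfnSecurityGroupIngress).
    private static final String IP_PROTOCOL = "ip_protocol";
    private static final String CIDR_IP = "cidr_ip";
    private static final String CIDR_IPV6 = "cidr_ipv6";

    // Key names used by the dictionary-literal form.
    private static final String IPPROTOCOL = "ipProtocol";
    private static final String CIDRIP = "cidrIp";
    private static final String CIDRIPV6 = "cidrIpv6";

    // "-1" is the security-group notation for "all protocols".
    private static final String ANY_PROTOCOL = "-1";
    private static final String EMPTY_IPV4 = "0.0.0.0/0";
    private static final String EMPTY_IPV6 = "::/0";
    // TCP by name or by its protocol number.
    private static final Set<String> SENSITIVE_PROTOCOL = Set.of("tcp", "6");
    // 22 (SSH) and 3389 (RDP).
    private static final long[] ADMIN_PORTS = {22, 3389};

    /**
     * Lookup view over a dictionary literal, keyed by the unquoted text of each string-literal
     * key. Entries whose key does not resolve to a string literal are left out.
     *
     * <p>Declared {@code public} in this listing because the decompiler widened its access; the
     * decompiler note on the class says it was package-private.
     */
    public static class DictionaryAsMap {
        Map<String, CdkUtils.ResolvedKeyValuePair> map = new HashMap<>();

        DictionaryAsMap() {
        }

        /**
         * Builds the lookup view for {@code dictionaryLiteral}.
         *
         * @param subscriptionContext context handed to {@code CdkUtils.getKeyValuePair}
         * @param dictionaryLiteral   dictionary to index
         * @return a view holding every resolvable pair whose key is a string literal; when a key
         *         occurs more than once the last pair wins
         */
        public static DictionaryAsMap build(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral) {
            DictionaryAsMap dictionaryAsMap = new DictionaryAsMap();
            List<CdkUtils.ResolvedKeyValuePair> resolvedPairs = dictionaryLiteral.elements().stream()
                .map(element -> CdkUtils.getKeyValuePair(subscriptionContext, element))
                .flatMap(Optional::stream)
                .toList();
            for (CdkUtils.ResolvedKeyValuePair pair : resolvedPairs) {
                pair.key.getExpression(CdkPredicate.isStringLiteral())
                    .map(StringLiteral.class::cast)
                    .ifPresent(keyLiteral -> dictionaryAsMap.map.put(keyLiteral.trimmedQuotesValue(), pair));
            }
            return dictionaryAsMap;
        }

        /**
         * @return {@code true} when {@code key} is present and its value flow has an expression
         *         accepted by {@code predicate}
         */
        public boolean hasKeyValuePair(String key, Predicate<Expression> predicate) {
            return getValue(key).filter(value -> value.hasExpression(predicate)).isPresent();
        }

        /**
         * @return the expression of {@code key}'s value flow accepted by {@code predicate}, or
         *         empty when the key is absent or nothing matches
         */
        public Optional<Expression> get(String key, Predicate<Expression> predicate) {
            return getValue(key).flatMap(value -> value.getExpression(predicate));
        }

        /** @return the string-literal expression of the key itself, or empty when absent. */
        public Optional<Expression> getKeyString(String key) {
            return Optional.ofNullable(this.map.get(key))
                .flatMap(pair -> pair.key.getExpression(CdkPredicate.isStringLiteral()));
        }

        /** @return the value flow stored under {@code key}, or empty when the key is absent. */
        public Optional<CdkUtils.ExpressionFlow> getValue(String key) {
            return Optional.ofNullable(this.map.get(key)).map(pair -> pair.value);
        }

        /** Reports {@code message} on the value stored under {@code key}; no-op when absent. */
        public void addIssue(String key, String message) {
            getValue(key).ifPresent(value -> value.addIssue(message, new IssueLocation[0]));
        }

        /**
         * @return the value of {@code key} as a long when it resolves to a numeric literal,
         *         otherwise empty
         */
        public Optional<Long> getArgumentAsLong(String key) {
            return get(key, CdkPredicate.isNumericLiteral())
                .map(NumericLiteral.class::cast)
                .map(NumericLiteral::valueAsLong);
        }

        /**
         * @return {@code true} when both bounds are numeric literals and the inclusive range
         *         they describe contains an administration port; {@code false} when either
         *         bound cannot be resolved
         */
        boolean hasSensitivePortRange(String fromKey, String toKey) {
            Optional<Long> fromPort = getArgumentAsLong(fromKey);
            Optional<Long> toPort = getArgumentAsLong(toKey);
            return fromPort.isPresent()
                && toPort.isPresent()
                && UnrestrictedAdministrationCheckPartCfnSecurity.isInInterval(
                    fromPort.get(), toPort.get(), UnrestrictedAdministrationCheckPartCfnSecurity.ADMIN_PORTS);
        }
    }

    @Override
    protected void registerFqnConsumer() {
        checkFqn("aws_cdk.aws_ec2.CfnSecurityGroup", UnrestrictedAdministrationCheckPartCfnSecurity::checkCfnSecurityGroup);
        checkFqn("aws_cdk.aws_ec2.CfnSecurityGroupIngress", UnrestrictedAdministrationCheckPartCfnSecurity::checkCallCfnSecuritySensitive);
    }

    /**
     * Inspects every element of the {@code security_group_ingress} list argument. Each element
     * is tried both as an {@code IngressProperty} call and as a dictionary literal; a missing
     * argument or one that is not a list yields no elements.
     */
    private static void checkCfnSecurityGroup(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        List<Expression> ingressEntries = CdkUtils.getArgument(subscriptionContext, callExpression, "security_group_ingress")
            .flatMap(CdkUtils::getListExpression)
            .map(listLiteral -> listLiteral.elements().expressions())
            .orElse(Collections.emptyList());
        for (Expression entry : ingressEntries) {
            CdkUtils.ExpressionFlow flow = CdkUtils.ExpressionFlow.build(subscriptionContext, entry);
            raiseIssueIfIngressPropertyCallWithSensitiveArgument(subscriptionContext, flow.getLast());
            raiseIssueIfDictionaryWithSensitiveArgument(subscriptionContext, flow.getLast());
        }
    }

    /** Applies the call-form check when {@code expression} is an {@code IngressProperty} call. */
    private static void raiseIssueIfIngressPropertyCallWithSensitiveArgument(SubscriptionContext subscriptionContext, Expression expression) {
        CdkUtils.getCall(expression, "aws_cdk.aws_ec2.CfnSecurityGroup.IngressProperty")
            .ifPresent(ingressCall -> checkCallCfnSecuritySensitive(subscriptionContext, ingressCall));
    }

    /**
     * Reports the CIDR arguments of an ingress call that matches one of the two sensitive
     * combinations described on the class.
     *
     * <p>NOTE(review): once the call matches, the issue is added to {@code cidr_ip} and to
     * {@code cidr_ipv6} whenever each is present, without re-checking which of the two held the
     * open range.
     *
     * <p>Visibility is {@code public} in this listing; the decompiler note says the method was
     * originally private.
     */
    public static void checkCallCfnSecuritySensitive(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        boolean sensitive = isCallWithArgumentBadProtocolEmptyIpAddressAdminPort(subscriptionContext, callExpression)
            || isCallWithArgumentInvalidProtocolEmptyIpAddress(subscriptionContext, callExpression);
        if (!sensitive) {
            return;
        }
        CdkUtils.getArgument(subscriptionContext, callExpression, CIDR_IP)
            .ifPresent(flow -> flow.addIssue(MESSAGE, new IssueLocation[0]));
        CdkUtils.getArgument(subscriptionContext, callExpression, CIDR_IPV6)
            .ifPresent(flow -> flow.addIssue(MESSAGE, new IssueLocation[0]));
    }

    /** @return {@code true} when the named call argument exists and its flow satisfies {@code predicate}. */
    private static boolean callArgumentMatches(
        SubscriptionContext subscriptionContext, CallExpression callExpression, String argumentName, Predicate<Expression> predicate) {
        return CdkUtils.getArgument(subscriptionContext, callExpression, argumentName)
            .filter(flow -> flow.hasExpression(predicate))
            .isPresent();
    }

    /** @return {@code true} when the call's IPv4 or IPv6 CIDR argument is the match-everything range. */
    private static boolean callAllowsAnyAddress(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        return callArgumentMatches(subscriptionContext, callExpression, CIDR_IP, CdkPredicate.isString(EMPTY_IPV4))
            || callArgumentMatches(subscriptionContext, callExpression, CIDR_IPV6, CdkPredicate.isString(EMPTY_IPV6));
    }

    /** Call form: TCP protocol, open CIDR, and a literal port range covering an admin port. */
    private static boolean isCallWithArgumentBadProtocolEmptyIpAddressAdminPort(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        return callArgumentMatches(subscriptionContext, callExpression, IP_PROTOCOL, CdkPredicate.isString(SENSITIVE_PROTOCOL))
            && callAllowsAnyAddress(subscriptionContext, callExpression)
            && hasSensitivePortRange(callExpression, "from_port", "to_port", ADMIN_PORTS);
    }

    /** Call form: protocol {@code "-1"} with an open CIDR; ports are not consulted. */
    private static boolean isCallWithArgumentInvalidProtocolEmptyIpAddress(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        return callArgumentMatches(subscriptionContext, callExpression, IP_PROTOCOL, CdkPredicate.isString(ANY_PROTOCOL))
            && callAllowsAnyAddress(subscriptionContext, callExpression);
    }

    /**
     * Applies the dictionary-form check when {@code expression} is a dictionary literal, adding
     * the issue to the {@code cidrIp} and {@code cidrIpv6} values that are present.
     */
    private static void raiseIssueIfDictionaryWithSensitiveArgument(SubscriptionContext subscriptionContext, Expression expression) {
        CdkUtils.getDictionary(expression).ifPresent(dictionaryLiteral -> {
            DictionaryAsMap ingress = DictionaryAsMap.build(subscriptionContext, dictionaryLiteral);
            if (isDictionaryWithAttributeBadProtocolEmptyIpAddressAdminPort(ingress)
                || isDictionaryWithAttributeInvalidProtocolEmptyIpAddress(ingress)) {
                ingress.addIssue(CIDRIP, MESSAGE);
                ingress.addIssue(CIDRIPV6, MESSAGE);
            }
        });
    }

    /** @return {@code true} when the dictionary's IPv4 or IPv6 CIDR entry is the match-everything range. */
    private static boolean dictionaryAllowsAnyAddress(DictionaryAsMap dictionaryAsMap) {
        return dictionaryAsMap.hasKeyValuePair(CIDRIP, CdkPredicate.isString(EMPTY_IPV4))
            || dictionaryAsMap.hasKeyValuePair(CIDRIPV6, CdkPredicate.isString(EMPTY_IPV6));
    }

    /** Dictionary form: TCP protocol, open CIDR, and a literal port range covering an admin port. */
    private static boolean isDictionaryWithAttributeBadProtocolEmptyIpAddressAdminPort(DictionaryAsMap dictionaryAsMap) {
        return dictionaryAsMap.hasKeyValuePair(IPPROTOCOL, CdkPredicate.isString(SENSITIVE_PROTOCOL))
            && dictionaryAllowsAnyAddress(dictionaryAsMap)
            && dictionaryAsMap.hasSensitivePortRange("fromPort", "toPort");
    }

    /** Dictionary form: protocol {@code "-1"} with an open CIDR; ports are not consulted. */
    private static boolean isDictionaryWithAttributeInvalidProtocolEmptyIpAddress(DictionaryAsMap dictionaryAsMap) {
        return dictionaryAsMap.hasKeyValuePair(IPPROTOCOL, CdkPredicate.isString(ANY_PROTOCOL))
            && dictionaryAllowsAnyAddress(dictionaryAsMap);
    }

    /**
     * @return the named call argument as a long when it resolves to a numeric literal,
     *         otherwise empty
     */
    private static Optional<Long> getArgumentAsLong(CallExpression callExpression, String argumentName) {
        // NOTE(review): a null context is passed here, unlike every other getArgument call in
        // this class. The resulting flow is only queried, never used to report; confirm that
        // CdkUtils.getArgument tolerates a null context.
        return CdkUtils.getArgument(null, callExpression, argumentName)
            .flatMap(flow -> flow.getExpression(CdkPredicate.isNumericLiteral()))
            .map(NumericLiteral.class::cast)
            .map(NumericLiteral::valueAsLong);
    }

    /**
     * @return {@code true} when both port arguments are numeric literals and the inclusive
     *         range they describe contains one of {@code ports}; {@code false} when either
     *         bound cannot be resolved
     */
    private static boolean hasSensitivePortRange(CallExpression callExpression, String fromArgument, String toArgument, long[] ports) {
        Optional<Long> fromPort = getArgumentAsLong(callExpression, fromArgument);
        Optional<Long> toPort = getArgumentAsLong(callExpression, toArgument);
        return fromPort.isPresent() && toPort.isPresent() && isInInterval(fromPort.get(), toPort.get(), ports);
    }

    /**
     * Tests whether any of {@code values} lies in the inclusive interval {@code [lower, upper]}.
     *
     * @param lower  lower bound, inclusive
     * @param upper  upper bound, inclusive
     * @param values candidates to test
     * @return {@code true} as soon as one candidate is inside the interval; {@code false} for an
     *         empty array or when {@code lower > upper}
     */
    public static boolean isInInterval(long lower, long upper, long[] values) {
        for (long candidate : values) {
            if (lower <= candidate && candidate <= upper) {
                return true;
            }
        }
        return false;
    }
}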
