package org.sonar.python.checks.cdk;

import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Predicate;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Tree;

/* loaded from: input_file:org/sonar/python/checks/cdk/WeakSSLProtocolCheckPart.class */
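/**
 * Static-analysis check for Python AWS CDK code that reports API Gateway domain names and
 * OpenSearch/Elasticsearch domains configured with a TLS 1.0 security policy.
 *
 * <p>Coverage visible in this class:
 * <ul>
 *   <li>{@code DomainName} / {@code CfnDomainName}: reported only when {@code security_policy} is
 *       present and selects TLS 1.0. An omitted argument is not reported.</li>
 *   <li>{@code Domain}: reported when {@code tls_security_policy} selects TLS 1.0 or is omitted.</li>
 *   <li>{@code CfnDomain}: reported when {@code domain_endpoint_options} is omitted, or when the
 *       options object or dictionary selects {@code Policy-Min-TLS-1-0-2019-07} or does not set
 *       {@code tls_security_policy}.</li>
 * </ul>
 *
 * <p>Only the exact TLS 1.0 identifiers listed below are matched. Any other policy value is
 * accepted by this check.
 */
public class WeakSSLProtocolCheckPart extends AbstractCdkResourceCheck {
    private static final String ENFORCE_MESSAGE = "Change this code to enforce TLS 1.2 or above.";
    private static final String OMITTING_MESSAGE = "Omitting \"tls_security_policy\" enables a deprecated version of TLS. Set it to enforce TLS 1.2 or above.";
    private static final String APIGATEWAY_FQN = "aws_cdk.aws_apigateway.";
    private static final String APIGATEWAYV2_FQN = "aws_cdk.aws_apigatewayv2.";
    private static final String OPENSEARCH_FQN = "aws_cdk.aws_opensearchservice.";
    private static final String ELASTICSEARCH_FQN = "aws_cdk.aws_elasticsearch.";
    private static final String TLS_SECURITY_POLICY = "tls_security_policy";
    private static final String SENSITIVE_TLS_SECURITY_POLICY = "Policy-Min-TLS-1-0-2019-07";

    /**
     * Registers one consumer per CDK construct. The names are built from the module prefixes
     * above, so each prefix is spelled once; the resulting strings are the same compile-time
     * constants as the fully written-out names.
     */
    @Override
    protected void registerFqnConsumer() {
        // API Gateway: high-level constructs take a SecurityPolicy enum member, the Cfn construct a plain string.
        checkFqn(APIGATEWAY_FQN + "DomainName", checkDomainName(CdkPredicate.isFqn(APIGATEWAY_FQN + "SecurityPolicy.TLS_1_0")));
        checkFqn(APIGATEWAYV2_FQN + "DomainName", checkDomainName(CdkPredicate.isFqn(APIGATEWAYV2_FQN + "SecurityPolicy.TLS_1_0")));
        checkFqn(APIGATEWAY_FQN + "CfnDomainName", checkDomainName(CdkPredicate.isString("TLS_1_0")));

        // OpenSearch / Elasticsearch high-level Domain constructs.
        checkFqn(OPENSEARCH_FQN + "Domain", checkDomain(CdkPredicate.isFqn(OPENSEARCH_FQN + "TLSSecurityPolicy.TLS_1_0")));
        checkFqn(ELASTICSEARCH_FQN + "Domain", checkDomain(CdkPredicate.isFqn(ELASTICSEARCH_FQN + "TLSSecurityPolicy.TLS_1_0")));

        // OpenSearch / Elasticsearch Cfn constructs: the policy is nested in domain_endpoint_options.
        checkFqn(OPENSEARCH_FQN + "CfnDomain", checkCfnDomain(OPENSEARCH_FQN + "CfnDomain.DomainEndpointOptionsProperty"));
        checkFqn(ELASTICSEARCH_FQN + "CfnDomain", checkCfnDomain(ELASTICSEARCH_FQN + "CfnDomain.DomainEndpointOptionsProperty"));
    }

    /**
     * Builds the consumer for API Gateway domain-name constructs.
     *
     * @param predicate matches the expression that selects TLS 1.0 for the construct
     * @return a consumer that reports {@code security_policy} when it satisfies {@code predicate}
     */
    private static BiConsumer<SubscriptionContext, CallExpression> checkDomainName(Predicate<Expression> predicate) {
        // A missing security_policy raises nothing here, unlike checkDomain and checkCfnDomain.
        // NOTE(review): presumably the construct default is acceptable - confirm against the CDK docs.
        return (subscriptionContext, callExpression) ->
            CdkUtils.getArgument(subscriptionContext, callExpression, "security_policy")
                .ifPresent(flow -> flow.addIssueIf(predicate, ENFORCE_MESSAGE));
    }

    /**
     * Builds the consumer for the high-level OpenSearch/Elasticsearch {@code Domain} constructs.
     *
     * @param predicate matches the expression that selects TLS 1.0 for the construct
     * @return a consumer that reports a TLS 1.0 {@code tls_security_policy}, or the callee when the
     *     argument is omitted
     */
    private static BiConsumer<SubscriptionContext, CallExpression> checkDomain(Predicate<Expression> predicate) {
        return (subscriptionContext, callExpression) ->
            CdkUtils.getArgument(subscriptionContext, callExpression, TLS_SECURITY_POLICY).ifPresentOrElse(
                flow -> flow.addIssueIf(predicate, ENFORCE_MESSAGE),
                () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE));
    }

    /**
     * Builds the consumer for the {@code CfnDomain} constructs.
     *
     * @param str fully qualified name of the matching {@code DomainEndpointOptionsProperty} class
     * @return a consumer that reports {@code domain_endpoint_options} when it is a sensitive options
     *     object or dictionary, or the callee when the argument is omitted
     */
    private static BiConsumer<SubscriptionContext, CallExpression> checkCfnDomain(String str) {
        return (subscriptionContext, callExpression) ->
            CdkUtils.getArgument(subscriptionContext, callExpression, "domain_endpoint_options").ifPresentOrElse(
                flow -> flow.addIssueIf(
                    isSensitiveOptionObj(subscriptionContext, str).or(isSensitiveDictionaryTls(subscriptionContext)),
                    ENFORCE_MESSAGE),
                () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE));
    }

    /**
     * Matches a call to the options class {@code str} whose {@code tls_security_policy} argument is
     * either absent or the TLS 1.0 policy string.
     *
     * @param subscriptionContext context used to resolve the call's arguments
     * @param str fully qualified name of the options class to look for
     * @return a predicate that is false for any expression that is not a call to {@code str}
     */
    private static Predicate<Expression> isSensitiveOptionObj(SubscriptionContext subscriptionContext, String str) {
        return expression -> CdkUtils.getCall(expression, str)
            .map(optionsCall -> CdkUtils.getArgument(subscriptionContext, optionsCall, TLS_SECURITY_POLICY))
            .stream()
            // An options object without tls_security_policy counts as sensitive, same as the TLS 1.0 string.
            .anyMatch(policyArgument -> policyArgument.isEmpty()
                || policyArgument.filter(flow -> flow.hasExpression(CdkPredicate.isString(SENSITIVE_TLS_SECURITY_POLICY))).isPresent());
    }

    /**
     * Matches a dictionary literal that is sensitive according to
     * {@link #hasDictionaryKeyValue(SubscriptionContext, String, Predicate)}.
     *
     * @param subscriptionContext context used to resolve dictionary keys and values
     * @return a predicate that is false for any expression that is not a dictionary literal
     */
    private static Predicate<Expression> isSensitiveDictionaryTls(SubscriptionContext subscriptionContext) {
        // The listing carried decompiler residue here: a raw Optional, a lambda parameter that
        // shadowed the enclosing one, and a cast through an undeclared variable. The typed chain
        // below is the compilable form of the same filter / cast / filter sequence.
        return expression -> Optional.of(expression)
            .filter(candidate -> candidate.is(Tree.Kind.DICTIONARY_LITERAL))
            .map(DictionaryLiteral.class::cast)
            .filter(hasDictionaryKeyValue(subscriptionContext, TLS_SECURITY_POLICY, CdkPredicate.isString(SENSITIVE_TLS_SECURITY_POLICY)))
            .isPresent();
    }

    /**
     * Tests that every resolved entry whose key is the string {@code str} has a value satisfying
     * {@code predicate}.
     *
     * @param subscriptionContext context used to resolve each dictionary element
     * @param str dictionary key to look for
     * @param predicate condition the value of each matching entry must satisfy
     * @return a predicate over dictionary literals
     */
    private static Predicate<DictionaryLiteral> hasDictionaryKeyValue(SubscriptionContext subscriptionContext, String str, Predicate<Expression> predicate) {
        return dictionaryLiteral -> dictionaryLiteral.elements().stream()
            // Elements for which getKeyValuePair yields nothing are dropped from the evaluation.
            .map(element -> CdkUtils.getKeyValuePair(subscriptionContext, element))
            .flatMap(resolved -> resolved.stream())
            .filter(pair -> pair.key.hasExpression(CdkPredicate.isString(str)))
            // allMatch is vacuously true when no key matches, so a dictionary without `str` is also
            // reported by the caller, with ENFORCE_MESSAGE rather than OMITTING_MESSAGE.
            // NOTE(review): this lines up with the missing-argument branch of isSensitiveOptionObj,
            // but confirm it is intended.
            .allMatch(pair -> pair.value.hasExpression(predicate));
    }
}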
