package org.sonar.python.checks.cdk;

import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.python.checks.cdk.CdkUtils;

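/**
 * Rule S6304: raises an issue when an AWS CDK IAM policy statement written in Python grants
 * access to a wildcard resource.
 *
 * <p>Three call sites are inspected:
 * <ul>
 *   <li>{@code aws_cdk.aws_iam.PolicyStatement(...)}, read through the keyword arguments
 *       {@code effect}, {@code actions} and {@code resources};</li>
 *   <li>{@code aws_cdk.aws_iam.PolicyStatement.from_json(...)}, read through the dictionary keys
 *       {@code Effect}, {@code Action} and {@code Resource};</li>
 *   <li>{@code aws_cdk.aws_iam.PolicyDocument.from_json(...)}, where every statement returned by
 *       {@link CdkIamUtils#getPolicyStatements} is checked the same way.</li>
 * </ul>
 *
 * <p>A statement is skipped, and nothing is reported, when either of the following holds:
 * <ul>
 *   <li>its action list resolves and every element starts with {@code "kms:"};</li>
 *   <li>{@link CdkIamUtils#hasNotAllowEffect} returns {@code true} for its effect.</li>
 * </ul>
 *
 * <p>NOTE(review): the KMS exemption is decided from the action names alone. The check never looks
 * at where the statement ends up being attached, so a statement that pairs only {@code kms:}
 * actions with a wildcard resource is not reported by this rule whatever policy it belongs to.
 * Presumably the exemption targets KMS key policies; confirm against the rule description.
 *
 * <p>NOTE(review): how a missing effect is treated depends on
 * {@code CdkIamUtils.hasNotAllowEffect(null)}, which is not visible here; verify that a statement
 * without an explicit effect is still analysed.
 */
@Rule(key = "S6304")
/* loaded from: input_file:org/sonar/python/checks/cdk/ResourceAccessPolicyCheck.class */
public class ResourceAccessPolicyCheck extends AbstractCdkResourceCheck {
    private static final String MESSAGE = "Make sure granting access to all resources is safe here.";
    private static final String SECONDARY_MESSAGE = "Related effect";

    /**
     * Registers one consumer per fully qualified CDK name handled by this rule.
     */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        checkFqn("aws_cdk.aws_iam.PolicyStatement", (ctx, call) -> {
            // Null when the call has no "effect" argument; it is passed on as-is so that the
            // secondary location is only added when an effect expression exists.
            CdkUtils.ExpressionFlow effect = CdkUtils.getArgument(ctx, call, "effect").orElse(null);
            if (hasOnlyKmsActions(ctx, call) || CdkIamUtils.hasNotAllowEffect(effect)) {
                return;
            }
            CdkUtils.getArgument(ctx, call, "resources")
                .flatMap(resources -> CdkIamUtils.getWildcard(ctx, resources))
                .ifPresent(wildcard -> reportWildcardResourceAndEffect(ctx, wildcard, effect));
        });
        checkFqn("aws_cdk.aws_iam.PolicyStatement.from_json", (ctx, call) ->
            CdkIamUtils.getObjectFromJson(ctx, call)
                .ifPresent(statement -> checkPolicyStatement(ctx, statement)));
        // The decompiled listing reused one parameter name for both nested lambdas here, which
        // javac rejects; the two levels are named apart (document, statement).
        checkFqn("aws_cdk.aws_iam.PolicyDocument.from_json", (ctx, call) ->
            CdkIamUtils.getObjectFromJson(ctx, call).ifPresent(document ->
                CdkIamUtils.getPolicyStatements(ctx, document)
                    .forEach(statement -> checkPolicyStatement(ctx, statement))));
    }

    /**
     * Checks one JSON-style policy statement and reports a wildcard found under {@code "Resource"}.
     *
     * <p>The decompiler reports that this method is {@code private} in the original class; the
     * widened modifier is kept as decompiled.
     *
     * @param subscriptionContext context used to resolve expressions and to raise the issue
     * @param dictionaryLiteral the dictionary literal holding the statement
     */
    public static void checkPolicyStatement(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral) {
        List<CdkUtils.ResolvedKeyValuePair> pairs = CdkUtils.resolveDictionary(subscriptionContext, dictionaryLiteral);
        // Null when the statement has no "Effect" key.
        CdkUtils.ExpressionFlow effect = CdkUtils.getDictionaryValue(pairs, "Effect").orElse(null);
        if (hasOnlyKmsActions(subscriptionContext, pairs) || CdkIamUtils.hasNotAllowEffect(effect)) {
            return;
        }
        CdkUtils.getDictionaryValue(pairs, "Resource")
            .flatMap(resource -> CdkIamUtils.getWildcard(subscriptionContext, resource))
            .ifPresent(wildcard -> reportWildcardResourceAndEffect(subscriptionContext, wildcard, effect));
    }

    /**
     * Tells whether the {@code actions} argument of a {@code PolicyStatement(...)} call lists only
     * {@code kms:} actions.
     *
     * @return {@code false} when the argument is absent or {@link CdkUtils#getList} yields nothing
     *     for it, otherwise the result of the list-level check
     */
    private static boolean hasOnlyKmsActions(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        return CdkUtils.getArgument(subscriptionContext, callExpression, "actions")
            .flatMap(CdkUtils::getList)
            .filter(actions -> hasOnlyKmsActions(subscriptionContext, actions))
            .isPresent();
    }

    /**
     * Tells whether the {@code "Action"} entry of a resolved JSON statement lists only
     * {@code kms:} actions.
     *
     * @return {@code false} when the key is absent or {@link CdkUtils#getList} yields nothing for
     *     its value, otherwise the result of the list-level check
     */
    private static boolean hasOnlyKmsActions(SubscriptionContext subscriptionContext, List<CdkUtils.ResolvedKeyValuePair> list) {
        return CdkUtils.getDictionaryValue(list, "Action")
            .flatMap(CdkUtils::getList)
            .filter(actions -> hasOnlyKmsActions(subscriptionContext, actions))
            .isPresent();
    }

    /**
     * Tells whether every element of the list matches {@code CdkPredicate.startsWith("kms:")}.
     *
     * <p>{@code allMatch} is {@code true} on an empty stream, so a list for which
     * {@link CdkUtils#getListElements} returns no elements counts as "only KMS actions" and the
     * statement is skipped by the callers.
     *
     * <p>The decompiler reports that this method is {@code private} in the original class; the
     * widened modifier is kept as decompiled.
     */
    public static boolean hasOnlyKmsActions(SubscriptionContext subscriptionContext, ListLiteral listLiteral) {
        return CdkUtils.getListElements(subscriptionContext, listLiteral).stream()
            .allMatch(action -> action.hasExpression(CdkPredicate.startsWith("kms:")));
    }

    /**
     * Raises the issue on the last expression of the wildcard flow and, when an effect expression
     * is available, attaches it as a secondary location.
     *
     * <p>The decompiler reports that this method is {@code private} in the original class; the
     * widened modifier is kept as decompiled.
     *
     * @param subscriptionContext context the issue is added to
     * @param expressionFlow flow of the wildcard resource; its last expression is the primary location
     * @param expressionFlow2 flow of the effect, or {@code null} when the statement declares none
     */
    public static void reportWildcardResourceAndEffect(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow expressionFlow, CdkUtils.ExpressionFlow expressionFlow2) {
        PythonCheck.PreciseIssue issue = subscriptionContext.addIssue(expressionFlow.getLast(), MESSAGE);
        if (expressionFlow2 != null) {
            issue.secondary(expressionFlow2.asSecondaryLocation(SECONDARY_MESSAGE));
        }
    }
}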
