package org.sonar.python.checks.cdk;

import java.util.Locale;
import java.util.Optional;
import java.util.function.Predicate;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.python.checks.cdk.CdkUtils;

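/**
 * Rule S6304: raises an issue when an allowing IAM policy statement applies to all resources,
 * i.e. when its resources contain a value matched by {@code CdkPredicate.isWildcard()}.
 *
 * <p>Statements are skipped when no action is found that resolves to a string outside the
 * {@code kms:} namespace.
 * NOTE(review): presumably the exemption exists because a wildcard resource in a KMS key policy
 * designates the key the policy is attached to. Confirm against the rule description.
 *
 * <p>Reviewer caveat: an action that {@code CdkUtils.getString} cannot resolve to a string never
 * satisfies {@link #notStartsWith(String)}, so it is counted like a KMS action. A statement whose
 * actions are all unresolvable would therefore be skipped, a possible false negative.
 * This assumes {@code getSensitiveExpression} returns {@code null} when no expression matches
 * the predicate; verify in the parent class.
 */
@Rule(key = "S6304")
public class ResourceAccessPolicyCheck extends AbstractIamPolicyStatementCheck {
    private static final String MESSAGE = "Make sure granting access to all resources is safe here.";
    private static final String SECONDARY_MESSAGE = "Related effect";

    /**
     * Reports the first wildcard resource of an allowing statement, unless the statement lacks
     * resources or actions, or only carries KMS actions.
     *
     * @param policyStatement the statement under analysis; its actions, resources and effect are read
     */
    @Override
    protected void checkAllowingPolicyStatement(PolicyStatement policyStatement) {
        CdkUtils.ExpressionFlow actions = policyStatement.actions();
        CdkUtils.ExpressionFlow resources = policyStatement.resources();
        // Nothing to evaluate without both sides of the statement, and KMS-only statements are exempt.
        if (resources == null || actions == null || hasOnlyKmsActions(actions)) {
            return;
        }
        Optional.ofNullable(getSensitiveExpression(resources, CdkPredicate.isWildcard()))
            .ifPresent(wildcard -> reportWildcardResourceAndEffect(wildcard, policyStatement.effect()));
    }

    /**
     * Tells whether no action outside the {@code kms:} namespace was found.
     *
     * @param expressionFlow the actions of the statement
     * @return {@code true} when {@code getSensitiveExpression} finds no action that resolves to a
     *     string not starting with {@code kms:} (case-insensitive)
     */
    private static boolean hasOnlyKmsActions(CdkUtils.ExpressionFlow expressionFlow) {
        return getSensitiveExpression(expressionFlow, notStartsWith("kms:")) == null;
    }

    /**
     * Builds a predicate that accepts an expression only when it resolves to a string that does
     * not start with the given prefix, ignoring case.
     *
     * <p>Both the resolved value and the prefix are lower-cased with {@link Locale#ROOT}. The
     * original lower-cased only the value, so a prefix containing upper-case letters could never
     * match and every resolvable string was accepted. For an all-lower-case prefix such as
     * {@code "kms:"} the result is unchanged.
     *
     * @param str the prefix to compare against; must not be {@code null}
     * @return a predicate that is {@code false} for expressions that do not resolve to a string
     *     and for strings starting with {@code str}
     * @throws NullPointerException if {@code str} is {@code null} (raised when the predicate is built)
     */
    public static Predicate<Expression> notStartsWith(String str) {
        // Normalise the prefix once rather than on every evaluation of the predicate.
        String loweredPrefix = str.toLowerCase(Locale.ROOT);
        return expression -> CdkUtils.getString(expression)
            .filter(value -> !value.toLowerCase(Locale.ROOT).startsWith(loweredPrefix))
            .isPresent();
    }

    /**
     * Raises the primary issue on the last expression of the wildcard flow and, when the effect
     * is known, attaches it as a secondary location.
     *
     * <p>Decompiler note: JADX widened this method from {@code private} to {@code public}; it is
     * an internal helper of this check.
     *
     * @param expressionFlow the flow leading to the wildcard resource; the issue is placed on its last expression
     * @param expressionFlow2 the flow of the statement's effect, or {@code null} when it is absent
     */
    public static void reportWildcardResourceAndEffect(CdkUtils.ExpressionFlow expressionFlow, @Nullable CdkUtils.ExpressionFlow expressionFlow2) {
        PythonCheck.PreciseIssue issue = expressionFlow.ctx().addIssue(expressionFlow.getLast(), MESSAGE);
        if (expressionFlow2 != null) {
            issue.secondary(expressionFlow2.asSecondaryLocation(SECONDARY_MESSAGE));
        }
    }
}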
