package org.sonar.python.checks.cdk;

import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Predicate;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;

/* loaded from: input_file:org/sonar/python/checks/cdk/UnrestrictedAdministrationCheckPartConnections.class */
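/**
 * Part of the "unrestricted administration" CDK rule covering {@code aws_cdk.aws_ec2.Connections}
 * and {@code aws_cdk.aws_ec2.SecurityGroup.add_ingress_rule}: reports ingress rules that expose an
 * administration port (22 or 3389, see {@link #ADMIN_PORTS}) to every IPv4 or IPv6 address.
 *
 * <p>Two findings are produced:
 * <ul>
 *   <li>{@link #MESSAGE_BAD_PEER}, on the peer argument, when both the peer and the port range are
 *       sensitive — the remediation is to narrow the source range, so the issue points at it;</li>
 *   <li>{@link #MESSAGE_BAD_METHOD}, on the method name, when the method itself implies "any IPv4"
 *       ({@code allow_from_any_ipv4}, {@code allow_default_port_from_any_ipv4}) or when a sensitive
 *       peer is combined with the {@code default_port} of the enclosing {@code Connections(...)}
 *       constructor.</li>
 * </ul>
 *
 * <p>Detection is predicate based (see {@code CdkPredicate}): only the listed fully-qualified names
 * and argument shapes are recognised. TCP and ALL are the only protocols treated as sensitive, and
 * only the exact CIDR strings {@code 0.0.0.0/0} and {@code ::/0} count as "any" peers; broad but
 * non-universal ranges are not reported by this check.
 */
public class UnrestrictedAdministrationCheckPartConnections extends AbstractCdkResourceCheck {
    private static final String MESSAGE_BAD_PEER = "Change this IP range to a subset of trusted IP addresses.";
    private static final String MESSAGE_BAD_METHOD = "Change this method for `allow_from` and set `other` to a subset of trusted IP addresses.";
    private static final String OTHER = "other";
    private static final String PORT_RANGE = "port_range";
    private static final String DEFAULT_PORT = "default_port";
    private static final String CONNECTIONS_FQN = "aws_cdk.aws_ec2.Connections";

    /** Administration ports whose exposure is reported: 22 (SSH) and 3389 (RDP). */
    private static final Set<Long> ADMIN_PORTS = Set.of(22L, 3389L);

    /** Protocols under which an admin port is considered reachable; UDP-only rules are not matched. */
    private static final Predicate<Expression> IS_SENSITIVE_PROTOCOL = CdkPredicate.isFqn("aws_cdk.aws_ec2.Protocol.ALL")
        .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Protocol.TCP"));

    /**
     * A {@code Port} factory/constructor call that includes an administration port:
     * {@code Port.all_tcp()} or {@code Port.all_traffic()}; {@code Port.tcp(port)} with an admin port;
     * {@code Port.tcp_range(start_port, end_port)} whose interval is checked against {@link #ADMIN_PORTS};
     * or {@code Port(protocol=ALL|TCP, from_port=..., to_port=...)} with the same interval check.
     * The exact interval semantics live in {@code CdkPredicate.hasIntervalArguments} — presumably
     * "the interval contains an admin port"; confirm there before relying on edge cases.
     */
    private static final Predicate<Expression> IS_SENSITIVE_PORT = CdkPredicate.isCallExpression().and(
        CdkPredicate.isFqn("aws_cdk.aws_ec2.Port.all_tcp")
            .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Port.all_traffic"))
            .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Port.tcp")
                .and(CdkPredicate.hasArgument("port", 0, CdkPredicate.isNumeric(ADMIN_PORTS))))
            .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Port.tcp_range")
                .and(CdkPredicate.hasIntervalArguments("start_port", 0, "end_port", 1, ADMIN_PORTS)))
            .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Port")
                .and(CdkPredicate.hasArgument("protocol", IS_SENSITIVE_PROTOCOL))
                .and(CdkPredicate.hasIntervalArguments("from_port", "to_port", ADMIN_PORTS))));

    /**
     * A peer meaning "everyone": {@code Peer.any_ipv4()}, {@code Peer.any_ipv6()},
     * {@code Peer.ipv4("0.0.0.0/0")} or {@code Peer.ipv6("::/0")}.
     */
    private static final Predicate<Expression> IS_SENSITIVE_PEER = CdkPredicate.isFqn("aws_cdk.aws_ec2.Peer.any_ipv4")
        .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Peer.any_ipv6"))
        .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Peer.ipv4")
            .and(CdkPredicate.hasArgument("cidr_ip", 0, CdkPredicate.isString("0.0.0.0/0"))))
        .or(CdkPredicate.isFqn("aws_cdk.aws_ec2.Peer.ipv6")
            .and(CdkPredicate.hasArgument("cidr_ip", 0, CdkPredicate.isString("::/0"))));

    /**
     * Registers one consumer per CDK ingress method. Argument names and positions follow the
     * CDK Python signatures: {@code allow_from(other, port_range)},
     * {@code allow_from_any_ipv4(port_range)} and {@code add_ingress_rule(peer, connection)}.
     */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        checkFqn("aws_cdk.aws_ec2.Connections.allow_from", checkPeerAndPortSensitivity(OTHER, PORT_RANGE));
        checkFqn("aws_cdk.aws_ec2.Connections.allow_from_any_ipv4", checkPortSensitivity(PORT_RANGE));
        checkFqn("aws_cdk.aws_ec2.Connections.allow_default_port_from", UnrestrictedAdministrationCheckPartConnections::checkPeerAndDefaultPortInConstructorCall);
        checkFqn("aws_cdk.aws_ec2.Connections.allow_default_port_from_any_ipv4", UnrestrictedAdministrationCheckPartConnections::checkDefaultPortInConstructorCall);
        checkFqn("aws_cdk.aws_ec2.SecurityGroup.add_ingress_rule", checkPeerAndPortSensitivity("peer", "connection"));
    }

    /**
     * {@code allow_default_port_from(other)}: the port is not an argument of this call, so a
     * sensitive {@code other} peer only matters if the receiver's {@code default_port} is sensitive.
     *
     * @param ctx  the subscription context used to resolve arguments and report issues
     * @param call the {@code allow_default_port_from} call expression
     */
    private static void checkPeerAndDefaultPortInConstructorCall(SubscriptionContext ctx, CallExpression call) {
        CdkUtils.getArgument(ctx, call, OTHER, 0)
            .filter(peer -> peer.hasExpression(IS_SENSITIVE_PEER))
            .ifPresent(sensitivePeer -> checkDefaultPortInConstructorCall(ctx, call));
    }

    /**
     * Reports {@link #MESSAGE_BAD_METHOD} on the called method name when the receiver resolves to a
     * {@code Connections(...)} constructor call whose {@code default_port} is a sensitive port.
     *
     * <p>Kept {@code public} to preserve the currently visible signature; the decompiler note on the
     * original indicated it was {@code private}.
     *
     * @param ctx  the subscription context used to resolve the receiver flow and report issues
     * @param call a {@code Connections.allow_default_port_from*} call expression
     */
    public static void checkDefaultPortInConstructorCall(SubscriptionContext ctx, CallExpression call) {
        Expression receiver = call.callee();
        // For `conn.allow_default_port_from_any_ipv4()` the qualifier `conn` is what flows back to
        // the Connections(...) constructor; a bare callee is analysed as-is.
        if (receiver.is(Tree.Kind.QUALIFIED_EXPR)) {
            receiver = ((QualifiedExpression) receiver).qualifier();
        }
        CdkUtils.ExpressionFlow.build(ctx, receiver)
            .getExpression(CdkPredicate.isCallExpression().and(CdkPredicate.isFqn(CONNECTIONS_FQN)))
            // getExpression yields Expression; isCallExpression() above guarantees the cast.
            .map(CallExpression.class::cast)
            .flatMap(constructorCall -> CdkUtils.getArgument(ctx, constructorCall, DEFAULT_PORT))
            .filter(defaultPort -> defaultPort.hasExpression(IS_SENSITIVE_PORT))
            .ifPresent(defaultPort -> ctx.addIssue(getMethodPrimaryLocation(call), MESSAGE_BAD_METHOD));
    }

    /**
     * Builds a consumer reporting {@link #MESSAGE_BAD_PEER} on the peer argument when the peer is
     * "any address" and the port argument covers an administration port.
     *
     * @param peerArgName keyword name of the peer argument (positional index 0)
     * @param portArgName keyword name of the port argument (positional index 1)
     * @return the consumer to register with {@code checkFqn}
     */
    private static BiConsumer<SubscriptionContext, CallExpression> checkPeerAndPortSensitivity(String peerArgName, String portArgName) {
        return (ctx, call) -> CdkUtils.getArgument(ctx, call, peerArgName, 0)
            .filter(peer -> peer.hasExpression(IS_SENSITIVE_PEER))
            // Evaluate the port only once a sensitive peer is found; the peer flow is kept so the
            // issue lands on the argument the user has to narrow.
            .filter(peer -> hasSensitivePort(ctx, call, portArgName, 1))
            .ifPresent(peer -> peer.addIssue(MESSAGE_BAD_PEER, new IssueLocation[0]));
    }

    /**
     * Builds a consumer for methods that already imply "any IPv4" ({@code allow_from_any_ipv4}):
     * reports {@link #MESSAGE_BAD_METHOD} on the method name when the port argument is sensitive.
     *
     * @param portArgName keyword name of the port argument (positional index 0)
     * @return the consumer to register with {@code checkFqn}
     */
    private static BiConsumer<SubscriptionContext, CallExpression> checkPortSensitivity(String portArgName) {
        return (ctx, call) -> {
            if (hasSensitivePort(ctx, call, portArgName, 0)) {
                ctx.addIssue(getMethodPrimaryLocation(call), MESSAGE_BAD_METHOD);
            }
        };
    }

    /**
     * Whether the given argument of {@code call} resolves to a sensitive port (see {@link #IS_SENSITIVE_PORT}).
     *
     * @param ctx         the subscription context used to resolve the argument
     * @param call        the call whose argument is inspected
     * @param portArgName keyword name of the port argument
     * @param position    positional index of the port argument
     * @return {@code true} when the argument is present and matches {@link #IS_SENSITIVE_PORT}
     */
    private static boolean hasSensitivePort(SubscriptionContext ctx, CallExpression call, String portArgName, int position) {
        return CdkUtils.getArgument(ctx, call, portArgName, position)
            .filter(port -> port.hasExpression(IS_SENSITIVE_PORT))
            .isPresent();
    }

    /**
     * Location used for method-level issues: the method name of a qualified callee
     * ({@code conn.allow_from} → {@code allow_from}), otherwise the callee itself.
     *
     * @param call the call expression being reported
     * @return the expression the issue is attached to
     */
    private static Expression getMethodPrimaryLocation(CallExpression call) {
        Expression callee = call.callee();
        return callee.is(Tree.Kind.QUALIFIED_EXPR) ? ((QualifiedExpression) callee).name() : callee;
    }
}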
