package org.sonar.python.checks.cdk;

import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.ListLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.TreeUtils;

/* loaded from: input_file:org/sonar/python/checks/cdk/ClearTextProtocolsCheckPart.class */
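/**
 * Flags AWS CDK constructs (as written in Python) that are configured to carry traffic or
 * store stream data without encryption.
 *
 * <p>Each rule is registered in {@link #registerFqnConsumer()} against the fully qualified
 * name of a CDK construct. The rules cover:
 * <ul>
 *   <li>Classic load balancer listeners ({@code aws_elasticloadbalancing}) using HTTP or TCP.</li>
 *   <li>Application and network load balancer listeners ({@code aws_elasticloadbalancingv2})
 *       using HTTP, TCP, UDP or TCP_UDP.</li>
 *   <li>ElastiCache replication groups with transit encryption disabled or omitted.</li>
 *   <li>Kinesis streams with stream encryption disabled (and, for {@code CfnStream}, omitted).</li>
 * </ul>
 *
 * <p>All issues use "make sure it is safe here" wording, so a finding asks for review rather
 * than asserting a defect.
 */
public class ClearTextProtocolsCheckPart extends AbstractCdkResourceCheck {
    private static final String LB_MESSAGE = "Make sure that using network protocols without an SSL/TLS underlay is safe here.";
    private static final String ELASTICACHE_MESSAGE = "Make sure that disabling transit encryption is safe here.";
    private static final String KINESIS_MESSAGE = "Make sure that disabling stream encryption is safe here.";
    private static final String OMITTING_MESSAGE = "Omitting `%s` causes %s encryption to be disabled. Make sure it is safe here.";
    private static final String PROTOCOL = "protocol";
    private static final String EXTERNAL_PROTOCOL_SNAKE_CASE = "external_protocol";
    private static final String EXTERNAL_PROTOCOL_CAMEL_CASE = "externalProtocol";
    private static final String LISTENERS = "listeners";

    // Ports treated as implying plain HTTP when an application listener gives a port but no
    // explicit protocol. NOTE(review): presumably mirrors how the CDK infers the protocol from
    // the port; a listener on any other port with no protocol argument is not flagged.
    private static final Set<Integer> HTTP_PROTOCOL_PORTS = Set.of(80, 8080, 8000, 8008);

    /** Names and sensitive values for the classic Elastic Load Balancing module. */
    public static class Elb {
        // Enum members that select an unencrypted listener protocol.
        private static final Set<String> SENSITIVE_TRANSPORT_PROTOCOL_FQNS = Set.of(prefix("LoadBalancingProtocol.TCP"), prefix("LoadBalancingProtocol.HTTP"));
        // String values compared against the `protocol` property of Cfn-level listeners.
        private static final Set<String> SENSITIVE_TRANSPORT_PROTOCOLS = Set.of("http", "tcp");

        private Elb() {
        }

        /** Qualifies {@code str} with the {@code aws_cdk.aws_elasticloadbalancing} module name. */
        static String prefix(String str) {
            return "aws_cdk.aws_elasticloadbalancing." + str;
        }
    }

    /** Names and sensitive values for the Elastic Load Balancing v2 module. */
    public static class Elbv2 {
        private static final String SENSITIVE_HTTP_PROTOCOL_FQN = prefix("ApplicationProtocol.HTTP");
        private static final Set<String> SENSITIVE_TRANSPORT_PROTOCOL_FQNS = Set.of(prefix("Protocol.TCP"), prefix("Protocol.UDP"), prefix("Protocol.TCP_UDP"));
        // String values compared against the `protocol` property of CfnListener.
        private static final Set<String> SENSITIVE_TRANSPORT_PROTOCOLS = Set.of("HTTP", "TCP", "UDP", "TCP_UDP");

        private Elbv2() {
        }

        /** Qualifies {@code str} with the {@code aws_cdk.aws_elasticloadbalancingv2} module name. */
        static String prefix(String str) {
            return "aws_cdk.aws_elasticloadbalancingv2." + str;
        }
    }

    /** Names and sensitive values for the Kinesis module. */
    public static class Kinesis {
        private static final String SENSITIVE_STREAM_ENCRYPTION_FQN = prefix("StreamEncryption.UNENCRYPTED");

        private Kinesis() {
        }

        /** Qualifies {@code str} with the {@code aws_cdk.aws_kinesis} module name. */
        static String prefix(String str) {
            return "aws_cdk.aws_kinesis." + str;
        }
    }

    /**
     * Registers one consumer per CDK construct. Each consumer looks up the relevant argument
     * of the call and raises an issue when its value selects an unencrypted configuration.
     */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        // Classic ELB, L2 constructs: `external_protocol` given as an enum member.
        checkFqns(List.of(Elb.prefix("LoadBalancerListener"), Elb.prefix("LoadBalancer.add_listener")), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, EXTERNAL_PROTOCOL_SNAKE_CASE).ifPresent(flow ->
                flow.addIssueIf(isSensitiveTransportProtocolFqn(Elb.SENSITIVE_TRANSPORT_PROTOCOL_FQNS), LB_MESSAGE, new IssueLocation[0])));

        // Classic ELB: listeners passed as a list of dictionaries to the LoadBalancer constructor.
        checkFqn(Elb.prefix("LoadBalancer"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, LISTENERS).flatMap(CdkUtils::getList).ifPresent(listeners ->
                CdkUtils.getDictionaryInList(ctx, listeners).forEach(dict -> checkLoadBalancerListenerDict(ctx, dict))));

        // Classic ELB, Cfn level: same shape, but the dictionaries carry a string `protocol`.
        checkFqn(Elb.prefix("CfnLoadBalancer"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, LISTENERS).flatMap(CdkUtils::getList).ifPresent(listeners ->
                CdkUtils.getDictionaryInList(ctx, listeners).forEach(dict -> checkCfnLoadBalancerListenerDict(ctx, dict))));

        checkFqn(Elb.prefix("CfnLoadBalancer.ListenersProperty"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PROTOCOL).ifPresent(flow ->
                flow.addIssueIf(isSensitiveTransportProtocol(Elb.SENSITIVE_TRANSPORT_PROTOCOLS), LB_MESSAGE, new IssueLocation[0])));

        // Application listeners: an explicit HTTP protocol is flagged; when `protocol` is
        // absent the `port` argument is checked against the known HTTP ports instead.
        // If neither argument is present no issue is raised.
        checkFqns(List.of(Elbv2.prefix("ApplicationListener"), Elbv2.prefix("ApplicationLoadBalancer.add_listener")), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PROTOCOL).ifPresentOrElse(
                flow -> flow.addIssueIf(CdkPredicate.isFqn(Elbv2.SENSITIVE_HTTP_PROTOCOL_FQN), LB_MESSAGE, new IssueLocation[0]),
                () -> CdkUtils.getArgument(ctx, call, "port").ifPresent(portFlow ->
                    portFlow.addIssueIf(isSensitiveHttpProtocolPort(), LB_MESSAGE, new IssueLocation[0]))));

        // Network listeners: an explicit TCP/UDP/TCP_UDP protocol is flagged. When `protocol`
        // is absent, an empty or missing `certificates` argument is flagged on the call itself.
        // NOTE(review): presumably because the listener then falls back to plain TCP - confirm
        // against the CDK default.
        checkFqns(List.of(Elbv2.prefix("NetworkListener"), Elbv2.prefix("NetworkLoadBalancer.add_listener")), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PROTOCOL).ifPresentOrElse(
                flow -> flow.addIssueIf(isSensitiveTransportProtocolFqn(Elbv2.SENSITIVE_TRANSPORT_PROTOCOL_FQNS), LB_MESSAGE, new IssueLocation[0]),
                () -> CdkUtils.getArgument(ctx, call, "certificates").ifPresentOrElse(
                    certificatesFlow -> certificatesFlow.addIssueIf(isEmpty(), LB_MESSAGE, call),
                    () -> ctx.addIssue(call, LB_MESSAGE))));

        checkFqn(Elbv2.prefix("CfnListener"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, PROTOCOL).ifPresent(flow ->
                flow.addIssueIf(isSensitiveTransportProtocol(Elbv2.SENSITIVE_TRANSPORT_PROTOCOLS), LB_MESSAGE, new IssueLocation[0])));

        // ElastiCache: both an explicit False and an omitted argument are reported, the
        // latter on the callee with the "omitting" message.
        checkFqn("aws_cdk.aws_elasticache.CfnReplicationGroup", (ctx, call) ->
            CdkUtils.getArgument(ctx, call, "transit_encryption_enabled").ifPresentOrElse(
                flow -> flow.addIssueIf(CdkPredicate.isFalse(), ELASTICACHE_MESSAGE, new IssueLocation[0]),
                () -> ctx.addIssue(call.callee(), String.format(OMITTING_MESSAGE, "transit_encryption_enabled", "transit"))));

        // Kinesis CfnStream: an explicit None and an omitted argument are both reported.
        checkFqn(Kinesis.prefix("CfnStream"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, "stream_encryption").ifPresentOrElse(
                flow -> flow.addIssueIf(CdkPredicate.isNone(), KINESIS_MESSAGE, new IssueLocation[0]),
                () -> ctx.addIssue(call.callee(), String.format(OMITTING_MESSAGE, "stream_encryption", "stream"))));

        // Kinesis Stream (L2): only an explicit StreamEncryption.UNENCRYPTED is reported;
        // omitting `encryption` raises nothing here.
        checkFqn(Kinesis.prefix("Stream"), (ctx, call) ->
            CdkUtils.getArgument(ctx, call, "encryption").ifPresent(flow ->
                flow.addIssueIf(CdkPredicate.isFqn(Kinesis.SENSITIVE_STREAM_ENCRYPTION_FQN), KINESIS_MESSAGE, new IssueLocation[0])));
    }

    /**
     * Checks one listener dictionary passed to the classic {@code LoadBalancer} construct.
     * The external protocol key is accepted in both snake_case and camelCase spelling.
     *
     * @param subscriptionContext context used to resolve values and report issues
     * @param dictionaryLiteral the listener dictionary to inspect
     */
    public static void checkLoadBalancerListenerDict(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral) {
        checkKeyValuePair(subscriptionContext, dictionaryLiteral, Set.of(EXTERNAL_PROTOCOL_SNAKE_CASE, EXTERNAL_PROTOCOL_CAMEL_CASE), isSensitiveTransportProtocolFqn(Elb.SENSITIVE_TRANSPORT_PROTOCOL_FQNS));
    }

    /**
     * Checks one listener dictionary passed to the classic {@code CfnLoadBalancer} construct,
     * where the protocol is a plain string under the {@code protocol} key.
     *
     * @param subscriptionContext context used to resolve values and report issues
     * @param dictionaryLiteral the listener dictionary to inspect
     */
    public static void checkCfnLoadBalancerListenerDict(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral) {
        checkKeyValuePair(subscriptionContext, dictionaryLiteral, PROTOCOL, isSensitiveTransportProtocol(Elb.SENSITIVE_TRANSPORT_PROTOCOLS));
    }

    /** Single-key convenience overload of {@link #checkKeyValuePair(SubscriptionContext, DictionaryLiteral, Set, Predicate)}. */
    private static void checkKeyValuePair(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral, String str, Predicate<Expression> predicate) {
        checkKeyValuePair(subscriptionContext, dictionaryLiteral, Set.of(str), predicate);
    }

    /**
     * Looks up the first of {@code set}'s keys that is present in the dictionary and raises
     * {@code LB_MESSAGE} on its value when {@code predicate} matches. Only one key is examined
     * even if several are present; the iteration order of {@code set} decides which.
     */
    private static void checkKeyValuePair(SubscriptionContext subscriptionContext, DictionaryLiteral dictionaryLiteral, Set<String> set, Predicate<Expression> predicate) {
        set.stream()
            .map(key -> CdkUtils.getDictionaryPair(subscriptionContext, dictionaryLiteral, key))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .findFirst()
            .ifPresent(pair -> pair.value.addIssueIf(predicate, LB_MESSAGE, new IssueLocation[0]));
    }

    /** Matches a list literal that has no elements. Any other expression kind does not match. */
    private static Predicate<Expression> isEmpty() {
        return expression -> expression.is(Tree.Kind.LIST_LITERAL) && ((ListLiteral) expression).elements().expressions().isEmpty();
    }

    /**
     * Matches an expression whose string value (as resolved by {@code CdkUtils.getString}) is
     * one of the given protocol names.
     *
     * <p>NOTE(review): the comparison is exact and case-sensitive, and the two callers pass
     * differently cased sets ({@code "http"}/{@code "tcp"} for Elb, upper case for Elbv2).
     * Confirm this matches the spellings each resource accepts, otherwise a differently cased
     * clear-text protocol would go unreported.
     */
    private static Predicate<Expression> isSensitiveTransportProtocol(Collection<String> collection) {
        // The decompiled source referenced an undefined `r1` here; it stands for `collection`.
        return expression -> CdkUtils.getString(expression).filter(collection::contains).isPresent();
    }

    /**
     * Matches an expression whose fully qualified name is one of the given names.
     * An expression with no resolvable fully qualified name does not match.
     */
    private static Predicate<Expression> isSensitiveTransportProtocolFqn(Collection<String> collection) {
        return expression -> Optional.ofNullable(TreeUtils.fullyQualifiedNameFromExpression(expression))
            .filter(collection::contains)
            .isPresent();
    }

    /** Matches an expression whose integer value is one of {@code HTTP_PROTOCOL_PORTS}. */
    private static Predicate<Expression> isSensitiveHttpProtocolPort() {
        return expression -> CdkUtils.getInt(expression).filter(HTTP_PROTOCOL_PORTS::contains).isPresent();
    }
}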
