package org.sonar.python.checks.cdk;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.DictionaryLiteral;
import org.sonar.plugins.python.api.tree.DictionaryLiteralElement;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.KeyValuePair;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;

@Rule(key = "S6308")
/* loaded from: input_file:org/sonar/python/checks/cdk/DisabledESDomainEncryptionCheck.class */
public class DisabledESDomainEncryptionCheck extends AbstractCdkResourceCheck {
    private static final String OMITTING_MESSAGE = "Omitting %s causes encryption of data at rest to be disabled for this %s domain. Make sure it is safe here.";
    private static final String UNENCRYPTED_MESSAGE = "Make sure that using unencrypted %s domains is safe here.";
    private static final String ENABLED = "enabled";
    private static final String OPENSEARCH = "OpenSearch";
    private static final String ELASTICSEARCH = "Elasticsearch";

    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        checkFqn("aws_cdk.aws_opensearchservice.Domain", checkDomain("encryption_at_rest", "aws_cdk.aws_opensearchservice.EncryptionAtRestOptions", OPENSEARCH));
        checkFqn("aws_cdk.aws_opensearchservice.CfnDomain", checkDomain("encryption_at_rest_options", "aws_cdk.aws_opensearchservice.CfnDomain.EncryptionAtRestOptionsProperty", OPENSEARCH));
        checkFqn("aws_cdk.aws_elasticsearch.Domain", checkDomain("encryption_at_rest", "aws_cdk.aws_elasticsearch.EncryptionAtRestOptions", ELASTICSEARCH));
        checkFqn("aws_cdk.aws_elasticsearch.CfnDomain", checkDomain("encryption_at_rest_options", "aws_cdk.aws_elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty", ELASTICSEARCH));
    }

    private static BiConsumer<SubscriptionContext, CallExpression> checkDomain(String str, String str2, String str3) {
        return (subscriptionContext, callExpression) -> {
            CdkUtils.getArgument(subscriptionContext, callExpression, str).ifPresentOrElse(expressionFlow -> {
                expressionFlow.addIssueIf(isSensitiveOptionObj(subscriptionContext, str2).or(isSensitiveOptionDict(subscriptionContext)), unencryptedMessage(str3), new IssueLocation[0]);
            }, () -> {
                subscriptionContext.addIssue(callExpression.callee(), omittingMessage(str, str3));
            });
        };
    }

    private static String omittingMessage(String str, String str2) {
        return String.format(OMITTING_MESSAGE, str, str2);
    }

    private static String unencryptedMessage(String str) {
        return String.format(UNENCRYPTED_MESSAGE, str);
    }

    private static Predicate<Expression> isSensitiveOptionObj(SubscriptionContext subscriptionContext, String str) {
        return expression -> {
            return CdkUtils.getCall(expression, str).map(callExpression -> {
                return CdkUtils.getArgument(subscriptionContext, callExpression, ENABLED);
            }).stream().anyMatch(optional -> {
                return optional.isEmpty() || optional.filter(expressionFlow -> {
                    return expressionFlow.hasExpression(CdkPredicate.isFalse());
                }).isPresent();
            });
        };
    }

    private static Predicate<Expression> isSensitiveOptionDict(SubscriptionContext subscriptionContext) {
        return expression -> {
            return expression.is(Tree.Kind.DICTIONARY_LITERAL) && asDictionaryKeyValuePairs(expression).filter(isKey(ENABLED)).allMatch(isValueFalse(subscriptionContext));
        };
    }

    private static Stream<KeyValuePair> asDictionaryKeyValuePairs(Expression expression) {
        Stream<DictionaryLiteralElement> filter = asDictionaryElements(expression).filter(dictionaryLiteralElement -> {
            return dictionaryLiteralElement.is(Tree.Kind.KEY_VALUE_PAIR);
        });
        Class<KeyValuePair> cls = KeyValuePair.class;
        Objects.requireNonNull(KeyValuePair.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        });
    }

    private static Stream<DictionaryLiteralElement> asDictionaryElements(Expression expression) {
        Optional filter = Optional.of(expression).filter(expression2 -> {
            return expression2.is(Tree.Kind.DICTIONARY_LITERAL);
        });
        Class<DictionaryLiteral> cls = DictionaryLiteral.class;
        Objects.requireNonNull(DictionaryLiteral.class);
        return ((List) filter.map((v1) -> {
            return r1.cast(v1);
        }).map((v0) -> {
            return v0.elements();
        }).orElse(Collections.emptyList())).stream();
    }

    private static Predicate<KeyValuePair> isKey(String str) {
        return keyValuePair -> {
            Optional filter = Optional.of(keyValuePair).map((v0) -> {
                return v0.key();
            }).filter(expression -> {
                return expression.is(Tree.Kind.STRING_LITERAL);
            });
            Class<StringLiteral> cls = StringLiteral.class;
            Objects.requireNonNull(StringLiteral.class);
            return filter.map((v1) -> {
                return r1.cast(v1);
            }).filter(stringLiteral -> {
                return stringLiteral.trimmedQuotesValue().equals(str);
            }).isPresent();
        };
    }

    private static Predicate<KeyValuePair> isValueFalse(SubscriptionContext subscriptionContext) {
        return keyValuePair -> {
            return CdkUtils.ExpressionFlow.build(subscriptionContext, keyValuePair.value()).hasExpression(CdkPredicate.isFalse());
        };
    }
}
