package org.sonar.python.checks.cdk;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.ImportFrom;
import org.sonar.plugins.python.api.tree.QualifiedExpression;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;

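@Rule(key = "S6265")
/* loaded from: input_file:org/sonar/python/checks/cdk/S3BucketGrantedAccessCheck.class */
/**
 * Rule S6265: flags AWS CDK (Python) code that widens access to the objects of an S3 bucket.
 *
 * <p>Two patterns are reported:
 * <ul>
 *   <li>an {@code aws_s3.Bucket} or {@code aws_s3_deployment.BucketDeployment} construct whose
 *       {@code access_control} argument resolves to one of the canned ACLs listed in
 *       {@link #S3_BUCKET_SENSITIVE_POLICIES}, reported with {@link #MESSAGE_POLICY};</li>
 *   <li>any call whose callee is named {@code grant_public_access}, reported with
 *       {@link #MESSAGE_GRANT}, but only once a {@code from aws_cdk... import ...} statement has
 *       been seen in the current file.</li>
 * </ul>
 *
 * <p>Detection limits a reviewer tuning this rule should know (all visible in the code below):
 * the {@code grant_public_access} match is by callee name only, the receiver is not resolved to a
 * bucket type; the {@code aws_cdk} gate only observes {@code from ... import} statements, so a plain
 * {@code import aws_cdk} never arms it; and the gate is order dependent, so a call that precedes
 * the import in the file is not reported. These are false-negative risks for the second pattern,
 * not crashes.
 */
public class S3BucketGrantedAccessCheck extends AbstractS3BucketCheck {
    public static final String MESSAGE_POLICY = "Make sure granting %s access is safe here.";
    public static final String MESSAGE_GRANT = "Make sure allowing unrestricted access to objects from this bucket is safe here.";
    /** Per-file flag: set by {@link #checkAWSImport}, cleared on every FILE_INPUT node. */
    private boolean isAwsCdkImported = false;
    /** Module name segment that arms {@link #isAwsCdkImported}. */
    private static final String AWS_CDK_MODULE = "aws_cdk";
    /** Method name reported as {@link #MESSAGE_GRANT} when the file imports aws_cdk. */
    private static final String GRANT_PUBLIC_ACCESS = "grant_public_access";
    private static final String S3_BUCKET_DEPLOYMENT_FQN = "aws_cdk.aws_s3_deployment.BucketDeployment";
    /** Constructors whose {@code access_control} keyword argument is inspected. */
    private static final List<String> S3_BUCKET_FQNS = List.of("aws_cdk.aws_s3.Bucket", S3_BUCKET_DEPLOYMENT_FQN);
    // AUTHENTICATED_READ is treated as sensitive alongside the PUBLIC_* ACLs because the S3
    // "authenticated-read" canned ACL grants read to any authenticated AWS user, not only to
    // principals of the bucket owner's account.
    private static final String S3_BUCKET_AUTHENTICATED_READ = "aws_cdk.aws_s3.BucketAccessControl.AUTHENTICATED_READ";
    private static final String S3_BUCKET_PUBLIC_READ = "aws_cdk.aws_s3.BucketAccessControl.PUBLIC_READ";
    private static final String S3_BUCKET_PUBLIC_READ_WRITE = "aws_cdk.aws_s3.BucketAccessControl.PUBLIC_READ_WRITE";
    /** Fully qualified names of the {@code BucketAccessControl} members that trigger an issue. */
    private static final List<String> S3_BUCKET_SENSITIVE_POLICIES = List.of(S3_BUCKET_AUTHENTICATED_READ, S3_BUCKET_PUBLIC_READ, S3_BUCKET_PUBLIC_READ_WRITE);

    /**
     * Registers, in addition to the call-expression visitor installed by the superclass, a reset of
     * the import flag at the start of each file and the {@code from ... import} observer.
     */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck, org.sonar.plugins.python.api.SubscriptionCheck
    public void initialize(SubscriptionCheck.Context context) {
        super.initialize(context);
        // A new file must not inherit the import flag left behind by the previous one.
        context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, ctx -> isAwsCdkImported = false);
        context.registerSyntaxNodeConsumer(Tree.Kind.IMPORT_FROM, this::checkAWSImport);
    }

    /**
     * Arms {@link #isAwsCdkImported} when a {@code from X import ...} statement names
     * {@code aws_cdk} in any segment of its dotted module path (not only the first segment; kept
     * as in the original behaviour). Relative imports such as {@code from . import x} have no
     * module and are ignored.
     *
     * @param ctx subscription context whose syntax node is an {@link ImportFrom}
     */
    private void checkAWSImport(SubscriptionContext ctx) {
        ImportFrom importFrom = (ImportFrom) ctx.syntaxNode();
        if (importFrom.module() == null) {
            return;
        }
        boolean namesAwsCdk = importFrom.module().names().stream()
            .anyMatch(segment -> AWS_CDK_MODULE.equals(segment.name()));
        if (namesAwsCdk) {
            isAwsCdkImported = true;
        }
    }

    /**
     * Inspects one call expression: bucket constructors are handed to
     * {@link #visitBucketConstructor()}, and {@code grant_public_access} calls are reported directly
     * when the file has imported aws_cdk. The two checks are independent of each other.
     *
     * @param ctx subscription context whose syntax node is a {@link CallExpression}
     */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void visitNode(SubscriptionContext ctx) {
        CallExpression call = (CallExpression) ctx.syntaxNode();
        if (isBucketConstructor(call)) {
            visitBucketConstructor().accept(ctx, call);
        }
        // Name-only match: the receiver type is not resolved, so the aws_cdk import gate is what
        // keeps unrelated methods that happen to be called grant_public_access out of the results.
        if (isAwsCdkImported && isGrantPublicAccessCall(call)) {
            ctx.addIssue(call.callee(), MESSAGE_GRANT);
        }
    }

    /** True when the callee symbol's fully qualified name is one of {@link #S3_BUCKET_FQNS}. */
    private static boolean isBucketConstructor(CallExpression call) {
        return Optional.ofNullable(call.calleeSymbol())
            .map(symbol -> symbol.fullyQualifiedName())
            .filter(S3_BUCKET_FQNS::contains)
            .isPresent();
    }

    /** True when the callee symbol's simple name is {@code grant_public_access}. */
    private static boolean isGrantPublicAccessCall(CallExpression call) {
        return Optional.ofNullable(call.calleeSymbol())
            .map(symbol -> symbol.name())
            .filter(GRANT_PUBLIC_ACCESS::equals)
            .isPresent();
    }

    /**
     * Reports a bucket constructor whose {@code access_control} argument resolves to a sensitive
     * {@code BucketAccessControl} member. Constructors without that argument are left alone.
     */
    @Override // org.sonar.python.checks.cdk.AbstractS3BucketCheck
    BiConsumer<SubscriptionContext, CallExpression> visitBucketConstructor() {
        return (ctx, bucketCall) -> CdkUtils.getArgument(ctx, bucketCall, "access_control")
            .ifPresent(flow -> flow.addIssueIf(
                CdkPredicate.isFqnOf(S3_BUCKET_SENSITIVE_POLICIES),
                getSensitivePolicyMessage(flow),
                new IssueLocation[0]));
    }

    /**
     * Builds the {@link #MESSAGE_POLICY} text from the access level the argument resolves to, e.g.
     * {@code "PUBLIC_READ"} for {@code BucketAccessControl.PUBLIC_READ}.
     *
     * <p>The message is computed eagerly, before {@code addIssueIf} evaluates its predicate, so it
     * must not assume the resolved expression is a {@link QualifiedExpression}: an
     * {@code access_control} written as a bare name, a string literal or any other expression shape
     * previously hit an unchecked cast and aborted the analysis of the file with a
     * {@code ClassCastException}. Other shapes now fall back to the text of the expression's last
     * token, which for a bare name is the name itself.
     *
     * @param flow resolved flow of the {@code access_control} argument
     * @return the formatted issue message
     */
    private static String getSensitivePolicyMessage(CdkUtils.ExpressionFlow flow) {
        Tree resolved = flow.locations().getLast();
        String accessLevel;
        if (resolved instanceof QualifiedExpression) {
            accessLevel = ((QualifiedExpression) resolved).name().name();
        } else {
            accessLevel = resolved.lastToken().value();
        }
        return String.format(MESSAGE_POLICY, accessLevel);
    }
}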
