package org.sonar.python.checks.cdk;

import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.StringLiteral;
import org.sonar.python.checks.cdk.CdkUtils;

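@Rule(key = "S6317")
/**
 * Rule S6317: reports IAM "Allow" policy statements that grant a privilege-escalation-prone
 * action (see {@link #SENSITIVE_ACTIONS}) on a wildcard resource (see {@link #SENSITIVE_RESOURCE_PATTERN}).
 * The issue is raised on the resource expression, with the offending action as a secondary location.
 *
 * <p>Statements that carry explicit principals or conditions are not examined by this rule.
 */
public class IamPrivilegeEscalationCheck extends AbstractIamPolicyStatementCheck {
    private static final String ISSUE_MESSAGE_FORMAT = "This policy is vulnerable to the \"%s\" privilege escalation vector. Remove permissions or restrict the set of resources they apply to.";
    private static final String SECONDARY_MESSAGE = "Permissions are granted on all resources.";

    // Either a bare "*" resource, or an ARN whose role/user/group component is a wildcard.
    private static final Pattern SENSITIVE_RESOURCE_PATTERN = Pattern.compile("(^\\*$)|(arn:.*:(role|user|group)/\\*)");

    // Actions that, when allowed on wildcard resources, can be used to obtain broader privileges.
    private static final Set<String> SENSITIVE_ACTIONS = Set.of(
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:AttachUserPolicy",
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "sts:AssumeRole",
        "iam:PutUserPolicy",
        "iam:PutGroupPolicy",
        "iam:PutRolePolicy",
        "iam:AddUserToGroup",
        "iam:UpdateAssumeRolePolicy",
        "iam:PassRole",
        "ec2:RunInstances",
        "lambda:CreateFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:CreateEventSourceMapping",
        "cloudformation:CreateStack",
        "datapipeline:CreatePipeline",
        "datapipeline:PutPipelineDefinition",
        "glue:CreateDevEndpoint",
        "glue:UpdateDevEndpoint",
        "lambda:UpdateFunctionCode");

    // Human-readable vector name interpolated into ISSUE_MESSAGE_FORMAT. Sensitive actions that are
    // absent from this map are reported with an empty name (see reportSensitiveActionAndResource).
    // NOTE(review): "Update Login Profile " carries a trailing space, and "sts:AssumeRole" maps to
    // "Attach Role Policy"; both look like upstream typos but are kept verbatim so reported messages
    // do not change — confirm against the rule's reference description before editing.
    private static final Map<String, String> ATTACK_VECTOR_NAMES = Map.of(
        "iam:CreatePolicyVersion", "Create Policy Version",
        "iam:SetDefaultPolicyVersion", "Set Default Policy Version",
        "iam:CreateAccessKey", "Create Access Key",
        "iam:CreateLoginProfile", "Create Login Profile",
        "iam:UpdateLoginProfile", "Update Login Profile ",
        "iam:AttachUserPolicy", "Attach User Policy",
        "iam:AttachGroupPolicy", "Attach Group Policy",
        "iam:AttachRolePolicy", "Attach Role Policy",
        "sts:AssumeRole", "Attach Role Policy");

    /**
     * Examines one allowing statement and reports it when a sensitive action is granted on a
     * wildcard resource.
     *
     * @param policyStatement the statement to check; skipped when its actions or resources cannot
     *     be resolved, or when it declares principals or conditions
     */
    @Override
    protected void checkAllowingPolicyStatement(PolicyStatement policyStatement) {
        CdkUtils.ExpressionFlow actions = policyStatement.actions();
        CdkUtils.ExpressionFlow resources = policyStatement.resources();
        boolean unresolved = actions == null || resources == null;
        // Statements narrowed by principals or conditions are out of scope for this rule.
        boolean scoped = policyStatement.principals() != null || policyStatement.conditions() != null;
        if (unresolved || scoped) {
            return;
        }
        CdkUtils.ExpressionFlow sensitiveAction = getSensitiveExpression(actions, CdkPredicate.isString(SENSITIVE_ACTIONS));
        CdkUtils.ExpressionFlow sensitiveResource = getSensitiveExpression(resources, CdkPredicate.matches(SENSITIVE_RESOURCE_PATTERN));
        // Both halves are required: a sensitive action alone, or a wildcard resource alone, is not reported.
        if (sensitiveAction == null || sensitiveResource == null) {
            return;
        }
        reportSensitiveActionAndResource(sensitiveAction, sensitiveResource);
    }

    /**
     * Resolves the human-readable attack vector name for the action held by {@code actionFlow}.
     *
     * @param actionFlow flow of the sensitive action expression
     * @return the name from {@link #ATTACK_VECTOR_NAMES}, or empty when the action is not a string
     *     literal or has no mapped name
     */
    private static Optional<String> getAttackVectorName(CdkUtils.ExpressionFlow actionFlow) {
        return actionFlow.getExpression(CdkPredicate.isStringLiteral())
            .map(StringLiteral.class::cast)
            .map(StringLiteral::trimmedQuotesValue)
            // Map#get yields null for unknown actions, which Optional#map turns into an empty Optional.
            .map(ATTACK_VECTOR_NAMES::get);
    }

    /**
     * Raises the issue on the wildcard resource, pointing at the sensitive action as a secondary location.
     *
     * @param sensitiveAction flow of the action that enables the escalation vector
     * @param sensitiveResource flow of the resource expression matching {@link #SENSITIVE_RESOURCE_PATTERN}
     */
    private static void reportSensitiveActionAndResource(CdkUtils.ExpressionFlow sensitiveAction, CdkUtils.ExpressionFlow sensitiveResource) {
        String vectorName = getAttackVectorName(sensitiveAction).orElse(StringUtils.EMPTY);
        sensitiveResource.addIssue(
            String.format(ISSUE_MESSAGE_FORMAT, vectorName),
            sensitiveAction.asSecondaryLocation(SECONDARY_MESSAGE));
    }
}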
