package org.zalando.stups.fullstop.plugin.instance;

import com.amazonaws.AmazonClientException;
import com.amazonaws.regions.Region;
import com.amazonaws.services.cloudtrail.processinglibrary.model.CloudTrailEvent;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.ec2.model.DescribeSecurityGroupsRequest;
import com.amazonaws.services.ec2.model.IpPermission;
import com.amazonaws.services.ec2.model.SecurityGroup;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.zalando.stups.fullstop.aws.ClientProvider;
import org.zalando.stups.fullstop.events.CloudTrailEventPredicate;
import org.zalando.stups.fullstop.events.CloudTrailEventSupport;
import org.zalando.stups.fullstop.plugin.AbstractFullstopPlugin;
import org.zalando.stups.fullstop.violation.ViolationSink;

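@Component
/* loaded from: input_file:org/zalando/stups/fullstop/plugin/instance/RunInstancePlugin.class */
/**
 * Fullstop plugin for {@code ec2.amazonaws.com} / {@code RunInstances} CloudTrail events.
 *
 * <p>For every instance launched by the event it resolves the instance's security groups
 * through the EC2 API and reports a {@code SECURITY_GROUPS_PORT_NOT_ALLOWED} violation when
 * any group carries an ingress/egress rule whose {@code toPort} is neither 443 nor 22. The
 * check is only applied when the event reports a public IP address (see
 * {@link #hasPublicIp(CloudTrailEvent)}).
 *
 * <p>Thread-safety: the instance is immutable apart from the package-visible {@link #filter}
 * field; the AWS client is obtained per event from the {@link ClientProvider}.
 */
public class RunInstancePlugin extends AbstractFullstopPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(RunInstancePlugin.class);
    private static final String EC2_SOURCE_EVENTS = "ec2.amazonaws.com";
    private static final String EVENT_NAME = "RunInstances";
    private final ViolationSink violationSink;
    private final ClientProvider clientProvider;
    /** Accepts only RunInstances events emitted by the EC2 service. */
    private final CloudTrailEventPredicate eventFilter = CloudTrailEventPredicate.fromSource(EC2_SOURCE_EVENTS).andWith(CloudTrailEventPredicate.withName(EVENT_NAME));
    private final Function<SecurityGroup, String> transformer = new SecurityGroupToString();
    /**
     * Matches a rule that is considered NOT allowed: its to-port is neither 443 nor 22.
     * NOTE(review): the predicate names suggest only {@code toPort} is compared; whether a port
     * range ending at 443 (e.g. 0-443) or a rule without ports (null to-port, all-protocols
     * rule) is treated as allowed depends on {@code IpPermissionPredicates} — verify there.
     */
    Predicate<IpPermission> filter = IpPermissionPredicates.withToPort(443).negate().and(IpPermissionPredicates.withToPort(22).negate());

    /**
     * Creates the plugin.
     *
     * @param clientProvider source of per-account/per-region AWS clients
     * @param violationSink  destination for detected violations
     */
    @Autowired
    public RunInstancePlugin(ClientProvider clientProvider, ViolationSink violationSink) {
        this.clientProvider = clientProvider;
        this.violationSink = violationSink;
    }

    /**
     * @return {@code true} for EC2 {@code RunInstances} events only
     */
    @Override
    public boolean supports(CloudTrailEvent cloudTrailEvent) {
        return this.eventFilter.test(cloudTrailEvent);
    }

    /**
     * Checks the security groups of every instance launched by the event and reports a
     * violation per instance whose groups open a port other than 443 or 22.
     *
     * <p>A failed security-group lookup for one instance no longer aborts the whole event
     * (the previous early {@code return} silently skipped all remaining instances); the
     * failure is logged by {@link #getSecurityGroupsForIds} and the next instance is checked.
     */
    @Override
    public void processEvent(CloudTrailEvent cloudTrailEvent) {
        // The public-IP check is loop-invariant: hasPublicIp() inspects every item of
        // instancesSet at once, so it is evaluated once per event rather than per instance.
        // NOTE(review): this means an instance without a public IP is still checked when a
        // sibling instance in the same event has one — confirm that is intended.
        if (!hasPublicIp(cloudTrailEvent)) {
            return;
        }
        for (String instanceJson : CloudTrailEventSupport.getInstances(cloudTrailEvent)) {
            Optional<List<SecurityGroup>> securityGroups = getSecurityGroupsForInstance(instanceJson, cloudTrailEvent);
            if (!securityGroups.isPresent()) {
                // Lookup failed (already logged); keep checking the other instances.
                continue;
            }
            List<SecurityGroup> groups = securityGroups.get();
            if (groups.stream().anyMatch(SecurityGroupPredicates.anyMatch(this.filter))) {
                this.violationSink.put(CloudTrailEventSupport.violationFor(cloudTrailEvent)
                        .withInstanceId(CloudTrailEventSupport.getInstanceId(instanceJson))
                        .withType("SECURITY_GROUPS_PORT_NOT_ALLOWED")
                        .withPluginFullyQualifiedClassName(RunInstancePlugin.class)
                        .withMetaInfo(getPorts(groups))
                        .build());
            }
        }
    }

    /**
     * Collects the to-port of every rule of every given security group, as strings, for the
     * violation's meta information.
     *
     * @param securityGroups groups to inspect; may be empty
     * @return the distinct to-ports as strings; a rule without a to-port contributes "null"
     */
    protected Set<String> getPorts(List<SecurityGroup> securityGroups) {
        Set<String> ports = new HashSet<>();
        for (SecurityGroup group : securityGroups) {
            for (IpPermission permission : group.getIpPermissions()) {
                // getToPort() returns a boxed Integer that can be null (rules that carry no
                // port); the previous unconditional toString() threw an NPE in that case and
                // thereby dropped the violation.
                ports.add(String.valueOf(permission.getToPort()));
            }
        }
        return ports;
    }

    /**
     * @return {@code true} when at least one instance in the event's {@code instancesSet} has a
     *         {@code publicIpAddress}
     */
    protected boolean hasPublicIp(CloudTrailEvent cloudTrailEvent) {
        return !CloudTrailEventSupport.read(cloudTrailEvent, "$.instancesSet.items[*].publicIpAddress", true).isEmpty();
    }

    /**
     * Renders each security group through the configured {@link SecurityGroupToString}.
     */
    protected List<String> transformSecurityGroupsIntoStrings(List<SecurityGroup> securityGroups) {
        return securityGroups.stream().map(this.transformer).collect(Collectors.toList());
    }

    /**
     * Extracts the security-group ids from the JSON of a single instance item.
     *
     * @param instanceJson one element of the event's {@code instancesSet}
     */
    protected List<String> readSecurityGroupIds(String instanceJson) {
        return CloudTrailEventSupport.read(instanceJson, "$.groupSet.items[*].groupId", true);
    }

    /**
     * Resolves the security groups referenced by a single instance item.
     *
     * @see #getSecurityGroupsForIds(List, CloudTrailEvent)
     */
    protected Optional<List<SecurityGroup>> getSecurityGroupsForInstance(String instanceJson, CloudTrailEvent cloudTrailEvent) {
        return getSecurityGroupsForIds(readSecurityGroupIds(instanceJson), cloudTrailEvent);
    }

    /**
     * Describes the given security groups in the account and region of the event.
     *
     * @param groupIds        ids to describe
     * @param cloudTrailEvent event supplying account id and region
     * @return the described groups, or empty when the ids are empty or the EC2 call failed
     *         (failure is logged at WARN level)
     * @throws IllegalStateException when no EC2 client could be obtained for the account/region
     */
    protected Optional<List<SecurityGroup>> getSecurityGroupsForIds(List<String> groupIds, CloudTrailEvent cloudTrailEvent) {
        Region region = CloudTrailEventSupport.getRegion(cloudTrailEvent);
        String accountId = CloudTrailEventSupport.getAccountId(cloudTrailEvent);
        if (groupIds.isEmpty()) {
            // DescribeSecurityGroups without group ids returns every group in the region;
            // evaluating those against this instance would produce spurious violations.
            LOG.warn("No SecurityGroupIds found for instance in account {} / region {}; skipping lookup", accountId, region);
            return Optional.empty();
        }
        AmazonEC2Client client = getClient(accountId, region);
        if (client == null) {
            // IllegalStateException is a RuntimeException, so existing catch blocks still apply.
            throw new IllegalStateException(String.format("Somehow we could not create an Client with accountId: %s and region: %s", accountId, region.toString()));
        }
        try {
            DescribeSecurityGroupsRequest request = new DescribeSecurityGroupsRequest();
            request.setGroupIds(groupIds);
            return Optional.of(client.describeSecurityGroups(request).getSecurityGroups());
        } catch (AmazonClientException e) {
            // Trailing throwable keeps the stack trace; the message placeholder is unchanged.
            LOG.warn("Unable to get SecurityGroups for SecurityGroupIds [{}] | {}", groupIds.toString(), e.getMessage(), e);
            return Optional.empty();
        }
    }

    /**
     * @return the EC2 client for the account and region, or {@code null} if the provider has none
     */
    protected AmazonEC2Client getClient(String accountId, Region region) {
        return (AmazonEC2Client) this.clientProvider.getClient(AmazonEC2Client.class, accountId, region);
    }
}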
