package org.sonar.python.checks.cdk;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.python.checks.cdk.CdkUtils;

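/**
 * Rule S6304: raises an issue when an IAM policy statement grants a sensitive action on a
 * wildcard resource.
 *
 * <p>The set of sensitive action names is read once per resource name from a classpath text file
 * (one action per line) and shared between check instances through {@link #CACHED_RESOURCES}.
 *
 * <p>NOTE(review): action names are matched by exact, case-sensitive string equality against the
 * loaded lines. IAM itself treats action names case-insensitively, so a statement written with
 * different casing, or with a wildcard action, is only caught if that exact spelling is in the
 * list. Confirm the resource file covers the spellings that matter.
 */
@Rule(key = "S6304")
/* loaded from: input_file:org/sonar/python/checks/cdk/ResourceAccessPolicyCheck.class */
public class ResourceAccessPolicyCheck extends AbstractIamPolicyStatementCheck {
    private static final String MESSAGE = "Make sure granting access to all resources is safe here.";
    private static final String SECONDARY_MESSAGE = "Related effect";
    // Package-private and non-final; presumably so tests can point the check at another list (confirm).
    String resourceNameSensitiveAwsActions = "ResourceAccessPolicyCheck.txt";
    // Populated by init(); stays null until initialize() has run.
    private Set<String> sensitiveAwsActions = null;
    private static final Logger LOG = LoggerFactory.getLogger(ResourceAccessPolicyCheck.class);
    // Resource name -> loaded action set. A failed load is cached too (as an empty set).
    private static final Map<String, Set<String>> CACHED_RESOURCES = new ConcurrentHashMap<>();

    /** Loads the sensitive-action set for the configured resource name, reusing the cached copy if any. */
    void init() {
        this.sensitiveAwsActions = CACHED_RESOURCES.computeIfAbsent(this.resourceNameSensitiveAwsActions, ResourceAccessPolicyCheck::loadResourceWrapper);
    }

    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    public void initialize(SubscriptionCheck.Context context) {
        super.initialize(context);
        init();
    }

    /**
     * Loads the action list, converting an I/O failure into an empty set.
     *
     * <p>This fails open: with an empty set no action is considered sensitive, so the rule raises
     * nothing. The only trace is the ERROR log line below, and because the empty set is a non-null
     * value, {@code computeIfAbsent} in {@link #init()} keeps it cached, so the rule stays disabled
     * for that resource name until the cache is gone.
     *
     * @param resourceName classpath resource to read, resolved relative to this class
     * @return the loaded action names, or an empty set if the resource could not be read
     */
    private static Set<String> loadResourceWrapper(String resourceName) {
        try {
            return loadResource(resourceName);
        } catch (IOException e) {
            LOG.error("Couldn't load resource '{}', rule [S6304] ResourceAccessPolicyCheck will be disabled.", resourceName, e);
            return Set.of();
        }
    }

    /**
     * Reads every line of a classpath resource into a set.
     *
     * <p>Lines are stored verbatim (no trimming, no blank-line or comment filtering), so the file
     * must contain exactly the action strings to match.
     *
     * @param resourceName classpath resource to read, resolved relative to this class
     * @return a set holding each line of the resource
     * @throws IOException if the resource does not exist or cannot be read
     */
    private static Set<String> loadResource(String resourceName) throws IOException {
        // try-with-resources closes every stream on all paths; the decompiled form left the
        // InputStreamReader unclosed when reading failed.
        try (InputStream stream = ResourceAccessPolicyCheck.class.getResourceAsStream(resourceName)) {
            if (stream == null) {
                throw new IOException("Cannot find resource file '" + resourceName + "'");
            }
            try (InputStreamReader streamReader = new InputStreamReader(stream, StandardCharsets.UTF_8);
                 BufferedReader lineReader = new BufferedReader(streamReader)) {
                Set<String> actions = new HashSet<>();
                String line;
                while ((line = lineReader.readLine()) != null) {
                    actions.add(line);
                }
                return actions;
            }
        }
    }

    /**
     * Reports the statement when it has a sensitive action and a wildcard resource.
     *
     * <p>Statements with no {@code actions} or no {@code resources} value are skipped. The lookup
     * helper {@code getSensitiveExpression} is inherited; it is treated here as returning
     * {@code null} when nothing matches.
     */
    @Override // org.sonar.python.checks.cdk.AbstractIamPolicyStatementCheck
    protected void checkAllowingPolicyStatement(PolicyStatement policyStatement) {
        CdkUtils.ExpressionFlow actions = policyStatement.actions();
        CdkUtils.ExpressionFlow resources = policyStatement.resources();
        if (resources == null || actions == null || !isSensitiveAction(actions)) {
            return;
        }
        CdkUtils.ExpressionFlow wildcardResource = getSensitiveExpression(resources, CdkPredicate.isWildcard());
        if (wildcardResource != null) {
            reportWildcardResourceAndEffect(wildcardResource, policyStatement.effect());
        }
    }

    /** Returns whether the given actions expression contains an action from the sensitive set. */
    private boolean isSensitiveAction(CdkUtils.ExpressionFlow actions) {
        return getSensitiveExpression(actions, inSensitiveSet()) != null;
    }

    /**
     * Builds a predicate that accepts an expression whose string value is a sensitive action.
     *
     * @return predicate testing exact membership in the loaded action set
     * @throws NullPointerException when the predicate is evaluated before {@link #init()} has run
     */
    public Predicate<Expression> inSensitiveSet() {
        return expression -> {
            Optional<String> actionName = CdkUtils.getString(expression);
            // The decompiled lambda referenced an undefined name here; the set read from the
            // field is the intended receiver of contains().
            Set<String> sensitiveActions = Objects.requireNonNull(this.sensitiveAwsActions);
            return actionName.filter(sensitiveActions::contains).isPresent();
        };
    }

    /**
     * Raises the issue on the last expression of the wildcard resource flow and, when the
     * statement's effect is known, attaches it as a secondary location.
     *
     * @param resource flow leading to the wildcard resource value
     * @param effect flow of the statement's effect, or {@code null} if absent
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void reportWildcardResourceAndEffect(CdkUtils.ExpressionFlow resource, @Nullable CdkUtils.ExpressionFlow effect) {
        PythonCheck.PreciseIssue issue = resource.ctx().addIssue(resource.getLast(), MESSAGE);
        if (effect != null) {
            issue.secondary(effect.asSecondaryLocation(SECONDARY_MESSAGE));
        }
    }
}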
