package org.sonar.python.checks.cdk;

import java.util.List;
import java.util.Optional;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.python.checks.cdk.CdkUtils;

@Rule(key = "S6303")
/* loaded from: input_file:org/sonar/python/checks/cdk/DisabledRDSEncryptionCheck.class */
public class DisabledRDSEncryptionCheck extends AbstractCdkResourceCheck {
    private static final String UNENCRYPTED_MESSAGE = "Make sure that using unencrypted databases is safe here.";
    private static final String ARG_ENCRYPTED = "storage_encrypted";
    private static final String ARG_ENCRYPTION_KEY = "storage_encryption_key";
    private static final String DB_OMITTING_MESSAGE = "Omitting \"storage_encrypted\" and \"storage_encryption_key\" disables RDS encryption. Make sure it is safe here.";
    private static final String CFNDB_OMITTING_MESSAGE = "Omitting \"storage_encrypted\" disables RDS encryption. Make sure it is safe here.";

    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        checkFqns(List.of("aws_cdk.aws_rds.DatabaseCluster", "aws_cdk.aws_rds.DatabaseInstance", "aws_cdk.aws_rds.CfnDBCluster"), this::checkDatabaseArguments);
        checkFqn("aws_cdk.aws_rds.CfnDBInstance", (subscriptionContext, callExpression) -> {
            if (isEngineAurora(subscriptionContext, callExpression)) {
                return;
            }
            checkCfnDatabaseArguments(subscriptionContext, callExpression);
        });
    }

    protected void checkDatabaseArguments(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        Optional<CdkUtils.ExpressionFlow> argument = CdkUtils.getArgument(subscriptionContext, callExpression, ARG_ENCRYPTED);
        Optional<CdkUtils.ExpressionFlow> argument2 = CdkUtils.getArgument(subscriptionContext, callExpression, ARG_ENCRYPTION_KEY);
        if (argument.isEmpty() && argument2.isEmpty()) {
            subscriptionContext.addIssue(callExpression.callee(), DB_OMITTING_MESSAGE);
            return;
        }
        if (argument.isEmpty()) {
            argument2.get().addIssueIf(CdkPredicate.isNone(), UNENCRYPTED_MESSAGE, new IssueLocation[0]);
            return;
        }
        if (argument2.isEmpty()) {
            argument.get().addIssueIf(CdkPredicate.isFalse(), UNENCRYPTED_MESSAGE, new IssueLocation[0]);
        } else if (argument2.get().hasExpression(CdkPredicate.isNone()) && argument.get().hasExpression(CdkPredicate.isFalse())) {
            argument.get().addIssue(UNENCRYPTED_MESSAGE, new IssueLocation[0]);
        }
    }

    protected void checkCfnDatabaseArguments(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        CdkUtils.getArgument(subscriptionContext, callExpression, ARG_ENCRYPTED).ifPresentOrElse(expressionFlow -> {
            expressionFlow.addIssueIf(CdkPredicate.isFalse(), UNENCRYPTED_MESSAGE, new IssueLocation[0]);
        }, () -> {
            subscriptionContext.addIssue(callExpression.callee(), CFNDB_OMITTING_MESSAGE);
        });
    }

    protected boolean isEngineAurora(SubscriptionContext subscriptionContext, CallExpression callExpression) {
        return CdkUtils.getArgument(subscriptionContext, callExpression, "engine").filter(expressionFlow -> {
            return expressionFlow.hasExpression(CdkPredicate.startsWith("aurora"));
        }).isPresent();
    }
}
