package org.sonar.python.checks.cdk;

import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.IssueLocation;
import org.sonar.plugins.python.api.PythonVisitorContext;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.FunctionDef;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.checks.cdk.CdkUtils;
import org.sonar.python.tree.FunctionDefImpl;
import org.sonar.python.tree.TreeUtils;

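/**
 * Rule S6333: reports AWS CDK (Python) API Gateway constructs that create publicly
 * reachable API methods, i.e. where {@code authorization_type} is explicitly set to
 * {@code NONE} or is omitted altogether.
 *
 * <p>Three families of calls are inspected:
 * <ul>
 *   <li>{@code CfnMethod} / {@code CfnRoute}: the argument is compared with the string
 *       {@code "NONE"}; omitting it is reported.</li>
 *   <li>{@code RestApi} / {@code Resource.add_resource}: never reported directly; they only
 *       record whether {@code default_method_options} looks safe.</li>
 *   <li>{@code Resource.add_method}: an explicit {@code AuthorizationType.NONE} is reported;
 *       an omitted argument is reported unless the enclosing function was recorded as
 *       safe.</li>
 * </ul>
 *
 * <p>NOTE(review): the suppression is keyed by the fully qualified name of the enclosing
 * function, not by the API object. One {@code RestApi} with acceptable defaults therefore
 * silences omitted-{@code authorization_type} findings for every {@code add_method} call in
 * the same function, including calls on a different API. Confirm that this trade-off between
 * false positives and false negatives is intended.
 */
@Rule(key = "S6333")
/* loaded from: input_file:org/sonar/python/checks/cdk/PublicApiIsSecuritySensitiveCheck.class */
public class PublicApiIsSecuritySensitiveCheck extends AbstractCdkResourceCheck {
    private static final String MESSAGE = "Make sure that creating public APIs is safe here.";
    private static final String OMITTING_MESSAGE = "Omitting \"authorization_type\" disables authentication. Make sure it is safe here.";
    private static final String AUTHORIZATION_TYPE = "authorization_type";
    private static final String AUTHORIZATION_TYPE_NONE = "aws_cdk.aws_apigateway.AuthorizationType.NONE";

    // Fully qualified names of the functions in which a RestApi / add_resource call passed a
    // default_method_options value that did not resolve to AuthorizationType.NONE.
    // The set is filled while the file is visited, so an add_method call only benefits from it
    // if the corresponding RestApi call was visited first (presumably source order; confirm).
    private final Set<String> safeMethods = new HashSet<>();

    /**
     * Scans one file, then drops the per-file suppression state so that a function recorded
     * as safe in one file cannot silence findings in the next one.
     */
    @Override // org.sonar.plugins.python.api.PythonSubscriptionCheck, org.sonar.plugins.python.api.PythonFileConsumer
    public void scanFile(PythonVisitorContext pythonVisitorContext) {
        super.scanFile(pythonVisitorContext);
        this.safeMethods.clear();
    }

    /** Registers the consumers for the three families of API Gateway calls described on the class. */
    @Override // org.sonar.python.checks.cdk.AbstractCdkResourceCheck
    protected void registerFqnConsumer() {
        // Low-level Cfn constructs: authorization_type is matched as the string "NONE".
        checkFqns(List.of("aws_cdk.aws_apigateway.CfnMethod", "aws_cdk.aws_apigatewayv2.CfnRoute"), (subscriptionContext, callExpression) -> {
            CdkUtils.getArgument(subscriptionContext, callExpression, AUTHORIZATION_TYPE).ifPresentOrElse(
                expressionFlow -> expressionFlow.addIssueIf(CdkPredicate.isString("NONE"), MESSAGE, new IssueLocation[0]),
                () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE));
        });

        // RestApi / add_resource: remember the enclosing function when the defaults look safe.
        checkFqns(List.of("aws_cdk.aws_apigateway.RestApi", "aws_cdk.aws_apigateway.Resource.add_resource"), (subscriptionContext, callExpression) -> {
            CdkUtils.getArgument(subscriptionContext, callExpression, "default_method_options").ifPresent(expressionFlow -> {
                if (isArgumentSafe(subscriptionContext, expressionFlow)) {
                    enclosingMethodFqn(callExpression).ifPresent(this.safeMethods::add);
                }
            });
        });

        // add_method: an explicit NONE is always reported; an omitted argument is reported only
        // when the enclosing function has not been recorded as safe.
        // NOTE(review): when the call has no enclosing function with a resolvable FQN (for
        // example a module-level call), the Optional is empty and the omission is not reported.
        checkFqn("aws_cdk.aws_apigateway.Resource.add_method", (subscriptionContext, callExpression) -> {
            CdkUtils.getArgument(subscriptionContext, callExpression, AUTHORIZATION_TYPE).ifPresentOrElse(
                expressionFlow -> expressionFlow.addIssueIf(CdkPredicate.isFqn(AUTHORIZATION_TYPE_NONE), MESSAGE, new IssueLocation[0]),
                () -> enclosingMethodFqn(callExpression)
                    .filter(fqn -> !this.safeMethods.contains(fqn))
                    .ifPresent(fqn -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE)));
        });
    }

    /**
     * Resolves the fully qualified name of the function definition that encloses {@code tree}.
     *
     * @param tree node whose nearest {@code FUNCDEF} ancestor is looked up
     * @return the function's fully qualified name, or empty when there is no enclosing function
     *     or when its symbol or name is {@code null}
     */
    private static Optional<String> enclosingMethodFqn(Tree tree) {
        return Optional.ofNullable((FunctionDef) TreeUtils.firstAncestorOfKind(tree, Tree.Kind.FUNCDEF))
            .map(FunctionDefImpl.class::cast)
            .map(FunctionDefImpl::functionSymbol)
            .map(symbol -> symbol.fullyQualifiedName());
    }

    /**
     * Tells whether a {@code default_method_options} value is free of an explicit
     * {@code AuthorizationType.NONE}, in both the dictionary and the {@code MethodOptions(...)} form.
     *
     * <p>NOTE(review): this is a deny-list test. A value that carries no
     * {@code authorization_type} at all is also treated as safe (assuming the CdkUtils lookups
     * return empty for a missing key or argument; confirm), although it does not configure any
     * authorization either.
     */
    private static boolean isArgumentSafe(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow expressionFlow) {
        return !(isUnsafeSafeDictionaryAuthorisationKey(subscriptionContext, expressionFlow.getLast())
            || isUnsafeAuthorisationArgument(subscriptionContext, expressionFlow));
    }

    /**
     * Returns {@code true} when {@code expression} is a dictionary whose
     * {@code authorization_type} entry resolves to {@code AuthorizationType.NONE}.
     */
    private static boolean isUnsafeSafeDictionaryAuthorisationKey(SubscriptionContext subscriptionContext, Expression expression) {
        return CdkUtils.getDictionary(expression)
            .flatMap(dictionaryLiteral -> CdkUtils.getDictionaryPair(subscriptionContext, dictionaryLiteral, AUTHORIZATION_TYPE))
            .filter(resolvedKeyValuePair -> CdkPredicate.isFqn(AUTHORIZATION_TYPE_NONE).test(resolvedKeyValuePair.value.getLast()))
            .isPresent();
    }

    /**
     * Returns {@code true} when the flow contains a {@code MethodOptions(...)} call whose
     * {@code authorization_type} argument resolves to {@code AuthorizationType.NONE}.
     */
    private static boolean isUnsafeAuthorisationArgument(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow expressionFlow) {
        return expressionFlow.getExpression(isCallExpression().and(CdkPredicate.isFqn("aws_cdk.aws_apigateway.MethodOptions")))
            // The predicate above only lets CALL_EXPR nodes through, so the cast is safe.
            .flatMap(expression -> CdkUtils.getArgument(subscriptionContext, (CallExpression) expression, AUTHORIZATION_TYPE))
            .filter(argumentFlow -> argumentFlow.hasExpression(CdkPredicate.isFqn(AUTHORIZATION_TYPE_NONE)))
            .isPresent();
    }

    /** Returns a predicate that accepts only expressions of kind {@code CALL_EXPR}. */
    public static Predicate<Expression> isCallExpression() {
        return expression -> expression.is(Tree.Kind.CALL_EXPR);
    }
}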
