package org.sonar.iac.docker.checks;

import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.tree.api.AddTree;
import org.sonar.iac.docker.tree.api.CommandInstructionTree;
import org.sonar.iac.docker.tree.api.DockerTree;
import org.sonar.iac.docker.tree.api.LiteralListTree;
import org.sonar.iac.docker.tree.api.SyntaxToken;

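/**
 * Docker check for rule S5332: reports arguments that contain a clear-text {@code http://} or
 * {@code ftp://} URL, unless the URL points at a loopback host.
 *
 * <p>The check inspects the literal arguments of ADD, ENTRYPOINT, CMD and RUN instructions, plus
 * the sources and destination of {@link AddTree} nodes.
 */
@Rule(key = "S5332")
public class UnencryptedProtocolCheck implements IacCheck {
    private static final String MESSAGE = "Make sure that using clear-text protocols is safe here.";

    // Loopback address forms without anchors; LOOPBACK below adds the start anchor and the
    // host-boundary checks once for all alternatives.
    private static final String LOOPBACK_IPV4 = "127(?:\\.\\d+){2}\\.\\d+";
    private static final String LOOPBACK_IPV6 = "(?:0*:){7}:?0*1|::1";

    // Matched with find(), so the scheme may appear anywhere inside the token value.
    // NOTE(review): because the scheme is not anchored, "ftp://" is also found inside longer
    // scheme names (for example "sftp://"); confirm whether that over-reporting is intended.
    private static final Pattern UNENCRYPTED_PROTOCOLS =
        Pattern.compile("(http|ftp)://(?<rest>.+)", Pattern.CASE_INSENSITIVE);

    // The loopback exemption suppresses the finding, so it must match the whole host and not
    // just a prefix of it:
    //  - (?![^/?#\s]*@) refuses the exemption when the authority carries a userinfo part, since
    //    the text before '@' is not the host the client connects to;
    //  - (?![\w.-]) requires the loopback name or address to end there, so a longer host name
    //    that merely starts with "localhost" or "127.x.y.z" is still reported.
    // NOTE(review): bracketed IPv6 literals such as "[::1]" do not start with ':' or '0' and are
    // therefore not exempted by this pattern; confirm whether they should be.
    private static final Pattern LOOPBACK = Pattern.compile(
        "^(?![^/?#\\s]*@)(?:localhost|" + LOOPBACK_IPV4 + "|" + LOOPBACK_IPV6 + ")(?![\\w.-])",
        Pattern.CASE_INSENSITIVE);

    /**
     * Registers the visitors that feed instruction arguments to the clear-text protocol check.
     *
     * @param initContext registration point for the tree visitors
     */
    @Override
    public void initialize(InitContext initContext) {
        initContext.register(CommandInstructionTree.class, (ctx, instruction) -> {
            LiteralListTree arguments = instruction.arguments();
            boolean supportedKind = instruction.is(
                DockerTree.Kind.ADD, DockerTree.Kind.ENTRYPOINT, DockerTree.Kind.CMD, DockerTree.Kind.RUN);
            // Instructions without arguments, or of any other kind, are not inspected.
            if (arguments == null || !supportedKind) {
                return;
            }
            checkUnencryptedProtocols(ctx, arguments.literals());
        });
        initContext.register(AddTree.class, (ctx, addTree) -> {
            checkUnencryptedProtocols(ctx, addTree.srcs());
            checkUnencryptedProtocols(ctx, List.of(addTree.dest()));
        });
    }

    /**
     * Reports every token whose value contains a clear-text URL that does not target loopback.
     *
     * @param checkContext context used to report the issue on the offending token
     * @param list tokens to inspect
     */
    private static void checkUnencryptedProtocols(CheckContext checkContext, List<SyntaxToken> list) {
        for (SyntaxToken token : list) {
            Matcher url = UNENCRYPTED_PROTOCOLS.matcher(token.value());
            if (!url.find()) {
                continue;
            }
            // "rest" is everything after "://"; only a loopback host at its start is exempt.
            if (!LOOPBACK.matcher(url.group("rest")).find()) {
                checkContext.reportIssue(token, MESSAGE);
            }
        }
    }
}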
