package org.sonar.iac.docker.checks;

import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.CheckForNull;
import org.sonar.api.batch.fs.TextPointer;
import org.sonar.api.batch.fs.TextRange;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.tree.impl.TextRanges;
import org.sonar.iac.docker.tree.api.RunTree;
import org.sonar.iac.docker.tree.api.SyntaxToken;
import org.sonar.iac.docker.utils.CheckUtils;

/**
 * Rule S6469: reports a Docker {@code RUN} instruction whose {@code mount} option exposes a
 * {@code secret} or {@code ssh} mount with permission bits set for "others" (world).
 *
 * <p>An issue is raised only when the option text contains both {@code type=secret} or
 * {@code type=ssh} and an explicit numeric {@code mode=<digits>} whose last digit is not
 * {@code 0}, for example {@code type=secret,id=token,mode=0444}.
 *
 * <p>Limits of the detection, as visible in this class:
 * <ul>
 *   <li>Without an explicit {@code mode=} followed by digits nothing is reported, so a mode
 *       supplied through a variable is not analysed.</li>
 *   <li>Only the last digit (the "others" bits) is inspected; group bits are not considered.</li>
 *   <li>Both patterns are unanchored and applied with {@code find()}, so they match anywhere in
 *       the option text, including inside another key's value.</li>
 * </ul>
 */
@Rule(key = "S6469")
public class MountWorldPermissionCheck implements IacCheck {
    /** Issue message; the placeholder receives "file" or "agent" depending on the mount type. */
    private static final String MESSAGE = "Remove world permissions for this sensitive %s.";
    /** Captures the sensitive mount type (group 1). */
    private static final Pattern MOUNT_TYPE_PATTERN = Pattern.compile("type=(secret|ssh)");
    /** Captures the digits of an explicit mode (group 1). */
    private static final Pattern MOUNT_MODE_PATTERN = Pattern.compile("mode=(\\d+)");
    /** Word used in the issue message for each sensitive mount type. */
    private static final Map<String, String> DENOMINATION_BY_TYPE = Map.of("secret", "file", "ssh", "agent");

    /**
     * A single {@code key=value} fragment found inside the mount option, with its location in the file.
     *
     * <p>The decompiler notes that this class was package-private in the original build.
     */
    public static class MountOption {
        // Text captured by group 1 of the pattern that produced this option.
        final String value;
        // Location of the whole match (key, '=' and value) in the analysed file.
        final TextRange textRange;

        private MountOption(String capturedValue, TextRange range) {
            this.value = capturedValue;
            this.textRange = range;
        }

        /**
         * Builds an option from the first match of {@code matcher}.
         *
         * @param matcher matcher over the mount option text; it is advanced by one {@code find()}
         * @param textPointer start position of the mount option text, used as the base line and offset
         * @return the matched option, or {@code null} when the pattern does not occur
         */
        @CheckForNull
        public static MountOption creatFromMatcher(Matcher matcher, TextPointer textPointer) {
            if (matcher.find()) {
                int line = textPointer.line();
                int baseOffset = textPointer.lineOffset();
                // The range stays on one line: match offsets are added to the token's start column.
                TextRange matchRange = TextRanges.range(line, baseOffset + matcher.start(), line, baseOffset + matcher.end());
                return new MountOption(matcher.group(1), matchRange);
            }
            return null;
        }
    }

    /**
     * Registers the check on every {@code RUN} instruction and inspects its {@code mount} option.
     *
     * @param initContext registration entry point supplied by the analyzer
     */
    public void initialize(InitContext initContext) {
        initContext.register(RunTree.class, (checkContext, runTree) -> {
            // NOTE(review): getParamByName yields at most one value here, so presumably only one
            // mount option per RUN instruction is inspected - confirm against CheckUtils.
            CheckUtils.getParamByName(runTree.options(), "mount")
                .map(param -> param.value())
                .ifPresent(mountValue -> checkMountParam(checkContext, mountValue));
        });
    }

    /**
     * Reports an issue on the {@code mode=...} fragment when the mount is a secret or ssh mount and
     * its mode grants permissions to others.
     *
     * <p>The decompiler notes that this method was private in the original build.
     *
     * @param checkContext context used to report the issue
     * @param syntaxToken token holding the text of the mount option
     */
    public static void checkMountParam(CheckContext checkContext, SyntaxToken syntaxToken) {
        String optionText = syntaxToken.value();
        TextPointer optionStart = syntaxToken.textRange().start();
        MountOption typeOption = MountOption.creatFromMatcher(MOUNT_TYPE_PATTERN.matcher(optionText), optionStart);
        MountOption modeOption = MountOption.creatFromMatcher(MOUNT_MODE_PATTERN.matcher(optionText), optionStart);
        // Both fragments must be present: a mount without an explicit numeric mode is not reported.
        if (typeOption != null && modeOption != null && isModeSensitive(modeOption.value)) {
            String denomination = DENOMINATION_BY_TYPE.get(typeOption.value);
            checkContext.reportIssue(modeOption.textRange, String.format(MESSAGE, denomination));
        }
    }

    /**
     * Tells whether a mode string grants any permission to others.
     *
     * @param mode digits captured after {@code mode=}; never empty because the pattern requires one digit
     * @return {@code true} when the last digit is anything other than {@code '0'}
     */
    private static boolean isModeSensitive(String mode) {
        char othersDigit = mode.charAt(mode.length() - 1);
        return othersDigit != '0';
    }
}
