package org.sonar.iac.docker.checks;

import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.tree.api.AddInstruction;
import org.sonar.iac.docker.tree.api.Argument;
import org.sonar.iac.docker.tree.api.CommandInstruction;
import org.sonar.iac.docker.tree.api.DockerTree;
import org.sonar.iac.docker.utils.ArgumentUtils;

@Rule(key = "S5332")
/* loaded from: input_file:org/sonar/iac/docker/checks/UnencryptedProtocolCheck.class */
public class UnencryptedProtocolCheck implements IacCheck {
    private static final String LOOPBACK_IPV4 = "^127(?:\\.\\d+){2}\\.\\d+";
    private static final String LOOPBACK_IPV6 = "^(?:0*:){7}:?0*1|^::1";
    private static final String MESSAGE = "Make sure that using clear-text protocols is safe here.";
    private static final Pattern UNENCRYPTED_PROTOCOLS = Pattern.compile("(http|ftp)://(?<rest>.+)", 2);
    private static final Pattern LOOPBACK = Pattern.compile("^localhost|^127(?:\\.\\d+){2}\\.\\d+|^(?:0*:){7}:?0*1|^::1", 2);

    public void initialize(InitContext initContext) {
        initContext.register(CommandInstruction.class, (checkContext, commandInstruction) -> {
            if (commandInstruction.is(DockerTree.Kind.ADD, DockerTree.Kind.ENTRYPOINT, DockerTree.Kind.CMD, DockerTree.Kind.RUN)) {
                checkUnencryptedProtocols(checkContext, commandInstruction.arguments());
            }
        });
        initContext.register(AddInstruction.class, (checkContext2, addInstruction) -> {
            checkUnencryptedProtocols(checkContext2, addInstruction.srcs());
            checkUnencryptedProtocols(checkContext2, List.of(addInstruction.dest()));
        });
    }

    private static void checkUnencryptedProtocols(CheckContext checkContext, List<Argument> list) {
        for (Argument argument : list) {
            String value = ArgumentUtils.resolve(argument).value();
            if (value != null) {
                Matcher matcher = UNENCRYPTED_PROTOCOLS.matcher(value);
                if (matcher.find() && !LOOPBACK.matcher(matcher.group("rest")).find()) {
                    checkContext.reportIssue(argument, MESSAGE);
                }
            }
        }
    }
}
