package org.sonar.iac.docker.checks;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.sonar.check.Rule;
import org.sonar.check.RuleProperty;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.tree.Tree;
import org.sonar.iac.docker.plugin.DockerExtension;
import org.sonar.iac.docker.tree.TreeUtils;
import org.sonar.iac.docker.tree.api.Body;
import org.sonar.iac.docker.tree.api.DockerImage;
import org.sonar.iac.docker.tree.api.DockerTree;
import org.sonar.iac.docker.tree.api.FromInstruction;
import org.sonar.iac.docker.tree.api.UserInstruction;
import org.sonar.iac.docker.utils.ArgumentUtils;

@Rule(key = "S6471")
/* loaded from: input_file:org/sonar/iac/docker/checks/PrivilegedUserCheck.class */
public class PrivilegedUserCheck implements IacCheck {
    private static final Set<String> UNSAFE_IMAGES = Set.of((Object[]) new String[]{"aerospike", "almalinux", "alpine", "alt", "amazoncorretto", "amazonlinux", "arangodb", "archlinux", "backdrop", "bash", "buildpack-deps", "busybox", "caddy", "cirros", "clearlinux", "clefos", "clojure", "composer", "consul", "couchdb", "crate", "dart", "debian", "drupal", "eclipse-temurin", "elixir", "erlang", "express-gateway", "fedora", "friendica", "gazebo", "gcc", "golang", "haskell", "haxe", "hitch", "httpd", "hylang", "ibmjava", "influxdb", "joomla", "jruby", "julia", "kapacitor", "mageia", "matomo", "maven", "mediawiki", "monica", "mono", "nats", "nats-streaming", "neurodebian", "nextcloud", "nginx", "notary", "openjdk", "oraclelinux", "orientdb", "perl", "photon", "php", "phpmyadmin", "php-zendserver", "plone", "postfixadmin", "pypy", "python", "redmine", "registry", "rethinkdb", "rockylinux", "ros", "ruby", "rust", "r-base", "sapmachine", "satosa", "silverpeas", "sl", "spiped", "swipl", "telegraf", "tomcat", "tomee", "traefik", "ubuntu", "xwiki", "yourls", "bonita", "cassandra", "centos", "chronograf", "convertigo", "couchbase", DockerExtension.REPOSITORY_KEY, "eclipse-mosquitto", "eggdrop", "ghost", "gradle", "mariadb", "mongo", "mongo-express", "mysql", "node", "postgres", "rabbitmq", "rakudo-star", "redis", "sonarqube", "storm", "swift", "teamspeak", "zookeeper"});
    private static final Set<String> UNSAFE_USERS = Set.of("root", "containerAdministrator");
    private static final String SAFE_IMAGES = "adminer, api-firewall, elasticsearch, emqx, flink, fluentd, geonetwork, groovy, haproxy, ibm-semeru-runtimes, irssi, jetty, jobber, kibana, kong, lightstreamer, logstash, memcached, neo4j, odoo, open-liberty, percona, rocket.chat, solr, swift, varnish, vault, websphere-liberty, znc, nginxinc/nginx-unprivileged";

    @RuleProperty(key = "safeImages", description = "Comma separated list of safe images (no default root user).", defaultValue = "")
    public String safeImages = "";
    private Set<String> safeImagesSet;
    private static final String MESSAGE_SCRATCH = "Scratch images run as root by default. Make sure it is safe here.";
    private static final String MESSAGE_UNSAFE_DEFAULT_ROOT = "The %s image runs with root as the default user. Make sure it is safe here.";
    private static final String MESSAGE_MICROSOFT_DEFAULT_ROOT = "This image runs with root or containerAdministrator as the default user. Make sure it is safe here.";
    private static final String MESSAGE_OTHER_IMAGE = "This image might run with root as the default user. Make sure it is safe here.";
    private static final String MESSAGE_ROOT_USER = "Setting the default user as %s might unnecessarily make the application unsafe. Make sure it is safe here.";

    private Set<String> userSafeImages() {
        if (this.safeImagesSet == null) {
            this.safeImagesSet = (Set) Stream.of((Object[]) this.safeImages.split(",")).map((v0) -> {
                return v0.trim();
            }).collect(Collectors.toSet());
        }
        return this.safeImagesSet;
    }

    public void initialize(InitContext initContext) {
        initContext.register(DockerImage.class, this::handle);
    }

    private void handle(CheckContext checkContext, DockerImage dockerImage) {
        String imageName;
        if (isLastDockerImageInFile(dockerImage) && (imageName = getImageName(dockerImage.from())) != null) {
            Optional<UserInstruction> lastUser = getLastUser(dockerImage);
            if (!lastUser.isEmpty()) {
                String value = ArgumentUtils.resolveAndMerge(lastUser.get()).value();
                if (UNSAFE_USERS.contains(value)) {
                    checkContext.reportIssue(lastUser.get(), String.format(MESSAGE_ROOT_USER, value));
                    return;
                }
                return;
            }
            if (isScratchImage(imageName)) {
                checkContext.reportIssue(dockerImage.from(), MESSAGE_SCRATCH);
                return;
            }
            if (isUnsafeImage(imageName) && !isUserSafeImage(imageName)) {
                checkContext.reportIssue(dockerImage.from(), String.format(MESSAGE_UNSAFE_DEFAULT_ROOT, imageName));
            } else if (isMicrosoftUnsafeImage(imageName)) {
                checkContext.reportIssue(dockerImage.from(), MESSAGE_MICROSOFT_DEFAULT_ROOT);
            } else {
                if (isSafeImage(imageName)) {
                    return;
                }
                checkContext.reportIssue(dockerImage.from(), MESSAGE_OTHER_IMAGE);
            }
        }
    }

    private static String getImageName(FromInstruction fromInstruction) {
        String value = ArgumentUtils.resolve(fromInstruction.image()).value();
        if (value == null) {
            return null;
        }
        return value.contains(":") ? value.split(":")[0] : value.contains("@") ? value.split("@")[0] : value;
    }

    private static boolean isLastDockerImageInFile(DockerImage dockerImage) {
        List<DockerImage> dockerImages = ((Body) dockerImage.parent()).dockerImages();
        return dockerImages.get(dockerImages.size() - 1) == dockerImage;
    }

    private static Optional<UserInstruction> getLastUser(DockerImage dockerImage) {
        Optional<Tree> lastDescendant = TreeUtils.getLastDescendant(dockerImage, tree -> {
            return ((DockerTree) tree).is(DockerTree.Kind.USER);
        });
        Class<UserInstruction> cls = UserInstruction.class;
        Objects.requireNonNull(UserInstruction.class);
        return lastDescendant.map((v1) -> {
            return r1.cast(v1);
        });
    }

    private static boolean isScratchImage(String str) {
        return str.equals("scratch");
    }

    private static boolean isUnsafeImage(String str) {
        return UNSAFE_IMAGES.contains(str);
    }

    private boolean isSafeImage(String str) {
        return SAFE_IMAGES.contains(str) || str.startsWith("bitnami/") || isUserSafeImage(str);
    }

    private boolean isUserSafeImage(String str) {
        return userSafeImages().contains(str);
    }

    private static boolean isMicrosoftUnsafeImage(String str) {
        return str.startsWith("mcr.microsoft.com/");
    }
}
