package org.sonar.iac.docker.checks;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.checks.utils.CheckUtils;
import org.sonar.iac.docker.checks.utils.CommandDetector;
import org.sonar.iac.docker.symbols.ArgumentResolution;
import org.sonar.iac.docker.tree.api.RunInstruction;

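/**
 * Rule S6437: reports {@code RUN} instructions whose command line generates key
 * material ({@code ssh-keygen}, {@code keytool}, {@code openssl} key/cert
 * subcommands) during the image build. The reported message asks the author not to
 * store a secret in the image; key material written by such a command at build time
 * is presumably persisted in the resulting image layer, which is the risk this rule
 * targets.
 *
 * <p>Each detector below is a {@link CommandDetector} matched against the resolved
 * arguments of the instruction; every match is reported with {@link #MESSAGE}.
 *
 * <p>Note: this listing was recovered from a compiled class (see the "loaded from"
 * comment); the original source had a bound method reference where the decompiler
 * emitted a dangling {@code r1} name, which is restored here.
 */
@Rule(key = "S6437")
/* loaded from: input_file:org/sonar/iac/docker/checks/SecretsGenerationCheck.class */
public class SecretsGenerationCheck implements IacCheck {
    /** Issue message reported on every matched command. */
    private static final String MESSAGE = "Change this code not to store a secret in the image.";

    /**
     * ssh-keygen flags that do not generate a key (listing, fingerprinting, known-hosts
     * maintenance, ...). An ssh-keygen invocation carrying one of these is not reported.
     */
    private static final Set<String> SSH_KEYGEN_COMPLIANT_FLAGS = Set.of("-l", "-F", "-H", "-R", "-r", "-k", "-Q");

    /**
     * Matches {@code ssh-keygen} followed by any arguments, as long as none of them is
     * one of {@link #SSH_KEYGEN_COMPLIANT_FLAGS}.
     */
    private static final CommandDetector SSH_DETECTOR = CommandDetector.builder()
        .with("ssh-keygen")
        .withOptionalRepeatingExcept(SSH_KEYGEN_COMPLIANT_FLAGS)
        // Bound method reference: the decompiled form was `(v1) -> r1.contains(v1)` guarded by
        // Objects.requireNonNull(set), which is javac's desugaring of `set::contains`.
        .notWith(SSH_KEYGEN_COMPLIANT_FLAGS::contains)
        .build();

    /** keytool subcommand flags that create key material. */
    private static final Set<String> SENSITIVE_KEYTOOL_FLAGS = Set.of("-gencert", "-genkeypair", "-genseckey", "-genkey");

    /**
     * Matches {@code keytool} with any options, one of {@link #SENSITIVE_KEYTOOL_FLAGS}
     * anywhere in the argument list, and any further options.
     */
    private static final CommandDetector KEYTOOL_DETECTOR = CommandDetector.builder()
        .with("keytool")
        .withAnyOptionExcluding(SENSITIVE_KEYTOOL_FLAGS)
        .with(SENSITIVE_KEYTOOL_FLAGS)
        .withAnyOptionExcluding(SENSITIVE_KEYTOOL_FLAGS)
        .build();

    /** openssl subcommands that produce keys, parameters or certificates. */
    private static final Set<String> SENSITIVE_OPENSSL_SUBCOMMANDS = Set.of("req", "genrsa", "rsa", "gendsa", "ec", "ecparam", "x509", "genpkey", "pkey");

    /**
     * Matches {@code openssl} directly followed by one of
     * {@link #SENSITIVE_OPENSSL_SUBCOMMANDS}, with any trailing options (nothing excluded).
     */
    private static final CommandDetector SENSITIVE_OPENSSL_COMMANDS = CommandDetector.builder()
        .with("openssl")
        .with(SENSITIVE_OPENSSL_SUBCOMMANDS)
        .withAnyOptionExcluding(Collections.emptyList())
        .build();

    /** All detectors applied to every RUN instruction. */
    private static final Set<CommandDetector> DETECTORS = Set.of(SSH_DETECTOR, KEYTOOL_DETECTOR, SENSITIVE_OPENSSL_COMMANDS);

    /**
     * Registers this check for every {@link RunInstruction} in the analyzed Dockerfile.
     *
     * @param initContext the analysis registration context
     */
    @Override
    public void initialize(InitContext initContext) {
        initContext.register(RunInstruction.class, SecretsGenerationCheck::checkRunInstruction);
    }

    /**
     * Resolves the instruction's arguments and reports an issue for each command matched
     * by any detector in {@link #DETECTORS}.
     *
     * @param checkContext   the reporting context
     * @param runInstruction the RUN instruction under analysis
     */
    private static void checkRunInstruction(CheckContext checkContext, RunInstruction runInstruction) {
        List<ArgumentResolution> resolvedArguments = CheckUtils.resolveInstructionArguments(runInstruction);
        for (CommandDetector detector : DETECTORS) {
            detector.search(resolvedArguments)
                .forEach(command -> checkContext.reportIssue(command, MESSAGE));
        }
    }
}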
