package org.sonar.iac.docker.checks;

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.checks.utils.CommandDetector;
import org.sonar.iac.docker.symbols.ArgumentResolution;
import org.sonar.iac.docker.tree.api.RunInstruction;

/**
 * Docker check for rule S4830: raises an issue when a {@code RUN} instruction invokes
 * {@code curl} or {@code wget} with an option that turns off TLS certificate verification.
 *
 * <p>With verification disabled the client accepts any certificate, so a download made at
 * image build time can be served by a party other than the intended host without the build
 * noticing.
 *
 * <p>Scope, as implemented in this class: only {@code RunInstruction} nodes are inspected, and
 * only the two tools and the exact option spellings listed in the constants below are searched
 * for. Other ways of disabling verification are not covered by this check.
 */
@Rule(key = "S4830")
public class UnsecureConnectionCheck implements IacCheck {
    private static final String MESSAGE = "Disabling TLS certificate verification is security-sensitive.";

    // curl options that skip certificate verification: for the target server (-k / --insecure),
    // for an HTTPS proxy (--proxy-insecure) and for a DNS-over-HTTPS server (--doh-insecure).
    private static final Set<String> SENSITIVE_CURL_OPTION = Set.of("-k", "--insecure", "--proxy-insecure", "--doh-insecure");

    // NOTE(review): the exact matching semantics of withAnyFlagFollowedBy (e.g. whether grouped
    // short flags are recognised) live in CommandDetector and are not visible here; confirm there.
    private static final CommandDetector SENSITIVE_CURL_COMMAND = CommandDetector.builder()
        .with("curl")
        .withAnyFlagFollowedBy(SENSITIVE_CURL_OPTION)
        .build();

    // wget equivalent: --no-check-certificate skips validation of the server certificate.
    private static final CommandDetector SENSITIVE_WGET_COMMAND = CommandDetector.builder()
        .with("wget")
        .withAnyFlagFollowedBy("--no-check-certificate")
        .build();

    /**
     * Registers this check so that every {@code RunInstruction} is passed to
     * {@link #checkRun(CheckContext, RunInstruction)}.
     *
     * @param initContext registration entry point supplied by the analyzer
     */
    @Override
    public void initialize(InitContext initContext) {
        initContext.register(RunInstruction.class, UnsecureConnectionCheck::checkRun);
    }

    /**
     * Resolves the arguments of one {@code RUN} instruction and reports every curl or wget
     * command found with a certificate-verification-disabling option.
     *
     * @param checkContext   sink used to report issues
     * @param runInstruction the instruction under analysis
     */
    private static void checkRun(CheckContext checkContext, RunInstruction runInstruction) {
        List<ArgumentResolution> resolvedArguments = runInstruction.arguments().stream()
            .map(ArgumentResolution::of)
            .collect(Collectors.toList());

        // curl matches are reported before wget matches, one issue per matched command.
        for (CommandDetector detector : List.of(SENSITIVE_CURL_COMMAND, SENSITIVE_WGET_COMMAND)) {
            detector.search(resolvedArguments).forEach(match -> checkContext.reportIssue(match, MESSAGE));
        }
    }
}
