package org.sonar.iac.docker.checks;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.CheckForNull;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.common.api.checks.SecondaryLocation;
import org.sonar.iac.common.api.tree.HasTextRange;
import org.sonar.iac.docker.checks.utils.CheckUtils;
import org.sonar.iac.docker.checks.utils.Chmod;
import org.sonar.iac.docker.symbols.ArgumentResolution;
import org.sonar.iac.docker.tree.api.Argument;
import org.sonar.iac.docker.tree.api.Flag;
import org.sonar.iac.docker.tree.api.TransferInstruction;

@Rule(key = "S6504")
/* loaded from: input_file:org/sonar/iac/docker/checks/ExecutableNotOwnedByRootCheck.class */
public class ExecutableNotOwnedByRootCheck implements IacCheck {
    private static final String MESSAGE = "Make sure no write permissions are assigned to the executable.";
    private static final String MESSAGE_SECONDARY_OTHER_EXEC = "Other executable file.";
    private static final String MESSAGE_SECONDARY_CHOWN = "Sensitive file owner.";
    private static final Set<String> SENSITIVE_FILE_EXTENSION = Set.of((Object[]) new String[]{"exe", "py", "rb", "pl", "lua", "js", "lisp", "sh", "jar", "war", "run", "bin", "bat", "ps1"});
    private static final Set<String> COMPLIANT_CHOWN_VALUES = Set.of("root", "0", "");

    public void initialize(InitContext initContext) {
        initContext.register(TransferInstruction.class, ExecutableNotOwnedByRootCheck::checkTransferInstruction);
    }

    private static void checkTransferInstruction(CheckContext checkContext, TransferInstruction transferInstruction) {
        Flag sensitiveChownFlag = getSensitiveChownFlag(transferInstruction);
        if (sensitiveChownFlag != null) {
            List<Argument> sensitiveFiles = getSensitiveFiles(transferInstruction.srcs());
            if (isNonRootUser(sensitiveChownFlag)) {
                reportIssue(checkContext, sensitiveChownFlag, sensitiveFiles);
            }
            Chmod chmod = getChmod(transferInstruction);
            if (chmod == null) {
                if (sensitiveFiles.isEmpty()) {
                    return;
                }
                reportIssue(checkContext, sensitiveChownFlag, sensitiveFiles);
            } else if (isSensitiveChmod(sensitiveChownFlag, sensitiveFiles, chmod)) {
                reportIssue(checkContext, sensitiveChownFlag, sensitiveFiles);
            }
        }
    }

    private static boolean isSensitiveChmod(Flag flag, List<Argument> list, Chmod chmod) {
        return !isRootUserAndGroupHasNoWritePermission(flag, chmod) && isSensitiveWriteChmod(chmod) && (isSensitiveExecuteChmod(chmod) || !list.isEmpty());
    }

    private static void reportIssue(CheckContext checkContext, Flag flag, List<Argument> list) {
        if (list.isEmpty()) {
            checkContext.reportIssue(flag, MESSAGE);
            return;
        }
        HasTextRange hasTextRange = list.get(0);
        ArrayList arrayList = new ArrayList();
        Iterator<Argument> it = list.subList(1, list.size()).iterator();
        while (it.hasNext()) {
            arrayList.add(new SecondaryLocation(it.next(), MESSAGE_SECONDARY_OTHER_EXEC));
        }
        arrayList.add(new SecondaryLocation(flag, MESSAGE_SECONDARY_CHOWN));
        checkContext.reportIssue(hasTextRange, MESSAGE, arrayList);
    }

    @CheckForNull
    private static Flag getSensitiveChownFlag(TransferInstruction transferInstruction) {
        return transferInstruction.options().stream().filter(flag -> {
            return flag.name().equals("chown");
        }).filter(ExecutableNotOwnedByRootCheck::isSensitiveUser).findFirst().orElse(null);
    }

    private static boolean isSensitiveUser(Flag flag) {
        ArgumentResolution of = ArgumentResolution.of(flag.value());
        return of.isResolved() && isNonRootChown(of.value());
    }

    @CheckForNull
    private static Chmod getChmod(TransferInstruction transferInstruction) {
        return (Chmod) transferInstruction.options().stream().filter(flag -> {
            return flag.name().equals("chmod");
        }).map(flag2 -> {
            return ArgumentResolution.of(flag2.value());
        }).filter((v0) -> {
            return v0.isResolved();
        }).map(argumentResolution -> {
            return new Chmod(null, null, argumentResolution.value());
        }).findFirst().orElse(null);
    }

    private static List<Argument> getSensitiveFiles(List<Argument> list) {
        return (List) list.stream().map(ArgumentResolution::of).filter(ExecutableNotOwnedByRootCheck::isSensitiveFile).map((v0) -> {
            return v0.argument();
        }).collect(Collectors.toList());
    }

    private static boolean isSensitiveFile(ArgumentResolution argumentResolution) {
        return argumentResolution.isResolved() && SENSITIVE_FILE_EXTENSION.contains(CheckUtils.getFileExtension(argumentResolution.value()));
    }

    private static boolean isSensitiveWriteChmod(Chmod chmod) {
        return chmod.hasPermission("u+w") || chmod.hasPermission("g+w");
    }

    private static boolean isSensitiveExecuteChmod(Chmod chmod) {
        return chmod.hasPermission("u+x") || chmod.hasPermission("g+x") || chmod.hasPermission("o+x");
    }

    private static boolean isRootUserAndGroupHasNoWritePermission(Flag flag, Chmod chmod) {
        ArgumentResolution of = ArgumentResolution.of(flag.value());
        return !chmod.hasPermission("g+w") && (!isNonRootAtId(of.value(), 0)) && isNonRootAtId(of.value(), 1);
    }

    private static boolean isNonRootUser(Flag flag) {
        return isNonRootAtId(ArgumentResolution.of(flag.value()).value(), 0);
    }

    private static boolean isNonRootChown(String str) {
        return isNonRootAtId(str, 0) || isNonRootAtId(str, 1);
    }

    static boolean isNonRootAtId(String str, int i) {
        String[] split = str.split(":");
        return split.length > i && !COMPLIANT_CHOWN_VALUES.contains(split[i]);
    }
}
