package org.sonar.iac.docker.checks;

import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.iac.common.api.checks.CheckContext;
import org.sonar.iac.common.api.checks.IacCheck;
import org.sonar.iac.common.api.checks.InitContext;
import org.sonar.iac.docker.checks.utils.CheckUtils;
import org.sonar.iac.docker.checks.utils.CommandDetector;
import org.sonar.iac.docker.symbols.ArgumentResolution;
import org.sonar.iac.docker.tree.api.RunInstruction;

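/**
 * Dockerfile check (rule S6506) that reports {@code RUN} instructions where {@code curl} or
 * {@code wget} fetches an {@code https} URL while still being allowed to follow redirects,
 * which, per the issue messages below, might lead to an insecure (cleartext) website.
 *
 * <p>For {@code curl}, an issue is raised when a redirect flag ({@code -L} / {@code --location})
 * is present and {@code --proto} is absent or is not followed by {@code =https}. For
 * {@code wget}, an issue is raised unless {@code --max-redirect=0} is present.
 *
 * <p>NOTE(review): only the exact tokens listed above are recognised as mitigations. Other
 * spellings, such as curl's {@code --proto-redir =https} or a space-separated
 * {@code --max-redirect 0}, are not modelled here; whether they are reported depends on
 * {@code CommandDetector} and argument resolution, which are not visible in this file. Confirm
 * against the rule's test fixtures.
 */
@Rule(key = "S6506")
public class ClearTextProtocolDowngradeCheck implements IacCheck {
    private static final String CURL_MESSAGE = "Not enforcing HTTPS here might allow for redirections to insecure websites. Make sure it is safe here.";
    private static final String WGET_MESSAGE = "Not disabling redirects might allow for redirections to insecure websites. Make sure it is safe here.";

    private static final String CURL_COMMAND = "curl";
    // curl flags that make it follow HTTP redirects.
    private static final Set<String> REDIRECTION_FLAGS = Set.of("-L", "--location");
    // curl flag restricting the allowed protocols; "=https" is the only value treated as safe.
    private static final String PROTO_FLAG = "--proto";
    private static final String PROTO_FLAG_OPTION = "=https";
    // Flags with dedicated predicates; they are excluded from the "any other flag" matcher.
    private static final Set<String> SENSITIVE_FLAGS = Set.of("-L", "--location", PROTO_FLAG);

    // NOTE(review): matches any argument that begins with "https", not strictly "https://".
    private static final Predicate<String> SENSITIVE_HTTPS_URL_BEGINNING = arg -> arg.startsWith("https");
    // Any dash-prefixed argument that is neither a redirect flag nor --proto.
    private static final Predicate<String> OPTIONAL_OTHER_FLAGS = arg -> arg.startsWith("-") && !SENSITIVE_FLAGS.contains(arg);

    // Shared predicate sequences, combined below in both orders (redirect flag before or after
    // --proto) because each detector describes one fixed argument sequence.
    private static final CommandDetector.Builder REDIRECTION_PREDICATES = CommandDetector.builder()
        .withOptional(OPTIONAL_OTHER_FLAGS)
        .with(REDIRECTION_FLAGS)
        .withOptional(OPTIONAL_OTHER_FLAGS);
    // --proto present, but "=https" excluded via notWith at the following position.
    // The method reference replaces a dangling "r1" left behind by decompilation.
    private static final CommandDetector.Builder PROTO_FLAG_MISSING_OPTION_PREDICATES = CommandDetector.builder()
        .withOptional(OPTIONAL_OTHER_FLAGS)
        .with(PROTO_FLAG)
        .notWith(PROTO_FLAG_OPTION::equals)
        .withOptional(OPTIONAL_OTHER_FLAGS);
    // --proto itself excluded via notWith.
    private static final CommandDetector.Builder PROTO_FLAG_MISSING_PREDICATES = CommandDetector.builder()
        .withOptional(OPTIONAL_OTHER_FLAGS)
        .notWith(PROTO_FLAG::equals)
        .withOptional(OPTIONAL_OTHER_FLAGS);
    // --proto followed by an argument other than "=https".
    private static final CommandDetector.Builder PROTO_FLAG_WITH_WRONG_OPTION_PREDICATES = CommandDetector.builder()
        .withOptional(OPTIONAL_OTHER_FLAGS)
        .with(PROTO_FLAG)
        .with(arg -> !arg.equals(PROTO_FLAG_OPTION))
        .withOptional(OPTIONAL_OTHER_FLAGS);

    // Every curl detector ends with the https URL predicate.
    private static final CommandDetector SENSITIVE_CURL_COMMAND_FLAG_WITH_MISSING_OPTION = CommandDetector.builder()
        .with(CURL_COMMAND)
        .withPredicatesFrom(REDIRECTION_PREDICATES)
        .withPredicatesFrom(PROTO_FLAG_MISSING_OPTION_PREDICATES)
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .build();
    private static final CommandDetector SENSITIVE_CURL_COMMAND_FLAG_WITH_MISSING_OPTION_DIFF_ORDER = CommandDetector.builder()
        .with(CURL_COMMAND)
        .withPredicatesFrom(PROTO_FLAG_MISSING_OPTION_PREDICATES)
        .withPredicatesFrom(REDIRECTION_PREDICATES)
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .build();
    private static final CommandDetector SENSITIVE_CURL_COMMAND_MISSING_FLAG = CommandDetector.builder()
        .with(CURL_COMMAND)
        .withPredicatesFrom(REDIRECTION_PREDICATES)
        .withPredicatesFrom(PROTO_FLAG_MISSING_PREDICATES)
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .build();
    private static final CommandDetector SENSITIVE_CURL_COMMAND_FLAG_WITH_WRONG_OPTION = CommandDetector.builder()
        .with(CURL_COMMAND)
        .withPredicatesFrom(REDIRECTION_PREDICATES)
        .withPredicatesFrom(PROTO_FLAG_WITH_WRONG_OPTION_PREDICATES)
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .build();
    private static final CommandDetector SENSITIVE_CURL_COMMAND_FLAG_WITH_WRONG_OPTION_DIFF_ORDER = CommandDetector.builder()
        .with(CURL_COMMAND)
        .withPredicatesFrom(PROTO_FLAG_WITH_WRONG_OPTION_PREDICATES)
        .withPredicatesFrom(REDIRECTION_PREDICATES)
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .build();

    // wget with an https URL and any flag other than "--max-redirect=0".
    private static final CommandDetector WGET_DETECTOR = CommandDetector.builder()
        .with("wget")
        .with(SENSITIVE_HTTPS_URL_BEGINNING)
        .withAnyFlagExcept("--max-redirect=0")
        .build();

    private static final Set<CommandDetector> SENSITIVE_CURL_COMMAND_DETECTORS = Set.of(
        SENSITIVE_CURL_COMMAND_FLAG_WITH_MISSING_OPTION,
        SENSITIVE_CURL_COMMAND_FLAG_WITH_MISSING_OPTION_DIFF_ORDER,
        SENSITIVE_CURL_COMMAND_MISSING_FLAG,
        SENSITIVE_CURL_COMMAND_FLAG_WITH_WRONG_OPTION,
        SENSITIVE_CURL_COMMAND_FLAG_WITH_WRONG_OPTION_DIFF_ORDER);

    /**
     * Registers this check for every {@code RUN} instruction.
     *
     * @param initContext context used to subscribe to tree node types
     */
    public void initialize(InitContext initContext) {
        initContext.register(RunInstruction.class, ClearTextProtocolDowngradeCheck::checkRunInstruction);
    }

    /**
     * Resolves the arguments of a {@code RUN} instruction once, then reports every command
     * matched by one of the curl detectors or by the wget detector.
     *
     * @param checkContext context used to report issues
     * @param runInstruction the {@code RUN} instruction under analysis
     */
    private static void checkRunInstruction(CheckContext checkContext, RunInstruction runInstruction) {
        List<ArgumentResolution> resolvedArguments = CheckUtils.resolveInstructionArguments(runInstruction);
        SENSITIVE_CURL_COMMAND_DETECTORS.forEach(detector ->
            detector.search(resolvedArguments).forEach(command -> checkContext.reportIssue(command, CURL_MESSAGE)));
        WGET_DETECTOR.search(resolvedArguments).forEach(command -> checkContext.reportIssue(command, WGET_MESSAGE));
    }
}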
