"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
from cfnlint.rules import CloudFormationLintRule, RuleMatch


class SecurityGroupIngress(CloudFormationLintRule):
    """Check if EC2 Security Group Ingress Properties"""

    id = "E2506"
    shortdesc = "Resource EC2 Security Group Ingress Properties"
    description = (
        "See if EC2 Security Group Ingress Properties are set correctly. "
        'Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are '
        " are exclusive and using the type of Ref or GetAtt "
    )
    source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html"
    tags = ["resources", "ec2", "securitygroup"]

    def check_ingress_rule(self, vpc_id, properties, path):
        """Check ingress rule"""

        matches = []
        if vpc_id:
            # Check that SourceSecurityGroupName isn't specified
            if properties.get("SourceSecurityGroupName", None):
                path_error = path[:] + ["SourceSecurityGroupName"]
                message = (
                    "SourceSecurityGroupName shouldn't be specified for "
                    "Vpc Security Group at {0}"
                )
                matches.append(
                    RuleMatch(
                        path_error, message.format("/".join(map(str, path_error)))
                    )
                )

        return matches

    def match(self, cfn):
        """Check EC2 Security Group Ingress Resource Parameters"""

        matches = []

        resources = cfn.get_resources(resource_type="AWS::EC2::SecurityGroup")
        for resource_name, resource_object in resources.items():
            properties = resource_object.get("Properties", {})
            if properties:
                vpc_id = properties.get("VpcId", None)
                ingress_rules = properties.get("SecurityGroupIngress")
                if isinstance(ingress_rules, list):
                    for index, ingress_rule in enumerate(ingress_rules):
                        path = [
                            "Resources",
                            resource_name,
                            "Properties",
                            "SecurityGroupIngress",
                            index,
                        ]
                        matches.extend(
                            self.check_ingress_rule(
                                vpc_id=vpc_id, properties=ingress_rule, path=path
                            )
                        )

        resources = None
        resources = cfn.get_resources(resource_type="AWS::EC2::SecurityGroupIngress")
        for resource_name, resource_object in resources.items():
            properties = resource_object.get("Properties", {})
            group_id = properties.get("GroupId", None)
            path = ["Resources", resource_name, "Properties"]
            if group_id:
                vpc_id = "vpc-1234567"
            else:
                vpc_id = None

            if properties:
                path = ["Resources", resource_name, "Properties"]
                matches.extend(
                    self.check_ingress_rule(
                        vpc_id=vpc_id, properties=properties, path=path
                    )
                )
        return matches