package com.datapipe.jenkins.vault;

import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.json.Json;
import com.bettercloud.vault.response.LogicalResponse;
import com.bettercloud.vault.rest.RestResponse;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
import com.cloudbees.plugins.credentials.matchers.IdMatcher;
import com.datapipe.jenkins.vault.configuration.VaultConfigResolver;
import com.datapipe.jenkins.vault.configuration.VaultConfiguration;
import com.datapipe.jenkins.vault.credentials.VaultCredential;
import com.datapipe.jenkins.vault.exception.VaultPluginException;
import com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter;
import com.datapipe.jenkins.vault.model.VaultSecret;
import com.datapipe.jenkins.vault.model.VaultSecretValue;
import com.google.common.annotations.VisibleForTesting;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.EnvVars;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.FilePath;
import hudson.Launcher;
import hudson.console.ConsoleLogFilter;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.security.ACL;
import hudson.tasks.BuildWrapperDescriptor;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import jenkins.tasks.SimpleBuildWrapper;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

/* loaded from: input_file:WEB-INF/lib/hashicorp-vault-plugin.jar:com/datapipe/jenkins/vault/VaultBuildWrapper.class */
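/**
 * Build wrapper that reads secrets from HashiCorp Vault and exposes them to the build as
 * environment variables, registering each retrieved value for masking in the console log.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The Vault credential is looked up with {@code ACL.SYSTEM}, i.e. independently of the
 *       permissions of whoever triggered the build.</li>
 *   <li>Secret paths are expanded against the build environment before they are read.</li>
 *   <li>Retrieved values are handed to {@link MaskingConsoleLogFilter}; the values themselves
 *       are still exported to the build environment via {@code context.env}.</li>
 * </ul>
 */
public class VaultBuildWrapper extends SimpleBuildWrapper {
    private VaultConfiguration configuration;
    private List<VaultSecret> vaultSecrets;
    // Plain-text secret values collected during setUp and handed to the masking log filter.
    // NOTE(review): this field is not transient and is never cleared. If Jenkins persists this
    // wrapper instance together with the job configuration, the retrieved secret values could be
    // persisted with it -- confirm, and consider a transient field that is re-created on load.
    private List<String> valuesToMask = new ArrayList<>();
    private VaultAccessor vaultAccessor = new VaultAccessor();
    private PrintStream logger;

    /** Descriptor registering this wrapper under the {@code withVault} symbol. */
    @Extension
    @Symbol({"withVault"})
    public static final class DescriptorImpl extends BuildWrapperDescriptor {
        public DescriptorImpl() {
            super(VaultBuildWrapper.class);
            load();
        }

        /** The wrapper is offered for every project type. */
        @Override
        public boolean isApplicable(AbstractProject<?, ?> abstractProject) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Vault Plugin";
        }
    }

    /**
     * @param list the secrets to read from Vault; may be {@code null}, in which case
     *     {@link #setUp} resolves the configuration and then does nothing else
     */
    @DataBoundConstructor
    public VaultBuildWrapper(@CheckForNull List<VaultSecret> list) {
        this.vaultSecrets = list;
    }

    /**
     * Resolves the effective Vault configuration for the build and, if any secrets are
     * configured, reads them and exports them into the build environment.
     *
     * @throws VaultPluginException if no configuration, Vault URL or credential id is available,
     *     or if a Vault read fails
     * @throws IllegalArgumentException if a requested key is missing or blank in a response
     */
    @Override
    public void setUp(SimpleBuildWrapper.Context context, Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener, EnvVars envVars) {
        this.logger = taskListener.getLogger();
        pullAndMergeConfiguration(run);
        if (this.vaultSecrets == null || this.vaultSecrets.isEmpty()) {
            return;
        }
        provideEnvironmentVariablesFromVault(context, run, envVars);
    }

    public List<VaultSecret> getVaultSecrets() {
        return this.vaultSecrets;
    }

    @DataBoundSetter
    public void setConfiguration(VaultConfiguration vaultConfiguration) {
        this.configuration = vaultConfiguration;
    }

    public VaultConfiguration getConfiguration() {
        return this.configuration;
    }

    /** Replaces the Vault client wrapper; intended for tests only. */
    @VisibleForTesting
    public void setVaultAccessor(VaultAccessor vaultAccessor) {
        this.vaultAccessor = vaultAccessor;
    }

    /** Collects the non-empty lease ids of the given responses, in iteration order. */
    private List<String> retrieveLeaseIds(List<LogicalResponse> list) {
        List<String> leaseIds = new ArrayList<>();
        for (LogicalResponse response : list) {
            String leaseId = response.getLeaseId();
            if (leaseId != null && !leaseId.isEmpty()) {
                leaseIds.add(leaseId);
            }
        }
        return leaseIds;
    }

    /**
     * Reads every configured secret from Vault and exports the requested keys as environment
     * variables, recording each value in {@code valuesToMask}.
     *
     * @throws VaultPluginException if the Vault URL is blank or a read fails
     * @throws IllegalArgumentException if a requested key is missing or blank in the response
     */
    private void provideEnvironmentVariablesFromVault(SimpleBuildWrapper.Context context, Run<?, ?> run, EnvVars envVars) {
        String vaultUrl = getConfiguration().getVaultUrl();
        if (StringUtils.isBlank(vaultUrl)) {
            throw new VaultPluginException("The vault url was not configured - please specify the vault url to use.");
        }
        // NOTE(review): the third argument is the skipSslVerification setting; presumably it turns
        // off TLS certificate verification for the Vault connection. With verification off, the
        // Vault token and the secrets travel over a channel whose peer is not authenticated --
        // confirm this is only enabled deliberately.
        this.vaultAccessor.init(vaultUrl, retrieveVaultCredentials(run), this.configuration.isSkipSslVerification());
        for (VaultSecret vaultSecret : this.vaultSecrets) {
            // The configured path is expanded against the build environment, so the values in
            // envVars decide which Vault path is read.
            // NOTE(review): if envVars can carry user-supplied build parameters, the Vault policy
            // attached to the credential is the only limit on which paths a build can read -- confirm.
            String path = envVars.expand(vaultSecret.getPath());
            try {
                // A per-secret engine version overrides the one from the merged configuration.
                Integer engineVersion = Optional.ofNullable(vaultSecret.getEngineVersion()).orElse(this.configuration.getEngineVersion());
                LogicalResponse response = this.vaultAccessor.read(path, engineVersion);
                parseVaultErrorCodes(path, response);
                Map<String, String> data = response.getData();
                for (VaultSecretValue secretValue : vaultSecret.getSecretValues()) {
                    String vaultKey = secretValue.getVaultKey();
                    String value = data.get(vaultKey);
                    if (StringUtils.isBlank(value)) {
                        // The message names only the key and the path, never the value.
                        throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
                    }
                    // Register the value for masking before it is exported to the build.
                    this.valuesToMask.add(value);
                    context.env(secretValue.getEnvVar(), value);
                }
            } catch (VaultPluginException e) {
                // Only a VaultException cause carries an HTTP status code. Checking the type first
                // avoids a ClassCastException that would hide the original failure when the cause
                // is some other throwable.
                Throwable cause = e.getCause();
                if (!(cause instanceof VaultException)) {
                    throw e;
                }
                VaultException vaultException = (VaultException) cause;
                throw new VaultPluginException(String.format("Vault response returned %d for secret path %s", vaultException.getHttpStatusCode(), path), vaultException);
            }
        }
    }

    /**
     * Inspects the HTTP status of a Vault response and reports errors to the build log.
     *
     * <p>NOTE(review): after a 403, or a 404 with failIfNotFound disabled, this method simply
     * returns and the caller goes on to look up the requested keys in the response data. If those
     * keys are absent the caller throws {@link IllegalArgumentException}, so the build can still
     * fail with a "null or empty" message -- confirm whether these cases should skip the secret.
     *
     * @param str the expanded secret path, used in log and exception messages
     * @param logicalResponse the response returned by the Vault read
     * @throws VaultPluginException on a 404 when the configuration sets failIfNotFound
     */
    private void parseVaultErrorCodes(String str, LogicalResponse logicalResponse) {
        RestResponse restResponse = logicalResponse.getRestResponse();
        if (restResponse == null) {
            return;
        }
        int status = restResponse.getStatus();
        if (status == 403) {
            this.logger.printf("Access denied to Vault Secrets at %s%n", str);
            return;
        }
        if (status == 404) {
            if (this.configuration.isFailIfNotFound()) {
                throw new VaultPluginException(String.format("Vault credentials not found for %s", str));
            }
            this.logger.printf("Vault credentials not found for %s%n", str);
        } else if (status >= 400) {
            // Log the status before touching the body so it is reported even when the body
            // cannot be interpreted.
            this.logger.printf("Vault responded with %d error code.%n", status);
            String errors = extractErrorMessages(restResponse.getBody());
            if (StringUtils.isNotBlank(errors)) {
                this.logger.printf("Vault responded with errors: %s%n", errors);
            }
        }
    }

    /**
     * Extracts the entries of the top-level {@code errors} array of a JSON error body, joined
     * with newlines. Returns an empty string when the body is absent or does not have that shape.
     */
    private static String extractErrorMessages(byte[] body) {
        if (body == null || body.length == 0) {
            return "";
        }
        try {
            return Optional.of(Json.parse(new String(body, StandardCharsets.UTF_8)))
                .map(value -> value.asObject())
                .map(jsonObject -> jsonObject.get("errors"))
                .map(value -> value.asArray())
                .map(array -> array.values())
                .map(values -> values.stream().map(value -> value.asString()).collect(Collectors.joining("\n")))
                .orElse("");
        } catch (RuntimeException ignored) {
            // This is a diagnostics-only path: an error body that is not JSON, or not shaped as
            // expected, must not replace the HTTP status report with a parser exception.
            return "";
        }
    }

    /**
     * Looks up the Vault credential named by the configuration.
     *
     * <p>The lookup runs as {@code ACL.SYSTEM} in the context of the run's parent item, so it is
     * not restricted by the permissions of the user who started the build.
     *
     * @throws VaultPluginException if no credential id is configured
     * @throws CredentialsUnavailableException if no credential with that id is found
     */
    private VaultCredential retrieveVaultCredentials(Run<?, ?> run) {
        String vaultCredentialId = getConfiguration().getVaultCredentialId();
        if (StringUtils.isBlank(vaultCredentialId)) {
            throw new VaultPluginException("The credential id was not configured - please specify the credentials to use.");
        }
        List<VaultCredential> candidates = CredentialsProvider.lookupCredentials(VaultCredential.class, run.getParent(), ACL.SYSTEM, Collections.emptyList());
        VaultCredential credential = CredentialsMatchers.firstOrNull(candidates, new IdMatcher(vaultCredentialId));
        if (credential == null) {
            throw new CredentialsUnavailableException(vaultCredentialId);
        }
        return credential;
    }

    /**
     * Builds the effective configuration by merging the one set on this wrapper (if any) with the
     * configuration each registered {@link VaultConfigResolver} provides for the job.
     *
     * @throws VaultPluginException if no configuration results from the merge
     */
    private void pullAndMergeConfiguration(Run<?, ?> run) {
        for (VaultConfigResolver resolver : ExtensionList.lookup(VaultConfigResolver.class)) {
            VaultConfiguration resolved = resolver.forJob(run.getParent());
            if (this.configuration != null) {
                this.configuration = this.configuration.mergeWithParent(resolved);
            } else {
                this.configuration = resolved;
            }
        }
        if (this.configuration == null) {
            throw new VaultPluginException("No configuration found - please configure the VaultPlugin.");
        }
        // Fall back to engine version 2 when none was configured.
        if (this.configuration.getEngineVersion() == null) {
            this.configuration.setEngineVersion(2);
        }
    }

    /**
     * Returns a console filter built from the values collected in {@code valuesToMask}.
     *
     * <p>NOTE(review): the filter receives the exact retrieved strings; presumably a secret that
     * reaches the log in another encoding would not match and so would not be masked -- confirm
     * against {@link MaskingConsoleLogFilter}.
     */
    @Override
    public ConsoleLogFilter createLoggerDecorator(@NonNull Run<?, ?> run) {
        return new MaskingConsoleLogFilter(run.getCharset().name(), this.valuesToMask);
    }
}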
