package io.jenkins.plugins.workfloworas;

import com.cloudbees.plugins.credentials.CredentialsMatcher;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.AbortException;
import hudson.Extension;
import hudson.FilePath;
import hudson.Util;
import hudson.model.Action;
import hudson.model.Computer;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.model.TopLevelItem;
import hudson.security.ACL;
import hudson.slaves.WorkspaceList;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import jenkins.model.Jenkins;
import land.oras.ArtifactType;
import land.oras.ContainerRef;
import land.oras.Layer;
import land.oras.Manifest;
import land.oras.Registry;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
import org.jenkinsci.plugins.workflow.cps.CpsFlowFactoryAction2;
import org.jenkinsci.plugins.workflow.flow.FlowDefinition;
import org.jenkinsci.plugins.workflow.flow.FlowDefinitionDescriptor;
import org.jenkinsci.plugins.workflow.flow.FlowExecution;
import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:io/jenkins/plugins/workfloworas/CpsOrasFlowDefinition.class */
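/**
 * Pipeline definition that loads its script from an OCI registry through the ORAS client.
 *
 * <p>Two modes are supported, selected by {@link #getScriptPath()}:
 * <ul>
 *   <li>no script path: the manifest must carry {@link #ARTIFACT_TYPE_SCRIPT} and the blob of its
 *       first layer is used as the pipeline script;</li>
 *   <li>script path set: the manifest must carry {@link #ARTIFACT_TYPE_REPO}; the artifact is
 *       pulled into a temporary workspace and the file at the script path is used.</li>
 * </ul>
 *
 * <p>Security notes for reviewers: the fetched text is executed as a pipeline (with the sandbox
 * flag set), so the integrity of the registry connection and of the referenced artifact matters.
 * A tag-based {@code containerRef} is whatever the registry currently serves for that tag; the
 * digest that was actually used is written to the build log.
 */
public class CpsOrasFlowDefinition extends FlowDefinition {
    /** Artifact type expected on the manifest when the artifact is a single pipeline script. */
    public static final ArtifactType ARTIFACT_TYPE_SCRIPT = ArtifactType.from("application/vnd.jenkins.pipeline.manifest.v1+json");
    /** Artifact type expected on the manifest when a script is selected from a pulled artifact. */
    public static final ArtifactType ARTIFACT_TYPE_REPO = ArtifactType.from("application/vnd.jenkins.repo.manifest.v1+json");
    // ID of the username/password credentials used against the registry; null or empty means anonymous.
    private String credentialsId;
    // Reference of the artifact to pull, parsed with ContainerRef.parse at execution time.
    private final String containerRef;
    // Optional path of the script inside the pulled artifact.
    private String scriptPath;

    /** Descriptor exposing this definition under the {@code cpsOras} symbol. */
    @Extension
    @Symbol({"cpsOras"})
    public static class DescriptorImpl extends FlowDefinitionDescriptor {
        @NonNull
        @Override
        public String getDisplayName() {
            return "Pipeline script from ORAS";
        }

        /**
         * Fills the credentials drop-down of the configuration form.
         *
         * <p>Callers lacking the required permission only get their current value echoed back, so
         * the endpoint cannot be used to enumerate credential IDs.
         *
         * @param item the item being configured, or {@code null} outside an item context
         * @param credentialsId the currently selected credentials ID (bound by parameter name)
         * @return the selectable credentials
         */
        @POST
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            boolean allowed = item == null
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.EXTENDED_READ) || item.hasPermission(CredentialsProvider.USE_ITEM);
            if (!allowed) {
                return result.includeCurrentValue(credentialsId);
            }
            // Offer only the credential type getCredentials() can resolve; listing every
            // StandardUsernameCredentials let users pick entries that then failed at build time
            // with "No credentials found with ID".
            return result.includeEmptyValue()
                    .includeMatchingAs(
                            ACL.SYSTEM2,
                            item,
                            StandardUsernamePasswordCredentials.class,
                            Collections.emptyList(),
                            CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class))
                    .includeCurrentValue(credentialsId);
        }
    }

    /**
     * Creates the definition.
     *
     * @param containerRef reference of the artifact holding the pipeline; Stapler binds
     *     constructor arguments by parameter name, so the name has to match the
     *     {@code containerRef} property
     */
    @DataBoundConstructor
    public CpsOrasFlowDefinition(String containerRef) {
        this.containerRef = containerRef;
    }

    /** @return the ID of the registry credentials, or {@code null} when none is configured */
    public String getCredentialsId() {
        return this.credentialsId;
    }

    /** @param credentialsId ID of the username/password credentials used to reach the registry */
    @DataBoundSetter
    public void setCredentialsId(String credentialsId) {
        this.credentialsId = credentialsId;
    }

    /** @return the configured container reference */
    public String getContainerRef() {
        return this.containerRef;
    }

    /** @return the path of the script inside the artifact, or {@code null} when not set */
    public String getScriptPath() {
        return this.scriptPath;
    }

    /** @param scriptPath path of the script inside the pulled artifact */
    @DataBoundSetter
    public void setScriptPath(String scriptPath) {
        this.scriptPath = scriptPath;
    }

    /**
     * Fetches the pipeline script from the registry and builds the execution for it.
     *
     * @param flowExecutionOwner owner of the execution; its executable must be a {@link Run}
     * @param taskListener receives the log line naming the container reference and digest used
     * @param list actions of the build; a {@link CpsFlowFactoryAction2} among them takes over
     * @return the execution created from the fetched script
     * @throws IOException if the owner is not a run, the controller computer is unavailable or
     *     the script file is missing from the pulled artifact
     * @throws IllegalArgumentException if credentials, artifact type, layers or digest are not
     *     as expected
     * @throws SecurityException if the script path resolves outside the download directory
     */
    @Override
    public FlowExecution create(FlowExecutionOwner flowExecutionOwner, TaskListener taskListener, List<? extends Action> list) throws Exception {
        for (Action action : list) {
            if (action instanceof CpsFlowFactoryAction2) {
                return ((CpsFlowFactoryAction2) action).create(this, flowExecutionOwner, list);
            }
        }
        Object executable = flowExecutionOwner.getExecutable();
        if (!(executable instanceof Run)) {
            throw new IOException("Can only pull a Jenkinsfile in a run");
        }
        Run<?, ?> run = (Run<?, ?>) executable;
        Registry registry = buildRegistry(run.getParent(), this.credentialsId);
        StandardUsernamePasswordCredentials credentials = getCredentials(run.getParent(), this.credentialsId);
        if (credentials != null) {
            // Record the usage so the credential's usage report shows this build.
            CredentialsProvider.track(run, credentials);
        }
        ContainerRef ref = ContainerRef.parse(this.containerRef);
        Manifest manifest = registry.getManifest(ref);
        ensureArtifactType(this.scriptPath, manifest);
        List<Layer> layers = manifest.getLayers();
        if (layers == null || layers.isEmpty()) {
            // Previously surfaced as a bare IndexOutOfBoundsException from get(0).
            throw new IllegalArgumentException("No layers found for the container reference: " + ref);
        }
        String digest = layers.get(0).getDigest();
        if (digest == null || digest.isEmpty()) {
            throw new IllegalArgumentException("No digest found for the container reference: " + ref);
        }
        if (!hasScriptPath(this.scriptPath)) {
            taskListener.getLogger().printf("Using pipeline script from container %s with digest %s%n", this.containerRef, digest);
            // NOTE(review): the whole blob is buffered in memory with no size cap visible here;
            // consider bounding the read if registries outside your control can be referenced.
            try (InputStream blob = registry.fetchBlob(ref.withDigest(digest))) {
                String script = new String(blob.readAllBytes(), StandardCharsets.UTF_8);
                return new CpsFlowExecution(script, true, flowExecutionOwner);
            }
        }
        FilePath downloadFolder = getDownloadFolder(flowExecutionOwner);
        Computer computer = Jenkins.get().toComputer();
        if (computer == null) {
            throw new IOException(Jenkins.get().getDisplayName() + " may be offline");
        }
        taskListener.getLogger().printf("Using pipeline script %s from container %s with digest %s%n", this.scriptPath, this.containerRef, digest);
        try (WorkspaceList.Lease lease = computer.getWorkspaceList().allocate(downloadFolder)) {
            Path requested = Path.of(this.scriptPath).normalize();
            Path root = Path.of(lease.path.getRemote());
            Path target = root.resolve(requested).normalize();
            // Lexical containment check: rejects absolute paths and ".." escapes before any
            // content is written to disk.
            if (!target.startsWith(root)) {
                throw new SecurityException("Only script path inside archive can be selected: " + requested);
            }
            String script;
            try {
                registry.pullArtifact(ref, root, true);
                if (!Files.exists(target)) {
                    throw new IOException("Script path does not exist in the container: " + requested);
                }
                // The lexical check cannot see symbolic links created by the extracted content.
                // Whether the ORAS client can materialise links is not visible from this class,
                // so resolve the real location and require it to stay under the download root
                // before reading a file on the controller.
                Path realTarget = target.toRealPath();
                if (!realTarget.startsWith(root.toRealPath())) {
                    throw new SecurityException("Only script path inside archive can be selected: " + requested);
                }
                script = Files.readString(realTarget);
            } finally {
                // Clean up on failure as well; the download used to stay on disk whenever the
                // pull, the existence check or the read threw.
                Util.deleteRecursive(root.toFile());
            }
            return new CpsFlowExecution(script, true, flowExecutionOwner);
        }
    }

    /** Tells whether a script path is configured (neither {@code null} nor empty). */
    private static boolean hasScriptPath(String str) {
        return str != null && !str.isEmpty();
    }

    /**
     * Computes the directory the artifact is pulled into: the job workspace on the controller
     * with the workspace-list suffix followed by {@code cps}.
     *
     * @throws AbortException if the build does not belong to a top-level item
     * @throws IOException if no workspace is available for the item
     */
    private FilePath getDownloadFolder(FlowExecutionOwner flowExecutionOwner) throws IOException {
        Object parent = flowExecutionOwner.getExecutable().getParent();
        if (!(parent instanceof TopLevelItem)) {
            throw new AbortException("Cannot check out in non-top-level build");
        }
        FilePath workspace = Jenkins.get().getWorkspaceFor((TopLevelItem) parent);
        if (workspace == null) {
            throw new IOException(Jenkins.get().getDisplayName() + " may be offline");
        }
        return workspace.withSuffix(getFilePathSuffix() + "cps");
    }

    /** Reads the workspace suffix separator from the system property, defaulting to {@code @}. */
    private static String getFilePathSuffix() {
        return System.getProperty(WorkspaceList.class.getName(), "@");
    }

    /**
     * Builds the ORAS registry client, authenticated when a credentials ID is configured.
     *
     * @throws IllegalArgumentException if the credentials ID does not resolve
     */
    private static Registry buildRegistry(Item item, String str) {
        Registry.Builder builder = Registry.builder();
        if (str == null || str.isEmpty()) {
            // NOTE(review): anonymous access is coupled to insecure(), which presumably relaxes
            // transport security in the ORAS client - confirm against the SDK. The fetched
            // content becomes the pipeline script, so an unprotected connection would let
            // anyone on the network path substitute it. Consider defaulting anonymous pulls to
            // the secure client and making insecure mode an explicit opt-in.
            return builder.insecure().build();
        }
        StandardUsernamePasswordCredentials credentials = getCredentials(item, str);
        if (credentials == null) {
            throw new IllegalArgumentException("No credentials found with ID: " + str);
        }
        return builder.defaults(credentials.getUsername(), credentials.getPassword().getPlainText()).build();
    }

    /**
     * Looks up username/password credentials by ID in the scope of the given item.
     *
     * <p>The lookup runs as {@link ACL#SYSTEM2}, so it is bounded by what the item's credential
     * stores expose, not by the permissions of the user who triggered the build.
     *
     * @param item item whose credential stores are searched
     * @param str credentials ID; {@code null} or empty yields {@code null}
     * @return the matching credentials, or {@code null} when none match
     */
    @Nullable
    public static StandardUsernamePasswordCredentials getCredentials(Item item, String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        List<StandardUsernamePasswordCredentials> candidates = CredentialsProvider.lookupCredentialsInItem(
                StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM2, Collections.emptyList());
        CredentialsMatcher byIdAndType = CredentialsMatchers.allOf(new CredentialsMatcher[] {
            CredentialsMatchers.withId(str),
            CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class)
        });
        return CredentialsMatchers.firstOrNull(candidates, byIdAndType);
    }

    /**
     * Rejects manifests whose artifact type does not match the selected mode.
     *
     * @param str configured script path; decides which artifact type is expected
     * @param manifest manifest fetched for the container reference
     * @throws IllegalArgumentException if the media types differ
     */
    private static void ensureArtifactType(String str, Manifest manifest) {
        boolean repoMode = hasScriptPath(str);
        ArtifactType expected = repoMode ? ARTIFACT_TYPE_REPO : ARTIFACT_TYPE_SCRIPT;
        if (Objects.equals(expected.getMediaType(), manifest.getArtifactType().getMediaType())) {
            return;
        }
        String kind = repoMode ? "repository" : "pipeline";
        throw new IllegalArgumentException("The container reference does not point to a valid %s manifest. Make sure to set %s artifact type when pushing the artifact. Found artifact type %s instead".formatted(kind, expected, manifest.getArtifactType()));
    }
}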
