package io.jenkins.plugins.slsa;

import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import io.jenkins.plugins.slsa.generator.ProvenanceV0_2Generator;
import io.jenkins.plugins.slsa.model.BuildInfo;
import io.jenkins.plugins.slsa.model.SubjectInfo;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintStream;
import java.util.Collection;
import java.util.HashSet;
import java.util.stream.Stream;
import jenkins.tasks.SimpleBuildStep;
import org.eclipsefdn.security.slsa.attestation.io.AttestationWriter;
import org.eclipsefdn.security.slsa.attestation.model.SignedAttestation;
import org.eclipsefdn.security.slsa.attestation.util.Json;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:io/jenkins/plugins/slsa/ProvenanceRecorder.class */
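/**
 * Post-build step that collects workspace artifacts matching {@code artifactFilter},
 * generates a provenance attestation for them with {@link ProvenanceV0_2Generator},
 * and writes it as an {@code .intoto.jsonl} file under {@code targetDirectory}.
 *
 * <p>This source appears to be decompiler output: parameter names such as {@code str}
 * and the method name {@code m2getDescriptor} are decompiler artifacts.
 * NOTE(review): Stapler binds {@code @DataBoundConstructor} and {@code @QueryParameter}
 * arguments by parameter name, so the original names should be restored from the
 * upstream source before this file is rebuilt.
 */
public class ProvenanceRecorder extends Recorder implements SimpleBuildStep {
    // Ant-style include pattern; environment variables are expanded at build time.
    private String artifactFilter;
    // Directory, resolved against the workspace, that receives the attestation file.
    private String targetDirectory;

    /** Descriptor providing form validation and the display name for this step. */
    @Extension
    @Symbol({"provenanceRecorder"})
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        /**
         * Validates the artifact filter field of the job configuration form.
         *
         * <p>The endpoint is POST-only and requires {@code Item.CONFIGURE} on the
         * enclosing item, so it cannot be driven by a cross-site GET or by users who
         * cannot configure the job.
         *
         * @param str  the submitted filter value; may be {@code null} if the parameter is absent
         * @param item the item being configured, or {@code null} when there is no ancestor item
         * @return an error when the value is missing or empty, otherwise OK
         */
        @POST
        public FormValidation doCheckArtifactFilter(@QueryParameter String str, @AncestorInPath Item item) {
            if (item == null) {
                // No item in the request path: nothing to check permissions against.
                return FormValidation.ok();
            }
            item.checkPermission(Item.CONFIGURE);
            // A missing query parameter arrives as null; treat it like an empty value
            // instead of failing with a NullPointerException.
            if (str == null || str.isEmpty()) {
                return FormValidation.error(Messages.ProvenanceRecorder_DescriptorImpl_errors_missingArtifactFilter());
            }
            return FormValidation.ok();
        }

        /**
         * Validates the target directory field of the job configuration form.
         *
         * <p>Same access rules as {@link #doCheckArtifactFilter}: POST-only and
         * guarded by {@code Item.CONFIGURE}.
         *
         * @param str  the submitted directory value; may be {@code null} if the parameter is absent
         * @param item the item being configured, or {@code null} when there is no ancestor item
         * @return an error when the value is missing or empty, otherwise OK
         */
        @POST
        public FormValidation doCheckTargetDirectory(@QueryParameter String str, @AncestorInPath Item item) {
            if (item == null) {
                return FormValidation.ok();
            }
            item.checkPermission(Item.CONFIGURE);
            if (str == null || str.isEmpty()) {
                return FormValidation.error(Messages.ProvenanceRecorder_DescriptorImpl_errors_missingTargetDirectory());
            }
            return FormValidation.ok();
        }

        /** This step is offered for every project type. */
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        /** Returns the localized name shown in the job configuration UI. */
        @Override
        public String getDisplayName() {
            return Messages.ProvenanceRecorder_DescriptorImpl_DisplayName();
        }
    }

    /**
     * Creates the recorder from form or pipeline data.
     *
     * @param str  the artifact filter
     * @param str2 the target directory
     */
    @DataBoundConstructor
    public ProvenanceRecorder(String str, String str2) {
        setArtifactFilter(str);
        setTargetDirectory(str2);
    }

    /** Returns the configured artifact filter (unexpanded). */
    public String getArtifactFilter() {
        return this.artifactFilter;
    }

    /** Sets the artifact filter. */
    @DataBoundSetter
    public void setArtifactFilter(String str) {
        this.artifactFilter = str;
    }

    /** Returns the configured target directory (unexpanded). */
    public String getTargetDirectory() {
        return this.targetDirectory;
    }

    /** Sets the target directory. */
    @DataBoundSetter
    public void setTargetDirectory(String str) {
        this.targetDirectory = str;
    }

    /**
     * Returns this step's descriptor, narrowed to {@link DescriptorImpl}.
     *
     * <p>The decompiler renamed this from {@code getDescriptor} after merging it with
     * its bridge method; the name is kept here so existing references still resolve.
     */
    public DescriptorImpl m2getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /** This step declares that it needs no build-step monitor. */
    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    /**
     * Collects the matching artifacts, generates the attestation and writes it to the
     * workspace. Nothing is generated when the build result is not {@code SUCCESS},
     * when no artifact matches, or when two artifacts share a name.
     *
     * @param run          the build being attested
     * @param filePath     the workspace root
     * @param envVars      the build environment, used to expand both configured values
     * @param launcher     unused
     * @param taskListener receives progress output
     * @throws InterruptedException if a remote file operation is interrupted
     * @throws IOException          if listing artifacts or writing the attestation fails
     */
    @Override
    public void perform(@NonNull Run<?, ?> run, @NonNull FilePath filePath, @NonNull EnvVars envVars, @NonNull Launcher launcher, @NonNull TaskListener taskListener) throws InterruptedException, IOException {
        PrintStream logger = taskListener.getLogger();
        // Only a build explicitly marked SUCCESS is attested; a null or worse result is skipped.
        // NOTE(review): a still-running Pipeline build may report a null result here - confirm
        // this step is only reached once the result has been set.
        if (run.getResult() != Result.SUCCESS) {
            logger.println("[slsa] - build not successful, not generating provenance attestations");
            return;
        }
        // The action is attached before collection, so it is present on the run even when
        // no attestation ends up being generated.
        ProvenanceAction provenanceAction = new ProvenanceAction();
        run.addAction(provenanceAction);
        FilePath[] artifacts = filePath.list(envVars.expand(this.artifactFilter));
        logger.println("[slsa] collecting artifacts");
        for (FilePath artifact : artifacts) {
            logger.println(" > " + artifact.getName());
            provenanceAction.addSubject(SubjectInfo.of(artifact, filePath));
        }
        Collection<SubjectInfo> subjects = provenanceAction.getSubjects();
        if (subjects.isEmpty()) {
            logger.println(" > found no artifacts, not generating any provenance attestation");
            return;
        }
        // Subjects are identified by artifact name; duplicates would make the attestation
        // ambiguous about which file a digest belongs to, so refuse to generate one.
        if (!areAllSubjectsUnique(subjects)) {
            logger.println(" > found artifacts with duplicate names:");
            for (SubjectInfo subject : subjects) {
                logger.println("   > " + subject.getArtifactName() + " -> " + subject.getWorkspacePath());
            }
            logger.println(" > not generating attestation");
            return;
        }
        logger.println("[slsa] generating attestation");
        SignedAttestation attestation = new ProvenanceV0_2Generator().generateAttestation(subjects, BuildInfo.of(run, envVars));
        // NOTE(review): targetDirectory is expanded from build environment variables and
        // resolved against the workspace without checking that the result stays inside it.
        // An absolute path or ".." segments would place the attestation elsewhere on the
        // agent; consider rejecting such values if the variables can be influenced by
        // users who cannot configure the job.
        FilePath outputDir = new FilePath(filePath, envVars.expand(this.targetDirectory));
        outputDir.mkdirs();
        // subjects is known to be non-empty at this point, so iterator().next() is safe.
        String attestationName = subjects.size() > 1
                ? "multiple.intoto.jsonl"
                : subjects.iterator().next().getArtifactName() + ".intoto.jsonl";
        FilePath attestationFile = new FilePath(outputDir, attestationName);
        // try-with-resources closes the stream on both the success and the failure path.
        try (OutputStream out = attestationFile.write()) {
            new AttestationWriter(out).writeAttestation(attestation);
        }
        provenanceAction.addProvenanceAttestation(attestationFile.getName(), Json.dumpWithPrettyPrinting(attestation.getStatement()));
        logger.println(" > written attestation to " + attestationFile.getRemote());
    }

    /**
     * Reports whether every subject has a distinct artifact name.
     *
     * @param collection the subjects to check
     * @return {@code true} if no two subjects share an artifact name (also for an empty collection)
     */
    public static boolean areAllSubjectsUnique(Collection<SubjectInfo> collection) {
        // HashSet.add returns false on the first repeated name, which short-circuits allMatch.
        HashSet<String> seenNames = new HashSet<>();
        return collection.stream().map(SubjectInfo::getArtifactName).allMatch(seenNames::add);
    }
}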
