package com.sysdig.jenkins.plugins.sysdig.infrastructure.jenkins.iac.entrypoint;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.sysdig.jenkins.plugins.sysdig.domain.SysdigLogger;
import com.sysdig.jenkins.plugins.sysdig.infrastructure.http.RetriableRemoteDownloader;
import com.sysdig.jenkins.plugins.sysdig.infrastructure.jenkins.RunContext;
import com.sysdig.jenkins.plugins.sysdig.infrastructure.scanner.SysdigIaCScanningProcessBuilder;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.AbortException;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.Vector;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;

/* loaded from: input_file:com/sysdig/jenkins/plugins/sysdig/infrastructure/jenkins/iac/entrypoint/IaCScanningBuilder.class */
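/**
 * Jenkins build step that downloads the Sysdig CLI scanner binary and runs an IaC scan with it.
 *
 * <p>The step resolves a download URL from the configured scanner version, fetches the executable
 * through {@link RetriableRemoteDownloader}, runs it via {@link SysdigIaCScanningProcessBuilder}
 * and maps the process exit status onto the build result.
 *
 * <p>NOTE(review): this listing looks decompiled, so parameter names such as {@code str} and
 * {@code z} are probably not the original ones. Stapler can bind {@code @QueryParameter} and
 * {@code @DataBoundConstructor} arguments by parameter name, so confirm the names against the
 * real source before relying on them.
 */
public class IaCScanningBuilder extends Builder implements SimpleBuildStep {
    /** Scanner release that is downloaded when the version is left at "latest". */
    private static final String FIXED_SCANNED_VERSION = "1.16.1";

    /**
     * Allowed shape of a version string: alphanumeric groups joined by single '.', '_' or '-'.
     * Rejects '/', "..", '?', '#', '%' and whitespace so the value cannot change the download path.
     */
    private static final String VERSION_REGEX = "[A-Za-z0-9]+(?:[._-][A-Za-z0-9]+)*";

    private String engineCredentialsId;
    private boolean listUnsupported = false;
    private boolean isRecursive = true;
    private String path = "";
    private String severityThreshold = "h";
    private String sysdigEnv = "";
    private String version = FIXED_SCANNED_VERSION;

    /** Raised when the scanner exits with status 2. */
    public static class BadParamCLIScan extends Exception {
        public BadParamCLIScan(String str) {
            super(str);
        }
    }

    /** Descriptor exposing the form-validation and credential-listing endpoints of this step. */
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        public static final boolean DEFAULT_IS_RECURSIVE = true;
        public static final String DEFAULT_CLI_VERSION = "latest";

        /**
         * Validates the engine URL field.
         *
         * @param str submitted value; a missing (null) value is treated like an empty one
         * @param z unused
         * @return error when empty, warning when shorter than 4 characters, ok otherwise
         */
        public FormValidation doCheckSysdigEnv(@QueryParameter String str, @QueryParameter boolean z) {
            // A request without the parameter would otherwise fail with a NullPointerException.
            if (str == null || str.isEmpty()) {
                return FormValidation.error("missing field");
            }
            return str.length() < 4 ? FormValidation.warning("too") : FormValidation.ok();
        }

        /**
         * Validates the API token field with the same rules as {@link #doCheckSysdigEnv}.
         *
         * @param str submitted value; a missing (null) value is treated like an empty one
         * @param z unused
         * @return error when empty, warning when shorter than 4 characters, ok otherwise
         */
        public FormValidation doCheckSecureAPIToken(@QueryParameter String str, @QueryParameter boolean z) {
            if (str == null || str.isEmpty()) {
                return FormValidation.error("missing field");
            }
            return str.length() < 4 ? FormValidation.warning("too") : FormValidation.ok();
        }

        /**
         * Validates the scan path field.
         *
         * @param str submitted value; a missing (null) value is treated like an empty one
         * @param z unused
         * @return error when empty, ok otherwise
         */
        public FormValidation doCheckPath(@QueryParameter String str, @QueryParameter boolean z) {
            return (str == null || str.isEmpty()) ? FormValidation.error("missing field") : FormValidation.ok();
        }

        /**
         * Fills the credentials drop-down.
         *
         * @param str currently selected credentials ID
         * @return only the current value for callers without {@code Jenkins.ADMINISTER}; otherwise
         *     the username/password credentials visible from the Jenkins root as {@code ACL.SYSTEM2}
         */
        public ListBoxModel doFillEngineCredentialsIdItems(@QueryParameter String str) {
            StandardListBoxModel items = new StandardListBoxModel();
            // Callers without ADMINISTER must not be able to enumerate stored credentials.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return items.includeCurrentValue(str);
            }
            return items.includeEmptyValue().includeMatchingAs(ACL.SYSTEM2, Jenkins.get(), StandardUsernamePasswordCredentials.class, Collections.emptyList(), CredentialsMatchers.always());
        }

        /**
         * Checks that a credentials ID is present and resolves to a stored credential.
         *
         * @param str credentials ID to check
         * @return ok for callers without {@code Jenkins.ADMINISTER} (no lookup is performed for
         *     them); otherwise an error when the ID is blank or unknown, ok when it exists
         */
        public FormValidation doCheckCredentialsId(@QueryParameter String str) {
            // The lookup below runs as ACL.SYSTEM2, so its answer reveals whether an ID exists.
            // Apply the same gate as doFillEngineCredentialsIdItems so that only administrators
            // can use this endpoint to test credential IDs.
            // NOTE(review): consider also restricting this endpoint to POST requests.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
            if (str == null || str.trim().isEmpty()) {
                return FormValidation.error("Credentials ID must be provided.");
            }
            StandardCredentials match = CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentialsInItemGroup(StandardCredentials.class, Jenkins.get(), ACL.SYSTEM2, Collections.emptyList()), CredentialsMatchers.withId(str));
            return match == null ? FormValidation.error("No credentials found with the given ID.") : FormValidation.ok();
        }

        /** The step is offered for every project type. */
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        @NonNull
        public String getDisplayName() {
            return "Sysdig Secure Code Scan";
        }
    }

    /** Raised when the scanner exits with status 1 or 3. */
    public static class FailedCLIScan extends Exception {
        public FailedCLIScan(String str) {
            super(str);
        }
    }

    /**
     * Creates the step.
     *
     * @param str ID of the credentials entry used to obtain the Sysdig token
     */
    @DataBoundConstructor
    public IaCScanningBuilder(String str) {
        this.engineCredentialsId = str;
    }

    public boolean isListUnsupported() {
        return this.listUnsupported;
    }

    @DataBoundSetter
    public void setListUnsupported(boolean z) {
        this.listUnsupported = z;
    }

    public String getPath() {
        return this.path;
    }

    @DataBoundSetter
    public void setPath(String str) {
        this.path = str;
    }

    public boolean getIsRecursive() {
        return this.isRecursive;
    }

    @DataBoundSetter
    public void setIsRecursive(boolean z) {
        this.isRecursive = z;
    }

    public String getVersion() {
        return this.version;
    }

    /**
     * Sets the scanner version to download. The value is stored as given and validated when the
     * download URL is built.
     */
    @DataBoundSetter
    public void setVersion(String str) {
        this.version = str;
    }

    public String getSysdigEnv() {
        return this.sysdigEnv;
    }

    /** Sets the engine URL; an empty value leaves the process builder's own default in place. */
    @DataBoundSetter
    public void setSysdigEnv(String str) {
        this.sysdigEnv = str;
    }

    @DataBoundSetter
    public void setSeverityThreshold(String str) {
        this.severityThreshold = str;
    }

    public String getEngineCredentialsId() {
        return this.engineCredentialsId;
    }

    @DataBoundSetter
    public void setEngineCredentialsId(String str) {
        this.engineCredentialsId = str;
    }

    /**
     * Assembles the scanner invocation from the configured options.
     *
     * @param runContext context supplying the token lookup and the logger
     * @param str path of the scanner executable
     * @return the configured process builder
     * @throws AbortException declared by the original signature; presumably raised by the
     *     credentials lookup — confirm against RunContext
     */
    private SysdigIaCScanningProcessBuilder buildCommand(RunContext runContext, String str) throws AbortException {
        SysdigIaCScanningProcessBuilder command = new SysdigIaCScanningProcessBuilder(str, runContext.getSysdigTokenFromCredentials(this.engineCredentialsId))
                .withRecursive(getIsRecursive())
                .withUnsupportedResources(isListUnsupported())
                .withSeverity(SysdigIaCScanningProcessBuilder.Severity.fromString(this.severityThreshold))
                .withPathsToScan(this.path)
                .withStdoutRedirectedTo(runContext.getLogger())
                .withStderrRedirectedTo(runContext.getLogger());
        // NOTE(review): sysdigEnv comes from job configuration and is passed on unvalidated as the
        // engine URL for a process that also holds the token; consider requiring an https URL.
        // The null guard covers a setter call with null, which previously raised an NPE here.
        if (this.sysdigEnv != null && !this.sysdigEnv.isEmpty()) {
            command = command.withEngineURL(this.sysdigEnv);
        }
        return command;
    }

    /** Appends the severity flag to an argument vector. Not called from within this class. */
    private void severity(Vector<String> vector) {
        vector.add("-f");
        vector.add(this.severityThreshold);
    }

    /**
     * Downloads the scanner, runs it and records the outcome on the build.
     *
     * <p>Exit status 0 marks the build successful; 1, 2, 3 and any other status mark it failed.
     * All exceptions are logged and converted into a failed build rather than propagated.
     */
    public void perform(@NonNull Run<?, ?> run, @NonNull FilePath filePath, @NonNull EnvVars envVars, @NonNull Launcher launcher, @NonNull TaskListener taskListener) {
        RunContext runContext = new RunContext(run, filePath, envVars, launcher, taskListener);
        SysdigLogger logger = runContext.getLogger();
        logger.logInfo("Attempting to download CLI");
        try {
            // NOTE(review): no checksum or signature verification of the downloaded executable is
            // visible here before it is run; whether RetriableRemoteDownloader verifies integrity
            // is not shown in this file — confirm, and pin a digest per version if it does not.
            FilePath scannerBinary = new RetriableRemoteDownloader(runContext).downloadExecutable(sysdigCLIScannerURLForVersion(getVersion()), "sysdig-cli-scanner");
            logger.logInfo("Starting scan");
            try {
                SysdigIaCScanningProcessBuilder command = buildCommand(runContext, scannerBinary.getRemote());
                // NOTE(review): confirm toCommandLineArguments() never includes the API token;
                // otherwise this debug line would write the secret to the build log.
                logger.logDebug("Command to execute: " + String.join(" ", command.toCommandLineArguments()));
                int exitStatus = command.launchAndWait(runContext.getLauncher());
                logger.logInfo(String.format("Process finished with status %d", exitStatus));
                switch (exitStatus) {
                    case 0:
                        run.setResult(Result.SUCCESS);
                        break;
                    case 1:
                        throw new FailedCLIScan("Scan failed");
                    case 2:
                        throw new BadParamCLIScan("Scan failed");
                    case 3:
                        throw new FailedCLIScan("Unable to complete scan, check if your token is valid");
                    default:
                        logger.logError("Unknown error");
                        run.setResult(Result.FAILURE);
                        break;
                }
            } catch (BadParamCLIScan e) {
                logger.logError(String.format("IaC scan failed due to missing parameters: %s", e.getMessage()));
                run.setResult(Result.FAILURE);
            } catch (FailedCLIScan e2) {
                // This handler also receives the status-3 case, although the text says "status 1".
                logger.logError(String.format("IaC scan failed (status 1): %s", e2.getMessage()));
                run.setResult(Result.FAILURE);
            } catch (Exception e3) {
                logger.logError(String.format("Failed processing output: %s", e3.getMessage()), e3);
                run.setResult(Result.FAILURE);
            }
            logger.logInfo("Process completed");
        } catch (Exception e4) {
            // Reached for download errors and for a version string rejected by the URL builder.
            logger.logError(String.format("Failed to download CLI version: %s", getVersion()), e4);
            run.setResult(Result.FAILURE);
        }
    }

    /**
     * Builds the download URL of the scanner binary for a version.
     *
     * <p>"latest" (case-insensitive, surrounding whitespace ignored) resolves to the pinned
     * {@link #FIXED_SCANNED_VERSION}. Any other value must match {@link #VERSION_REGEX}, because it
     * is placed into the URL path of a binary that is later executed.
     *
     * @param str configured version
     * @return URL below {@code https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/}
     * @throws MalformedURLException if the version is null or contains unsupported characters
     */
    private static URL sysdigCLIScannerURLForVersion(String str) throws MalformedURLException {
        if (str == null) {
            throw new MalformedURLException("CLI version must not be null");
        }
        String requested = str.trim();
        if (requested.equalsIgnoreCase(DescriptorImpl.DEFAULT_CLI_VERSION)) {
            requested = FIXED_SCANNED_VERSION;
        }
        if (!requested.matches(VERSION_REGEX)) {
            throw new MalformedURLException("CLI version contains unsupported characters");
        }
        // NOTE(review): os.name and os.arch describe the JVM executing this method; if the scanner
        // is launched on an agent with a different platform, the wrong binary is selected — confirm.
        String os = System.getProperty("os.name").toLowerCase().startsWith("mac") ? "darwin" : "linux";
        String arch = System.getProperty("os.arch").toLowerCase().startsWith("aarch64") ? "arm64" : "amd64";
        return new URL(String.format("https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/%s/%s/%s/sysdig-cli-scanner", requested, os, arch));
    }
}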
