package io.jenkins.plugins.google.analyze.code.security.accessor;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.annotations.VisibleForTesting;
import hudson.model.BuildListener;
import hudson.util.Secret;
import io.jenkins.plugins.google.analyze.code.security.client.HttpClient;
import io.jenkins.plugins.google.analyze.code.security.client.OAuthClient;
import io.jenkins.plugins.google.analyze.code.security.commons.Config;
import io.jenkins.plugins.google.analyze.code.security.commons.CustomerMessage;
import io.jenkins.plugins.google.analyze.code.security.commons.ReportConstants;
import io.jenkins.plugins.google.analyze.code.security.exception.IACValidationException;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.ValidateIACParams;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.request.IAC;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.request.Request;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.response.Error;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.response.IaCValidationReport;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.response.Response;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.response.Severity;
import io.jenkins.plugins.google.analyze.code.security.model.IACValidationService.response.Violation;
import io.jenkins.plugins.google.analyze.code.security.utils.LogUtils;
import io.jenkins.plugins.google.analyze.code.security.utils.ValidationUtils;
import java.io.IOException;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import lombok.NonNull;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.springframework.security.access.AccessDeniedException;

/* loaded from: input_file:io/jenkins/plugins/google/analyze/code/security/accessor/IACValidationService.class */
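/**
 * Client for the Security Posture IaC validation API.
 *
 * <p>The flow is: validate the inputs locally, POST the scan file to the
 * {@code createIaCValidationReport} endpoint, then poll the returned operation until it
 * reports completion, the plugin deadline is reached, or the retry handler refuses
 * another attempt.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The service-account credential is handled as a plaintext JSON string. It is
 *       passed only to {@code OAuthClient.generateAccessToken} and to local JSON
 *       validation, and must never be written to the build log or into an exception
 *       message.</li>
 *   <li>Error bodies returned by the remote service are copied into exception messages,
 *       and polling errors are printed to the build log.</li>
 * </ul>
 */
public class IACValidationService {
    private static final String VALIDATE_ENDPOINT_DOMAIN = "https://securityposture.googleapis.com/v1alpha";
    private static final String VALIDATE_ENDPOINT_PATH = "/organizations/{ORG_ID}/locations/global/reports:createIaCValidationReport";
    private static final String VALIDATE_URL = VALIDATE_ENDPOINT_DOMAIN + VALIDATE_ENDPOINT_PATH;
    private static final String ORG_ID_PLACEHOLDER = "{ORG_ID}";
    private static final String GCP_AUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
    private static final ObjectMapper mapper = getObjectMapper();
    private static IACValidationService instance;
    private final HttpClient httpClient;
    private final OAuthClient oAuthClient;

    /**
     * Returns the shared instance, creating it on first use.
     *
     * <p>The lazy initialisation is not synchronized, so concurrent first calls may each
     * construct an instance. The service holds no state beyond its two collaborators.
     *
     * @return the process-wide service instance
     */
    public static IACValidationService getInstance() {
        if (instance == null) {
            instance = new IACValidationService(HttpClient.getInstance(), OAuthClient.getInstance());
        }
        return instance;
    }

    /**
     * Creates a service with explicit collaborators; exposed so tests can inject doubles.
     *
     * @param httpClient factory for HTTP clients and requests
     * @param oAuthClient source of OAuth access tokens
     */
    @VisibleForTesting
    public IACValidationService(HttpClient httpClient, OAuthClient oAuthClient) {
        this.httpClient = httpClient;
        this.oAuthClient = oAuthClient;
    }

    /**
     * Submits the scan file for validation and returns the reported violations.
     *
     * <p>Input validation runs before the request is built, so an
     * {@link IllegalArgumentException} raised by it propagates to the caller unwrapped.
     *
     * @param validateIACParams scan file, organization ID, credentials, listener and timing
     * @return the violations from the completed report; empty when the report has none
     * @throws NullPointerException if {@code validateIACParams} is null
     * @throws IllegalArgumentException if the file, organization ID or credential is invalid
     * @throws IACValidationException for any failure while calling or polling the service
     */
    public List<Violation> validateIAC(@NonNull ValidateIACParams validateIACParams) {
        if (validateIACParams == null) {
            throw new NullPointerException("validateIACParams is marked non-null but is null");
        }
        PrintStream logger = validateIACParams.getListener().getLogger();
        logger.print(LogUtils.info("Invoking IAC Validating Service for validating  Scan file"));
        // Plaintext service-account JSON: keep it out of log lines and exception text.
        String credentialJson = validateIACParams.getCredentials().getPlainText();
        validateIACValidationRequest(validateIACParams.getFile(), validateIACParams.getOrgID(), credentialJson);
        String validateUrl = StringUtils.replace(VALIDATE_URL, ORG_ID_PLACEHOLDER, validateIACParams.getOrgID());
        // try-with-resources closes the client on every path, including failures.
        try (CloseableHttpClient client = this.httpClient.getHttpClientBuilder(3).build()) {
            String payload = mapper.writeValueAsString(buildRequest(validateIACParams.getFile(), validateIACParams.getOrgID()));
            HttpPost request = this.httpClient.buildPOSTRequest(validateUrl, payload, this.oAuthClient.generateAccessToken(credentialJson, Collections.singleton(GCP_AUTH_SCOPE)));
            logger.printf(LogUtils.info("Requesting Validation Service Polling Endpoint from : %s"), validateUrl);
            String body = client.execute(request, this::handleIACValidationResponse);
            Response response = mapper.readValue(body, Response.class);
            if (response == null || StringUtils.isBlank(response.getName())) {
                throw new IACValidationException(500, "[Internal Error] Received Invalid Response while requesting Validation Service Polling Endpoint");
            }
            logger.print(LogUtils.info("Received Validation Service Polling Endpoint"));
            // The operation name comes from the service response. It is appended after the
            // fixed origin and "/v1alpha/" prefix, so the host that receives the bearer
            // token stays fixed; the path itself is not validated here.
            String pollUrl = VALIDATE_ENDPOINT_DOMAIN + "/" + response.getName();
            return pollValidateEndpoint(pollUrl, validateIACParams.getRequestReceiveInstant(), validateIACParams.getPluginTimeoutInMS(), validateIACParams.getListener(), credentialJson);
        } catch (Exception e) {
            // Map the failure to a status code: keep the service's own code, report
            // argument errors as 400, and everything else as 500.
            Integer statusCode = 500;
            if (e instanceof IACValidationException) {
                statusCode = ((IACValidationException) e).getStatusCode();
            }
            if (e instanceof IllegalArgumentException) {
                statusCode = 400;
            }
            throw new IACValidationException(statusCode, String.format(CustomerMessage.IAC_VALIDATION_EXCEPTION_MSG, e.getMessage()), e);
        }
    }

    /**
     * Checks that the credential is accepted by the service for the given organization by
     * submitting a placeholder scan file.
     *
     * <p>Only an HTTP 403 is reported as a failure; see
     * {@link #handleCredentialValidationResponse(HttpResponse)}.
     *
     * @param str organization ID to validate against
     * @param secret service-account credential JSON
     * @throws IllegalArgumentException if the organization ID or credential fails local validation
     * @throws AccessDeniedException if the service answers with HTTP 403
     * @throws IOException if the request cannot be serialised or sent
     */
    public void validateCredentials(String str, Secret secret) throws IOException {
        byte[] bytes = ReportConstants.DUMMY_INVALID_IAC_FILE.getBytes(StandardCharsets.UTF_8);
        validateIACValidationRequest(bytes, str, secret.getPlainText());
        Request buildRequest = buildRequest(bytes, str);
        String replace = StringUtils.replace(VALIDATE_URL, ORG_ID_PLACEHOLDER, buildRequest.getParent());
        try (CloseableHttpClient client = this.httpClient.getHttpClientBuilder(1).build()) {
            client.execute(this.httpClient.buildPOSTRequest(replace, mapper.writeValueAsString(buildRequest), this.oAuthClient.generateAccessToken(secret.getPlainText(), Collections.singleton(GCP_AUTH_SCOPE))), this::handleCredentialValidationResponse);
        }
    }

    /**
     * Polls the operation URL until the report is done, the deadline is too close, or the
     * retry handler declines another attempt, then validates and returns the violations.
     *
     * <p>Errors during a single poll are logged to the build log and retried; they do not
     * abort the loop.
     *
     * @param pollUrl operation URL to poll
     * @param requestReceiveInstant when the build step started; the deadline is measured from it
     * @param pluginTimeoutInMS overall time budget in milliseconds
     * @param listener build listener whose logger receives progress and error lines
     * @param credentials plaintext service-account JSON used to mint access tokens
     * @return the violations from the completed report; empty when the report has none
     * @throws NullPointerException if any {@code @NonNull} argument is null
     * @throws IACValidationException if no completed, well-formed report was obtained
     */
    private List<Violation> pollValidateEndpoint(String pollUrl, @NonNull Instant requestReceiveInstant, @NonNull Integer pluginTimeoutInMS, @NonNull BuildListener listener, @NonNull String credentials) {
        if (requestReceiveInstant == null) {
            throw new NullPointerException("requestReceiveInstant is marked non-null but is null");
        }
        if (pluginTimeoutInMS == null) {
            throw new NullPointerException("pluginTimeoutInMS is marked non-null but is null");
        }
        if (listener == null) {
            throw new NullPointerException("listener is marked non-null but is null");
        }
        if (credentials == null) {
            throw new NullPointerException("credentials is marked non-null but is null");
        }
        Response response = null;
        int attempt = 0;
        // NOTE(review): retryRequestWithDelay presumably waits with exponential backoff and
        // returns whether another attempt is allowed — confirm against the handler.
        ExponentialBackoffRetryHandler retryHandler = ExponentialBackoffRetryHandler.getDefault(Config.VALIDATE_ENDPOINT_POLL_MAX_ATTEMPT.intValue());
        Instant deadline = requestReceiveInstant.plusMillis(pluginTimeoutInMS.intValue());
        // Stop early enough to leave the configured buffer before the deadline.
        while (deadline.compareTo(Instant.now().plusMillis(Config.POLL_ATTEMPT_BUFFER_TIME_MILLIS.intValue())) > 0) {
            try (CloseableHttpClient client = this.httpClient.getHttpClientBuilder(1).build()) {
                // A fresh access token is requested for every poll attempt.
                HttpGet request = this.httpClient.buildGETRequest(pollUrl, this.oAuthClient.generateAccessToken(credentials, Collections.singleton(GCP_AUTH_SCOPE)));
                listener.getLogger().printf(LogUtils.info("Polling Validation Service Endpoint, Attempt Count : [%s]"), attempt);
                String body = client.execute(request, this::handleIACValidationResponse);
                response = mapper.readValue(body, Response.class);
                listener.getLogger().print(LogUtils.info("Received Response from Validation Service Endpoint"));
                if (response != null && Boolean.TRUE.equals(response.getDone())) {
                    // The report is complete: stop polling instead of looping until the deadline.
                    break;
                }
            } catch (Exception e) {
                // The exception text may include the remote error body; it goes to the build log.
                listener.getLogger().printf(LogUtils.error("Received Error while polling Validation Service Endpoint : [%s]"), e);
            }
            attempt++;
            if (!retryHandler.retryRequestWithDelay(attempt)) {
                break;
            }
        }
        validatePollResponse(response);
        return processResponse(getViolations(response));
    }

    /**
     * Rejects a poll result that is missing, incomplete, an error, or that carries
     * violations without a policy ID or asset ID.
     *
     * @param response last response received while polling; may be null
     * @throws IACValidationException if the response fails any of these checks
     */
    private void validatePollResponse(Response response) {
        if (response == null || !Boolean.TRUE.equals(response.getDone())) {
            throw new IACValidationException(500, "[Internal Error]  Polling Validation Service Endpoint Timed Out");
        }
        if (response.getError() != null) {
            throw new IACValidationException(response.getError().getCode(), String.format("Validation Service Endpoint Returned Error Response with following error : [%s]", response.getError().getMessage()));
        }
        List<Violation> violations = getViolations(response);
        if (violations == null) {
            return;
        }
        for (Violation violation : violations) {
            if (violation.getPolicyId() == null || violation.getAssetId() == null) {
                throw new IACValidationException(500, String.format("[Internal Error] Validation Service Endpoint Returned Invalid violations with one or more missing key Attributes, policyID : [%s], assetId : [%s]", violation.getPolicyId(), violation.getAssetId()));
            }
        }
    }

    /**
     * Extracts the violation list from a completed response.
     *
     * @param response completed poll response
     * @return the violations of the validation report; may be null
     * @throws IACValidationException if the result or its validation report is missing
     */
    private List<Violation> getViolations(Response response) {
        if (response.getResult() == null) {
            throw new IACValidationException(500, "[Internal Error] Validation Polling Endpoint Returned Null Response");
        }
        IaCValidationReport validationReport = response.getResult().getValidationReport();
        if (validationReport == null) {
            throw new IACValidationException(500, "[Internal Error] Validation Endpoint Returned Response with Invalid validationReport");
        }
        return validationReport.getViolations();
    }

    /**
     * Validates the scan file, the organization ID and the credential JSON before any
     * network call is made.
     *
     * @param scanFile scan file bytes
     * @param orgId organization ID
     * @param credentialJson plaintext service-account JSON
     * @throws IllegalArgumentException if any input is invalid
     */
    private void validateIACValidationRequest(byte[] scanFile, String orgId, String credentialJson) {
        validateScanFile(scanFile);
        if (!ValidationUtils.isValidOrgId(orgId)) {
            throw new IllegalArgumentException(String.format(CustomerMessage.INVALID_REQUEST, CustomerMessage.INVALID_ORG_ID));
        }
        if (!ValidationUtils.isValidJSON(credentialJson)) {
            // The message is formatted with the organization ID, never with the credential.
            throw new IllegalArgumentException(String.format(CustomerMessage.INVALID_REQUEST, String.format(CustomerMessage.INVALID_SCC_CREDENTIAL, orgId)));
        }
    }

    /**
     * Builds the request payload for the validation endpoint.
     *
     * @param scanFile scan file bytes
     * @param parent value stored as the request's parent
     * @return the request payload
     */
    private Request buildRequest(byte[] scanFile, String parent) {
        return Request.builder().parent(parent).iac(IAC.builder().file(scanFile).build()).build();
    }

    /**
     * Normalises the violation list: a null list becomes an empty one and a missing
     * severity becomes {@code SEVERITY_UNSPECIFIED}. The given list is updated in place.
     *
     * @param violations violations from the report; may be null
     * @return the same list, or a new empty list when {@code violations} is null
     */
    private List<Violation> processResponse(List<Violation> violations) {
        if (violations == null) {
            return new ArrayList<>();
        }
        for (Violation violation : violations) {
            if (violation.getSeverity() == null) {
                violation.setSeverity(Severity.SEVERITY_UNSPECIFIED);
            }
        }
        return violations;
    }

    /**
     * Checks the scan file against the configured size limit and for well-formed JSON.
     *
     * @param scanFile scan file bytes
     * @throws IllegalArgumentException if the file is too large or malformed
     */
    private void validateScanFile(byte[] scanFile) {
        if (scanFile.length > Config.SCAN_FILE_MAX_SIZE_BYTES.intValue()) {
            throw new IllegalArgumentException(String.format(CustomerMessage.INVALID_REQUEST, String.format(CustomerMessage.INVALID_SCAN_FILE_SIZE, Integer.valueOf(scanFile.length), Config.SCAN_FILE_MAX_SIZE_BYTES)));
        }
        if (!ValidationUtils.isValidJSONFile(scanFile)) {
            throw new IllegalArgumentException(String.format(CustomerMessage.INVALID_REQUEST, CustomerMessage.MALFORMED_SCAN_FILE));
        }
    }

    /**
     * Creates the shared JSON mapper: unknown properties are ignored and a single value
     * is accepted where an array is expected.
     *
     * @return the configured mapper
     */
    private static ObjectMapper getObjectMapper() {
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        objectMapper.enable(DeserializationFeature.ACCEPT_SINGLE_VALUE_AS_ARRAY);
        return objectMapper;
    }

    /**
     * Response handler for the credential check.
     *
     * <p>NOTE(review): only HTTP 403 is treated as a failure. Every other status,
     * including other 4xx and 5xx answers, is reported as a successful validation.
     * Presumably this is because the placeholder scan file is expected to be rejected
     * for reasons unrelated to access — confirm that 401 and 5xx should also count as
     * success.
     *
     * @param httpResponse response to the placeholder validation request
     * @return a fixed success message
     * @throws AccessDeniedException if the status code is 403
     */
    private String handleCredentialValidationResponse(HttpResponse httpResponse) {
        StatusLine statusLine = httpResponse.getStatusLine();
        HttpEntity entity = httpResponse.getEntity();
        if (statusLine.getStatusCode() == 403) {
            throw new AccessDeniedException(String.format("Received Access Denied Exception with status Code : %s & Reason : %s", Integer.valueOf(statusLine.getStatusCode()), getErrorMessage(entity, statusLine.getReasonPhrase())));
        }
        return "SuccessFully Validated Credentials";
    }

    /**
     * Response handler for validation and poll requests.
     *
     * <p>For a non-200 answer the whole response body, when present, becomes the
     * exception message.
     *
     * @param httpResponse response from the validation service
     * @return the response body of a 200 answer
     * @throws ClientProtocolException if a 200 answer has no body
     * @throws IACValidationException for any status other than 200
     * @throws IOException if the body cannot be read
     */
    private String handleIACValidationResponse(HttpResponse httpResponse) throws IOException {
        StatusLine statusLine = httpResponse.getStatusLine();
        HttpEntity entity = httpResponse.getEntity();
        if (statusLine.getStatusCode() == 200) {
            if (entity == null) {
                throw new ClientProtocolException("Response contains no content");
            }
            return EntityUtils.toString(entity);
        }
        String reasonPhrase = statusLine.getReasonPhrase();
        if (entity != null) {
            reasonPhrase = EntityUtils.toString(entity);
        }
        throw new IACValidationException(Integer.valueOf(statusLine.getStatusCode()), reasonPhrase);
    }

    /**
     * Builds a readable error message from an error response body.
     *
     * @param httpEntity response body; may be null
     * @param fallback message to use when the body is absent, unparsable or has no error
     * @return the parsed status and message, or {@code fallback}
     */
    private String getErrorMessage(HttpEntity httpEntity, String fallback) {
        if (httpEntity == null) {
            return fallback;
        }
        try {
            Error error = mapper.readValue(EntityUtils.toString(httpEntity), Response.class).getError();
            return error == null ? fallback : String.format("status: [%s], message : [%s]", error.getCode(), error.getMessage());
        } catch (Exception ignored) {
            // Best effort: an unreadable or unparsable body falls back to the reason phrase.
            return fallback;
        }
    }
}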
