package io.jenkins.plugins.intotorecorder;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Item;
import hudson.remoting.VirtualChannel;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import io.github.in_toto.keys.Key;
import io.github.in_toto.keys.RSAKey;
import io.github.in_toto.models.Artifact;
import io.github.in_toto.models.Link;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import jenkins.MasterToSlaveFileCallable;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

/* loaded from: input_file:io/jenkins/plugins/intotorecorder/InTotoRecorder.class */
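/**
 * Jenkins recorder that produces an in-toto link for a build step.
 *
 * <p>{@link #prebuild} hashes the workspace contents as the link's materials, {@link #perform}
 * hashes them again as the products, signs the link when a key is configured and writes it to
 * {@code <workspace>/<stepName>.xxxx.link}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The signing key is held in a {@code transient} field and reloaded on demand. Jenkins
 *       persists a recorder's non-transient fields with the job configuration, so a
 *       non-transient {@code Key} would be written to disk next to the job definition.</li>
 *   <li>{@code keyPath} is resolved with {@link File} in the JVM that constructs this object;
 *       prefer {@code credentialId} so the key stays in the credentials store.</li>
 *   <li>NOTE(review): {@code link} and {@code cwd} are written in {@code prebuild} and read in
 *       {@code perform} on the same instance. If one instance serves overlapping builds they
 *       would race - confirm against how the job is scheduled.</li>
 *   <li>NOTE(review): parameter names such as {@code str}/{@code str2} are decompiler
 *       placeholders. Stapler binds {@code @DataBoundConstructor} and {@code @QueryParameter}
 *       arguments by name, so the original names must be restored before this is rebuilt.</li>
 * </ul>
 */
public class InTotoRecorder extends Recorder {
    private String keyPath;
    private String credentialId;
    private String stepName;
    private String transport;

    // Per-build working state; never part of the saved job configuration.
    private transient Link link;
    // Signing key; transient so key material is not serialized with the job configuration.
    private transient Key key;
    private transient FilePath cwd;

    /**
     * Callable that walks a directory tree and hashes every regular file it finds.
     *
     * <p>The decompiler had widened this class to {@code public} and renamed {@code invoke};
     * both are restored here, as its own annotations state.
     *
     * <p>NOTE(review): {@link File#isFile()} and {@link File#isDirectory()} follow symbolic
     * links, so links planted in the workspace by a build are traversed and their targets are
     * hashed. Confirm that this is the intended recording policy.
     */
    private static final class ArtifactCollector extends MasterToSlaveFileCallable<HashMap<String, Artifact.ArtifactHash>> {
        private static final long serialVersionUID = 1;

        private ArtifactCollector() {
        }

        /**
         * Collects the hashes of all files below {@code file}.
         *
         * @param file root of the tree to record
         * @param virtualChannel unused
         * @return map from artifact URI to its hashes
         */
        public HashMap<String, Artifact.ArtifactHash> invoke(File file, VirtualChannel virtualChannel) {
            HashMap<String, Artifact.ArtifactHash> hashMap = new HashMap<>();
            recurseAndCollect(file, hashMap);
            return hashMap;
        }

        /** Depth-first walk; unreadable directories ({@code listFiles() == null}) are skipped. */
        private static void recurseAndCollect(File file, HashMap<String, Artifact.ArtifactHash> hashMap) {
            if (!file.exists()) {
                return;
            }
            if (file.isFile()) {
                Artifact artifact = new Artifact(file.toString());
                hashMap.put(artifact.getURI(), artifact.getArtifactHashes());
                return;
            }
            if (file.isDirectory()) {
                File[] children = file.listFiles();
                if (children == null) {
                    return;
                }
                for (File child : children) {
                    recurseAndCollect(child, hashMap);
                }
            }
        }
    }

    /** Descriptor backing the job configuration form. */
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        public String getDisplayName() {
            return "in-toto provenance plugin";
        }

        /**
         * Fills the credential drop-down.
         *
         * <p>Callers without ADMINISTER (no item context) or without EXTENDED_READ / USE_ITEM on
         * the item only get the currently stored value back, so the list cannot be used to
         * enumerate credential ids.
         *
         * <p>NOTE(review): the list is built as {@code ACL.SYSTEM} against the Jenkins root, not
         * against {@code item}. That matches {@code getCredentials()}, which resolves ids the
         * same way; if one is changed to an item-scoped lookup the other must follow.
         */
        public ListBoxModel doFillCredentialIdItems(@AncestorInPath Item item, @QueryParameter String str) {
            StandardListBoxModel standardListBoxModel = new StandardListBoxModel();
            if (item == null) {
                if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
                    return standardListBoxModel.includeCurrentValue(str);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ) && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return standardListBoxModel.includeCurrentValue(str);
            }
            return standardListBoxModel.includeEmptyValue().includeAs(ACL.SYSTEM, Jenkins.getInstance(), FileCredentials.class).includeCurrentValue(str);
        }

        /**
         * Form validation hook for the credential id.
         *
         * <p>No validation is performed: every path answers {@code ok()}. The permission guard
         * is kept so that a future existence check does not leak ids to unprivileged callers.
         */
        public FormValidation doCheckCredentialId(@AncestorInPath Item item, @QueryParameter String str) {
            if (item == null) {
                if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
                    return FormValidation.ok();
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ) && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return FormValidation.ok();
            }
            // The original branched on StringUtils.isBlank(str) but returned ok() either way.
            return FormValidation.ok();
        }
    }

    /**
     * Creates the recorder and loads the signing key eagerly, so that an unreadable credential
     * or a missing key file fails at construction time.
     *
     * @param str credential id of a file credential holding the PEM key; takes precedence
     * @param str2 path of a key file, used only when no credential id is given
     * @param str3 in-toto step name; defaults to {@code "step"} when empty
     * @param str4 transport; only logged by this class
     * @throws RuntimeException if the configured key cannot be read
     */
    @DataBoundConstructor
    public InTotoRecorder(String str, String str2, String str3, String str4) {
        this.stepName = isSet(str3) ? str3 : "step";
        this.credentialId = str;
        this.keyPath = str2;
        this.transport = str4;
        loadConfiguredKey();
    }

    private static boolean isSet(String value) {
        return value != null && value.length() != 0;
    }

    /**
     * Records the workspace state before the build as the link's materials.
     *
     * @throws RuntimeException if the build has no workspace
     */
    public boolean prebuild(AbstractBuild<?, ?> abstractBuild, BuildListener buildListener) {
        this.cwd = abstractBuild.getWorkspace();
        if (this.cwd == null) {
            throw new RuntimeException("[in-toto] Cannot get the build workspace");
        }
        buildListener.getLogger().println("[in-toto] Recording state before build " + this.cwd.toString());
        buildListener.getLogger().println("[in-toto] using step name: " + this.stepName);
        // The casts only select the Link constructor overload; every argument is null.
        this.link = new Link((HashMap) null, (HashMap) null, this.stepName, (HashMap) null, (ArrayList) null, (HashMap) null);
        this.link.setMaterials(collectArtifacts(this.cwd));
        return true;
    }

    /**
     * Records the workspace state after the build as the link's products, signs the link when a
     * key is configured and writes it out. An unsigned link is still written when no key is
     * configured; only a warning is logged.
     */
    public boolean perform(AbstractBuild<?, ?> abstractBuild, Launcher launcher, BuildListener buildListener) {
        if (this.link == null || this.cwd == null) {
            throw new RuntimeException("[in-toto] prebuild did not run; there is no link to complete");
        }
        this.link.setProducts(collectArtifacts(this.cwd));
        if (isSet(this.credentialId)) {
            Key signingKey = requireKey();
            buildListener.getLogger().println("[in-toto] Signing with credentials '" + this.credentialId + "'  and keyid: " + signingKey.computeKeyId());
            signLink();
        } else if (isSet(this.keyPath)) {
            Key signingKey = requireKey();
            buildListener.getLogger().println("[in-toto] Signing with keyPath '" + this.keyPath + "'  and keyid: " + signingKey.computeKeyId());
            signLink();
        } else {
            buildListener.getLogger().println("[in-toto] Warning! no key specified. Not signing...");
        }
        if (isSet(this.transport)) {
            buildListener.getLogger().println("[in-toto] Dumping metadata to: " + this.transport);
        } else {
            buildListener.getLogger().println("[in-toto] No transport specified (or transport not supported) Dumping metadata to local directory");
        }
        dumpLink();
        return true;
    }

    /**
     * Writes the link next to the workspace contents.
     *
     * <p>The step name comes from the job configuration and is concatenated into a file path,
     * so names containing a path separator are rejected instead of being written outside the
     * workspace directory.
     */
    private void dumpLink() {
        if (this.stepName != null && (this.stepName.indexOf('/') >= 0 || this.stepName.indexOf('\\') >= 0)) {
            throw new RuntimeException("[in-toto] step name '" + this.stepName + "' must not contain path separators");
        }
        // NOTE(review): the path is the workspace's remote path as a string; if Link.dump writes
        // with local file APIs this only lands in the workspace when it is local - confirm.
        this.link.dump(this.cwd.toString() + "/" + this.stepName + ".xxxx.link");
    }

    private void signLink() {
        this.link.sign(this.key);
    }

    /**
     * Returns the signing key, loading it first when the transient field is empty (for example
     * after the recorder was restored from a saved job configuration).
     */
    private Key requireKey() {
        if (this.key == null) {
            loadConfiguredKey();
        }
        if (this.key == null) {
            throw new RuntimeException("[in-toto] signing key could not be loaded");
        }
        return this.key;
    }

    /** Loads the key from the credential if one is configured, otherwise from {@code keyPath}. */
    private void loadConfiguredKey() {
        if (isSet(this.credentialId)) {
            // try-with-resources closes the credential stream even when parsing fails.
            try (Reader reader = new InputStreamReader(getCredentials().getContent(), java.nio.charset.StandardCharsets.UTF_8)) {
                loadKey(reader);
            } catch (IOException e) {
                throw new RuntimeException("credentialId '" + this.credentialId + "' can't be read. ", e);
            }
        } else if (isSet(this.keyPath)) {
            loadKey(this.keyPath);
        }
    }

    private void loadKey(Reader reader) {
        this.key = RSAKey.readPemBuffer(reader);
    }

    private void loadKey(String str) {
        if (!new File(str).exists()) {
            throw new RuntimeException("this Signing keypath (" + str + ")does not exist!");
        }
        this.key = RSAKey.read(str);
    }

    public String getCredentialId() {
        return this.credentialId;
    }

    public String getKeyPath() {
        return this.keyPath;
    }

    public String getStepName() {
        return this.stepName;
    }

    public String getTransport() {
        return this.transport;
    }

    /**
     * Resolves {@code credentialId} to a file credential.
     *
     * <p>The lookup runs as {@code ACL.SYSTEM} against the Jenkins root with no domain
     * requirements, so it is not limited by the permissions of whoever configured the job.
     *
     * @throws RuntimeException if no file credential has that id
     */
    protected final FileCredentials getCredentials() throws IOException {
        FileCredentials match = CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(FileCredentials.class, Jenkins.getInstance(), ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(this.credentialId));
        if (match == null) {
            throw new RuntimeException(" Could not find credentials entry with ID '" + this.credentialId + "' ");
        }
        return match;
    }

    /** Covariant override; the decompiler had renamed it to {@code m1getDescriptor}. */
    public DescriptorImpl getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /**
     * Runs {@link ArtifactCollector} against {@code filePath}.
     *
     * @throws RuntimeException wrapping the I/O failure or interruption, with the cause attached
     */
    private HashMap<String, Artifact.ArtifactHash> collectArtifacts(FilePath filePath) {
        try {
            return filePath.act(new ArtifactCollector());
        } catch (IOException e) {
            throw new RuntimeException(e.toString(), e);
        } catch (InterruptedException e) {
            // Restore the flag so the executor can still observe the build being aborted.
            Thread.currentThread().interrupt();
            throw new RuntimeException(e.toString(), e);
        }
    }

    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }
}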
