package io.jenkins.plugins.secone.security;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
import hudson.AbortException;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.Util;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.model.BuildListener;
import hudson.model.Cause;
import hudson.model.Item;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.plugins.git.GitSCM;
import hudson.plugins.git.UserRemoteConfig;
import hudson.plugins.git.util.BuildData;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ListBoxModel;
import io.jenkins.plugins.secone.security.pojo.Threshold;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.inject.Inject;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.json.JSONObject;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:WEB-INF/lib/secone-security.jar:io/jenkins/plugins/secone/security/SecOneScannerPlugin.class */
public class SecOneScannerPlugin extends Builder implements SimpleBuildStep {
    private static final Logger logger = LoggerFactory.getLogger(SecOneScannerPlugin.class);
    private static final String API_CONTEXT = "/rest/foss";
    private static final String SCAN_API = "/scan";
    private static final String INSTANCE_URL = "SEC1_API_ENDPOINT";
    private static final String API_KEY = "SEC1_API_KEY";
    private static final String API_KEY_HEADER = "sec1-api-key";
    private String scmUrl;
    private String scm;
    private String credentialsId;
    private boolean applyThreshold;
    private String actionOnThresholdBreached;
    private String instanceUrl;
    private Threshold threshold;

    @Extension
    @Symbol({"sec1Security"})
    /* loaded from: input_file:WEB-INF/lib/secone-security.jar:io/jenkins/plugins/secone/security/SecOneScannerPlugin$DescriptorImpl.class */
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Inject
        private UserRemoteConfig.DescriptorImpl delegate;

        @DataBoundConstructor
        public DescriptorImpl() {
            super(SecOneScannerPlugin.class);
        }

        @POST
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String str, @QueryParameter String str2) {
            return (item == null || item.hasPermission(Item.CONFIGURE)) ? this.delegate.doFillCredentialsIdItems(item, str, str2) : new ListBoxModel();
        }

        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        public String getDisplayName() {
            return "Execute Sec1 Security Scanner";
        }
    }

    @DataBoundConstructor
    public SecOneScannerPlugin(String str, String str2) {
        this.scmUrl = str;
        this.scm = str2;
    }

    public String getScmUrl() {
        return this.scmUrl;
    }

    public String getScm() {
        return this.scm;
    }

    public String getCredentialsId() {
        return this.credentialsId;
    }

    @DataBoundSetter
    public void setCredentialsId(String str) {
        this.credentialsId = Util.fixEmpty(str);
    }

    public boolean isApplyThreshold() {
        return this.applyThreshold;
    }

    @DataBoundSetter
    public void setApplyThreshold(boolean z) {
        this.applyThreshold = z;
    }

    public Threshold getThreshold() {
        return this.threshold;
    }

    @DataBoundSetter
    public void setThreshold(Threshold threshold) {
        this.threshold = threshold;
    }

    public String getActionOnThresholdBreached() {
        return this.actionOnThresholdBreached;
    }

    @DataBoundSetter
    public void setActionOnThresholdBreached(String str) {
        this.actionOnThresholdBreached = str;
    }

    public boolean perform(AbstractBuild<?, ?> abstractBuild, Launcher launcher, BuildListener buildListener) throws IOException, InterruptedException {
        printStartMessage(buildListener);
        String instanceUrl = getInstanceUrl(abstractBuild.getEnvironment(buildListener), buildListener);
        String apiKey = getApiKey(abstractBuild, buildListener);
        if (this.threshold != null) {
            this.applyThreshold = true;
        }
        if (performScan(abstractBuild.getAllActions(), abstractBuild.getCauses(), abstractBuild.getProject(), buildListener, instanceUrl, apiKey, this.applyThreshold) != 0) {
            abstractBuild.setResult(Result.UNSTABLE);
        }
        printEndMessage(buildListener);
        return true;
    }

    private void printStartMessage(TaskListener taskListener) {
        taskListener.getLogger().println("**************Sec1 Security scan start**************");
    }

    private void printEndMessage(TaskListener taskListener) {
        taskListener.getLogger().println("**************Sec1 Security scan end**************");
    }

    private String getInstanceUrl(EnvVars envVars, TaskListener taskListener) {
        String str = (String) envVars.get(INSTANCE_URL);
        if (StringUtils.isNotBlank(str)) {
            taskListener.getLogger().println("SEC1_INSTANCE_URL : " + str);
            return str;
        }
        taskListener.getLogger().println("No environment variable SEC1_INSTANCE_URL set. Using default : https://api.sec1.io");
        return "https://api.sec1.io";
    }

    public void perform(Run<?, ?> run, FilePath filePath, EnvVars envVars, Launcher launcher, TaskListener taskListener) throws InterruptedException, IOException {
        printStartMessage(taskListener);
        String instanceUrl = getInstanceUrl(envVars, taskListener);
        String apiKey = getApiKey(run, taskListener);
        if (StringUtils.isBlank(this.actionOnThresholdBreached)) {
            taskListener.getLogger().println("actionOnThresholdBreached is not set. Default action is fail.");
        } else if ((StringUtils.equalsIgnoreCase(this.actionOnThresholdBreached, "fail") || StringUtils.equalsIgnoreCase(this.actionOnThresholdBreached, "unstable") || StringUtils.equalsIgnoreCase(this.actionOnThresholdBreached, "continue")) && this.threshold != null) {
            getThreshold().setStatusAction(this.actionOnThresholdBreached);
        }
        if (performScan(run.getAllActions(), run.getCauses(), null, taskListener, instanceUrl, apiKey, this.applyThreshold) != 0) {
            run.setResult(Result.UNSTABLE);
        }
        printEndMessage(taskListener);
    }

    private String getApiKey(Run<?, ?> run, TaskListener taskListener) {
        StringCredentials findCredentialById = CredentialsProvider.findCredentialById(API_KEY, StringCredentials.class, run, Collections.emptyList());
        if (findCredentialById != null) {
            return findCredentialById.getSecret().getPlainText();
        }
        return null;
    }

    public boolean requiresWorkspace() {
        return true;
    }

    private int performScan(List<? extends Action> list, List<Cause> list2, AbstractProject<?, ?> abstractProject, TaskListener taskListener, String str, String str2, boolean z) throws AbortException {
        String str3 = StringUtils.isBlank(this.instanceUrl) ? str + "/rest/foss/scan" : this.instanceUrl + "/rest/foss/scan";
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
        if (StringUtils.isBlank(str2)) {
            throw new AbortException("API Key not configured. Please check your configuration. Add SEC1_API_KEY in credentials if missing.");
        }
        httpHeaders.set(API_KEY_HEADER, str2);
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isBlank(this.scmUrl) && !CollectionUtils.isEmpty(list)) {
            list.forEach(action -> {
                if (action instanceof BuildData) {
                    BuildData buildData = (BuildData) action;
                    if (CollectionUtils.isEmpty(buildData.getRemoteUrls())) {
                        return;
                    }
                    arrayList.addAll(buildData.getRemoteUrls());
                }
            });
            if (!CollectionUtils.isEmpty(arrayList)) {
                this.scmUrl = (String) arrayList.get(0);
            }
        }
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("location", this.scmUrl);
        StringBuilder sb = new StringBuilder("system");
        StringBuilder sb2 = new StringBuilder();
        try {
            sb2.append(getSubUrl(this.scmUrl));
        } catch (Exception e) {
            logger.error("Error - extracting app name from url", e);
            logger.info("Issue extracting app name from url, setting it to default");
            sb2 = new StringBuilder(this.scmUrl);
        }
        jSONObject.put("urlType", this.scm);
        jSONObject.put("appName", sb2);
        jSONObject.put("source", "jenkins");
        if (list2 != null && list2.size() > 0) {
            list2.forEach(cause -> {
                if (cause instanceof Cause.UserIdCause) {
                    sb.setLength(0);
                    sb.append(((Cause.UserIdCause) cause).getUserId());
                }
            });
        }
        if (StringUtils.isBlank(this.scmUrl)) {
            throw new AbortException("SCM Url not configured. Please check your configuration.");
        }
        String credentials = StringUtils.isNotBlank(this.credentialsId) ? getCredentials(this.credentialsId, sb.toString(), abstractProject) : getCredentialsFromScm(this.scmUrl, abstractProject);
        if (StringUtils.isNotBlank(credentials)) {
            jSONObject.put("accessToken", credentials);
        }
        taskListener.getLogger().println("==================== SEC1 SCAN CONFIG ====================");
        taskListener.getLogger().println("SCM Url                " + this.scmUrl);
        taskListener.getLogger().println("Threshold Enabled      " + z);
        if (this.threshold != null && z) {
            taskListener.getLogger().println("Threshold Values       Critical " + (StringUtils.isNotBlank(this.threshold.getCriticalThreshold()) ? this.threshold.getCriticalThreshold() : "NA") + ", High " + (StringUtils.isNotBlank(this.threshold.getHighThreshold()) ? this.threshold.getHighThreshold() : "NA") + ", Medium " + (StringUtils.isNotBlank(this.threshold.getMediumThreshold()) ? this.threshold.getMediumThreshold() : "NA") + ", Low " + (StringUtils.isNotBlank(this.threshold.getLowThreshold()) ? this.threshold.getLowThreshold() : "NA"));
        }
        ResponseEntity exchange = new RestTemplate().exchange(str3, HttpMethod.POST, new HttpEntity(jSONObject.toString(), httpHeaders), String.class, new Object[0]);
        int i = 0;
        if (exchange.getStatusCodeValue() == 200) {
            JSONObject jSONObject2 = new JSONObject((String) exchange.getBody());
            if (jSONObject2.has("cveCountDetails")) {
                int optInt = jSONObject2.optJSONObject("cveCountDetails") != null ? jSONObject2.getJSONObject("cveCountDetails").optInt("CRITICAL") : 0;
                int optInt2 = jSONObject2.optJSONObject("cveCountDetails") != null ? jSONObject2.getJSONObject("cveCountDetails").optInt("HIGH") : 0;
                int optInt3 = jSONObject2.optJSONObject("cveCountDetails") != null ? jSONObject2.getJSONObject("cveCountDetails").optInt("MEDIUM") : 0;
                int optInt4 = jSONObject2.optJSONObject("cveCountDetails") != null ? jSONObject2.getJSONObject("cveCountDetails").optInt("LOW") : 0;
                taskListener.getLogger().println("==================== SEC1 SCAN RESULT ====================");
                if (StringUtils.isBlank(jSONObject2.optString("errorMessage"))) {
                    taskListener.getLogger().println("Vulnerabilities Found  Critical " + optInt + ", High " + optInt2 + ", Medium " + optInt3 + ", Low " + optInt4);
                    taskListener.getLogger().println("RAG Status             " + jSONObject2.optString("overallRagStatus"));
                    taskListener.getLogger().println("Report Url             " + jSONObject2.optString("reportUrl"));
                    if (z) {
                        if (optInt != 0) {
                            try {
                                if (this.threshold.getCriticalThreshold() != null && NumberUtils.isDigits(this.threshold.getCriticalThreshold()) && optInt >= Integer.parseInt(this.threshold.getCriticalThreshold())) {
                                    i = failBuildOnThresholdBreach("Critical Vulnerability Threshold breached.", taskListener, this.threshold);
                                }
                            } catch (NumberFormatException e2) {
                                throw new AbortException("Check values configured for vulnerability threshold. Only numbers are allowed.");
                            }
                        }
                        if (optInt2 != 0 && this.threshold.getHighThreshold() != null && NumberUtils.isDigits(this.threshold.getHighThreshold()) && optInt2 >= Integer.parseInt(this.threshold.getHighThreshold())) {
                            i = failBuildOnThresholdBreach("High Vulnerability Threshold breached.", taskListener, this.threshold);
                        }
                        if (optInt3 != 0 && this.threshold.getMediumThreshold() != null && NumberUtils.isDigits(this.threshold.getMediumThreshold()) && optInt3 >= Integer.parseInt(this.threshold.getMediumThreshold())) {
                            i = failBuildOnThresholdBreach("Medium Vulnerability Threshold breached.", taskListener, this.threshold);
                        }
                        if (optInt4 != 0 && this.threshold.getLowThreshold() != null && NumberUtils.isDigits(this.threshold.getLowThreshold()) && optInt4 >= Integer.parseInt(this.threshold.getLowThreshold())) {
                            i = failBuildOnThresholdBreach("Low Vulnerability Threshold breached.", taskListener, this.threshold);
                        }
                    }
                } else {
                    taskListener.error("Error Details : " + jSONObject2.optString("errorMessage"));
                    i = 2;
                }
            }
        }
        return i;
    }

    private int failBuildOnThresholdBreach(String str, TaskListener taskListener, Threshold threshold) throws AbortException {
        if (!StringUtils.isNotBlank(threshold.getStatusAction())) {
            throw new AbortException(str + " Failing the build.");
        }
        if (StringUtils.equalsIgnoreCase(threshold.getStatusAction(), "fail")) {
            throw new AbortException(str + " Failing the build.");
        }
        if (StringUtils.equalsIgnoreCase(threshold.getStatusAction(), "unstable")) {
            taskListener.getLogger().println(str);
            return 2;
        }
        taskListener.getLogger().println(str);
        return 0;
    }

    public static String getCredentialsFromScm(String str, AbstractProject<?, ?> abstractProject) {
        UsernamePasswordCredentialsImpl usernamePasswordCredentialsImpl;
        if (abstractProject != null && (abstractProject.getScm() instanceof GitSCM)) {
            for (UserRemoteConfig userRemoteConfig : abstractProject.getScm().getUserRemoteConfigs()) {
                if (userRemoteConfig != null && StringUtils.equals(userRemoteConfig.getUrl(), str)) {
                    logger.info("Getting creds for : {}", userRemoteConfig.getCredentialsId());
                    String credentialsId = userRemoteConfig.getCredentialsId();
                    if (StringUtils.isNotBlank(credentialsId) && (usernamePasswordCredentialsImpl = (StandardCredentials) CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(StandardCredentials.class, abstractProject, ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(credentialsId))) != null && (usernamePasswordCredentialsImpl instanceof UsernamePasswordCredentialsImpl)) {
                        UsernamePasswordCredentialsImpl usernamePasswordCredentialsImpl2 = usernamePasswordCredentialsImpl;
                        return getBase64EncodedCreds(usernamePasswordCredentialsImpl2.getUsername(), usernamePasswordCredentialsImpl2.getPassword().getPlainText());
                    }
                }
            }
        }
        return "";
    }

    private static String getBase64EncodedCreds(String str, String str2) {
        return Base64.getEncoder().encodeToString((str + ":" + str2).getBytes(Charset.forName("UTF-8")));
    }

    private String getCredentials(String str, String str2, AbstractProject<?, ?> abstractProject) {
        if (StringUtils.isNotBlank(str)) {
            UsernamePasswordCredentialsImpl usernamePasswordCredentialsImpl = (StandardCredentials) CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(StandardCredentials.class, Jenkins.get(), ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(str));
            if (usernamePasswordCredentialsImpl instanceof UsernamePasswordCredentialsImpl) {
                UsernamePasswordCredentialsImpl usernamePasswordCredentialsImpl2 = usernamePasswordCredentialsImpl;
                return getBase64EncodedCreds(usernamePasswordCredentialsImpl2.getUsername(), usernamePasswordCredentialsImpl2.getPassword().getPlainText());
            }
        }
        return "";
    }

    private boolean isValidUrl(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return false;
        }
        try {
            new URL(str).toURI();
            return true;
        } catch (MalformedURLException e) {
            return false;
        } catch (URISyntaxException e2) {
            return false;
        }
    }

    private String getSubUrl(String str) throws MalformedURLException {
        URL url = new URL(str);
        int indexOf = StringUtils.indexOf(str, url.getHost()) + url.getHost().length() + 1;
        if (url.getPort() != -1) {
            indexOf = StringUtils.indexOf(str, url.getHost()) + url.getHost().length() + String.valueOf(url.getPort()).length() + 1;
        }
        return StringUtils.substring(str, indexOf);
    }
}
