package com.stackrox.jenkins.plugins;

import com.google.common.base.CharMatcher;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.stackrox.api.AuthServiceApi;
import com.stackrox.invoker.ApiClient;
import com.stackrox.invoker.ApiException;
import com.stackrox.jenkins.plugins.data.ImageCheckResults;
import com.stackrox.jenkins.plugins.jenkins.RunConfig;
import com.stackrox.jenkins.plugins.report.ReportGenerator;
import com.stackrox.jenkins.plugins.services.ApiClientFactory;
import com.stackrox.jenkins.plugins.services.DetectionService;
import com.stackrox.jenkins.plugins.services.ImageService;
import com.stackrox.jenkins.plugins.services.ServiceException;
import hudson.AbortException;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Descriptor;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.ArtifactArchiver;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.faces.validator.BeanValidator;
import javax.net.ssl.SSLException;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import net.sf.json.JSONObject;
import org.apache.commons.validator.routines.RegexValidator;
import org.apache.commons.validator.routines.UrlValidator;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:WEB-INF/lib/stackrox-container-image-scanner.jar:com/stackrox/jenkins/plugins/StackroxBuilder.class */
/**
 * Jenkins build step that checks a list of container images against a StackRox portal,
 * generates a build report, archives it and attaches the results to the run.
 *
 * <p>This listing appears to be decompiler output (see the "loaded from" / "renamed from"
 * markers), so local names and some control flow may differ from the original source.
 *
 * <p>Security-relevant defaults visible in this class: {@code enableTLSVerification},
 * {@code failOnPolicyEvalFailure} and {@code failOnCriticalPluginError} have no initializer and
 * are therefore {@code false} unless a setter is called. With those values the API token is sent
 * over a connection built with {@code INSECURE_ACCEPT_ANY}, and both policy violations and scan
 * errors are logged instead of failing the step. The form defaults are not visible here and may
 * preset different values — confirm before relying on this step as a gate.
 */
public class StackroxBuilder extends Builder implements SimpleBuildStep {
    // Portal base address; setPortalAddress() strips trailing '/' characters.
    private String portalAddress;

    // Raw image list as configured; getImages() splits it into individual names.
    @DataBoundSetter
    private String imageNames;
    // Held as a hudson.util.Secret rather than a String; unwrapped only in checkImages().
    private Secret apiToken = Secret.fromString("");

    // When false (the field default), a caught PolicyEvalException in perform() is only logged.
    @DataBoundSetter
    private boolean failOnPolicyEvalFailure;

    // When false (the field default), an IOException during the check is only logged, so an
    // unreachable portal does not abort the step.
    @DataBoundSetter
    private boolean failOnCriticalPluginError;

    // When false (the field default), the client is created with INSECURE_ACCEPT_ANY.
    @DataBoundSetter
    private boolean enableTLSVerification;

    // Passed unchanged to ApiClientFactory.newApiClient; presumably a PEM-encoded CA certificate
    // used for validation — confirm in ApiClientFactory.
    @DataBoundSetter
    private String caCertPEM;
    // Per-run state assigned in perform().
    // NOTE(review): not transient and stored on the builder instance — confirm it is neither
    // persisted with the job configuration nor shared between concurrent runs.
    private RunConfig runConfig;

    /**
     * Descriptor for the build step, registered under the symbol {@code stackrox}. Provides the
     * form validation endpoints and the "test connection" action. Every endpoint here checks
     * {@code Jenkins.ADMINISTER} before doing anything else.
     */
    @Extension
    @Symbol({"stackrox"})
    /* loaded from: input_file:WEB-INF/lib/stackrox-container-image-scanner.jar:com/stackrox/jenkins/plugins/StackroxBuilder$DescriptorImpl.class */
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        /** Creates the descriptor and calls {@code load()} to restore its saved state. */
        public DescriptorImpl() {
            load();
        }

        /** Reports the step as applicable to every project type. */
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        /** Returns the localized display name of the step. */
        @Nonnull
        public String getDisplayName() {
            return Messages.StackroxBuilder_DescriptorImpl_DisplayName();
        }

        /**
         * Binds the submitted JSON onto this descriptor, saves it, then delegates to the
         * superclass.
         */
        public boolean configure(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            staplerRequest.bindJSON(this, jSONObject);
            save();
            return super.configure(staplerRequest, jSONObject);
        }

        /**
         * Form validation for the portal address. Only the {@code https} scheme is accepted.
         * An error is returned only when the address fails BOTH validators below.
         *
         * <p>This is advisory form feedback: nothing visible in this class re-validates the
         * address before {@code checkImages()} connects to it.
         */
        public FormValidation doCheckPortalAddress(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            String[] strArr = {"https"};
            // 8L corresponds to UrlValidator.ALLOW_LOCAL_URLS (1 << 3) in commons-validator —
            // confirm against the bundled version.
            UrlValidator urlValidator = new UrlValidator(strArr, 8L);
            // NOTE(review): the fallback authority pattern ends in "(.*)?", so it matches any
            // input without line terminators; the second validator therefore adds little beyond
            // the https scheme check. The backslashes in the pattern also look doubled in this
            // listing (possibly an extraction artifact) — confirm against the original source.
            if ((Strings.isNullOrEmpty(str) || !urlValidator.isValid(str)) && !new UrlValidator(strArr, new RegexValidator("^([\\\\p{Alnum}\\\\-\\\\.]*)(:\\\\d*)?(.*)?"), 8L).isValid(str)) {
                return FormValidation.error(Messages.StackroxBuilder_InvalidPortalAddressError());
            }
            return FormValidation.ok();
        }

        /** Form validation for the API token: any non-empty value is accepted. */
        public FormValidation doCheckApiToken(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return !Strings.isNullOrEmpty(str) ? FormValidation.ok() : FormValidation.error(Messages.StackroxBuilder_EmptyAPITokenError());
        }

        /**
         * Tries to authenticate against the given portal with the given token and reports the
         * outcome. The method makes an outbound request to a caller-supplied address, so it is
         * restricted to POST and to users holding {@code Jenkins.ADMINISTER}.
         *
         * @param str  portal address to contact
         * @param str2 API token, received here as a plain string
         * @param z    whether TLS validation is enabled for this test
         * @param str3 CA certificate text handed to the client factory
         * @return ok on an authenticated response, otherwise an error chosen by the root cause
         */
        @POST
        public FormValidation doTestConnection(@QueryParameter("portalAddress") String str, @QueryParameter("apiToken") String str2, @QueryParameter("enableTLSVerification") boolean z, @QueryParameter("caCertPEM") String str3) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            try {
                return checkRoxAuthStatus(str, str2, z, str3) ? FormValidation.ok("Success") : FormValidation.error("Invalid credentials, user not authenticated");
            } catch (Exception e) {
                // The message is picked from the root cause so TLS, DNS and socket failures are
                // distinguishable; anything else falls back to the generic message.
                Throwable rootCause = Throwables.getRootCause(e);
                return rootCause instanceof ServiceException ? FormValidation.error(rootCause, "Invalid response from StackRox portal") : rootCause instanceof UnknownHostException ? FormValidation.error(rootCause, "Unknown host: " + str) : rootCause instanceof SSLException ? FormValidation.error(rootCause, "Could not validate TLS") : rootCause instanceof SocketException ? FormValidation.error(rootCause, "Connection error") : FormValidation.error(e, "Failed to connect to StackRox portal, please provide a valid portal address and API token");
            }
        }

        /**
         * Calls the portal's auth-status endpoint and returns true when the response carries a
         * non-empty user id. An {@code ApiException} is rethrown as a {@code ServiceException}.
         */
        private boolean checkRoxAuthStatus(String str, String str2, boolean z, String str3) throws IOException {
            try {
                return !Strings.isNullOrEmpty(new AuthServiceApi(ApiClientFactory.newApiClient(str, str2, str3, validationMode(z))).authServiceGetAuthStatus().getUserId());
            } catch (ApiException e) {
                throw ServiceException.fromApiException("Could not get auth status", e);
            }
        }

        /** Maps the checkbox value to a TLS mode; false selects INSECURE_ACCEPT_ANY. */
        private ApiClientFactory.StackRoxTlsValidationMode validationMode(boolean z) {
            return z ? ApiClientFactory.StackRoxTlsValidationMode.VALIDATE : ApiClientFactory.StackRoxTlsValidationMode.INSECURE_ACCEPT_ANY;
        }
    }

    /** Creates an unconfigured step; all settings are applied through the setters. */
    @DataBoundConstructor
    public StackroxBuilder() {
    }

    /**
     * Maps {@code enableTLSVerification} to a TLS mode; false selects INSECURE_ACCEPT_ANY.
     * Same mapping as {@code DescriptorImpl.validationMode}.
     */
    private ApiClientFactory.StackRoxTlsValidationMode getTLSValidationMode() {
        return this.enableTLSVerification ? ApiClientFactory.StackRoxTlsValidationMode.VALIDATE : ApiClientFactory.StackRoxTlsValidationMode.INSECURE_ACCEPT_ANY;
    }

    /**
     * Splits the configured image names into an immutable list, trimming each entry and
     * dropping empty ones. A null configuration yields an empty list.
     */
    private List<String> getImages() {
        // NOTE(review): the delimiter is a javax.faces constant; presumably the decompiler
        // substituted it for a "," literal of equal value — confirm against the original.
        return ImmutableList.copyOf(Splitter.on(BeanValidator.VALIDATION_GROUPS_DELIMITER).omitEmptyStrings().trimResults().split(Strings.nullToEmpty(getImageNames())));
    }

    /** Stores the portal address with trailing '/' characters removed. No null check is done here. */
    @DataBoundSetter
    public void setPortalAddress(String str) {
        this.portalAddress = CharMatcher.is('/').trimTrailingFrom(str);
    }

    /** Wraps the given token text in a {@code Secret} before storing it. */
    @DataBoundSetter
    public void setApiToken(String str) {
        this.apiToken = Secret.fromString(str);
    }

    /**
     * Runs the image check for this build: creates the run configuration, checks every image,
     * writes the report, archives it, attaches the results action and cleans the workspace.
     *
     * <p>Both catch branches continue after logging when the corresponding flag is false, so
     * with the field defaults a policy violation or a scan error does not abort the step.
     *
     * @throws AbortException when a failure occurs and the matching fail-on flag is set
     */
    public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath filePath, @Nonnull Launcher launcher, @Nonnull TaskListener taskListener) throws IOException, InterruptedException {
        List<ImageCheckResults> checkImages;
        // The BUILD_TAG environment value and the workspace path are handed to RunConfig.create.
        this.runConfig = RunConfig.create(taskListener.getLogger(), (String) run.getCharacteristicEnvVars().get("BUILD_TAG"), filePath, getImages());
        try {
            checkImages = checkImages();
            ReportGenerator.generateBuildReport(checkImages, this.runConfig.getReportsDir());
            prepareArtifacts(run, filePath, launcher, taskListener);
            run.addAction(new ViewStackroxResultsAction(checkImages, run));
            cleanupJenkinsWorkspace();
        } catch (PolicyEvalException e) {
            if (this.failOnPolicyEvalFailure) {
                throw new AbortException(e.getMessage());
            }
            this.runConfig.getLog().println("Marking StackRox Image Security plugin build step as successful despite enforced policy violations.");
        } catch (IOException e2) {
            // Covers a failed scan (for example an unreachable portal): unless
            // failOnCriticalPluginError is set, the error is logged and not rethrown.
            if (this.failOnCriticalPluginError) {
                throw new AbortException(String.format("Fatal error: %s. Aborting ...", e2.getMessage()));
            }
            this.runConfig.getLog().println("Marking StackRox Image Security plugin build step as successful despite error.");
        }
        // NOTE(review): as listed, checkImages is not assigned when a catch branch above falls
        // through, and the exception thrown below is outside the try, so the
        // failOnPolicyEvalFailure branch does not apply to it. This is likely a decompiler
        // restructuring — confirm the real control flow against the original source.
        if (enforcedPolicyViolationExists(checkImages)) {
            throw new PolicyEvalException("At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.");
        }
        this.runConfig.getLog().println("No system policy violations found. Marking StackRox Image Security plugin build step as successful.");
    }

    /**
     * Archives the files under the run configuration's artifacts path. Empty archives are
     * explicitly allowed on the archiver.
     */
    private void prepareArtifacts(Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener) throws IOException, InterruptedException {
        ArtifactArchiver artifactArchiver = new ArtifactArchiver(this.runConfig.getArtifactsRelativePath());
        artifactArchiver.setAllowEmptyArchive(true);
        artifactArchiver.perform(run, filePath, launcher, taskListener);
    }

    /**
     * Fetches scan results and policy violations for every image in the run configuration and
     * returns them with failing images first.
     */
    private List<ImageCheckResults> checkImages() throws IOException {
        ArrayList newArrayList = Lists.newArrayList();
        // The only place the token is unwrapped to plain text; the TLS mode chosen here applies
        // to the connection that carries it.
        ApiClient newApiClient = ApiClientFactory.newApiClient(getPortalAddress(), getApiToken().getPlainText(), getCaCertPEM(), getTLSValidationMode());
        ImageService imageService = new ImageService(newApiClient);
        DetectionService detectionService = new DetectionService(newApiClient);
        for (String str : this.runConfig.getImageNames()) {
            this.runConfig.getLog().printf("Checking image %s...%n", str);
            newArrayList.add(new ImageCheckResults(str, imageService.getImageScanResults(str), detectionService.getPolicyViolations(str)));
        }
        // Boolean.compare orders false before true, so results with isStatusPass() == false
        // come first.
        newArrayList.sort((imageCheckResults, imageCheckResults2) -> {
            return Boolean.compare(imageCheckResults.isStatusPass(), imageCheckResults2.isStatusPass());
        });
        return newArrayList;
    }

    /** Returns true when at least one result reports {@code isStatusPass()} as false. */
    private boolean enforcedPolicyViolationExists(List<ImageCheckResults> list) {
        Iterator<ImageCheckResults> it = list.iterator();
        while (it.hasNext()) {
            if (!it.next().isStatusPass()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Deletes the base work directory and the reports directory. Failures are reported as a
     * warning in the build log and otherwise ignored.
     */
    private void cleanupJenkinsWorkspace() {
        this.runConfig.getLog().println("Cleaning up the workspace ...");
        try {
            this.runConfig.getBaseWorkDir().deleteRecursive();
            this.runConfig.getReportsDir().deleteRecursive();
        } catch (IOException | InterruptedException e) {
            // Best effort: the exception is dropped and the interrupt status is not restored.
            this.runConfig.getLog().println("WARN: Failed to cleanup.");
        }
    }

    /* renamed from: getDescriptor, reason: merged with bridge method [inline-methods] */
    // The "m602" prefix comes from the decompiler's rename noted above; the method simply
    // returns the superclass descriptor.
    public DescriptorImpl m602getDescriptor() {
        return super.getDescriptor();
    }

    /** Returns the stored portal address. */
    public String getPortalAddress() {
        return this.portalAddress;
    }

    /** Returns the raw, unsplit image list. */
    public String getImageNames() {
        return this.imageNames;
    }

    /** Returns the token as a {@code Secret}, not as plain text. */
    public Secret getApiToken() {
        return this.apiToken;
    }

    /** Returns whether a caught policy evaluation failure aborts the step. */
    public boolean isFailOnPolicyEvalFailure() {
        return this.failOnPolicyEvalFailure;
    }

    /** Returns whether an I/O error during the check aborts the step. */
    public boolean isFailOnCriticalPluginError() {
        return this.failOnCriticalPluginError;
    }

    /** Returns whether the client is created with TLS validation enabled. */
    public boolean isEnableTLSVerification() {
        return this.enableTLSVerification;
    }

    /** Returns the configured CA certificate text. */
    public String getCaCertPEM() {
        return this.caCertPEM;
    }

    /** Returns the run configuration assigned by the last call to perform() or setRunConfig(). */
    public RunConfig getRunConfig() {
        return this.runConfig;
    }

    /** Stores the raw image list without any validation. */
    public void setImageNames(String str) {
        this.imageNames = str;
    }

    /** Sets whether a caught policy evaluation failure aborts the step. */
    public void setFailOnPolicyEvalFailure(boolean z) {
        this.failOnPolicyEvalFailure = z;
    }

    /** Sets whether an I/O error during the check aborts the step. */
    public void setFailOnCriticalPluginError(boolean z) {
        this.failOnCriticalPluginError = z;
    }

    /** Enables or disables TLS validation; false selects INSECURE_ACCEPT_ANY for the client. */
    public void setEnableTLSVerification(boolean z) {
        this.enableTLSVerification = z;
    }

    /** Stores the CA certificate text as given. */
    public void setCaCertPEM(String str) {
        this.caCertPEM = str;
    }

    /** Replaces the run configuration. */
    public void setRunConfig(RunConfig runConfig) {
        this.runConfig = runConfig;
    }
}
