package io.jenkins.plugins.gcr_scanner;

import com.google.gson.Gson;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import dnl.utils.text.table.TextTable;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Result;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.slaves.SlaveComputer;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import io.grafeas.v1.Occurrence;
import io.grafeas.v1.Severity;
import io.grafeas.v1.VulnerabilityOccurrence;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;

/* loaded from: input_file:io/jenkins/plugins/gcr_scanner/GcrVulnerabilityBuilder.class */
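/**
 * Build step that lists the vulnerability occurrences Container Analysis reports for a
 * GCR image (pinned by sha256 digest), prints them as a table, and then evaluates the
 * configured Rego policy against them with a bundled {@code opa} binary.
 *
 * <p>The image reference is validated twice: in the job configuration form
 * ({@link DescriptorImpl#doCheckImageName}) and again at build time, since the form
 * check can be bypassed (pipeline syntax, REST, scripted config). Both use the same
 * helpers so the two checks cannot drift apart.
 *
 * <p>The OPA evaluation writes three files into the build workspace: the {@code opa}
 * binary copied from the controller's plugin directory, the policy, and the JSON input.
 * The build result is {@code FAILURE} when {@code deny_image} holds or nothing allows
 * the image, {@code UNSTABLE} for {@code allow_image_with_warnings}, and {@code SUCCESS}
 * for {@code allow_image}.
 */
public class GcrVulnerabilityBuilder extends Builder implements SimpleBuildStep {

    /** Workspace file names used for the OPA evaluation. */
    private static final String OPA_BINARY = "opa";
    private static final String POLICY_FILE = "basic-policy.rego";
    private static final String INPUT_FILE = "input.json";
    /** Location of the bundled opa binary on the controller, relative to JENKINS_HOME. */
    private static final String OPA_ON_CONTROLLER = "plugins/gcr-scanner/opa";

    /** Column headers shared by the printed table and the OPA input entries (in ScanOutput order). */
    private static final String[] TABLE_HEADERS = {"CVE", "Package", "Version", "Severity", "Status"};

    /** Full GCR image reference, e.g. {@code gcr.io/<project>/<image>@sha256:<digest>}. */
    private String imageName;

    @Extension
    @Symbol({"gcrImageVulnerabilityScanner"})
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        /** Rego policy evaluated against the scan result; editable in the global configuration. */
        private String opaRegoPolicy = "package gcr_scanner\n\ntest_severity(input_severity, expected_severity) {\n    input_severity == expected_severity\n}\n\ndeny_image {\n    test_severity(input.result[_].Severity, \"CRITICAL\")\n}\n\ndeny_image {\n    test_severity(input.result[_].Severity, \"HIGH\")\n}\n\nallow_image_with_warnings {\n    startswith(input.result[_].Status, \"Fixed\")\n    not deny_image\n}\n\nallow_image {\n    not deny_image\n    not allow_image_with_warnings\n}";

        /**
         * Restores the persisted policy. Without this, the value written by {@code save()}
         * in {@link #setOpaRegoPolicy} is lost on the next controller restart.
         */
        public DescriptorImpl() {
            load();
        }

        /** @return the Rego policy currently in effect (the built-in default until overridden) */
        public String getOpaRegoPolicy() {
            return this.opaRegoPolicy;
        }

        /**
         * Replaces the policy and persists the descriptor.
         *
         * @param str new Rego source; {@code null} or empty leaves the current policy untouched
         */
        @DataBoundSetter
        public void setOpaRegoPolicy(String str) {
            if (str != null && !str.isEmpty()) {
                this.opaRegoPolicy = str;
            }
            save();
        }

        /**
         * Form validation for the image field.
         *
         * @param str the value typed into the form; may be {@code null} when the field is absent
         * @return an error unless {@code str} names a GCR image pinned by a sha256 digest
         */
        public FormValidation doCheckImageName(@QueryParameter String str) throws IOException, ServletException {
            if (str == null || str.trim().isEmpty()) {
                return FormValidation.error("Please specify gcr image only.");
            }
            String[] parts = str.split("/");
            if (!isGcrImageReference(parts)) {
                return FormValidation.error("Please specify gcr image only.");
            }
            if (!hasSha256Digest(parts)) {
                return FormValidation.error("Please specify gcr image with SHA256 digest. Tags not allowed.");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "GCR Image Vulnerability Scanner";
        }
    }

    /**
     * @param str the GCR image reference to scan (see {@link #getImageName()})
     */
    @DataBoundConstructor
    public GcrVulnerabilityBuilder(String str) {
        this.imageName = str;
    }

    /** @return the configured image reference; may be {@code null} if never set */
    public String getImageName() {
        return this.imageName;
    }

    @DataBoundSetter
    public void setImageName(String str) {
        this.imageName = str;
    }

    /**
     * @return the singleton descriptor holding the global policy
     * @throws IllegalStateException when Jenkins has not finished starting
     */
    public static DescriptorImpl descriptor() {
        return requireJenkins().getDescriptorByType(DescriptorImpl.class);
    }

    /**
     * Scans the image and applies the policy; see the class comment for the result mapping.
     *
     * @param run          the build whose result is set from the policy verdict
     * @param filePath     the workspace where the opa binary, policy and input are staged
     * @param launcher     used to run opa on the node owning the workspace
     * @param taskListener build log
     */
    @Override
    public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath filePath, @Nonnull Launcher launcher,
                        @Nonnull TaskListener taskListener) throws InterruptedException, IOException {
        PrintStream log = taskListener.getLogger();
        log.printf("GCR Image Scanning for %s in progress...\n", this.imageName);

        // Same checks as the form validation: a null/unpinned/non-GCR reference fails the build.
        String[] parts = this.imageName == null ? new String[0] : this.imageName.split("/");
        if (!isGcrImageReference(parts) || !hasSha256Digest(parts)) {
            taskListener.error("The GCR image is invalid. Please specify gcr image only.");
            run.setResult(Result.FAILURE);
            return;
        }
        String projectId = parts[1];
        String resourceUrl = "https://" + this.imageName;
        log.println("ProjectName is " + projectId);
        log.println("ResourceUrl is " + resourceUrl);

        ArrayList<Occurrence> occurrences = new GcrVulnerabilityScanner().run(resourceUrl, projectId, taskListener, launcher);
        if (occurrences.isEmpty()) {
            // Nothing to evaluate; the build keeps its current result.
            log.println("No vulnerabilities reported for " + this.imageName);
            return;
        }
        log.println("The total vulnerabilities are " + occurrences.size());
        generateTable(occurrences, taskListener);

        FilePath opaBinary = new FilePath(filePath, OPA_BINARY);
        FilePath policyFile = new FilePath(filePath, POLICY_FILE);
        FilePath inputFile = new FilePath(filePath, INPUT_FILE);
        stageOpaBinary(opaBinary);
        policyFile.write(descriptor().getOpaRegoPolicy(), "UTF-8");
        inputFile.write(getOpaInputForEvaluation(occurrences, taskListener, launcher), "UTF-8");

        boolean denied = executeOpaCommand("data.gcr_scanner.deny_image", opaBinary, policyFile, inputFile, launcher, taskListener);
        boolean allowed = executeOpaCommand("data.gcr_scanner.allow_image", opaBinary, policyFile, inputFile, launcher, taskListener);
        boolean allowedWithWarnings = executeOpaCommand("data.gcr_scanner.allow_image_with_warnings", opaBinary, policyFile, inputFile, launcher, taskListener);
        log.printf("The status of OPA commands are allow_image: %s, deny_image:%s, allow_image_with_warnings:%s\n",
                allowed, denied, allowedWithWarnings);

        // deny wins over any allow; when no rule holds (undefined/failed eval) the image is not trusted.
        if (denied) {
            log.println("The Image is denied as it doesn't satisfies the policy.");
            run.setResult(Result.FAILURE);
        } else if (allowedWithWarnings) {
            log.println("[WARNING]: The Image is allowed but needs a few fixes based on the policy.");
            run.setResult(Result.UNSTABLE);
        } else if (allowed) {
            log.println("The image looks clean and good to go based the policy.");
            run.setResult(Result.SUCCESS);
        } else {
            taskListener.error("The Image is denied as it doesn't satisfies the policy.");
            run.setResult(Result.FAILURE);
        }
    }

    /**
     * Runs {@code opa eval -d <policy> -i <input> <query>} and returns the boolean value of
     * the first expression of the first result.
     *
     * @param str          the Rego query, e.g. {@code data.gcr_scanner.deny_image}
     * @param filePath     the opa executable
     * @param filePath2    the policy (.rego) file
     * @param filePath3    the JSON input file
     * @param launcher     launcher for the node holding the files
     * @param taskListener receives stderr / parse problems
     * @return {@code false} when opa exits non-zero, prints no parsable result, or the query is undefined
     */
    public boolean executeOpaCommand(String str, FilePath filePath, FilePath filePath2, FilePath filePath3,
                                     Launcher launcher, TaskListener taskListener) throws IOException, InterruptedException {
        ByteArrayOutputStream stdout = new ByteArrayOutputStream();
        ByteArrayOutputStream stderr = new ByteArrayOutputStream();
        // Argument list rather than a single command string: workspace paths containing
        // spaces or quote characters are passed through verbatim instead of being re-tokenized.
        int exitCode = launcher.launch()
                .cmds(filePath.getRemote(), "eval", "-d", filePath2.getRemote(), "-i", filePath3.getRemote(), str)
                .stdout(stdout)
                .stderr(stderr)
                .quiet(true)
                .join();
        if (exitCode != 0) {
            taskListener.error("opa eval " + str + " exited with " + exitCode + ": " + stderr.toString("UTF-8").trim());
            return false;
        }
        try {
            return opaEvalStatus(stdout.toString("UTF-8"));
        } catch (JsonParseException e) {
            taskListener.error("opa eval " + str + " produced unparsable output: " + e.getMessage());
            return false;
        }
    }

    /**
     * Extracts {@code result[0].expressions[0].value} from opa's JSON output.
     *
     * @param str raw stdout of {@code opa eval}
     * @return the value when it is a JSON boolean; {@code false} for an undefined query
     *         ({@code {}}), an empty result, or a non-boolean value
     * @throws JsonParseException if {@code str} is not JSON
     */
    public boolean opaEvalStatus(String str) {
        if (str == null || str.trim().isEmpty()) {
            return false;
        }
        JsonElement root = JsonParser.parseString(str);
        if (!root.isJsonObject()) {
            return false;
        }
        JsonObject document = root.getAsJsonObject();
        // opa prints "{}" for an undefined query: that is "rule does not hold", not an error.
        JsonElement results = document.get("result");
        if (results == null || !results.isJsonArray() || results.getAsJsonArray().size() == 0) {
            return false;
        }
        JsonElement firstResult = results.getAsJsonArray().get(0);
        if (!firstResult.isJsonObject()) {
            return false;
        }
        JsonElement expressions = firstResult.getAsJsonObject().get("expressions");
        if (expressions == null || !expressions.isJsonArray() || expressions.getAsJsonArray().size() == 0) {
            return false;
        }
        JsonElement firstExpression = expressions.getAsJsonArray().get(0);
        if (!firstExpression.isJsonObject()) {
            return false;
        }
        JsonElement value = firstExpression.getAsJsonObject().get("value");
        // Only a literal JSON boolean counts as a verdict; anything else is treated as "not allowed".
        return value != null && value.isJsonPrimitive() && value.getAsJsonPrimitive().isBoolean() && value.getAsBoolean();
    }

    /**
     * Builds the {@code {"result": [...]}} document fed to opa: one {@link ScanOutput} per
     * affected package of every occurrence.
     *
     * @param arrayList    occurrences returned by the scanner
     * @param taskListener unused, kept for signature compatibility
     * @param launcher     unused, kept for signature compatibility
     * @return the JSON input document
     */
    public String getOpaInputForEvaluation(ArrayList<Occurrence> arrayList, TaskListener taskListener, Launcher launcher) {
        List<ScanOutput> entries = new ArrayList<ScanOutput>();
        for (Occurrence occurrence : arrayList) {
            for (String[] row : rowsFor(occurrence)) {
                entries.add(new ScanOutput(row[0], row[1], row[2], row[3], row[4]));
            }
        }
        return "{ \"result\": " + new Gson().toJson(entries) + " }";
    }

    /**
     * Prints the occurrences as a numbered table to the build log, one row per affected package.
     *
     * @param arrayList    occurrences returned by the scanner
     * @param taskListener build log
     */
    public void generateTable(ArrayList<Occurrence> arrayList, TaskListener taskListener) {
        List<String[]> rows = new ArrayList<String[]>();
        for (Occurrence occurrence : arrayList) {
            rows.addAll(rowsFor(occurrence));
        }
        TextTable textTable = new TextTable(TABLE_HEADERS, rows.toArray(new Object[0][]));
        textTable.setAddRowNumbering(true);
        textTable.printTable(taskListener.getLogger(), 0);
    }

    /**
     * Flattens one occurrence into rows of {CVE, package, version, severity, status}, one per
     * package issue. Shared by the table and the OPA input so both report the same data.
     * An occurrence without package issues yields no rows.
     */
    private static List<String[]> rowsFor(Occurrence occurrence) {
        String[] noteParts = occurrence.getNoteName().split("/");
        String cve = noteParts[noteParts.length - 1];
        // String.valueOf tolerates UNRECOGNIZED severities, which have no proto number.
        String severity = String.valueOf(occurrence.getVulnerability().getSeverity());
        List<String[]> rows = new ArrayList<String[]>();
        for (VulnerabilityOccurrence.PackageIssue issue : occurrence.getVulnerability().getPackageIssueList()) {
            String status = issue.getFixAvailable()
                    ? "Fixed in " + issue.getFixedVersion().getFullName()
                    : "No Fix available";
            rows.add(new String[] {
                    cve,
                    issue.getAffectedPackage(),
                    issue.getAffectedVersion().getFullName(),
                    severity,
                    status
            });
        }
        return rows;
    }

    /**
     * Copies the opa binary bundled with the plugin from the controller into the workspace
     * and makes it executable by the owner only (0755, not world-writable: a writable binary
     * in a shared workspace could be replaced before it is run).
     */
    private static void stageOpaBinary(FilePath target) throws IOException, InterruptedException {
        File onController = new File(requireJenkins().getRootDir(), OPA_ON_CONTROLLER);
        target.copyFrom(new FilePath(onController));
        target.chmod(0755);
    }

    /**
     * Registry check for a reference already split on '/': at least
     * {@code host/project/image} and a host that is exactly {@code gcr.io} or a regional
     * mirror such as {@code us.gcr.io}. A substring match would accept unrelated hosts
     * that merely contain "gcr.io".
     */
    private static boolean isGcrImageReference(String[] parts) {
        if (parts.length < 3) {
            return false;
        }
        String host = parts[0];
        return host.equals("gcr.io") || host.endsWith(".gcr.io");
    }

    /** True when the last path segment pins the image by digest ({@code @sha256:...}) rather than a tag. */
    private static boolean hasSha256Digest(String[] parts) {
        return parts.length > 0 && parts[parts.length - 1].contains("@sha256:");
    }

    /** @throws IllegalStateException when the Jenkins singleton is not available yet */
    private static Jenkins requireJenkins() {
        Jenkins jenkins = Jenkins.getInstance();
        if (jenkins == null) {
            throw new IllegalStateException("Jenkins instance is not ready");
        }
        return jenkins;
    }
}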
