package com.stackrox.jenkins.plugins;

import com.google.common.base.CharMatcher;
import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.net.HttpHeaders;
import com.stackrox.jenkins.plugins.CVE;
import hudson.AbortException;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Descriptor;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.ArtifactArchiver;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonString;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import net.sf.json.JSONObject;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;
import org.apache.commons.csv.QuoteMode;
import org.apache.commons.validator.routines.RegexValidator;
import org.apache.commons.validator.routines.UrlValidator;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.cookie.ClientCookie;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:WEB-INF/lib/stackrox-container-image-scanner.jar:com/stackrox/jenkins/plugins/StackroxBuilder.class */
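/**
 * Jenkins build step that submits container images to a StackRox portal and
 * gates the build on the result.
 *
 * <p>For every image name supplied by {@link RunConfig} the step calls
 * {@code v1/images/scan} and {@code v1/detect/build}, writes the findings as CSV
 * reports, archives them, and optionally fails the build when an alert carries
 * the {@code ViolatedPolicy.FAIL_BUILD_ENFORCEMENT} enforcement action.
 *
 * <p>NOTE(review): this listing looks like decompiler output (synthetic parameter
 * names, a renamed bridge method); public parameter names are left as found.
 */
public class StackroxBuilder extends Builder implements SimpleBuildStep {
    private static final String NOT_AVAILABLE = "-";

    private String portalAddress;
    private Secret apiToken = Secret.fromString("");
    private boolean failOnPolicyEvalFailure;
    private boolean failOnCriticalPluginError;
    // NOTE(review): defaults to false at the Java level. Presumably HttpClientUtils skips
    // certificate validation when this is false, in which case the bearer token is sent
    // over an unauthenticated channel - confirm against HttpClientUtils and the form default.
    private boolean enableTLSVerification;
    private String caCertPEM;

    // Per-build working state. Marked transient so live handles (HTTP client, Run,
    // Launcher, listener) are never written out with the persisted step configuration.
    // NOTE(review): the state still lives on the step instance, so two builds running
    // through the same instance at once would overwrite each other's values.
    private transient CloseableHttpClient httpClient;
    private transient RunConfig runConfig;
    private transient List<ImageCheckResults> results;

    /** Descriptor providing the display name, global configuration and form validation. */
    @Extension
    @Symbol({"stackrox-container-image-security"})
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        public DescriptorImpl() {
            load();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return Messages.StackroxBuilder_DescriptorImpl_DisplayName();
        }

        @Override
        public boolean configure(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            staplerRequest.bindJSON(this, jSONObject);
            save();
            return super.configure(staplerRequest, jSONObject);
        }

        /**
         * Form validation for the portal address; only {@code https} URLs are accepted.
         *
         * <p>This is advisory UI validation only: {@code setPortalAddress} stores whatever
         * it is given, so the build-time requests do not re-check the scheme.
         *
         * @param str the address typed into the form
         * @return {@code ok} when either validator accepts the value, otherwise an error
         */
        public FormValidation doCheckPortalAddress(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            String[] httpsOnly = {"https"};
            if (!Strings.isNullOrEmpty(str) && new UrlValidator(httpsOnly, 8L).isValid(str)) {
                return FormValidation.ok();
            }
            // Fallback validator with a custom authority pattern.
            // NOTE(review): the pattern ends in "(.*)?" so it appears to accept any authority,
            // and the doubled backslashes may be an extraction artifact - confirm the intended regex.
            RegexValidator authorityPattern = new RegexValidator("^([\\\\p{Alnum}\\\\-\\\\.]*)(:\\\\d*)?(.*)?");
            if (new UrlValidator(httpsOnly, authorityPattern, 8L).isValid(str)) {
                return FormValidation.ok();
            }
            return FormValidation.error(Messages.StackroxBuilder_InvalidPortalAddressError());
        }

        /**
         * Form validation for the API token: it must be non-empty.
         *
         * <p>NOTE(review): unlike {@code doTestConnection} this handler is not restricted to
         * POST, so the token may travel as a URL query parameter and end up in access logs.
         * Consider {@code @POST} together with {@code checkMethod="post"} on the form field -
         * the form definition is not visible here, so confirm before changing.
         *
         * @param str the token typed into the form
         * @return {@code ok} for a non-empty value, otherwise an error
         */
        public FormValidation doCheckApiToken(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Strings.isNullOrEmpty(str)) {
                return FormValidation.error(Messages.StackroxBuilder_EmptyAPITokenError());
            }
            return FormValidation.ok();
        }

        /**
         * Checks that the portal accepts the supplied token. Restricted to POST and to
         * users holding {@code Jenkins.ADMINISTER}.
         *
         * @param str portal base URL
         * @param str2 API token
         * @param z whether TLS verification is enabled
         * @param str3 CA certificate in PEM form, passed through to {@code HttpClientUtils}
         * @return {@code ok("Success")} when the portal reports a user id, otherwise an error
         */
        @POST
        public FormValidation doTestConnection(@QueryParameter("portalAddress") String str, @QueryParameter("apiToken") String str2, @QueryParameter("enableTLSVerification") boolean z, @QueryParameter("caCertPEM") String str3) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            try {
                if (checkRoxAuthStatus(str, str2, z, str3)) {
                    return FormValidation.ok("Success");
                }
            } catch (Exception ignored) {
                // Failure details are deliberately not echoed to the form; the generic
                // error below is returned instead.
            }
            return FormValidation.error(Messages.StackroxBuilder_TestConnectionError());
        }

        /**
         * Calls {@code v1/auth/status} with the token as a bearer credential.
         *
         * @return {@code true} only for an HTTP 200 whose JSON body has a non-empty {@code userId}
         * @throws Exception on transport, TLS-setup or JSON parsing failures
         */
        private boolean checkRoxAuthStatus(String portalAddress, String apiToken, boolean verifyTls, String caCertPem) throws Exception {
            // try-with-resources closes the response and the client on every path,
            // including the early return for a non-200 status.
            try (CloseableHttpClient client = HttpClientUtils.get(verifyTls, caCertPem)) {
                // Trim trailing slashes the same way setPortalAddress does, so the
                // joined URL does not contain "//".
                String base = CharMatcher.is('/').trimTrailingFrom(portalAddress);
                HttpGet request = new HttpGet(Joiner.on("/").join(base, "v1/auth/status"));
                request.addHeader("Accept", "application/json");
                request.addHeader("Authorization", Joiner.on(" ").join("Bearer", apiToken));
                try (CloseableHttpResponse response = client.execute(request)) {
                    HttpEntity entity = response.getEntity();
                    if (response.getStatusLine().getStatusCode() != 200 || entity == null) {
                        return false;
                    }
                    return !Strings.isNullOrEmpty(readJson(entity).getString("userId", null));
                } finally {
                    request.releaseConnection();
                }
            }
        }
    }

    @DataBoundConstructor
    public StackroxBuilder() {
    }

    public String getPortalAddress() {
        return this.portalAddress;
    }

    /**
     * Stores the portal base URL without trailing slashes.
     *
     * @param str the configured address; {@code null} is stored as {@code null}
     */
    @DataBoundSetter
    public void setPortalAddress(String str) {
        this.portalAddress = str == null ? null : CharMatcher.is('/').trimTrailingFrom(str);
    }

    public Secret getApiToken() {
        return this.apiToken;
    }

    @DataBoundSetter
    public void setApiToken(String str) {
        this.apiToken = Secret.fromString(str);
    }

    public boolean isFailOnPolicyEvalFailure() {
        return this.failOnPolicyEvalFailure;
    }

    @DataBoundSetter
    public void setFailOnPolicyEvalFailure(boolean z) {
        this.failOnPolicyEvalFailure = z;
    }

    public boolean isFailOnCriticalPluginError() {
        return this.failOnCriticalPluginError;
    }

    @DataBoundSetter
    public void setFailOnCriticalPluginError(boolean z) {
        this.failOnCriticalPluginError = z;
    }

    public boolean isEnableTLSVerification() {
        return this.enableTLSVerification;
    }

    @DataBoundSetter
    public void setEnableTLSVerification(boolean z) {
        this.enableTLSVerification = z;
    }

    public String getCaCertPEM() {
        return this.caCertPEM;
    }

    @DataBoundSetter
    public void setCaCertPEM(String str) {
        this.caCertPEM = str;
    }

    /**
     * Scans every configured image, publishes the reports and applies the policy gate.
     *
     * <p>Plugin errors (any {@link IOException} while scanning or reporting) fail the build
     * only when {@code failOnCriticalPluginError} is set. The policy verdict is evaluated
     * outside that handler: {@link AbortException} is itself an {@code IOException}, so
     * raising it inside the handler would let {@code failOnCriticalPluginError == false}
     * silently turn an enforced policy violation into a passing build.
     *
     * @throws AbortException when a plugin error is fatal by configuration, or when an
     *     enforced policy is violated and {@code failOnPolicyEvalFailure} is set
     */
    @Override
    public void perform(Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener) throws IOException, InterruptedException {
        this.runConfig = new RunConfig(run, filePath, launcher, taskListener);
        boolean enforcedViolationFound;
        try {
            this.httpClient = HttpClientUtils.get(this.enableTLSVerification, this.caCertPEM);
            this.results = Lists.newArrayList();
            for (String imageName : this.runConfig.getImageNames()) {
                processImage(imageName);
            }
            // Failing images (status false) sort ahead of passing ones.
            Collections.sort(this.results, (left, right) -> Boolean.compare(left.isImageCheckStatusPass(), right.isImageCheckStatusPass()));
            generateBuildReport();
            ArtifactArchiver archiver = new ArtifactArchiver(this.runConfig.getArtifacts());
            archiver.setAllowEmptyArchive(true);
            archiver.perform(run, filePath, launcher, taskListener);
            run.addAction(new ViewStackroxResultsAction(this.results, run));
            cleanupJenkinsWorkspace();
            enforcedViolationFound = enforcedPolicyViolationExists();
        } catch (IOException e) {
            if (this.failOnCriticalPluginError) {
                throw new AbortException(String.format("Fatal error: %s. Aborting ...", e.getMessage()));
            }
            // Tolerating plugin errors is an explicit, fail-open configuration choice.
            this.runConfig.getLog().println("Marking StackRox Image Security plugin build step as successful despite error.");
            return;
        } finally {
            if (this.httpClient != null) {
                this.httpClient.close();
            }
        }

        if (!enforcedViolationFound) {
            this.runConfig.getLog().println("No system policy violations found. Marking StackRox Image Security plugin build step as successful.");
            return;
        }
        if (this.failOnPolicyEvalFailure) {
            throw new AbortException("At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.");
        }
        this.runConfig.getLog().println("Marking StackRox Image Security plugin build step as successful despite enforced policy violations.");
    }

    /** Scans one image and appends its CVEs and enforced policy violations to {@code results}. */
    private void processImage(String imageName) throws IOException {
        this.runConfig.getLog().println(String.format("Checking image %s...", imageName));
        try {
            this.results.add(new ImageCheckResults(imageName, getImageScanResults(imageName), getPolicyViolations(imageName)));
        } catch (IOException e) {
            this.runConfig.getLog().println(String.format("Error processing image %s: %s", imageName, e.getMessage()));
            throw e;
        }
    }

    /**
     * Returns the alerts for the image whose policy lists the fail-build enforcement action.
     * Alerts without that action are dropped and never reach the report or the gate.
     */
    private List<ViolatedPolicy> getPolicyViolations(String imageName) throws IOException {
        List<ViolatedPolicy> enforced = Lists.newArrayList();
        for (JsonObject alert : runBuildTimeDetection(imageName).getJsonArray("alerts").getValuesAs(JsonObject.class)) {
            JsonObject policy = alert.getJsonObject("policy");
            if (!hasFailBuildEnforcement(policy)) {
                continue;
            }
            ArrayList<String> messages = Lists.newArrayList();
            for (JsonObject violation : alert.getJsonArray("violations").getValuesAs(JsonObject.class)) {
                messages.add(violation.getString("message"));
            }
            enforced.add(new ViolatedPolicy(policy.getString("name"), policy.getString("description"), policy.getString("severity"), policy.getString("remediation"), messages));
        }
        return enforced;
    }

    /** Tells whether the policy's {@code enforcementActions} contain the fail-build action. */
    private static boolean hasFailBuildEnforcement(JsonObject policy) {
        for (JsonString action : policy.getJsonArray("enforcementActions").getValuesAs(JsonString.class)) {
            if (ViolatedPolicy.FAIL_BUILD_ENFORCEMENT.equals(action.getString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds a JSON POST to {@code portalAddress/endpoint} carrying the API token as a
     * bearer credential.
     */
    private HttpPost newAuthorizedJsonPost(String endpoint, JsonObject payload) {
        HttpPost request = new HttpPost(Joiner.on("/").join(this.portalAddress, endpoint));
        request.setHeader("Accept", ContentType.APPLICATION_JSON.toString());
        request.setHeader("Content-Type", ContentType.APPLICATION_JSON.toString());
        // Read the plaintext through the explicit null-safe accessor instead of relying
        // on Joiner calling Secret.toString() implicitly.
        request.addHeader("Authorization", Joiner.on(" ").join("Bearer", Secret.toString(this.apiToken)));
        request.setEntity(new StringEntity(payload.toString(), StandardCharsets.UTF_8));
        return request;
    }

    /** Parses the entity as a UTF-8 JSON object and then consumes whatever is left of it. */
    private static JsonObject readJson(HttpEntity entity) throws IOException {
        JsonObject parsed = Json.createReader(new InputStreamReader(entity.getContent(), StandardCharsets.UTF_8)).readObject();
        EntityUtils.consume(entity);
        return parsed;
    }

    /**
     * Calls {@code v1/detect/build} for the image and returns the response body.
     *
     * @throws IOException when the status is not 200 or the response has no entity
     */
    private JsonObject runBuildTimeDetection(String imageName) throws IOException {
        HttpPost request = newAuthorizedJsonPost("v1/detect/build", Json.createObjectBuilder().add("imageName", imageName).build());
        // The response is closed and the connection released on the error path as well.
        try (CloseableHttpResponse response = this.httpClient.execute(request)) {
            int statusCode = response.getStatusLine().getStatusCode();
            HttpEntity entity = response.getEntity();
            if (statusCode != 200 || entity == null) {
                throw new IOException(String.format("Failed build time detection request. Status code: %d. Error: %s", statusCode, entity == null ? "" : entity.toString()));
            }
            return readJson(entity);
        } finally {
            request.releaseConnection();
        }
    }

    /** Flattens the scan's {@code components[].vulns[]} into one list of {@link CVE}s. */
    private List<CVE> getImageScanResults(String imageName) throws IOException {
        List<CVE> cves = Lists.newArrayList();
        for (JsonObject component : runImageScan(imageName).getJsonArray("components").getValuesAs(JsonObject.class)) {
            String packageName = component.getString("name", NOT_AVAILABLE);
            String packageVersion = component.getString("version", NOT_AVAILABLE);
            for (JsonObject vuln : component.getJsonArray("vulns").getValuesAs(JsonObject.class)) {
                // A JSON null score is reported as 0.0.
                float cvss = vuln.isNull("cvss") ? 0.0f : (float) vuln.getJsonNumber("cvss").doubleValue();
                cves.add(CVE.Builder.newInstance()
                        .withId(vuln.getString("cve"))
                        .withCvssScore(cvss)
                        .withScoreType(vuln.getString("scoreVersion", NOT_AVAILABLE))
                        .withPublishDate(vuln.getString("publishedOn", NOT_AVAILABLE))
                        .withLink(vuln.getString("link", NOT_AVAILABLE))
                        .inPackage(packageName)
                        .inVersion(packageVersion)
                        .build());
            }
        }
        return cves;
    }

    /**
     * Calls {@code v1/images/scan} with {@code force=true} and returns the {@code scan}
     * member of the response.
     *
     * @throws IOException when the status is not 200 or the response has no entity
     */
    private JsonObject runImageScan(String imageName) throws IOException {
        HttpPost request = newAuthorizedJsonPost("v1/images/scan", Json.createObjectBuilder().add("imageName", imageName).add("force", true).build());
        // The response is closed and the connection released on the error path as well.
        try (CloseableHttpResponse response = this.httpClient.execute(request)) {
            int statusCode = response.getStatusLine().getStatusCode();
            HttpEntity entity = response.getEntity();
            if (statusCode != 200 || entity == null) {
                throw new IOException(String.format("Failed image scan request. Status code: %d. Error: %s", statusCode, String.valueOf(entity)));
            }
            return readJson(entity).getJsonObject("scan");
        } finally {
            request.releaseConnection();
        }
    }

    /**
     * Writes {@code cves.csv} and {@code policyViolations.csv} for each image that has
     * findings, in a per-image directory under the reports directory.
     *
     * <p>NOTE(review): the directory name is the image name with ':' replaced by '.', with
     * no other normalisation. If image names can come from a build-controlled file, a name
     * containing ".." segments or a leading separator could resolve outside the reports
     * directory - confirm the source of the names and validate there.
     *
     * <p>NOTE(review): cell values come from the portal response and are written as-is;
     * values starting with '=', '+', '-' or '@' are interpreted as formulas by spreadsheet
     * tools. Consider neutralising them if the portal content is not fully trusted.
     *
     * @throws AbortException when a report cannot be written
     */
    private void generateBuildReport() throws AbortException {
        this.runConfig.getLog().println("Generating report...");
        CSVFormat format = CSVFormat.EXCEL.withQuoteMode(QuoteMode.NON_NUMERIC);
        try {
            for (ImageCheckResults image : this.results) {
                FilePath imageDir = new FilePath(this.runConfig.getReportsDir(), CharMatcher.is(':').replaceFrom(image.getImageName(), '.'));
                imageDir.mkdirs();
                if (!image.getCves().isEmpty()) {
                    try (CSVPrinter csv = new CSVPrinter(new OutputStreamWriter(new FilePath(imageDir, "cves.csv").write(), StandardCharsets.UTF_8), format)) {
                        csv.printRecord("CVE ID", "CVSS Score", "Score Type", "Package Name", "Package Version", "Fixable", "Publish Date", "Link");
                        for (CVE cve : image.getCves()) {
                            csv.printRecord(cve.getId(), cve.getCvssScore(), cve.getScoreType(), cve.getPackageName(), cve.getPackageVersion(), cve.isFixable(), cve.getPublishDate(), cve.getLink());
                        }
                    }
                }
                if (!image.getViolatedPolicies().isEmpty()) {
                    try (CSVPrinter csv = new CSVPrinter(new OutputStreamWriter(new FilePath(imageDir, "policyViolations.csv").write(), StandardCharsets.UTF_8), format)) {
                        csv.printRecord("Policy Name", "Policy Description", "Severity", "Remediation");
                        for (ViolatedPolicy policy : image.getViolatedPolicies()) {
                            csv.printRecord(policy.getName(), policy.getDescription(), policy.getSeverity(), policy.getRemediation());
                        }
                    }
                }
            }
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the caller; this method can only raise AbortException.
            Thread.currentThread().interrupt();
            throw new AbortException(String.format("Failed to write image scan results. Error: %s", e.getMessage()));
        } catch (IOException e) {
            throw new AbortException(String.format("Failed to write image scan results. Error: %s", e.getMessage()));
        }
    }

    /** Tells whether any scanned image has at least one enforced policy violation. */
    private boolean enforcedPolicyViolationExists() {
        for (ImageCheckResults image : this.results) {
            if (!image.getViolatedPolicies().isEmpty()) {
                return true;
            }
        }
        return false;
    }

    /** Best-effort removal of the image list file and the plugin's working directory. */
    private void cleanupJenkinsWorkspace() {
        this.runConfig.getLog().println("Cleaning up the workspace ...");
        try {
            this.runConfig.getImagesToScanFilePath().delete();
            this.runConfig.getBaseWorkDir().deleteRecursive();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            this.runConfig.getLog().println("WARN: Failed to cleanup.");
        } catch (IOException e) {
            // Cleanup failure is reported but does not fail the build.
            this.runConfig.getLog().println("WARN: Failed to cleanup.");
        }
    }

    /**
     * Returns this step's descriptor as {@link DescriptorImpl}.
     *
     * <p>The decompiler renamed this method from {@code getDescriptor} when it merged the
     * bridge method; the name is kept as found.
     */
    public DescriptorImpl m262getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }
}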
