/**
* Construit, valide et publie (optionnellement) une image Docker sur le registre Cadoles (par défaut)
*
* Options disponibles:
*
* - dockerfile - String - Chemin vers le fichier Dockerfile à utiliser pour construire l'image, par défaut "./Dockerfile"
* - contextDir - String - Répertoire servant de "contexte" pour la construction de l'image, par défault "./"
* - imageName - String - Nom de l'image à construire, par défaut ""
* - imageTags - String - Tag(s) apposé(s) sur l'image après construction, par défaut tags générés par la méthode utils.getProjectVersionTags()
* - gitCredentialsId - String - Identifiant des "credentials" Jenkins utilisés pour cloner le dépôt Git, par défaut "forge-jenkins"
* - dockerRepository - String - Nom d'hôte du registre Docker sur lequel publier l'image, par défaut "reg.cadoles.com"
* - dockerRepositoryCredentialsId - String - Identifiant des "credentials" Jenkins utilisés pour déployer l'image sur le registre Docker, par défault "reg.cadoles.com-jenkins"
* - dryRun - Boolean - Désactiver/activer la publication de l'image sur le registre Docker, par défaut "true"
* - skipVerifications - Boolean - Désactiver/activer les étapes de vérifications de qualité/sécurité de l'image Docker, par défaut "false"
*/
String buildAndPublishImage(Map options = [:]) {
    String dockerfile = options.get('dockerfile', './Dockerfile')
    String contextDir = options.get('contextDir', '.')
    String imageName = options.get('imageName', '')
    String gitRef = sh(returnStdout: true, script: 'git describe --always').trim()

    List<String> defaultImageTags = utils.getProjectVersionTags() + [ "${utils.getProjectVersionDefaultChannel()}-latest" ]
    List<String> imageTags = options.get('imageTags', defaultImageTags)
    // Handle legacy imageTag parameter
    if (options.containsKey('imageTag')) {
        imageTags = [ options.get("imageTag", gitRef) ]
    }

    String gitCredentialsId = options.get('gitCredentialsId', 'forge-jenkins')
    String dockerRepository = options.get('dockerRepository', 'reg.cadoles.com')
    String dockerRepositoryCredentialsId = options.get('dockerRepositoryCredentialsId', 'reg.cadoles.com-jenkins')
    Boolean dryRun = options.get('dryRun', true)
    Boolean skipVerifications = options.get('skipVerification', false)

    String projectRepository = env.JOB_NAME
    if (env.BRANCH_NAME ==~ /^PR-.*$/) {
        projectRepository = env.JOB_NAME - "/${env.JOB_BASE_NAME}"
    }
    projectRepository = options.get('projectRepository', projectRepository)

    withCredentials([
        usernamePassword([
            credentialsId: dockerRepositoryCredentialsId,
            usernameVariable: 'HUB_USERNAME',
            passwordVariable: 'HUB_PASSWORD'
        ]),
    ]) {
        stage('Validate Dockerfile with Hadolint') {
            utils.when(!skipVerifications) {
                runHadolintCheck(dockerfile, projectRepository)
            }
        }

        String primaryImageTag = imageTags[0]

        stage("Build image '${imageName}:${primaryImageTag}'") {
            git.withHTTPCredentials(gitCredentialsId) {
                sh """
                docker build \
                    --build-arg="GIT_USERNAME=${env.GIT_USERNAME}" \
                    --build-arg="GIT_PASSWORD=${env.GIT_PASSWORD}" \
                    -t '${imageName}:${primaryImageTag}' \
                    -f '${dockerfile}' \
                    '${contextDir}'
                """
            }
        }

        stage('Validate image with Trivy') {
            utils.when(!skipVerifications) {
                runTrivyCheck("${imageName}:${primaryImageTag}", projectRepository)
            }
        }

       stage("Login with image repository") {
            utils.when(!dryRun) {
                sh """
                echo ${env.HUB_PASSWORD} | docker login -u '${env.HUB_USERNAME}' --password-stdin '${dockerRepository}'
                """
            }
       }

        imageTags.each { imageTag ->
            stage("Publish image '${imageName}:${imageTag}'") {
                utils.when(!dryRun) {
                    sh """
                    docker tag "${imageName}:${primaryImageTag}" "${imageName}:${imageTag}"
                    """
                    retry(2) {
                        sh """
                        docker push '${imageName}:${imageTag}'
                        """
                    }
                }
            }
        }    

    }
}

void runHadolintCheck(String dockerfile, String projectRepository) {
    String reportFile = ".hadolint-report-${currentBuild.startTimeInMillis}.txt"

    try {
        validateDockerfileWithHadolint(dockerfile, ['reportFile': reportFile])
    } catch (err) {
        unstable("Dockerfile '${dockerfile}' failed linting !")
    } finally {
        String lintReport = ''

        if (fileExists(reportFile)) {
            String report = readFile(reportFile)

            lintReport = """${lintReport}
            |
            |```
            |${report.trim() ? report : "Rien à signaler."}
            |```"""
        } else {
            lintReport = """${lintReport}
            |
            |_Vérification échouée mais aucun rapport trouvé !?_ :thinking:"""
        }

        String defaultReport = '_Rien à signaler !_ :thumbsup:'
        String report = """## Rapport d'analyse du fichier `${dockerfile}` avec [Hadolint](https://github.com/hadolint/hadolint)
        |
        |${lintReport ?: defaultReport}
        """.stripMargin()

        print report

        if (env.CHANGE_ID) {
            gitea.commentPullRequest(projectRepository, env.CHANGE_ID, report)
        }
    }
}

String validateDockerfileWithHadolint(String dockerfile, Map options = [:]) {
    String hadolintBin = getOrInstallHadolint(options)
    String hadolintArgs = options.get('hadolintArgs', '--no-color')
    String reportFile = options.get('reportFile', ".hadolint-report-${currentBuild.startTimeInMillis}.txt")

    sh("""#!/bin/bash
    set -eo pipefail
    '${hadolintBin}' '${dockerfile}' ${hadolintArgs} | tee '${reportFile}'
    """)

    return reportFile
}

void runTrivyCheck(String imageName, String projectRepository, Map options = [:]) {
    String reportFile = ".trivy-report-${currentBuild.startTimeInMillis}.txt"

    try {
        validateImageWithTrivy(imageName, ['reportFile': reportFile])
    } catch (err) {
        unstable("Image '${imageName}' failed validation !")
    } finally {
        String lintReport = ''

        if (fileExists(reportFile)) {
            lintReport = """${lintReport}
            |
            |${readFile(reportFile)}
            |"""
        } else {
            lintReport = """${lintReport}
            |
            |_Vérification échouée mais aucun rapport trouvé !?_ :thinking:"""
        }

        String defaultReport = '_Rien à signaler !_ :thumbsup:'
        String report = """## Rapport d'analyse de l'image avec [Trivy](https://github.com/aquasecurity/trivy)
        |
        |${lintReport ?: defaultReport}
        """.stripMargin()

        print report

        if (env.CHANGE_ID) {
            gitea.commentPullRequest(projectRepository, env.CHANGE_ID, report)
        }
    }
}

String validateImageWithTrivy(String imageName, Map options = [:]) {
    String trivyBin = getOrInstallTrivy(options)
    String trivyArgs = options.get('trivyArgs', '--exit-code 1')
    String cacheDirectory = options.get('cacheDirectory', '.trivy/.cache')
    String cacheDefaultBranch = options.get('cacheDefaultBranch', 'develop')
    Integer cacheMaxSize = options.get('cacheMaxSize', 250)
    String reportFile = options.get('reportFile', ".trivy-report-${currentBuild.startTimeInMillis}.txt")
    
    String markdownTemplate = libraryResource 'com/cadoles/trivy/templates/markdown.tpl'
    writeFile file:'.trivy-markdown.tpl', text: markdownTemplate
    
    cache(maxCacheSize: cacheMaxSize, defaultBranch: cacheDefaultBranch, caches: [
        [$class: 'ArbitraryFileCache', path: cacheDirectory, compressionMethod: 'TARGZ']
    ]) {
        sh("'${trivyBin}' --cache-dir '${cacheDirectory}' image --ignorefile .trivyignore.yaml --format template --template '@.trivy-markdown.tpl' -o '${reportFile}' ${trivyArgs} '${imageName}'")
    }

    return reportFile
}

String getOrInstallHadolint(Map options = [:]) {
    String installDir = options.get('installDir', '/usr/local/bin')
    String version = options.get('version', '2.12.0')
    String forceDownload = options.get('forceDownload', false)
    String downloadUrl = options.get('downloadUrl', "https://github.com/hadolint/hadolint/releases/download/v${version}/hadolint-Linux-x86_64")

    String hadolintBin = sh(returnStdout: true, script: 'which hadolint || exit 0').trim()
    if (hadolintBin == '' || forceDownload) {
        sh("""
        mkdir -p '${installDir}'
        curl -o '${installDir}/hadolint' -sSL '${downloadUrl}'
        chmod +x '${installDir}/hadolint'
        """)

        hadolintBin = "${installDir}/hadolint"
    }

    return hadolintBin
}

String getOrInstallTrivy(Map options = [:]) {
    String installDir = options.get('installDir', '/usr/local/bin')
    String version = options.get('version', '0.47.0')
    String forceDownload = options.get('forceDownload', false)
    String installScriptDownloadUrl = options.get('downloadUrl', 'https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh')

    String trivyBin = sh(returnStdout: true, script: 'which trivy || exit 0').trim()
    if (trivyBin == '' || forceDownload) {
        sh("""
        mkdir -p '${installDir}'
        curl -sfL '${installScriptDownloadUrl}'  | sh -s -- -b '${installDir}' v${version}
        chmod +x '${installDir}/trivy'
        """)

        trivyBin = "${installDir}/trivy"
    }

    return trivyBin
}