parameters:
  enable: 'false'                                             # Whether the SDL validation job should execute or not
  overrideParameters: ''                                       # Optional: to override values for parameters.
  additionalParameters: ''                                     # Optional: parameters that need user specific values eg: '-SourceToolsList @("abc","def") -ArtifactToolsList @("ghi","jkl")'
  # Optional: if specified, restore and use this version of Guardian instead of the default.
  overrideGuardianVersion: ''
  # Optional: if true, publish the '.gdn' folder as a pipeline artifact. This can help with in-depth
  # diagnosis of problems with specific tool configurations.
  publishGuardianDirectoryToPipeline: false
  # The script to run to execute all SDL tools. Use this if you want to use a script to define SDL
  # parameters rather than relying on YAML. It may be better to use a local script, because you can
  # reproduce results locally without piecing together a command based on the YAML.
  executeAllSdlToolsScript: 'eng/common/sdl/execute-all-sdl-tools.ps1'
  # There is some sort of bug (has been reported) in Azure DevOps where if this parameter is named
  # 'continueOnError', the parameter value is not correctly picked up.
  # This can also be remedied by the caller (post-build.yml) if it does not use a nested parameter
  sdlContinueOnError: false                                    # optional: determines whether to continue the build if the step errors;
  # optional: determines if build artifacts should be downloaded.
  downloadArtifacts: true
  # optional: determines if this job should search the directory of downloaded artifacts for
  # 'tar.gz' and 'zip' archive files and extract them before running SDL validation tasks.
  extractArchiveArtifacts: false
  dependsOn: ''                                                # Optional: dependencies of the job
  artifactNames: ''                                            # Optional: patterns supplied to DownloadBuildArtifacts
                                                               # Usage:
                                                               #  artifactNames:
                                                               #    - 'BlobArtifacts'
                                                               #    - 'Artifacts_Windows_NT_Release'
  # Optional: download a list of pipeline artifacts. 'downloadArtifacts' controls build artifacts,
  # not pipeline artifacts, so doesn't affect the use of this parameter.
  pipelineArtifactNames: []
  # Optional: location and ID of the AzDO build that the build/pipeline artifacts should be
  # downloaded from. By default, uses runtime expressions to decide based on the variables set by
  # the 'setupMaestroVars' dependency. Overriding this parameter is necessary if SDL tasks are
  # running without Maestro++/BAR involved, or to download artifacts from a specific existing build
  # to iterate quickly on SDL changes.
  AzDOProjectName: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOProjectName'] ]
  AzDOPipelineId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOPipelineId'] ]
  AzDOBuildId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOBuildId'] ]

jobs:
- job: Run_SDL
  dependsOn: ${{ parameters.dependsOn }}
  displayName: Run SDL tool
  condition: eq( ${{ parameters.enable }}, 'true')
  variables:
    - group: DotNet-VSTS-Bot
    - name: AzDOProjectName
      value: ${{ parameters.AzDOProjectName }}
    - name: AzDOPipelineId
      value: ${{ parameters.AzDOPipelineId }}
    - name: AzDOBuildId
      value: ${{ parameters.AzDOBuildId }}
    # The Guardian version specified in 'eng/common/sdl/packages.config'. This value must be kept in
    # sync with the packages.config file.
    - name: DefaultGuardianVersion
      value: 0.53.3
    - name: GuardianVersion
      value: ${{ coalesce(parameters.overrideGuardianVersion, '$(DefaultGuardianVersion)') }}
    - name: GuardianPackagesConfigFile
      value: $(Build.SourcesDirectory)\eng\common\sdl\packages.config
  pool:
    # To extract archives (.tar.gz, .zip), we need access to "tar", added in Windows 10/2019.
    ${{ if eq(parameters.extractArchiveArtifacts, 'false') }}:
      name: Hosted VS2017
    ${{ if ne(parameters.extractArchiveArtifacts, 'false') }}:
      vmImage: windows-2019
  steps:
  - checkout: self
    clean: true

  - ${{ if ne(parameters.downloadArtifacts, 'false')}}:
    - ${{ if ne(parameters.artifactNames, '') }}:
      - ${{ each artifactName in parameters.artifactNames }}:
        - task: DownloadBuildArtifacts@0
          displayName: Download Build Artifacts
          inputs:
            buildType: specific
            buildVersionToDownload: specific
            project: $(AzDOProjectName)
            pipeline: $(AzDOPipelineId)
            buildId: $(AzDOBuildId)
            artifactName: ${{ artifactName }}
            downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
            checkDownloadedFiles: true
    - ${{ if eq(parameters.artifactNames, '') }}:
      - task: DownloadBuildArtifacts@0
        displayName: Download Build Artifacts
        inputs:
          buildType: specific
          buildVersionToDownload: specific
          project: $(AzDOProjectName)
          pipeline: $(AzDOPipelineId)
          buildId: $(AzDOBuildId)
          downloadType: specific files
          itemPattern: "**"
          downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
          checkDownloadedFiles: true

  - ${{ each artifactName in parameters.pipelineArtifactNames }}:
    - task: DownloadPipelineArtifact@2
      displayName: Download Pipeline Artifacts
      inputs:
        buildType: specific
        buildVersionToDownload: specific
        project: $(AzDOProjectName)
        pipeline: $(AzDOPipelineId)
        buildId: $(AzDOBuildId)
        artifactName: ${{ artifactName }}
        downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
        checkDownloadedFiles: true

  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
    displayName: Extract Blob Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
    displayName: Extract Package Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  - ${{ if ne(parameters.extractArchiveArtifacts, 'false') }}:
    - powershell: eng/common/sdl/extract-artifact-archives.ps1
        -InputPath $(Build.ArtifactStagingDirectory)\artifacts
        -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts
      displayName: Extract Archive Artifacts
      continueOnError: ${{ parameters.sdlContinueOnError }}
  
  - ${{ if ne(parameters.overrideGuardianVersion, '') }}:
    - powershell: |
        $content = Get-Content $(GuardianPackagesConfigFile)

        Write-Host "packages.config content was:`n$content"

        $content = $content.Replace('$(DefaultGuardianVersion)', '$(GuardianVersion)')
        $content | Set-Content $(GuardianPackagesConfigFile)

        Write-Host "packages.config content updated to:`n$content"
      displayName: Use overridden Guardian version ${{ parameters.overrideGuardianVersion }}

  - task: NuGetToolInstaller@1
    displayName: 'Install NuGet.exe'
  - task: NuGetCommand@2
    displayName: 'Install Guardian'
    inputs:
      restoreSolution: $(Build.SourcesDirectory)\eng\common\sdl\packages.config
      feedsToUse: config
      nugetConfigPath: $(Build.SourcesDirectory)\eng\common\sdl\NuGet.config
      externalFeedCredentials: GuardianConnect
      restoreDirectory: $(Build.SourcesDirectory)\.packages

  - ${{ if ne(parameters.overrideParameters, '') }}:
    - powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
      displayName: Execute SDL
      continueOnError: ${{ parameters.sdlContinueOnError }}
  - ${{ if eq(parameters.overrideParameters, '') }}:
    - powershell: ${{ parameters.executeAllSdlToolsScript }}
        -GuardianPackageName Microsoft.Guardian.Cli.$(GuardianVersion)
        -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
        -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
        ${{ parameters.additionalParameters }}
      displayName: Execute SDL
      continueOnError: ${{ parameters.sdlContinueOnError }}

  - ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
    # We want to publish the Guardian results and configuration for easy diagnosis. However, the
    # '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
    # tooling files. Some of these files are large and aren't useful during an investigation, so
    # exclude them by simply deleting them before publishing. (As of writing, there is no documented
    # way to selectively exclude a dir from the pipeline artifact publish task.)
    - task: DeleteFiles@1
      displayName: Delete Guardian dependencies to avoid uploading
      inputs:
        SourceFolder: $(Agent.BuildDirectory)/.gdn
        Contents: |
          c
          i
      condition: succeededOrFailed()
    - publish: $(Agent.BuildDirectory)/.gdn
      artifact: GuardianConfiguration
      displayName: Publish GuardianConfiguration
      condition: succeededOrFailed()