package org.graylog.plugins.threatintel.functions.global;

import com.google.common.eventbus.EventBus;
import com.google.common.eventbus.Subscribe;
import jakarta.inject.Inject;
import java.util.Map;
import org.graylog.plugins.pipelineprocessor.EvaluationContext;
import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor;
import org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor;
import org.graylog.plugins.threatintel.ThreatIntelPluginConfiguration;
import org.graylog.plugins.threatintel.functions.GenericLookupResult;
import org.graylog.plugins.threatintel.functions.IPFunctions;
import org.graylog.plugins.threatintel.functions.abusech.AbuseChRansomIpLookupFunction;
import org.graylog.plugins.threatintel.functions.misc.LookupTableFunction;
import org.graylog.plugins.threatintel.functions.otx.OTXIPLookupFunction;
import org.graylog.plugins.threatintel.functions.spamhaus.SpamhausIpLookupFunction;
import org.graylog.plugins.threatintel.functions.tor.TorExitNodeLookupFunction;
import org.graylog2.cluster.ClusterConfigChangedEvent;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/plugins/threatintel/functions/global/GlobalIpLookupFunction.class */
public class GlobalIpLookupFunction extends AbstractGlobalLookupFunction {
    private static final Logger LOG = LoggerFactory.getLogger(GlobalIpLookupFunction.class);
    public static final String NAME = "threat_intel_lookup_ip";
    private static final String VALUE = "ip_address";
    private static final String PREFIX = "prefix";
    private final ParameterDescriptor<String, String> valueParam;
    private final ParameterDescriptor<String, String> prefixParam;
    private Map<String, LookupTableFunction<? extends GenericLookupResult>> ipFunctions;

    @Inject
    public GlobalIpLookupFunction(@IPFunctions Map<String, LookupTableFunction<? extends GenericLookupResult>> map, ClusterConfigService clusterConfigService, EventBus eventBus) {
        super(clusterConfigService, eventBus);
        this.valueParam = ParameterDescriptor.string(VALUE).description("The IPv4 or IPv6 address to look up.").build();
        this.prefixParam = ParameterDescriptor.string(PREFIX).description("A prefix for results. For example \"src_addr\" will result in fields called \"src_addr_threat_indicated\".").build();
        this.ipFunctions = map;
    }

    @Override // org.graylog.plugins.pipelineprocessor.ast.functions.Function
    public GlobalLookupResult evaluate(FunctionArgs functionArgs, EvaluationContext evaluationContext) {
        String required = this.valueParam.required(functionArgs, evaluationContext);
        String required2 = this.prefixParam.required(functionArgs, evaluationContext);
        if (required == null) {
            LOG.error("NULL value parameter passed to global IP lookup.");
            return null;
        }
        if (required2 == null) {
            LOG.error("NULL prefix parameter passed to global IP lookup.");
            return null;
        }
        LOG.debug("Running global lookup for IP [{}] with prefix [{}].", required, required2);
        return matchEntityAgainstFunctions(this.ipFunctions, functionArgs, evaluationContext, required2);
    }

    @Override // org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction
    boolean isEnabled(LookupTableFunction<? extends GenericLookupResult> lookupTableFunction) {
        ThreatIntelPluginConfiguration threatIntelPluginConfiguration = threatIntelPluginConfiguration();
        if (lookupTableFunction.getClass().equals(TorExitNodeLookupFunction.class)) {
            return threatIntelPluginConfiguration.torEnabled();
        }
        if (lookupTableFunction.getClass().equals(SpamhausIpLookupFunction.class)) {
            return threatIntelPluginConfiguration.spamhausEnabled();
        }
        if (lookupTableFunction.getClass().equals(AbuseChRansomIpLookupFunction.class)) {
            return threatIntelPluginConfiguration.abusechRansomEnabled();
        }
        if (lookupTableFunction.getClass().equals(OTXIPLookupFunction.class)) {
            return threatIntelPluginConfiguration.otxEnabled();
        }
        return true;
    }

    @Override // org.graylog.plugins.pipelineprocessor.ast.functions.Function
    public FunctionDescriptor<GlobalLookupResult> descriptor() {
        return FunctionDescriptor.builder().name(NAME).description("Match an IP address against all enabled threat intel sources. (except OTX)").params(this.valueParam, this.prefixParam).returnType(GlobalLookupResult.class).build();
    }

    @Override // org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction
    @Subscribe
    public /* bridge */ /* synthetic */ void handleUpdatedClusterConfig(ClusterConfigChangedEvent clusterConfigChangedEvent) {
        super.handleUpdatedClusterConfig(clusterConfigChangedEvent);
    }
}
