package org.graylog.plugins.threatintel.adapters.otx;

import com.codahale.metrics.Meter;
import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.Timer;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.google.auto.value.AutoValue;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Multimap;
import com.google.inject.assistedinject.Assisted;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotEmpty;
import okhttp3.Headers;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.apache.commons.validator.routines.InetAddressValidator;
import org.graylog.plugins.threatintel.adapters.otx.C$AutoValue_OTXDataAdapter_Config;
import org.graylog.schema.HttpFields;
import org.graylog.security.authservice.ldap.LDAPConnectorConfig;
import org.graylog2.lookup.adapters.dnslookup.PtrDnsAnswer;
import org.graylog2.plugin.lookup.LookupCachePurge;
import org.graylog2.plugin.lookup.LookupDataAdapter;
import org.graylog2.plugin.lookup.LookupDataAdapterConfiguration;
import org.graylog2.plugin.lookup.LookupResult;
import org.graylog2.rest.MoreMediaTypes;
import org.joda.time.Duration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/plugins/threatintel/adapters/otx/OTXDataAdapter.class */
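/**
 * Lookup data adapter that queries the AlienVault OTX indicator API over HTTP.
 *
 * <p>For every lookup key the adapter requests
 * {@code /api/v1/indicators/<indicator>/<key>/general} on the configured API host and returns
 * the {@code pulse_info.count} value as the single value and the whole JSON document as the
 * multi value.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Lookup keys are forwarded to a third-party service. Loopback, site-local and wildcard
 *       IP addresses are filtered out for the IP indicators; other indicator types are sent
 *       unchanged.</li>
 *   <li>The optional API key travels in the {@code X-OTX-API-KEY} request header, so the API URL
 *       should use HTTPS whenever a key is configured.</li>
 *   <li>The response body comes from a remote server and is treated as untrusted input.</li>
 * </ul>
 */
public class OTXDataAdapter extends LookupDataAdapter {
    public static final String NAME = "otx-api";
    private static final String OTX_SECTION = "general";
    private final Config config;
    private final OkHttpClient httpClient;
    private final Timer httpRequestTimer;
    private final Meter httpRequestErrors;
    // Both fields are assigned in doStart(), not in the constructor.
    private Headers httpHeaders;
    private HttpUrl parsedApiUrl;
    private static final Logger LOG = LoggerFactory.getLogger(OTXDataAdapter.class);
    private static final InetAddressValidator INET_ADDRESS_VALIDATOR = InetAddressValidator.getInstance();
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    private static final TypeReference<Map<Object, Object>> MAP_TYPE_REFERENCE =
            new TypeReference<Map<Object, Object>>() {
            };
    private static final String OTX_INDICATOR_IPV4 = "IPv4";
    private static final String OTX_INDICATOR_IPV6 = "IPv6";
    private static final ImmutableSet<String> OTX_IP_INDICATORS = ImmutableSet.of(OTX_INDICATOR_IPV4, OTX_INDICATOR_IPV6);
    private static final String OTX_INDICATOR_IP_AUTO_DETECT = "IPAutoDetect";
    // NOTE(review): PtrDnsAnswer.FIELD_DOMAIN and LDAPConnectorConfig.LDAPServer.FIELD_HOSTNAME
    // belong to unrelated classes; this looks like a decompiler constant-resolution artifact.
    // Confirm that they resolve to the intended OTX indicator names before relying on them.
    private static final ImmutableSet<String> OTX_INDICATORS = ImmutableSet.<String>builder()
            .add(OTX_INDICATOR_IP_AUTO_DETECT)
            .add(OTX_INDICATOR_IPV4)
            .add(OTX_INDICATOR_IPV6)
            .add(PtrDnsAnswer.FIELD_DOMAIN)
            .add(LDAPConnectorConfig.LDAPServer.FIELD_HOSTNAME)
            .add("file")
            .add("url")
            .add("cve")
            .add("nids")
            .add("correlation-rule")
            .build();

    /**
     * Immutable configuration of the adapter, (de)serialized with Jackson.
     *
     * <p>The three HTTP timeouts are applied in milliseconds by the adapter constructor.
     * {@code api_key} is the only optional property; it is a secret and should not be written
     * to logs or error messages.
     */
    @JsonDeserialize(builder = Builder.class)
    @JsonAutoDetect
    @JsonInclude(JsonInclude.Include.NON_EMPTY)
    @AutoValue
    @JsonTypeName(OTXDataAdapter.NAME)
    public static abstract class Config implements LookupDataAdapterConfiguration {

        /** AutoValue builder that doubles as the Jackson deserialization entry point. */
        @AutoValue.Builder
        public static abstract class Builder {
            /**
             * Creates a builder pre-populated with the default timeouts (10 s connect, 10 s write,
             * 60 s read) so that JSON documents lacking these properties still deserialize.
             *
             * @return a builder with default HTTP timeouts
             */
            @JsonCreator
            public static Builder create() {
                return Config.builder()
                        .httpConnectTimeout(10000L)
                        .httpWriteTimeout(10000L)
                        .httpReadTimeout(60000L);
            }

            @JsonProperty("type")
            public abstract Builder type(String type);

            @JsonProperty("indicator")
            public abstract Builder indicator(String indicator);

            @JsonProperty("api_key")
            public abstract Builder apiKey(String apiKey);

            @JsonProperty("api_url")
            public abstract Builder apiUrl(String apiUrl);

            @JsonProperty(HttpFields.HTTP_USER_AGENT)
            public abstract Builder httpUserAgent(String httpUserAgent);

            @JsonProperty("http_connect_timeout")
            public abstract Builder httpConnectTimeout(long timeoutMillis);

            @JsonProperty("http_write_timeout")
            public abstract Builder httpWriteTimeout(long timeoutMillis);

            @JsonProperty("http_read_timeout")
            public abstract Builder httpReadTimeout(long timeoutMillis);

            public abstract Config build();
        }

        /** OTX indicator type to query; must be one of the values accepted by {@link #validate()}. */
        @JsonProperty("indicator")
        @NotEmpty
        public abstract String indicator();

        /** Optional OTX API key; sent as the {@code X-OTX-API-KEY} header when present. */
        @JsonProperty("api_key")
        @Nullable
        public abstract String apiKey();

        /** Base URL of the OTX API; only its scheme, host and port are used for requests. */
        @JsonProperty("api_url")
        @NotEmpty
        public abstract String apiUrl();

        /** Value of the {@code User-Agent} request header. */
        @JsonProperty(HttpFields.HTTP_USER_AGENT)
        @NotEmpty
        public abstract String httpUserAgent();

        @JsonProperty("http_connect_timeout")
        @Min(1)
        public abstract long httpConnectTimeout();

        @JsonProperty("http_write_timeout")
        @Min(1)
        public abstract long httpWriteTimeout();

        @JsonProperty("http_read_timeout")
        @Min(1)
        public abstract long httpReadTimeout();

        public static Builder builder() {
            return new C$AutoValue_OTXDataAdapter_Config.Builder();
        }

        public abstract Builder toBuilder();

        /**
         * Checks the indicator name, the API URL syntax and the three timeouts.
         *
         * <p>NOTE(review): a plain {@code http://} URL passes this check; the adapter only warns
         * about it at start-up when an API key is configured.
         *
         * @return the validation errors keyed by JSON property name, or an empty Optional when
         *     the configuration is valid
         */
        @Override
        public Optional<Multimap<String, String>> validate() {
            final Multimap<String, String> errors = ArrayListMultimap.create();
            if (!OTXDataAdapter.OTX_INDICATORS.contains(indicator())) {
                errors.put("indicator", "Invalid value - allowed: " + String.join(", ", OTXDataAdapter.OTX_INDICATORS));
            }
            if (HttpUrl.parse(apiUrl()) == null) {
                errors.put("api_url", "Invalid URL");
            }
            requirePositive(errors, "http_connect_timeout", httpConnectTimeout());
            requirePositive(errors, "http_write_timeout", httpWriteTimeout());
            requirePositive(errors, "http_read_timeout", httpReadTimeout());
            return errors.isEmpty() ? Optional.empty() : Optional.of(errors);
        }

        /** Records a validation error for {@code field} when {@code value} is smaller than 1. */
        private static void requirePositive(Multimap<String, String> errors, String field, long value) {
            if (value < 1) {
                errors.put(field, "Value cannot be smaller than 1");
            }
        }
    }

    /** Describes the adapter type and supplies the configuration used for new instances. */
    public static class Descriptor extends LookupDataAdapter.Descriptor<Config> {
        public Descriptor() {
            super(OTXDataAdapter.NAME, Config.class);
        }

        /**
         * Returns the defaults: IP auto-detection against {@code https://otx.alienvault.com}
         * without an API key.
         */
        @Override
        public Config defaultConfiguration() {
            return Config.builder()
                    .type(OTXDataAdapter.NAME)
                    .indicator(OTXDataAdapter.OTX_INDICATOR_IP_AUTO_DETECT)
                    .apiUrl("https://otx.alienvault.com")
                    .httpUserAgent("Graylog Threat Intelligence Plugin - https://github.com/Graylog2/graylog-plugin-threatintel")
                    .httpConnectTimeout(10000L)
                    .httpWriteTimeout(10000L)
                    .httpReadTimeout(60000L)
                    .build();
        }
    }

    /** Assisted-injection factory for this adapter. */
    public interface Factory extends LookupDataAdapter.Factory<OTXDataAdapter> {
        @Override
        OTXDataAdapter create(@Assisted("id") String id, @Assisted("name") String name, LookupDataAdapterConfiguration configuration);

        @Override
        Descriptor getDescriptor();
    }

    /**
     * Creates the adapter and derives a dedicated HTTP client from the shared one, applying the
     * configured connect, write and read timeouts (milliseconds).
     *
     * @param id adapter id, passed to the superclass
     * @param name adapter name, passed to the superclass
     * @param configuration adapter configuration; must be a {@link Config}
     * @param okHttpClient shared client used as the template for the adapter's own client
     * @param metricRegistry registry for the request timer and the error meter
     */
    @Inject
    protected OTXDataAdapter(@Assisted("id") String id,
                             @Assisted("name") String name,
                             @Assisted LookupDataAdapterConfiguration configuration,
                             OkHttpClient okHttpClient,
                             MetricRegistry metricRegistry) {
        super(id, name, configuration, metricRegistry);
        this.config = (Config) configuration;
        this.httpClient = okHttpClient.newBuilder()
                .connectTimeout(this.config.httpConnectTimeout(), TimeUnit.MILLISECONDS)
                .writeTimeout(this.config.httpWriteTimeout(), TimeUnit.MILLISECONDS)
                .readTimeout(this.config.httpReadTimeout(), TimeUnit.MILLISECONDS)
                .build();
        this.httpRequestTimer = metricRegistry.timer(MetricRegistry.name(getClass(), "httpRequestTime"));
        this.httpRequestErrors = metricRegistry.meter(MetricRegistry.name(getClass(), "httpRequestErrors"));
    }

    /**
     * Validates the configuration and prepares the request headers and the parsed API URL.
     *
     * @throws IllegalArgumentException if the indicator, user agent or API URL is missing or
     *     invalid
     */
    @Override
    protected void doStart() throws Exception {
        final Headers.Builder headers = new Headers.Builder();
        final String apiKey = this.config.apiKey();
        final boolean hasApiKey = !Strings.isNullOrEmpty(apiKey);
        if (hasApiKey) {
            headers.add("X-OTX-API-KEY", apiKey);
        } else {
            LOG.warn("OTX API key is missing. Make sure to add the key to allow higher request limits.");
        }
        if (Strings.isNullOrEmpty(this.config.indicator())) {
            throw new IllegalArgumentException("OTX indicator is missing");
        }
        if (!OTX_INDICATORS.contains(this.config.indicator())) {
            throw new IllegalArgumentException("Invalid OTX indicator value - allowed: " + String.join(", ", OTX_INDICATORS));
        }
        if (Strings.isNullOrEmpty(this.config.httpUserAgent())) {
            throw new IllegalArgumentException("HTTP user-agent is missing");
        }
        if (Strings.isNullOrEmpty(this.config.apiUrl())) {
            throw new IllegalArgumentException("OTX API URL is missing");
        }
        final HttpUrl apiUrl = HttpUrl.parse(this.config.apiUrl());
        if (apiUrl == null) {
            throw new IllegalArgumentException("OTX API URL is not valid");
        }
        // The API key is a bearer-style secret carried in a request header. Over plain HTTP it is
        // readable by anyone on the network path, so make that configuration visible. This only
        // warns so that existing configurations keep working. The URL itself is not logged.
        if (hasApiKey && !"https".equals(apiUrl.scheme())) {
            LOG.warn("OTX API URL does not use HTTPS. The configured API key will be sent unencrypted.");
        }
        this.parsedApiUrl = apiUrl;
        this.httpHeaders = headers
                .add("User-Agent", this.config.httpUserAgent())
                .add("Accept", MoreMediaTypes.APPLICATION_JSON)
                .build();
    }

    /** No resources to release. */
    @Override
    protected void doStop() throws Exception {
    }

    /** Returns {@link Duration#ZERO}; {@link #doRefresh(LookupCachePurge)} is a no-op. */
    @Override
    public Duration refreshInterval() {
        return Duration.ZERO;
    }

    /** No-op: every lookup is answered by a live API request. */
    @Override
    protected void doRefresh(LookupCachePurge lookupCachePurge) throws Exception {
    }

    /**
     * Looks up {@code obj} in OTX.
     *
     * @param obj lookup key; converted with {@link String#valueOf(Object)}
     * @return the parsed OTX result; an empty result when the IP type cannot be detected, the key
     *     is a private IP address, or the request fails with an I/O error; an error result when
     *     OTX answers with a non-successful status
     */
    @Override
    protected LookupResult doGet(Object obj) {
        // NOTE(review): the key presumably originates from processed log data and is written to
        // the log below; confirm that the log layout neutralizes line breaks in it.
        final String key = String.valueOf(obj);
        String indicator = this.config.indicator();
        if (OTX_INDICATOR_IP_AUTO_DETECT.equals(indicator)) {
            final Optional<String> detected = detectIpType(key);
            if (!detected.isPresent()) {
                LOG.warn("Unable to auto-detect IP address type for key <{}>", key);
                return LookupResult.empty();
            }
            indicator = detected.get();
        }
        if (OTX_IP_INDICATORS.contains(indicator) && isPrivateIPAddress(key)) {
            LOG.debug("OTX API does not accept private IP address <{}>. Skipping lookup to avoid OTX API request.", key);
            return LookupResult.empty();
        }

        // Only scheme, host and port of the configured URL are reused, so a key cannot redirect
        // the request to another host. addPathSegment() percent-encodes the key.
        // NOTE(review): OkHttp appears to resolve "." and ".." path segments while building the
        // URL, so such a key would change the request path instead of being looked up literally.
        // Confirm and consider rejecting these keys for the non-IP indicators.
        final HttpUrl url = new HttpUrl.Builder()
                .scheme(this.parsedApiUrl.scheme())
                .host(this.parsedApiUrl.host())
                .port(this.parsedApiUrl.port())
                .addPathSegments("/api/v1/indicators")
                .addPathSegment(indicator)
                .addPathSegment(key)
                .addPathSegment(OTX_SECTION)
                .build();
        final Request request = new Request.Builder()
                .get()
                .url(url)
                .headers(this.httpHeaders)
                .build();

        final Timer.Context timer = this.httpRequestTimer.time();
        try (Response response = this.httpClient.newCall(request).execute()) {
            if (response.isSuccessful()) {
                return parseResponse(response.body());
            }
            // Response.toString() is logged here; the request headers are held separately in
            // httpHeaders and are not passed to the logger.
            LOG.warn("OTX {} request for key <{}> failed: {}", indicator, key, response);
            this.httpRequestErrors.mark();
            return LookupResult.withError(
                    String.format(Locale.ENGLISH, "OTX %s request for key <%s> failed: %s", indicator, key, response.code()));
        } catch (IOException e) {
            LOG.error("OTX {} request error for key <{}>", indicator, key, e);
            this.httpRequestErrors.mark();
            return LookupResult.empty();
        } finally {
            timer.stop();
        }
    }

    /**
     * Converts an OTX response body into a lookup result.
     *
     * <p>The body is remote, untrusted input. Anything that is not a JSON object (empty body,
     * array, scalar, {@code null}) yields an empty result instead of an unchecked exception from
     * the map conversion.
     *
     * @param responseBody HTTP response body, may be {@code null}
     * @return a result without TTL holding {@code pulse_info.count} (0 when absent) as single value
     *     and the whole document as multi value, or an empty result when the body is missing or
     *     cannot be parsed
     */
    @VisibleForTesting
    LookupResult parseResponse(@Nullable ResponseBody responseBody) {
        if (responseBody == null) {
            return LookupResult.empty();
        }
        try {
            // NOTE(review): string() buffers the complete body in memory and no size limit is
            // applied here; consider capping the accepted response size.
            final JsonNode root = OBJECT_MAPPER.readTree(responseBody.string());
            if (root == null || !root.isObject()) {
                LOG.warn("Couldn't parse OTX response as JSON object");
                return LookupResult.empty();
            }
            final long pulseCount = root.path("pulse_info").path("count").asLong(0L);
            final Map<Object, Object> document = OBJECT_MAPPER.convertValue(root, MAP_TYPE_REFERENCE);
            return LookupResult.withoutTTL()
                    .single(Long.valueOf(pulseCount))
                    .multiValue(document)
                    .build();
        } catch (IOException e) {
            LOG.warn("Couldn't parse OTX response as JSON", e);
            return LookupResult.empty();
        }
    }

    /**
     * Tells whether {@code str} is a site-local, loopback or wildcard IP address literal.
     *
     * <p>Only IP literals are inspected. {@link InetAddress#getByName(String)} resolves host names
     * through DNS, and the key is not validated when the indicator is configured as
     * {@code IPv4}/{@code IPv6} explicitly, so an unchecked call would let lookup keys trigger
     * name resolution from the server. Non-literals and {@code null} therefore return
     * {@code false} without any lookup.
     *
     * <p>NOTE(review): link-local addresses are not treated as private here; confirm whether
     * they should be excluded from OTX requests as well.
     *
     * @param str candidate IP address
     * @return {@code true} for site-local, loopback and wildcard address literals
     */
    @VisibleForTesting
    boolean isPrivateIPAddress(String str) {
        if (str == null || !detectIpType(str).isPresent()) {
            return false;
        }
        try {
            final InetAddress address = InetAddress.getByName(str);
            return address.isSiteLocalAddress() || address.isLoopbackAddress() || address.isAnyLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /**
     * Maps an IP address literal to the matching OTX indicator name.
     *
     * @return {@code IPv4} or {@code IPv6}, or an empty Optional when {@code str} is neither
     */
    private Optional<String> detectIpType(String str) {
        if (INET_ADDRESS_VALIDATOR.isValidInet4Address(str)) {
            return Optional.of(OTX_INDICATOR_IPV4);
        }
        if (INET_ADDRESS_VALIDATOR.isValidInet6Address(str)) {
            return Optional.of(OTX_INDICATOR_IPV6);
        }
        return Optional.empty();
    }

    /** No-op: this adapter does not store values. */
    @Override
    public void set(Object obj, Object obj2) {
    }
}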
