#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""
Part of RedELK

This check queries for calls to backends that have alarm in their name

Authors:
- Outflank B.V. / Mark Bergman (@xychix)
- Lorenzo Bernardi (@fastlorenzo)
"""
import logging

from modules.helpers import get_initial_alarm_result, get_query

info = {
    "version": 0.1,
    "name": "backend alarm module",
    "alarmmsg": "TRAFFIC TO ANY BACKEND WITH THE WORD ALARM IN THE NAME",
    "description": "This check queries for calls to backends that have alarm in their name",
    "type": "redelk_alarm",  # Could also contain redelk_enrich if it was an enrichment module
    "submodule": "alarm_backendalarm",
}


class Module:
    """backend alarm module
    This check queries for calls to backends that have alarm in their name
    """

    def __init__(self):
        self.logger = logging.getLogger(info["submodule"])

    def run(self):
        """Run the alarm module"""
        ret = get_initial_alarm_result()
        ret["info"] = info
        ret["fields"] = [
            "@timestamp",
            "source.ip",
            "http.headers.useragent",
            "source.cdn.ip",
            "redir.frontend.name",
            "redir.backend.name",
            "infra.attack_scenario",
        ]
        ret["groupby"] = ["source.ip", "http.headers.useragent"]
        report = self.alarm_check()
        ret["hits"]["hits"] = report["hits"]
        ret["hits"]["total"] = len(report["hits"])
        self.logger.info(
            "finished running module. result: %s hits", ret["hits"]["total"]
        )
        return ret

    # pylint: disable=no-self-use
    def alarm_check(self):
        """This check queries for calls to backends that have *alarm* in their name"""
        es_query = f'redir.backend.name:*alarm* AND NOT tags:{info["submodule"]}'
        es_results = get_query(es_query, 10000)
        report = {"hits": es_results}
        return report