#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""
Part of RedELK

This check queries for UA\'s that are listed in any blacklist_useragents.conf and do talk to c2* paths on redirectors

Authors:
- Outflank B.V. / Mark Bergman (@xychix)
- Lorenzo Bernardi (@fastlorenzo)
"""
import logging

from modules.helpers import get_initial_alarm_result, get_query

info = {
    "version": 0.1,
    "name": "User-agent module",
    "alarmmsg": "VISIT FROM BLACKLISTED USERAGENT TO C2_*",
    "description": "This check queries for UA's that are listed in any blacklist_useragents.conf and do talk to c2* paths on redirectors",
    "type": "redelk_alarm",  # Could also contain redelk_enrich if it was an enrichment module
    "submodule": "alarm_useragent",
}


class Module:
    """User-agent module"""

    def __init__(self):
        self.logger = logging.getLogger(info["submodule"])

    def run(self):
        """Run the alarm module"""
        ret = get_initial_alarm_result()
        ret["info"] = info
        ret["fields"] = [
            "agent.hostname",
            "@timestamp",
            "source.ip",
            "http.headers.useragent",
            "source.cdn.ip",
            "redir.frontend.name",
            "redir.backend.name",
            "infra.attack_scenario",
        ]
        ret["groupby"] = ["source.ip", "http.headers.useragent"]
        report = self.alarm_check()
        ret["hits"]["hits"] = report["hits"]
        ret["hits"]["total"] = len(report["hits"])
        self.logger.info(
            "finished running module. result: %s hits", ret["hits"]["total"]
        )
        return ret

    def alarm_check(self):  # pylint: disable=no-self-use
        """This check queries for UA's that are listed in any blacklist_useragents.conf and do talk to c2* paths on redirectors
        We will dig trough ALL data finding specific IP related lines and tag them reading the useragents we trigger on."""
        file_name = "/etc/redelk/rogue_useragents.conf"
        with open(file_name, encoding="utf-8") as file:
            content = file.readlines()
        ua_list = []
        for line in content:
            if not line.startswith("#"):
                ua_list.append(line.strip())
        keywords = ua_list
        es_subquery = ""
        # add keywords (UA's) to query
        for keyword in keywords:
            if es_subquery == "":
                es_subquery = f"(http.headers.useragent:{keyword}"
            else:
                es_subquery = es_subquery + f" OR http.headers.useragent:{keyword}"
        es_subquery = es_subquery + ") "
        # q = "%s AND redir.backendname:c2* AND tags:enrich_* AND NOT tags:alarm_* "%qSub
        es_query = (
            f"{es_subquery} AND redir.backend.name:c2* AND NOT tags:alarm_useragent"
        )

        es_results = get_query(es_query, 10000)
        report = {}
        report["hits"] = es_results
        return report