package org.owasp.appsensor.analysis;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.PriorityQueue;
import java.util.Queue;
import javax.inject.Inject;
import javax.inject.Named;
import org.joda.time.DateTime;
import org.owasp.appsensor.core.AppSensorServer;
import org.owasp.appsensor.core.Attack;
import org.owasp.appsensor.core.DetectionPoint;
import org.owasp.appsensor.core.Event;
import org.owasp.appsensor.core.Interval;
import org.owasp.appsensor.core.Threshold;
import org.owasp.appsensor.core.User;
import org.owasp.appsensor.core.analysis.EventAnalysisEngine;
import org.owasp.appsensor.core.criteria.SearchCriteria;
import org.owasp.appsensor.core.logging.Loggable;
import org.owasp.appsensor.core.rule.Clause;
import org.owasp.appsensor.core.rule.Expression;
import org.owasp.appsensor.core.rule.Notification;
import org.owasp.appsensor.core.rule.Rule;
import org.owasp.appsensor.core.util.DateUtils;
import org.slf4j.Logger;

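/**
 * Event analysis engine that evaluates aggregate {@link Rule}s: each incoming
 * {@link Event} is checked against every rule the configuration returns for it,
 * and an {@link Attack} is stored for each rule whose expressions are all
 * satisfied in order.
 *
 * <p>Evaluation works on {@link Notification}s, one per moment at which a single
 * detection point's threshold was reached, and slides a time window over them for
 * each {@link Expression} of the rule.
 *
 * <p>NOTE(review): {@code logger} is never assigned in this class; presumably the
 * {@code @Loggable} infrastructure populates it. Confirm, because
 * {@link #generateAttack} logs before it stores the attack.
 */
@Loggable
@Named
/* loaded from: input_file:org/owasp/appsensor/analysis/AggregateEventAnalysisEngine.class */
public class AggregateEventAnalysisEngine extends EventAnalysisEngine {
    private Logger logger;

    @Inject
    private AppSensorServer appSensorServer;

    /**
     * Evaluates every rule that applies to {@code event} and records an attack
     * for each rule that is satisfied.
     *
     * @param event the event that triggered analysis
     */
    public void analyze(Event event) {
        for (Rule rule : this.appSensorServer.getConfiguration().findRules(event)) {
            if (checkRule(event, rule)) {
                generateAttack(event, rule);
            }
        }
    }

    /**
     * Decides whether {@code rule} is satisfied by the notifications derived from
     * the events applicable to {@code event}.
     *
     * <p>Expressions are consumed in order. Notifications are taken in ascending
     * end-time order and kept in a window that is trimmed to the current
     * expression's time span; when the window satisfies the expression, evaluation
     * moves to the next expression with a fresh window.
     *
     * @param event the triggering event
     * @param rule the rule to evaluate
     * @return {@code true} when every expression was satisfied in sequence;
     *         {@code false} otherwise, including when the rule has no expressions
     */
    protected boolean checkRule(Event event, Rule rule) {
        // Element type of getExpressions() is not visible here, hence the casts below.
        Iterator<?> expressions = rule.getExpressions().iterator();
        if (!expressions.hasNext()) {
            // A rule without expressions cannot match. Returning here instead of
            // letting next() throw keeps analyze() evaluating the remaining rules.
            return false;
        }
        Expression current = (Expression) expressions.next();

        LinkedList<Notification> notifications = getNotifications(event, rule);
        Queue<Notification> window = newWindow();
        while (!notifications.isEmpty()) {
            Notification tail = notifications.poll();
            window.add(tail);
            trim(window, tail.getEndTime().minus(current.getWindow().toMillis()));
            if (checkExpression(current, window)) {
                if (!expressions.hasNext()) {
                    return true;
                }
                current = (Expression) expressions.next();
                // Previously a plain LinkedList was used from the second expression
                // on. trim() only inspects the head, so an insertion-ordered list
                // (end-time order) could keep a notification whose start time lies
                // outside the window and let an expression match on stale data.
                window = newWindow();
                // Drop pending notifications that do not start after the one that
                // completed the previous expression.
                trim(notifications, tail.getEndTime());
            }
        }
        return false;
    }

    /** Creates an empty window whose head is the notification with the earliest start time. */
    private static Queue<Notification> newWindow() {
        return new PriorityQueue<Notification>(1, Notification.getStartTimeAscendingComparator());
    }

    /**
     * Reports whether at least one clause of {@code expression} is satisfied by
     * the notifications in {@code queue}.
     *
     * @param expression the expression whose clauses are tried in iteration order
     * @param queue the notifications currently inside the window
     * @return {@code true} as soon as one clause matches, otherwise {@code false}
     */
    protected boolean checkExpression(Expression expression, Queue<Notification> queue) {
        // Element type of getClauses() is not visible here, hence the cast.
        for (Object clause : expression.getClauses()) {
            if (checkClause((Clause) clause, queue)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether every monitor point required by {@code clause} is present
     * among the notifications in {@code queue}.
     *
     * @param clause the clause listing the required monitor points
     * @param queue the notifications currently inside the window
     * @return {@code true} when no required monitor point is missing
     */
    protected boolean checkClause(Clause clause, Queue<Notification> queue) {
        HashSet<DetectionPoint> observed = new HashSet<>();
        for (Notification notification : queue) {
            observed.add(notification.getMonitorPoint());
        }
        // Element type of getMonitorPoints() is not visible here; contains() takes Object.
        for (Object required : clause.getMonitorPoints()) {
            if (!observed.contains(required)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Removes notifications from the head of {@code queue} until the head starts
     * strictly after {@code dateTime} or the queue is empty.
     *
     * <p>Only the head is examined, so the result is a complete trim only when the
     * queue hands out elements in ascending start-time order.
     *
     * @param queue the queue to trim in place
     * @param dateTime the cut-off; notifications starting at or before it are removed
     */
    protected void trim(Queue<Notification> queue, DateTime dateTime) {
        while (!queue.isEmpty() && !queue.peek().getStartTime().isAfter(dateTime)) {
            queue.poll();
        }
    }

    /**
     * Builds the notifications for {@code rule}: for each detection point of the
     * rule, the applicable events that match it are pushed through a sliding
     * queue, and a notification is emitted each time the point's threshold is
     * violated.
     *
     * @param event the triggering event
     * @param rule the rule whose detection points are examined
     * @return the notifications sorted by ascending end time
     */
    protected LinkedList<Notification> getNotifications(Event event, Rule rule) {
        LinkedList<Notification> notifications = new LinkedList<>();
        ArrayList<Event> candidates = getApplicableEvents(event, rule);
        for (DetectionPoint detectionPoint : rule.getAllDetectionPoints()) {
            // Typed queue: the raw LinkedList used before made peek() return Object.
            LinkedList<Event> recent = new LinkedList<>();
            for (Event candidate : candidates) {
                if (!candidate.getDetectionPoint().typeAndThresholdMatches(detectionPoint)) {
                    continue;
                }
                recent.add(candidate);
                if (isThresholdViolated(recent, candidate, detectionPoint.getThreshold())) {
                    int durationMillis = (int) getQueueInterval(recent, candidate).toMillis();
                    DateTime start = DateUtils.fromString(recent.peek().getTimestamp());
                    notifications.add(new Notification(durationMillis, "milliseconds", start, detectionPoint));
                }
                // Keep at most (count - 1) events so the next match completes a new group.
                if (recent.size() >= detectionPoint.getThreshold().getCount()) {
                    recent.poll();
                }
            }
        }
        Collections.sort(notifications, Notification.getEndTimeAscendingComparator());
        return notifications;
    }

    /**
     * Reports whether {@code queue} holds at least the threshold's count of
     * events and the span from the queue head to {@code event} fits inside the
     * threshold's interval.
     *
     * @param queue the events collected so far, oldest at the head
     * @param event the most recent event
     * @param threshold the count and interval to test against
     * @return {@code true} when both the count and the interval condition hold
     */
    public boolean isThresholdViolated(Queue<Event> queue, Event event, Threshold threshold) {
        if (queue.size() < threshold.getCount()) {
            return false;
        }
        return getQueueInterval(queue, event).toMillis() <= threshold.getInterval().toMillis();
    }

    /**
     * Computes the time between the event at the head of {@code queue} and
     * {@code event}, in milliseconds.
     *
     * <p>{@link Interval} is built from an {@code int}. The difference is
     * saturated to the {@code int} range rather than narrowed with a plain cast,
     * so a span longer than about 24.8 days no longer wraps to a negative value
     * that would compare as "within the threshold interval".
     *
     * @param queue the events collected so far; must not be empty
     * @param event the most recent event
     * @return the elapsed time as a millisecond interval
     */
    public Interval getQueueInterval(Queue<Event> queue, Event event) {
        long latest = DateUtils.fromString(event.getTimestamp()).getMillis();
        long earliest = DateUtils.fromString(queue.peek().getTimestamp()).getMillis();
        long elapsed = latest - earliest;
        int saturated = (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, elapsed));
        return new Interval(saturated, "milliseconds");
    }

    /**
     * Logs and stores an {@link Attack} for {@code rule}, attributed to the user
     * of {@code event}.
     *
     * @param event the event that completed the rule
     * @param rule the rule that was satisfied
     */
    public void generateAttack(Event event, Rule rule) {
        String username = event.getUser().getUsername();
        // The username comes from reported event data; strip line breaks so a
        // crafted name cannot forge additional entries in the attack log.
        this.logger.info("Attack generated on rule: {}, by user: {}", rule.getGuid(), withoutLineBreaks(username));
        Attack attack = new Attack()
                .setUser(new User(username))
                .setRule(rule)
                .setTimestamp(event.getTimestamp())
                .setDetectionSystem(event.getDetectionSystem())
                .setResource(event.getResource());
        this.appSensorServer.getAttackStore().addAttack(attack);
    }

    /** Replaces CR and LF with underscores; returns {@code null} unchanged. */
    private static String withoutLineBreaks(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Fetches the stored events that may count towards {@code rule} for the user
     * of {@code event}: those later than both the start of the rule window and the
     * most recent attack already recorded for this rule.
     *
     * @param event the triggering event
     * @param rule the rule being evaluated
     * @return a new list of matching events sorted by ascending time
     */
    protected ArrayList<Event> getApplicableEvents(Event event, Rule rule) {
        DateTime windowStart = DateUtils.fromString(event.getTimestamp()).minus(rule.getWindow().toMillis());
        DateTime lastAttack = findMostRecentAttackTime(event, rule);
        DateTime lowerBound = windowStart.isAfter(lastAttack) ? windowStart : lastAttack;
        SearchCriteria criteria = new SearchCriteria()
                .setUser(event.getUser())
                // plus(1L): start one millisecond after the bound.
                .setEarliest(lowerBound.plus(1L).toString())
                .setRule(rule)
                .setDetectionSystemIds(this.appSensorServer.getConfiguration().getRelatedDetectionSystems(event.getDetectionSystem()));
        // Copy instead of downcasting to ArrayList: the store's concrete collection
        // type is not visible here, and sorting a copy leaves its result untouched.
        ArrayList<Event> events = new ArrayList<Event>(this.appSensorServer.getEventStore().findEvents(criteria));
        Collections.sort(events, Event.getTimeAscendingComparator());
        return events;
    }

    /**
     * Finds the timestamp of the latest stored attack for {@code rule} and the
     * user of {@code event}.
     *
     * @param event the triggering event
     * @param rule the rule whose attacks are searched
     * @return the latest matching attack time, or {@code DateUtils.epoch()} when
     *         no matching attack is found
     */
    protected DateTime findMostRecentAttackTime(Event event, Rule rule) {
        DateTime latest = DateUtils.epoch();
        SearchCriteria criteria = new SearchCriteria()
                .setUser(new User(event.getUser().getUsername()))
                .setRule(rule)
                .setDetectionSystemIds(this.appSensorServer.getConfiguration().getRelatedDetectionSystems(event.getDetectionSystem()));
        for (Attack attack : this.appSensorServer.getAttackStore().findAttacks(criteria)) {
            if (!attack.getRule().guidMatches(rule)) {
                continue;
            }
            DateTime attackTime = DateUtils.fromString(attack.getTimestamp());
            if (attackTime.isAfter(latest)) {
                latest = attackTime;
            }
        }
        return latest;
    }
}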
