# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

cs__scoped_require 'contrast/agent/protect/rule/base'

module Contrast
  module Agent
    module Protect
      module Rule
        # Encapsulate common code for protect rules that do their
        # input analysis on Speedracer rather in ruby code
        class BaseService < Contrast::Agent::Protect::Rule::Base
          def name
            'base-service'
          end

          def block_message
            'Contrast Security Protect Rule Triggered. Response blocked.'
          end

          def infilter? context
            return false unless context&.speedracer_input_analysis&.results
            return false unless enabled?
            return false if protect_excluded_by_code?

            true
          end

          # Override for rules that need the response
          # Currently postfilter can be applied to streamed responses,
          # if any logic within postfilter changes to modify the response
          # streamed responses will break
          def postfilter context
            return unless enabled? && POSTFILTER_MODES.include?(mode)
            return if mode == :NO_ACTION || mode == :PERMIT

            result = find_postfilter_attacker(context, nil)
            return unless result&.samples&.any?

            append_to_activity(context, result)
            return unless result.response == :BLOCKED

            raise Contrast::SecurityException.new(self, "#{ name } triggered in postfilter. Response blocked.")
          end

          protected

          def gather_ia_results context
            context.speedracer_input_analysis.results.select do |ia_result|
              ia_result.rule_id == name
            end
          end

          def find_attacker context, potential_attack_string, **kwargs
            ia_results = gather_ia_results(context)
            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
          end

          # Allows for the InputAnalysis from service to be extracted early
          def find_attacker_with_results context, potential_attack_string, ia_results, **kwargs
            logger.trace('Checking vectors for attacks', rule: name, input: potential_attack_string)

            result = nil
            ia_results.each do |ia_result|
              if potential_attack_string
                idx = potential_attack_string.index(ia_result.value)
                next unless idx

                result = build_attack_with_match(context, ia_result, result, potential_attack_string, **kwargs)
              else
                result = build_attack_without_match(context, ia_result, result, **kwargs)
              end
            end
            result
          end

          private

          def find_postfilter_attacker context, potential_attack_string, **kwargs
            ia_results = gather_ia_results(context)
            ia_results.select! do |ia_result|
              ia_result.score_level == Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
            end
            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
          end
        end
      end
    end
  end
end