package org.graylog.plugins.cef.pipelines.rules;

import com.codahale.metrics.MetricRegistry;
import com.google.common.collect.ImmutableMap;
import java.util.Collections;
import org.antlr.v4.runtime.CommonToken;
import org.graylog.plugins.pipelineprocessor.EvaluationContext;
import org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanExpression;
import org.graylog.plugins.pipelineprocessor.ast.expressions.StringExpression;
import org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs;
import org.graylog2.plugin.MessageFactory;
import org.graylog2.plugin.TestMessageFactory;
import org.joda.time.DateTime;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/graylog/plugins/cef/pipelines/rules/CEFParserFunctionTest.class */
public class CEFParserFunctionTest {
    private CEFParserFunction function;
    private MessageFactory messageFactory = new TestMessageFactory();

    @Before
    public void setUp() {
        this.function = new CEFParserFunction(new MetricRegistry());
    }

    @Test
    public void evaluate_returns_null_for_missing_CEF_string() throws Exception {
        Assert.assertNull(this.function.evaluate(new FunctionArgs(this.function, Collections.emptyMap()), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z")))));
    }

    @Test
    public void evaluate_returns_null_for_empty_CEF_string() throws Exception {
        Assert.assertNull(this.function.evaluate(new FunctionArgs(this.function, Collections.singletonMap("cef_string", new StringExpression(new CommonToken(0), ""))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z")))));
    }

    @Test
    public void evaluate_returns_null_for_invalid_CEF_string() throws Exception {
        Assert.assertNull(this.function.evaluate(new FunctionArgs(this.function, ImmutableMap.of("cef_string", new StringExpression(new CommonToken(0), "CEF:0|Foobar"), "use_full_names", new BooleanExpression(new CommonToken(0), false))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z")))));
    }

    @Test
    public void evaluate_returns_result_for_valid_CEF_string() throws Exception {
        CEFParserResult evaluate = this.function.evaluate(new FunctionArgs(this.function, ImmutableMap.of("cef_string", new StringExpression(new CommonToken(0), "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar"), "use_full_names", new BooleanExpression(new CommonToken(0), false))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"))));
        Assert.assertNotNull(evaluate);
        Assert.assertEquals(0, evaluate.get("cef_version"));
        Assert.assertEquals("vendor", evaluate.get("device_vendor"));
        Assert.assertEquals("product", evaluate.get("device_product"));
        Assert.assertEquals("1.0", evaluate.get("device_version"));
        Assert.assertEquals("id", evaluate.get("device_event_class_id"));
        Assert.assertEquals("low", evaluate.get("severity"));
        Assert.assertEquals("example.com", evaluate.get("dvc"));
        Assert.assertEquals("Foobar", evaluate.get("msg"));
    }

    @Test
    public void evaluate_returns_result_for_valid_CEF_string_with_short_names_if_useFullNames_parameter_is_missing() throws Exception {
        CEFParserResult evaluate = this.function.evaluate(new FunctionArgs(this.function, Collections.singletonMap("cef_string", new StringExpression(new CommonToken(0), "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar"))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"))));
        Assert.assertNotNull(evaluate);
        Assert.assertEquals(0, evaluate.get("cef_version"));
        Assert.assertEquals("vendor", evaluate.get("device_vendor"));
        Assert.assertEquals("product", evaluate.get("device_product"));
        Assert.assertEquals("1.0", evaluate.get("device_version"));
        Assert.assertEquals("id", evaluate.get("device_event_class_id"));
        Assert.assertEquals("low", evaluate.get("severity"));
        Assert.assertEquals("example.com", evaluate.get("dvc"));
        Assert.assertEquals("Foobar", evaluate.get("msg"));
    }

    @Test
    public void evaluate_returns_result_for_valid_CEF_string_with_full_names() throws Exception {
        CEFParserFunction cEFParserFunction = new CEFParserFunction(new MetricRegistry());
        CEFParserResult evaluate = cEFParserFunction.evaluate(new FunctionArgs(cEFParserFunction, ImmutableMap.of("cef_string", new StringExpression(new CommonToken(0), "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar"), "use_full_names", new BooleanExpression(new CommonToken(0), true))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"))));
        Assert.assertNotNull(evaluate);
        Assert.assertEquals(0, evaluate.get("cef_version"));
        Assert.assertEquals("vendor", evaluate.get("device_vendor"));
        Assert.assertEquals("product", evaluate.get("device_product"));
        Assert.assertEquals("1.0", evaluate.get("device_version"));
        Assert.assertEquals("id", evaluate.get("device_event_class_id"));
        Assert.assertEquals("low", evaluate.get("severity"));
        Assert.assertEquals("example.com", evaluate.get("deviceAddress"));
        Assert.assertEquals("Foobar", evaluate.get("message"));
    }

    @Test
    public void evaluate_returns_result_without_message_field() throws Exception {
        CEFParserResult evaluate = this.function.evaluate(new FunctionArgs(this.function, ImmutableMap.of("cef_string", new StringExpression(new CommonToken(0), "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com"), "use_full_names", new BooleanExpression(new CommonToken(0), false))), new EvaluationContext(this.messageFactory.createMessage("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"))));
        Assert.assertNotNull(evaluate);
        Assert.assertEquals(0, evaluate.get("cef_version"));
        Assert.assertEquals("vendor", evaluate.get("device_vendor"));
        Assert.assertEquals("product", evaluate.get("device_product"));
        Assert.assertEquals("1.0", evaluate.get("device_version"));
        Assert.assertEquals("id", evaluate.get("device_event_class_id"));
        Assert.assertEquals("low", evaluate.get("severity"));
        Assert.assertEquals("example.com", evaluate.get("dvc"));
        Assert.assertFalse(evaluate.containsKey("message"));
    }
}
