#!/usr/bin/python
import requests, sys, json, copy, fileinput

TR_SESSION = requests.session()


def get_config():
    global config
    config={}
    #options
    config['threat_response_token_file']='TR-token.txt'

    #credentials
    config['threat_response_api_client_id']="<INSERT YOUR API CLIENT ID HERE>"
    config['threat_response_api_client_pass']="<INSERT YOUR API CLIENT PASSWORD HERE>"

    #server (modify only to select region)
    config['threat_response_server']="visibility.amp.cisco.com"
    # EU - config['threat_response_server']="visibility.eu.amp.cisco.com
    # APJ - config['threat_response_server']="visibility.apjc.amp.cisco.com

    #paths (should not need to be modified)
    config['threat_response_api_root']="iroh/"
    config['threat_response_token_path']="oauth2/token"
    config['threat_response_inspect_path']="iroh-inspect/inspect"
    config['threat_response_deliberate_path']="iroh-enrich/deliberate/observables"
    config['threat_response_observe_path']="iroh-enrich/observe/observables"

    #make some useful variables now
    config['TRroot']='https://'+config['threat_response_server']+'/'+config['threat_response_api_root']
    config['inspect_url'] = config['TRroot']+config['threat_response_inspect_path']
    config['token_url']=config['TRroot']+config['threat_response_token_path']
    config['deliberate_url'] = config['TRroot']+config['threat_response_deliberate_path']
    config['observe_url'] = config['TRroot']+config['threat_response_observe_path']


    return(config)

def TR_generate_token():
    ''' Generate a new access token and write it to disk'''

    headers = {'Content-Type':'application/x-www-form-urlencoded', 'Accept':'application/json'}
    payload = {'grant_type':'client_credentials'}

    response = requests.post(config['token_url'], headers=headers,
                         auth=(config['threat_response_api_client_id'],
                               config['threat_response_api_client_pass']),
                         data=payload)

    if TR_unauthorized(response):
        sys.exit('Unable to generate new token!\nCheck your CLIENT_ID and CLIENT_PASSWORD')

    response_json = response.json()
    access_token = response_json['access_token']

    with open(config['threat_response_token_file'], 'w') as token_file:
        token_file.write(access_token)
    return(access_token)

def TR_get_token():
    ''' Get the access token from disk, or from auth API
    '''
    for i in range(2):
        while True:
            try:
                with open(config['threat_response_token_file'], 'r') as token_file:
                    access_token = token_file.read()
                    return access_token
            except FileNotFoundError:
                return TR_generate_token()
            break    

def TR_unauthorized(response):
    ''' Check the status code of the response
    '''
    if response.status_code == 401:
        return True
    return False

def TR_check_auth(function, param):
    ''' Query the API and validate authentication was successful
        If authentication fails, generate a new token and try again
    '''
    response = function(param)
    if TR_unauthorized(response):
        print('Auth failed, generating new token.')
        config['access_token']=TR_generate_token()
        return function(param)
    return response


def TR_query(text_block):
    ''' Pass the functions and parameters to check_auth to query the API
        Return the final response
    '''
    response = TR_check_auth(TR_inspect, text_block)
    inspect_output = response.text
    response = TR_check_auth(TR_enrich, inspect_output)  # TR_enrich() is undefined
    return response

def TR_inspect(text_block):
    '''Inspect the provided text block and extract observables
    '''

    headers = {'Authorization':'Bearer {}'.format(config['access_token']),
               'Content-Type':'application/json',
               'Accept':'application/json'}

    inspect_payload = {'content':text_block}
    inspect_payload = json.dumps(inspect_payload)

    response = TR_SESSION.post(config['inspect_url'], headers=headers, data=inspect_payload)
    return response

def TR_deliberate(observables):
    ''' Query the deliberate API for observable(s)
    '''
    headers = {'Authorization':'Bearer {}'.format(config['access_token']),
               'Content-Type':'application/json',
               'Accept':'application/json'}
    response = TR_SESSION.post(config['deliberate_url'], headers=headers, data=json.dumps(observables))
    return response

def TR_observe(observables):
    ''' Query the deliberate API for observable(s)
    '''
    headers = {'Authorization':'Bearer {}'.format(config['access_token']),
               'Content-Type':'application/json',
               'Accept':'application/json'}
    response = TR_SESSION.post(config['observe_url'], headers=headers, data=json.dumps(observables))
    return response

def uniq_observables(observables):
    uniqd=[]
    for obs in observables:
        if obs not in uniqd:
            uniqd.append(obs)
    return(uniqd)

def filter_cleans(results):
    cleans = [] #init list of observables with any clean verdict
    for obs in results: #loop through observables
        if 'verdicts' in obs: #if it has verdicts
            for verdict in obs['verdicts']: #loop through verdicts
                if verdict['verdict'] == "Clean": #if this one is clean
                    cleans.append(obs) # add the observable to list of cleans
                    break #and exit, since it takes only one 'clean' and we found one
    for obs in cleans: #go through our list
        results.remove(obs) #and for each entry, remove it from the initial dataset
    return(results) #return what's left

def main():

    #collect settings dict
    get_config()
    # get the token to use to start
    config['access_token']=TR_get_token()

    # process input
    # init some vars
    [text_chunk,observables, judgements, sightings]=['',[],[],[]]
    line_idx=0
    #chunking loop
    for line in fileinput.input():
         line_idx=line_idx+1
         text_chunk=text_chunk+line
         if len(text_chunk) > 2000: #if we hit the 2000 char max guideline, send the chunk for inspection
            these_observables = json.loads(TR_check_auth(TR_inspect,text_chunk).text)
            #append results to existing data
            observables=observables+these_observables
            # clear the chunk for reuse
            text_chunk=''

    #if we're here, we ran out of lines
    #inspect the last chunk if it has content
    if text_chunk != '':
        these_observables = json.loads(TR_check_auth(TR_inspect,text_chunk).text)
        #append results to existing data
        observables=observables+these_observables
    #uniq our observables
    observables= uniq_observables(observables)

    if len(observables) >50: # semi-arbitrary limit for performance reasons.
        # This is a cop-out. We could break the enrichment process into segments the same way we did the Inspection process
        # for this example, we'll keep it simple.   
        sys.exit('NOT doing enrichment! {} is too many observables. Break that input up.'.format(len(observables)))

    # init results data structure
    results = copy.deepcopy(observables)

    # Deliberate
    deliberations=json.loads(TR_check_auth(TR_deliberate,observables).text)
    for module_results in deliberations['data']:
        #add deliberations to results
        if 'verdicts' in module_results['data']:
            for verdict in module_results['data']['verdicts']['docs']: #loop through the verdicts in this module's output
                try:
                    for obs in results: #loop through our list of observables
                        if obs['value'] == verdict['observable']['value'] and obs['type'] == verdict['observable']['type']: #if this observable is the same as the one for the current verdict
                            this_verdict= {'module_name': module_results['module'], 'verdict': verdict['disposition_name'] }
                            if 'verdicts' not in obs: #if this is the first verdict on this observable,
                                obs['verdicts']=[] # then make a new blank list of verdicts
                            obs['verdicts'].append(this_verdict)
                            break
                except Exception as e:
                    print('{}:{}'.format(str(e)), json.dumps(obs, indent=4))

    #filter out anything with any "Clean" verdict
    results=filter_cleans(results)

    # Observe

    observations=json.loads(TR_check_auth(TR_observe,observables).text)#make the observe API call
    for observation in observations['data']:#parse the results one observation at a time; actually each module's output at a time
       if 'sightings' in observation['data']:#if it had any sightings
            for sighting in observation['data']['sightings']['docs']:#go through those sightings
                if 'targets' in sighting: # we are only interested in sightings with targets
                    for sighted_observable in sighting['observables']:#for each observable that was sighted
                        for obs in results:# look at each observable in our initial list
                            if obs['value'] == sighted_observable['value'] and obs['type'] == sighted_observable['type']: #if this observable is the same as the one for the current verdict
                                this_sighting= {'module_name': sighting['source'], 'sighting_count': sighting['count']} #create a new data element in our results set for this sighting
                                if 'sightings' not in obs: #if this is the first sighting on this observable,
                                    obs['sightings']=[] # then make a new blank list of sightings
                                obs['sightings'].append(this_sighting) # add this sighting to the list for this observable
                                break #found our match in a uniq'd list; no need to continue


    #summarizing/aggregating
    for item in results:
        #aggregate verdicts
        item['verdicts_count']=0 #init counter
        item['verdicts_module_list']=[] #init list of modules
        if 'verdicts' in item: #if there are verdicts
           for verdict in item['verdicts']: #for each one
               item['verdicts_count']=item['verdicts_count']+1 #increment counter
               item['verdicts_module_list'].append(verdict['module_name']) #add modulename to list
           item['verdicts_module_list']=list(set(item['verdicts_module_list'])) #when done, uniq list of modules

        #aggregate sightings
        item['sightings_count']=0#init counter
        item['sightings_module_list']=[]#init list of modules
        if 'sightings' in item: #if there are sightings
            for sighting in item['sightings']:#for each one
                    item['sightings_count']=item['sightings_count']+sighting['sighting_count']#increment counter
                    item['sightings_module_list'].append(sighting['module_name'])#add modulename to list
            item['sightings_module_list']=list(set(item['sightings_module_list']))#when done, uniq list of modules

    #filter out unseen observables
    results[:]= [item for item in results if item['sightings_count'] > 0] #make new list using only elements where there is at least one sighting

    if len(results)>0: #if there are 1+ entries left in the list of results
        print('the following observables were found in the input and were seen in your environment:')
        url='https://{}/#/investigate?q='.format(config['threat_response_server'])#init url
        for item in results: #for each remaining observable
            print('{} ({}): {} sightings, {} verdicts'.format(item['value'],item['type'],item['sightings_count'],item['verdicts_count'])) #print the sumamry information
            url=url+'{}%3A{}%0A'.format(item['type'], item['value']) #and add it to the CTR URL for an investigation
        print('To get more information and investigate these observables in Threat Response, go to the following location:')
        print(url)


if __name__ == '__main__':
    main()