from trustar import TruStar, datetime_to_millis
from datetime import datetime, timedelta
from keys import misp_url, misp_key, misp_verifycert
from pymisp import PyMISP, MISPEvent, MISPOrganisation, MISPObject

# enclave_ids = '7a33144f-aef3-442b-87d4-dbf70d8afdb0'  # RHISAC
enclave_ids = None

time_interval = {'days': 30, 'hours': 0}

distribution = None  # Optional, defaults to MISP.default_event_distribution in MISP config
threat_level_id = None  # Optional, defaults to MISP.default_event_threat_level in MISP config
analysis = None  # Optional, defaults to 0 (initial analysis)



tru = TruStar()

misp = PyMISP(misp_url, misp_key, misp_verifycert)

now = datetime.now()

# date range for pulling reports is last 4 hours when script is run
to_time = datetime.now()
from_time = to_time - timedelta(**time_interval)

# convert to millis since epoch
to_time = datetime_to_millis(to_time)
from_time = datetime_to_millis(from_time)

if not enclave_ids:
    reports = tru.get_reports(from_time=from_time,
                              to_time=to_time)
else:
    reports = tru.get_reports(from_time=from_time,
                          to_time=to_time,
                          is_enclave=True,
                          enclave_ids=enclave_ids)

# loop through each trustar report and create MISP events for each
for report in reports:
    # initialize and set MISPEvent()
    event = MISPEvent()
    event.info = report.title
    event.distribution = distribution
    event.threat_level_id = threat_level_id
    event.analysis = analysis

    # get tags for report
    for tag in tru.get_enclave_tags(report.id):
        event.add_tag(tag.name)

    obj = MISPObject('trustar_report', standalone=False, strict=True)
    # get indicators for report
    for indicator in tru.get_indicators_for_report(report.id):
        obj.add_attribute(indicator.type, indicator.value)
    event.add_object(obj)
    # post each event to MISP via API
    misp.add_event(event)