From 14a304926b1e0897dc7e248e3bf39e86a785e844 Mon Sep 17 00:00:00 2001 From: Felix Ortmann Date: Mon, 19 Oct 2020 15:12:23 +0200 Subject: [PATCH 1/5] Allow startup without API connection --- plugins/apps/threatbus_misp/plugin.py | 45 +++++++++++++++++---------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/plugins/apps/threatbus_misp/plugin.py b/plugins/apps/threatbus_misp/plugin.py index 80358b3e..aae107f3 100644 --- a/plugins/apps/threatbus_misp/plugin.py +++ b/plugins/apps/threatbus_misp/plugin.py @@ -143,6 +143,7 @@ def snapshot(snapshot_request: SnapshotRequest, result_q: Queue): logger.debug("Sighting snapshot feature not yet implemented.") return # TODO sighting snapshot not yet implemented if not misp: + logger.debug("Cannot perform snapshot request. No MISP API connection.") return logger.info(f"Executing intel snapshot for time delta {snapshot_request.snapshot}") @@ -200,7 +201,24 @@ def run( validate_config(config) except Exception as e: logger.fatal("Invalid config for plugin {}: {}".format(plugin_name, str(e))) - if config["api"].get(): + + filter_config = config["filter"].get(list) + + # start Attribute-update receiver + if config["zmq"].get(): + receiver_thread = threading.Thread( + target=receive_zmq, args=(config["zmq"], inq), daemon=True + ) + elif config["kafka"].get(): + receiver_thread = threading.Thread( + target=receive_kafka, args=(config["kafka"], inq), daemon=True + ) + + # bind to MISP + if config["api"].get(dict): + # TODO: MISP instances shall subscribe themselves to threatbus and each + # subscription shall have an individual outq and receiving thread for intel + # updates. host, key, ssl = ( config["api"]["host"].get(), config["api"]["key"].get(), 
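Review bot: A snapshot request that arrives while no API connection is configured is dropped at debug level on the added line, so with a default log level nothing shows that the request went unanswered. Since `snapshot` returns without putting anything on `result_q` in this case, raising the level to `logger.warning("Cannot perform snapshot request. No MISP API connection.")` makes the dropped request visible without changing behaviour. The body of `snapshot` continues outside the hunk.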
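Review bot: The receiver selection on the new `if config["zmq"].get(): … elif config["kafka"].get():` lines silently ignores a configured Kafka endpoint whenever ZeroMQ is configured as well; the code removed in the following hunk of this patch started both receivers independently, so this is a behaviour change the commit message does not mention. If a single receiver is intended, say so when both keys are set, e.g. `logger.warning("Both ZeroMQ and Kafka are configured, using ZeroMQ only")`; otherwise keep two independent `if` blocks and collect the threads in a list before starting them. The body of `run` begins and ends outside the hunk.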
@@ -215,23 +233,16 @@ def run( # TODO: log individual error per MISP subscriber logger.error(f"Cannot subscribe to MISP at {host}, using SSL: {ssl}") lock.release() - filter_config = config["filter"].get(list) - # TODO: MISP instances shall subscribe themselves to threatbus and each - # subscription shall have an individual outq and receiving thread for intel - # updates. + if not misp: + logger.error("Failed to start MISP plugin") + return + else: + logger.warning( + "Starting MISP plugin without API connection, cannot report back sightings or request snapshots." + ) + outq = Queue() subscribe_callback("threatbus/sighting", outq) - - if not misp: - logger.error("Failed to start up MISP plugin") - return threading.Thread(target=publish_sightings, args=(outq,), daemon=True).start() - if config["zmq"].get(): - threading.Thread( - target=receive_zmq, args=(config["zmq"], inq), daemon=True - ).start() - if config["kafka"].get(): - threading.Thread( - target=receive_kafka, args=(config["kafka"], inq), daemon=True - ).start() + receiver_thread.start() logger.info("MISP plugin started") From c6f887fd4a33617dea6f48e8c805aa8054f3f874 Mon Sep 17 00:00:00 2001 From: Felix Ortmann Date: Mon, 19 Oct 2020 15:16:46 +0200 Subject: [PATCH 2/5] Add changelog entry --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4740367d..b035f250 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,10 @@ Every entry has a category for which we use the following visual abbreviations: ## Unreleased +- 🎁 The MISP plugin does not require an API connection anymore. If omitted, the + plugin can still receive IoCs normally, but it cannot report back Sightings or + request Snapshots. + [#55](https://github.com/tenzir/threatbus/pull/55) - 🎁 The MISP plugin now supports a whitelist-filtering mechanism. Users can specify required properties of IoCs (MISP attributes) in the configuration 
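Review bot: The sighting subscription and the `publish_sightings` thread on the context lines after the added `else` branch are started even when `misp` is `None`, right after the new warning states that sightings cannot be reported back; unless `publish_sightings` drains `outq` without an API connection (its body is outside the hunk), sightings received from threatbus presumably accumulate in the queue for the lifetime of the process. Guarding both with the connection state, `if misp:` around `subscribe_callback("threatbus/sighting", outq)` and the thread start, keeps the plugin from subscribing to data it cannot use. `run` begins and ends outside the hunk.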
From 566d24cd154eea2b0f626281035f5e99ae00ec12 Mon Sep 17 00:00:00 2001 From: Felix Ortmann Date: Tue, 20 Oct 2020 11:06:51 +0200 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Matthias Vallentin --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b035f250..35cada33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,8 @@ Every entry has a category for which we use the following visual abbreviations: ## Unreleased - 🎁 The MISP plugin does not require an API connection anymore. If omitted, the - plugin can still receive IoCs normally, but it cannot report back Sightings or - request Snapshots. + plugin can still receive IoCs normally, but it cannot report back sightings or + request snapshots. [#55](https://github.com/tenzir/threatbus/pull/55) - 🎁 The MISP plugin now supports a whitelist-filtering mechanism. Users can From 40e01b0e230a91687520c63636f4fb8238de40d3 Mon Sep 17 00:00:00 2001 From: Felix Ortmann Date: Wed, 21 Oct 2020 15:40:51 +0200 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Matthias Vallentin --- CHANGELOG.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35cada33..3f03c2b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,9 +11,7 @@ Every entry has a category for which we use the following visual abbreviations: ## Unreleased -- 🎁 The MISP plugin does not require an API connection anymore. If omitted, the - plugin can still receive IoCs normally, but it cannot report back sightings or - request snapshots. +- 🎁 The MISP plugin now works without a valid PyMISP API connection. If omitted in the configuration, the plugin can still receive indicators via ZeroMQ or Kafka, but it cannot report back sightings or request snapshots. [#55](https://github.com/tenzir/threatbus/pull/55) - 🎁 The MISP plugin now supports a whitelist-filtering mechanism. Users can 
From 06505d89bea66e5dac28c2bfb64b924357e6e87b Mon Sep 17 00:00:00 2001
From: Felix Ortmann
Date: Wed, 21 Oct 2020 15:39:22 +0200
Subject: [PATCH 5/5] Be explicit about unconfigured receivers

---
 plugins/apps/threatbus_misp/plugin.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugins/apps/threatbus_misp/plugin.py b/plugins/apps/threatbus_misp/plugin.py
index aae107f3..cc84721e 100644
--- a/plugins/apps/threatbus_misp/plugin.py
+++ b/plugins/apps/threatbus_misp/plugin.py
@@ -205,6 +205,7 @@ def run(
 filter_config = config["filter"].get(list)
 
 # start Attribute-update receiver
+ receiver_thread = None
 if config["zmq"].get():
 receiver_thread = threading.Thread(
 target=receive_zmq, args=(config["zmq"], inq), daemon=True
@@ -244,5 +245,6 @@ def run(
 outq = Queue()
 subscribe_callback("threatbus/sighting", outq)
 threading.Thread(target=publish_sightings, args=(outq,), daemon=True).start()
- receiver_thread.start()
+ if receiver_thread is not None:
+ receiver_thread.start()
 logger.info("MISP plugin started")
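Review bot: With the added `None` guard, `run` now starts without any receiver thread when neither `zmq` nor `kafka` is configured and still logs "MISP plugin started", although the plugin can then receive no indicators at all; the commit title promises explicitness, but nothing is logged for that case. An `else` branch on the new guard, `else: logger.warning("No ZeroMQ or Kafka receiver configured, the MISP plugin will not receive indicators.")`, makes the misconfiguration visible at startup; whether a missing receiver should instead be rejected as a configuration error belongs in `validate_config`, which is outside the hunk. The body of `run` begins and ends outside both hunks.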