#!/usr/bin/env python3
# kandji2snipe
#
# ABOUT:
#   This python3 script leverages the Kandji and Snipe-IT APIs to sync device details
#   from Kandji to Snipe-IT and sync asset tags from Snipe-IT to Kandji.
#
#   https://kandji.io
#   https://snipeitapp.com
#
# LICENSE:
#   MIT
#
# CONFIGURATION:
#   kandji2snipe settings are set in the settings.conf file. For more detais please see
#   the README at https://github.com/grokability/kandji2snipe
#

version = "1.0.0"

# Standard Library Imports
import json
import time
import configparser
import argparse
import logging
import sys
import html
from datetime import datetime
import os

# 3rd Party Imports
try:
    import pytz
except ImportError as import_error:
    print(import_error)
    sys.exit(
        "Looks like you need to install the pytz module. Open a Terminal and run  "
        "\033[1m python3 -m pip install pytz\033[0m."
    )

try:
    import requests
except ImportError as import_error:
    print(import_error)
    sys.exit(
        "Looks like you need to install the requests module. Open a Terminal and run "
        "\033[1m python3 -m pip install requests\033[0m."
    )

from requests.adapters import HTTPAdapter

# Define runtime arguments
runtimeargs = argparse.ArgumentParser()
runtimeargs.add_argument("-l", "--logfile", help="Saves logging messages to kandji2snipe.log instead of displaying on screen.", action="store_true")
runtimeargs.add_argument("-v", "--verbose", help="Sets the logging level to INFO and gives you a better idea of what the script is doing.", action="store_true")
runtimeargs.add_argument("-d", "--debug", help="Sets logging to include additional DEBUG messages.", action="store_true")
runtimeargs.add_argument("--dryrun", help="This checks your config and tries to contact both the Kandji and Snipe-IT instances, but exits before updating or syncing any assets.", action="store_true")
runtimeargs.add_argument("--version", help="Prints the version of this script and exits.", action="store_true")
runtimeargs.add_argument("--auto_incrementing", help="You can use this if you have auto-incrementing enabled in your Snipe-IT instance to utilize that instead of using KANDJI-<SERIAL NUMBER> for the asset tag.", action="store_true")
runtimeargs.add_argument("--do_not_update_kandji", help="Does not update Kandji with the asset tags stored in Snipe-IT.", action="store_false")
runtimeargs.add_argument('--do_not_verify_ssl', help="Skips SSL verification for all Snipe-IT requests. Helpful when you use self-signed certificate.", action="store_false")
runtimeargs.add_argument("-r", "--ratelimited", help="Puts a half second delay between Snipe-IT API calls to adhere to the standard 120/minute rate limit", action="store_true")
runtimeargs.add_argument("-f", "--force", help="Updates the Snipe-IT asset with information from Kandji every time, despite what the timestamps indicate.", action="store_true")
runtimeargs.add_argument("-u", "--users", help="Checks in/out assets based on the user assignment in Kandji.", action="store_true")
runtimeargs.add_argument("-uns", "--users_no_search", help="Doesn't search for any users if the specified fields in Kandji and Snipe-IT don't match. (case insensitive)", action="store_true")
type_opts = runtimeargs.add_mutually_exclusive_group()
type_opts.add_argument("--mac", help="Runs against Kandji Mac computers only.", action="store_true")
type_opts.add_argument("--iphone", help="Runs against Kandji iPhones only.", action="store_true")
type_opts.add_argument("--ipad", help="Runs against Kandji iPads only.", action="store_true")
type_opts.add_argument("--appletv", help="Runs against Kandji Apple TVs only.", action="store_true")
user_args = runtimeargs.parse_args()

validarrays = [
        "general",
        "mdm",
        "activation_lock",
        "filevault",
        "automated_device_enrollment",
        "kandji_agent",
        "hardware_overview",
        "volumes",
        "network",
        "recovery_information",
        "users",
        "installed_profiles",
        "apple_business_manager",
        "security_information"
]

# Define Functions 

# Find and validate the settings.conf file  
def get_settings():
    # Find a valid settings.conf file.
    logging.info("Searching for a valid settings.conf file.")
    global config
    config = configparser.ConfigParser()
    logging.debug("Checking for a settings.conf in /opt/kandji2snipe ...")
    config.read("/opt/kandji2snipe/settings.conf")
    if 'snipe-it' not in set(config):
        logging.debug("No valid config found in: /opt Checking for a settings.conf in /etc/kandji2snipe ...")
        config.read('/etc/kandji2snipe/settings.conf')
    if 'snipe-it' not in set(config):
        logging.debug("No valid config found in /etc Checking for a settings.conf in current directory ...")
        config.read("settings.conf")
    if 'snipe-it' not in set(config):
        logging.debug("No valid config found in current folder.")
        logging.error("No valid settings.conf was found. Refer to the README for valid locations.")
        sys.exit(exit_error_message)

    logging.info("Settings.conf found.")

    # Settings.conf Value Validation - Ensuring some important settings are not empty or default values
    logging.debug("Checking the settings.conf file for valid values.")

    if config['kandji']['tenant'] == "TENANTNAME" or config['kandji']['tenant'] == "":
        logging.error('Error: Invalid Kandji Tenant, check your settings.conf and try again.')
        sys.exit(exit_error_message)

    if config['kandji']['region'] != "us" and config['kandji']['region'] != "eu":
        logging.error('Invalid Kandji Region, check your settings.conf and try again.')
        sys.exit(exit_error_message)

    if os.environ.get("KANDJI_APITOKEN") == "":
        if config['kandji']['apitoken'] == "kandji-api-bearer-token-here" or config['kandji']['apitoken'] == "" :
            logging.error('Invalid Kandji API Token, check your settings.conf or environment variables and try again.')
            sys.exit(exit_error_message)

    if config['snipe-it']['url'] == "https://your_snipe_instance.com"or config['snipe-it']['url'] == "":
        logging.error('Invalid Snipe-IT URL, check your settings.conf and try again.')
        sys.exit(exit_error_message)

    if os.environ.get("SNIPE_APIKEY") == "":
        if config['snipe-it']['apikey'] == "snipe-api-key-here" or config['snipe-it']['apikey'] == "" :
            logging.error('Invalid Snipe-IT API Key, check your settings.conf or environment variables and try again.')
            sys.exit(exit_error_message)

    if config['snipe-it']['mac_custom_fieldset_id'] != "":
        for key in config['mac-api-mapping']:
            kandjisplit = config['mac-api-mapping'][key].split()
            if kandjisplit[0] in validarrays:
                logging.debug('Found valid array: {}'.format(kandjisplit[0]))
                continue
            else:
                logging.error("Found invalid array: {} in the settings.conf file.\nThis is not in the acceptable list of arrays. Check your settings.conf\n Valid arrays are: {}".format(kandjisplit[0], ', '.join(validarrays)))
                sys.exit(exit_error_message)
    if config['snipe-it']['iphone_custom_fieldset_id'] != "":
        for key in config['iphone-api-mapping']:
            kandjisplit = config['iphone-api-mapping'][key].split()
            if kandjisplit[0] in validarrays:
                logging.debug('Found valid array: {}'.format(kandjisplit[0]))
                continue
            else:
                logging.error("Found invalid array: {} in the settings.conf file.\nThis is not in the acceptable list of arrays. Check your settings.conf\n Valid arrays are: {}".format(kandjisplit[0], ', '.join(validarrays)))
                sys.exit(exit_error_message)
    if config['snipe-it']['ipad_custom_fieldset_id'] != "":
        for key in config['ipad-api-mapping']:
            kandjisplit = config['ipad-api-mapping'][key].split()
            if kandjisplit[0] in validarrays:
                logging.debug('Found valid array: {}'.format(kandjisplit[0]))
                continue
            else:
                logging.error("Found invalid array: {} in the settings.conf file.\nThis is not in the acceptable list of arrays. Check your settings.conf\n Valid arrays are: {}".format(kandjisplit[0], ', '.join(validarrays)))
                sys.exit(exit_error_message)
    if config['snipe-it']['appletv_custom_fieldset_id'] != "":
        for key in config['appletv-api-mapping']:
            kandjisplit = config['appletv-api-mapping'][key].split()
            if kandjisplit[0] in validarrays:
                logging.debug('Found valid array: {}'.format(kandjisplit[0]))
                continue
            else:
                logging.error("Found invalid array: {} in the settings.conf file.\nThis is not in the acceptable list of arrays. Check your settings.conf\n Valid arrays are: {}".format(kandjisplit[0], ', '.join(validarrays)))
                sys.exit(exit_error_message)

# Create variables based on setings.conf values
def create_variables():
    # Create Global Variables
    global kandji_base
    global kandji_apitoken
    global kandjiheaders
    global snipe_base
    global snipe_apikey
    global snipeheaders
    global defaultStatus
    global apple_manufacturer_id
    
    logging.info('Creating variables from settings.conf')

    # Kandji Base URL
    if config['kandji']['region'] == "eu":
        kandji_base = f"https://{config['kandji']['tenant']}.api.eu.kandji.io"
        logging.info("The Kandji base url is: {}".format(kandji_base))
    else:
        kandji_base = f"https://{config['kandji']['tenant']}.api.kandji.io"
        logging.info("The Kandji base url is: {}".format(kandji_base))

    # Kandji API Token
    kandji_apitoken = os.environ.get("KANDJI_APITOKEN", config['kandji']['apitoken'])
    logging.debug("The Kandji API token is: {}".format(kandji_apitoken))

    # Snipe-IT base URL, API key, default status, and Apple manufacturer ID
    snipe_base = config['snipe-it']['url']
    logging.info("The Snipe-IT base url is: {}".format(snipe_base))
    
    # Snipe API Key
    snipe_apikey = os.environ.get("SNIPE_APIKEY",config['snipe-it']['apikey'])
    logging.debug("The Snipe-IT API key is: {}".format(snipe_apikey))
    
    defaultStatus = config['snipe-it']['defaultStatus']
    logging.info("Status ID for new assets created in Snipe-IT: {}".format(defaultStatus))
    apple_manufacturer_id = config['snipe-it']['manufacturer_id']
    logging.info("The Snipe-IT manufacturer ID for Apple is: {}".format(apple_manufacturer_id))

    # Headers for the API calls
    logging.info("Creating the headers we'll need for API calls")
    kandjiheaders = {'Authorization': 'Bearer {}'.format(kandji_apitoken),'Accept': 'application/json','Content-Type':'application/json;charset=utf-8','Cache-Control': 'no-cache'}
    snipeheaders = {'Authorization': 'Bearer {}'.format(snipe_apikey),'Accept': 'application/json','Content-Type':'application/json'}
    logging.debug('Request headers for Kandji will be: {}\nRequest headers for Snipe-IT will be: {}'.format(kandjiheaders, snipeheaders))

# Configure logging and set logging level
def set_logging():
    global exit_error_message
    # Configure logging
    if user_args.logfile:
        log_file = 'kandji2snipe.log'
        exit_error_message = 'kandji2snipe exited due to an erorr. Please check kandji2snipe.log for details.'
    else:
        log_file = ''
        exit_error_message = 1


    log_format = '%(asctime)s - %(levelname)s - %(message)s'
    date_format = '%Y-%m-%d %H:%M:%S'

    # Set logging level
    if user_args.verbose:
        logging.basicConfig(level=logging.INFO,format=log_format,datefmt=date_format,filename=log_file)
        logging.info('Verbose Logging Enabled...')
    elif user_args.debug:
        logging.basicConfig(level=logging.DEBUG,format=log_format,datefmt=date_format,filename=log_file)
        logging.info('Debug Logging Enabled...')
    else:
        logging.basicConfig(level=logging.WARNING,format=log_format,datefmt=date_format,filename=log_file)

# Verify that Snipe-IT is accessible
def snipe_access_test():
    try:
        SNIPE_UP = True if requests.get(snipe_base, verify=user_args.do_not_verify_ssl).status_code == 200 else False
    except Exception as e:
        logging.exception(e)
        SNIPE_UP = False
    if not SNIPE_UP:
        logging.error('Snipe-IT cannot be reached from here. \nPlease check the Snipe-IT url in the settings.conf file.')
        sys.exit(exit_error_message)
    else:
        logging.info('We were able to get a good response from your Snipe-IT instance.')

# Verify that Kandji is accessible
def kandji_access_test():
    try:
        api_url = '{0}/api/v1/devices'.format(kandji_base)
        KANDJI_UP = True if requests.get(api_url).status_code in (200, 401) else False
    except Exception as e:
        logging.exception(e)
        KANDJI_UP = False
    if not KANDJI_UP:
        logging.error('Kandji cannot be reached from here. \nPlease check the Kandji tenant and region in the settings.conf file.')
        sys.exit(exit_error_message)
    else:
        logging.info('We were able to get a good response from your Kandji instance.')

# This function is run every time a request is made, handles rate limiting for Snipe-IT.
def request_handler(r, *args, **kwargs):
    global snipe_api_count
    global first_snipe_call
    snipe_api_count = 0
    first_snipe_call = None

    if (snipe_base in r.url) and user_args.ratelimited:
        if '"messages":429' in r.text:
            logging.warning("Despite respecting the rate limit of Snipe-IT, we've still been limited. Trying again after sleeping for 2 seconds.")
            time.sleep(2)
            re_req = r.request
            s = requests.Session()
            return s.send(re_req)
        if snipe_api_count == 0:
            first_snipe_call = time.time()
            time.sleep(0.5)
        snipe_api_count += 1
        time_elapsed = (time.time() - first_snipe_call)
        snipe_api_rate = snipe_api_count / time_elapsed
        if snipe_api_rate > 1.95:
            sleep_time = 0.5 + (snipe_api_rate - 1.95)
            logging.debug('Going over Snipe-IT rate limit of 120/minute ({}/minute), sleeping for {}'.format(snipe_api_rate,sleep_time))
            time.sleep(sleep_time)
        logging.debug("Made {} requests to Snipe-IT in {} seconds, with a request being sent every {} seconds".format(snipe_api_count, time_elapsed, snipe_api_rate))
    if '"messages":429' in r.text:
        logging.error(r.content)
        logging.error("We've been rate limited. Use option -r to respect the built in Snipe-IT API rate limit of 120/minute.")
        sys.exit(exit_error_message)
    return r

# Kandji API Error Handling
def kandji_error_handling(resp, resp_code, err_msg):
    """Handle HTTP errors."""
    # 400
    if resp_code == requests.codes["bad_request"]:
        logging.error(f"{err_msg}")
        logging.error(f"\tResponse msg: {resp.text}\n")
        sys.exit(exit_error_message)
    # 401
    elif resp_code == requests.codes["unauthorized"]:
        logging.error(f"{err_msg}")
        logging.error(
            "This error can occur if the token is incorrect, was revoked, the required "
            "permissions are missing, or the token has expired.")
        sys.exit(exit_error_message)
    # 403
    elif resp_code == requests.codes["forbidden"]:
        logging.error(f"{err_msg}")
        logging.error("The api key may be invalid or missing.")
        sys.exit(exit_error_message)
    # 404
    elif resp_code == requests.codes["not_found"]:
        logging.error("\nWe cannot find the one that you are looking for...")
        logging.error(f"\tError: {err_msg}")
        logging.error(f"\tResponse msg: {resp}")
        logging.error(
            "\tPossible reason: If this is a device it could be because the device is "
            "no longer\n"
            "\t\t\t enrolled in Kandji. This would prevent the MDM command from being\n"
            "\t\t\t sent successfully.\n"
        )
        sys.exit(exit_error_message)
    # 429
    elif resp_code == requests.codes["too_many_requests"]:
        logging.error(f"{err_msg}")
        logging.error("You have reached the rate limit ...")
        print("Try again later ...")
        sys.exit(exit_error_message)
    # 500
    elif resp_code == requests.codes["internal_server_error"]:
        logging.error(f"{err_msg}")
        logging.error("The service is having a problem...")
        sys.exit(exit_error_message)
    # 503
    elif resp_code == requests.codes["service_unavailable"]:
        logging.error(f"{err_msg}")
        logging.error("Unable to reach the service. Try again later...")
        sys.exit(exit_error_message)
    else:
        logging.error("Something really bad must have happened...")
        logging.error(f"{err_msg}")
        sys.exit(exit_error_message)

# Function to use the Kandji API
def kandji_api(method, endpoint, params=None, payload=None):
    """Make an API request and return data.
    method   - an HTTP Method (GET, POST, PATCH, DELETE).
    endpoint - the API URL endpoint to target.
    params   - optional parameters can be passed as a dict.
    payload  - optional payload is passed as a dict and used with PATCH and POST
               methods.
    Returns a JSON data object.
    """
    attom_adapter = HTTPAdapter(max_retries=3)
    session = requests.Session()
    session.mount(kandji_base, attom_adapter)

    try:
        response = session.request(
            method,
            kandji_base + endpoint,
            data=payload,
            headers=kandjiheaders,
            params=params,
            timeout=30,
        )

        # If a successful status code is returned (200 and 300 range)
        if response:
            try:
                data = response.json()
            except Exception:
                data = response.text

        # If the request is successful exceptions will not be raised
        response.raise_for_status()

    except requests.exceptions.RequestException as err:
        kandji_error_handling(resp=response, resp_code=response.status_code, err_msg=err)
        data = {"error": f"{response.status_code}", "api resp": f"{err}"}

    return data

# Function to get device records from Kandji 
def get_kandji_devices(platform):
    count = 0
    # dict placeholder for params passed to api requests
    params = {}
    # limit - set the number of records to return per API call
    limit = 300
    # offset - set the starting point within a list of resources
    offset = 0
    # inventory
    data = []

    while True:
        # update params
        params.update(
            {"platform": f"{platform}", "limit": f"{limit}", "offset": f"{offset}"}
        )

        # get devices
        endpoint="/api/v1/devices"
        logging.debug('Calling for all devices in Kandji against: {}'.format(kandji_base + endpoint))
        response = kandji_api(method="GET", endpoint=endpoint, params=params)
        count += len(response)
        offset += limit
        if len(response) == 0:
            break

        # breakout the response then append to the data list
        for record in response:
            data.append(record)

    return data

# Function to lookup details of a specific Kandji asset using the Device ID.
def get_kandji_device_details(kandji_id):
    endpoint=f"/api/v1/devices/{kandji_id}/details"
    logging.debug('Calling for device details in Kandji against: {}'.format(kandji_base + endpoint))
    response = kandji_api(method="GET", endpoint=endpoint)
    return response

# Function to lookup last activity date and time for a Kandji asset.
def get_kandji_device_activity_date(kandji_id):
    endpoint=f"/api/v1/devices/{kandji_id}/activity"
    logging.debug('Calling for device activity in Kandji against: {}'.format(kandji_base + endpoint))
    response = kandji_api(method="GET", endpoint=endpoint)
    return response

# Function to update the asset tag of devices in Kandji with an number passed from Snipe-IT.
def update_kandji_asset_tag(kandji_id, asset_tag):
    endpoint=f"/api/v1/devices/{kandji_id}"
    payload = '{{"asset_tag": "{}"}}'.format(asset_tag)
    logging.debug('Making PATCH request against: {}\n\tPayload for the request is: {}'.format(kandji_base + endpoint, payload))
    response = kandji_api(method="PATCH", endpoint=endpoint,payload=payload)
    return response

# Function to lookup a Snipe-IT asset by serial number.
def search_snipe_asset(serial):
    api_url = '{}/api/v1/hardware/byserial/{}'.format(snipe_base, serial)
    response = requests.get(api_url, headers=snipeheaders, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    if response.status_code == 200:
        jsonresponse = response.json()
        # Check to make sure there's actually a result
        if "total" in jsonresponse:
            if jsonresponse['total'] == 1:
                return jsonresponse
            elif jsonresponse['total'] == 0:
                logging.info("No assets match {}".format(serial))
                return "NoMatch"
            else:
                logging.warning('FOUND {} matching assets while searching for: {}'.format(jsonresponse['total'], serial))
                return "MultiMatch"
        else:
            logging.info("No assets match {}".format(serial))
            return "NoMatch"
    else:
        logging.warning('Snipe-IT responded with error code:{} when we tried to look up: {}'.format(response.text, serial))
        logging.debug('{} - {}'.format(response.status_code, response.content))
        return "ERROR"

# Function to get all the asset models from Snipe-IT
def get_snipe_models():
    api_url = '{}/api/v1/models'.format(snipe_base)
    logging.debug('Calling against: {}'.format(api_url))
    response = requests.get(api_url, headers=snipeheaders, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    if response.status_code == 200:
        jsonresponse = response.json()
        logging.info("Got a valid response that should have {} models.".format(jsonresponse['total']))
        if jsonresponse['total'] <= len(jsonresponse['rows']) :
            return jsonresponse
        else:
            logging.info("We didn't get enough results so we need to get them again.")
            api_url = '{}/api/v1/models?limit={}'.format(snipe_base, jsonresponse['total'])
            newresponse = requests.get(api_url, headers=snipeheaders, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
            if response.status_code == 200:
                newjsonresponse = newresponse.json()
                if newjsonresponse['total'] == len(newjsonresponse['rows']) :
                    return newjsonresponse
                else:
                    logging.error("Unable to get all models from Snipe-IT")
                    sys.exit(exit_error_message)
            else:
                logging.error('When we tried to retrieve a list of models, Snipe-IT responded with error status code:{} - {}'.format(response.status_code, response.content))
                sys.exit(exit_error_message)
    else:
        logging.error('When we tried to retrieve a list of models, Snipe-IT responded with error status code:{} - {}'.format(response.status_code, response.content))
        sys.exit(exit_error_message)

# Recursive function returns all users in a Snipe-IT Instance, 100 at a time.
def get_snipe_users(previous=[]):
    user_id_url = '{}/api/v1/users'.format(snipe_base)
    payload = {
        'limit': 100,
        'offset': len(previous)
    }
    logging.debug('The payload for the Snipe-IT users GET is {}'.format(payload))
    response = requests.get(user_id_url, headers=snipeheaders, params=payload, hooks={'response': request_handler})
    response_json = response.json()
    current = response_json['rows']
    if len(previous) != 0:
        current = previous + current
    if response_json['total'] > len(current):
        logging.debug('We have more than 100 users, get the next page - total: {} current: {}'.format(response_json['total'], len(current)))
        return get_snipe_users(current)
    else:
        return current

# Function to search Snipe-IT for a user
def get_snipe_user_id(username):
    if username == '':
        return "NotFound"
    username = username.lower()
    for user in snipe_users:
        for value in user.values():
            if str(value).lower() == username:
                id = user['id']
                return id
    if user_args.users_no_search:
        logging.debug("No matches in snipe_users for {}, not querying the API for the next closest match since we've been told not to".format(username))
        return "NotFound"
    logging.debug('No matches in snipe_users for {}, querying the API for the next closest match'.format(username))
    user_id_url = '{}/api/v1/users'.format(snipe_base)
    payload = {
        'search':username,
        'limit':1,
        'sort':'username',
        'order':'asc'
    }
    logging.debug('The payload for the Snipe-IT user search is: {}'.format(payload))
    response = requests.get(user_id_url, headers=snipeheaders, params=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    try:
        return response.json()['rows'][0]['id']
    except:
        return "NotFound"

# Function that creates a new Snipe-IT model - not an asset - with a JSON payload
def create_snipe_model(payload):
    api_url = '{}/api/v1/models'.format(snipe_base)
    logging.debug('Calling to create new snipe model type against: {}\nThe payload for the POST request is:{}\nThe request headers can be found near the start of the output.'.format(api_url, payload))
    response = requests.post(api_url, headers=snipeheaders, json=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    if response.status_code == 200:
        jsonresponse = response.json()
        modelnumbers[jsonresponse['payload']['model_number']] = jsonresponse['payload']['id']
        return True
    else:
        logging.warning('Error code: {} while trying to create a new model.'.format(response.status_code))
        return False

# Function to create a new asset by passing array
def create_snipe_asset(payload):
    api_url = '{}/api/v1/hardware'.format(snipe_base)
    logging.debug('Calling to create a new asset against: {}\nThe payload for the POST request is:{}\nThe request headers can be found near the start of the output.'.format(api_url, payload))
    response = requests.post(api_url, headers=snipeheaders, json=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    logging.debug(response.text)
    if response.status_code == 200:
        logging.debug("Got back status code: 200 - {}".format(response.content))
        jsonresponse = response.json()
        if jsonresponse['status'] == "error":
            logging.error('Asset creation failed for asset {} with error {}'.format(payload['name'],jsonresponse['messages']))
            return 'ERROR', response
        return 'AssetCreated', response
    else:
        logging.error('Asset creation failed for asset {} with error {}'.format(payload['name'],response.text))
        return 'ERROR', response

# Function that updates a Snipe-IT asset with a JSON payload
def update_snipe_asset(snipe_id, payload):
    api_url = '{}/api/v1/hardware/{}'.format(snipe_base, snipe_id)
    logging.debug('The payload for the Snipe-IT update is: {}'.format(payload))
    response = requests.patch(api_url, headers=snipeheaders, json=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    # Verify that the payload updated properly.
    goodupdate = True
    if response.status_code == 200:
        logging.debug("Got back status code: 200 - Checking the payload updated properly: If you error here it's because you configure the API mapping right.")
        jsonresponse = response.json()
        # Check if there's an Error and Log it, or parse the payload.
        if jsonresponse['status'] == "error":
            logging.error('Unable to update ID: {}. Error "{}"'.format(snipe_id, jsonresponse['messages']))
            goodupdate = False
        else:
            for key in payload:
                if payload[key] == '':
                    payload[key] = None
                if jsonresponse['payload'][key] != payload[key]:
                    logging.warning('Unable to update ID: {}. We failed to update the {} field with "{}"'.format(snipe_id, key, payload[key]))
                    goodupdate = False
                else:
                    logging.info("Sucessfully updated {} with: {}".format(key, payload[key]))
        return goodupdate
    else:
        logging.error('Whoops. Got an error status code while updating ID {}: {} - {}'.format(snipe_id, response.status_code, response.content))
        return False

# Function that checks in an asset in Snipe-IT
def checkin_snipe_asset(asset_id):
    api_url = '{}/api/v1/hardware/{}/checkin'.format(snipe_base, asset_id)
    payload = {
        'note':'Checked in by kandji2snipe'
    }
    logging.debug('The payload for the Snipe-IT checkin is: {}'.format(payload))
    response = requests.post(api_url, headers=snipeheaders, json=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    logging.debug('The response from Snipe-IT is: {}'.format(response.json()))
    if response.status_code == 200:
        logging.debug("Got back status code: 200 - {}".format(response.content))
        return "CheckedOut"
    else:
        return response

# Function that checks out an asset in Snipe-IT
def checkout_snipe_asset(user, asset_id, asset_name, checked_out_user=None):
    logging.debug('Checking out {} (ID: {}) to {}'.format(asset_name,asset_id,user))
    user_id = get_snipe_user_id(user)
    if user_id == 'NotFound':
        logging.info("User {} not found in Snipe-IT, skipping check out".format(user))
        return "NotFound"
    if checked_out_user == None:
        logging.info("Not checked out, checking out {} (ID: {}) to {}.".format(asset_name,asset_id,user))
    elif checked_out_user == "NewAsset":
        logging.info("First time this asset will be checked out, checking out to {}".format(user))
    else:
        logging.info("Checking in {} (ID: {}) to check it out to {}".format(asset_name,asset_id,user))
        checkin_snipe_asset(asset_id)
    api_url = '{}/api/v1/hardware/{}/checkout'.format(snipe_base, asset_id)
    logging.info("Checking out {} (ID: {}) to {}.".format(asset_name,asset_id,user))
    payload = {
        'checkout_to_type':'user',
        'assigned_user':user_id,
        'note':'Checked out by kandji2snipe.'
    }
    logging.debug('The payload for the Snipe-IT checkin is: {}'.format(payload))
    response = requests.post(api_url, headers=snipeheaders, json=payload, verify=user_args.do_not_verify_ssl, hooks={'response': request_handler})
    logging.debug('The response from Snipe-IT is: {}'.format(response.json()))
    if response.status_code == 200:
        logging.debug("Got back status code: 200 - {}".format(response.content))
        return "CheckedOut"
    else:
        logging.error('Asset checkout failed for asset {} with error {}'.format(asset_id,response.text))
        return response

### Main Logic ###

# Print version and exit
if user_args.version:
    print('kandji2snipe v'+version)
    sys.exit()

# Configure logging and set logging level
set_logging()

# Notify if we're doing a dry run.
if user_args.dryrun and user_args.logfile:
    logging.info('Dry Run: Starting')
    print("Dry Run: Starting")
elif user_args.dryrun:
    logging.info('Dry Run: Starting')

# Validate User Sync Options
if user_args.users_no_search and not user_args.users:
    logging.error("The -uns option requires the use of -u for user syncing.")
    sys.exit(exit_error_message)

# Find and validate the settings.conf file  
get_settings()

# Create variables based on setings.conf values
create_variables()

# Report if we're verifying SSL or not for Snipe-IT
logging.info("SSL Verification for Snipe-IT is set to: {}".format(user_args.do_not_verify_ssl))

# Do some tests to see if the hosts are accessible
logging.info("Running tests to see if hosts are up.")

# Verify that Snipe-IT is accessible
snipe_access_test()

# Verify that Kandji is accessible
kandji_access_test()

logging.info("Setup and testing complete. Let's get started...")

### Get Started ###

# Get a list of known models from Snipe-IT
logging.info("Getting a list of models from Snipe-IT.")
snipemodels = get_snipe_models()
logging.debug("Parsing the {} model results for models with model numbers.".format(len(snipemodels['rows'])))
modelnumbers = {}
for model in snipemodels['rows']:
    if model['model_number'] == "":
        logging.debug("The model, {}, did not have a model number. Skipping.".format(model['name']))
        continue
    modelnumbers[model['model_number']] = model['id']
logging.info("Our list of models has {} entries.".format(len(modelnumbers)))
logging.debug("Here's the list of the {} models and their id's that we were able to collect:\n{}".format(len(modelnumbers), modelnumbers))

# Get a list of users from Snipe-IT if the user argument was used
if user_args.users:
    snipe_users = get_snipe_users()

# Get the device_ids of all active assets.
kandji_mac_list = get_kandji_devices(platform ='mac')
kandji_iphone_list = get_kandji_devices(platform ='iphone')
kandji_ipad_list = get_kandji_devices(platform ='ipad')
kandji_appletv_list = get_kandji_devices(platform ='appletv')
kandji_device_types = {
    'mac': kandji_mac_list,
    'iphone': kandji_iphone_list,
    'ipad': kandji_ipad_list,
    'appletv': kandji_appletv_list
}

TotalNumber = 0
if user_args.mac:
    TotalNumber = len(kandji_device_types['mac'])
elif user_args.iphone:
    TotalNumber = len(kandji_device_types['iphone'])
elif user_args.ipad:
    TotalNumber = len(kandji_device_types['ipad'])
elif user_args.appletv:
    TotalNumber = len(kandji_device_types['appletv'])
else:
    for kandji_device_type in kandji_device_types:
        TotalNumber += len(kandji_device_types[kandji_device_type])

# Make sure we have a good list.
if TotalNumber != None:
    logging.info('Received a list of Kandji assets that had {} entries.'.format(TotalNumber))
else:
    logging.error("We were not able to retrieve a list of assets from your Kandji instance. It's likely that your settings or credentials are incorrect. Check your settings.conf and verify you can make API calls outside of this system with the credentials found in your settings.conf")
    sys.exit(exit_error_message)

# After this point we start editing data, so quit if this is a dry run
if user_args.dryrun and user_args.logfile:
    logging.info('Dry Run: Complete')
    sys.exit('Dry Run: Complete')
elif user_args.dryrun:
    logging.info('Dry Run: Complete')
    sys.exit()
    
# From this point on, we're editing data.
logging.info('Starting to Update Inventory')
CurrentNumber = 0

for kandji_device_type in kandji_device_types:
    if user_args.mac:
        if kandji_device_type != 'mac':
            continue
    if user_args.iphone:
        if kandji_device_type != 'iphone':
            continue
    if user_args.ipad:
        if kandji_device_type != 'ipad':
            continue
    if user_args.appletv:
        if kandji_device_type != 'appletv':
            continue
    for kandji_asset in kandji_device_types[kandji_device_type]:
        CurrentNumber += 1
        logging.info("Processing entry {} out of {} - Device Name: {} - Device ID: {}".format(CurrentNumber, TotalNumber, kandji_asset['device_name'], kandji_asset['device_id']))

        # Search through the list by device_id for all asset information
        kandji = get_kandji_device_details(kandji_asset['device_id'])
        if kandji == None:
            continue

        # Check that the model number exists in Snipe-IT, if not create it.
        if kandji_device_type == 'mac':
            if kandji['hardware_overview']['model_identifier'] not in modelnumbers:
                logging.info("Could not find a model ID in Snipe-IT for: {}".format(kandji['general']['model']))
                newmodel = {"category_id":config['snipe-it']['mac_model_category_id'],"manufacturer_id":apple_manufacturer_id,"name": kandji['general']['model'],"model_number":kandji['hardware_overview']['model_identifier']}
                if 'mac_custom_fieldset_id' in config['snipe-it']:
                    fieldset_split = config['snipe-it']['mac_custom_fieldset_id']
                    newmodel['fieldset_id'] = fieldset_split
                create_snipe_model(newmodel)
        elif kandji_device_type == 'iphone':
            if kandji['hardware_overview']['model_identifier'] not in modelnumbers:
                logging.info("Could not find a model ID in Snipe-IT for: {}".format(kandji['general']['model']))
                newmodel = {"category_id":config['snipe-it']['iphone_model_category_id'],"manufacturer_id":apple_manufacturer_id,"name": kandji['general']['model'],"model_number":kandji['hardware_overview']['model_identifier']}
                if 'iphone_custom_fieldset_id' in config['snipe-it']:
                    fieldset_split = config['snipe-it']['iphone_custom_fieldset_id']
                    newmodel['fieldset_id'] = fieldset_split
                create_snipe_model(newmodel)
        elif kandji_device_type == 'ipad':
            if kandji['hardware_overview']['model_identifier'] not in modelnumbers:
                logging.info("Could not find a model ID in Snipe-IT for: {}".format(kandji['general']['model']))
                newmodel = {"category_id":config['snipe-it']['ipad_model_category_id'],"manufacturer_id":apple_manufacturer_id,"name": kandji['general']['model'],"model_number":kandji['hardware_overview']['model_identifier']}
                if 'ipad_custom_fieldset_id' in config['snipe-it']:
                    fieldset_split = config['snipe-it']['ipad_custom_fieldset_id']
                    newmodel['fieldset_id'] = fieldset_split
                create_snipe_model(newmodel)
        elif kandji_device_type == 'appletv':
            if kandji['hardware_overview']['model_identifier'] not in modelnumbers:
                logging.info("Could not find a model ID in Snipe-IT for: {}".format(kandji['general']['model']))
                newmodel = {"category_id":config['snipe-it']['appletv_model_category_id'],"manufacturer_id":apple_manufacturer_id,"name": kandji['general']['model'],"model_number":kandji['hardware_overview']['model_identifier']}
                if 'appletv_custom_fieldset_id' in config['snipe-it']:
                    fieldset_split = config['snipe-it']['appletv_custom_fieldset_id']
                    newmodel['fieldset_id'] = fieldset_split
                create_snipe_model(newmodel)


        # Pass the SN from Kandji to search for a match in Snipe-IT
        snipe = search_snipe_asset(kandji['hardware_overview']['serial_number'])

        # Create a new asset if there's no match:
        if snipe == 'NoMatch':
            logging.info("Creating a new asset in Snipe-IT for Kandji ID {} - {}".format(kandji['general']['device_id'], kandji['general']['device_name']))
            # This section checks to see if an asset tag exists in Kandji, if not it creates one.
            if kandji['general']['asset_tag'] == '':
                logging.debug('No asset tag found in Kandji, checking settings.conf for custom asset tag patterns.')
                # Check for custom patterns and use them if enabled, otherwise use the default pattern.
                if config['asset-tag']['use_custom_pattern'] == 'yes':
                    logging.debug('Custom asset tag patterns found.')
                    if kandji_device_type == 'mac':
                        tag_split = config['asset-tag']['pattern_mac'].split()
                        kandji_asset_tag = tag_split[0]+kandji['{}'.format(tag_split[1])]['{}'.format(tag_split[2])]
                    elif kandji_device_type == 'iphone':
                        tag_split = config['asset-tag']['pattern_iphone'].split()
                        kandji_asset_tag = tag_split[0]+kandji['{}'.format(tag_split[1])]['{}'.format(tag_split[2])]
                    elif kandji_device_type == 'ipad':
                        tag_split = config['asset-tag']['pattern_ipad'].split()
                        kandji_asset_tag = tag_split[0]+kandji['{}'.format(tag_split[1])]['{}'.format(tag_split[2])]
                    elif kandji_device_type == 'appletv':
                        tag_split = config['asset-tag']['pattern_appletv'].split()
                        kandji_asset_tag = tag_split[0]+kandji['{}'.format(tag_split[1])]['{}'.format(tag_split[2])]
                else:
                    logging.debug('No custom asset tag patterns found in settings.conf, using default.')
                    kandji_asset_tag = 'KANDJI-{}'.format(kandji['hardware_overview']['serial_number'])
            else:
                kandji_asset_tag = kandji['general']['asset_tag']
                logging.info("Asset tag found in Kandji, setting it to: {}".format(kandji_asset_tag))
            # Create the payload
            logging.debug("Payload is being made.")
            newasset = {'asset_tag': kandji_asset_tag,'model_id': modelnumbers['{}'.format(kandji['hardware_overview']['model_identifier'])], 'name': kandji['general']['device_name'], 'status_id': defaultStatus,'serial': kandji['hardware_overview']['serial_number']}
            for snipekey in config['{}-api-mapping'.format(kandji_device_type)]:
                kandjisplit = config['{}-api-mapping'.format(kandji_device_type)][snipekey].split()
                try:
                    for i, item in enumerate(kandjisplit):
                        try:
                            item = int(item)
                        except ValueError:
                            logging.debug('{} is not an integer'.format(item))
                        if i == 0:
                            kandji_value = kandji[item]
                        else:
                            kandji_value = kandji_value[item]
                    newasset[snipekey] = kandji_value
                except KeyError:
                    continue
            # Reset the payload without the asset_tag if auto_incrementing flag is set.
            if user_args.auto_incrementing:
                newasset.pop('asset_tag', None)
            new_snipe_asset = create_snipe_asset(newasset)
            if new_snipe_asset[0] != "AssetCreated":
                continue
            if user_args.users:
                if not kandji['general']['assigned_user']:
                    logging.info("No user is assigned to {} in Kandji, not checking it out.".format(kandji['general']['device_name']))
                    continue
                logging.info('Checking out new item {} to user {}'.format(kandji['general']['device_name'], kandji['general']['assigned_user']['email']))
                checkout_snipe_asset(kandji['general']['assigned_user']['email'], new_snipe_asset[1].json()['payload']['id'], "NewAsset")

        # Log an error if there's an issue, or more than once match.
        elif snipe == 'MultiMatch':
            logging.warning("WARN: You need to resolve multiple assets with the same serial number in your inventory. If you can't find them in your inventory, you might need to purge your deleted records. You can find that in the Snipe-IT Admin settings. Skipping serial number {} for now.".format(kandji['hardware_overview']['serial_number']))
        elif snipe == 'ERROR':
            logging.error("We got an error when looking up serial number {} in Snipe-IT, which shouldn't happen at this point. Check your Snipe-IT instance and setup. Skipping for now.".format(kandji['hardware_overview']['serial_number']))

        else:
            # Only update if Kandji has more recent info.
            snipe_id = snipe['rows'][0]['id']
            snipe_time = snipe['rows'][0]['updated_at']['datetime']
            kandji_device_activity = get_kandji_device_activity_date(kandji['general']['device_id'])
            kandji_time_conversion = datetime.strptime(kandji_device_activity['activity']['results'][-1]['created_at'], '%Y-%m-%dT%H:%M:%S.%fZ')
            kandji_time_conversion = pytz.timezone('UTC').localize(kandji_time_conversion)
            kandji_time_conversion = kandji_time_conversion.astimezone(pytz.timezone(config['snipe-it']['timezone']))
            kandji_time = kandji_time_conversion.strftime('%Y-%m-%d %H:%M:%S')

            # Check to see that the Kandji record is newer than the previous Snipe-IT update, or if it is a new record in Snipe-IT
            if ( kandji_time > snipe_time ) or ( user_args.force ):
                if user_args.force:
                    logging.info("Forcing the update regardless of the timestamps due to -f being used.")
                logging.debug("Updating the Snipe-IT asset because Kandji has a more recent timestamp: {} > {} or the Snipe-IT record is new".format(kandji_time, snipe_time))
                updates = {}

                if html.unescape(snipe['rows'][0]['name']) != kandji['general']['device_name']:
                    logging.info('Device name changed in Kandji... Updating Snipe-IT')
                    updates={'name': kandji['general']['device_name']}

                for snipekey in config['{}-api-mapping'.format(kandji_device_type)]:
                    try:
                        kandjisplit = config['{}-api-mapping'.format(kandji_device_type)][snipekey].split()
                        for i, item in enumerate(kandjisplit):
                            try:
                                item = int(item)
                            except ValueError:
                                logging.debug('{} is not an integer'.format(item))
                            if i == 0:
                                kandji_value = kandji[item]
                            else:
                                kandji_value = kandji_value[item]
                        payload = {snipekey: kandji_value}
                        latestvalue = kandji_value
                    except KeyError:
                        logging.debug("Skipping the payload, because the Kandji key we're mapping to doesn't exist")
                        continue

                    # Need to check that we're not needlessly updating the asset.
                    # If it's a custom value it'll fail the first section and send it to except section that will parse custom sections.
                    try:
                        if snipe['rows'][0][snipekey] != latestvalue:
                            updates.update(payload)
                        else:
                            logging.debug("Skipping the payload, because it already exits.")
                    except:
                        logging.debug("The snipekey lookup failed, which means it's a custom field. Parsing those to see if it needs to be updated or not.")
                        needsupdate = False
                        for CustomField in snipe['rows'][0]['custom_fields']:
                            if snipe['rows'][0]['custom_fields'][CustomField]['field'] == snipekey :
                                if snipe['rows'][0]['custom_fields'][CustomField]['value'] != str(latestvalue):
                                    logging.debug("Found the field, and the value needs to be updated from {} to {}".format(snipe['rows'][0]['custom_fields'][CustomField]['value'], latestvalue))
                                    needsupdate = True
                        if needsupdate == True:
                            updates.update(payload)
                        else:
                            logging.debug("Skipping the payload, because it already exists, or the Snipe-IT key we're mapping to doesn't.")

                if updates:
                    update_snipe_asset(snipe_id, updates)

                if user_args.users:
                    if snipe['rows'][0]['status_label']['status_meta'] in ('deployable', 'deployed'):
                        if snipe['rows'][0]['assigned_to'] and not kandji['general']['assigned_user']:
                            logging.info("No user is assigned to {} in Kandji, checking it in.".format(kandji['general']['device_name']))
                            checkin_snipe_asset(snipe_id)
                        elif not kandji['general']['assigned_user']:
                            logging.info("No user is assigned to {} in Kandji, skipping check out.".format(kandji['general']['device_name']))
                            continue
                        elif snipe['rows'][0]['assigned_to'] == None or snipe['rows'][0]['assigned_to']['email'] != kandji['general']['assigned_user']['email']:
                            logging.info('Checking out {} to user {}'.format(kandji['general']['device_name'], kandji['general']['assigned_user']['email']))
                            checkout_snipe_asset(kandji['general']['assigned_user']['email'], snipe_id, kandji['general']['device_name'], snipe['rows'][0]['assigned_to'])
                        elif snipe['rows'][0]['assigned_to']['email'] == kandji['general']['assigned_user']['email']:
                            logging.info("{} is already checked out to {}, skipping check out.".format(kandji['general']['device_name'],snipe['rows'][0]['assigned_to']['email']))
                            continue
                        else:
                            logging.info("Failed checking out {} to {}.".format(kandji['general']['device_name'],snipe['rows'][0]['assigned_to']['email']))
                    else:
                        logging.info("Can't checkout {} since the status isn't set to deployable".format(kandji['general']['device_name']))

            else:
                logging.info("Snipe-IT record is newer than the Kandji record. Nothing to sync. If this wrong, then force an inventory update in Kandji")
                logging.debug("Not updating the Snipe-IT asset because Snipe-IT has a more recent timestamp: {} < {}".format(kandji_time, snipe_time))

            # Sync the Snipe-IT Asset Tag Number back to Kandji if needed
            # The user arg below is set to false if it's called, so this would fail if the user called it.
            if (kandji['general']['asset_tag'] != snipe['rows'][0]['asset_tag']) and user_args.do_not_update_kandji :
                logging.info("Asset tag changed in Snipe-IT... Updating Kandji")
                if snipe['rows'][0]['asset_tag'][0]:
                    update_kandji_asset_tag("{}".format(kandji['general']['device_id']), '{}'.format(snipe['rows'][0]['asset_tag']))
                    logging.info("Updating device record")

if user_args.ratelimited:
    logging.debug('Total amount of API calls made: {}'.format(snipe_api_count))