feat(refactor): PEP8, type annotations, docstrings and PyJWT security fix
This commit is contained in:
kitos
+261
-23
@@ -1,13 +1,41 @@
|
||||
"""FastAPI application factory and global middleware/exception configuration.
|
||||
|
||||
Builds the ``app`` instance, wires up CORS, rate limiting, domain-error
|
||||
mapping, all API routers, and async lifespan hooks (MinIO bucket creation,
|
||||
APScheduler startup/shutdown).
|
||||
"""
|
||||
|
||||
# Import logging
|
||||
import logging
|
||||
|
||||
# Import os
|
||||
import os
|
||||
|
||||
# Import AsyncGenerator from collections.abc
|
||||
from collections.abc import AsyncGenerator
|
||||
|
||||
# Import asynccontextmanager from contextlib
|
||||
from contextlib import asynccontextmanager
|
||||
|
||||
# Import FastAPI, Request, status from fastapi
|
||||
from fastapi import FastAPI, Request, status
|
||||
from fastapi.middleware.cors import CORSMiddleware
|
||||
from fastapi.responses import JSONResponse
|
||||
|
||||
# Import RequestValidationError from fastapi.exceptions
|
||||
from fastapi.exceptions import RequestValidationError
|
||||
|
||||
# Import CORSMiddleware from fastapi.middleware.cors
|
||||
from fastapi.middleware.cors import CORSMiddleware
|
||||
|
||||
# Import JSONResponse from fastapi.responses
|
||||
from fastapi.responses import JSONResponse
|
||||
|
||||
# Import _rate_limit_exceeded_handler from slowapi
|
||||
from slowapi import _rate_limit_exceeded_handler
|
||||
|
||||
# Import RateLimitExceeded from slowapi.errors
|
||||
from slowapi.errors import RateLimitExceeded
|
||||
|
||||
# Import SQLAlchemyError from sqlalchemy.exc
|
||||
from sqlalchemy.exc import SQLAlchemyError
|
||||
|
||||
from app.routers import auth as auth_router
|
||||
@@ -50,24 +78,127 @@ from app.routers import api_keys as api_keys_router
|
||||
from app.routers import sso as sso_router
|
||||
from app.routers import operational_alerts as alerts_router
|
||||
from app.domain.errors import DomainError
|
||||
from app.middleware.error_handler import domain_exception_handler
|
||||
from app.middleware.request_context import RequestContextMiddleware
|
||||
|
||||
# Import scheduler, start_scheduler from app.jobs.mitre_sync_job
|
||||
from app.jobs.mitre_sync_job import scheduler, start_scheduler
|
||||
|
||||
# Import limiter from app.limiter
|
||||
from app.limiter import limiter
|
||||
|
||||
# Import setup_logging from app.logging_config
|
||||
from app.logging_config import setup_logging
|
||||
|
||||
# Import domain_exception_handler from app.middleware.error_handler
|
||||
from app.middleware.error_handler import domain_exception_handler
|
||||
|
||||
# Import RequestContextMiddleware from app.middleware.request_context
|
||||
from app.middleware.request_context import RequestContextMiddleware
|
||||
|
||||
# Import advanced_metrics as advanced_metrics_router from app.routers
|
||||
from app.routers import advanced_metrics as advanced_metrics_router
|
||||
|
||||
# Import analytics as analytics_router from app.routers
|
||||
from app.routers import analytics as analytics_router
|
||||
|
||||
# Import audit as audit_router from app.routers
|
||||
from app.routers import audit as audit_router
|
||||
|
||||
# Import auth as auth_router from app.routers
|
||||
from app.routers import auth as auth_router
|
||||
|
||||
# Import campaigns as campaigns_router from app.routers
|
||||
from app.routers import campaigns as campaigns_router
|
||||
|
||||
# Import compliance as compliance_router from app.routers
|
||||
from app.routers import compliance as compliance_router
|
||||
|
||||
# Import d3fend as d3fend_router from app.routers
|
||||
from app.routers import d3fend as d3fend_router
|
||||
|
||||
# Import data_sources as data_sources_router from app.routers
|
||||
from app.routers import data_sources as data_sources_router
|
||||
|
||||
# Import detection_rules as detection_rules_router from app.routers
|
||||
from app.routers import detection_rules as detection_rules_router
|
||||
|
||||
# Import evidence as evidence_router from app.routers
|
||||
from app.routers import evidence as evidence_router
|
||||
|
||||
# Import heatmap as heatmap_router from app.routers
|
||||
from app.routers import heatmap as heatmap_router
|
||||
|
||||
# Import jira as jira_router from app.routers
|
||||
from app.routers import jira as jira_router
|
||||
|
||||
# Import metrics as metrics_router from app.routers
|
||||
from app.routers import metrics as metrics_router
|
||||
|
||||
# Import notifications as notifications_router from app.routers
|
||||
from app.routers import notifications as notifications_router
|
||||
|
||||
# Import operational_metrics as operational_metrics_router from app.routers
|
||||
from app.routers import operational_metrics as operational_metrics_router
|
||||
|
||||
# Import osint as osint_router from app.routers
|
||||
from app.routers import osint as osint_router
|
||||
|
||||
# Import professional_reports as professional_reports_ro... from app.routers
|
||||
from app.routers import professional_reports as professional_reports_router
|
||||
|
||||
# Import reports as reports_router from app.routers
|
||||
from app.routers import reports as reports_router
|
||||
|
||||
# Import scores as scores_router from app.routers
|
||||
from app.routers import scores as scores_router
|
||||
|
||||
# Import snapshots as snapshots_router from app.routers
|
||||
from app.routers import snapshots as snapshots_router
|
||||
|
||||
# Import system as system_router from app.routers
|
||||
from app.routers import system as system_router
|
||||
|
||||
# Import techniques as techniques_router from app.routers
|
||||
from app.routers import techniques as techniques_router
|
||||
|
||||
# Import test_templates as test_templates_router from app.routers
|
||||
from app.routers import test_templates as test_templates_router
|
||||
|
||||
# Import tests as tests_router from app.routers
|
||||
from app.routers import tests as tests_router
|
||||
|
||||
# Import threat_actors as threat_actors_router from app.routers
|
||||
from app.routers import threat_actors as threat_actors_router
|
||||
|
||||
# Import users as users_router from app.routers
|
||||
from app.routers import users as users_router
|
||||
|
||||
# Import worklogs as worklogs_router from app.routers
|
||||
from app.routers import worklogs as worklogs_router
|
||||
|
||||
# Import ensure_bucket_exists from app.storage
|
||||
from app.storage import ensure_bucket_exists
|
||||
from app.jobs.mitre_sync_job import start_scheduler, scheduler
|
||||
|
||||
# Configure structured logging before any module initialises its own logger
|
||||
setup_logging()
|
||||
|
||||
# ── Environment detection ─────────────────────────────────────────────────
|
||||
_IS_PRODUCTION = os.environ.get("AEGIS_ENV", "").lower() == "production"
|
||||
|
||||
# ── Logging ───────────────────────────────────────────────────────────────
|
||||
from app.logging_config import setup_logging
|
||||
|
||||
setup_logging()
|
||||
|
||||
# Apply the @asynccontextmanager decorator
|
||||
@asynccontextmanager
|
||||
async def lifespan(app: FastAPI):
|
||||
"""Startup / shutdown logic."""
|
||||
# Define async function lifespan
|
||||
async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
|
||||
"""Manage application startup and shutdown lifecycle.
|
||||
|
||||
Args:
|
||||
app (FastAPI): The FastAPI application instance.
|
||||
|
||||
Yields:
|
||||
None: Control is yielded to the running application.
|
||||
"""
|
||||
# Call ensure_bucket_exists()
|
||||
ensure_bucket_exists()
|
||||
# Call start_scheduler()
|
||||
start_scheduler()
|
||||
# Seed decay policies
|
||||
from app.database import SessionLocal
|
||||
@@ -95,17 +226,24 @@ async def lifespan(app: FastAPI):
|
||||
|
||||
# ── In production, disable Swagger UI and ReDoc to hide API surface ──────
|
||||
app = FastAPI(
|
||||
# Keyword argument: title
|
||||
title="Attack Coverage Platform",
|
||||
# Keyword argument: lifespan
|
||||
lifespan=lifespan,
|
||||
# Keyword argument: docs_url
|
||||
docs_url=None if _IS_PRODUCTION else "/docs",
|
||||
# Keyword argument: redoc_url
|
||||
redoc_url=None if _IS_PRODUCTION else "/redoc",
|
||||
# Keyword argument: openapi_url
|
||||
openapi_url=None if _IS_PRODUCTION else "/openapi.json",
|
||||
)
|
||||
|
||||
# ── Rate Limiter ──────────────────────────────────────────────────────────
|
||||
app.state.limiter = limiter
|
||||
# Call app.add_exception_handler()
|
||||
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
|
||||
|
||||
# Call app.add_middleware()
|
||||
app.add_middleware(RequestContextMiddleware)
|
||||
|
||||
|
||||
@@ -130,49 +268,77 @@ app.add_middleware(NoCacheAPIMiddleware)
|
||||
app.add_exception_handler(DomainError, domain_exception_handler)
|
||||
|
||||
# ── CORS ──────────────────────────────────────────────────────────────────
|
||||
from app.config import settings as _settings
|
||||
|
||||
_cors_origins: list[str] = [
|
||||
o.strip() for o in _settings.CORS_ORIGINS.split(",") if o.strip()
|
||||
]
|
||||
|
||||
# Call app.add_middleware()
|
||||
app.add_middleware(
|
||||
CORSMiddleware,
|
||||
# Keyword argument: allow_origins
|
||||
allow_origins=_cors_origins,
|
||||
# Keyword argument: allow_credentials
|
||||
allow_credentials=True,
|
||||
# Keyword argument: allow_methods
|
||||
allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
|
||||
# Keyword argument: allow_headers
|
||||
allow_headers=["Authorization", "Content-Type"],
|
||||
)
|
||||
|
||||
# ── Routers ──────────────────────────────────────────────────────────────
|
||||
app.include_router(auth_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(techniques_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(tests_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(evidence_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(test_templates_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(system_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(metrics_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(users_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(audit_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(notifications_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(reports_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(data_sources_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(threat_actors_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(d3fend_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(detection_rules_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(campaigns_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(heatmap_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(scores_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(operational_metrics_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(compliance_router.router, prefix="/api/v1")
|
||||
app.include_router(intel_router.router, prefix="/api/v1")
|
||||
app.include_router(admin_config_router.router, prefix="/api/v1")
|
||||
app.include_router(snapshots_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(jira_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(worklogs_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(professional_reports_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(analytics_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(advanced_metrics_router.router, prefix="/api/v1")
|
||||
# Call app.include_router()
|
||||
app.include_router(osint_router.router, prefix="/api/v1")
|
||||
app.include_router(webhooks_router.router, prefix="/api/v1")
|
||||
app.include_router(detection_lifecycle_router.router, prefix="/api/v1")
|
||||
@@ -186,13 +352,19 @@ app.include_router(sso_router.router, prefix="/api/v1")
|
||||
app.include_router(alerts_router.router, prefix="/api/v1")
|
||||
|
||||
|
||||
# Apply the @app.get decorator
|
||||
@app.get("/health", include_in_schema=False)
|
||||
def health():
|
||||
"""Minimal health check — returns only an HTTP 200 with no service metadata.
|
||||
# Define function health
|
||||
def health() -> dict[str, str]:
|
||||
"""Return a minimal liveness probe response.
|
||||
|
||||
Access is restricted to internal networks at the Nginx level
|
||||
(see ``frontend/nginx.conf``).
|
||||
|
||||
Returns:
|
||||
dict[str, str]: A dict with ``{"status": "ok"}``.
|
||||
"""
|
||||
# Return {"status": "ok"}
|
||||
return {"status": "ok"}
|
||||
|
||||
|
||||
@@ -200,51 +372,117 @@ def health():
|
||||
|
||||
|
||||
def _serialize_validation_errors(exc: RequestValidationError) -> list[dict]:
|
||||
"""Return validation errors safe for JSON (no raw exception objects)."""
|
||||
"""Return validation errors safe for JSON serialization.
|
||||
|
||||
Converts non-serializable values inside ``ctx`` dictionaries to strings
|
||||
so the response body can be safely encoded.
|
||||
|
||||
Args:
|
||||
exc (RequestValidationError): The Pydantic validation exception.
|
||||
|
||||
Returns:
|
||||
list[dict]: A list of sanitised error detail dictionaries.
|
||||
"""
|
||||
# Assign serialized = []
|
||||
serialized: list[dict] = []
|
||||
# Iterate over exc.errors()
|
||||
for err in exc.errors():
|
||||
# Assign item = dict(err)
|
||||
item = dict(err)
|
||||
# Assign ctx = item.get("ctx")
|
||||
ctx = item.get("ctx")
|
||||
# Check: isinstance(ctx, dict)
|
||||
if isinstance(ctx, dict):
|
||||
# Assign item["ctx"] = {key: str(value) for key, value in ctx.items()}
|
||||
item["ctx"] = {key: str(value) for key, value in ctx.items()}
|
||||
# Call serialized.append()
|
||||
serialized.append(item)
|
||||
# Return serialized
|
||||
return serialized
|
||||
|
||||
|
||||
# Apply the @app.exception_handler decorator
|
||||
@app.exception_handler(RequestValidationError)
|
||||
async def validation_exception_handler(request: Request, exc: RequestValidationError):
|
||||
"""Handle validation errors with consistent format."""
|
||||
# Define async function validation_exception_handler
|
||||
async def validation_exception_handler(request: Request, exc: RequestValidationError) -> JSONResponse:
|
||||
"""Handle Pydantic validation errors and return a structured 422 response.
|
||||
|
||||
Args:
|
||||
request (Request): The incoming HTTP request.
|
||||
exc (RequestValidationError): The caught validation exception.
|
||||
|
||||
Returns:
|
||||
JSONResponse: A 422 response with a ``VALIDATION_ERROR`` code and error details.
|
||||
"""
|
||||
# Return JSONResponse(
|
||||
return JSONResponse(
|
||||
# Keyword argument: status_code
|
||||
status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
|
||||
# Keyword argument: content
|
||||
content={
|
||||
# Literal argument value
|
||||
"detail": "Validation error",
|
||||
# Literal argument value
|
||||
"code": "VALIDATION_ERROR",
|
||||
# Literal argument value
|
||||
"errors": _serialize_validation_errors(exc),
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
# Apply the @app.exception_handler decorator
|
||||
@app.exception_handler(SQLAlchemyError)
|
||||
async def sqlalchemy_exception_handler(request: Request, exc: SQLAlchemyError):
|
||||
"""Handle database errors."""
|
||||
# Define async function sqlalchemy_exception_handler
|
||||
async def sqlalchemy_exception_handler(request: Request, exc: SQLAlchemyError) -> JSONResponse:
|
||||
"""Handle SQLAlchemy database errors and return a structured 500 response.
|
||||
|
||||
Args:
|
||||
request (Request): The incoming HTTP request.
|
||||
exc (SQLAlchemyError): The caught SQLAlchemy exception.
|
||||
|
||||
Returns:
|
||||
JSONResponse: A 500 response with a ``DATABASE_ERROR`` code.
|
||||
"""
|
||||
# Log error: f"Database error: {exc}"
|
||||
logging.error(f"Database error: {exc}")
|
||||
# Return JSONResponse(
|
||||
return JSONResponse(
|
||||
# Keyword argument: status_code
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
# Keyword argument: content
|
||||
content={
|
||||
# Literal argument value
|
||||
"detail": "Database error occurred",
|
||||
# Literal argument value
|
||||
"code": "DATABASE_ERROR",
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
# Apply the @app.exception_handler decorator
|
||||
@app.exception_handler(Exception)
|
||||
async def general_exception_handler(request: Request, exc: Exception):
|
||||
"""Handle all unhandled exceptions."""
|
||||
# Define async function general_exception_handler
|
||||
async def general_exception_handler(request: Request, exc: Exception) -> JSONResponse:
|
||||
"""Handle all otherwise-unhandled exceptions and return a structured 500 response.
|
||||
|
||||
Args:
|
||||
request (Request): The incoming HTTP request.
|
||||
exc (Exception): The unhandled exception.
|
||||
|
||||
Returns:
|
||||
JSONResponse: A 500 response with an ``INTERNAL_ERROR`` code.
|
||||
"""
|
||||
# Log error: f"Unhandled exception: {exc}"
|
||||
logging.error(f"Unhandled exception: {exc}")
|
||||
# Return JSONResponse(
|
||||
return JSONResponse(
|
||||
# Keyword argument: status_code
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
# Keyword argument: content
|
||||
content={
|
||||
# Literal argument value
|
||||
"detail": "An internal server error occurred",
|
||||
# Literal argument value
|
||||
"code": "INTERNAL_ERROR",
|
||||
},
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user