"""FastAPI application factory and global middleware/exception configuration. Builds the ``app`` instance, wires up CORS, rate limiting, domain-error mapping, all API routers, and async lifespan hooks (MinIO bucket creation, APScheduler startup/shutdown). """ # Import logging import logging # Import os import os # Import AsyncGenerator from collections.abc from collections.abc import AsyncGenerator # Import asynccontextmanager from contextlib from contextlib import asynccontextmanager # Import FastAPI, Request, status from fastapi from fastapi import FastAPI, Request, status # Import RequestValidationError from fastapi.exceptions from fastapi.exceptions import RequestValidationError # Import CORSMiddleware from fastapi.middleware.cors from fastapi.middleware.cors import CORSMiddleware # Import JSONResponse from fastapi.responses from fastapi.responses import JSONResponse # Import _rate_limit_exceeded_handler from slowapi from slowapi import _rate_limit_exceeded_handler # Import RateLimitExceeded from slowapi.errors from slowapi.errors import RateLimitExceeded # Import SQLAlchemyError from sqlalchemy.exc from sqlalchemy.exc import SQLAlchemyError from app.routers import auth as auth_router from app.routers import techniques as techniques_router from app.routers import tests as tests_router from app.routers import evidence as evidence_router from app.routers import test_templates as test_templates_router from app.routers import system as system_router from app.routers import metrics as metrics_router from app.routers import users as users_router from app.routers import audit as audit_router from app.routers import notifications as notifications_router from app.routers import reports as reports_router from app.routers import data_sources as data_sources_router from app.routers import threat_actors as threat_actors_router from app.routers import d3fend as d3fend_router from app.routers import detection_rules as detection_rules_router from app.routers import campaigns as campaigns_router from app.routers import heatmap as heatmap_router from app.routers import scores as scores_router from app.routers import operational_metrics as operational_metrics_router from app.routers import compliance as compliance_router from app.routers import snapshots as snapshots_router from app.routers import jira as jira_router from app.routers import worklogs as worklogs_router from app.routers import professional_reports as professional_reports_router from app.routers import analytics as analytics_router from app.routers import advanced_metrics as advanced_metrics_router from app.routers import osint as osint_router from app.routers import webhooks as webhooks_router from app.routers import detection_lifecycle as detection_lifecycle_router from app.routers import intel as intel_router from app.routers import admin_config as admin_config_router from app.routers import ownership as ownership_router from app.routers import attack_paths as attack_paths_router from app.routers import knowledge as knowledge_router from app.routers import risk_intelligence as risk_router from app.routers import executive_dashboard as dashboard_router from app.routers import api_keys as api_keys_router from app.routers import sso as sso_router from app.routers import operational_alerts as alerts_router from app.domain.errors import DomainError # Import scheduler, start_scheduler from app.jobs.mitre_sync_job from app.jobs.mitre_sync_job import scheduler, start_scheduler # Import limiter from app.limiter from app.limiter import limiter # Import setup_logging from app.logging_config from app.logging_config import setup_logging # Import domain_exception_handler from app.middleware.error_handler from app.middleware.error_handler import domain_exception_handler # Import RequestContextMiddleware from app.middleware.request_context from app.middleware.request_context import RequestContextMiddleware from app.storage import ensure_bucket_exists from app.config import settings as _settings from starlette.middleware.base import BaseHTTPMiddleware # Configure structured logging before any module initialises its own logger setup_logging() # ── Environment detection ───────────────────────────────────────────────── _IS_PRODUCTION = os.environ.get("AEGIS_ENV", "").lower() == "production" # Apply the @asynccontextmanager decorator @asynccontextmanager # Define async function lifespan async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]: """Manage application startup and shutdown lifecycle. Args: app (FastAPI): The FastAPI application instance. Yields: None: Control is yielded to the running application. """ # Call ensure_bucket_exists() ensure_bucket_exists() # Call start_scheduler() start_scheduler() # Seed decay policies from app.database import SessionLocal from app.seed_decay_policies import seed_decay_policies db = SessionLocal() try: seed_decay_policies(db) except Exception as e: logger.warning("seed_decay_policies failed at startup: %s", e) finally: db.close() # Seed operational alert system rules db2 = SessionLocal() try: from app.services.operational_alert_service import seed_system_rules seed_system_rules(db2) except Exception as e: logger.warning("seed_system_rules failed at startup: %s", e) finally: db2.close() yield # Graceful shutdown of the background scheduler scheduler.shutdown(wait=False) # ── In production, disable Swagger UI and ReDoc to hide API surface ────── app = FastAPI( # Keyword argument: title title="Attack Coverage Platform", # Keyword argument: lifespan lifespan=lifespan, # Keyword argument: docs_url docs_url=None if _IS_PRODUCTION else "/docs", # Keyword argument: redoc_url redoc_url=None if _IS_PRODUCTION else "/redoc", # Keyword argument: openapi_url openapi_url=None if _IS_PRODUCTION else "/openapi.json", ) # ── Rate Limiter ────────────────────────────────────────────────────────── app.state.limiter = limiter # Call app.add_exception_handler() app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) # Call app.add_middleware() app.add_middleware(RequestContextMiddleware) # ── No-cache middleware for all /api/ responses ─────────────────────────── # Prevents Cloudflare and browser caches from storing API responses, # which would cause stale/empty data to be served after backend restarts. class NoCacheAPIMiddleware(BaseHTTPMiddleware): async def dispatch(self, request: Request, call_next): response = await call_next(request) if request.url.path.startswith("/api/"): response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate" response.headers["Pragma"] = "no-cache" return response app.add_middleware(NoCacheAPIMiddleware) # ── Domain exception → HTTP mapping ────────────────────────────────────── app.add_exception_handler(DomainError, domain_exception_handler) # ── CORS ────────────────────────────────────────────────────────────────── _cors_origins: list[str] = [ o.strip() for o in _settings.CORS_ORIGINS.split(",") if o.strip() ] # Call app.add_middleware() app.add_middleware( CORSMiddleware, # Keyword argument: allow_origins allow_origins=_cors_origins, # Keyword argument: allow_credentials allow_credentials=True, # Keyword argument: allow_methods allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], # Keyword argument: allow_headers allow_headers=["Authorization", "Content-Type"], ) # ── Routers ────────────────────────────────────────────────────────────── app.include_router(auth_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(techniques_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(tests_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(evidence_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(test_templates_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(system_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(metrics_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(users_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(audit_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(notifications_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(reports_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(data_sources_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(threat_actors_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(d3fend_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(detection_rules_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(campaigns_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(heatmap_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(scores_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(operational_metrics_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(compliance_router.router, prefix="/api/v1") app.include_router(intel_router.router, prefix="/api/v1") app.include_router(admin_config_router.router, prefix="/api/v1") app.include_router(snapshots_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(jira_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(worklogs_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(professional_reports_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(analytics_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(advanced_metrics_router.router, prefix="/api/v1") # Call app.include_router() app.include_router(osint_router.router, prefix="/api/v1") app.include_router(webhooks_router.router, prefix="/api/v1") app.include_router(detection_lifecycle_router.router, prefix="/api/v1") app.include_router(ownership_router.router, prefix="/api/v1") app.include_router(attack_paths_router.router, prefix="/api/v1") app.include_router(knowledge_router.router, prefix="/api/v1") app.include_router(risk_router.router, prefix="/api/v1") app.include_router(dashboard_router.router, prefix="/api/v1") app.include_router(api_keys_router.router, prefix="/api/v1") app.include_router(sso_router.router, prefix="/api/v1") app.include_router(alerts_router.router, prefix="/api/v1") # Apply the @app.get decorator @app.get("/health", include_in_schema=False) # Define function health def health() -> dict[str, str]: """Return a minimal liveness probe response. Access is restricted to internal networks at the Nginx level (see ``frontend/nginx.conf``). Returns: dict[str, str]: A dict with ``{"status": "ok"}``. """ # Return {"status": "ok"} return {"status": "ok"} # ── Exception Handlers ──────────────────────────────────────────────────── def _serialize_validation_errors(exc: RequestValidationError) -> list[dict]: """Return validation errors safe for JSON serialization. Converts non-serializable values inside ``ctx`` dictionaries to strings so the response body can be safely encoded. Args: exc (RequestValidationError): The Pydantic validation exception. Returns: list[dict]: A list of sanitised error detail dictionaries. """ # Assign serialized = [] serialized: list[dict] = [] # Iterate over exc.errors() for err in exc.errors(): # Assign item = dict(err) item = dict(err) # Assign ctx = item.get("ctx") ctx = item.get("ctx") # Check: isinstance(ctx, dict) if isinstance(ctx, dict): # Assign item["ctx"] = {key: str(value) for key, value in ctx.items()} item["ctx"] = {key: str(value) for key, value in ctx.items()} # Call serialized.append() serialized.append(item) # Return serialized return serialized # Apply the @app.exception_handler decorator @app.exception_handler(RequestValidationError) # Define async function validation_exception_handler async def validation_exception_handler(request: Request, exc: RequestValidationError) -> JSONResponse: """Handle Pydantic validation errors and return a structured 422 response. Args: request (Request): The incoming HTTP request. exc (RequestValidationError): The caught validation exception. Returns: JSONResponse: A 422 response with a ``VALIDATION_ERROR`` code and error details. """ # Return JSONResponse( return JSONResponse( # Keyword argument: status_code status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, # Keyword argument: content content={ # Literal argument value "detail": "Validation error", # Literal argument value "code": "VALIDATION_ERROR", # Literal argument value "errors": _serialize_validation_errors(exc), }, ) # Apply the @app.exception_handler decorator @app.exception_handler(SQLAlchemyError) # Define async function sqlalchemy_exception_handler async def sqlalchemy_exception_handler(request: Request, exc: SQLAlchemyError) -> JSONResponse: """Handle SQLAlchemy database errors and return a structured 500 response. Args: request (Request): The incoming HTTP request. exc (SQLAlchemyError): The caught SQLAlchemy exception. Returns: JSONResponse: A 500 response with a ``DATABASE_ERROR`` code. """ # Log error: f"Database error: {exc}" logging.error(f"Database error: {exc}") # Return JSONResponse( return JSONResponse( # Keyword argument: status_code status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, # Keyword argument: content content={ # Literal argument value "detail": "Database error occurred", # Literal argument value "code": "DATABASE_ERROR", }, ) # Apply the @app.exception_handler decorator @app.exception_handler(Exception) # Define async function general_exception_handler async def general_exception_handler(request: Request, exc: Exception) -> JSONResponse: """Handle all otherwise-unhandled exceptions and return a structured 500 response. Args: request (Request): The incoming HTTP request. exc (Exception): The unhandled exception. Returns: JSONResponse: A 500 response with an ``INTERNAL_ERROR`` code. """ # Log error: f"Unhandled exception: {exc}" logging.error(f"Unhandled exception: {exc}") # Return JSONResponse( return JSONResponse( # Keyword argument: status_code status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, # Keyword argument: content content={ # Literal argument value "detail": "An internal server error occurred", # Literal argument value "code": "INTERNAL_ERROR", }, )