Aegis/backend/app/routers/detection_rules.py

"""Detection rules endpoints — listing, filtering, and template association.

Thin HTTP adapter: delegates all query and business logic to detection_rule_service.

Provides endpoints for browsing detection rules, querying rules by technique,
and managing the template ↔ detection rule associations.
"""

import uuid
from typing import Optional

from fastapi import APIRouter, Depends, Query
from pydantic import BaseModel
from sqlalchemy.orm import Session

from app.database import get_db
from app.dependencies.auth import get_current_user, require_role, require_any_role
from app.models.user import User
from app.services.detection_rule_service import (
    list_rules,
    get_rules_for_template,
    auto_associate_rules,
    get_rules_for_test,
    evaluate_rule,
)


# ── Pydantic schemas for request validation ────────────────────────────


class DetectionRuleEvaluate(BaseModel):
    """Payload for evaluating a detection rule against a test."""
    test_id: uuid.UUID
    detection_rule_id: uuid.UUID
    triggered: Optional[bool] = None
    notes: Optional[str] = None


router = APIRouter(prefix="/detection-rules", tags=["detection-rules"])


# ── GET /detection-rules — List with filters ───────────────────────────


@router.get("")
def list_detection_rules(
    technique: Optional[str] = Query(None, description="Filter by MITRE technique ID"),
    source: Optional[str] = Query(None, description="Filter by source (sigma, elastic, splunk, custom)"),
    severity: Optional[str] = Query(None),
    search: Optional[str] = Query(None),
    offset: int = Query(0, ge=0),
    limit: int = Query(50, ge=1, le=200),
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """List detection rules with optional filters and pagination."""
    return list_rules(
        db,
        technique=technique,
        source=source,
        severity=severity,
        search=search,
        offset=offset,
        limit=limit,
    )


# ── GET /detection-rules/for-template/{template_id} ────────────────────


@router.get("/for-template/{template_id}")
def get_detection_rules_for_template(
    template_id: str,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """Get detection rules associated with a test template."""
    return get_rules_for_template(db, template_id)


# ── POST /detection-rules/auto-associate ────────────────────────────────


@router.post("/auto-associate")
def auto_associate_detection_rules(
    db: Session = Depends(get_db),
    current_user: User = Depends(require_role("admin")),
):
    """Auto-associate test templates with detection rules by MITRE technique ID.

    For each active template, find all active detection rules for the same
    technique and create associations. Rules with severity >= high are marked
    as primary.
    """
    return auto_associate_rules(db)


# ── GET /detection-rules/for-test/{test_id} ──────────────────────────────


@router.get("/for-test/{test_id}")
def get_detection_rules_for_test(
    test_id: str,
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """Get detection rules relevant to a test, along with their evaluation results.

    Finds rules by matching the test's technique_id to detection rules,
    and returns any existing evaluation results.
    """
    return get_rules_for_test(db, test_id)


# ── POST /detection-rules/evaluate ──────────────────────────────────────


@router.post("/evaluate")
def evaluate_detection_rule(
    payload: DetectionRuleEvaluate,
    db: Session = Depends(get_db),
    current_user: User = Depends(require_any_role("blue_tech", "blue_lead")),
):
    """Save or update the evaluation result for a detection rule on a test."""
    return evaluate_rule(
        db,
        test_id=payload.test_id,
        detection_rule_id=payload.detection_rule_id,
        triggered=payload.triggered,
        notes=payload.notes,
        evaluator_id=current_user.id,
    )