Aegis/backend/app/main.py

"""FastAPI application factory and global middleware/exception configuration.

Builds the ``app`` instance, wires up CORS, rate limiting, domain-error
mapping, all API routers, and async lifespan hooks (MinIO bucket creation,
APScheduler startup/shutdown).
"""

# Import logging
import logging

# Import os
import os

# Import AsyncGenerator from collections.abc
from collections.abc import AsyncGenerator

# Import asynccontextmanager from contextlib
from contextlib import asynccontextmanager

# Import FastAPI, Request, status from fastapi
from fastapi import FastAPI, Request, status

# Import RequestValidationError from fastapi.exceptions
from fastapi.exceptions import RequestValidationError

# Import CORSMiddleware from fastapi.middleware.cors
from fastapi.middleware.cors import CORSMiddleware

# Import JSONResponse from fastapi.responses
from fastapi.responses import JSONResponse

# Import _rate_limit_exceeded_handler from slowapi
from slowapi import _rate_limit_exceeded_handler

# Import RateLimitExceeded from slowapi.errors
from slowapi.errors import RateLimitExceeded

# Import SQLAlchemyError from sqlalchemy.exc
from sqlalchemy.exc import SQLAlchemyError

from app.routers import auth as auth_router
from app.routers import techniques as techniques_router
from app.routers import tests as tests_router
from app.routers import evidence as evidence_router
from app.routers import test_templates as test_templates_router
from app.routers import system as system_router
from app.routers import metrics as metrics_router
from app.routers import users as users_router
from app.routers import audit as audit_router
from app.routers import notifications as notifications_router
from app.routers import reports as reports_router
from app.routers import data_sources as data_sources_router
from app.routers import threat_actors as threat_actors_router
from app.routers import d3fend as d3fend_router
from app.routers import detection_rules as detection_rules_router
from app.routers import campaigns as campaigns_router
from app.routers import heatmap as heatmap_router
from app.routers import scores as scores_router
from app.routers import operational_metrics as operational_metrics_router
from app.routers import compliance as compliance_router
from app.routers import snapshots as snapshots_router
from app.routers import jira as jira_router
from app.routers import worklogs as worklogs_router
from app.routers import professional_reports as professional_reports_router
from app.routers import analytics as analytics_router
from app.routers import advanced_metrics as advanced_metrics_router
from app.routers import osint as osint_router
from app.routers import webhooks as webhooks_router
from app.routers import detection_lifecycle as detection_lifecycle_router
from app.routers import intel as intel_router
from app.routers import admin_config as admin_config_router
from app.routers import ownership as ownership_router
from app.routers import attack_paths as attack_paths_router
from app.routers import knowledge as knowledge_router
from app.routers import risk_intelligence as risk_router
from app.routers import executive_dashboard as dashboard_router
from app.routers import api_keys as api_keys_router
from app.routers import sso as sso_router
from app.routers import operational_alerts as alerts_router
from app.domain.errors import DomainError

# Import scheduler, start_scheduler from app.jobs.mitre_sync_job
from app.jobs.mitre_sync_job import scheduler, start_scheduler

# Import limiter from app.limiter
from app.limiter import limiter

# Import setup_logging from app.logging_config
from app.logging_config import setup_logging

# Import domain_exception_handler from app.middleware.error_handler
from app.middleware.error_handler import domain_exception_handler

# Import RequestContextMiddleware from app.middleware.request_context
from app.middleware.request_context import RequestContextMiddleware
from app.storage import ensure_bucket_exists
from app.config import settings as _settings
from starlette.middleware.base import BaseHTTPMiddleware

# Configure structured logging before any module initialises its own logger
setup_logging()

logger = logging.getLogger(__name__)

# ── Environment detection ─────────────────────────────────────────────────
_IS_PRODUCTION = os.environ.get("AEGIS_ENV", "").lower() == "production"

# Apply the @asynccontextmanager decorator
@asynccontextmanager
# Define async function lifespan
async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
    """Manage application startup and shutdown lifecycle.

    Args:
        app (FastAPI): The FastAPI application instance.

    Yields:
        None: Control is yielded to the running application.
    """
    # Call ensure_bucket_exists()
    ensure_bucket_exists()
    # Call start_scheduler()
    start_scheduler()
    # Seed decay policies
    from app.database import SessionLocal
    from app.seed_decay_policies import seed_decay_policies
    db = SessionLocal()
    try:
        seed_decay_policies(db)
    except Exception as e:
        logger.warning("seed_decay_policies failed at startup: %s", e)
    finally:
        db.close()
    # Seed operational alert system rules
    db2 = SessionLocal()
    try:
        from app.services.operational_alert_service import seed_system_rules
        seed_system_rules(db2)
    except Exception as e:
        logger.warning("seed_system_rules failed at startup: %s", e)
    finally:
        db2.close()
    yield
    # Graceful shutdown of the background scheduler
    scheduler.shutdown(wait=False)


# ── In production, disable Swagger UI and ReDoc to hide API surface ──────
app = FastAPI(
    # Keyword argument: title
    title="Attack Coverage Platform",
    # Keyword argument: lifespan
    lifespan=lifespan,
    # Keyword argument: docs_url
    docs_url=None if _IS_PRODUCTION else "/docs",
    # Keyword argument: redoc_url
    redoc_url=None if _IS_PRODUCTION else "/redoc",
    # Keyword argument: openapi_url
    openapi_url=None if _IS_PRODUCTION else "/openapi.json",
)

# ── Rate Limiter ──────────────────────────────────────────────────────────
app.state.limiter = limiter
# Call app.add_exception_handler()
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# Call app.add_middleware()
app.add_middleware(RequestContextMiddleware)


# ── No-cache middleware for all /api/ responses ───────────────────────────
# Prevents Cloudflare and browser caches from storing API responses,
# which would cause stale/empty data to be served after backend restarts.
class NoCacheAPIMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        response = await call_next(request)
        if request.url.path.startswith("/api/"):
            response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
            response.headers["Pragma"] = "no-cache"
        return response

app.add_middleware(NoCacheAPIMiddleware)


# ── Domain exception → HTTP mapping ──────────────────────────────────────
app.add_exception_handler(DomainError, domain_exception_handler)

# ── CORS ──────────────────────────────────────────────────────────────────
_cors_origins: list[str] = [
    o.strip() for o in _settings.CORS_ORIGINS.split(",") if o.strip()
]

# Call app.add_middleware()
app.add_middleware(
    CORSMiddleware,
    # Keyword argument: allow_origins
    allow_origins=_cors_origins,
    # Keyword argument: allow_credentials
    allow_credentials=True,
    # Keyword argument: allow_methods
    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
    # Keyword argument: allow_headers
    allow_headers=["Authorization", "Content-Type"],
)

# ── Routers ──────────────────────────────────────────────────────────────
app.include_router(auth_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(techniques_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(tests_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(evidence_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(test_templates_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(system_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(metrics_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(users_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(audit_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(notifications_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(reports_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(data_sources_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(threat_actors_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(d3fend_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(detection_rules_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(campaigns_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(heatmap_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(scores_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(operational_metrics_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(compliance_router.router, prefix="/api/v1")
app.include_router(intel_router.router, prefix="/api/v1")
app.include_router(admin_config_router.router, prefix="/api/v1")
app.include_router(snapshots_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(jira_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(worklogs_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(professional_reports_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(analytics_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(advanced_metrics_router.router, prefix="/api/v1")
# Call app.include_router()
app.include_router(osint_router.router, prefix="/api/v1")
app.include_router(webhooks_router.router, prefix="/api/v1")
app.include_router(detection_lifecycle_router.router, prefix="/api/v1")
app.include_router(ownership_router.router, prefix="/api/v1")
app.include_router(attack_paths_router.router, prefix="/api/v1")
app.include_router(knowledge_router.router, prefix="/api/v1")
app.include_router(risk_router.router, prefix="/api/v1")
app.include_router(dashboard_router.router, prefix="/api/v1")
app.include_router(api_keys_router.router, prefix="/api/v1")
app.include_router(sso_router.router, prefix="/api/v1")
app.include_router(alerts_router.router, prefix="/api/v1")


# Apply the @app.get decorator
@app.get("/health", include_in_schema=False)
# Define function health
def health() -> dict[str, str]:
    """Return a minimal liveness probe response.

    Access is restricted to internal networks at the Nginx level
    (see ``frontend/nginx.conf``).

    Returns:
        dict[str, str]: A dict with ``{"status": "ok"}``.
    """
    # Return {"status": "ok"}
    return {"status": "ok"}


# ── Exception Handlers ────────────────────────────────────────────────────


def _serialize_validation_errors(exc: RequestValidationError) -> list[dict]:
    """Return validation errors safe for JSON serialization.

    Converts non-serializable values inside ``ctx`` dictionaries to strings
    so the response body can be safely encoded.

    Args:
        exc (RequestValidationError): The Pydantic validation exception.

    Returns:
        list[dict]: A list of sanitised error detail dictionaries.
    """
    # Assign serialized = []
    serialized: list[dict] = []
    # Iterate over exc.errors()
    for err in exc.errors():
        # Assign item = dict(err)
        item = dict(err)
        # Assign ctx = item.get("ctx")
        ctx = item.get("ctx")
        # Check: isinstance(ctx, dict)
        if isinstance(ctx, dict):
            # Assign item["ctx"] = {key: str(value) for key, value in ctx.items()}
            item["ctx"] = {key: str(value) for key, value in ctx.items()}
        # Call serialized.append()
        serialized.append(item)
    # Return serialized
    return serialized


# Apply the @app.exception_handler decorator
@app.exception_handler(RequestValidationError)
# Define async function validation_exception_handler
async def validation_exception_handler(request: Request, exc: RequestValidationError) -> JSONResponse:
    """Handle Pydantic validation errors and return a structured 422 response.

    Args:
        request (Request): The incoming HTTP request.
        exc (RequestValidationError): The caught validation exception.

    Returns:
        JSONResponse: A 422 response with a ``VALIDATION_ERROR`` code and error details.
    """
    # Return JSONResponse(
    return JSONResponse(
        # Keyword argument: status_code
        status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
        # Keyword argument: content
        content={
            # Literal argument value
            "detail": "Validation error",
            # Literal argument value
            "code": "VALIDATION_ERROR",
            # Literal argument value
            "errors": _serialize_validation_errors(exc),
        },
    )


# Apply the @app.exception_handler decorator
@app.exception_handler(SQLAlchemyError)
# Define async function sqlalchemy_exception_handler
async def sqlalchemy_exception_handler(request: Request, exc: SQLAlchemyError) -> JSONResponse:
    """Handle SQLAlchemy database errors and return a structured 500 response.

    Args:
        request (Request): The incoming HTTP request.
        exc (SQLAlchemyError): The caught SQLAlchemy exception.

    Returns:
        JSONResponse: A 500 response with a ``DATABASE_ERROR`` code.
    """
    # Log error: f"Database error: {exc}"
    logging.error(f"Database error: {exc}")
    # Return JSONResponse(
    return JSONResponse(
        # Keyword argument: status_code
        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
        # Keyword argument: content
        content={
            # Literal argument value
            "detail": "Database error occurred",
            # Literal argument value
            "code": "DATABASE_ERROR",
        },
    )


# Apply the @app.exception_handler decorator
@app.exception_handler(Exception)
# Define async function general_exception_handler
async def general_exception_handler(request: Request, exc: Exception) -> JSONResponse:
    """Handle all otherwise-unhandled exceptions and return a structured 500 response.

    Args:
        request (Request): The incoming HTTP request.
        exc (Exception): The unhandled exception.

    Returns:
        JSONResponse: A 500 response with an ``INTERNAL_ERROR`` code.
    """
    # Log error: f"Unhandled exception: {exc}"
    logging.error(f"Unhandled exception: {exc}")
    # Return JSONResponse(
    return JSONResponse(
        # Keyword argument: status_code
        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
        # Keyword argument: content
        content={
            # Literal argument value
            "detail": "An internal server error occurred",
            # Literal argument value
            "code": "INTERNAL_ERROR",
        },
    )