Kitos
4f6dd838fd
- Add Pydantic schemas for Technique, Test and Evidence - Add CRUD endpoints for Techniques (list with filters, detail, create, update, review) - Add CRUD endpoints for Tests (create, detail, update, validate, reject) - Add evidence upload with SHA-256 integrity and presigned download URLs - Add MinIO/S3 storage client with bucket auto-creation on startup - Add status_service to recalculate technique coverage from test results - Add require_any_role RBAC dependency for multi-role authorization - Update README with API endpoints reference and project structure
207 lines
6.2 KiB
Python
207 lines
6.2 KiB
Python
"""CRUD router for MITRE ATT&CK Techniques."""
|
|
|
|
from datetime import datetime
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, Query, status
|
|
from sqlalchemy.orm import Session, joinedload
|
|
|
|
from app.database import get_db
|
|
from app.dependencies.auth import get_current_user, require_role, require_any_role
|
|
from app.models.enums import TechniqueStatus
|
|
from app.models.technique import Technique
|
|
from app.models.user import User
|
|
from app.schemas.technique import (
|
|
TechniqueCreate,
|
|
TechniqueOut,
|
|
TechniqueSummary,
|
|
TechniqueUpdate,
|
|
)
|
|
from app.services.audit_service import log_action
|
|
|
|
router = APIRouter(prefix="/techniques", tags=["techniques"])
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# GET /techniques — list (with optional filters)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@router.get("", response_model=list[TechniqueSummary])
|
|
def list_techniques(
|
|
tactic: str | None = Query(None, description="Filter by tactic name"),
|
|
status_global: TechniqueStatus | None = Query(
|
|
None, alias="status", description="Filter by global status"
|
|
),
|
|
review_required: bool | None = Query(None, description="Filter by review flag"),
|
|
db: Session = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
"""Return a lightweight list of techniques, optionally filtered."""
|
|
query = db.query(Technique)
|
|
|
|
if tactic is not None:
|
|
query = query.filter(Technique.tactic == tactic)
|
|
if status_global is not None:
|
|
query = query.filter(Technique.status_global == status_global)
|
|
if review_required is not None:
|
|
query = query.filter(Technique.review_required == review_required)
|
|
|
|
return query.order_by(Technique.mitre_id).all()
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# GET /techniques/{mitre_id} — detail (with tests)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@router.get("/{mitre_id}", response_model=TechniqueOut)
|
|
def get_technique(
|
|
mitre_id: str,
|
|
db: Session = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
"""Return full details for a single technique, including its tests."""
|
|
technique = (
|
|
db.query(Technique)
|
|
.options(joinedload(Technique.tests))
|
|
.filter(Technique.mitre_id == mitre_id)
|
|
.first()
|
|
)
|
|
|
|
if technique is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_404_NOT_FOUND,
|
|
detail=f"Technique {mitre_id} not found",
|
|
)
|
|
|
|
return technique
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# POST /techniques — create (admin only)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@router.post(
|
|
"",
|
|
response_model=TechniqueOut,
|
|
status_code=status.HTTP_201_CREATED,
|
|
)
|
|
def create_technique(
|
|
payload: TechniqueCreate,
|
|
db: Session = Depends(get_db),
|
|
current_user: User = Depends(require_role("admin")),
|
|
):
|
|
"""Create a new technique manually."""
|
|
# Ensure mitre_id is unique
|
|
existing = (
|
|
db.query(Technique).filter(Technique.mitre_id == payload.mitre_id).first()
|
|
)
|
|
if existing is not None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_409_CONFLICT,
|
|
detail=f"Technique with mitre_id '{payload.mitre_id}' already exists",
|
|
)
|
|
|
|
technique = Technique(**payload.model_dump())
|
|
db.add(technique)
|
|
db.commit()
|
|
db.refresh(technique)
|
|
|
|
log_action(
|
|
db,
|
|
user_id=current_user.id,
|
|
action="create_technique",
|
|
entity_type="technique",
|
|
entity_id=technique.id,
|
|
details={"mitre_id": technique.mitre_id, "name": technique.name},
|
|
)
|
|
|
|
return technique
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# PATCH /techniques/{mitre_id} — update (admin only)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@router.patch("/{mitre_id}", response_model=TechniqueOut)
|
|
def update_technique(
|
|
mitre_id: str,
|
|
payload: TechniqueUpdate,
|
|
db: Session = Depends(get_db),
|
|
current_user: User = Depends(require_role("admin")),
|
|
):
|
|
"""Update one or more fields of an existing technique."""
|
|
technique = (
|
|
db.query(Technique).filter(Technique.mitre_id == mitre_id).first()
|
|
)
|
|
|
|
if technique is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_404_NOT_FOUND,
|
|
detail=f"Technique {mitre_id} not found",
|
|
)
|
|
|
|
update_data = payload.model_dump(exclude_unset=True)
|
|
for field, value in update_data.items():
|
|
setattr(technique, field, value)
|
|
|
|
db.commit()
|
|
db.refresh(technique)
|
|
|
|
log_action(
|
|
db,
|
|
user_id=current_user.id,
|
|
action="update_technique",
|
|
entity_type="technique",
|
|
entity_id=technique.id,
|
|
details={"mitre_id": mitre_id, "updated_fields": list(update_data.keys())},
|
|
)
|
|
|
|
return technique
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# PATCH /techniques/{mitre_id}/review — mark as reviewed (leads + admin)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@router.patch("/{mitre_id}/review", response_model=TechniqueOut)
|
|
def review_technique(
|
|
mitre_id: str,
|
|
db: Session = Depends(get_db),
|
|
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
|
|
):
|
|
"""Mark a technique as reviewed.
|
|
|
|
Sets ``review_required`` to *False* and records the current timestamp
|
|
in ``last_review_date``.
|
|
"""
|
|
technique = (
|
|
db.query(Technique).filter(Technique.mitre_id == mitre_id).first()
|
|
)
|
|
|
|
if technique is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_404_NOT_FOUND,
|
|
detail=f"Technique {mitre_id} not found",
|
|
)
|
|
|
|
technique.review_required = False
|
|
technique.last_review_date = datetime.utcnow()
|
|
|
|
db.commit()
|
|
db.refresh(technique)
|
|
|
|
log_action(
|
|
db,
|
|
user_id=current_user.id,
|
|
action="review_technique",
|
|
entity_type="technique",
|
|
entity_id=technique.id,
|
|
details={"mitre_id": mitre_id},
|
|
)
|
|
|
|
return technique
|