""" Firewall Rule API router for ClaudeTools. This module defines all REST API endpoints for managing firewall rules, including CRUD operations with proper authentication, validation, and error handling. """ from uuid import UUID from fastapi import APIRouter, Depends, HTTPException, Query, status from sqlalchemy.orm import Session from api.database import get_db from api.middleware.auth import get_current_user from api.schemas.firewall_rule import ( FirewallRuleCreate, FirewallRuleResponse, FirewallRuleUpdate, ) from api.services import firewall_rule_service # Create router with prefix and tags router = APIRouter() @router.get( "", response_model=dict, summary="List all firewall rules", description="Retrieve a paginated list of all firewall rules with optional filtering", status_code=status.HTTP_200_OK, ) def list_firewall_rules( skip: int = Query( default=0, ge=0, description="Number of records to skip for pagination" ), limit: int = Query( default=100, ge=1, le=1000, description="Maximum number of records to return (max 1000)" ), db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ List all firewall rules with pagination. - **skip**: Number of firewall rules to skip (default: 0) - **limit**: Maximum number of firewall rules to return (default: 100, max: 1000) Returns a list of firewall rules with pagination metadata. **Example Request:** ``` GET /api/firewall-rules?skip=0&limit=50 Authorization: Bearer ``` **Example Response:** ```json { "total": 15, "skip": 0, "limit": 50, "firewall_rules": [ { "id": "123e4567-e89b-12d3-a456-426614174000", "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "allow", "rule_order": 1, "notes": "Allow SSH from internal network", "created_by": "admin@example.com", "created_at": "2024-01-15T10:30:00Z", "updated_at": "2024-01-15T10:30:00Z" } ] } ``` """ try: rules, total = firewall_rule_service.get_firewall_rules(db, skip, limit) return { "total": total, "skip": skip, "limit": limit, "firewall_rules": [FirewallRuleResponse.model_validate(rule) for rule in rules] } except Exception as e: raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to retrieve firewall rules: {str(e)}" ) @router.get( "/by-infrastructure/{infrastructure_id}", response_model=dict, summary="Get firewall rules by infrastructure", description="Retrieve all firewall rules for a specific infrastructure with pagination", status_code=status.HTTP_200_OK, responses={ 200: { "description": "Firewall rules found and returned", "content": { "application/json": { "example": { "total": 5, "skip": 0, "limit": 100, "firewall_rules": [ { "id": "123e4567-e89b-12d3-a456-426614174000", "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "allow", "rule_order": 1, "notes": "Allow SSH from internal network", "created_by": "admin@example.com", "created_at": "2024-01-15T10:30:00Z", "updated_at": "2024-01-15T10:30:00Z" } ] } } } }, 404: { "description": "Infrastructure not found", "content": { "application/json": { "example": {"detail": "Infrastructure with ID abc12345-6789-0def-1234-56789abcdef0 not found"} } }, }, }, ) def get_firewall_rules_by_infrastructure( infrastructure_id: UUID, skip: int = Query( default=0, ge=0, description="Number of records to skip for pagination" ), limit: int = Query( default=100, ge=1, le=1000, description="Maximum number of records to return (max 1000)" ), db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ Get all firewall rules for a specific infrastructure. - **infrastructure_id**: UUID of the infrastructure - **skip**: Number of firewall rules to skip (default: 0) - **limit**: Maximum number of firewall rules to return (default: 100, max: 1000) Returns a list of firewall rules for the specified infrastructure with pagination metadata. **Example Request:** ``` GET /api/firewall-rules/by-infrastructure/abc12345-6789-0def-1234-56789abcdef0?skip=0&limit=50 Authorization: Bearer ``` """ rules, total = firewall_rule_service.get_firewall_rules_by_infrastructure(db, infrastructure_id, skip, limit) return { "total": total, "skip": skip, "limit": limit, "firewall_rules": [FirewallRuleResponse.model_validate(rule) for rule in rules] } @router.get( "/{firewall_rule_id}", response_model=FirewallRuleResponse, summary="Get firewall rule by ID", description="Retrieve a single firewall rule by its unique identifier", status_code=status.HTTP_200_OK, responses={ 200: { "description": "Firewall rule found and returned", "model": FirewallRuleResponse, }, 404: { "description": "Firewall rule not found", "content": { "application/json": { "example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"} } }, }, }, ) def get_firewall_rule( firewall_rule_id: UUID, db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ Get a specific firewall rule by ID. - **firewall_rule_id**: UUID of the firewall rule to retrieve Returns the complete firewall rule details. **Example Request:** ``` GET /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000 Authorization: Bearer ``` **Example Response:** ```json { "id": "123e4567-e89b-12d3-a456-426614174000", "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "allow", "rule_order": 1, "notes": "Allow SSH from internal network", "created_by": "admin@example.com", "created_at": "2024-01-15T10:30:00Z", "updated_at": "2024-01-15T10:30:00Z" } ``` """ rule = firewall_rule_service.get_firewall_rule_by_id(db, firewall_rule_id) return FirewallRuleResponse.model_validate(rule) @router.post( "", response_model=FirewallRuleResponse, summary="Create new firewall rule", description="Create a new firewall rule with the provided details", status_code=status.HTTP_201_CREATED, responses={ 201: { "description": "Firewall rule created successfully", "model": FirewallRuleResponse, }, 404: { "description": "Infrastructure not found", "content": { "application/json": { "example": {"detail": "Infrastructure with ID abc12345-6789-0def-1234-56789abcdef0 not found"} } }, }, 422: { "description": "Validation error", "content": { "application/json": { "example": { "detail": [ { "loc": ["body", "rule_name"], "msg": "field required", "type": "value_error.missing" } ] } } }, }, }, ) def create_firewall_rule( firewall_rule_data: FirewallRuleCreate, db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ Create a new firewall rule. Requires a valid JWT token with appropriate permissions. The infrastructure_id must reference an existing infrastructure if provided. **Example Request:** ```json POST /api/firewall-rules Authorization: Bearer Content-Type: application/json { "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "allow", "rule_order": 1, "notes": "Allow SSH from internal network", "created_by": "admin@example.com" } ``` **Example Response:** ```json { "id": "123e4567-e89b-12d3-a456-426614174000", "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "allow", "rule_order": 1, "notes": "Allow SSH from internal network", "created_by": "admin@example.com", "created_at": "2024-01-15T10:30:00Z", "updated_at": "2024-01-15T10:30:00Z" } ``` """ rule = firewall_rule_service.create_firewall_rule(db, firewall_rule_data) return FirewallRuleResponse.model_validate(rule) @router.put( "/{firewall_rule_id}", response_model=FirewallRuleResponse, summary="Update firewall rule", description="Update an existing firewall rule's details", status_code=status.HTTP_200_OK, responses={ 200: { "description": "Firewall rule updated successfully", "model": FirewallRuleResponse, }, 404: { "description": "Firewall rule or infrastructure not found", "content": { "application/json": { "example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"} } }, }, }, ) def update_firewall_rule( firewall_rule_id: UUID, firewall_rule_data: FirewallRuleUpdate, db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ Update an existing firewall rule. - **firewall_rule_id**: UUID of the firewall rule to update Only provided fields will be updated. All fields are optional. If updating infrastructure_id, the new infrastructure must exist. **Example Request:** ```json PUT /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000 Authorization: Bearer Content-Type: application/json { "action": "deny", "notes": "Changed to deny SSH access" } ``` **Example Response:** ```json { "id": "123e4567-e89b-12d3-a456-426614174000", "infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0", "rule_name": "Allow SSH", "source_cidr": "10.0.0.0/8", "destination_cidr": "192.168.1.0/24", "port": 22, "protocol": "tcp", "action": "deny", "rule_order": 1, "notes": "Changed to deny SSH access", "created_by": "admin@example.com", "created_at": "2024-01-15T10:30:00Z", "updated_at": "2024-01-15T14:20:00Z" } ``` """ rule = firewall_rule_service.update_firewall_rule(db, firewall_rule_id, firewall_rule_data) return FirewallRuleResponse.model_validate(rule) @router.delete( "/{firewall_rule_id}", response_model=dict, summary="Delete firewall rule", description="Delete a firewall rule by its ID", status_code=status.HTTP_200_OK, responses={ 200: { "description": "Firewall rule deleted successfully", "content": { "application/json": { "example": { "message": "Firewall rule deleted successfully", "firewall_rule_id": "123e4567-e89b-12d3-a456-426614174000" } } }, }, 404: { "description": "Firewall rule not found", "content": { "application/json": { "example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"} } }, }, }, ) def delete_firewall_rule( firewall_rule_id: UUID, db: Session = Depends(get_db), current_user: dict = Depends(get_current_user), ): """ Delete a firewall rule. - **firewall_rule_id**: UUID of the firewall rule to delete This is a permanent operation and cannot be undone. **Example Request:** ``` DELETE /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000 Authorization: Bearer ``` **Example Response:** ```json { "message": "Firewall rule deleted successfully", "firewall_rule_id": "123e4567-e89b-12d3-a456-426614174000" } ``` """ return firewall_rule_service.delete_firewall_rule(db, firewall_rule_id)