azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
claudetools/api/routers/firewall_rules.py
Mike Swanson 390b10b32c Complete Phase 6: MSP Work Tracking with Context Recall System 
Implements production-ready MSP platform with cross-machine persistent memory for Claude.

API Implementation:
- 130 REST API endpoints across 21 entities
- JWT authentication on all endpoints
- AES-256-GCM encryption for credentials
- Automatic audit logging
- Complete OpenAPI documentation

Database:
- 43 tables in MariaDB (172.16.3.20:3306)
- 42 SQLAlchemy models with modern 2.0 syntax
- Full Alembic migration system
- 99.1% CRUD test pass rate

Context Recall System (Phase 6):
- Cross-machine persistent memory via database
- Automatic context injection via Claude Code hooks
- Automatic context saving after task completion
- 90-95% token reduction with compression utilities
- Relevance scoring with time decay
- Tag-based semantic search
- One-command setup script

Security Features:
- JWT tokens with Argon2 password hashing
- AES-256-GCM encryption for all sensitive data
- Comprehensive audit trail for credentials
- HMAC tamper detection
- Secure configuration management

Test Results:
- Phase 3: 38/38 CRUD tests passing (100%)
- Phase 4: 34/35 core API tests passing (97.1%)
- Phase 5: 62/62 extended API tests passing (100%)
- Phase 6: 10/10 compression tests passing (100%)
- Overall: 144/145 tests passing (99.3%)

Documentation:
- Comprehensive architecture guides
- Setup automation scripts
- API documentation at /api/docs
- Complete test reports
- Troubleshooting guides

Project Status: 95% Complete (Production-Ready)
Phase 7 (optional work context APIs) remains for future enhancement.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-17 06:00:26 -07:00

470 lines
14 KiB
Python
Raw Permalink Blame History

"""
Firewall Rule API router for ClaudeTools.
This module defines all REST API endpoints for managing firewall rules, including
CRUD operations with proper authentication, validation, and error handling.
"""
from uuid import UUID
from fastapi import APIRouter, Depends, HTTPException, Query, status
from sqlalchemy.orm import Session
from api.database import get_db
from api.middleware.auth import get_current_user
from api.schemas.firewall_rule import (
FirewallRuleCreate,
FirewallRuleResponse,
FirewallRuleUpdate,
)
from api.services import firewall_rule_service
# Create router with prefix and tags
router = APIRouter()
@router.get(
"",
response_model=dict,
summary="List all firewall rules",
description="Retrieve a paginated list of all firewall rules with optional filtering",
status_code=status.HTTP_200_OK,
)
def list_firewall_rules(
skip: int = Query(
default=0,
ge=0,
description="Number of records to skip for pagination"
),
limit: int = Query(
default=100,
ge=1,
le=1000,
description="Maximum number of records to return (max 1000)"
),
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
List all firewall rules with pagination.
- **skip**: Number of firewall rules to skip (default: 0)
- **limit**: Maximum number of firewall rules to return (default: 100, max: 1000)
Returns a list of firewall rules with pagination metadata.
**Example Request:**
```
GET /api/firewall-rules?skip=0&limit=50
Authorization: Bearer <token>
```
**Example Response:**
```json
{
"total": 15,
"skip": 0,
"limit": 50,
"firewall_rules": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "allow",
"rule_order": 1,
"notes": "Allow SSH from internal network",
"created_by": "admin@example.com",
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-15T10:30:00Z"
}
]
}
```
"""
try:
rules, total = firewall_rule_service.get_firewall_rules(db, skip, limit)
return {
"total": total,
"skip": skip,
"limit": limit,
"firewall_rules": [FirewallRuleResponse.model_validate(rule) for rule in rules]
}
except Exception as e:
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail=f"Failed to retrieve firewall rules: {str(e)}"
)
@router.get(
"/by-infrastructure/{infrastructure_id}",
response_model=dict,
summary="Get firewall rules by infrastructure",
description="Retrieve all firewall rules for a specific infrastructure with pagination",
status_code=status.HTTP_200_OK,
responses={
200: {
"description": "Firewall rules found and returned",
"content": {
"application/json": {
"example": {
"total": 5,
"skip": 0,
"limit": 100,
"firewall_rules": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "allow",
"rule_order": 1,
"notes": "Allow SSH from internal network",
"created_by": "admin@example.com",
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-15T10:30:00Z"
}
]
}
}
}
},
404: {
"description": "Infrastructure not found",
"content": {
"application/json": {
"example": {"detail": "Infrastructure with ID abc12345-6789-0def-1234-56789abcdef0 not found"}
}
},
},
},
)
def get_firewall_rules_by_infrastructure(
infrastructure_id: UUID,
skip: int = Query(
default=0,
ge=0,
description="Number of records to skip for pagination"
),
limit: int = Query(
default=100,
ge=1,
le=1000,
description="Maximum number of records to return (max 1000)"
),
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
Get all firewall rules for a specific infrastructure.
- **infrastructure_id**: UUID of the infrastructure
- **skip**: Number of firewall rules to skip (default: 0)
- **limit**: Maximum number of firewall rules to return (default: 100, max: 1000)
Returns a list of firewall rules for the specified infrastructure with pagination metadata.
**Example Request:**
```
GET /api/firewall-rules/by-infrastructure/abc12345-6789-0def-1234-56789abcdef0?skip=0&limit=50
Authorization: Bearer <token>
```
"""
rules, total = firewall_rule_service.get_firewall_rules_by_infrastructure(db, infrastructure_id, skip, limit)
return {
"total": total,
"skip": skip,
"limit": limit,
"firewall_rules": [FirewallRuleResponse.model_validate(rule) for rule in rules]
}
@router.get(
"/{firewall_rule_id}",
response_model=FirewallRuleResponse,
summary="Get firewall rule by ID",
description="Retrieve a single firewall rule by its unique identifier",
status_code=status.HTTP_200_OK,
responses={
200: {
"description": "Firewall rule found and returned",
"model": FirewallRuleResponse,
},
404: {
"description": "Firewall rule not found",
"content": {
"application/json": {
"example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"}
}
},
},
},
)
def get_firewall_rule(
firewall_rule_id: UUID,
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
Get a specific firewall rule by ID.
- **firewall_rule_id**: UUID of the firewall rule to retrieve
Returns the complete firewall rule details.
**Example Request:**
```
GET /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000
Authorization: Bearer <token>
```
**Example Response:**
```json
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "allow",
"rule_order": 1,
"notes": "Allow SSH from internal network",
"created_by": "admin@example.com",
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-15T10:30:00Z"
}
```
"""
rule = firewall_rule_service.get_firewall_rule_by_id(db, firewall_rule_id)
return FirewallRuleResponse.model_validate(rule)
@router.post(
"",
response_model=FirewallRuleResponse,
summary="Create new firewall rule",
description="Create a new firewall rule with the provided details",
status_code=status.HTTP_201_CREATED,
responses={
201: {
"description": "Firewall rule created successfully",
"model": FirewallRuleResponse,
},
404: {
"description": "Infrastructure not found",
"content": {
"application/json": {
"example": {"detail": "Infrastructure with ID abc12345-6789-0def-1234-56789abcdef0 not found"}
}
},
},
422: {
"description": "Validation error",
"content": {
"application/json": {
"example": {
"detail": [
{
"loc": ["body", "rule_name"],
"msg": "field required",
"type": "value_error.missing"
}
]
}
}
},
},
},
)
def create_firewall_rule(
firewall_rule_data: FirewallRuleCreate,
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
Create a new firewall rule.
Requires a valid JWT token with appropriate permissions.
The infrastructure_id must reference an existing infrastructure if provided.
**Example Request:**
```json
POST /api/firewall-rules
Authorization: Bearer <token>
Content-Type: application/json
{
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "allow",
"rule_order": 1,
"notes": "Allow SSH from internal network",
"created_by": "admin@example.com"
}
```
**Example Response:**
```json
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "allow",
"rule_order": 1,
"notes": "Allow SSH from internal network",
"created_by": "admin@example.com",
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-15T10:30:00Z"
}
```
"""
rule = firewall_rule_service.create_firewall_rule(db, firewall_rule_data)
return FirewallRuleResponse.model_validate(rule)
@router.put(
"/{firewall_rule_id}",
response_model=FirewallRuleResponse,
summary="Update firewall rule",
description="Update an existing firewall rule's details",
status_code=status.HTTP_200_OK,
responses={
200: {
"description": "Firewall rule updated successfully",
"model": FirewallRuleResponse,
},
404: {
"description": "Firewall rule or infrastructure not found",
"content": {
"application/json": {
"example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"}
}
},
},
},
)
def update_firewall_rule(
firewall_rule_id: UUID,
firewall_rule_data: FirewallRuleUpdate,
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
Update an existing firewall rule.
- **firewall_rule_id**: UUID of the firewall rule to update
Only provided fields will be updated. All fields are optional.
If updating infrastructure_id, the new infrastructure must exist.
**Example Request:**
```json
PUT /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000
Authorization: Bearer <token>
Content-Type: application/json
{
"action": "deny",
"notes": "Changed to deny SSH access"
}
```
**Example Response:**
```json
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"infrastructure_id": "abc12345-6789-0def-1234-56789abcdef0",
"rule_name": "Allow SSH",
"source_cidr": "10.0.0.0/8",
"destination_cidr": "192.168.1.0/24",
"port": 22,
"protocol": "tcp",
"action": "deny",
"rule_order": 1,
"notes": "Changed to deny SSH access",
"created_by": "admin@example.com",
"created_at": "2024-01-15T10:30:00Z",
"updated_at": "2024-01-15T14:20:00Z"
}
```
"""
rule = firewall_rule_service.update_firewall_rule(db, firewall_rule_id, firewall_rule_data)
return FirewallRuleResponse.model_validate(rule)
@router.delete(
"/{firewall_rule_id}",
response_model=dict,
summary="Delete firewall rule",
description="Delete a firewall rule by its ID",
status_code=status.HTTP_200_OK,
responses={
200: {
"description": "Firewall rule deleted successfully",
"content": {
"application/json": {
"example": {
"message": "Firewall rule deleted successfully",
"firewall_rule_id": "123e4567-e89b-12d3-a456-426614174000"
}
}
},
},
404: {
"description": "Firewall rule not found",
"content": {
"application/json": {
"example": {"detail": "Firewall rule with ID 123e4567-e89b-12d3-a456-426614174000 not found"}
}
},
},
},
)
def delete_firewall_rule(
firewall_rule_id: UUID,
db: Session = Depends(get_db),
current_user: dict = Depends(get_current_user),
):
"""
Delete a firewall rule.
- **firewall_rule_id**: UUID of the firewall rule to delete
This is a permanent operation and cannot be undone.
**Example Request:**
```
DELETE /api/firewall-rules/123e4567-e89b-12d3-a456-426614174000
Authorization: Bearer <token>
```
**Example Response:**
```json
{
"message": "Firewall rule deleted successfully",
"firewall_rule_id": "123e4567-e89b-12d3-a456-426614174000"
}
```
"""
return firewall_rule_service.delete_firewall_rule(db, firewall_rule_id)
Reference in New Issue View Git Blame Copy Permalink