anti
0c10869e26
The Fleet module had no delete — neither UI nor API — though the engine
capability existed (engine.teardown(decky_id=...), exposed only via
`decnet teardown --id`). Wire it to HTTP.
DELETE /deckies/{name} (admin-gated, 204). Synchronous: a single decky's
compose stop/rm is quick, so it's awaited off-thread rather than the
202+lifecycle path deploy/mutate use for slow builds. The single-decky
teardown never touches the host macvlan interface, so it needs no extra
CAP_NET_ADMIN.
State consistency: engine.teardown removes the containers and the
fleet_deckies row but leaves the decky in decnet-state.json. Left as is, the
reconciler would see "present in JSON, absent from DB" and re-INSERT the row,
resurrecting the decky. So the handler prunes it from both decnet-state.json
and the DB deployment key after teardown; deleting the last decky clears
state entirely (DecnetConfig.deckies has min_length=1).
Route ordering: the dynamic DELETE /deckies/{decky_name} is registered AFTER
the fixed /deckies/* routes (Starlette matches in registration order), so it
no longer shadows DELETE /deckies/files (file-drop).
Tests cover 401/403/404/422, single-delete pruning, and last-decky clear.
221 lines
11 KiB
Python
221 lines
11 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
from fastapi import APIRouter
|
|
|
|
from .auth.api_login import router as login_router
|
|
from .auth.api_change_pass import router as change_pass_router
|
|
from .auth.api_logout import router as logout_router
|
|
from .auth.api_sse_ticket import router as sse_ticket_router
|
|
from .logs.api_get_logs import router as logs_router
|
|
from .logs.api_get_histogram import router as histogram_router
|
|
from .bounty.api_get_bounties import router as bounty_router
|
|
from .credentials.api_get_credentials import router as credentials_router
|
|
from .credential_reuse.api_get_credential_reuse import router as credential_reuse_router
|
|
from .stats.api_get_stats import router as stats_router
|
|
from .fleet.api_get_deckies import router as get_deckies_router
|
|
from .fleet.api_mutate_decky import router as mutate_decky_router
|
|
from .fleet.api_mutate_interval import router as mutate_interval_router
|
|
from .fleet.api_deploy_deckies import router as deploy_deckies_router
|
|
from .fleet.api_teardown_decky import router as teardown_decky_router
|
|
from .fleet.api_lifecycle import router as lifecycle_router
|
|
from .stream.api_stream_events import router as stream_router
|
|
from .attackers.api_get_attackers import router as attackers_router
|
|
from .attackers.api_export_attackers import router as attackers_export_router
|
|
from .attackers.api_export_attacker_stix import router as attacker_export_stix_router
|
|
from .attackers.api_export_attackers_stix import router as attackers_export_stix_router
|
|
from .attackers.api_export_attacker_misp import router as attacker_export_misp_router
|
|
from .attackers.api_export_attackers_misp import router as attackers_export_misp_router
|
|
from .attackers.api_events import router as attacker_events_router
|
|
from .attackers.api_get_attacker_detail import router as attacker_detail_router
|
|
from .attackers.api_get_attacker_commands import router as attacker_commands_router
|
|
from .attackers.api_get_attacker_artifacts import router as attacker_artifacts_router
|
|
from .attackers.api_get_attacker_transcripts import router as attacker_transcripts_router
|
|
from .attackers.api_get_attacker_smtp_targets import router as attacker_smtp_targets_router
|
|
from .attackers.api_get_attacker_mail import router as attacker_mail_router
|
|
from .attackers.api_get_attacker_intel import router as attacker_intel_router
|
|
from .attackers.api_get_attacker_attribution import router as attacker_attribution_router
|
|
from .identities.api_list_identities import router as identities_list_router
|
|
from .identities.api_get_identity_detail import router as identity_detail_router
|
|
from .identities.api_list_identity_observations import router as identity_observations_router
|
|
from .identities.api_events import router as identity_events_router
|
|
from .campaigns.api_list_campaigns import router as campaigns_list_router
|
|
from .campaigns.api_get_campaign_detail import router as campaign_detail_router
|
|
from .campaigns.api_list_campaign_identities import router as campaign_identities_router
|
|
from .campaigns.api_events import router as campaign_events_router
|
|
from .orchestrator.api_list_events import router as orchestrator_list_router
|
|
from .orchestrator.api_events import router as orchestrator_events_router
|
|
from .orchestrator.api_event_stats import router as orchestrator_stats_router
|
|
from .realism.api_config import router as realism_config_router
|
|
from .realism.api_llm import router as realism_llm_router
|
|
from .realism.api_personas import router as realism_personas_router
|
|
from .realism.api_synthetic_files import router as realism_synthetic_files_router
|
|
from .transcripts import transcripts_router
|
|
from .config.api_get_config import router as config_get_router
|
|
from .config.api_update_config import router as config_update_router
|
|
from .config.api_manage_users import router as config_users_router
|
|
from .config.api_reinit import router as config_reinit_router
|
|
from .health.api_get_health import router as health_router
|
|
from .workers.api_list_workers import router as workers_list_router
|
|
from .workers.api_control_worker import router as workers_control_router
|
|
from .workers.api_start_worker import router as workers_start_router
|
|
from .workers.api_start_all_workers import router as workers_start_all_router
|
|
from .artifacts.api_get_artifact import router as artifacts_router
|
|
from .swarm_updates import swarm_updates_router
|
|
from .swarm_mgmt import swarm_mgmt_router
|
|
from .system import system_router
|
|
from .topology import topology_router
|
|
from .canary import canary_router
|
|
from .deckies import deckies_router
|
|
from .webhooks import webhooks_router
|
|
from .ttp.api_get_techniques import router as ttp_techniques_router
|
|
from .ttp.api_get_by_identity import router as ttp_by_identity_router
|
|
from .ttp.api_get_by_attacker import router as ttp_by_attacker_router
|
|
from .ttp.api_get_by_campaign import router as ttp_by_campaign_router
|
|
from .ttp.api_get_by_session import router as ttp_by_session_router
|
|
from .ttp.api_get_rules import router as ttp_rules_router
|
|
from .ttp.api_get_tag_details import router as ttp_tag_details_router
|
|
from .ttp.api_export_navigator import router as ttp_navigator_router
|
|
from .ttp.api_get_groups_for_technique import router as ttp_groups_for_technique_router
|
|
|
|
api_router = APIRouter(
|
|
# Auth is enforced PER ROUTE via explicit ``require_*`` Depends (see
|
|
# decnet.web.dependencies) — there is NO global auth middleware. A route
|
|
# without a require_* dependency is unauthenticated BY DESIGN; the only such
|
|
# routes are /health (liveness) and /auth/login (credential exchange).
|
|
# The 401/403 entries below are documented here so the OpenAPI schema
|
|
# reflects reality for contract tests, not because a middleware applies them.
|
|
responses={
|
|
400: {"description": "Malformed request body"},
|
|
401: {"description": "Missing or invalid credentials"},
|
|
403: {"description": "Authenticated but not authorized"},
|
|
404: {"description": "Referenced resource does not exist"},
|
|
409: {"description": "Conflict with existing resource"},
|
|
},
|
|
)
|
|
|
|
# Authentication
|
|
api_router.include_router(login_router)
|
|
api_router.include_router(change_pass_router)
|
|
api_router.include_router(logout_router)
|
|
api_router.include_router(sse_ticket_router)
|
|
|
|
# Logs & Analytics
|
|
api_router.include_router(logs_router)
|
|
api_router.include_router(histogram_router)
|
|
|
|
# Bounty Vault
|
|
api_router.include_router(bounty_router)
|
|
|
|
# Credentials (deduped attacker auth attempts)
|
|
api_router.include_router(credentials_router)
|
|
|
|
# Credential reuse findings (cross-decky/cross-service same-secret hits)
|
|
api_router.include_router(credential_reuse_router)
|
|
|
|
# Fleet Management
|
|
api_router.include_router(get_deckies_router)
|
|
api_router.include_router(mutate_decky_router)
|
|
api_router.include_router(mutate_interval_router)
|
|
api_router.include_router(deploy_deckies_router)
|
|
api_router.include_router(lifecycle_router)
|
|
|
|
# Attacker Profiles
|
|
api_router.include_router(attackers_router)
|
|
api_router.include_router(attackers_export_router)
|
|
api_router.include_router(attackers_export_stix_router)
|
|
api_router.include_router(attacker_export_stix_router)
|
|
api_router.include_router(attackers_export_misp_router)
|
|
api_router.include_router(attacker_export_misp_router)
|
|
api_router.include_router(attacker_detail_router)
|
|
api_router.include_router(attacker_events_router)
|
|
api_router.include_router(attacker_commands_router)
|
|
api_router.include_router(attacker_artifacts_router)
|
|
api_router.include_router(attacker_transcripts_router)
|
|
api_router.include_router(attacker_smtp_targets_router)
|
|
api_router.include_router(attacker_mail_router)
|
|
api_router.include_router(attacker_intel_router)
|
|
api_router.include_router(attacker_attribution_router)
|
|
|
|
# Identity Resolution (read-only; populated by the clusterer worker —
|
|
# see development/IDENTITY_RESOLUTION.md). Empty until the clusterer
|
|
# ships; the API surface lands first so frontend + downstream work
|
|
# can target a stable shape.
|
|
api_router.include_router(identities_list_router)
|
|
api_router.include_router(identity_detail_router)
|
|
api_router.include_router(identity_observations_router)
|
|
api_router.include_router(identity_events_router)
|
|
api_router.include_router(campaigns_list_router)
|
|
api_router.include_router(campaign_detail_router)
|
|
api_router.include_router(campaign_identities_router)
|
|
api_router.include_router(campaign_events_router)
|
|
api_router.include_router(orchestrator_list_router)
|
|
api_router.include_router(orchestrator_events_router)
|
|
api_router.include_router(orchestrator_stats_router)
|
|
|
|
# Realism — global persona pool CRUD for the dashboard's
|
|
# "Persona Generation" page. The orchestrator reads from the same
|
|
# on-disk JSON file directly (see decnet.realism.personas_pool).
|
|
api_router.include_router(realism_personas_router)
|
|
api_router.include_router(realism_synthetic_files_router)
|
|
api_router.include_router(realism_config_router)
|
|
api_router.include_router(realism_llm_router)
|
|
|
|
# Observability
|
|
api_router.include_router(stats_router)
|
|
api_router.include_router(stream_router)
|
|
api_router.include_router(health_router)
|
|
api_router.include_router(workers_list_router)
|
|
api_router.include_router(workers_control_router)
|
|
api_router.include_router(workers_start_router)
|
|
api_router.include_router(workers_start_all_router)
|
|
|
|
# Configuration
|
|
api_router.include_router(config_get_router)
|
|
api_router.include_router(config_update_router)
|
|
api_router.include_router(config_users_router)
|
|
api_router.include_router(config_reinit_router)
|
|
|
|
# Artifacts (captured attacker file drops)
|
|
api_router.include_router(artifacts_router)
|
|
|
|
# Transcripts (PTY session recordings, paged asciinema events)
|
|
api_router.include_router(transcripts_router)
|
|
|
|
# Remote Updates (dashboard → worker updater daemons)
|
|
api_router.include_router(swarm_updates_router)
|
|
|
|
# Swarm Management (dashboard: hosts, deckies, agent enrollment bundles)
|
|
api_router.include_router(swarm_mgmt_router)
|
|
|
|
# System info (deployment-mode auto-detection, etc.)
|
|
api_router.include_router(system_router)
|
|
|
|
# MazeNET Topologies (nested topology CRUD + mutation queue)
|
|
api_router.include_router(topology_router)
|
|
|
|
# Canary tokens — operator-facing CRUD (worker hosts the
|
|
# attacker-facing surface separately via `decnet canary`).
|
|
api_router.include_router(canary_router)
|
|
api_router.include_router(deckies_router)
|
|
|
|
# Single-decky teardown LAST among /deckies/* routes: its dynamic
|
|
# DELETE /deckies/{decky_name} would otherwise shadow the fixed paths
|
|
# (e.g. DELETE /deckies/files) since Starlette matches in registration
|
|
# order. Fixed paths must be declared before the variable path.
|
|
api_router.include_router(teardown_decky_router)
|
|
|
|
# External webhook subscriptions (SIEM/SOAR egress)
|
|
api_router.include_router(webhooks_router)
|
|
|
|
# TTP Tagging — see development/TTP_TAGGING.md. Contract phase: every
|
|
# handler returns the typed empty value; impl phase wires the repo
|
|
# and rule engine.
|
|
api_router.include_router(ttp_techniques_router)
|
|
api_router.include_router(ttp_by_identity_router)
|
|
api_router.include_router(ttp_by_attacker_router)
|
|
api_router.include_router(ttp_by_campaign_router)
|
|
api_router.include_router(ttp_by_session_router)
|
|
api_router.include_router(ttp_rules_router)
|
|
api_router.include_router(ttp_tag_details_router)
|
|
api_router.include_router(ttp_navigator_router)
|
|
api_router.include_router(ttp_groups_for_technique_router)
|