feat(intel): attacker_intel table + repo helpers

New TTL-cached threat-intel row keyed by attacker IP, with per-provider verdict/raw/queried_at columns for GreyNoise, AbuseIPDB, abuse.ch Feodo Tracker and ThreatFox. Carries schema_version from day one (federation wire-format precedent set by SessionProfile). Repo gains upsert_attacker_intel, get_attacker_intel_by_ip, and a get_unenriched_attacker_ips backfill primitive that picks fresh + stale rows for the forthcoming 'decnet enrich' worker. Also documents the open-source intel-source backlog in DEVELOPMENT_V2.
2026-04-26 04:56:47 -04:00
parent 9816cdbd53
commit 0dd3811436
7 changed files with 339 additions and 0 deletions
--- a/tests/intel/init.py
+++ b/tests/intel/init.py
--- a/tests/intel/test_attacker_intel_repo.py
+++ b/tests/intel/test_attacker_intel_repo.py
@@ -0,0 +1,113 @@
+"""
+Round-trip tests for the ``attacker_intel`` table and its repo helpers.
+
+Covers:
+* empty-write upsert path
+* per-provider partial update
+* JSON-blob deserialization on read
+* TTL bookkeeping (cached_at + expires_at) round-trips intact
+* ``get_unenriched_attacker_ips`` selects fresh + stale, skips cached
+"""
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import pytest
+
+from decnet.web.db.factory import get_repository
+
+
+@pytest.fixture
+async def repo(tmp_path):
+    r = get_repository(db_path=str(tmp_path / "attacker_intel.db"))
+    await r.initialize()
+    return r
+
+
+def _intel_payload(ip: str, *, ttl_hours: int = 24, **overrides) -> dict:
+    now = datetime.now(timezone.utc)
+    base = {
+        "attacker_ip": ip,
+        "cached_at": now,
+        "expires_at": now + timedelta(hours=ttl_hours),
+    }
+    base.update(overrides)
+    return base
+
+
+@pytest.mark.anyio
+async def test_empty_upsert_writes_minimal_row(repo):
+    row_uuid = await repo.upsert_attacker_intel(_intel_payload("1.2.3.4"))
+    assert row_uuid
+
+    row = await repo.get_attacker_intel_by_ip("1.2.3.4")
+    assert row is not None
+    assert row["attacker_ip"] == "1.2.3.4"
+    assert row["uuid"] == row_uuid
+    assert row["schema_version"] == 1
+    # All per-provider verdicts default to None.
+    assert row["greynoise_classification"] is None
+    assert row["abuseipdb_score"] is None
+    assert row["feodo_listed"] is None
+    assert row["threatfox_listed"] is None
+    assert row["aggregate_verdict"] is None
+
+
+@pytest.mark.anyio
+async def test_partial_provider_update_preserves_others(repo):
+    # First pass: GreyNoise responds, others lag.
+    first_uuid = await repo.upsert_attacker_intel(
+        _intel_payload(
+            "9.9.9.9",
+            greynoise_classification="malicious",
+            greynoise_raw='{"classification":"malicious"}',
+            greynoise_queried_at=datetime.now(timezone.utc),
+        )
+    )
+    # Second pass: AbuseIPDB lands. Re-upsert MUST NOT clobber GreyNoise
+    # columns — the worker passes only the new fields.
+    second_uuid = await repo.upsert_attacker_intel(
+        _intel_payload(
+            "9.9.9.9",
+            abuseipdb_score=85,
+            abuseipdb_raw='{"abuseConfidenceScore":85}',
+            abuseipdb_queried_at=datetime.now(timezone.utc),
+        )
+    )
+    assert first_uuid == second_uuid  # same row
+
+    row = await repo.get_attacker_intel_by_ip("9.9.9.9")
+    assert row["greynoise_classification"] == "malicious"
+    assert row["greynoise_raw"] == {"classification": "malicious"}
+    assert row["abuseipdb_score"] == 85
+    assert row["abuseipdb_raw"] == {"abuseConfidenceScore": 85}
+
+
+@pytest.mark.anyio
+async def test_get_missing_returns_none(repo):
+    assert await repo.get_attacker_intel_by_ip("0.0.0.0") is None
+
+
+@pytest.mark.anyio
+async def test_unenriched_selects_fresh_and_stale_ips(repo):
+    # Seed three attackers via upsert_attacker.
+    now = datetime.now(timezone.utc)
+    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
+        await repo.upsert_attacker(
+            {
+                "ip": ip,
+                "first_seen": now,
+                "last_seen": now,
+                "event_count": 1,
+            }
+        )
+    # 10.0.0.1 has fresh intel (not due for refresh).
+    await repo.upsert_attacker_intel(_intel_payload("10.0.0.1", ttl_hours=24))
+    # 10.0.0.2 has stale intel (already expired).
+    await repo.upsert_attacker_intel(_intel_payload("10.0.0.2", ttl_hours=-1))
+    # 10.0.0.3 has no intel row at all.
+
+    pending = await repo.get_unenriched_attacker_ips(limit=10)
+    assert "10.0.0.1" not in pending  # fresh, skipped
+    assert "10.0.0.2" in pending      # stale, queue it
+    assert "10.0.0.3" in pending      # never enriched