feat(creds): Phase 1 — Authorization header + SNMP community capture

Closes the cred-coverage gap for 7 services that already had the data on the wire but never landed it in the Credential table: - SNMP — community string lands as secret_kind="snmp_community", principal=None (v1/v2c has no per-user identity, the community IS the auth). - SIP — Digest response hash, previously buried in the auth= header dump, now classify_authorization()-extracted. - HTTP / HTTPS — Authorization header was in the headers JSON but never extracted. Now Basic decodes to plaintext, Bearer → http_bearer (principal=None), Digest → http_digest_md5. - K8s — already extracted Authorization but didn't normalize. Service- account JWTs flow through as Bearer. - Docker API — headers absent entirely. Adds the headers JSON dump and runs Authorization through the classifier. - Elasticsearch — five distinct request handlers; each gains a per-handler _cred_fields() helper. Adds canonical templates/syslog_bridge.py:classify_authorization(). Recognised: Basic / Bearer / Token / Digest. Unknown schemes (NTLM, AWS4-HMAC, Negotiate) return None; the header still rides in the ambient SD-block but isn't normalized as a credential. The SD shape on the wire collapses sip_digest_md5 into http_digest_md5 — same algorithm, so cross-protocol reuse correlates correctly when (rare) nonce collisions allow. Drive-by repair of tests/core/test_fingerprinting.py: - The pre-existing `test_http_useragent_extracted` asserted both that add_bounty was called exactly once AND that the UA payload carried `path` and `method` fields. Both wrong since this session opened: the http_quirks fingerprint added later fires too, and the UA payload never actually included path/method despite the assertion. - Adds `path`/`method` to the UA fingerprint payload (real operator value: "Nikto hit /admin" beats "Nikto seen on this decky"). - Replaces `assert_awaited_once` with a `_find_ua_bounty()` helper that filters add_bounty calls by `fingerprint_type`. New fingerprint families landing later won't retroactively break old tests. - Updates the two credential-bearing tests to use the post-DEBT-039 native shape (`secret_b64` / `principal`) and `upsert_credential`, not the deleted legacy `username+password` adapter. Also rebuilds the per-service fake `syslog_bridge` modules in tests/service_testing/{conftest,test_imap,test_pop3,test_snmp,test_mqtt,test_smtp}.py to expose `encode_secret` + `classify_authorization`. Service templates that import either now no longer fail at test collection. 173 tests pass in the touched scope. Phases 2-7 still pending.
2026-04-25 07:04:10 -04:00
parent 6b16c844b6
commit 3404e3b3a6
44 changed files with 3081 additions and 66 deletions
--- a/tests/services/test_cred_emitters.py
+++ b/tests/services/test_cred_emitters.py
@@ -222,6 +222,109 @@ async def test_vnc_hash_credential():
    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()


+@pytest.mark.asyncio
+async def test_snmp_community_native_shape():
+    """SNMP v1/v2c community string lands as secret_kind=snmp_community,
+    principal=None (no per-user identity in v1/v2c)."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    raw = b"public"
+    log_data = {
+        "decky": "decky-01",
+        "service": "snmp",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "version": 1,
+            "community": "public",
+            "secret_kind": "snmp_community",
+            "secret_printable": "public",
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "snmp"
+    assert cred["secret_kind"] == "snmp_community"
+    assert cred["principal"] is None
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_http_basic_native_shape():
+    """HTTP Basic via classify_authorization → principal+plaintext."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    log_data = {
+        "decky": "decky-01",
+        "service": "http",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "GET",
+            "path": "/admin",
+            "principal": "admin",
+            "secret_kind": "plaintext",
+            "secret_printable": "hunter2",
+            "secret_b64": base64.b64encode(b"hunter2").decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "http"
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+
+
+@pytest.mark.asyncio
+async def test_http_bearer_native_shape():
+    """HTTP Bearer — principal=None, secret_kind=http_bearer, opaque."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    token = b"eyJhbGciOiJIUzI1NiJ9.foo.bar"
+    log_data = {
+        "decky": "decky-01",
+        "service": "k8s",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "GET",
+            "path": "/api/v1/secrets",
+            "principal": None,
+            "secret_kind": "http_bearer",
+            "secret_printable": token.decode(),
+            "secret_b64": base64.b64encode(token).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["secret_kind"] == "http_bearer"
+    assert cred["principal"] is None
+    assert cred["secret_sha256"] == hashlib.sha256(token).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_sip_digest_native_shape():
+    """SIP Digest via classify_authorization → response hash captured."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    response_hash = "d41d8cd98f00b204e9800998ecf8427e"
+    log_data = {
+        "decky": "decky-01",
+        "service": "sip",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "REGISTER",
+            "principal": "alice",
+            "secret_kind": "http_digest_md5",
+            "secret_printable": response_hash,
+            "secret_b64": base64.b64encode(response_hash.encode()).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "sip"
+    assert cred["secret_kind"] == "http_digest_md5"
+    assert cred["principal"] == "alice"
+
+
@pytest.mark.asyncio
 async def test_lossless_b64_survives_nonprintable_password():
    """Even when secret_printable is sanitized, secret_b64 still decodes