refactor(intel): re-key attacker_intel on attacker_uuid (closes DEBT-041)
The threat-intel surface was IP-keyed on day one as an expedient — the
worker is woken by IP-bearing bus events. ANTI's call: don't carry that
debt. NO IPs as primary keys anywhere on the attacker-intel surface.
Schema:
- attacker_uuid is now the canonical key — UNIQUE + FK to attackers.uuid.
- attacker_ip stays as a denormalised, indexed, NON-UNIQUE value column.
Updated on every upsert; useful for SIEM payloads and audit lookups,
but explicitly NOT a key. Model docstring says so.
- Pre-v1, no Alembic migration needed. SQLModel.metadata.create_all()
builds the new shape on fresh DBs.
Repo:
- upsert_attacker_intel now keys on attacker_uuid.
- get_attacker_intel_by_ip → get_attacker_intel_by_uuid.
- get_unenriched_attacker_ips → get_unenriched_attackers, returning
[{uuid, ip}] tuples so the worker writes by UUID and dispatches
provider calls by IP without a second round-trip.
Worker:
- _enrich_one(uuid, ip, ...) — UUID lands on the row, IP rides for
provider egress.
- attacker.intel.enriched bus payload gains attacker_uuid alongside
attacker_ip — webhook → SIEM consumers benefit; no removal.
API:
- GET /api/v1/attackers/{ip}/intel deleted outright (rip-and-replace,
never deployed beyond dev).
- GET /api/v1/attackers/{uuid}/intel is the only public route, matching
every other /attackers/* route.
Frontend:
- <IntelPanel uuid={id!} /> uses the URL param directly, fetches in
parallel with the rest of AttackerDetail rather than waiting on
attacker.ip.
Tests: re-keyed in place, 39 passed (same coverage as before the
refactor). Provider-impl tests untouched.
DEBT-041: closed in DEBT.md (entry preserved as historical rationale,
summary table flipped to ✅, remaining-open list shortened by one).
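As an added example (not the project's code), the schema shape and the two repository contracts the message describes, sketched with stdlib sqlite3 instead of SQLModel: the `id` column, index name, ISO-8601 `expires_at` encoding and the sample attackers are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema: attacker_uuid is the UNIQUE + FK key; attacker_ip is a value column.
SCHEMA = """
CREATE TABLE attackers (uuid TEXT PRIMARY KEY, ip TEXT NOT NULL);
CREATE TABLE attacker_intel (
    id            INTEGER PRIMARY KEY,
    attacker_uuid TEXT NOT NULL UNIQUE REFERENCES attackers(uuid),
    attacker_ip   TEXT NOT NULL,   -- denormalised, indexed, explicitly NOT a key
    expires_at    TEXT NOT NULL    -- ISO-8601 UTC timestamp (assumed encoding)
);
CREATE INDEX ix_intel_ip ON attacker_intel(attacker_ip);
"""

def upsert_attacker_intel(conn, data):
    """Keyed on attacker_uuid; attacker_ip is overwritten on every upsert."""
    conn.execute(
        "INSERT INTO attacker_intel (attacker_uuid, attacker_ip, expires_at) "
        "VALUES (:attacker_uuid, :attacker_ip, :expires_at) "
        "ON CONFLICT(attacker_uuid) DO UPDATE SET "
        "attacker_ip = excluded.attacker_ip, expires_at = excluded.expires_at",
        data,
    )
    return data["attacker_uuid"]

def get_unenriched_attackers(conn, now, limit=100):
    """{"uuid", "ip"} pairs for attackers with no intel row or an expired one."""
    rows = conn.execute(
        "SELECT a.uuid, a.ip FROM attackers a "
        "LEFT JOIN attacker_intel i ON i.attacker_uuid = a.uuid "
        "WHERE i.id IS NULL OR i.expires_at < ? ORDER BY a.uuid LIMIT ?",
        (now.isoformat(), limit),
    ).fetchall()
    return [{"uuid": u, "ip": ip} for u, ip in rows]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # intel for an unknown attacker is rejected
    conn.executescript(SCHEMA)
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fresh, stale = (now + timedelta(hours=1)).isoformat(), (now - timedelta(hours=1)).isoformat()
    conn.executemany("INSERT INTO attackers VALUES (?, ?)",
                     [("a-1", "203.0.113.5"), ("a-2", "203.0.113.9"), ("a-3", "203.0.113.12")])
    upsert_attacker_intel(conn, {"attacker_uuid": "a-1", "attacker_ip": "203.0.113.5", "expires_at": fresh})
    # a-1 rotates its IP: same row, attacker_ip overwritten, no duplicate keyed on the old IP
    upsert_attacker_intel(conn, {"attacker_uuid": "a-1", "attacker_ip": "198.51.100.7", "expires_at": fresh})
    upsert_attacker_intel(conn, {"attacker_uuid": "a-3", "attacker_ip": "203.0.113.12", "expires_at": stale})
    rows = conn.execute("SELECT attacker_uuid, attacker_ip FROM attacker_intel ORDER BY attacker_uuid").fetchall()
    return rows, get_unenriched_attackers(conn, now)
```

Running `demo()` shows one intel row for `a-1` carrying the rotated IP, and the worker backlog containing `a-2` (no row) and `a-3` (expired row).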
@@ -280,23 +280,31 @@ class BaseRepository(ABC):
@abstractmethod
async def upsert_attacker_intel(self, data: dict[str, Any]) -> str:
"""Insert or update the threat-intel row for an attacker IP.
"""Insert or update the threat-intel row for an attacker UUID.
``data`` MUST include ``attacker_ip`` and ``expires_at``. Returns
the row UUID. Used by the ``decnet enrich`` worker.
``data`` MUST include ``attacker_uuid``, ``attacker_ip`` and
``expires_at``. Returns the row UUID. Keyed on ``attacker_uuid``
(UNIQUE + FK to ``attackers.uuid``); ``attacker_ip`` is denormalised
— it gets overwritten on every upsert if the attacker rotates IPs.
"""
pass
@abstractmethod
async def get_attacker_intel_by_ip(self, ip: str) -> Optional[dict[str, Any]]:
"""Return the threat-intel row for ``ip`` or ``None`` if missing."""
async def get_attacker_intel_by_uuid(self, uuid: str) -> Optional[dict[str, Any]]:
"""Return the threat-intel row for ``uuid`` or ``None`` if missing."""
pass
@abstractmethod
async def get_unenriched_attacker_ips(self, limit: int = 100) -> list[str]:
"""List attacker IPs with no intel row OR whose row is past expires_at.
async def get_unenriched_attackers(
self, limit: int = 100,
) -> list[dict[str, Any]]:
"""List ``{"uuid", "ip"}`` pairs for attackers with no intel row OR
whose row is past ``expires_at``.
Used by the enrich worker to backfill on startup and on each wake.
Returns both fields so the worker can write keyed on UUID without
a second per-attacker DB round-trip to resolve the IP for outbound
provider calls.
"""
pass
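Review bot: the new `upsert_attacker_intel` docstring still says "Returns the row UUID", which is ambiguous now that the row is keyed on `attacker_uuid`; state whether callers get the intel row's own id or the `attacker_uuid` they passed in, since the worker and the re-keyed tests will key on whichever it is. Relatedly, `get_unenriched_attackers` is typed `list[dict[str, Any]]` and documented as `{"uuid", "ip"}` pairs while the commit message calls them tuples; aligning the message (or declaring a TypedDict for the pair) keeps the contract with `_enrich_one(uuid, ip, ...)` unambiguous.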