refactor(intel): re-key attacker_intel on attacker_uuid (closes DEBT-041)

The threat-intel surface was IP-keyed on day one as an expedient — the worker is woken by IP-bearing bus events. ANTI's call: don't carry that debt. NO IPs as primary keys anywhere on the attacker-intel surface. Schema: - attacker_uuid is now the canonical key — UNIQUE + FK to attackers.uuid. - attacker_ip stays as a denormalised, indexed, NON-UNIQUE value column. Updated on every upsert; useful for SIEM payloads and audit lookups, but explicitly NOT a key. Model docstring says so. - Pre-v1, no Alembic migration needed. SQLModel.metadata.create_all() builds the new shape on fresh DBs. Repo: - upsert_attacker_intel now keys on attacker_uuid. - get_attacker_intel_by_ip → get_attacker_intel_by_uuid. - get_unenriched_attacker_ips → get_unenriched_attackers, returning [{uuid, ip}] tuples so the worker writes by UUID and dispatches provider calls by IP without a second round-trip. Worker: - _enrich_one(uuid, ip, ...) — UUID lands on the row, IP rides for provider egress. - attacker.intel.enriched bus payload gains attacker_uuid alongside attacker_ip — webhook → SIEM consumers benefit; no removal. API: - GET /api/v1/attackers/{ip}/intel deleted outright (rip-and-replace, never deployed beyond dev). - GET /api/v1/attackers/{uuid}/intel is the only public route, matching every other /attackers/* route. Frontend: - <IntelPanel uuid={id!} /> uses the URL param directly, fetches in parallel with the rest of AttackerDetail rather than waiting on attacker.ip. Tests: re-keyed in place, 39 passed (same coverage as before the refactor). Provider-impl tests untouched. DEBT-041: closed in DEBT.md (entry preserved as historical rationale, summary table flipped to ✅, remaining-open list shortened by one).
2026-04-26 05:35:29 -04:00
parent a009549326
commit 3eb67c9400
10 changed files with 161 additions and 97 deletions
--- a/tests/web/test_api_attacker_intel.py
+++ b/tests/web/test_api_attacker_intel.py
@@ -1,4 +1,4 @@
-"""Tests for GET /api/v1/attackers/{ip}/intel."""
+"""Tests for GET /api/v1/attackers/{uuid}/intel."""
 from __future__ import annotations

 from unittest.mock import AsyncMock, patch
@@ -14,6 +14,7 @@ async def test_returns_cached_intel_row():
    )

    fake_row = {
+        "attacker_uuid": "att-uuid-xyz",
        "attacker_ip": "1.2.3.4",
        "aggregate_verdict": "malicious",
        "greynoise_classification": "malicious",
@@ -24,11 +25,12 @@ async def test_returns_cached_intel_row():
    with patch(
        "decnet.web.router.attackers.api_get_attacker_intel.repo"
    ) as mock_repo:
-        mock_repo.get_attacker_intel_by_ip = AsyncMock(return_value=fake_row)
+        mock_repo.get_attacker_intel_by_uuid = AsyncMock(return_value=fake_row)
        result = await get_attacker_intel(
-            ip="1.2.3.4",
+            uuid="att-uuid-xyz",
            user={"uuid": "viewer", "role": "viewer"},
        )
+    assert result["attacker_uuid"] == "att-uuid-xyz"
    assert result["aggregate_verdict"] == "malicious"
    assert result["abuseipdb_score"] == 92

@@ -42,10 +44,10 @@ async def test_404_when_no_row_cached():
    with patch(
        "decnet.web.router.attackers.api_get_attacker_intel.repo"
    ) as mock_repo:
-        mock_repo.get_attacker_intel_by_ip = AsyncMock(return_value=None)
+        mock_repo.get_attacker_intel_by_uuid = AsyncMock(return_value=None)
        with pytest.raises(HTTPException) as excinfo:
            await get_attacker_intel(
-                ip="0.0.0.0",
+                uuid="missing-uuid",
                user={"uuid": "viewer", "role": "viewer"},
            )
    assert excinfo.value.status_code == 404