feat(api): GET /credentials endpoint
Surfaces the Credential table (deduped attacker auth attempts) via a new /api/v1/credentials route. Mirrors the Bounty cache pattern (5s TTL on the unfiltered default page) and reuses the existing get_credentials / get_total_credentials repo methods + the already defined CredentialsResponse DTO. Filters: search, service, attacker_ip.
This commit is contained in:
@@ -5,6 +5,7 @@ from .auth.api_change_pass import router as change_pass_router
|
||||
from .logs.api_get_logs import router as logs_router
|
||||
from .logs.api_get_histogram import router as histogram_router
|
||||
from .bounty.api_get_bounties import router as bounty_router
|
||||
from .credentials.api_get_credentials import router as credentials_router
|
||||
from .stats.api_get_stats import router as stats_router
|
||||
from .fleet.api_get_deckies import router as get_deckies_router
|
||||
from .fleet.api_mutate_decky import router as mutate_decky_router
|
||||
@@ -59,6 +60,9 @@ api_router.include_router(histogram_router)
|
||||
# Bounty Vault
|
||||
api_router.include_router(bounty_router)
|
||||
|
||||
# Credentials (deduped attacker auth attempts)
|
||||
api_router.include_router(credentials_router)
|
||||
|
||||
# Fleet Management
|
||||
api_router.include_router(get_deckies_router)
|
||||
api_router.include_router(mutate_decky_router)
|
||||
|
||||
0
decnet/web/router/credentials/__init__.py
Normal file
0
decnet/web/router/credentials/__init__.py
Normal file
103
decnet/web/router/credentials/api_get_credentials.py
Normal file
103
decnet/web/router/credentials/api_get_credentials.py
Normal file
@@ -0,0 +1,103 @@
|
||||
import asyncio
|
||||
import time
|
||||
from typing import Any, Optional
|
||||
|
||||
from fastapi import APIRouter, Depends, Query
|
||||
|
||||
from decnet.telemetry import traced as _traced
|
||||
from decnet.web.dependencies import require_viewer, repo
|
||||
from decnet.web.db.models import CredentialsResponse
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
# Mirror the Bounty cache pattern: the dashboard hits the unfiltered
|
||||
# default page constantly. Filtered requests bypass — staleness matters
|
||||
# when an operator is searching for a specific principal/IP.
|
||||
_CRED_TTL = 5.0
|
||||
_DEFAULT_LIMIT = 50
|
||||
_DEFAULT_OFFSET = 0
|
||||
_cred_cache: tuple[Optional[dict[str, Any]], float] = (None, 0.0)
|
||||
_cred_lock: Optional[asyncio.Lock] = None
|
||||
|
||||
|
||||
def _reset_credentials_cache() -> None:
|
||||
global _cred_cache, _cred_lock
|
||||
_cred_cache = (None, 0.0)
|
||||
_cred_lock = None
|
||||
|
||||
|
||||
async def _get_credentials_default_cached() -> dict[str, Any]:
|
||||
global _cred_cache, _cred_lock
|
||||
value, ts = _cred_cache
|
||||
now = time.monotonic()
|
||||
if value is not None and now - ts < _CRED_TTL:
|
||||
return value
|
||||
if _cred_lock is None:
|
||||
_cred_lock = asyncio.Lock()
|
||||
async with _cred_lock:
|
||||
value, ts = _cred_cache
|
||||
now = time.monotonic()
|
||||
if value is not None and now - ts < _CRED_TTL:
|
||||
return value
|
||||
_data = await repo.get_credentials(
|
||||
limit=_DEFAULT_LIMIT, offset=_DEFAULT_OFFSET,
|
||||
search=None, service=None, attacker_ip=None,
|
||||
)
|
||||
_total = await repo.get_total_credentials(
|
||||
search=None, service=None, attacker_ip=None,
|
||||
)
|
||||
value = {"total": _total, "limit": _DEFAULT_LIMIT, "offset": _DEFAULT_OFFSET, "data": _data}
|
||||
_cred_cache = (value, time.monotonic())
|
||||
return value
|
||||
|
||||
|
||||
@router.get(
|
||||
"/credentials",
|
||||
response_model=CredentialsResponse,
|
||||
tags=["Credentials"],
|
||||
responses={
|
||||
401: {"description": "Could not validate credentials"},
|
||||
403: {"description": "Insufficient permissions"},
|
||||
422: {"description": "Validation error"},
|
||||
},
|
||||
)
|
||||
@_traced("api.get_credentials")
|
||||
async def get_credentials(
|
||||
limit: int = Query(50, ge=1, le=1000),
|
||||
offset: int = Query(0, ge=0, le=2147483647),
|
||||
search: Optional[str] = None,
|
||||
service: Optional[str] = None,
|
||||
attacker_ip: Optional[str] = None,
|
||||
user: dict = Depends(require_viewer),
|
||||
) -> dict[str, Any]:
|
||||
"""Retrieve captured credentials (deduped by attacker/decky/service/secret)."""
|
||||
def _norm(v: Optional[str]) -> Optional[str]:
|
||||
if v in (None, "null", "NULL", "undefined", ""):
|
||||
return None
|
||||
return v
|
||||
|
||||
s = _norm(search)
|
||||
svc = _norm(service)
|
||||
aip = _norm(attacker_ip)
|
||||
|
||||
if (
|
||||
s is None
|
||||
and svc is None
|
||||
and aip is None
|
||||
and limit == _DEFAULT_LIMIT
|
||||
and offset == _DEFAULT_OFFSET
|
||||
):
|
||||
return await _get_credentials_default_cached()
|
||||
|
||||
_data = await repo.get_credentials(
|
||||
limit=limit, offset=offset, search=s, service=svc, attacker_ip=aip,
|
||||
)
|
||||
_total = await repo.get_total_credentials(
|
||||
search=s, service=svc, attacker_ip=aip,
|
||||
)
|
||||
return {
|
||||
"total": _total,
|
||||
"limit": limit,
|
||||
"offset": offset,
|
||||
"data": _data,
|
||||
}
|
||||
Reference in New Issue
Block a user