feat(stix_export): wire fingerprint bounties through all endpoints + tests

Remaining files from the fingerprint-bounties + characterizes-SRO commit: misp_export, repository, bounties mixin, all 4 router endpoints, and test suite updates. Prerequisite: previous commit added _extract_fingerprint_bounty_data and the stix_export changes.
2026-05-09 09:14:48 -04:00
parent 51d0fc7b6c
commit 4c6b12dcf8
13 changed files with 181 additions and 4 deletions
--- a/tests/db/test_base_repo.py
+++ b/tests/db/test_base_repo.py
@@ -115,6 +115,10 @@ class DummyRepo(BaseRepository):
        await super().list_observations_by_attacker(attacker_uuid); return []
    async def get_all_observations_for_export(self):
        await super().get_all_observations_for_export(); return {}
+    async def get_fingerprint_bounties_by_ip(self, ip):
+        await super().get_fingerprint_bounties_by_ip(ip); return []
+    async def get_all_fingerprint_bounties_for_export(self):
+        await super().get_all_fingerprint_bounties_for_export(); return {}
    async def get_attacker_uuid_by_ip(self, ip):
        await super().get_attacker_uuid_by_ip(ip); return None
    # TTP rollup surface (TTP_TAGGING.md)
@@ -261,6 +265,10 @@ async def test_base_repo_coverage():
        await dr.list_observations_by_attacker("a")
    with pytest.raises(NotImplementedError):
        await dr.get_all_observations_for_export()
+    with pytest.raises(NotImplementedError):
+        await dr.get_fingerprint_bounties_by_ip("1.1.1.1")
+    with pytest.raises(NotImplementedError):
+        await dr.get_all_fingerprint_bounties_for_export()
    with pytest.raises(NotImplementedError):
        await dr.get_attacker_uuid_by_ip("1.1.1.1")
    with pytest.raises(NotImplementedError):
--- a/tests/ttp/test_stix_export_threat_actor_extensions.py
+++ b/tests/ttp/test_stix_export_threat_actor_extensions.py
@@ -239,6 +239,100 @@ def test_kd_digraph_simhash_base64_input():
    assert profile.kd_digraph_simhash == raw.hex()


+def _fp_bounties() -> list[dict]:
+    return [
+        {
+            "payload": {
+                "fingerprint_type": "jarm",
+                "hash": "2ad2ad16d2ad2ad00042d42d000000f93d17e5fba64fc1c6f4cb080b9a5cf1e",
+                "target_ip": "1.2.3.4",
+                "target_port": "443",
+            }
+        },
+        {
+            "payload": {
+                "fingerprint_type": "http_quirks",
+                "order_hash": "abc123",
+                "order": ["Host", "User-Agent", "Accept"],
+                "casing_hash": "def456",
+                "casing_category": "title_case",
+                "stable_count": 3,
+                "tool_guess": "curl",
+            }
+        },
+        {
+            "payload": {
+                "fingerprint_type": "jarm",
+                "hash": "2ad2ad16d2ad2ad00042d42d000000f93d17e5fba64fc1c6f4cb080b9a5cf1e",
+            }
+        },
+    ]
+
+
+def test_fingerprint_bounties_jarm_in_protocol_fingerprints():
+    """JARM hashes from bounties appear deduplicated in protocol_fingerprints."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+        fingerprint_bounties=_fp_bounties(),
+    )
+    ta = _get_ta(bundle)
+    assert ta.extensions, "expected extension block with fingerprint bounties"
+    ext = ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    fp = ext.protocol_fingerprints
+    assert "jarm_hashes" in fp
+    assert len(fp["jarm_hashes"]) == 1, "duplicate JARM hash must be collapsed"
+    assert "http_quirks" in fp
+    assert fp["http_quirks"][0]["tool_guess"] == "curl"
+    assert fp["http_quirks"][0]["order"] == ["Host", "User-Agent", "Accept"]
+
+
+def test_fingerprint_bounties_empty_produces_no_extension():
+    """Empty fingerprint bounties with no other signal → no extension block."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+        fingerprint_bounties=[],
+    )
+    ta = _get_ta(bundle)
+    assert not getattr(ta, "extensions", None)
+
+
+def test_behave_profile_has_characterizes_relationship():
+    """When behave_profile is present the bundle contains a 'characterizes' Relationship."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=_obs(),
+    )
+    ta = _get_ta(bundle)
+    profile = next(o for o in bundle.objects if o.type == "x-decnet-behave-profile")
+    rels = [o for o in bundle.objects if o.type == "relationship"
+            and o.relationship_type == "characterizes"]
+    assert len(rels) == 1
+    rel = rels[0]
+    assert rel.source_ref == profile.id
+    assert rel.target_ref == ta.id
+
+
+def test_no_behave_profile_no_characterizes_relationship():
+    """Skinny attacker with no observations → no 'characterizes' relationship."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    rels = [o for o in bundle.objects if o.type == "relationship"
+            and o.relationship_type == "characterizes"]
+    assert len(rels) == 0
+
+
 def test_inter_decnet_round_trip():
    """Primary fidelity: stix2.parse restores typed objects, not bare dicts."""
    ident = _identity()
--- a/tests/web/test_api_export_attacker_misp.py
+++ b/tests/web/test_api_export_attacker_misp.py
@@ -113,6 +113,7 @@ def _mock_repo(*, attacker=None, intel=None, rollup=None, tags=None,
    m.list_smtp_targets = AsyncMock(return_value=smtp or [])
    m.list_attacker_commands_deduped = AsyncMock(return_value=commands or [])
    m.list_observations_by_attacker = AsyncMock(return_value=[])
+    m.get_fingerprint_bounties_by_ip = AsyncMock(return_value=[])
    return m


--- a/tests/web/test_api_export_attacker_stix.py
+++ b/tests/web/test_api_export_attacker_stix.py
@@ -129,6 +129,7 @@ def _mock_repo(*, attacker=None, identity=None, intel=None,
    m.list_smtp_targets = AsyncMock(return_value=smtp or [])
    m.list_attacker_commands_deduped = AsyncMock(return_value=commands or [])
    m.list_observations_by_attacker = AsyncMock(return_value=[])
+    m.get_fingerprint_bounties_by_ip = AsyncMock(return_value=[])
    return m


--- a/tests/web/test_api_export_attackers_misp.py
+++ b/tests/web/test_api_export_attackers_misp.py
@@ -52,6 +52,7 @@ def _mock_repo(*, rows=None, ttp_by_attacker=None):
    m.get_all_attackers_for_export = AsyncMock(return_value=rows or [])
    m.get_all_ttp_rollups_for_export = AsyncMock(return_value=ttp_by_attacker or {})
    m.get_all_observations_for_export = AsyncMock(return_value={})
+    m.get_all_fingerprint_bounties_for_export = AsyncMock(return_value={})
    return m


--- a/tests/web/test_api_export_attackers_stix.py
+++ b/tests/web/test_api_export_attackers_stix.py
@@ -53,6 +53,7 @@ def _mock_repo(*, rows=None, ttp_by_attacker=None):
    m.get_all_attackers_for_export = AsyncMock(return_value=rows or [])
    m.get_all_ttp_rollups_for_export = AsyncMock(return_value=ttp_by_attacker or {})
    m.get_all_observations_for_export = AsyncMock(return_value={})
+    m.get_all_fingerprint_bounties_for_export = AsyncMock(return_value={})
    return m