fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit of templates/* found three gaps: 1. MQTT — was working through the legacy adapter, silently dropped when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret() alongside the others. 2. Postgres — `auth, pw_hash=…` event captures the MD5 challenge-response the attacker sent. Plaintext irrecoverable, so it never fit the (principal, secret_b64=raw_bytes) shape. Lands in Credential as secret_kind="postgres_md5_challenge". 3. VNC — `auth_response, response=…hex` event captures the 16-byte DES-encrypted challenge. Same situation as Postgres: plaintext irrecoverable. Lands as secret_kind="vnc_des_response". Adds a `secret_kind` discriminator column to Credential (default "plaintext", indexed). The dedup tuple gains secret_kind so two credentials with the same sha256 but different kinds are fundamentally different rows — different challenges produce different bytes for the same plaintext password, so cross-kind reuse matches are meaningless and would only confuse analytics. The model now genuinely covers every cred-emitting service in the fleet: plaintext SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP, MQTT postgres_md5_* Postgres vnc_des_response VNC Username-only services (MySQL/MSSQL — TDS pre-encryption captures the user but never sees the password byte) intentionally don't feed Credential — they're recon signals, not cred attempts. 40 tests pass in the touched scope. New cases: secret_kind dedups independently in the repo; Postgres MD5 + VNC DES emitters thread through; MQTT round-trips through the native branch.
2026-04-25 06:16:57 -04:00
parent e696c2beb3
commit 6b16c844b6
9 changed files with 165 additions and 8 deletions
--- a/decnet/templates/mqtt/server.py
+++ b/decnet/templates/mqtt/server.py
@@ -14,7 +14,12 @@ import random
 import struct

 import instance_seed as _seed
-from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+from syslog_bridge import (
+    encode_secret,
+    forward_syslog,
+    syslog_line,
+    write_syslog_file,
+)

 NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
 SERVICE_NAME   = "mqtt"
@@ -256,7 +261,17 @@ class MQTTProtocol(asyncio.Protocol):

            if pkt_type == 1:  # CONNECT
                info = _parse_connect(payload)
-                _log("auth", **info)
+                # Migrate auth event to the universal credential SD shape
+                # so the ingester's native branch picks up the row. The
+                # legacy username/password keys are intentionally NOT
+                # forwarded — encode_secret() supplies secret_printable
+                # and secret_b64 in their place.
+                _user = info.get("username", "")
+                _password = info.get("password", "")
+                _passthrough = {k: v for k, v in info.items()
+                                if k not in ("username", "password")}
+                _log("auth", username=_user, principal=_user,
+                     **encode_secret(_password), **_passthrough)
                # Decide connection: accept-all > cred list > deny.
                cred = (info.get("username", ""), info.get("password", ""))
                accepted = (