fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit of templates/* found three gaps: 1. MQTT — was working through the legacy adapter, silently dropped when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret() alongside the others. 2. Postgres — `auth, pw_hash=…` event captures the MD5 challenge-response the attacker sent. Plaintext irrecoverable, so it never fit the (principal, secret_b64=raw_bytes) shape. Lands in Credential as secret_kind="postgres_md5_challenge". 3. VNC — `auth_response, response=…hex` event captures the 16-byte DES-encrypted challenge. Same situation as Postgres: plaintext irrecoverable. Lands as secret_kind="vnc_des_response". Adds a `secret_kind` discriminator column to Credential (default "plaintext", indexed). The dedup tuple gains secret_kind so two credentials with the same sha256 but different kinds are fundamentally different rows — different challenges produce different bytes for the same plaintext password, so cross-kind reuse matches are meaningless and would only confuse analytics. The model now genuinely covers every cred-emitting service in the fleet: plaintext SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP, MQTT postgres_md5_* Postgres vnc_des_response VNC Username-only services (MySQL/MSSQL — TDS pre-encryption captures the user but never sees the password byte) intentionally don't feed Credential — they're recon signals, not cred attempts. 40 tests pass in the touched scope. New cases: secret_kind dedups independently in the repo; Postgres MD5 + VNC DES emitters thread through; MQTT round-trips through the native branch.
2026-04-25 06:16:57 -04:00
parent e696c2beb3
commit 6b16c844b6
9 changed files with 165 additions and 8 deletions
--- a/decnet/web/db/models/logs.py
+++ b/decnet/web/db/models/logs.py
@@ -72,7 +72,22 @@ class Credential(SQLModel, table=True):
    decky_name: str = Field(index=True)
    service: str = Field(index=True)
    principal: Optional[str] = Field(default=None, index=True, max_length=256)
-    # Universal lossless secret representations.
+    # Discriminator for what `secret_b64` actually contains. Default
+    # ``"plaintext"`` — a recoverable password the attacker sent on the
+    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
+    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
+    # the attacker sent in the Postgres password message — plaintext
+    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
+    # challenge response — same shape).
+    #
+    # Reuse semantics gracefully degrade: same secret_sha256 only
+    # correlates within a single ``secret_kind``. Cross-kind matches
+    # are meaningless because different challenges produce different
+    # bytes for the same plaintext password.
+    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
+    # Universal lossless secret representations. For non-plaintext
+    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
+    # hex-decode for protocols that ship the response as a hex string).
    secret_sha256: str = Field(index=True, max_length=64)
    secret_b64: Optional[str] = Field(default=None, max_length=2048)
    # Best-effort printable form — non-printable bytes collapsed to '?'
--- a/decnet/web/db/sqlmodel_repo.py
+++ b/decnet/web/db/sqlmodel_repo.py
@@ -557,11 +557,13 @@ class SQLModelRepository(BaseRepository):
            payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)

        principal = payload.get("principal")
+        secret_kind = payload.get("secret_kind") or "plaintext"
        async with self._session() as session:
            stmt = select(Credential).where(
                Credential.attacker_ip == payload["attacker_ip"],
                Credential.decky_name == payload["decky_name"],
                Credential.service == payload["service"],
+                Credential.secret_kind == secret_kind,
                Credential.secret_sha256 == payload["secret_sha256"],
                # NULL == NULL is False under SQL — branch the predicate.
                (Credential.principal == principal) if principal is not None
@@ -582,6 +584,7 @@ class SQLModelRepository(BaseRepository):
                decky_name=payload["decky_name"],
                service=payload["service"],
                principal=principal,
+                secret_kind=secret_kind,
                secret_sha256=payload["secret_sha256"],
                secret_b64=payload.get("secret_b64"),
                secret_printable=payload.get("secret_printable"),