fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit of templates/* found three gaps: 1. MQTT — was working through the legacy adapter, silently dropped when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret() alongside the others. 2. Postgres — `auth, pw_hash=…` event captures the MD5 challenge-response the attacker sent. Plaintext irrecoverable, so it never fit the (principal, secret_b64=raw_bytes) shape. Lands in Credential as secret_kind="postgres_md5_challenge". 3. VNC — `auth_response, response=…hex` event captures the 16-byte DES-encrypted challenge. Same situation as Postgres: plaintext irrecoverable. Lands as secret_kind="vnc_des_response". Adds a `secret_kind` discriminator column to Credential (default "plaintext", indexed). The dedup tuple gains secret_kind so two credentials with the same sha256 but different kinds are fundamentally different rows — different challenges produce different bytes for the same plaintext password, so cross-kind reuse matches are meaningless and would only confuse analytics. The model now genuinely covers every cred-emitting service in the fleet: plaintext SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP, MQTT postgres_md5_* Postgres vnc_des_response VNC Username-only services (MySQL/MSSQL — TDS pre-encryption captures the user but never sees the password byte) intentionally don't feed Credential — they're recon signals, not cred attempts. 40 tests pass in the touched scope. New cases: secret_kind dedups independently in the repo; Postgres MD5 + VNC DES emitters thread through; MQTT round-trips through the native branch.
2026-04-25 06:16:57 -04:00
parent e696c2beb3
commit 6b16c844b6
9 changed files with 165 additions and 8 deletions
--- a/decnet/templates/mqtt/server.py
+++ b/decnet/templates/mqtt/server.py
@@ -14,7 +14,12 @@ import random
 import struct
 import instance_seed as _seed
-from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+from syslog_bridge import (
    encode_secret,
    forward_syslog,
    syslog_line,
    write_syslog_file,
 )
 NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
 SERVICE_NAME   = "mqtt"
@@ -256,7 +261,17 @@ class MQTTProtocol(asyncio.Protocol):
            if pkt_type == 1:  # CONNECT
                info = _parse_connect(payload)
-                _log("auth", **info)
+                # Migrate auth event to the universal credential SD shape
                # so the ingester's native branch picks up the row. The
                # legacy username/password keys are intentionally NOT
                # forwarded — encode_secret() supplies secret_printable
                # and secret_b64 in their place.
                _user = info.get("username", "")
                _password = info.get("password", "")
                _passthrough = {k: v for k, v in info.items()
                                if k not in ("username", "password")}
                _log("auth", username=_user, principal=_user,
                     **encode_secret(_password), **_passthrough)
                # Decide connection: accept-all > cred list > deny.
                cred = (info.get("username", ""), info.get("password", ""))
                accepted = (
--- a/decnet/templates/postgres/server.py
+++ b/decnet/templates/postgres/server.py
@@ -11,6 +11,7 @@ import os
 import struct
 import instance_seed as _seed
 import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 NODE_NAME = os.environ.get("NODE_NAME", "pgserver")
@@ -137,10 +138,27 @@ class PostgresProtocol(asyncio.Protocol):
        self._transport.write(auth_md5)
    def _handle_password(self, payload: bytes):
        # Postgres MD5 challenge-response: the wire form is the literal
        # ASCII string "md5" + 32 hex chars (md5(md5(pw+user)+salt)).
        # Plaintext is unrecoverable, so we land this in the Credential
        # table as secret_kind="postgres_md5_challenge" — secret_b64
        # carries the raw hash bytes (after stripping the "md5" prefix
        # and hex-decoding) for content-addressable reuse within-kind.
        pw_hash = payload.rstrip(b"\x00").decode(errors="replace")
-        _log("auth", src=self._peer[0], pw_hash=pw_hash,
+        _hex = pw_hash[3:] if pw_hash.startswith("md5") else pw_hash
-             username=getattr(self, "_username", ""),
+        try:
-             database=getattr(self, "_database", ""))
+            _raw = bytes.fromhex(_hex)
        except ValueError:
            _raw = _hex.encode("utf-8", errors="replace")
        _b64 = _base64.b64encode(_raw).decode("ascii")
        _user = getattr(self, "_username", "")
        _log("auth", src=self._peer[0],
             username=_user, principal=_user,
             database=getattr(self, "_database", ""),
             pw_hash=pw_hash,
             secret_kind="postgres_md5_challenge",
             secret_printable=pw_hash,
             secret_b64=_b64)
        user = getattr(self, "_username", "")
        msg = f'password authentication failed for user "{user}"'
        _seed.jitter_sync(20, 90)
--- a/decnet/templates/vnc/server.py
+++ b/decnet/templates/vnc/server.py
@@ -8,6 +8,7 @@ failed". Logs the raw response for offline cracking.
 import asyncio
 import os
 import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 NODE_NAME = os.environ.get("NODE_NAME", "desktop")
@@ -68,7 +69,16 @@ class VNCProtocol(asyncio.Protocol):
                return
            response = self._buf[:16]
            self._buf = self._buf[16:]
-            _log("auth_response", src=self._peer[0], response=response.hex())
+            # VNC protocol: 16-byte DES-encrypted challenge. Plaintext
            # password is irrecoverable, so we land this credential as
            # secret_kind="vnc_des_response" — secret_b64 carries the
            # raw 16 bytes for content-addressable within-kind reuse.
            _hex = response.hex()
            _log("auth_response", src=self._peer[0],
                 response=_hex,
                 secret_kind="vnc_des_response",
                 secret_printable=_hex,
                 secret_b64=_base64.b64encode(response).decode("ascii"))
            # SecurityResult: 1 = failed
            self._transport.write(b"\x00\x00\x00\x01")
            # Failure reason
--- a/decnet/web/db/models/logs.py
+++ b/decnet/web/db/models/logs.py
@@ -72,7 +72,22 @@ class Credential(SQLModel, table=True):
    decky_name: str = Field(index=True)
    service: str = Field(index=True)
    principal: Optional[str] = Field(default=None, index=True, max_length=256)
-    # Universal lossless secret representations.
+    # Discriminator for what `secret_b64` actually contains. Default
    # ``"plaintext"`` — a recoverable password the attacker sent on the
    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
    # the attacker sent in the Postgres password message — plaintext
    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
    # challenge response — same shape).
    #
    # Reuse semantics gracefully degrade: same secret_sha256 only
    # correlates within a single ``secret_kind``. Cross-kind matches
    # are meaningless because different challenges produce different
    # bytes for the same plaintext password.
    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
    # Universal lossless secret representations. For non-plaintext
    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
    # hex-decode for protocols that ship the response as a hex string).
    secret_sha256: str = Field(index=True, max_length=64)
    secret_b64: Optional[str] = Field(default=None, max_length=2048)
    # Best-effort printable form — non-printable bytes collapsed to '?'
--- a/decnet/web/db/sqlmodel_repo.py
+++ b/decnet/web/db/sqlmodel_repo.py
@@ -557,11 +557,13 @@ class SQLModelRepository(BaseRepository):
            payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)
        principal = payload.get("principal")
        secret_kind = payload.get("secret_kind") or "plaintext"
        async with self._session() as session:
            stmt = select(Credential).where(
                Credential.attacker_ip == payload["attacker_ip"],
                Credential.decky_name == payload["decky_name"],
                Credential.service == payload["service"],
                Credential.secret_kind == secret_kind,
                Credential.secret_sha256 == payload["secret_sha256"],
                # NULL == NULL is False under SQL — branch the predicate.
                (Credential.principal == principal) if principal is not None
@@ -582,6 +584,7 @@ class SQLModelRepository(BaseRepository):
                decky_name=payload["decky_name"],
                service=payload["service"],
                principal=principal,
                secret_kind=secret_kind,
                secret_sha256=payload["secret_sha256"],
                secret_b64=payload.get("secret_b64"),
                secret_printable=payload.get("secret_printable"),
--- a/decnet/web/ingester.py
+++ b/decnet/web/ingester.py
@@ -246,12 +246,14 @@ async def _ingest_credential_native(
    sha256_hex = hashlib.sha256(raw).hexdigest()
    principal = fields.get("principal") or fields.get("username")
    secret_printable = fields.get("secret_printable")
    secret_kind = fields.get("secret_kind") or "plaintext"
    await repo.upsert_credential({
        "attacker_ip": log_data.get("attacker_ip"),
        "decky_name": log_data.get("decky"),
        "service": log_data.get("service"),
        "principal": _truncate_with_warn(principal, _PRINCIPAL_MAX, "principal"),
        "secret_kind": secret_kind,
        "secret_sha256": sha256_hex,
        "secret_b64": _truncate_with_warn(b64, _SECRET_B64_MAX, "secret_b64"),
        "secret_printable": _truncate_with_warn(
--- a/development/DEBT.md
+++ b/development/DEBT.md
@@ -1,6 +1,6 @@
 # DECNET — Technical Debt Register
-> Last updated: 2026-04-25 — DEBT-039 resolved (six service emitters on standardized shape, legacy ingester adapter deleted).
+> Last updated: 2026-04-25 — Credential model gained `secret_kind` discriminator; Postgres MD5 + VNC DES challenge creds now land in the table; MQTT regression from the legacy-adapter removal patched.
 > Severity: 🔴 Critical · 🟠 High · 🟡 Medium · 🟢 Low
 ---
--- a/tests/db/test_credentials.py
+++ b/tests/db/test_credentials.py
@@ -123,6 +123,32 @@ async def test_get_credentials_for_attacker(repo) -> None:
    assert rows[0]["attacker_ip"] == "10.0.0.5"
@pytest.mark.anyio
 async def test_secret_kind_dedups_independently(repo) -> None:
    """Same sha256, same principal — different secret_kind = different row.
    Two rows with the same content-addressable hash but different kinds
    represent fundamentally different credentials (e.g. a plaintext
    password that happens to hash to the same value as a Postgres
    md5 challenge response is statistically impossible but semantically
    distinct anyway). Dedup must respect the kind boundary."""
    base = {
        "attacker_ip": "10.0.0.5",
        "decky_name": "decky-01",
        "service": "ssh",
        "principal": "root",
        "secret_sha256": _sha256("hunter2"),
        "secret_b64": "aHVudGVyMg==",
        "fields": {},
    }
    await repo.upsert_credential({**base, "secret_kind": "plaintext"})
    await repo.upsert_credential({**base, "secret_kind": "postgres_md5_challenge"})
    rows = await repo.get_credentials()
    assert len(rows) == 2
    kinds = {r["secret_kind"] for r in rows}
    assert kinds == {"plaintext", "postgres_md5_challenge"}
@pytest.mark.anyio
 async def test_filters(repo) -> None:
    base_secret = _sha256("a")
--- a/tests/services/test_cred_emitters.py
+++ b/tests/services/test_cred_emitters.py
@@ -154,6 +154,74 @@ async def test_ldap_principal_is_dn():
    assert cred["principal"] == "cn=admin,dc=acme,dc=com"
@pytest.mark.asyncio
 async def test_mqtt_native_shape():
    """MQTT CONNECT — username + password decoded from the wire,
    emitted as principal + secret_b64. Was silently dropped between
    Phase 3 (legacy adapter removed) and the MQTT migration commit."""
    from decnet.web.ingester import _extract_bounty
    repo = MagicMock(); repo.upsert_credential = AsyncMock()
    await _extract_bounty(repo, _native_log(
        "mqtt", principal="iotuser", password="iotpass",
    ))
    cred = repo.upsert_credential.call_args[0][0]
    assert cred["service"] == "mqtt"
    assert cred["principal"] == "iotuser"
    assert cred["secret_sha256"] == hashlib.sha256(b"iotpass").hexdigest()
@pytest.mark.asyncio
 async def test_postgres_hash_credential():
    """Postgres MD5 challenge-response — plaintext irrecoverable, lands
    as secret_kind=postgres_md5_challenge with the raw hash bytes."""
    from decnet.web.ingester import _extract_bounty
    repo = MagicMock(); repo.upsert_credential = AsyncMock()
    pw_hash = "md5" + "ab" * 16  # 32 hex chars after the "md5" prefix
    raw = bytes.fromhex("ab" * 16)
    log_data = {
        "decky": "decky-01",
        "service": "postgres",
        "attacker_ip": "10.0.0.5",
        "fields": {
            "username": "postgres",
            "principal": "postgres",
            "pw_hash": pw_hash,
            "secret_kind": "postgres_md5_challenge",
            "secret_printable": pw_hash,
            "secret_b64": base64.b64encode(raw).decode("ascii"),
        },
    }
    await _extract_bounty(repo, log_data)
    cred = repo.upsert_credential.call_args[0][0]
    assert cred["service"] == "postgres"
    assert cred["secret_kind"] == "postgres_md5_challenge"
    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
@pytest.mark.asyncio
 async def test_vnc_hash_credential():
    """VNC DES-encrypted challenge response — same shape, different kind."""
    from decnet.web.ingester import _extract_bounty
    repo = MagicMock(); repo.upsert_credential = AsyncMock()
    raw = bytes(range(16))
    log_data = {
        "decky": "decky-01",
        "service": "vnc",
        "attacker_ip": "10.0.0.5",
        "fields": {
            "response": raw.hex(),
            "secret_kind": "vnc_des_response",
            "secret_printable": raw.hex(),
            "secret_b64": base64.b64encode(raw).decode("ascii"),
        },
    }
    await _extract_bounty(repo, log_data)
    cred = repo.upsert_credential.call_args[0][0]
    assert cred["service"] == "vnc"
    assert cred["secret_kind"] == "vnc_des_response"
    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
@pytest.mark.asyncio
 async def test_lossless_b64_survives_nonprintable_password():
    """Even when secret_printable is sanitized, secret_b64 still decodes