merge: testing → main (reconcile 2-week divergence)

2026-04-28 18:36:00 -04:00
parent 499836c9e4
commit 862e4dbb31
1235 changed files with 160255 additions and 7996 deletions
--- a/decnet/web/db/models/logs.py
+++ b/decnet/web/db/models/logs.py
@@ -0,0 +1,222 @@
+"""Log / Bounty / Credential / State tables + their list-response DTOs."""
+from datetime import datetime, timezone
+from typing import Any, List, Optional
+
+from pydantic import BaseModel
+from sqlalchemy import Column, Index, Text, UniqueConstraint
+from sqlmodel import Field, SQLModel
+
+from ._base import _BIG_TEXT
+
+
+class Log(SQLModel, table=True):
+    __tablename__ = "logs"
+    id: Optional[int] = Field(default=None, primary_key=True)
+    timestamp: datetime = Field(default_factory=lambda: datetime.now(timezone.utc), index=True)
+    decky: str = Field(index=True)
+    service: str = Field(index=True)
+    event_type: str = Field(index=True)
+    attacker_ip: str = Field(index=True)
+    # Long-text columns — use TEXT so MySQL DDL doesn't truncate to VARCHAR(255).
+    # TEXT is equivalent to plain text in SQLite.
+    raw_line: str = Field(sa_column=Column("raw_line", Text, nullable=False))
+    fields: str = Field(sa_column=Column("fields", Text, nullable=False))
+    msg: Optional[str] = Field(default=None, sa_column=Column("msg", Text, nullable=True))
+    # OTEL trace context — bridges the collector→ingester trace to the SSE
+    # read path.  Nullable so pre-existing rows and non-traced deployments
+    # are unaffected.
+    trace_id: Optional[str] = Field(default=None)
+    span_id: Optional[str] = Field(default=None)
+
+
+class Bounty(SQLModel, table=True):
+    __tablename__ = "bounty"
+    id: Optional[int] = Field(default=None, primary_key=True)
+    timestamp: datetime = Field(default_factory=lambda: datetime.now(timezone.utc), index=True)
+    decky: str = Field(index=True)
+    service: str = Field(index=True)
+    attacker_ip: str = Field(index=True)
+    bounty_type: str = Field(index=True)
+    payload: str = Field(sa_column=Column("payload", Text, nullable=False))
+
+
+class Credential(SQLModel, table=True):
+    """One observed credential attempt against a decky service.
+
+    Forward-compatible across every auth-bearing service in the fleet:
+    SSH user+pass, Telnet user+pass, SMTP domain+pass, LDAP dn+pass,
+    Redis password-only, etc. The two universal lossless representations
+    (``secret_b64`` + ``secret_sha256``) hoist to indexed columns so
+    cross-service reuse queries don't scan opaque JSON.
+
+    Per-service identity (the human-meaningful "who's authenticating")
+    lives in ``principal`` — username for SSH, domain for SMTP, dn for
+    LDAP. Nullable for principal-less mechanisms (Redis AUTH, bearer
+    tokens). Fully service-specific keys ride in ``fields`` JSON.
+
+    Dedup contract: same (attacker_ip, decky, service, secret_sha256,
+    principal_or_empty) tuple → upsert, bumps ``attempt_count`` and
+    ``last_seen``. Different secret or different principal → new row.
+
+    ``attacker_uuid`` is backfilled by the profiler once an Attacker row
+    has been minted for the source IP. It is nullable on first write so
+    the credential ingest path stays decoupled from the profiler.
+    """
+    __tablename__ = "credentials"
+    __table_args__ = (
+        Index("ix_credentials_secret_service", "secret_sha256", "service"),
+        Index("ix_credentials_principal_service", "principal", "service"),
+    )
+    id: Optional[int] = Field(default=None, primary_key=True)
+    # Keyed by attacker IP (not attackers.uuid) on the write path to
+    # avoid the chicken-and-egg of landing a credential before the
+    # profiler has minted the Attacker. The profiler backfills
+    # ``attacker_uuid`` once it knows the IP, so cross-IP reuse queries
+    # eventually have an indexed FK to traverse.
+    attacker_ip: str = Field(index=True)
+    attacker_uuid: Optional[str] = Field(
+        default=None, foreign_key="attackers.uuid", index=True
+    )
+    decky_name: str = Field(index=True)
+    service: str = Field(index=True)
+    principal: Optional[str] = Field(default=None, index=True, max_length=256)
+    # Discriminator for what `secret_b64` actually contains. Default
+    # ``"plaintext"`` — a recoverable password the attacker sent on the
+    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
+    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
+    # the attacker sent in the Postgres password message — plaintext
+    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
+    # challenge response — same shape).
+    #
+    # Reuse semantics gracefully degrade: same secret_sha256 only
+    # correlates within a single ``secret_kind``. Cross-kind matches
+    # are meaningless because different challenges produce different
+    # bytes for the same plaintext password.
+    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
+    # Universal lossless secret representations. For non-plaintext
+    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
+    # hex-decode for protocols that ship the response as a hex string).
+    secret_sha256: str = Field(index=True, max_length=64)
+    secret_b64: Optional[str] = Field(default=None, max_length=2048)
+    # Best-effort printable form — non-printable bytes collapsed to '?'
+    # by either auth-helper.c (SSH/Telnet) or the ingester's legacy
+    # adapter (FTP/POP3/IMAP/SMTP). May be lossy on non-UTF8.
+    secret_printable: Optional[str] = Field(default=None, max_length=512)
+    outcome: Optional[str] = Field(default=None, max_length=16)  # success|failure|observed
+    fields: str = Field(
+        sa_column=Column("fields", _BIG_TEXT, nullable=False, default="{}")
+    )
+    first_seen: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+    last_seen: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+    attempt_count: int = Field(default=1)
+
+
+class CredentialReuse(SQLModel, table=True):
+    """One observed credential reuse pattern across deckies and/or services.
+
+    A row here is a *finding* produced by the correlator: the same
+    ``(secret_sha256, secret_kind, principal)`` tuple was observed
+    against ``target_count`` distinct decky×service pairs. Upserted on
+    that natural key — the row accumulates new deckies/services/IPs
+    over time as the credential is reused.
+
+    The ``confidence`` column is reserved for a future fuzzy-match pass
+    (credential variants, e.g. ``hunter2`` vs ``hunter22``); rows
+    written by the exact-secret correlator are always 1.0.
+    """
+    __tablename__ = "credential_reuse"
+    __table_args__ = (
+        UniqueConstraint(
+            "secret_sha256", "secret_kind", "principal_key",
+            name="uq_credential_reuse_secret_principal",
+        ),
+    )
+    id: str = Field(primary_key=True, max_length=36)
+    secret_sha256: str = Field(index=True, max_length=64)
+    secret_kind: str = Field(index=True, max_length=32)
+    # Optional human-readable principal (e.g. "root"). Nullable — for
+    # cross-principal reuse rows we leave this null, but we still need
+    # a unique constraint, so ``principal_key`` is the non-null
+    # canonicalised form ("" when principal is null) used in the
+    # uniqueness tuple. SQLite's NULLs-distinct-in-UNIQUE behaviour
+    # would otherwise let duplicate null-principal rows through.
+    principal: Optional[str] = Field(default=None, max_length=256)
+    principal_key: str = Field(default="", max_length=256)
+    attacker_uuids: str = Field(
+        default="[]",
+        sa_column=Column("attacker_uuids", _BIG_TEXT, nullable=False, default="[]"),
+    )  # JSON list[str]
+    attacker_ips: str = Field(
+        default="[]",
+        sa_column=Column("attacker_ips", _BIG_TEXT, nullable=False, default="[]"),
+    )  # JSON list[str]
+    deckies: str = Field(
+        default="[]",
+        sa_column=Column("deckies", _BIG_TEXT, nullable=False, default="[]"),
+    )  # JSON list[str]
+    services: str = Field(
+        default="[]",
+        sa_column=Column("services", _BIG_TEXT, nullable=False, default="[]"),
+    )  # JSON list[str]
+    # COUNT(DISTINCT decky||':'||service). The discriminative scalar
+    # for ranking and filtering — a credential seen on 12 targets is
+    # far more interesting than one seen on 2.
+    target_count: int = Field(default=0, index=True)
+    attempt_count: int = Field(default=0)
+    confidence: float = Field(default=1.0)
+    first_seen: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+    last_seen: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+    updated_at: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+
+
+class CredentialReuseResponse(BaseModel):
+    total: int
+    limit: int
+    offset: int
+    data: List[dict[str, Any]]
+
+
+class State(SQLModel, table=True):
+    __tablename__ = "state"
+    key: str = Field(primary_key=True)
+    # JSON-serialized DecnetConfig or other state blobs — can be large as
+    # deckies/services accumulate.  MEDIUMTEXT on MySQL (16 MiB ceiling).
+    value: str = Field(sa_column=Column("value", _BIG_TEXT, nullable=False))
+
+
+class LogsResponse(BaseModel):
+    total: int
+    limit: int
+    offset: int
+    data: List[dict[str, Any]]
+
+
+class BountyResponse(BaseModel):
+    total: int
+    limit: int
+    offset: int
+    data: List[dict[str, Any]]
+
+
+class CredentialsResponse(BaseModel):
+    total: int
+    limit: int
+    offset: int
+    data: List[dict[str, Any]]
+
+
+class StatsResponse(BaseModel):
+    total_logs: int
+    unique_attackers: int
+    active_deckies: int
+    deployed_deckies: int