anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(intel): decnet enrich CLI + GET /attackers/{ip}/intel endpoint

Browse Source 
CLI command mirrors the reuse-correlate shape (--poll-interval, --ttl-hours,
--daemon). Run it under systemd as a sibling worker.

The API endpoint returns the most recent cached row for an attacker IP
or 404. Auth-gated via require_viewer like every other attacker route.

Also extends the worker test with a real FakeBus so the
attacker.intel.enriched publish path is exercised end-to-end (no longer
a no-op against NullBus).
This commit is contained in:
anti
2026-04-26 05:17:25 -04:00
parent cd70136d09
commit d3d9bd5aa7
5 changed files with 202 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
tests/intel/test_worker.py
View File

@@ -203,3 +203,61 @@ async def test_provider_error_does_not_poison_row(repo):
assert row["abuseipdb_score"] is None
# Aggregate reflects only the providers that responded.
assert row["aggregate_verdict"] == "benign"
@pytest.mark.anyio
async def test_intel_enriched_event_published_to_bus(repo, monkeypatch):
"""End-to-end: worker dispatches providers + publishes the event."""
from decnet.bus.fake import FakeBus
from decnet.bus.topics import ATTACKER_INTEL_ENRICHED, attacker
# Re-enable bus path; swap factory for a shared FakeBus instance the
# test can also subscribe to.
monkeypatch.setenv("DECNET_BUS_ENABLED", "true")
monkeypatch.setenv("DECNET_BUS_TYPE", "fake")
shared_bus = FakeBus()
from decnet.intel import worker as worker_mod
monkeypatch.setattr(
worker_mod, "get_bus", lambda **_: shared_bus,
)
# Subscribe before the worker starts so we don't race the publish.
sub = shared_bus.subscribe(attacker(ATTACKER_INTEL_ENRICHED))
await sub.__aenter__()
now = datetime.now(timezone.utc)
await repo.upsert_attacker(
{"ip": "4.4.4.4", "first_seen": now, "last_seen": now, "event_count": 1}
)
provider = _FakeProvider(
"greynoise",
verdict="malicious",
column_updates={
"greynoise_classification": "malicious",
"greynoise_raw": "{}",
"greynoise_queried_at": datetime.now(timezone.utc),
},
)
shutdown = asyncio.Event()
task = asyncio.create_task(
run_intel_loop(
repo,
poll_interval_secs=0.05,
providers=[provider],
shutdown=shutdown,
)
)
try:
event = await asyncio.wait_for(sub.__anext__(), timeout=2.0)
finally:
shutdown.set()
await asyncio.wait_for(task, timeout=2.0)
await sub.__aexit__(None, None, None)
payload = event.payload
assert payload["attacker_ip"] == "4.4.4.4"
assert payload["aggregate_verdict"] == "malicious"
assert payload["providers"] == ["greynoise"]

52
tests/web/test_api_attacker_intel.py Normal file
View File

@@ -0,0 +1,52 @@
"""Tests for GET /api/v1/attackers/{ip}/intel."""
from __future__ import annotations
from unittest.mock import AsyncMock, patch
import pytest
from fastapi import HTTPException
@pytest.mark.asyncio
async def test_returns_cached_intel_row():
from decnet.web.router.attackers.api_get_attacker_intel import (
get_attacker_intel,
)
fake_row = {
"attacker_ip": "1.2.3.4",
"aggregate_verdict": "malicious",
"greynoise_classification": "malicious",
"abuseipdb_score": 92,
"feodo_listed": True,
"threatfox_listed": False,
}
with patch(
"decnet.web.router.attackers.api_get_attacker_intel.repo"
) as mock_repo:
mock_repo.get_attacker_intel_by_ip = AsyncMock(return_value=fake_row)
result = await get_attacker_intel(
ip="1.2.3.4",
user={"uuid": "viewer", "role": "viewer"},
)
assert result["aggregate_verdict"] == "malicious"
assert result["abuseipdb_score"] == 92
@pytest.mark.asyncio
async def test_404_when_no_row_cached():
from decnet.web.router.attackers.api_get_attacker_intel import (
get_attacker_intel,
)
with patch(
"decnet.web.router.attackers.api_get_attacker_intel.repo"
) as mock_repo:
mock_repo.get_attacker_intel_by_ip = AsyncMock(return_value=None)
with pytest.raises(HTTPException) as excinfo:
await get_attacker_intel(
ip="0.0.0.0",
user={"uuid": "viewer", "role": "viewer"},
)
assert excinfo.value.status_code == 404
assert "No intel cached" in excinfo.value.detail