From e1eda1e75418c395042a2861f994065290547e4c Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Thu, 21 May 2026 16:14:51 -0400
Subject: [PATCH] feat(profiler): wire enrich_rpki into _build_record

Import enrich_rpki from decnet.rpki and call it inline after the
ASN lookup. bgp_prefix, rpki_status, rpki_source added to the
record dict that feeds the Attacker upsert. enrich_rpki short-circuits
to (None, None) when asn is None, so private / unannounced IPs
never hit RIPE STAT.
---
 decnet/profiler/worker.py               |  4 ++
 tests/rpki/conftest.py                  | 18 ++++++
 tests/rpki/test_profiler_integration.py | 78 +++++++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 tests/rpki/conftest.py
 create mode 100644 tests/rpki/test_profiler_integration.py

diff --git a/decnet/profiler/worker.py b/decnet/profiler/worker.py
index 83510298..a7602881 100644
--- a/decnet/profiler/worker.py
+++ b/decnet/profiler/worker.py
@@ -33,6 +33,7 @@ from decnet.correlation.engine import CorrelationEngine
 from decnet.correlation.parser import LogEvent
 from decnet.asn import enrich_ip as enrich_ip_asn
 from decnet.geoip import enrich_ip
+from decnet.rpki import enrich_rpki
 from decnet.geoip.ptr import resolve_ptr_record
 from decnet.logging import get_logger
 from decnet.profiler.behave_shell._handler import handle_session_ended
@@ -357,6 +358,7 @@ def _build_record(
     credential_count = sum(1 for b in bounties if b.get("bounty_type") == "credential")
     country_code, country_source = enrich_ip(ip)
     asn, as_name, bgp_prefix, asn_source = enrich_ip_asn(ip)
+    rpki_status, rpki_source = enrich_rpki(ip, asn)
 
     record: dict[str, Any] = {
         "ip": ip,
@@ -379,6 +381,8 @@ def _build_record(
         "as_name": as_name,
         "bgp_prefix": bgp_prefix,
         "asn_source": asn_source,
+        "rpki_status": rpki_status,
+        "rpki_source": rpki_source,
         "updated_at": datetime.now(timezone.utc),
     }
     # ptr_record is omitted from the dict entirely when the caller didn't
diff --git a/tests/rpki/conftest.py b/tests/rpki/conftest.py
new file mode 100644
index 00000000..e274a9fc
--- /dev/null
+++ b/tests/rpki/conftest.py
@@ -0,0 +1,18 @@
+"""Sandbox the RPKI validator into a tmp dir so no real
+/var/lib/decnet paths get touched and no real RIPE STAT calls are made."""
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def _rpki_sandbox(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
+    monkeypatch.setenv("DECNET_RPKI_ENABLED", "true")
+    monkeypatch.setenv("DECNET_RPKI_ROOT", str(tmp_path))
+    import decnet.rpki.factory as _f
+    import decnet.rpki.paths as _p
+    monkeypatch.setattr(_p, "RPKI_ROOT", tmp_path)
+    _f.reset_cache()
+    return tmp_path
diff --git a/tests/rpki/test_profiler_integration.py b/tests/rpki/test_profiler_integration.py
new file mode 100644
index 00000000..360ecce1
--- /dev/null
+++ b/tests/rpki/test_profiler_integration.py
@@ -0,0 +1,78 @@
+"""_build_record must thread RPKI fields through to the upsert payload."""
+from __future__ import annotations
+
+import gzip
+from datetime import datetime, timezone
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+from decnet.correlation.parser import LogEvent
+from decnet.profiler.worker import _build_record
+from decnet.rpki.base import RpkiResult
+
+
+def _evt(ip: str) -> LogEvent:
+    return LogEvent(
+        timestamp=datetime(2026, 4, 23, tzinfo=timezone.utc),
+        attacker_ip=ip,
+        decky="decky-01",
+        service="ssh",
+        event_type="conn",
+        fields={},
+        raw="",
+    )
+
+
+def _seed_asn(root: Path) -> None:
+    target = root / "ip2asn-v4.tsv.gz"
+    with gzip.open(target, "wt", encoding="utf-8") as fh:
+        fh.write("8.8.8.0\t8.8.8.255\t15169\tUS\tGOOGLE\n")
+
+
+def test_build_record_includes_rpki_when_resolved(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    _seed_asn(tmp_path)
+
+    def _stub_validate(self, ip: str, asn: int) -> RpkiResult:
+        return RpkiResult(status="valid", prefix="8.8.8.0/24")
+
+    with patch(
+        "decnet.rpki.ripestat.validator.RipeStatValidator.validate",
+        _stub_validate,
+    ):
+        record = _build_record("8.8.8.8", [_evt("8.8.8.8")], None, [], [])
+
+    assert record["bgp_prefix"] == "8.8.8.0/24"
+    assert record["rpki_status"] == "valid"
+    assert record["rpki_source"] == "ripestat"
+
+
+def test_build_record_rpki_none_for_private(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    _seed_asn(tmp_path)
+    record = _build_record("10.0.0.1", [_evt("10.0.0.1")], None, [], [])
+    assert record["rpki_status"] is None
+    assert record["rpki_source"] is None
+
+
+def test_build_record_rpki_unknown_on_network_failure(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    _seed_asn(tmp_path)
+
+    def _fail(self, ip: str, asn: int) -> RpkiResult:
+        raise OSError("connection refused")
+
+    with patch(
+        "decnet.rpki.ripestat.validator.RipeStatValidator.validate",
+        _fail,
+    ):
+        record = _build_record("8.8.8.8", [_evt("8.8.8.8")], None, [], [])
+
+    # enrich_rpki wraps the validator — any exception collapses to (None, None)
+    assert record["rpki_status"] is None
+    assert record["rpki_source"] is None