refactor(ingester): drop legacy cred adapter — DEBT-039 closed

Phase 3/3 of DEBT-039. Now that all six cred-emitting services (SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP) emit the universal `secret_b64`-bearing SD shape, the ingester's legacy fork has no live emitters to handle. Deletes: - `_ingest_credential_legacy()` — synthesized native fields from username+password - The `elif _fields.get("username") and _fields.get("password")` branch in `_extract_bounty` - `_printable_filter()` — only the legacy adapter called it; the native branch trusts the emitter (encode_secret() in Python or sd_escape() in C) to have already sanitized - The legacy-adapter test cases in tests/web/test_ingester.py; their coverage moved to tests/services/test_cred_emitters.py per-service in Phase 2 The cred path is now single-shape end-to-end. A pre-migration log row carrying only username+password silently produces no Credential write — by design, since no current emitter writes that shape and keeping a code path alive for theoretical legacy data risks masking emitter regressions. Pre-v1: any historical Bounty cred rows from before commit 2f47f67 stay untouched. DEBT-039 marked resolved with summary of the three commits and the silent-loss bug fix for Redis + LDAP that fell out of execution.
2026-04-25 06:04:09 -04:00
parent abb4dd9fc0
commit e696c2beb3
3 changed files with 20 additions and 145 deletions
--- a/tests/web/test_ingester.py
+++ b/tests/web/test_ingester.py
@@ -16,29 +16,6 @@ import pytest
 # ── _extract_bounty ───────────────────────────────────────────────────────────

 class TestExtractBounty:
-    @pytest.mark.asyncio
-    async def test_credential_legacy_adapter(self):
-        """FTP/POP3/IMAP/SMTP shape (username + password) → upsert_credential."""
-        from decnet.web.ingester import _extract_bounty
-        mock_repo = MagicMock()
-        mock_repo.upsert_credential = AsyncMock()
-        log_data: dict = {
-            "decky": "decky-01",
-            "service": "ftp",
-            "attacker_ip": "10.0.0.5",
-            "fields": {"username": "admin", "password": "hunter2"},
-        }
-        await _extract_bounty(mock_repo, log_data)
-        mock_repo.upsert_credential.assert_awaited_once()
-        cred = mock_repo.upsert_credential.call_args[0][0]
-        assert cred["service"] == "ftp"
-        assert cred["principal"] == "admin"
-        assert cred["secret_printable"] == "hunter2"
-        # b64 + sha256 computed over the original utf-8 bytes.
-        import base64, hashlib
-        assert cred["secret_b64"] == base64.b64encode(b"hunter2").decode()
-        assert cred["secret_sha256"] == hashlib.sha256(b"hunter2").hexdigest()
-
    @pytest.mark.asyncio
    async def test_credential_native_shape(self):
        """SSH/Telnet auth-helper shape (secret_b64) → upsert_credential."""
@@ -79,32 +56,6 @@ class TestExtractBounty:
        await _extract_bounty(mock_repo, log_data)
        mock_repo.upsert_credential.assert_not_awaited()

-    @pytest.mark.asyncio
-    async def test_credential_legacy_sanitizes_nonprintable(self):
-        """Non-printable bytes in legacy password collapse to '?' in
-        secret_printable; b64 + sha256 reflect the ORIGINAL bytes."""
-        from decnet.web.ingester import _extract_bounty
-        import base64, hashlib
-        mock_repo = MagicMock()
-        mock_repo.upsert_credential = AsyncMock()
-        # ANSI escape + NUL byte in the password.
-        bad_pw = "\x1b[31mbad\x00trail"
-        log_data: dict = {
-            "decky": "decky-01",
-            "service": "ftp",
-            "attacker_ip": "10.0.0.5",
-            "fields": {"username": "user", "password": bad_pw},
-        }
-        await _extract_bounty(mock_repo, log_data)
-        cred = mock_repo.upsert_credential.call_args[0][0]
-        # No 0x1b, no NUL — collapsed to '?'.
-        assert "\x1b" not in cred["secret_printable"]
-        assert "\x00" not in cred["secret_printable"]
-        # Original bytes survive in b64 + sha256.
-        raw = bad_pw.encode("utf-8")
-        assert base64.b64decode(cred["secret_b64"]) == raw
-        assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
-
    @pytest.mark.asyncio
    async def test_no_fields_skips(self):
        from decnet.web.ingester import _extract_bounty
@@ -122,21 +73,19 @@ class TestExtractBounty:
        mock_repo.upsert_credential.assert_not_awaited()

    @pytest.mark.asyncio
-    async def test_missing_password_skips(self):
+    async def test_no_secret_b64_no_credential(self):
+        """The native branch keys off `secret_b64`. Fields lacking it
+        produce no Credential row — even if username/password keys
+        from the pre-migration era are present, they're now ignored."""
        from decnet.web.ingester import _extract_bounty
        mock_repo = MagicMock()
        mock_repo.upsert_credential = AsyncMock()
-        await _extract_bounty(mock_repo, {"fields": {"username": "admin"}})
+        # Pre-migration shape — adapter is gone; this is a no-op path.
+        await _extract_bounty(mock_repo, {
+            "fields": {"username": "admin", "password": "stale"},
+        })
        mock_repo.upsert_credential.assert_not_awaited()

-    @pytest.mark.asyncio
-    async def test_missing_username_skips(self):
-        from decnet.web.ingester import _extract_bounty
-        mock_repo = MagicMock()
-        mock_repo.add_bounty = AsyncMock()
-        await _extract_bounty(mock_repo, {"fields": {"password": "pass"}})
-        mock_repo.add_bounty.assert_not_awaited()
-

 # ── log_ingestion_worker ──────────────────────────────────────────────────────