feat(geoip): country-code enrichment via RIR delegated-stats

Populates Attacker.country_code + country_source (MVP) using the five RIR delegated-stats files (ARIN/RIPE/APNIC/LACNIC/AFRINIC). Offline, license-free, no outbound traffic that could burn honeypot stealth. - decnet.geoip package with factory/base/lookup + rir/ subpackage (fetch/parse/provider) mirroring the db + bus factory convention - Profiler._build_record calls enrich_ip on every upsert - Idempotent ALTER TABLE migrations for both SQLite and MySQL - decnet geoip refresh/lookup CLI (master-only) - /var/lib/decnet/geoip seeded by decnet init - DECNET_GEOIP_ENABLED=false kill-switch; set in tests/conftest.py so unit tests never trigger the first-access fetch
2026-04-23 21:12:38 -04:00
parent 07bf3dc8cb
commit ffc275f051
24 changed files with 969 additions and 6 deletions
--- a/decnet/web/db/models/attackers.py
+++ b/decnet/web/db/models/attackers.py
@@ -39,6 +39,10 @@ class Attacker(SQLModel, table=True):
    commands: str = Field(
        default="[]", sa_column=Column("commands", _BIG_TEXT, nullable=False, default="[]")
    )  # JSON list[dict] — commands per service/decky
+    # GeoIP enrichment (populated by the profiler from decnet.geoip.enrich_ip).
+    # Nullable because private / loopback / IPv6 sources never resolve.
+    country_code: Optional[str] = Field(default=None, max_length=2, index=True)
+    country_source: Optional[str] = Field(default=None, max_length=16)
    updated_at: datetime = Field(
        default_factory=lambda: datetime.now(timezone.utc), index=True
    )
--- a/decnet/web/db/mysql/repository.py
+++ b/decnet/web/db/mysql/repository.py
@@ -35,16 +35,32 @@ class MySQLRepository(SQLModelRepository):
    async def _migrate_attackers_table(self) -> None:
        """Drop the legacy (pre-UUID) ``attackers`` table if it exists without a ``uuid`` column.

-        MySQL exposes column metadata via ``information_schema.COLUMNS``.
-        ``DATABASE()`` scopes the lookup to the currently connected schema.
+        Also adds the GeoIP columns (``country_code``, ``country_source``)
+        to existing tables that predate them. MySQL exposes column
+        metadata via ``information_schema.COLUMNS``; ``DATABASE()`` scopes
+        the lookup to the currently connected schema.
        """
        async with self.engine.begin() as conn:
            rows = (await conn.execute(text(
                "SELECT COLUMN_NAME FROM information_schema.COLUMNS "
                "WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'attackers'"
            ))).fetchall()
-            if rows and not any(r[0] == "uuid" for r in rows):
+            if not rows:
+                return  # table absent; create_all() handles it.
+            if not any(r[0] == "uuid" for r in rows):
                await conn.execute(text("DROP TABLE attackers"))
+                return
+            existing_cols = {r[0] for r in rows}
+            if "country_code" not in existing_cols:
+                await conn.execute(text(
+                    "ALTER TABLE attackers "
+                    "ADD COLUMN country_code VARCHAR(2) NULL, "
+                    "ADD INDEX ix_attackers_country_code (country_code)"
+                ))
+            if "country_source" not in existing_cols:
+                await conn.execute(text(
+                    "ALTER TABLE attackers ADD COLUMN country_source VARCHAR(16) NULL"
+                ))

    async def _migrate_column_types(self) -> None:
        """Upgrade TEXT → MEDIUMTEXT for columns that accumulate large JSON blobs.
--- a/decnet/web/db/sqlite/repository.py
+++ b/decnet/web/db/sqlite/repository.py
@@ -26,11 +26,33 @@ class SQLiteRepository(SQLModelRepository):
        )

    async def _migrate_attackers_table(self) -> None:
-        """Drop the old attackers table if it lacks the uuid column (pre-UUID schema)."""
+        """Drop the old attackers table if it lacks the uuid column (pre-UUID schema).
+
+        Also adds the GeoIP columns (``country_code``, ``country_source``)
+        to existing tables that predate them. SQLite's
+        ``ALTER TABLE ADD COLUMN`` is idempotent only if we gate on
+        ``PRAGMA table_info`` first — re-adding raises.
+        """
        async with self.engine.begin() as conn:
            rows = (await conn.execute(text("PRAGMA table_info(attackers)"))).fetchall()
            if rows and not any(r[1] == "uuid" for r in rows):
                await conn.execute(text("DROP TABLE attackers"))
+                return  # create_all() rebuilds fresh — no need to patch columns.
+            if not rows:
+                return  # table absent; create_all() handles it.
+            existing_cols = {r[1] for r in rows}
+            if "country_code" not in existing_cols:
+                await conn.execute(text(
+                    "ALTER TABLE attackers ADD COLUMN country_code VARCHAR(2)"
+                ))
+                await conn.execute(text(
+                    "CREATE INDEX IF NOT EXISTS ix_attackers_country_code "
+                    "ON attackers (country_code)"
+                ))
+            if "country_source" not in existing_cols:
+                await conn.execute(text(
+                    "ALTER TABLE attackers ADD COLUMN country_source VARCHAR(16)"
+                ))

    def _json_field_equals(self, key: str):
        # SQLite stores JSON as text; json_extract is the canonical accessor.