DECNET

anti/DECNET

Fork 0

Commit Graph

Author	SHA1	Message	Date
anti	5f8149daee	feat(prober-cert): capture leaf TLS cert after successful JARM JARM probes are crafted ClientHellos with weird ciphers — they never complete a real handshake, so the peer cert isn't reachable from those sockets. After a non-empty JARM hash proves the port speaks TLS, do a separate ssl.wrap_socket() against the same (ip, port) to fetch and parse the leaf cert. - decnet/prober/tlscert.py: fetch + parse via cryptography lib; swallows all connect/handshake/parse failures (returns None). - decnet/prober/worker.py::_capture_tls_cert: emits a tls_certificate event with subject_cn / issuer / SANs / validity / SHA-256 + publishes on the bus. Wired from _jarm_phase only when JARM succeeds, so non-TLS ports never trigger a second connect. - Tests cover happy path, cert-fetch failure, defense-in-depth crash, empty-JARM skip, publish_fn, and parser edge cases (garbage DER, empty bytes, missing SAN extension, non-self-signed).	2026-04-28 11:14:44 -04:00
anti	6b407e8c9c	fix(tests): align stale tests with current behavior - swarm/test_swarm_api, swarm/test_heartbeat: replace deprecated asyncio.get_event_loop().run_until_complete() with asyncio.run(); the former raises in 3.11 once another test has set+closed a loop on the main thread. - prober/test_prober_bus, prober/test_prober_worker: extend tcp_fingerprint mocks with tos/dscp/ecn/server_isn so the worker doesn't KeyError into the prober_error branch. - services/test_service_isolation: collector now retries on event-stream errors instead of exiting; assert it stays running and cancel cleanly. - live/test_imap_live, live/test_pop3_live: log format emits outcome="failure", not "failed". - live/test_service_isolation_live: is_service_container accepts label OR state-name; rewrite the empty-state test against a synthetic unlabeled container instead of the host's real fleet.	2026-04-28 00:44:40 -04:00
anti	ea95a009df	refactor(tests): move flat tests/.py into per-subsystem subfolders Groups every flat test_.py under the module it exercises, matching the existing tests/{profiler,sniffer,prober,collector,correlation,cli,web, topology,swarm,bus,updater,api,docker,geoip,...} layout. New folders: services/, fleet/, config/, logging/, db/ (+ db/mysql/), telemetry/, mutator/, core/. Path-dependent __file__ references bumped an extra .parent in three files that moved one level deeper: - tests/sniffer/test_sniffer_ja3.py (template path) - tests/services/test_ssh_capture_emit.py (template path) - tests/cli/test_mode_gating.py (REPO root) - tests/web/test_env_lazy_jwt.py (repo var) Also drops two SQLite runtime artifacts (test_decnet.db-{shm,wal}) that were leaking into the repo from a previous test run. Fixes two test_service_isolation cases that patched asyncio.sleep (no longer on the profiler main-loop hot path — same pre-existing bug I fixed earlier in test_attacker_worker.py) by patching asyncio.wait_for and passing interval=0.	2026-04-23 21:34:25 -04:00

Author

SHA1

Message

Date

anti

5f8149daee

feat(prober-cert): capture leaf TLS cert after successful JARM

JARM probes are crafted ClientHellos with weird ciphers — they never
complete a real handshake, so the peer cert isn't reachable from
those sockets. After a non-empty JARM hash proves the port speaks
TLS, do a separate ssl.wrap_socket() against the same (ip, port) to
fetch and parse the leaf cert.

- decnet/prober/tlscert.py: fetch + parse via cryptography lib;
  swallows all connect/handshake/parse failures (returns None).
- decnet/prober/worker.py::_capture_tls_cert: emits a tls_certificate
  event with subject_cn / issuer / SANs / validity / SHA-256 +
  publishes on the bus. Wired from _jarm_phase only when JARM
  succeeds, so non-TLS ports never trigger a second connect.
- Tests cover happy path, cert-fetch failure, defense-in-depth crash,
  empty-JARM skip, publish_fn, and parser edge cases (garbage DER,
  empty bytes, missing SAN extension, non-self-signed).

2026-04-28 11:14:44 -04:00

anti

6b407e8c9c

fix(tests): align stale tests with current behavior

- swarm/test_swarm_api, swarm/test_heartbeat: replace deprecated
  asyncio.get_event_loop().run_until_complete() with asyncio.run();
  the former raises in 3.11 once another test has set+closed a loop on
  the main thread.
- prober/test_prober_bus, prober/test_prober_worker: extend tcp_fingerprint
  mocks with tos/dscp/ecn/server_isn so the worker doesn't KeyError into
  the prober_error branch.
- services/test_service_isolation: collector now retries on event-stream
  errors instead of exiting; assert it stays running and cancel cleanly.
- live/test_imap_live, live/test_pop3_live: log format emits
  outcome="failure", not "failed".
- live/test_service_isolation_live: is_service_container accepts label
  OR state-name; rewrite the empty-state test against a synthetic
  unlabeled container instead of the host's real fleet.

2026-04-28 00:44:40 -04:00

anti

ea95a009df

refactor(tests): move flat tests/*.py into per-subsystem subfolders

Groups every flat test_*.py under the module it exercises, matching the
existing tests/{profiler,sniffer,prober,collector,correlation,cli,web,
topology,swarm,bus,updater,api,docker,geoip,...} layout. New folders:
services/, fleet/, config/, logging/, db/ (+ db/mysql/), telemetry/,
mutator/, core/.

Path-dependent __file__ references bumped an extra .parent in three
files that moved one level deeper:
- tests/sniffer/test_sniffer_ja3.py   (template path)
- tests/services/test_ssh_capture_emit.py (template path)
- tests/cli/test_mode_gating.py  (REPO root)
- tests/web/test_env_lazy_jwt.py (repo var)

Also drops two SQLite runtime artifacts (test_decnet.db-{shm,wal}) that
were leaking into the repo from a previous test run.

Fixes two test_service_isolation cases that patched asyncio.sleep (no
longer on the profiler main-loop hot path — same pre-existing bug I
fixed earlier in test_attacker_worker.py) by patching asyncio.wait_for
and passing interval=0.

2026-04-23 21:34:25 -04:00

3 Commits