anti
8cbb7834ef
Adds GET /attackers/{uuid}/smtp-targets (viewer) and GET /attackers/{uuid}/mail
(admin) endpoints, plus two new sections on the attacker detail page:
VICTIM DOMAINS rollup (aggregate-only, federation-gossip-safe) and STORED MAIL
with a drawer that decodes headers, lists attachments, and downloads the raw
.eml via the existing artifact endpoint (?service=smtp).
38 lines
1.3 KiB
Python
38 lines
1.3 KiB
Python
from typing import Any
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
|
|
from decnet.telemetry import traced as _traced
|
|
from decnet.web.dependencies import require_admin, repo
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get(
|
|
"/attackers/{uuid}/mail",
|
|
tags=["Attacker Profiles"],
|
|
responses={
|
|
401: {"description": "Could not validate credentials"},
|
|
403: {"description": "Admin access required"},
|
|
404: {"description": "Attacker not found"},
|
|
},
|
|
)
|
|
@_traced("api.get_attacker_mail")
|
|
async def get_attacker_mail(
|
|
uuid: str,
|
|
admin: dict = Depends(require_admin),
|
|
) -> dict[str, Any]:
|
|
"""List stored messages this attacker relayed via the SMTP honeypots.
|
|
|
|
Each entry is a ``message_stored`` log row — headers + attachment
|
|
manifest live in ``fields``; the raw .eml bytes are fetched via
|
|
``/artifacts/{decky}/{stored_as}?service=smtp`` (also admin-gated).
|
|
Admin-only because message bodies are attacker-controlled content
|
|
and may include phishing kits / malware droppers.
|
|
"""
|
|
attacker = await repo.get_attacker_by_uuid(uuid)
|
|
if not attacker:
|
|
raise HTTPException(status_code=404, detail="Attacker not found")
|
|
rows = await repo.get_attacker_stored_mail(uuid)
|
|
return {"total": len(rows), "data": rows}
|