anti
5a34371009
Resolve each attacker IP's rDNS name once at first sighting, store on
Attacker.ptr_record, render on AttackerDetail under ORIGIN. Many
attackers run infrastructure with forgotten rDNS that instantly
identifies them once surfaced: scan-node-42.shodan.io,
shady-vps.leasecloud.net, etc.
Resolver lives in decnet/geoip/ptr.py — colocated with enrich_ip
because the shape matches (take an IP, return supplementary
metadata, never raise). Uses the OS resolver via socket.gethostbyaddr
offloaded to the default executor, wrapped with asyncio.wait_for
timeout=2s so a slow authoritative NS can't stall the profiler tick.
Profiler side: _WorkerState grows a ptr_attempted: set[str] bounding
resolution to once per worker lifetime. Cold-start batches resolve
concurrently (Semaphore(_PTR_CONCURRENCY=10)) so a backlog doesn't
serialize 2s ceilings. _build_record gains a keyword-only ptr_record
parameter that, when _UNSET, omits the key from the record dict —
upsert_attacker's attribute-merge loop then preserves whatever's
stored on the row. Explicit None is a "fresh failed attempt" signal
and gets written through.
Env kill-switch DECNET_PTR_ENABLED=false for locked-down deploys
where egress DNS is forbidden. Private / loopback / link-local /
multicast / reserved addresses short-circuit before any DNS call.
IPv6 reverse DNS works transparently through the stdlib resolver.
Schema change — run once on upgrade:
ALTER TABLE attackers
ADD COLUMN ptr_record VARCHAR(256) NULL DEFAULT NULL;
Or drop-and-recreate on dev boxes (db-reset's SQLModel.metadata-driven
table discovery now picks it up automatically since ba155b7).
tests/conftest.py disables DECNET_PTR_ENABLED globally for the same
reason it disables DECNET_GEOIP_ENABLED — unit tests must never hit
the network. tests/geoip/test_ptr.py re-enables explicitly via an
autouse fixture.
42 lines
1.8 KiB
Python
42 lines
1.8 KiB
Python
"""
|
|
Shared pytest configuration.
|
|
|
|
Env vars required by decnet.env must be set here, at module level, before
|
|
any test file imports decnet.* — pytest loads conftest.py first.
|
|
"""
|
|
import os
|
|
import tempfile
|
|
|
|
# Redirect log paths to a user-writable tempdir so unprivileged test runs
|
|
# (CI, local sans-sudo) don't try to mkdir /var/log/decnet.
|
|
_TEST_LOG_DIR = os.path.join(tempfile.gettempdir(), "decnet-tests-logs")
|
|
os.makedirs(_TEST_LOG_DIR, exist_ok=True)
|
|
os.environ.setdefault("DECNET_LOG_FILE", os.path.join(_TEST_LOG_DIR, "decnet.log"))
|
|
os.environ.setdefault("DECNET_INGEST_LOG_FILE", os.path.join(_TEST_LOG_DIR, "decnet.log"))
|
|
os.environ.setdefault("DECNET_AGENT_LOG_FILE", os.path.join(_TEST_LOG_DIR, "agent.log"))
|
|
|
|
os.environ["DECNET_JWT_SECRET"] = "stable-test-secret-key-at-least-32-chars-long"
|
|
os.environ["DECNET_ADMIN_PASSWORD"] = "test-password-123"
|
|
os.environ["DECNET_DEVELOPER"] = "true"
|
|
os.environ["DECNET_DEVELOPER_TRACING"] = "false"
|
|
os.environ["DECNET_DB_TYPE"] = "sqlite"
|
|
|
|
# GeoIP enrichment is offline-by-design (RIR delegated-stats) but the
|
|
# first access triggers a background file fetch. Unit tests must never
|
|
# hit the network and don't care about country codes — disable
|
|
# enrichment globally. The geoip-specific tests re-enable it via
|
|
# monkeypatch + a temp DECNET_GEOIP_ROOT.
|
|
os.environ["DECNET_GEOIP_ENABLED"] = "false"
|
|
# Same posture for PTR resolution — tests that cover the resolver
|
|
# re-enable it explicitly via monkeypatch; everyone else gets the
|
|
# short-circuit (returns None without touching socket.gethostbyaddr).
|
|
os.environ["DECNET_PTR_ENABLED"] = "false"
|
|
|
|
import pytest
|
|
from typing import Any
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def standardize_auth_secret(monkeypatch: Any) -> None:
|
|
import decnet.web.auth
|
|
monkeypatch.setattr(decnet.web.auth, "SECRET_KEY", os.environ["DECNET_JWT_SECRET"])
|