anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0fe9f895d0475b2fa1876790634ca696816dc2aa
DECNET/tests/canary/test_fingerprint_generators.py
anti b26dd8f529 feat(canary): API-trashing defense — 4-layer fingerprint validation 
Adds per-mint nonce gating, structural shape validation, mint UUID
consistency checks, and a per-(token, IP) rate limiter to the canary
worker so attackers who extract a canary from a decky filesystem cannot
poison fingerprint forensics by replaying or forging ?d= submissions.

Changes:

base.py
  fingerprint_nonce: Optional[str] added to CanaryArtifact so generators
  can surface the nonce to the cultivator without coupling the generator
  directly to DB code.

obfuscator.py
  nonce_for(callback_token, mint_uuid): HMAC-SHA256 keyed on
  DECNET_CANARY_FINGERPRINT_SECRET, truncated to 16 hex chars.
  FingerprintSecretMissing raised at mint time if env var is unset.
  render_fingerprint_js() now accepts nonce= and substitutes MINT_NONCE.

fingerprint_payload.js
  New MINT_NONCE placeholder. Appended as &k= on all beacon URLs (bare-open,
  single-shot, chunked). Using &k= avoids colliding with &n= (chunk total).

fingerprint_html.py / fingerprint_svg.py
  Derive nonce via nonce_for() and pass to render_fingerprint_js(). Set
  artifact.fingerprint_nonce so the cultivator can persist it.

cultivator.py
  Passes fingerprint_nonce into create_canary_token() when present on the
  artifact; NULL for all non-fingerprint generators.

canary.py (model)
  fingerprint_nonce: Optional[str] = Field(default=None, max_length=16)
  added to CanaryToken. None for non-fingerprint tokens.

worker.py
  _extract_fingerprint now returns (meta_dict, parsed_fp) tuple.
  _record_hit accepts parsed_fp + raw_nonce and runs 4 layers after
  token lookup: nonce match, shape check, mint UUID consistency, rate limit.
  Each failure sets _fp_invalid_* flag and drops structured _fp.
  Trigger row always lands regardless.

tests/canary/conftest.py
  Session-scoped autouse fixture sets DECNET_CANARY_FINGERPRINT_SECRET so
  fingerprint generator and worker tests work offline.

tests
  5 new worker HTTP tests and 2 new generator tests covering each
  validation layer.
2026-04-29 17:41:04 -04:00

125 lines
4.7 KiB
Python
Raw Blame History

"""Tests for the HTML/SVG fingerprint canary generators.
Skipped when the Node toolchain (or vendored javascript-obfuscator) is
not installed, mirroring :mod:`tests.canary.test_obfuscator`.
"""
from __future__ import annotations
import shutil
from pathlib import Path
import pytest
from decnet.canary import CanaryContext, get_generator
def _toolchain_ready() -> bool:
if shutil.which("node") is None:
return False
canary_dir = Path(__file__).resolve().parents[2] / "decnet" / "canary"
return (canary_dir / "node_modules" / "javascript-obfuscator").is_dir()
pytestmark = pytest.mark.skipif(
not _toolchain_ready(),
reason="node + javascript-obfuscator not installed under decnet/canary",
)
def _ctx(callback_token: str = "fp-tok-123") -> CanaryContext:
return CanaryContext(
callback_token=callback_token,
http_base="https://canary.example.test",
dns_zone="canary.example.test",
persona="linux",
)
def test_fingerprint_html_renders_full_page() -> None:
art = get_generator("fingerprint_html").generate(_ctx())
body = art.content.decode("utf-8")
assert body.startswith("<!DOCTYPE html>")
assert "<script>" in body and "</script>" in body
assert "Internal Asset Directory" in body
assert "<table>" in body
# Beacon URL must NOT appear in plaintext — it's inside the
# obfuscated string array. (Sanity: this is the whole point of
# obfuscating the payload.)
assert "/c/fp-tok-123" not in body
# Visible content shouldn't leak the slug either.
assert "fp-tok-123" not in body
assert art.mode == 0o644
assert art.generator == "fingerprint_html"
def test_fingerprint_html_is_deterministic_per_token() -> None:
a = get_generator("fingerprint_html").generate(_ctx("tokA"))
b = get_generator("fingerprint_html").generate(_ctx("tokA"))
assert a.content == b.content
def test_fingerprint_html_differs_across_tokens() -> None:
a = get_generator("fingerprint_html").generate(_ctx("tokA"))
b = get_generator("fingerprint_html").generate(_ctx("tokB"))
assert a.content != b.content
def test_fingerprint_html_notes_carry_mint_uuid_and_beacon() -> None:
art = get_generator("fingerprint_html").generate(_ctx("tok-notes"))
joined = " | ".join(art.notes)
assert "mint_uuid=" in joined
assert "https://canary.example.test/c/tok-notes" in joined
def test_fingerprint_svg_renders_valid_svg_with_script() -> None:
art = get_generator("fingerprint_svg").generate(_ctx())
body = art.content.decode("utf-8")
assert body.startswith("<?xml version=\"1.0\"")
assert "<svg" in body and "</svg>" in body
assert "<script" in body and "<![CDATA[" in body
assert art.mode == 0o644
assert art.generator == "fingerprint_svg"
def test_fingerprint_svg_is_deterministic_per_token() -> None:
a = get_generator("fingerprint_svg").generate(_ctx("svgTokA"))
b = get_generator("fingerprint_svg").generate(_ctx("svgTokA"))
assert a.content == b.content
def test_fingerprint_svg_differs_across_tokens() -> None:
a = get_generator("fingerprint_svg").generate(_ctx("svgTokA"))
b = get_generator("fingerprint_svg").generate(_ctx("svgTokB"))
assert a.content != b.content
def test_mint_uuid_stable_across_html_and_svg() -> None:
# Same callback token → same mint UUID across both generators, so
# the worker can correlate beacons regardless of artifact shape.
html = get_generator("fingerprint_html").generate(_ctx("shared-tok"))
svg = get_generator("fingerprint_svg").generate(_ctx("shared-tok"))
html_uuid = next(n for n in html.notes if n.startswith("mint_uuid="))
svg_uuid = next(n for n in svg.notes if n.startswith("mint_uuid="))
assert html_uuid == svg_uuid
def test_fingerprint_html_nonce_populated_and_matches_hmac() -> None:
"""Artifact carries ``fingerprint_nonce`` matching HMAC derivation."""
import uuid as _uuid
from decnet.canary.obfuscator import nonce_for
art = get_generator("fingerprint_html").generate(_ctx("nonce-tok"))
assert art.fingerprint_nonce is not None
assert len(art.fingerprint_nonce) == 16
_MINT_NS = _uuid.UUID("a3f7c821-9d1e-4b6a-8c2d-1e4f9a7b3c5d")
expected_mint = str(_uuid.uuid5(_MINT_NS, "nonce-tok"))
expected_nonce = nonce_for("nonce-tok", expected_mint)
assert art.fingerprint_nonce == expected_nonce
def test_fingerprint_svg_nonce_matches_html_for_same_token() -> None:
"""Both generators derive the same nonce for the same callback token."""
html = get_generator("fingerprint_html").generate(_ctx("nonce-tok2"))
svg = get_generator("fingerprint_svg").generate(_ctx("nonce-tok2"))
assert html.fingerprint_nonce == svg.fingerprint_nonce
Reference in New Issue View Git Blame Copy Permalink