anti
2f47f67eef
Replaces the opaque Bounty.bounty_type='credential' path with a
dedicated `credentials` table whose schema is forward-compatible
across every auth-bearing service in the fleet. Hoisted indexed
columns (secret_sha256, principal, service, attacker_ip) carry the
universal reuse-analytics signal; service-specific JSON keys ride
in `fields`. Cross-service reuse queries become an indexed lookup
on secret_sha256 instead of JSON_EXTRACT scans.
Schema decisions baked in (per ANTI):
- New `Credential` table, not extension to Bounty
- Hoisted `principal` column for cross-service principal-reuse
- Standardized JSON keys: every payload carries secret_b64 +
secret_printable + principal universally; service-specific extras
(user, domain, dn, mech, …) ride alongside
The auth-helper SD-block emits the new shape natively. The ingester
forks at _extract_bounty:
- Native shape (SSH/Telnet, future emitters): secret_b64 present →
direct upsert_credential
- Legacy shape (FTP/POP3/IMAP/SMTP today): username + password →
adapter synthesizes secret_{b64,sha256,printable} on the fly,
upserts into the same Credential table. Tracked as DEBT-039;
one-shot bridge until those service templates migrate.
Defense-in-depth across five layers (input validation):
- C helper: bytes outside [0x20, 0x7f) collapse to '?', RFC 5424
escape rules for \\, ", ]; b64 preserves exact bytes
- Ingester native branch: rejects malformed secret_b64 (regex), drops
the credential row but keeps the underlying Log
- Ingester legacy adapter: same printable-ASCII filter as the C
code; sha256 + b64 over the original utf-8 bytes (lossless, even
when secret_printable is sanitized)
- DB column caps with truncation warning; sha256 always over the
full pre-truncation bytes so reuse queries match across truncation
- JSON serialized with ensure_ascii=True so utf8mb4 columns stay
safe even with non-ASCII service-specific keys
Bounty.bounty_type='credential' is no longer written. Pre-v1: no
historical backfill; existing rows stay untouched but unused.
595 tests pass; new tests cover the model + repo (upsert dedup,
null-principal independence, cross-service reuse, filters), both
ingester branches, b64 validation, sanitization preserving the
fingerprinting signal in b64.
143 lines
4.6 KiB
Python
143 lines
4.6 KiB
Python
"""Credential model + repo tests — upsert, dedup, cross-service reuse."""
|
|
from __future__ import annotations
|
|
|
|
import hashlib
|
|
from pathlib import Path
|
|
|
|
import pytest
|
|
|
|
from decnet.web.db.factory import get_repository
|
|
|
|
|
|
@pytest.fixture
|
|
async def repo(tmp_path: Path):
|
|
r = get_repository(db_path=str(tmp_path / "creds.db"))
|
|
await r.initialize()
|
|
return r
|
|
|
|
|
|
def _sha256(s: str) -> str:
|
|
return hashlib.sha256(s.encode("utf-8")).hexdigest()
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_upsert_inserts_then_dedups(repo) -> None:
|
|
"""Same dedup tuple twice → one row, attempt_count=2."""
|
|
payload = {
|
|
"attacker_ip": "10.0.0.5",
|
|
"decky_name": "decky-01",
|
|
"service": "ssh",
|
|
"principal": "root",
|
|
"secret_sha256": _sha256("hunter2"),
|
|
"secret_b64": "aHVudGVyMg==",
|
|
"secret_printable": "hunter2",
|
|
"fields": {"user": "root"},
|
|
}
|
|
rid_a = await repo.upsert_credential(payload)
|
|
rid_b = await repo.upsert_credential(payload)
|
|
assert rid_a == rid_b
|
|
rows = await repo.get_credentials()
|
|
assert len(rows) == 1
|
|
assert rows[0]["attempt_count"] == 2
|
|
assert rows[0]["fields"] == {"user": "root"} # preserved
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_different_principal_creates_new_row(repo) -> None:
|
|
base = {
|
|
"attacker_ip": "10.0.0.5",
|
|
"decky_name": "decky-01",
|
|
"service": "ssh",
|
|
"secret_sha256": _sha256("hunter2"),
|
|
"secret_b64": "aHVudGVyMg==",
|
|
"secret_printable": "hunter2",
|
|
"fields": {},
|
|
}
|
|
await repo.upsert_credential({**base, "principal": "root"})
|
|
await repo.upsert_credential({**base, "principal": "admin"})
|
|
rows = await repo.get_credentials()
|
|
assert len(rows) == 2
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_null_principal_dedups_independently(repo) -> None:
|
|
"""principal=None and principal='root' are different keys."""
|
|
base = {
|
|
"attacker_ip": "10.0.0.5",
|
|
"decky_name": "decky-01",
|
|
"service": "ssh",
|
|
"secret_sha256": _sha256("hunter2"),
|
|
"secret_b64": "aHVudGVyMg==",
|
|
"secret_printable": "hunter2",
|
|
"fields": {},
|
|
}
|
|
await repo.upsert_credential({**base, "principal": None})
|
|
await repo.upsert_credential({**base, "principal": None}) # dedupes
|
|
await repo.upsert_credential({**base, "principal": "root"})
|
|
rows = await repo.get_credentials()
|
|
assert len(rows) == 2
|
|
null_row = next(r for r in rows if r["principal"] is None)
|
|
assert null_row["attempt_count"] == 2
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_cross_service_reuse_query(repo) -> None:
|
|
"""Same secret across SSH + FTP + SMTP → reuse query returns all three."""
|
|
secret = "hunter2"
|
|
sha = _sha256(secret)
|
|
services = [
|
|
("ssh", "decky-01", "root"),
|
|
("ftp", "decky-02", "anonymous"),
|
|
("smtp", "decky-03", "acme.com"),
|
|
]
|
|
for svc, decky, principal in services:
|
|
await repo.upsert_credential({
|
|
"attacker_ip": "10.0.0.5",
|
|
"decky_name": decky,
|
|
"service": svc,
|
|
"principal": principal,
|
|
"secret_sha256": sha,
|
|
"secret_b64": "aHVudGVyMg==",
|
|
"secret_printable": secret,
|
|
"fields": {},
|
|
})
|
|
reuse = await repo.get_credential_reuse(sha)
|
|
assert {r["service"] for r in reuse} == {"ssh", "ftp", "smtp"}
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_credentials_for_attacker(repo) -> None:
|
|
base = {
|
|
"decky_name": "decky-01",
|
|
"service": "ssh",
|
|
"principal": "root",
|
|
"secret_sha256": _sha256("hunter2"),
|
|
"secret_b64": "aHVudGVyMg==",
|
|
"secret_printable": "hunter2",
|
|
"fields": {},
|
|
}
|
|
await repo.upsert_credential({**base, "attacker_ip": "10.0.0.5"})
|
|
await repo.upsert_credential({**base, "attacker_ip": "10.0.0.6"})
|
|
rows = await repo.get_credentials_for_attacker("10.0.0.5")
|
|
assert len(rows) == 1
|
|
assert rows[0]["attacker_ip"] == "10.0.0.5"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_filters(repo) -> None:
|
|
base_secret = _sha256("a")
|
|
await repo.upsert_credential({
|
|
"attacker_ip": "10.0.0.5", "decky_name": "decky-01", "service": "ssh",
|
|
"principal": "root", "secret_sha256": base_secret,
|
|
"secret_printable": "a", "fields": {},
|
|
})
|
|
await repo.upsert_credential({
|
|
"attacker_ip": "10.0.0.5", "decky_name": "decky-01", "service": "ftp",
|
|
"principal": "root", "secret_sha256": base_secret,
|
|
"secret_printable": "a", "fields": {},
|
|
})
|
|
rows = await repo.get_credentials(service="ssh")
|
|
assert len(rows) == 1 and rows[0]["service"] == "ssh"
|
|
assert await repo.get_total_credentials(service="ssh") == 1
|
|
assert await repo.get_total_credentials() == 2
|