anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5f8149daeea52e70dcd779b63219ddfb262b9f4e
DECNET/tests/intel/test_attacker_intel_repo.py
anti 3eb67c9400 refactor(intel): re-key attacker_intel on attacker_uuid (closes DEBT-041) 
The threat-intel surface was IP-keyed on day one as an expedient — the
worker is woken by IP-bearing bus events. ANTI's call: don't carry that
debt. NO IPs as primary keys anywhere on the attacker-intel surface.

Schema:
- attacker_uuid is now the canonical key — UNIQUE + FK to attackers.uuid.
- attacker_ip stays as a denormalised, indexed, NON-UNIQUE value column.
  Updated on every upsert; useful for SIEM payloads and audit lookups,
  but explicitly NOT a key. Model docstring says so.
- Pre-v1, no Alembic migration needed. SQLModel.metadata.create_all()
  builds the new shape on fresh DBs.

Repo:
- upsert_attacker_intel now keys on attacker_uuid.
- get_attacker_intel_by_ip → get_attacker_intel_by_uuid.
- get_unenriched_attacker_ips → get_unenriched_attackers, returning
  [{uuid, ip}] tuples so the worker writes by UUID and dispatches
  provider calls by IP without a second round-trip.

Worker:
- _enrich_one(uuid, ip, ...) — UUID lands on the row, IP rides for
  provider egress.
- attacker.intel.enriched bus payload gains attacker_uuid alongside
  attacker_ip — webhook → SIEM consumers benefit; no removal.

API:
- GET /api/v1/attackers/{ip}/intel deleted outright (rip-and-replace,
  never deployed beyond dev).
- GET /api/v1/attackers/{uuid}/intel is the only public route, matching
  every other /attackers/* route.

Frontend:
- <IntelPanel uuid={id!} /> uses the URL param directly, fetches in
  parallel with the rest of AttackerDetail rather than waiting on
  attacker.ip.

Tests: re-keyed in place, 39 passed (same coverage as before the
refactor). Provider-impl tests untouched.

DEBT-041: closed in DEBT.md (entry preserved as historical rationale,
summary table flipped to , remaining-open list shortened by one).
2026-04-26 05:35:29 -04:00

130 lines
4.4 KiB
Python
Raw Blame History

"""
Round-trip tests for the ``attacker_intel`` table and its repo helpers.
Covers:
* empty-write upsert path (attacker_uuid as canonical key)
* per-provider partial update preserves untouched columns
* JSON-blob deserialization on read
* TTL bookkeeping (cached_at + expires_at) round-trips intact
* ``get_unenriched_attackers`` returns ``{"uuid", "ip"}`` pairs and
selects fresh + stale rows while skipping cached ones
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone
import pytest
from decnet.web.db.factory import get_repository
@pytest.fixture
async def repo(tmp_path):
r = get_repository(db_path=str(tmp_path / "attacker_intel.db"))
await r.initialize()
return r
async def _seed_attacker(repo, ip: str) -> str:
"""Seed an attackers row and return its UUID (the FK target)."""
now = datetime.now(timezone.utc)
return await repo.upsert_attacker(
{"ip": ip, "first_seen": now, "last_seen": now, "event_count": 1}
)
def _intel_payload(
*, attacker_uuid: str, ip: str, ttl_hours: int = 24, **overrides
) -> dict:
now = datetime.now(timezone.utc)
base = {
"attacker_uuid": attacker_uuid,
"attacker_ip": ip,
"cached_at": now,
"expires_at": now + timedelta(hours=ttl_hours),
}
base.update(overrides)
return base
@pytest.mark.anyio
async def test_empty_upsert_writes_minimal_row(repo):
a_uuid = await _seed_attacker(repo, "1.2.3.4")
row_uuid = await repo.upsert_attacker_intel(
_intel_payload(attacker_uuid=a_uuid, ip="1.2.3.4")
)
assert row_uuid
row = await repo.get_attacker_intel_by_uuid(a_uuid)
assert row is not None
assert row["attacker_uuid"] == a_uuid
assert row["attacker_ip"] == "1.2.3.4"
assert row["uuid"] == row_uuid
assert row["schema_version"] == 1
# All per-provider verdicts default to None.
assert row["greynoise_classification"] is None
assert row["abuseipdb_score"] is None
assert row["feodo_listed"] is None
assert row["threatfox_listed"] is None
assert row["aggregate_verdict"] is None
@pytest.mark.anyio
async def test_partial_provider_update_preserves_others(repo):
a_uuid = await _seed_attacker(repo, "9.9.9.9")
# First pass: GreyNoise responds, others lag.
first_uuid = await repo.upsert_attacker_intel(
_intel_payload(
attacker_uuid=a_uuid, ip="9.9.9.9",
greynoise_classification="malicious",
greynoise_raw='{"classification":"malicious"}',
greynoise_queried_at=datetime.now(timezone.utc),
)
)
# Second pass: AbuseIPDB lands. Re-upsert MUST NOT clobber GreyNoise
# columns — the worker passes only the new fields.
second_uuid = await repo.upsert_attacker_intel(
_intel_payload(
attacker_uuid=a_uuid, ip="9.9.9.9",
abuseipdb_score=85,
abuseipdb_raw='{"abuseConfidenceScore":85}',
abuseipdb_queried_at=datetime.now(timezone.utc),
)
)
assert first_uuid == second_uuid # same row keyed on attacker_uuid
row = await repo.get_attacker_intel_by_uuid(a_uuid)
assert row["greynoise_classification"] == "malicious"
assert row["greynoise_raw"] == {"classification": "malicious"}
assert row["abuseipdb_score"] == 85
assert row["abuseipdb_raw"] == {"abuseConfidenceScore": 85}
@pytest.mark.anyio
async def test_get_missing_returns_none(repo):
assert await repo.get_attacker_intel_by_uuid("nonexistent-uuid") is None
@pytest.mark.anyio
async def test_unenriched_returns_uuid_ip_pairs(repo):
fresh_uuid = await _seed_attacker(repo, "10.0.0.1")
stale_uuid = await _seed_attacker(repo, "10.0.0.2")
new_uuid = await _seed_attacker(repo, "10.0.0.3")
# 10.0.0.1 has fresh intel (not due for refresh).
await repo.upsert_attacker_intel(
_intel_payload(attacker_uuid=fresh_uuid, ip="10.0.0.1", ttl_hours=24)
)
# 10.0.0.2 has stale intel (already expired).
await repo.upsert_attacker_intel(
_intel_payload(attacker_uuid=stale_uuid, ip="10.0.0.2", ttl_hours=-1)
)
# 10.0.0.3 has no intel row at all.
pending = await repo.get_unenriched_attackers(limit=10)
by_uuid = {entry["uuid"]: entry["ip"] for entry in pending}
assert fresh_uuid not in by_uuid # fresh, skipped
assert by_uuid.get(stale_uuid) == "10.0.0.2" # stale, queue it
assert by_uuid.get(new_uuid) == "10.0.0.3" # never enriched
Reference in New Issue View Git Blame Copy Permalink