anti
c4e29e3bf9
The collector's `attacker.session.ended` envelope carries
`attacker_uuid: null` and `attacker_ip: <ip>` because the collector
doesn't talk to the DB. The TTP worker passed that null straight
through, and `TTPTag.__init__` raised the documented invariant:
ValueError: ttp_tag requires at least one of attacker_uuid /
identity_uuid; both NULL is not a valid anchor.
The worker now resolves `attacker_uuid` from `attacker_ip` via
`BaseRepository.get_attacker_uuid_by_ip` before fanning out the
event. When the IP isn't in the DB yet (profiler hasn't ingested
the row), the event is dropped with one log line — better than
exploding mid-tag.
- New `get_attacker_uuid_by_ip(ip) -> str | None` on the repo
(BaseRepository abstract + AttackersCoreMixin impl).
- `_resolve_attacker_uuid` helper in `decnet/ttp/worker.py` runs
before `_build_events`. Short-circuits when the payload already
has either anchor; drops the event when neither anchor is
resolvable.
- Tests pin: short-circuit on existing uuid/identity, repo lookup,
drop on unknown IP, drop on "Unknown" sentinel, drop on
no-anchor payload, drop on repo failure.
103 lines
3.5 KiB
Python
103 lines
3.5 KiB
Python
"""TTP worker resolves ``attacker_uuid`` from ``attacker_ip`` per repo lookup.
|
|
|
|
The collector publishes ``attacker.session.ended`` with
|
|
``attacker_uuid: null`` because it doesn't talk to the DB.
|
|
:class:`TTPTag` rejects rows whose ``attacker_uuid`` AND
|
|
``identity_uuid`` are both NULL — so the worker must resolve via
|
|
:meth:`BaseRepository.get_attacker_uuid_by_ip` before fanning the
|
|
event out, and drop the event entirely when no anchor can be set.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from typing import Any
|
|
|
|
import pytest
|
|
|
|
from decnet.ttp.worker import _resolve_attacker_uuid
|
|
|
|
|
|
class _FakeRepo:
|
|
def __init__(self, mapping: dict[str, str | None]) -> None:
|
|
self._mapping = mapping
|
|
self.calls: list[str] = []
|
|
|
|
async def get_attacker_uuid_by_ip(self, ip: str) -> str | None:
|
|
self.calls.append(ip)
|
|
return self._mapping.get(ip)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_with_attacker_uuid_is_returned_unchanged() -> None:
|
|
repo = _FakeRepo({})
|
|
payload = {"attacker_uuid": "att-1", "attacker_ip": "1.2.3.4"}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is payload # short-circuit, no DB lookup
|
|
assert repo.calls == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_with_identity_uuid_is_returned_unchanged() -> None:
|
|
repo = _FakeRepo({})
|
|
payload = {"identity_uuid": "id-1", "attacker_ip": "1.2.3.4"}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is payload
|
|
assert repo.calls == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_resolves_uuid_via_attacker_ip() -> None:
|
|
repo = _FakeRepo({"192.168.1.5": "att-7"})
|
|
payload: dict[str, Any] = {
|
|
"attacker_ip": "192.168.1.5",
|
|
"session_id": "sess-1",
|
|
"commands": [{"command_text": "whoami"}],
|
|
}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is not None
|
|
assert out["attacker_uuid"] == "att-7"
|
|
assert out["attacker_ip"] == "192.168.1.5"
|
|
# Other fields preserved.
|
|
assert out["session_id"] == "sess-1"
|
|
assert repo.calls == ["192.168.1.5"]
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_dropped_when_ip_unknown_to_repo() -> None:
|
|
"""Profiler hasn't seen this IP yet → no Attacker row → drop."""
|
|
repo = _FakeRepo({})
|
|
payload = {"attacker_ip": "10.0.0.99"}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is None
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_dropped_when_no_anchor_fields_present() -> None:
|
|
repo = _FakeRepo({})
|
|
payload: dict[str, Any] = {"foo": "bar"}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is None
|
|
assert repo.calls == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_dropped_when_attacker_ip_is_unknown_sentinel() -> None:
|
|
repo = _FakeRepo({"Unknown": "should-not-resolve"})
|
|
payload = {"attacker_ip": "Unknown"}
|
|
out = await _resolve_attacker_uuid(repo, payload) # type: ignore[arg-type]
|
|
assert out is None
|
|
# We must not even ask the repo about the literal "Unknown" sentinel.
|
|
assert repo.calls == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_payload_dropped_when_repo_lookup_raises() -> None:
|
|
class _RaisingRepo:
|
|
async def get_attacker_uuid_by_ip(self, _ip: str) -> str | None:
|
|
raise RuntimeError("db gone")
|
|
|
|
out = await _resolve_attacker_uuid(
|
|
_RaisingRepo(), # type: ignore[arg-type]
|
|
{"attacker_ip": "1.2.3.4"},
|
|
)
|
|
assert out is None
|