anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6b16c844b69712f301661e6eb69081a8b579c6e7
DECNET/tests/services/test_cred_emitters.py
anti 6b16c844b6 fix(creds): MQTT regression + secret_kind for hash credentials 
Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.
2026-04-25 06:16:57 -04:00

247 lines
9.1 KiB
Python
Raw Blame History

"""Per-service credential-emitter integration tests.
Each test simulates the SD-block a migrated emitter produces, hands it
to the ingester, and asserts the resulting Credential row carries the
universal shape (principal + secret_sha256 + secret_b64 + outcome).
Closes the silent-loss bug for Redis (no username) and LDAP (dn-keyed)
by exercising the full ingester native-shape path for each.
"""
from __future__ import annotations
import base64
import hashlib
from unittest.mock import AsyncMock, MagicMock
import pytest
def _native_log(service: str, *, principal: str | None, password: str,
outcome: str | None = None, extra: dict | None = None) -> dict:
"""Build a parsed-log dict in the shape `_extract_bounty` consumes,
matching what a migrated emitter writes to the wire."""
raw = password.encode("utf-8", errors="replace")
fields: dict[str, str] = {
"secret_b64": base64.b64encode(raw).decode("ascii"),
"secret_printable": "".join(
chr(b) if 0x20 <= b < 0x7f else "?" for b in raw
),
}
if principal is not None:
fields["principal"] = principal
if outcome is not None:
fields["outcome"] = outcome
if extra:
fields.update(extra)
return {
"decky": "decky-01",
"service": service,
"attacker_ip": "10.0.0.5",
"fields": fields,
}
@pytest.mark.asyncio
async def test_ftp_native_shape():
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"ftp", principal="anonymous", password="test@example.com",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "ftp"
assert cred["principal"] == "anonymous"
assert cred["secret_sha256"] == hashlib.sha256(b"test@example.com").hexdigest()
@pytest.mark.asyncio
async def test_pop3_outcome_mapped():
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"pop3", principal="alice", password="hunter2", outcome="failure",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "pop3"
assert cred["outcome"] == "failure"
@pytest.mark.asyncio
async def test_imap_native_shape():
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"imap", principal="bob", password="letmein", outcome="success",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["principal"] == "bob"
assert cred["outcome"] == "success"
@pytest.mark.asyncio
async def test_smtp_auth_native_shape():
"""SMTP AUTH PLAIN/LOGIN — principal=SASL username."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"smtp", principal="postmaster@acme.com", password="abc123",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "smtp"
assert cred["principal"] == "postmaster@acme.com"
@pytest.mark.asyncio
async def test_smtp_mail_from_is_not_a_credential():
"""`event_type=mail_from` must NOT trigger a credential write —
even if the SD-block carries a `domain` field, no `secret_b64`
means the native branch never fires and the legacy branch needs
a `password` it'll never see for this event."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
repo.add_bounty = AsyncMock()
log_data = {
"decky": "decky-01",
"service": "smtp",
"attacker_ip": "10.0.0.5",
"fields": {
"value": "<spoof@evil.com>",
"mail_from": "spoof@evil.com",
"domain": "evil.com",
},
}
await _extract_bounty(repo, log_data)
repo.upsert_credential.assert_not_awaited()
@pytest.mark.asyncio
async def test_redis_principal_none_lands():
"""Redis legacy AUTH `<password>` — no username, principal stays
None. This was silently dropped by the legacy adapter pre-migration."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"redis", principal=None, password="hunter2",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "redis"
assert cred["principal"] is None
assert cred["secret_sha256"] == hashlib.sha256(b"hunter2").hexdigest()
@pytest.mark.asyncio
async def test_redis_acl_two_arg_principal_present():
"""Redis 6+ `AUTH <user> <pw>` — principal carries the ACL user."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"redis", principal="default", password="hunter2",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["principal"] == "default"
@pytest.mark.asyncio
async def test_ldap_principal_is_dn():
"""LDAP bind — the DN itself is the principal."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"ldap", principal="cn=admin,dc=acme,dc=com", password="rootpw",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "ldap"
assert cred["principal"] == "cn=admin,dc=acme,dc=com"
@pytest.mark.asyncio
async def test_mqtt_native_shape():
"""MQTT CONNECT — username + password decoded from the wire,
emitted as principal + secret_b64. Was silently dropped between
Phase 3 (legacy adapter removed) and the MQTT migration commit."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
await _extract_bounty(repo, _native_log(
"mqtt", principal="iotuser", password="iotpass",
))
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "mqtt"
assert cred["principal"] == "iotuser"
assert cred["secret_sha256"] == hashlib.sha256(b"iotpass").hexdigest()
@pytest.mark.asyncio
async def test_postgres_hash_credential():
"""Postgres MD5 challenge-response — plaintext irrecoverable, lands
as secret_kind=postgres_md5_challenge with the raw hash bytes."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
pw_hash = "md5" + "ab" * 16 # 32 hex chars after the "md5" prefix
raw = bytes.fromhex("ab" * 16)
log_data = {
"decky": "decky-01",
"service": "postgres",
"attacker_ip": "10.0.0.5",
"fields": {
"username": "postgres",
"principal": "postgres",
"pw_hash": pw_hash,
"secret_kind": "postgres_md5_challenge",
"secret_printable": pw_hash,
"secret_b64": base64.b64encode(raw).decode("ascii"),
},
}
await _extract_bounty(repo, log_data)
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "postgres"
assert cred["secret_kind"] == "postgres_md5_challenge"
assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
@pytest.mark.asyncio
async def test_vnc_hash_credential():
"""VNC DES-encrypted challenge response — same shape, different kind."""
from decnet.web.ingester import _extract_bounty
repo = MagicMock(); repo.upsert_credential = AsyncMock()
raw = bytes(range(16))
log_data = {
"decky": "decky-01",
"service": "vnc",
"attacker_ip": "10.0.0.5",
"fields": {
"response": raw.hex(),
"secret_kind": "vnc_des_response",
"secret_printable": raw.hex(),
"secret_b64": base64.b64encode(raw).decode("ascii"),
},
}
await _extract_bounty(repo, log_data)
cred = repo.upsert_credential.call_args[0][0]
assert cred["service"] == "vnc"
assert cred["secret_kind"] == "vnc_des_response"
assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
@pytest.mark.asyncio
async def test_lossless_b64_survives_nonprintable_password():
"""Even when secret_printable is sanitized, secret_b64 still decodes
to the original bytes — the cross-service reuse hash matches across
sanitized and non-sanitized representations."""
from decnet.web.ingester import _extract_bounty
raw = b"\x1b[31mbad\xff\x00trail"
repo = MagicMock(); repo.upsert_credential = AsyncMock()
log_data = {
"decky": "decky-01",
"service": "ftp",
"attacker_ip": "10.0.0.5",
"fields": {
"principal": "user",
"secret_printable": "?[31mbad??trail",
"secret_b64": base64.b64encode(raw).decode("ascii"),
},
}
await _extract_bounty(repo, log_data)
cred = repo.upsert_credential.call_args[0][0]
assert base64.b64decode(cred["secret_b64"]) == raw
assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
Reference in New Issue View Git Blame Copy Permalink