anti
3eb67c9400
The threat-intel surface was IP-keyed on day one as an expedient — the
worker is woken by IP-bearing bus events. ANTI's call: don't carry that
debt. NO IPs as primary keys anywhere on the attacker-intel surface.
Schema:
- attacker_uuid is now the canonical key — UNIQUE + FK to attackers.uuid.
- attacker_ip stays as a denormalised, indexed, NON-UNIQUE value column.
Updated on every upsert; useful for SIEM payloads and audit lookups,
but explicitly NOT a key. Model docstring says so.
- Pre-v1, no Alembic migration needed. SQLModel.metadata.create_all()
builds the new shape on fresh DBs.
Repo:
- upsert_attacker_intel now keys on attacker_uuid.
- get_attacker_intel_by_ip → get_attacker_intel_by_uuid.
- get_unenriched_attacker_ips → get_unenriched_attackers, returning
[{uuid, ip}] tuples so the worker writes by UUID and dispatches
provider calls by IP without a second round-trip.
Worker:
- _enrich_one(uuid, ip, ...) — UUID lands on the row, IP rides for
provider egress.
- attacker.intel.enriched bus payload gains attacker_uuid alongside
attacker_ip — webhook → SIEM consumers benefit; no removal.
API:
- GET /api/v1/attackers/{ip}/intel deleted outright (rip-and-replace,
never deployed beyond dev).
- GET /api/v1/attackers/{uuid}/intel is the only public route, matching
every other /attackers/* route.
Frontend:
- <IntelPanel uuid={id!} /> uses the URL param directly, fetches in
parallel with the rest of AttackerDetail rather than waiting on
attacker.ip.
Tests: re-keyed in place, 39 passed (same coverage as before the
refactor). Provider-impl tests untouched.
DEBT-041: closed in DEBT.md (entry preserved as historical rationale,
summary table flipped to ✅, remaining-open list shortened by one).
55 lines
1.7 KiB
Python
55 lines
1.7 KiB
Python
"""Tests for GET /api/v1/attackers/{uuid}/intel."""
|
|
from __future__ import annotations
|
|
|
|
from unittest.mock import AsyncMock, patch
|
|
|
|
import pytest
|
|
from fastapi import HTTPException
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_returns_cached_intel_row():
|
|
from decnet.web.router.attackers.api_get_attacker_intel import (
|
|
get_attacker_intel,
|
|
)
|
|
|
|
fake_row = {
|
|
"attacker_uuid": "att-uuid-xyz",
|
|
"attacker_ip": "1.2.3.4",
|
|
"aggregate_verdict": "malicious",
|
|
"greynoise_classification": "malicious",
|
|
"abuseipdb_score": 92,
|
|
"feodo_listed": True,
|
|
"threatfox_listed": False,
|
|
}
|
|
with patch(
|
|
"decnet.web.router.attackers.api_get_attacker_intel.repo"
|
|
) as mock_repo:
|
|
mock_repo.get_attacker_intel_by_uuid = AsyncMock(return_value=fake_row)
|
|
result = await get_attacker_intel(
|
|
uuid="att-uuid-xyz",
|
|
user={"uuid": "viewer", "role": "viewer"},
|
|
)
|
|
assert result["attacker_uuid"] == "att-uuid-xyz"
|
|
assert result["aggregate_verdict"] == "malicious"
|
|
assert result["abuseipdb_score"] == 92
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_404_when_no_row_cached():
|
|
from decnet.web.router.attackers.api_get_attacker_intel import (
|
|
get_attacker_intel,
|
|
)
|
|
|
|
with patch(
|
|
"decnet.web.router.attackers.api_get_attacker_intel.repo"
|
|
) as mock_repo:
|
|
mock_repo.get_attacker_intel_by_uuid = AsyncMock(return_value=None)
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
await get_attacker_intel(
|
|
uuid="missing-uuid",
|
|
user={"uuid": "viewer", "role": "viewer"},
|
|
)
|
|
assert excinfo.value.status_code == 404
|
|
assert "No intel cached" in excinfo.value.detail
|