DECNET/tests/collector/test_session_aggregator.py
anti b043c96d29 feat(collector): publish attacker.session.ended on session_recorded events
The TTP worker subscribes to attacker.session.ended but no upstream
component published it — the rule pack (R0001–R0030) therefore never
fired on live SSH traffic even after the consume-side wiring landed
in E.3.18a/b/c.

The collector now hosts a per-attacker_ip command index
(_SessionAggregator) that watches the same parsed-event stream as
_publish_log. Shell `command` events are appended to a per-IP list;
on `session_recorded` the aggregator slices the list to commands
inside the [ended_at - duration_s, ended_at] window and publishes
attacker.session.ended with the session metadata + commands list.
The TTP worker's _build_events fan-out (E.3.18b) turns each command
into a source_kind="command" TaggerEvent that the RuleEngineTagger
(E.3.18c) matches against R0001–R0030.

Memory bound: per-IP entries TTL-evict at DECNET_COLLECTOR_SESSION_AGG_TTL_SEC
(default 3600 s). Publish failures are swallowed in the aggregator —
a misbehaving bus cannot stall the per-container stream threads.
2026-05-02 02:35:08 -04:00


"""Collector session aggregator emits ``attacker.session.ended``.
Pins the producer-side fix that closes the gap surfaced in TTP
debugging: the TTP worker subscribes to ``attacker.session.ended`` but
no upstream component published it. The aggregator indexes shell
``command`` events per attacker_ip and emits one envelope per
``session_recorded`` event with the commands that fall inside the
session window.
"""
from __future__ import annotations
from typing import Any
import pytest
from decnet.bus import topics as _topics
from decnet.collector.worker import _SessionAggregator
# Source address stamped on every synthetic event in this module. A private
# (RFC 1918) address, so no fixture ever names a routable host.
_ATTACKER_IP = "192.168.1.5"
def _cmd(ts_iso: str, text: str) -> dict[str, Any]:
    """Build a parsed shell ``command`` event attributed to ``_ATTACKER_IP``.

    ``ts_iso`` is the event timestamp as an ISO-8601 string and ``text`` the
    command line exactly as the decky logged it. The result mimics the
    parsed-event dict the aggregator consumes via ``add_event``.
    """
    fields = {"command": text, "src": _ATTACKER_IP}
    event: dict[str, Any] = {
        "timestamp": ts_iso,
        "decky": "SRV-DELTA-77",
        "service": "bash",
        "event_type": "command",
        "attacker_ip": _ATTACKER_IP,
        "fields": fields,
    }
    return event
def _session_recorded(
    ts_iso: str, sid: str, duration_s: float = 60.0,
) -> dict[str, Any]:
    """Build a parsed ``session_recorded`` event for ``_ATTACKER_IP``.

    ``ts_iso`` is the moment the session ended, ``sid`` the recorder's
    session id (empty string means "no sid") and ``duration_s`` the session
    length. ``duration_s`` is carried in ``fields`` as a *string*, the way
    it arrives from the log parser; the aggregator is expected to turn it
    back into a float (see the emission tests below).
    """
    fields = {
        "sid": sid,
        "service": "ssh",
        "duration_s": str(duration_s),
        "src_ip": _ATTACKER_IP,
    }
    event: dict[str, Any] = {
        "timestamp": ts_iso,
        "decky": "omega-decky",
        "service": "sessrec",
        "event_type": "session_recorded",
        "attacker_ip": _ATTACKER_IP,
        "fields": fields,
    }
    return event
@pytest.fixture
def captured_publishes() -> list[tuple[str, dict[str, Any], str]]:
    """Sink that collects every (topic, payload, event_type) the aggregator publishes."""
    sink: list[tuple[str, dict[str, Any], str]] = []
    return sink
@pytest.fixture
def aggregator(
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> _SessionAggregator:
    """Aggregator whose publish callback appends to ``captured_publishes``.

    Uses a one-hour TTL so that no command in these tests is evicted
    before the session that should pick it up arrives.
    """
    def _record(topic: str, payload: dict[str, Any], event_type: str) -> None:
        captured_publishes.append((topic, payload, event_type))

    return _SessionAggregator(_record, ttl_sec=3600.0)
# ── Indexing ────────────────────────────────────────────────────────
def test_command_events_are_indexed_per_attacker_ip(
    aggregator: _SessionAggregator,
) -> None:
    """Two ``command`` events from one IP land in that IP's command list."""
    for ts_iso, text in (
        ("2026-05-02T06:22:48", "whoami"),
        ("2026-05-02T06:22:50", "id"),
    ):
        aggregator.add_event(_cmd(ts_iso, text))
    # Reaches into the private ``_cmds`` index: nothing in this file shows a
    # public accessor for the per-IP list.
    assert len(aggregator._cmds[_ATTACKER_IP]) == 2
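def test_unknown_attacker_ip_is_ignored(
    aggregator: _SessionAggregator,
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> None:
    """A ``command`` carrying the ``"Unknown"`` attacker_ip sentinel is dropped.

    Nothing is indexed and nothing is published: an event the collector
    could not attribute must not be folded into any IP's session window.
    """
    bad = _cmd("2026-05-02T06:22:48", "whoami")
    bad["attacker_ip"] = "Unknown"
    aggregator.add_event(bad)
    assert aggregator._cmds == {}
    # A dropped event must not reach the bus either.
    assert captured_publishes == []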
def test_unparseable_timestamp_is_skipped(
    aggregator: _SessionAggregator,
) -> None:
    """A ``command`` whose timestamp cannot be parsed is not indexed at all."""
    garbled = _cmd("not-a-timestamp", "whoami")
    aggregator.add_event(garbled)
    # The per-IP index stays empty rather than holding an undated entry.
    assert not aggregator._cmds
    assert aggregator._cmds == {}
# ── Session emission ────────────────────────────────────────────────
def test_session_recorded_emits_attacker_session_ended(
    aggregator: _SessionAggregator,
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> None:
    """One ``session_recorded`` event yields one ``attacker.session.ended`` envelope.

    The envelope carries the session metadata and every indexed command
    inside the session window, each with a ``<sid>#<n>`` id.
    """
    commands = (
        ("2026-05-02T06:22:48", "whoami"),
        ("2026-05-02T06:23:00", "id"),
        ("2026-05-02T06:23:10", "uname -a"),
    )
    for ts_iso, text in commands:
        aggregator.add_event(_cmd(ts_iso, text))
    # A 120 s session ending at 06:23:30 spans all three commands.
    aggregator.add_event(_session_recorded(
        "2026-05-02T06:23:30", sid="sess-123", duration_s=120.0,
    ))

    assert len(captured_publishes) == 1
    topic, payload, event_type = captured_publishes[0]
    assert topic == _topics.attacker(_topics.ATTACKER_SESSION_ENDED)
    assert event_type == _topics.ATTACKER_SESSION_ENDED

    expected_meta = {
        "session_id": "sess-123",
        "attacker_ip": _ATTACKER_IP,
        "decky_id": "omega-decky",
        "service": "ssh",
        # duration_s arrives as the string "120.0" and comes out as a float.
        "duration_s": 120.0,
    }
    for key, want in expected_meta.items():
        assert payload[key] == want, key

    # Commands keep arrival order and are numbered from 0 under the sid.
    got = [(c["id"], c["command_text"]) for c in payload["commands"]]
    assert got == [
        ("sess-123#0", "whoami"),
        ("sess-123#1", "id"),
        ("sess-123#2", "uname -a"),
    ]
def test_commands_outside_session_window_are_excluded(
    aggregator: _SessionAggregator,
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> None:
    """Only commands inside ``[ended_at - duration_s, ended_at]`` are emitted."""
    stale = "older-than-window"
    fresh = "whoami"
    # 06:13:00 is ten minutes before a 60 s session ending at 06:23:00,
    # so it falls outside the window; 06:22:50 is inside it.
    aggregator.add_event(_cmd("2026-05-02T06:13:00", stale))
    aggregator.add_event(_cmd("2026-05-02T06:22:50", fresh))
    aggregator.add_event(_session_recorded(
        "2026-05-02T06:23:00", sid="s1", duration_s=60.0,
    ))

    _, payload, _ = captured_publishes[0]
    emitted = {c["command_text"] for c in payload["commands"]}
    assert fresh in emitted
    assert stale not in emitted
def test_back_to_back_sessions_emit_distinct_envelopes(
    aggregator: _SessionAggregator,
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> None:
    """Two sessions from the same IP produce two envelopes, each with its own window."""
    # Session 1: one command, ends 06:23:00, 60 s window.
    aggregator.add_event(_cmd("2026-05-02T06:22:50", "whoami"))
    aggregator.add_event(_session_recorded(
        "2026-05-02T06:23:00", sid="s1", duration_s=60.0,
    ))
    # Session 2: one command seven minutes later, ends 06:30:30, 60 s window.
    aggregator.add_event(_cmd("2026-05-02T06:30:00", "ls"))
    aggregator.add_event(_session_recorded(
        "2026-05-02T06:30:30", sid="s2", duration_s=60.0,
    ))

    assert len(captured_publishes) == 2
    payloads = [entry[1] for entry in captured_publishes]
    assert [p["session_id"] for p in payloads] == ["s1", "s2"]
    # "whoami" (06:22:50) is well outside s2's 60 s window, so only "ls"
    # is attributed to the second session.
    second = payloads[1]
    assert [c["command_text"] for c in second["commands"]] == ["ls"]
def test_session_without_sid_falls_back_to_synthetic_id(
    aggregator: _SessionAggregator,
    captured_publishes: list[tuple[str, dict[str, Any], str]],
) -> None:
    """An empty sid yields ``session_id is None`` and IP+timestamp command ids.

    Without a recorder sid the command id cannot be ``<sid>#<n>``; the
    aggregator falls back to a prefix built from the attacker IP and the
    command's own timestamp.
    """
    cmd_ts = "2026-05-02T06:22:50"
    aggregator.add_event(_cmd(cmd_ts, "whoami"))
    # ``sid=""`` already leaves ``fields["sid"]`` empty.
    aggregator.add_event(
        _session_recorded("2026-05-02T06:23:00", sid="", duration_s=60.0),
    )

    _, payload, _ = captured_publishes[0]
    assert payload["session_id"] is None
    first_cmd = payload["commands"][0]
    assert first_cmd["id"].startswith(f"{_ATTACKER_IP}-{cmd_ts}")
# ── TTL eviction ────────────────────────────────────────────────────
def test_ttl_eviction_drops_old_commands() -> None:
    """A command older than ``ttl_sec`` is evicted when a newer one arrives.

    Eviction here is driven by the *event* timestamps (30 s apart against a
    10 s TTL), not by wall-clock time. NOTE(review): whether an IP that goes
    silent is ever evicted without a newer event is not exercised in this
    file — confirm against the aggregator.
    """
    sink: list[tuple[str, dict[str, Any], str]] = []

    def _collect(topic: str, payload: dict[str, Any], event_type: str) -> None:
        sink.append((topic, payload, event_type))

    agg = _SessionAggregator(_collect, ttl_sec=10.0)
    agg.add_event(_cmd("2026-05-02T06:00:00", "old"))
    agg.add_event(_cmd("2026-05-02T06:00:30", "fresh"))

    # The index holds (timestamp, event) pairs; pull the command text back out.
    surviving = []
    for _, event in agg._cmds[_ATTACKER_IP]:
        surviving.append(event.get("fields", {}).get("command"))
    assert surviving == ["fresh"]
def test_publish_failure_is_swallowed() -> None:
    """A publish callback that raises must not propagate out of ``add_event``.

    The aggregator runs on the per-container stream threads; a failing bus
    has to be contained there rather than killing the stream.
    """
    def _exploding_bus(_t: str, _p: dict[str, Any], _e: str) -> None:
        raise RuntimeError("bus exploded")

    agg = _SessionAggregator(_exploding_bus, ttl_sec=3600.0)
    agg.add_event(_cmd("2026-05-02T06:22:50", "whoami"))
    # The session_recorded event triggers the publish; add_event must return
    # normally even though the callback raises.
    ended = _session_recorded("2026-05-02T06:23:00", sid="s1")
    agg.add_event(ended)