223 lines
9.3 KiB
Python
223 lines
9.3 KiB
Python
"""Log / Bounty / Credential / State tables + their list-response DTOs."""
|
||
from datetime import datetime, timezone
|
||
from typing import Any, List, Optional
|
||
|
||
from pydantic import BaseModel
|
||
from sqlalchemy import Column, Index, Text, UniqueConstraint
|
||
from sqlmodel import Field, SQLModel
|
||
|
||
from ._base import _BIG_TEXT
|
||
|
||
|
||
class Log(SQLModel, table=True):
    # ORM mapping for the ``logs`` table: an auto-assigned integer key, a
    # UTC timestamp, four indexed string columns used for filtering, the
    # TEXT payload columns, and optional OTEL trace identifiers.
    __tablename__ = "logs"

    id: Optional[int] = Field(primary_key=True, default=None)
    # Filled with the current UTC time when the caller supplies no value.
    timestamp: datetime = Field(
        index=True,
        default_factory=lambda: datetime.now(tz=timezone.utc),
    )
    decky: str = Field(index=True)
    service: str = Field(index=True)
    event_type: str = Field(index=True)
    attacker_ip: str = Field(index=True)

    # Long-text columns are declared as explicit TEXT so that MySQL DDL
    # does not fall back to VARCHAR(255) and truncate them. On SQLite,
    # TEXT is simply plain text.
    raw_line: str = Field(sa_column=Column("raw_line", Text, nullable=False))
    fields: str = Field(sa_column=Column("fields", Text, nullable=False))
    msg: Optional[str] = Field(
        sa_column=Column("msg", Text, nullable=True),
        default=None,
    )

    # OTEL trace context: links the collector→ingester trace to the SSE
    # read path. Both columns are nullable, so rows written before they
    # existed and deployments without tracing are unaffected.
    trace_id: Optional[str] = Field(default=None)
    span_id: Optional[str] = Field(default=None)
|
||
|
||
|
||
class Bounty(SQLModel, table=True):
    # ORM mapping for the ``bounty`` table: an auto-assigned integer key,
    # a UTC timestamp, four indexed string columns, and a TEXT payload.
    __tablename__ = "bounty"

    id: Optional[int] = Field(primary_key=True, default=None)
    # Filled with the current UTC time when the caller supplies no value.
    timestamp: datetime = Field(
        index=True,
        default_factory=lambda: datetime.now(tz=timezone.utc),
    )
    decky: str = Field(index=True)
    service: str = Field(index=True)
    attacker_ip: str = Field(index=True)
    bounty_type: str = Field(index=True)
    # Stored as TEXT and required (NOT NULL).
    # NOTE(review): the payload encoding (JSON?) is not visible here —
    # confirm against the writer.
    payload: str = Field(
        sa_column=Column("payload", Text, nullable=False),
    )
|
||
|
||
|
||
class Credential(SQLModel, table=True):
    """One observed credential attempt against a decky service.

    Forward-compatible across every auth-bearing service in the fleet:
    SSH user+pass, Telnet user+pass, SMTP domain+pass, LDAP dn+pass,
    Redis password-only, etc. The two universal lossless representations
    (``secret_b64`` + ``secret_sha256``) hoist to indexed columns so
    cross-service reuse queries don't scan opaque JSON.

    Per-service identity (the human-meaningful "who's authenticating")
    lives in ``principal`` — username for SSH, domain for SMTP, dn for
    LDAP. Nullable for principal-less mechanisms (Redis AUTH, bearer
    tokens). Fully service-specific keys ride in ``fields`` JSON, which
    defaults to an empty JSON object (``"{}"``) when not supplied.

    Dedup contract: same (attacker_ip, decky, service, secret_sha256,
    principal_or_empty) tuple → upsert, bumps ``attempt_count`` and
    ``last_seen``. Different secret or different principal → new row.

    ``attacker_uuid`` is backfilled by the profiler once an Attacker row
    has been minted for the source IP. It is nullable on first write so
    the credential ingest path stays decoupled from the profiler.
    """

    __tablename__ = "credentials"
    __table_args__ = (
        # Composite indexes for "same secret / same principal on a given
        # service" lookups, in addition to the single-column indexes below.
        Index("ix_credentials_secret_service", "secret_sha256", "service"),
        Index("ix_credentials_principal_service", "principal", "service"),
    )

    id: Optional[int] = Field(default=None, primary_key=True)

    # Keyed by attacker IP (not attackers.uuid) on the write path to
    # avoid the chicken-and-egg of landing a credential before the
    # profiler has minted the Attacker. The profiler backfills
    # ``attacker_uuid`` once it knows the IP, so cross-IP reuse queries
    # eventually have an indexed FK to traverse.
    attacker_ip: str = Field(index=True)
    attacker_uuid: Optional[str] = Field(
        default=None, foreign_key="attackers.uuid", index=True
    )
    decky_name: str = Field(index=True)
    service: str = Field(index=True)
    principal: Optional[str] = Field(default=None, index=True, max_length=256)

    # Discriminator for what `secret_b64` actually contains. Default
    # ``"plaintext"`` — a recoverable password the attacker sent on the
    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
    # the attacker sent in the Postgres password message — plaintext
    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
    # challenge response — same shape).
    #
    # Reuse semantics gracefully degrade: same secret_sha256 only
    # correlates within a single ``secret_kind``. Cross-kind matches
    # are meaningless because different challenges produce different
    # bytes for the same plaintext password.
    secret_kind: str = Field(default="plaintext", index=True, max_length=32)

    # Universal lossless secret representations. For non-plaintext
    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
    # hex-decode for protocols that ship the response as a hex string).
    secret_sha256: str = Field(index=True, max_length=64)
    secret_b64: Optional[str] = Field(default=None, max_length=2048)

    # Best-effort printable form — non-printable bytes collapsed to '?'
    # by either auth-helper.c (SSH/Telnet) or the ingester's legacy
    # adapter (FTP/POP3/IMAP/SMTP). May be lossy on non-UTF8.
    secret_printable: Optional[str] = Field(default=None, max_length=512)
    outcome: Optional[str] = Field(default=None, max_length=16)  # success|failure|observed

    # Service-specific extras as a JSON object string. The Python-side
    # default mirrors the column-level default so the model field is not
    # "required" and an in-memory instance already holds "{}" before it
    # is flushed — the same pattern the JSON text columns on
    # ``CredentialReuse`` use.
    fields: str = Field(
        default="{}",
        sa_column=Column("fields", _BIG_TEXT, nullable=False, default="{}"),
    )

    # Both timestamps default to "now" in UTC at object creation.
    first_seen: datetime = Field(
        default_factory=lambda: datetime.now(timezone.utc), index=True
    )
    last_seen: datetime = Field(
        default_factory=lambda: datetime.now(timezone.utc), index=True
    )
    # Starts at 1 for a freshly observed credential.
    attempt_count: int = Field(default=1)
|
||
|
||
|
||
class CredentialReuse(SQLModel, table=True):
    """A correlator finding: one credential seen across several targets.

    The correlator writes a row when an identical
    ``(secret_sha256, secret_kind, principal)`` tuple has been observed
    against ``target_count`` distinct decky×service pairs. Rows are
    upserted on that natural key, so a single row keeps growing its
    decky/service/IP lists as the credential is reused over time.

    ``confidence`` is set aside for a later fuzzy-match pass over
    credential variants (e.g. ``hunter2`` vs ``hunter22``). Rows produced
    by the exact-secret correlator always carry 1.0.
    """

    __tablename__ = "credential_reuse"
    __table_args__ = (
        UniqueConstraint(
            "secret_sha256",
            "secret_kind",
            "principal_key",
            name="uq_credential_reuse_secret_principal",
        ),
    )

    id: str = Field(max_length=36, primary_key=True)
    secret_sha256: str = Field(max_length=64, index=True)
    secret_kind: str = Field(max_length=32, index=True)

    # ``principal`` is the optional human-readable identity (e.g. "root")
    # and stays NULL for cross-principal reuse rows. Uniqueness is
    # enforced through ``principal_key`` instead: the never-null
    # canonical form ("" when ``principal`` is NULL). Without it,
    # SQLite's NULLs-are-distinct rule for UNIQUE would admit duplicate
    # null-principal rows.
    principal: Optional[str] = Field(max_length=256, default=None)
    principal_key: str = Field(max_length=256, default="")

    # The four columns below each hold a JSON-encoded list[str].
    attacker_uuids: str = Field(
        sa_column=Column("attacker_uuids", _BIG_TEXT, nullable=False, default="[]"),
        default="[]",
    )
    attacker_ips: str = Field(
        sa_column=Column("attacker_ips", _BIG_TEXT, nullable=False, default="[]"),
        default="[]",
    )
    deckies: str = Field(
        sa_column=Column("deckies", _BIG_TEXT, nullable=False, default="[]"),
        default="[]",
    )
    services: str = Field(
        sa_column=Column("services", _BIG_TEXT, nullable=False, default="[]"),
        default="[]",
    )

    # COUNT(DISTINCT decky||':'||service) — the scalar used to rank and
    # filter findings: a credential seen on 12 targets matters far more
    # than one seen on 2.
    target_count: int = Field(index=True, default=0)
    attempt_count: int = Field(default=0)
    confidence: float = Field(default=1.0)

    # All three timestamps default to the current UTC time.
    first_seen: datetime = Field(
        index=True,
        default_factory=lambda: datetime.now(tz=timezone.utc),
    )
    last_seen: datetime = Field(
        index=True,
        default_factory=lambda: datetime.now(tz=timezone.utc),
    )
    updated_at: datetime = Field(
        index=True,
        default_factory=lambda: datetime.now(tz=timezone.utc),
    )
|
||
|
||
|
||
class CredentialReuseResponse(BaseModel):
    # List-response DTO for credential-reuse findings.
    # NOTE(review): presumably a pagination envelope (total matches,
    # page size, start offset) — confirm against the route handler.
    total: int
    limit: int
    offset: int
    # One plain dict per returned row; the dict schema is not fixed here.
    data: List[dict[str, Any]]
|
||
|
||
|
||
class State(SQLModel, table=True):
    # Key/value rows stored in the ``state`` table; ``key`` is the
    # primary key.
    __tablename__ = "state"

    key: str = Field(primary_key=True)

    # Holds a JSON-serialized DecnetConfig or another state blob. These
    # can grow large as deckies/services accumulate, hence the big-text
    # column type (MEDIUMTEXT on MySQL, 16 MiB ceiling).
    value: str = Field(
        sa_column=Column("value", _BIG_TEXT, nullable=False),
    )
|
||
|
||
|
||
class LogsResponse(BaseModel):
    # List-response DTO for log rows.
    # NOTE(review): presumably a pagination envelope (total matches,
    # page size, start offset) — confirm against the route handler.
    total: int
    limit: int
    offset: int
    # One plain dict per returned row; the dict schema is not fixed here.
    data: List[dict[str, Any]]
|
||
|
||
|
||
class BountyResponse(BaseModel):
    # List-response DTO for bounty rows.
    # NOTE(review): presumably a pagination envelope (total matches,
    # page size, start offset) — confirm against the route handler.
    total: int
    limit: int
    offset: int
    # One plain dict per returned row; the dict schema is not fixed here.
    data: List[dict[str, Any]]
|
||
|
||
|
||
class CredentialsResponse(BaseModel):
    # List-response DTO for credential rows.
    # NOTE(review): presumably a pagination envelope (total matches,
    # page size, start offset) — confirm against the route handler.
    total: int
    limit: int
    offset: int
    # One plain dict per returned row; the dict schema is not fixed here.
    data: List[dict[str, Any]]
|
||
|
||
|
||
class StatsResponse(BaseModel):
    # Summary-counter DTO: four required integer fields.
    # NOTE(review): how each counter is computed (e.g. what makes a
    # decky "active" versus "deployed") is not visible in this module —
    # confirm against the code that builds the response.
    total_logs: int
    unique_attackers: int
    active_deckies: int
    deployed_deckies: int
|