anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d4dc7dff81ce826b2214119e2b2d97adfe287c22
DECNET/tests/intel/test_abuseipdb.py
anti 999d3494b4 feat(intel): persist per-provider taxonomy on AttackerIntel for TTP dispatch 
The 2026-05-02 ship-time audit of the R0054-R0058 intel rule pack found
that AbuseIPDB / GreyNoise / ThreatFox stored only the aggregate verdict
(score / classification / listed-bool) plus the raw response blob. The
TTP IntelLifter expects per-provider taxonomy fields (categories, tags,
threat_types) that were never populated, so R0054 / R0055 / R0057
emitted zero tags in production despite passing unit tests.

Add typed columns: abuseipdb_categories, greynoise_tags, greynoise_name,
feodo_malware_family, threatfox_threat_types, threatfox_ioc_types,
threatfox_malware_families. Each provider now parses the relevant
taxonomy out of the upstream response and writes it through
column_updates. JSON-list columns ride as TEXT with default "[]" to
keep the SQLite/MySQL backend split honest, deserialised back to native
lists by the repo on read.
2026-05-02 18:07:57 -04:00

154 lines
4.9 KiB
Python
Raw Blame History

"""Unit tests for the AbuseIPDB provider."""
from __future__ import annotations
import json
import httpx
import pytest
from decnet.intel.abuseipdb import AbuseIPDBProvider, _score_to_verdict
def _install_transport(handler) -> list[httpx.Request]:
captured: list[httpx.Request] = []
async def _wrapped(request: httpx.Request) -> httpx.Response:
captured.append(request)
return await handler(request)
transport = httpx.MockTransport(_wrapped)
from decnet.intel import abuseipdb as mod
def _factory():
return httpx.AsyncClient(
transport=transport,
headers={"User-Agent": "curl/7.88.1"},
)
mod.stealth_client = _factory # type: ignore[assignment]
return captured
def test_score_thresholds():
assert _score_to_verdict(0) == "benign"
assert _score_to_verdict(24) == "benign"
assert _score_to_verdict(25) == "suspicious"
assert _score_to_verdict(74) == "suspicious"
assert _score_to_verdict(75) == "malicious"
assert _score_to_verdict(100) == "malicious"
@pytest.mark.anyio
async def test_missing_api_key_returns_error_no_egress(monkeypatch):
monkeypatch.delenv("DECNET_ABUSEIPDB_API_KEY", raising=False)
captured = _install_transport(
lambda r: (_ for _ in ()).throw(AssertionError("must not egress"))
)
provider = AbuseIPDBProvider()
result = await provider.lookup("1.2.3.4")
assert result.error == "DECNET_ABUSEIPDB_API_KEY not configured"
assert result.column_updates == {}
assert captured == [] # no request made
@pytest.mark.anyio
async def test_high_score_maps_to_malicious(monkeypatch):
monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(
200,
json={"data": {
"ipAddress": "1.2.3.4",
"abuseConfidenceScore": 92,
"totalReports": 41,
"countryCode": "RU",
}},
)
captured = _install_transport(handler)
provider = AbuseIPDBProvider()
result = await provider.lookup("1.2.3.4")
assert result.verdict == "malicious"
assert result.column_updates["abuseipdb_score"] == 92
raw = json.loads(result.column_updates["abuseipdb_raw"])
assert raw["countryCode"] == "RU"
# Key header sent, query params correct.
req = captured[0]
assert req.headers["key"] == "k3y"
assert "ipAddress=1.2.3.4" in str(req.url)
@pytest.mark.anyio
async def test_low_score_maps_to_benign(monkeypatch):
monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(
200, json={"data": {"abuseConfidenceScore": 0}},
)
_install_transport(handler)
provider = AbuseIPDBProvider()
result = await provider.lookup("8.8.8.8")
assert result.verdict == "benign"
assert result.column_updates["abuseipdb_score"] == 0
@pytest.mark.anyio
async def test_categories_flattened_from_reports(monkeypatch):
"""Post-2026-05-02 audit: provider must extract the union of
``data.reports[*].categories`` so the IntelLifter can dispatch
ATT&CK techniques. Sorted for deterministic test + bus diff."""
monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(
200,
json={"data": {
"abuseConfidenceScore": 80,
"reports": [
{"categories": [18, 22]},
{"categories": [22, 14]},
{"categories": []},
{"not_a_dict": True},
{"categories": [21]},
],
}},
)
_install_transport(handler)
provider = AbuseIPDBProvider()
result = await provider.lookup("1.2.3.4")
cats = json.loads(result.column_updates["abuseipdb_categories"])
assert cats == [14, 18, 21, 22]
@pytest.mark.anyio
async def test_categories_empty_when_no_reports(monkeypatch):
monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(
200, json={"data": {"abuseConfidenceScore": 5}},
)
_install_transport(handler)
provider = AbuseIPDBProvider()
result = await provider.lookup("8.8.8.8")
assert json.loads(result.column_updates["abuseipdb_categories"]) == []
@pytest.mark.anyio
async def test_429_returns_error(monkeypatch):
monkeypatch.setenv("DECNET_ABUSEIPDB_API_KEY", "k3y")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(429)
_install_transport(handler)
provider = AbuseIPDBProvider()
result = await provider.lookup("1.1.1.1")
assert result.error == "HTTP 429"
assert result.column_updates == {}
Reference in New Issue View Git Blame Copy Permalink