anti
ffc275f051
Populates Attacker.country_code + country_source (MVP) using the five RIR delegated-stats files (ARIN/RIPE/APNIC/LACNIC/AFRINIC). Offline, license-free, no outbound traffic that could burn honeypot stealth. - decnet.geoip package with factory/base/lookup + rir/ subpackage (fetch/parse/provider) mirroring the db + bus factory convention - Profiler._build_record calls enrich_ip on every upsert - Idempotent ALTER TABLE migrations for both SQLite and MySQL - decnet geoip refresh/lookup CLI (master-only) - /var/lib/decnet/geoip seeded by decnet init - DECNET_GEOIP_ENABLED=false kill-switch; set in tests/conftest.py so unit tests never trigger the first-access fetch
40 lines
1.3 KiB
Python
40 lines
1.3 KiB
Python
"""_build_record must thread country fields through to the upsert payload."""
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from pathlib import Path
|
|
|
|
from decnet.correlation.parser import LogEvent
|
|
from decnet.geoip.rir.fetch import RIR_SOURCES
|
|
from decnet.profiler.worker import _build_record
|
|
|
|
|
|
def _evt(ip: str) -> LogEvent:
|
|
return LogEvent(
|
|
timestamp=datetime(2026, 4, 23, tzinfo=timezone.utc),
|
|
attacker_ip=ip,
|
|
decky="decky-01",
|
|
service="ssh",
|
|
event_type="conn",
|
|
fields={},
|
|
raw="",
|
|
)
|
|
|
|
|
|
def test_build_record_includes_country_when_resolved(tmp_path: Path) -> None:
|
|
(tmp_path / f"{RIR_SOURCES[0][0]}.txt").write_text(
|
|
"arin|US|ipv4|8.8.8.0|256|20000101|allocated|abc\n"
|
|
)
|
|
record = _build_record("8.8.8.8", [_evt("8.8.8.8")], None, [], [])
|
|
assert record["country_code"] == "US"
|
|
assert record["country_source"] == "rir"
|
|
|
|
|
|
def test_build_record_country_none_for_private(tmp_path: Path) -> None:
|
|
(tmp_path / f"{RIR_SOURCES[0][0]}.txt").write_text(
|
|
"arin|US|ipv4|8.8.8.0|256|20000101|allocated|abc\n"
|
|
)
|
|
record = _build_record("10.0.0.1", [_evt("10.0.0.1")], None, [], [])
|
|
assert record["country_code"] is None
|
|
assert record["country_source"] is None
|