anti
f2b3393669
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends `SPDX-License-Identifier: AGPL-3.0-or-later` to every source file across decnet/, decnet_web/, tests/, scripts/, and tools/. Rationale: closes the GPLv3 ASP loophole so any party operating a modified DECNET as a network service must offer their modified source. Personal copyright (Samuel Paschuan) + inbound=outbound contributions make a future unilateral relicense infeasible. - LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt) - COPYRIGHT: project copyright notice - tools/add_spdx_headers.py: idempotent header injector (shebang- and PEP 263-aware) Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh). No behavior change; comments only.
81 lines
3.0 KiB
Python
81 lines
3.0 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""Boot-time ATT&CK bundle validation for lifters and the UKC tactic map.
|
|
|
|
Mirrors what :func:`decnet.ttp.worker.run_ttp_worker_loop` runs at
|
|
startup so a CI run catches the same drift the worker would refuse to
|
|
boot on. The two validators (``intel_lifter.validate_against_attack_bundle``
|
|
and ``ukc.validate_against_attack_bundle``) are the entry points; this
|
|
module also asserts the negative path (a typoed ID inside the
|
|
collection function raises :class:`AttackBundleError`) so a future
|
|
refactor that loses the assertion fails loudly here rather than in
|
|
production.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
|
|
import pytest
|
|
|
|
from decnet.clustering import ukc
|
|
from decnet.ttp import attack_stix
|
|
from decnet.ttp.impl import intel_lifter
|
|
|
|
_REPO_BUNDLE = Path(__file__).resolve().parents[2] / "enterprise-attack-19.0.json"
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def _pin_bundle(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
monkeypatch.setenv("DECNET_ATTACK_BUNDLE", str(_REPO_BUNDLE))
|
|
attack_stix._data = None
|
|
attack_stix._loaded_path = None
|
|
attack_stix._attack_pattern_by_id.cache_clear()
|
|
attack_stix._tactic_by_id.cache_clear()
|
|
attack_stix._tactic_by_short_name.cache_clear()
|
|
|
|
|
|
def test_intel_lifter_emissions_resolve_in_bundle() -> None:
|
|
intel_lifter.validate_against_attack_bundle()
|
|
|
|
|
|
def test_intel_lifter_emission_set_is_complete() -> None:
|
|
ids = intel_lifter.all_emitted_technique_ids()
|
|
# Decision-flow constants should be present even though they don't
|
|
# appear in the lookup tables (see _greynoise_decisions /
|
|
# _feodo_decisions).
|
|
assert {"T1071", "T1595", "T1588"}.issubset(ids)
|
|
# Spot-check at least one entry from each table.
|
|
assert "T1110" in ids # AbuseIPDB cat 5/22
|
|
assert "T1090" in ids # GreyNoise tor_exit_node
|
|
assert "T1056" in ids # ThreatFox cc_skimming
|
|
|
|
|
|
def test_ukc_tactic_map_resolves_in_bundle() -> None:
|
|
ukc.validate_against_attack_bundle()
|
|
|
|
|
|
def test_ukc_ics_tactics_are_exempt_from_validation() -> None:
|
|
# ICS tactics aren't in the enterprise bundle, but the validator
|
|
# tolerates them via the _NON_ENTERPRISE_TACTICS exempt set.
|
|
assert "TA0100" in ukc._NON_ENTERPRISE_TACTICS
|
|
assert not attack_stix.tactic_exists("TA0100")
|
|
# And the validator passes (tested above) despite TA0100..TA0106
|
|
# being in ATTACK_TACTIC_TO_UKC.
|
|
|
|
|
|
def test_validator_raises_when_unknown_id_injected(
|
|
monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
# Inject a bogus tactic into the map for the duration of the test.
|
|
bogus = "TA9999"
|
|
monkeypatch.setitem(ukc.ATTACK_TACTIC_TO_UKC, bogus, ukc.UKCPhase.IMPACT)
|
|
with pytest.raises(attack_stix.AttackBundleError) as exc:
|
|
ukc.validate_against_attack_bundle()
|
|
assert bogus in str(exc.value)
|
|
|
|
|
|
def test_credential_lifter_t1078_resolves() -> None:
|
|
# credential_lifter has a single hardcoded T1078 reference; cover
|
|
# it explicitly so a future ATT&CK release that retires T1078
|
|
# surfaces here as well as in the rule-pack coverage test.
|
|
assert attack_stix.technique_exists("T1078")
|