CalvinBackup/Shadowbroker
1
0
Fork 0
mirror of https://github.com/BigBodyCobain/Shadowbroker.git synced 2026-06-01 20:11:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Harden infonet control surfaces

Browse Source
This commit is contained in:
BigBodyCobain
2026-05-18 11:22:38 -06:00
parent 25a98a9869
commit 11ea345518
30 changed files with 1810 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/services/fetchers/_store.py
+1 -1
View File
@@ -318,7 +318,7 @@ active_layers: dict[str, bool] = {
"uap_sightings": True,
"wastewater": True,
"ai_intel": True,
"crowdthreat": True,
"crowdthreat": False,
"sar": True,
}
backend/services/fetchers/crowdthreat.py
+17
View File
@@ -7,6 +7,7 @@ No API key required — the /threats endpoint is unauthenticated.
"""
import logging
import os
from services.network_utils import fetch_with_curl
from services.fetchers._store import latest_data, _data_lock, _mark_fresh, is_any_active
@@ -16,6 +17,16 @@ logger = logging.getLogger("services.data_fetcher")
_CT_BASE = "https://backend.crowdthreat.world"
def crowdthreat_fetch_enabled() -> bool:
"""Return True only when the operator explicitly opts into CrowdThreat pulls."""
return str(os.environ.get("CROWDTHREAT_ENABLED", "")).strip().lower() in {
"1",
"true",
"yes",
"on",
}
# CrowdThreat category_id → icon ID used on the MapLibre layer
_CATEGORY_ICON = {
1: "ct-security", # Security & Conflict (red)
@@ -43,6 +54,12 @@ _CATEGORY_COLOUR = {
@with_retry(max_retries=2, base_delay=5)
def fetch_crowdthreat():
"""Fetch verified threat reports from CrowdThreat public API."""
if not crowdthreat_fetch_enabled():
logger.debug("CrowdThreat fetch skipped; set CROWDTHREAT_ENABLED=true to opt in")
with _data_lock:
latest_data["crowdthreat"] = []
_mark_fresh("crowdthreat")
return
if not is_any_active("crowdthreat"):
return
backend/services/mesh/mesh_hashchain.py
+19 -2
View File
@@ -1438,6 +1438,7 @@ class Infonet:
# Running counters — avoid O(N) scans in get_info()
self._type_counts: dict[str, int] = {}
self._active_count: int = 0
self._registered_nodes: set[str] = set()
self._chain_bytes: int = 2 # Start with "[]" empty JSON array
self._dirty = False
self._save_lock = threading.Lock()
@@ -1518,6 +1519,7 @@ class Infonet:
self._last_validated_index = 0
self._type_counts = {}
self._active_count = 0
self._registered_nodes = set()
self._chain_bytes = 2
def _rebuild_state(self) -> None:
@@ -1566,10 +1568,15 @@ class Infonet:
now = time.time()
self._type_counts = {}
self._active_count = 0
self._registered_nodes = set()
self._chain_bytes = 2 # "[]"
for evt in self.events:
t = evt.get("event_type", "unknown")
self._type_counts[t] = self._type_counts.get(t, 0) + 1
if t == "node_register":
node_id = str(evt.get("node_id", "") or "")
if node_id:
self._registered_nodes.add(node_id)
is_eph = evt.get("payload", {}).get("ephemeral") or evt.get("payload", {}).get("_ephemeral")
if not is_eph or (now - evt.get("timestamp", 0)) < EPHEMERAL_TTL:
self._active_count += 1
@@ -1579,6 +1586,10 @@ class Infonet:
"""Incrementally update counters when a new event is appended."""
t = evt.get("event_type", "unknown")
self._type_counts[t] = self._type_counts.get(t, 0) + 1
if t == "node_register":
node_id = str(evt.get("node_id", "") or "")
if node_id:
self._registered_nodes.add(node_id)
self._active_count += 1
self._chain_bytes += len(json.dumps(evt)) + 2
@@ -2247,6 +2258,7 @@ class Infonet:
self.event_index[event_id] = len(self.events) - 1
self.head_hash = event_id
self.node_sequences[node_id] = sequence
self._update_counters_for_event(evt)
accepted += 1
expected_prev = event_id
self._replay_filter.add(event_id)
@@ -2552,6 +2564,8 @@ class Infonet:
# Apply fork
self.events = prefix + ordered
self._rebuild_state()
self._rebuild_revocations()
self._rebuild_counters()
self._save()
try:
from services.mesh.mesh_metrics import increment as metrics_inc
@@ -2681,6 +2695,8 @@ class Infonet:
"head_hash_full": self.head_hash,
"chain_lock": self.chain_lock(),
"known_nodes": len(self.node_sequences),
"author_nodes": len(self.node_sequences),
"registered_nodes": len(self._registered_nodes),
"event_types": dict(self._type_counts),
"chain_size_kb": round(self._chain_bytes / 1024, 1),
"unsigned_events": 0,
@@ -2716,8 +2732,9 @@ class Infonet:
if len(new_events) != before:
self.events = new_events
# Rebuild index
self.event_index = {e["event_id"]: i for i, e in enumerate(self.events)}
self._rebuild_state()
self._rebuild_revocations()
self._rebuild_counters()
self._save()
logger.info(f"Infonet cleanup: removed {before - len(new_events)} expired events")
backend/services/mesh/mesh_wormhole_identity.py
+125 -3
View File
@@ -17,7 +17,7 @@ import time
from typing import Any
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from services.mesh.mesh_crypto import (
build_signature_payload,
@@ -464,6 +464,37 @@ def _bundle_fingerprint(data: dict[str, Any]) -> str:
return hashlib.sha256(raw.encode("utf-8")).hexdigest()
def _ensure_dm_dh_material(data: dict[str, Any]) -> tuple[dict[str, Any], bool]:
"""Repair legacy/corrupt DM identities that kept signing keys but lost DH material."""
if str(data.get("dh_pub_key", "") or "").strip() and str(data.get("dh_private_key", "") or "").strip():
return data, False
dh_priv = x25519.X25519PrivateKey.generate()
dh_priv_raw = dh_priv.private_bytes(
encoding=serialization.Encoding.Raw,
format=serialization.PrivateFormat.Raw,
encryption_algorithm=serialization.NoEncryption(),
)
dh_pub_raw = dh_priv.public_key().public_bytes(
encoding=serialization.Encoding.Raw,
format=serialization.PublicFormat.Raw,
)
repaired = {
**dict(data or {}),
"dh_pub_key": base64.b64encode(dh_pub_raw).decode("ascii"),
"dh_algo": "X25519",
"dh_private_key": base64.b64encode(dh_priv_raw).decode("ascii"),
"last_dh_timestamp": int(time.time()),
"bundle_fingerprint": "",
"bundle_sequence": 0,
"bundle_registered_at": 0,
"prekey_bundle_registered_at": 0,
"prekey_transparency_head": "",
"prekey_transparency_size": 0,
}
return _write_identity(repaired), True
def trust_fingerprint_for_identity_material(
*,
agent_id: str,
@@ -830,10 +861,11 @@ def _sign_dm_invite_payload(
def register_wormhole_dm_key(force: bool = False) -> dict[str, Any]:
data = read_wormhole_identity()
data, repaired_dh = _ensure_dm_dh_material(data)
timestamp = int(time.time())
fingerprint = _bundle_fingerprint(data)
if not force and fingerprint and fingerprint == data.get("bundle_fingerprint"):
if not force and not repaired_dh and fingerprint and fingerprint == data.get("bundle_fingerprint"):
return {
"ok": True,
**_public_view(data),
@@ -1525,11 +1557,101 @@ def import_wormhole_dm_invite(invite: dict[str, Any], *, alias: str = "") -> dic
"detail": "compat dm invite import disabled; ask the sender to re-export a current signed invite",
}
def _prekey_missing_or_pending(detail: str) -> bool:
lower = str(detail or "").strip().lower()
return any(
phrase in lower
for phrase in (
"prekey bundle not found",
"invite prekey bundle not found",
"peer prekey lookup unavailable",
"peer prekey lookup still preparing",
"transport tier insufficient",
"preparing_private_lane",
)
)
def _pin_pending_invite_prekey(detail: str) -> dict[str, Any]:
if invite_version < DM_INVITE_VERSION:
return {"ok": False, "detail": detail or "invite prekey bundle not found"}
invite_root_distribution = _verify_dm_invite_root_distribution(payload)
if not invite_root_distribution.get("ok"):
return invite_root_distribution
attested = _verify_dm_invite_identity_attestation(
envelope=envelope,
payload=payload,
resolved_root_node_id=str(invite_root_distribution.get("root_node_id", "") or ""),
resolved_root_public_key=str(invite_root_distribution.get("root_public_key", "") or ""),
resolved_root_public_key_algo=str(
invite_root_distribution.get("root_public_key_algo", "Ed25519") or "Ed25519"
),
resolved_root_manifest_fingerprint=str(
invite_root_distribution.get("root_manifest_fingerprint", "") or ""
).strip().lower(),
)
if not attested.get("ok"):
return attested
pending_peer_id = str(verified.get("peer_id", "") or "").strip()
trust_fingerprint = str(verified.get("trust_fingerprint", "") or "").strip().lower()
contact = pin_wormhole_dm_invite(
pending_peer_id,
invite_payload={
"trust_fingerprint": trust_fingerprint,
"public_key": "",
"public_key_algo": "Ed25519",
"identity_dh_pub_key": "",
"dh_algo": "X25519",
"prekey_lookup_handle": lookup_handle,
"issued_at": int(payload.get("issued_at", 0) or 0),
"expires_at": int(payload.get("expires_at", 0) or 0),
"label": str(payload.get("label", "") or ""),
"root_node_id": str(attested.get("root_node_id", "") or ""),
"root_public_key": str(attested.get("root_public_key", "") or ""),
"root_public_key_algo": str(attested.get("root_public_key_algo", "Ed25519") or "Ed25519"),
"root_fingerprint": str(attested.get("root_fingerprint", "") or ""),
"root_manifest_fingerprint": str(invite_root_distribution.get("root_manifest_fingerprint", "") or ""),
"root_witness_policy_fingerprint": str(
invite_root_distribution.get("root_witness_policy_fingerprint", "") or ""
),
"root_witness_threshold": _safe_int(
invite_root_distribution.get("root_witness_threshold", 0) or 0,
0,
),
"root_witness_count": _safe_int(invite_root_distribution.get("root_witness_count", 0) or 0, 0),
"root_witness_domain_count": _safe_int(
invite_root_distribution.get("root_witness_domain_count", 0) or 0,
0,
),
"root_manifest_generation": _safe_int(
invite_root_distribution.get("root_manifest_generation", 0) or 0,
0,
),
"root_rotation_proven": bool(invite_root_distribution.get("root_rotation_proven")),
},
alias=resolved_alias,
attested=True,
)
return {
"ok": True,
"peer_id": pending_peer_id,
"invite_peer_id": pending_peer_id,
"trust_fingerprint": trust_fingerprint,
"trust_level": str(contact.get("trust_level", "") or ""),
"detail": "Contact saved.",
"invite_attested": True,
"pending_prekey": True,
"prekey_detail": detail or "invite prekey bundle not found",
"contact": contact,
}
from services.mesh.mesh_wormhole_prekey import fetch_dm_prekey_bundle
fetched = fetch_dm_prekey_bundle(lookup_token=lookup_handle)
if not fetched.get("ok"):
return {"ok": False, "detail": str(fetched.get("detail", "") or "invite prekey bundle not found")}
fetch_detail = str(fetched.get("detail", "") or "invite prekey bundle not found")
if _prekey_missing_or_pending(fetch_detail):
return _pin_pending_invite_prekey(fetch_detail)
return {"ok": False, "detail": fetch_detail}
resolved_peer_id = str(fetched.get("agent_id", "") or "").strip()
if not resolved_peer_id:
backend/services/mesh/mesh_wormhole_prekey.py
+118
View File
@@ -11,6 +11,7 @@ import os
import random
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any
@@ -150,6 +151,118 @@ def _fetch_dm_prekey_bundle_from_peer_lookup(lookup_token: str) -> dict[str, Any
return {"ok": False, "detail": last_detail or "Prekey bundle not found"}
def _configured_public_lookup_peer_urls() -> list[str]:
try:
from services.config import get_settings
from services.mesh.mesh_router import active_sync_peer_urls, parse_configured_relay_peers
settings = get_settings()
candidates: list[str] = []
for raw in (
getattr(settings, "MESH_BOOTSTRAP_SEED_PEERS", ""),
getattr(settings, "MESH_DEFAULT_SYNC_PEERS", ""),
):
candidates.extend(parse_configured_relay_peers(str(raw or "")))
candidates.extend(active_sync_peer_urls())
except Exception:
return []
seen: set[str] = set()
peers: list[str] = []
for candidate in candidates:
peer = str(candidate or "").strip().rstrip("/")
if not peer or peer in seen:
continue
seen.add(peer)
peers.append(peer)
return peers
def _normalize_remote_lookup_bundle(payload: dict[str, Any]) -> dict[str, Any]:
data = dict(payload or {})
bundle = dict(data.get("bundle") or {})
public_key = str(data.get("public_key", "") or bundle.get("public_key", "") or "").strip()
if not public_key:
return {"ok": False, "detail": "Prekey bundle missing signing key"}
agent_id = str(data.get("agent_id", "") or "").strip() or derive_node_id(public_key)
if not agent_id:
return {"ok": False, "detail": "Prekey bundle public key binding mismatch"}
data["agent_id"] = agent_id
data["public_key"] = public_key
data["public_key_algo"] = str(data.get("public_key_algo", "") or bundle.get("public_key_algo", "Ed25519") or "Ed25519")
data["protocol_version"] = str(data.get("protocol_version", "") or bundle.get("protocol_version", PROTOCOL_VERSION) or PROTOCOL_VERSION)
data["bundle"] = bundle
ok, reason = _validate_bundle_record(data)
if not ok:
return {"ok": False, "detail": reason}
data["ok"] = True
data["lookup_mode"] = "invite_lookup_handle"
data["public_lookup"] = True
return data
def _fetch_dm_prekey_bundle_from_public_lookup(lookup_token: str) -> dict[str, Any]:
"""Fetch an invite-scoped prekey bundle from bootstrap/sync peers.
The token is high-entropy and invite-scoped. This path does not expose a
stable agent_id to the peer; if the ordinary peer response omits agent_id,
derive it from the signed identity public key and validate the bundle before
accepting it.
"""
token = str(lookup_token or "").strip()
if not token:
return {"ok": False, "detail": "lookup token required"}
peers = _configured_public_lookup_peer_urls()
if not peers:
return {"ok": False, "detail": "peer prekey lookup unavailable"}
try:
from services.config import get_settings
timeout = max(1, _safe_int(getattr(get_settings(), "MESH_SYNC_TIMEOUT_S", 5) or 5, 5))
except Exception:
timeout = 5
encoded = urllib.parse.urlencode({"lookup_token": token})
last_detail = ""
for peer_url in peers:
normalized_peer_url = str(peer_url or "").strip().rstrip("/")
if not normalized_peer_url:
continue
request = urllib.request.Request(
f"{normalized_peer_url}/api/mesh/dm/prekey-bundle?{encoded}",
headers={
"Accept": "application/json",
"User-Agent": "ShadowBroker-Infonet/0.9 (+https://github.com/BigBodyCobain/Shadowbroker)",
},
method="GET",
)
try:
with urllib.request.urlopen(request, timeout=timeout) as response:
raw = response.read(256 * 1024)
payload = json.loads(raw.decode("utf-8"))
except (urllib.error.URLError, TimeoutError, json.JSONDecodeError, OSError) as exc:
logger.debug("public prekey lookup failed for %s: %s", normalized_peer_url, type(exc).__name__)
last_detail = "peer prekey lookup unavailable"
continue
if not isinstance(payload, dict):
last_detail = "invalid peer response"
continue
if payload.get("pending") or str(payload.get("status", "") or "") == "preparing_private_lane":
last_detail = "peer prekey lookup still preparing"
continue
if not payload.get("ok"):
last_detail = str(payload.get("detail", "") or last_detail or "Prekey bundle not found")
continue
if not isinstance(payload.get("bundle"), dict):
last_detail = "Prekey bundle not found"
continue
normalized = _normalize_remote_lookup_bundle(payload)
if normalized.get("ok"):
return normalized
last_detail = str(normalized.get("detail", "") or last_detail)
return {"ok": False, "detail": last_detail or "Prekey bundle not found"}
def _b64(data: bytes) -> str:
return base64.b64encode(data).decode("ascii")
@@ -926,6 +1039,11 @@ def fetch_dm_prekey_bundle(
peer_found = _fetch_dm_prekey_bundle_from_peer_lookup(resolved_lookup)
if peer_found.get("ok"):
return peer_found
public_found = _fetch_dm_prekey_bundle_from_public_lookup(resolved_lookup)
if public_found.get("ok"):
return public_found
if str(public_found.get("detail", "") or "").strip():
return {"ok": False, "detail": str(public_found.get("detail", "") or "Prekey bundle not found")}
return {"ok": False, "detail": str(peer_found.get("detail", "") or "Prekey bundle not found")}
else:
return {"ok": False, "detail": "Prekey bundle not found"}