mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-28 18:11:31 +02:00
Shadowbroker
76750caa92
== Per-install operator handle for every third-party API call ==
Before this PR, every Shadowbroker install identified itself to
Wikipedia, Wikidata, Nominatim, GDELT, OpenMHz, Broadcastify,
weather.gov, NUFORC, Sentinel/Planetary Computer, TinyGS / CelesTrak,
Shodan, Finnhub, and others with a single project-wide User-Agent
("Shadowbroker/1.0" or "ShadowBroker-OSINT/1.0"). From the upstream's
perspective every install in the world looked like one giant scraper.
If one install misbehaved, the upstream's only recourse was to block
"Shadowbroker" as a whole.
PR #284 inadvertently doubled down on this in the frontend by
introducing a shared `WIKIMEDIA_API_USER_AGENT` constant. This PR
retrofits both backends to per-operator attribution.
New setting: OPERATOR_HANDLE (env var / settings UI / auto-gen)
New helper: network_utils.outbound_user_agent("purpose")
The handle is auto-generated as "operator-XXXXXX" on first call (the
"shadow-" prefix from earlier drafts was deliberately dropped — too
suspicious-looking for abuse-detection systems). Operators can
override via OPERATOR_HANDLE; the value is sanitized to lowercase
alphanumeric+dash+underscore and capped at 48 chars. Persisted to
backend/data/operator_handle.json so it survives container restarts.
Retrofitted call sites (every previously-MONSTER User-Agent):
- services/region_dossier.py (Wikipedia + Wikidata + Nominatim)
- services/geocode.py (Nominatim)
- services/sentinel_search.py (Microsoft Planetary Computer)
- services/feed_ingester.py (operator-curated RSS feeds)
- services/fetchers/earth_observation.py (weather.gov, NUFORC)
- services/fetchers/infrastructure.py
- services/fetchers/aircraft_database.py
- services/fetchers/route_database.py
- services/fetchers/trains.py
- services/fetchers/meshtastic_map.py
- services/shodan_connector.py
- services/unusual_whales_connector.py (Finnhub)
- services/tinygs_fetcher.py (CelesTrak + TinyGS)
- services/sar/sar_products_client.py
- services/geopolitics.py (GDELT)
- services/radio_intercept.py (Broadcastify + OpenMHz)
- routers/cctv.py + main.py (CCTV proxy)
- routers/ai_intel.py
- scripts/convert_power_plants.py (release-time data refresh)
Spoofed browser UAs removed (issues #289 / #290 / #291 — tg12 audit):
- cloudscraper-based Chrome impersonation against api.openmhz.com
-> replaced with honest requests + per-install UA
- Mozilla/5.0 spoofed UA on Broadcastify scrape
-> replaced with honest UA
- Mozilla/5.0 + fake first-party Referer on OpenMHz audio relay
-> replaced with honest UA
- cloudscraper dependency dropped from pyproject.toml + uv.lock
Frontend retrofit:
- new GET /api/settings/operator-handle endpoint (local-operator
gated) returns the install's handle
- frontend/src/lib/wikimediaClient.ts fetches the handle once on
first use, caches it for page lifetime, embeds it in the
Api-User-Agent for every Wikipedia / Wikidata browser-direct call
== GDELT GCS-direct fix ==
GDELT's data.gdeltproject.org is a CNAME to a Google Cloud Storage
bucket. GCS responds with the wildcard *.storage.googleapis.com cert
which legitimately does NOT cover the GDELT custom domain, so Python's
TLS verification correctly refuses the connection. Some networks
happen to route through a path where this works; many (notably Docker
Desktop's outbound NAT on local installs) do not. Verified on the
maintainer's local install: GDELT was unreachable; 1610 geopolitical
events / 48 export files were dropping silently.
Fix: services/geopolitics._gcs_direct_gdelt_url() rewrites any
data.gdeltproject.org URL to its GCS-direct equivalent
(storage.googleapis.com/data.gdeltproject.org/...) where the standard
GCS cert is genuinely valid. api.gdeltproject.org and every other host
are left untouched.
Confirmed live: backend log goes from
GDELT lastupdate failed: 500
to
Downloading 48 GDELT export files...
Downloaded 48/48 GDELT exports
GDELT parsed: 1610 conflict locations from 48 files
== Tests ==
backend/tests/test_per_operator_outbound_attribution.py (12 tests)
backend/tests/test_gdelt_gcs_direct_rewrite.py (6 tests)
backend/tests/test_region_dossier_wikimedia_ua.py (updated to
pin the helper + per-operator handle, not the old constant)
frontend/src/__tests__/utils/wikimediaClient.test.ts (rewritten
to mock /api/settings/operator-handle and assert per-operator UA)
Local: backend 114/114 security+audit+round7a suite green;
frontend 718/718 vitest suite green.
Credit: tg12 (external security audit, issues #289/#290/#291
relating to spoofed UAs); BigBodyCobain (operator-prefix call,
GDELT cloud-vs-local diagnosis).
84 lines
3.4 KiB
Python
84 lines
3.4 KiB
Python
"""GDELT's ``data.gdeltproject.org`` is a CNAME to a Google Cloud Storage
|
|
bucket. GCS responds with the wildcard ``*.storage.googleapis.com``
|
|
certificate, which legitimately does NOT cover the GDELT custom
|
|
domain, so Python's TLS verification refuses the connection. Some
|
|
networks happen to route through a path where this works; many
|
|
(notably Docker Desktop's outbound NAT on local installs) do not.
|
|
|
|
The fix in ``services.geopolitics._gcs_direct_gdelt_url`` rewrites any
|
|
URL pointing at ``data.gdeltproject.org`` to its GCS-direct equivalent
|
|
(``storage.googleapis.com/data.gdeltproject.org/...``), where the
|
|
standard GCS certificate is genuinely valid. ``api.gdeltproject.org``
|
|
and every other host are left untouched.
|
|
|
|
These tests pin that behavior so a future refactor that drops the
|
|
helper or accidentally rewrites the wrong host gets a loud failure.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
|
|
def test_rewrites_data_gdeltproject_https():
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
assert _gcs_direct_gdelt_url(
|
|
"https://data.gdeltproject.org/gdeltv2/lastupdate.txt"
|
|
) == "https://storage.googleapis.com/data.gdeltproject.org/gdeltv2/lastupdate.txt"
|
|
|
|
|
|
def test_rewrites_data_gdeltproject_http():
|
|
"""GDELT's lastupdate.txt sometimes lists URLs with http:// — we
|
|
rewrite those too (the downstream call upgrades them to https)."""
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
assert _gcs_direct_gdelt_url(
|
|
"http://data.gdeltproject.org/gdeltv2/20260301120000.export.CSV.zip"
|
|
) == "http://storage.googleapis.com/data.gdeltproject.org/gdeltv2/20260301120000.export.CSV.zip"
|
|
|
|
|
|
def test_rewrites_preserve_query_string_and_path():
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
url = "https://data.gdeltproject.org/some/deep/path?a=1&b=2&c=hello%20world"
|
|
rewritten = _gcs_direct_gdelt_url(url)
|
|
assert rewritten == (
|
|
"https://storage.googleapis.com/data.gdeltproject.org"
|
|
"/some/deep/path?a=1&b=2&c=hello%20world"
|
|
)
|
|
|
|
|
|
def test_does_not_touch_api_gdeltproject_org():
|
|
"""The API host is NOT a CNAME to GCS; rewriting it would break the
|
|
actual GDELT API endpoint."""
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
url = "https://api.gdeltproject.org/api/v2/doc/doc?query=carrier"
|
|
assert _gcs_direct_gdelt_url(url) == url
|
|
|
|
|
|
def test_does_not_touch_other_hosts():
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
for url in (
|
|
"https://en.wikipedia.org/wiki/Boeing_747",
|
|
"https://query.wikidata.org/sparql",
|
|
"https://storage.googleapis.com/already-correct/path",
|
|
"https://nominatim.openstreetmap.org/search",
|
|
):
|
|
assert _gcs_direct_gdelt_url(url) == url
|
|
|
|
|
|
def test_does_not_partially_match_strings():
|
|
"""``data.gdeltproject.org`` is matched exactly; URLs that merely
|
|
contain that substring elsewhere (in a query parameter, for example)
|
|
are left alone. Otherwise we'd rewrite something like
|
|
``https://example.com/?ref=data.gdeltproject.org/x`` which is wrong."""
|
|
from services.geopolitics import _gcs_direct_gdelt_url
|
|
|
|
# The match requires ``://`` immediately before the host, so a host
|
|
# like ``example-data.gdeltproject.org`` would also be left alone
|
|
# (treated as a different host, which is correct).
|
|
url = "https://example-data.gdeltproject.org/path"
|
|
assert _gcs_direct_gdelt_url(url) == url
|