tests, ip_ban engine implemented, frontend dashboard improvements

Author: vsilent

migrations/00000000000003_create_ip_offenses/down.sql

@@ -0,0 +1,4 @@
+DROP INDEX IF EXISTS idx_ip_offenses_last_seen;
+DROP INDEX IF EXISTS idx_ip_offenses_status;
+DROP INDEX IF EXISTS idx_ip_offenses_ip;
+DROP TABLE IF EXISTS ip_offenses;

migrations/00000000000003_create_ip_offenses/up.sql

@@ -0,0 +1,18 @@
+CREATE TABLE IF NOT EXISTS ip_offenses (
+    id TEXT PRIMARY KEY,
+    ip_address TEXT NOT NULL,
+    source_type TEXT NOT NULL,
+    container_id TEXT,
+    offense_count INTEGER NOT NULL DEFAULT 1,
+    first_seen TEXT NOT NULL,
+    last_seen TEXT NOT NULL,
+    blocked_until TEXT,
+    status TEXT NOT NULL DEFAULT 'Active',
+    reason TEXT NOT NULL,
+    metadata TEXT,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_ip_offenses_ip ON ip_offenses(ip_address);
+CREATE INDEX IF NOT EXISTS idx_ip_offenses_status ON ip_offenses(status);
+CREATE INDEX IF NOT EXISTS idx_ip_offenses_last_seen ON ip_offenses(last_seen);

src/api/alerts.rs

@@ -50,7 +50,8 @@ pub async fn get_alert_stats(pool: web::Data<DbPool>) -> impl Responder {
             "total_count": stats.total_count,
             "new_count": stats.new_count,
             "acknowledged_count": stats.acknowledged_count,
-            "resolved_count": stats.resolved_count
+            "resolved_count": stats.resolved_count,
+            "false_positive_count": stats.false_positive_count
         })),
         Err(e) => {
             log::error!("Failed to get alert stats: {}", e);
@@ -59,7 +60,8 @@ pub async fn get_alert_stats(pool: web::Data<DbPool>) -> impl Responder {
                 "total_count": 0,
                 "new_count": 0,
                 "acknowledged_count": 0,
-                "resolved_count": 0
+                "resolved_count": 0,
+                "false_positive_count": 0
             }))
         }
     }

src/correlator/engine.rs

@@ -1,15 +1,68 @@
 //! Event correlation engine
 
+use crate::events::security::SecurityEvent;
 use anyhow::Result;
+use chrono::Duration;
+use std::collections::HashMap;
+
+#[derive(Debug, Clone)]
+pub struct CorrelatedEventGroup {
+    pub correlation_key: String,
+    pub events: Vec<SecurityEvent>,
+}
 
 /// Event correlation engine
 pub struct CorrelationEngine {
-    // TODO: Implement in TASK-017
+    window: Duration,
 }
 
 impl CorrelationEngine {
     pub fn new() -> Result<Self> {
-        Ok(Self {})
+        Ok(Self {
+            window: Duration::minutes(5),
+        })
+    }
+
+    pub fn correlate(&self, events: &[SecurityEvent]) -> Vec<CorrelatedEventGroup> {
+        let mut grouped: HashMap<String, Vec<SecurityEvent>> = HashMap::new();
+
+        for event in events {
+            if let Some(key) = self.correlation_key(event) {
+                grouped.entry(key).or_default().push(event.clone());
+            }
+        }
+
+        grouped
+            .into_iter()
+            .filter_map(|(correlation_key, mut grouped_events)| {
+                grouped_events.sort_by_key(SecurityEvent::timestamp);
+                let first = grouped_events.first()?.timestamp();
+                let last = grouped_events.last()?.timestamp();
+                if grouped_events.len() >= 2 && (last - first) <= self.window {
+                    Some(CorrelatedEventGroup {
+                        correlation_key,
+                        events: grouped_events,
+                    })
+                } else {
+                    None
+                }
+            })
+            .collect()
+    }
+
+    fn correlation_key(&self, event: &SecurityEvent) -> Option<String> {
+        match event {
+            SecurityEvent::Syscall(event) => Some(format!("pid:{}", event.pid)),
+            SecurityEvent::Container(event) => Some(format!("container:{}", event.container_id)),
+            SecurityEvent::Network(event) => event
+                .container_id
+                .as_ref()
+                .map(|container_id| format!("container:{container_id}")),
+            SecurityEvent::Alert(event) => event
+                .source_event_id
+                .as_ref()
+                .map(|source_event_id| format!("source:{source_event_id}")),
+        }
     }
 }
 
@@ -18,3 +71,63 @@ impl Default for CorrelationEngine {
         Self::new().unwrap()
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::events::security::{ContainerEvent, ContainerEventType, SecurityEvent};
+    use crate::events::syscall::{SyscallEvent, SyscallType};
+    use chrono::{Duration, Utc};
+
+    #[test]
+    fn test_correlates_syscall_events_by_pid_within_window() {
+        let engine = CorrelationEngine::new().unwrap();
+        let now = Utc::now();
+        let events = vec![
+            SecurityEvent::Syscall(SyscallEvent::new(4242, 1000, SyscallType::Execve, now)),
+            SecurityEvent::Syscall(SyscallEvent::new(
+                4242,
+                1000,
+                SyscallType::Open,
+                now + Duration::seconds(10),
+            )),
+            SecurityEvent::Syscall(SyscallEvent::new(7, 1000, SyscallType::Execve, now)),
+        ];
+
+        let groups = engine.correlate(&events);
+        assert_eq!(groups.len(), 1);
+        assert_eq!(groups[0].correlation_key, "pid:4242");
+        assert_eq!(groups[0].events.len(), 2);
+    }
+
+    #[test]
+    fn test_correlates_container_events_by_container_id() {
+        let engine = CorrelationEngine::new().unwrap();
+        let now = Utc::now();
+        let events = vec![
+            SecurityEvent::Container(ContainerEvent {
+                container_id: "container-1".into(),
+                event_type: ContainerEventType::Start,
+                timestamp: now,
+                details: None,
+            }),
+            SecurityEvent::Container(ContainerEvent {
+                container_id: "container-1".into(),
+                event_type: ContainerEventType::Stop,
+                timestamp: now + Duration::seconds(30),
+                details: Some("manual stop".into()),
+            }),
+            SecurityEvent::Container(ContainerEvent {
+                container_id: "container-2".into(),
+                event_type: ContainerEventType::Start,
+                timestamp: now,
+                details: None,
+            }),
+        ];
+
+        let groups = engine.correlate(&events);
+        assert_eq!(groups.len(), 1);
+        assert_eq!(groups[0].correlation_key, "container:container-1");
+        assert_eq!(groups[0].events.len(), 2);
+    }
+}

src/database/connection.rs

@@ -188,6 +188,37 @@ pub fn init_database(pool: &DbPool) -> Result<()> {
         [],
     );
 
+    conn.execute(
+        "CREATE TABLE IF NOT EXISTS ip_offenses (
+            id TEXT PRIMARY KEY,
+            ip_address TEXT NOT NULL,
+            source_type TEXT NOT NULL,
+            container_id TEXT,
+            offense_count INTEGER NOT NULL DEFAULT 1,
+            first_seen TEXT NOT NULL,
+            last_seen TEXT NOT NULL,
+            blocked_until TEXT,
+            status TEXT NOT NULL DEFAULT 'Active',
+            reason TEXT NOT NULL,
+            metadata TEXT,
+            created_at TEXT DEFAULT CURRENT_TIMESTAMP
+        )",
+        [],
+    )?;
+
+    let _ = conn.execute(
+        "CREATE INDEX IF NOT EXISTS idx_ip_offenses_ip ON ip_offenses(ip_address)",
+        [],
+    );
+    let _ = conn.execute(
+        "CREATE INDEX IF NOT EXISTS idx_ip_offenses_status ON ip_offenses(status)",
+        [],
+    );
+    let _ = conn.execute(
+        "CREATE INDEX IF NOT EXISTS idx_ip_offenses_last_seen ON ip_offenses(last_seen)",
+        [],
+    );
+
     Ok(())
 }
 

src/database/events.rs

@@ -1,15 +1,55 @@
 //! Security events database operations
 
+use crate::events::security::SecurityEvent;
 use anyhow::Result;
+use chrono::{DateTime, Utc};
+use std::sync::{Arc, RwLock};
 
 /// Events database manager
 pub struct EventsDb {
-    // TODO: Implement
+    events: Arc<RwLock<Vec<SecurityEvent>>>,
 }
 
 impl EventsDb {
     pub fn new() -> Result<Self> {
-        Ok(Self {})
+        Ok(Self {
+            events: Arc::new(RwLock::new(Vec::new())),
+        })
+    }
+
+    pub fn insert(&self, event: SecurityEvent) -> Result<()> {
+        self.events.write().unwrap().push(event);
+        Ok(())
+    }
+
+    pub fn list(&self) -> Result<Vec<SecurityEvent>> {
+        Ok(self.events.read().unwrap().clone())
+    }
+
+    pub fn events_since(&self, since: DateTime<Utc>) -> Result<Vec<SecurityEvent>> {
+        Ok(self
+            .events
+            .read()
+            .unwrap()
+            .iter()
+            .filter(|event| event.timestamp() >= since)
+            .cloned()
+            .collect())
+    }
+
+    pub fn events_for_pid(&self, pid: u32) -> Result<Vec<SecurityEvent>> {
+        Ok(self
+            .events
+            .read()
+            .unwrap()
+            .iter()
+            .filter(|event| event.pid() == Some(pid))
+            .cloned()
+            .collect())
+    }
+
+    pub fn len(&self) -> usize {
+        self.events.read().unwrap().len()
     }
 }
 
@@ -18,3 +58,75 @@ impl Default for EventsDb {
         Self::new().unwrap()
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::events::security::{
+        AlertEvent, AlertSeverity, AlertType, ContainerEvent, ContainerEventType,
+    };
+    use crate::events::syscall::{SyscallEvent, SyscallType};
+    use chrono::{Duration, Utc};
+
+    #[test]
+    fn test_events_db_stores_and_queries_events_since_timestamp() {
+        let db = EventsDb::new().unwrap();
+        let old_time = Utc::now() - Duration::minutes(10);
+        let recent_time = Utc::now();
+
+        db.insert(SecurityEvent::Alert(AlertEvent {
+            alert_type: AlertType::ThreatDetected,
+            severity: AlertSeverity::High,
+            message: "old event".into(),
+            timestamp: old_time,
+            source_event_id: None,
+        }))
+        .unwrap();
+        db.insert(SecurityEvent::Alert(AlertEvent {
+            alert_type: AlertType::AnomalyDetected,
+            severity: AlertSeverity::Critical,
+            message: "recent event".into(),
+            timestamp: recent_time,
+            source_event_id: None,
+        }))
+        .unwrap();
+
+        let recent = db.events_since(Utc::now() - Duration::minutes(1)).unwrap();
+        assert_eq!(recent.len(), 1);
+        match &recent[0] {
+            SecurityEvent::Alert(event) => assert_eq!(event.message, "recent event"),
+            other => panic!("unexpected event: {other:?}"),
+        }
+    }
+
+    #[test]
+    fn test_events_db_filters_events_by_pid() {
+        let db = EventsDb::new().unwrap();
+        db.insert(SecurityEvent::Syscall(SyscallEvent::new(
+            42,
+            1000,
+            SyscallType::Execve,
+            Utc::now(),
+        )))
+        .unwrap();
+        db.insert(SecurityEvent::Container(ContainerEvent {
+            container_id: "container-1".into(),
+            event_type: ContainerEventType::Start,
+            timestamp: Utc::now(),
+            details: None,
+        }))
+        .unwrap();
+        db.insert(SecurityEvent::Syscall(SyscallEvent::new(
+            7,
+            1000,
+            SyscallType::Open,
+            Utc::now(),
+        )))
+        .unwrap();
+
+        let pid_events = db.events_for_pid(42).unwrap();
+        assert_eq!(pid_events.len(), 1);
+        assert_eq!(pid_events[0].pid(), Some(42));
+        assert_eq!(db.len(), 3);
+    }
+}

src/database/mod.rs

@@ -2,13 +2,16 @@
 
 pub mod baselines;
 pub mod connection;
+pub mod events;
 pub mod models;
 pub mod repositories;
 
 pub use baselines::*;
 pub use connection::{create_pool, init_database, DbPool};
+pub use events::*;
 pub use models::*;
 pub use repositories::alerts::*;
+pub use repositories::offenses::*;
 
 /// Marker struct for module tests
 pub struct DatabaseMarker;

src/database/repositories/alerts.rs

@@ -21,6 +21,7 @@ pub struct AlertStats {
     pub new_count: i64,
     pub acknowledged_count: i64,
     pub resolved_count: i64,
+    pub false_positive_count: i64,
 }
 
 /// Severity breakdown for open security alerts.
@@ -263,12 +264,18 @@ pub async fn get_alert_stats(pool: &DbPool) -> Result<AlertStats> {
         [],
         |row| row.get(0),
     )?;
+    let false_positive: i64 = conn.query_row(
+        "SELECT COUNT(*) FROM alerts WHERE status = 'FalsePositive'",
+        [],
+        |row| row.get(0),
+    )?;
 
     Ok(AlertStats {
         total_count: total,
         new_count: new,
         acknowledged_count: ack,
         resolved_count: resolved,
+        false_positive_count: false_positive,
     })
 }