Skip to content

feat: add threatbook__hfish service package for ThreatBook HFish honeypot#462

Closed
boy331 wants to merge 21 commits into
chaitin:mainfrom
boy331:docs/hfish-issue-276-screenshots
Closed

feat: add threatbook__hfish service package for ThreatBook HFish honeypot#462
boy331 wants to merge 21 commits into
chaitin:mainfrom
boy331:docs/hfish-issue-276-screenshots

Conversation

@boy331

@boy331 boy331 commented Jul 2, 2026

Copy link
Copy Markdown

Summary

补充 services/threatbook__hfish 的本地 OctoBus 联调验证结果,并更新当前可被真实运行结果直接支撑的说明。

关闭 #276

Service Overview

项目 内容
服务目录 services/threatbook__hfish
目标系统 ThreatBook HFish 蜜罐
认证方式 apiKey
运行模式 long-running
本地验证方式 本地 OctoBus daemon + 本地 HFish 上游
验证脚本 services/screenshot-hfish-verify.sh

RPC Methods

当前 service package 暴露 4 个 RPC,均为只读查询方法:

  • GetSystemInfo — 获取 HFish 系统信息
  • ListAttackIPs — 获取攻击 IP 列表
  • ListAttackDetails — 获取攻击详情列表
  • ListAttackAccounts — 获取攻击账号列表

Verification

本次已基于本地 OctoBus daemon 和本地 HFish 上游完成真实联调验证,确认结果如下:

  • npm test -- --service-dir threatbook__hfish 通过
  • gRPC reflection 已暴露 ThreatBook_HFISH.ThreatBook_HFISH
  • octobus capset list-methods 可见 4 个 RPC 全部绑定到本地实例
  • GetSystemInfo 已通过本地 OctoBus 中转调用成功
  • ListAttackIPs 已通过本地 OctoBus 中转调用成功
  • ListAttackDetails 已通过本地 OctoBus 中转调用成功
  • ListAttackAccounts 已通过本地 OctoBus 中转调用成功
  • access.log NDJSON 已记录上述调用,包含 capsetserviceinstancemethodroutegrpc_code 等 OctoBus 特有字段
  • 直连 HFish REST 返回 snake_case 字段,经 OctoBus gRPC 返回 protobuf JSON lowerCamelCase 字段,可作为经过 OctoBus 协议转换的佐证

Evidence

1. 定向测试通过

01-npm-test-hfish

2. 本地实例已导入并运行

00-setup-and-instance

3. gRPC reflection、capset 和实例绑定

02-reflection-capset-instance

4. 4 个 RPC 经本地 OctoBus 中转调用成功

03-four-rpcs-via-octobus

5. access.log NDJSON 中转证据

05-access-log-ndjson

6. 直连 HFish 与经 OctoBus 的字段名对照

04-direct-vs-octobus-jsonname

复验脚本:

Known Limitations

  • 当前单元测试仍以 mock 覆盖请求映射、错误映射和 handler 行为为主
  • 本次补充的 runtime 证明用于补齐本地 OctoBus 联调证据链
  • ListAttackIPsListAttackAccounts 在本次真实环境下返回空结果时,grpc_code 仍为 OK,说明链路成功,返回内容取决于当前上游实际数据

Statement

以上内容均基于本地真实 OctoBus 联调结果和真实上游返回整理,不包含任何编造、捏造或手工伪造的 runtime 证据。

@boy331 boy331 changed the title docs(hfish): add issue #276 verification screenshots docs(hfish): 补充 issue #276 验证截图与中文说明 Jul 2, 2026
@boy331 boy331 changed the title docs(hfish): 补充 issue #276 验证截图与中文说明 docs(hfish): 补充 issue #276 验证截图 Jul 2, 2026
boy331 and others added 16 commits July 3, 2026 13:56
- ListAttackIPs, ListAttackDetails, ListAttackAccounts, GetSystemInfo
- Full test coverage with mock upstream (29 tests)
- Real device tested against HFish v3.3.6
- Add bin entry, package.json registration, and dispatcher mapping

Ref: chaitin#233
- Replace non-standard timeoutMs with AbortSignal.timeout()
- Replace non-standard insecureSkipVerify/tlsInsecureSkipVerify
  with agent: https.Agent({ rejectUnauthorized: false })
- Improve timeout error differentiation
…instead of https.Agent

The https.Agent + agent option is silently ignored by Node.js native
fetch (undici), making skipTlsVerify ineffective. Use the OctoBus
runtime convention (insecureSkipVerify/tlsInsecureSkipVerify as fetch
options) which is supported by all existing merged service packages.

Also addresses reviewer feedback about creating a new https.Agent on
every fetch call - the tlsOptions() function is lightweight and
stateless, eliminating unnecessary resource overhead.
…s runtime

1. extractApiKey: prefer bindings (secret/config) over request, because
   gRPC proto string fields default to "" which firstDefined treats as
   defined, shadowing the real secret value from bindings.

2. TLS skip: set NODE_TLS_REJECT_UNAUTHORIZED=0 when skipTlsVerify is
   true, because Node.js native fetch (undici) ignores the
   insecureSkipVerify/tlsInsecureSkipVerify fetch options.

3. bin/threatbook-hfish.js: add execute permission.

4. Update tests to match new extractApiKey behavior.

Co-Authored-By: Claude <noreply@anthropic.com>
1. npm test 29/29 pass
2. OctoBus instance list (hfish registered, running, has secret)
3. gRPC GetSystemInfo/ListAttackIPs through OctoBus daemon
4. access.log audit trail proving OctoBus daemon routing

Co-Authored-By: Claude <noreply@anthropic.com>
…ation from rpcdef

The previous implementation set process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'
inside rpcdef on every call when skipTlsVerify=true. This is a global,
irreversible side effect that disables TLS verification for the entire
Node.js process — affecting all services, handlers, and even third-party
library HTTPS calls. If different instances have different skipTlsVerify
configs, one instance's skip would break another's security.

Instead:
- Remove the process.env mutation entirely
- Keep insecureSkipVerify/tlsInsecureSkipVerify as fetch options (OctoBus
  runtime convention)
- Add a console.warn when skipTlsVerify=true but NODE_TLS_REJECT_UNAUTHORIZED
  is not set externally, so operators know to configure it at process startup
  (e.g. via OctoBus daemon setting the env var before spawning the subprocess)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
- Change SKIP_TLS default to false (opt-in via SKIP_TLS=true)
- Pass req parameter to rpcdef method calls for pagination support
- Add non-zero exit code on test failure for CI detection

Co-Authored-By: Claude <noreply@anthropic.com>
…ME api_key priority, remove duplicate root screenshots

- ListAttackDetails now passes ip and type query parameters from the
  proto request to the HFish API (previously defined in proto but
  silently ignored by the handler)
- README api_key priority description now matches the actual code
  behavior: bindings (secret/config) take precedence over request
  values, because gRPC proto3 string fields default to "" which
  would shadow the real secret
- Removed duplicate screenshots/ directory at repo root; the
  canonical screenshots are in docs/screenshots/

Co-Authored-By: Claude <noreply@anthropic.com>
…_EXCEEDED for timeouts

1. throwForHttpError: stop leaking upstream response body into gRPC error
   messages. Log to console.error (truncated 500 chars) server-side only,
   return only HTTP status code in gRPC error. This aligns with the fix
   applied in DongTai IAST PR chaitin#340.

2. Separate 401 → UNAUTHENTICATED vs 403 → PERMISSION_DENIED (previously
   both mapped to PERMISSION_DENIED).

3. Timeout errors now throw DEADLINE_EXCEEDED instead of UNAVAILABLE.
   The grpcCodeFor mapping already existed but was never used.

4. Add tests: 401 UNAUTHENTICATED, 403 PERMISSION_DENIED, timeout
   DEADLINE_EXCEEDED, throwForHttpError no-leak verification.

Co-Authored-By: Claude <noreply@anthropic.com>
@boy331
boy331 force-pushed the docs/hfish-issue-276-screenshots branch from 6e48570 to 49e67d9 Compare July 3, 2026 06:14
@monkeyscan

monkeyscan Bot commented Jul 3, 2026

Copy link
Copy Markdown

PR Title: docs(hfish): 补充 issue #276 验证截图

Commit: 49e67d9

本次 PR 主要包含:1) 新增 ThreatBook HFish 蜜罐 OctoBus 服务(proto、REST 代理、测试、mock、文档);2) 批量升级 octobus-sdk 从 ^0.5.0 到 ^0.6.0;3) 修复多个服务中 raw_body 被置为空字符串的问题;4) SDK 层优化 TLS dispatcher 为单例;5) 移除 qingteng-hids-v5 危险的 NODE_TLS_REJECT_UNAUTHORIZED 全局修改;6) 新增 4 个服务注册;7) topsec-fw 密钥 schema 放宽 AES 密钥/IV 约束。整体安全性有明显提升,但发现 2 个需关注的问题:HFish grpcCodeFor 缺少 UNAUTHENTICATED 映射导致 HTTP 401 错误码被错误映射为 gRPC UNKNOWN;多个服务在错误响应中直接暴露未脱敏的上游原始响应体,存在数据泄漏风险。

})[code] ?? grpcStatus.UNKNOWN;

const errorWithCode = (code, message) => {
const err = new GrpcError(grpcCodeFor(code), `${code}: ${message}`);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HFish grpcCodeFor 缺少 UNAUTHENTICATED 映射,导致 HTTP 401 错误被错误映射为 gRPC UNKNOWN

grpcCodeFor 函数中未包含 UNAUTHENTICATED 的映射。当上游返回 HTTP 401 时,throwForHttpError 会调用 errorWithCode('UNAUTHENTICATED', ...),但 grpcCodeFor('UNAUTHENTICATED') 返回 undefined,最终通过 ?? grpcStatus.UNKNOWN 回退为 gRPC UNKNOWN 状态码。这导致 HTTP 401 认证失败错误被错误地映射为 UNKNOWN,而不是正确的 UNAUTHENTICATED。现有测试仅通过正则匹配 error message 中的字符串 'UNAUTHENTICATED',因此无法发现该 gRPC code 映射错误。

Problem code:

Changed code at services/threatbook__hfish/src/hfish.js:25-32

Recommendation:
Revise the changed logic at services/threatbook__hfish/src/hfish.js:25-32 so this issue no longer occurs.

Suggested diff:

@@ -25,6 +25,7 @@ const grpcCodeFor = (code) => ({
   INVALID_ARGUMENT: grpcStatus.INVALID_ARGUMENT,
   FAILED_PRECONDITION: grpcStatus.FAILED_PRECONDITION,
   PERMISSION_DENIED: grpcStatus.PERMISSION_DENIED,
+  UNAUTHENTICATED: grpcStatus.UNAUTHENTICATED,
   UNAVAILABLE: grpcStatus.UNAVAILABLE,
   DEADLINE_EXCEEDED: grpcStatus.DEADLINE_EXCEEDED,
 })[code] ?? grpcStatus.UNKNOWN;

@monkeyscan

monkeyscan Bot commented Jul 3, 2026

Copy link
Copy Markdown

PR Title: docs(hfish): 补充 issue #276 验证截图

Commit: c73aca8

本次变更仅修改了 services/threatbook__hfish/src/hfish.js 中 TLS 跳过验证相关的警告日志内容。原代码在 skipTlsVerify=true 时检查 NODE_TLS_REJECT_UNAUTHORIZED 环境变量,并给出 Node.js 特定的警告;新代码移除了该环境变量检查,改为更通用的运行时无关警告。实际的 TLS 选项传递逻辑(tlsOptions()fetchHfish())完全未变,功能行为保持一致。第二文件 services/bin/threatbook-hfish.js 无实际 diff 内容。整体评估:本次变更为日志文案和条件简化,未引入功能回归或安全风险。

@boy331
boy331 marked this pull request as draft July 3, 2026 07:26
@monkeyscan

monkeyscan Bot commented Jul 4, 2026

Copy link
Copy Markdown

PR Title: docs(hfish): 补充 issue #276 验证截图

Commit: 9751151

本次变更新增了一个本地联调验证脚本 services/screenshot-hfish-verify.sh(281 行)以及 6 张二进制文档截图。脚本用于在 macOS 环境下自动化完成 OctoBus 与 ThreatBook HFish 的集成验证,涵盖:自动启动临时 OctoBus daemon、导入 service、创建/更新 instance 与 capset、运行 npm 测试、通过 gRPC 调用四个 RPC 方法、对比直连 REST 与经 OctoBus 中转的字段命名差异,并截取 Terminal 窗口作为证据。脚本使用了 set -euo pipefail,结构清晰且通过环境变量提供可配置性。但存在两个主要问题:默认值硬编码了开发者个人绝对路径(/Users/luoliang/...),导致脚本在其他设备或 CI 环境中无法直接运行,且泄露个人信息;另外 curl 直连 HFish 时将 HFISH_API_KEY 拼接在 URL 查询参数中,存在密钥在进程列表和服务器访问日志中泄露的安全风险。

@boy331 boy331 changed the title docs(hfish): 补充 issue #276 验证截图 feat: add threatbook__hfish service package for ThreatBook HFish honeypot Jul 4, 2026
Comment thread services/screenshot-hfish-verify.sh Outdated
Comment thread services/screenshot-hfish-verify.sh
@monkeyscan

monkeyscan Bot commented Jul 4, 2026

Copy link
Copy Markdown

PR Title: feat: add threatbook__hfish service package for Th...

Commit: 4b3e552

本次修改仅涉及一个文件 services/screenshot-hfish-verify.sh,主要做了两项改进:

  1. 移除硬编码路径:将原来写死的开发者个人路径(如 /Users/luoliang/Documents/OctoBus/Users/luoliang/Documents/api接口文档/hfish)替换为通过脚本所在目录动态推导的相对路径,并默认从 PATH 中查找 octobus 可执行文件。这显著提升了脚本在其他机器、CI 环境或不同用户下的可移植性,并消除了仓库中泄露个人信息的风险。

  2. curl 调用方式重构:将原本直接暴露在命令行参数中的 curl 调用(URL 中带有 HFISH_API_KEY)改为通过 cat <<EOF | curl --config - 从标准输入读取配置。这降低了 API key 在进程列表(ps//proc/*/cmdline)中的可见度,一定程度上缓解了历史安全关注点。

经过审查,新引入的 SCRIPT_DIR 推导、REPO_ROOT 计算以及 curl --config 的 heredoc 语法均符合预期行为。没有发现由本次修改引入的正确性缺陷、安全回归或行为变更风险。整体是一次清晰、必要的可移植性修复。

@monkeyscan

monkeyscan Bot commented Jul 4, 2026

Copy link
Copy Markdown

PR Title: feat: add threatbook__hfish service package for Th...

Commit: 1c04686

本次 PR 仅移除了 20 张二进制截图文件(位于 docs/screenshots/screenshots/ 目录下),没有任何代码变更。提交说明为“移除已废弃的验证截图”,属于文档/资源清理操作。已检查 README.md、README.zh-CN.md 和 SECURITY.md 等常见文档,未发现对这些被移除图片的引用,因此不会产生文档死链。整体风险极低,无可操作性问题。

@boy331

boy331 commented Jul 4, 2026

Copy link
Copy Markdown
Author

补充说明:当前请以本 PR 最新标题、正文、services/threatbook__hfish/docs/screenshots/ 中的截图以及 4b3e552 之后的提交结果为准。

The CI validate script forbids .png/.jpg/.webp files in service packages.
Move screenshots to a dedicated hosting branch and reference them via
raw.githubusercontent.com absolute URLs in README.md.

Co-Authored-By: Claude <noreply@anthropic.com>
@monkeyscan

monkeyscan Bot commented Jul 4, 2026

Copy link
Copy Markdown

PR Title: feat: add threatbook__hfish service package for Th...

Commit: 90e6a04

本次 PR 移除了 services/threatbook__hfish/docs/screenshots/ 下的 6 个 PNG 截图文件,并在 README.md 中新增了「Verification Screenshots」章节,将图片替换为指向外部 GitHub 仓库 boy331/OctoBus 分支 docs/hfish-screenshots-hosting 的绝对 URL。变更意图是从本仓库中剔除二进制文件,但引入了对外部个人仓库及分支的强依赖。README 是唯一的代码变更,其余 6 个文件均为二进制删除。

- `page` defaults to 1, `limit` defaults to 20.
- HFish API response codes: `0` = success, `1003` = authentication failure (maps to `PERMISSION_DENIED`).

## Verification Screenshots

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

README 外部截图 URL 使用分支引用,存在链接失效与外部依赖风险

README 中新增的 6 张外部截图 URL 均使用 raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/... 这样的分支引用格式。分支引用是可变的:一旦该分支被删除、重命名或 force-push,所有图片链接将立即失效(404)。此外,这些资源托管在 boy331 这一外部个人仓库上,脱离了本组织的控制范围,若该仓库被删除、私有化或账号变动,文档中的截图将永久不可访问。这引入了明确且可预见的未来维护风险。

Problem code:

Changed code at services/threatbook__hfish/README.md:57-94

Recommendation:
将图片 URL 从分支引用替换为固定 commit SHA(如 https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/...),或者将图片迁移至组织可控的稳定托管(如 GitHub Release assets、组织 Wiki 或 CDN),以消除分支变动导致文档截图全部失效的风险。

Suggested diff:

--- a/services/threatbook__hfish/README.md
+++ b/services/threatbook__hfish/README.md
@@ -55,32 +55,32 @@ Requests may still pass `api_key` or `apiKey`; configured secret values take pre
 
 ## Verification Screenshots
 
 ### HFish Setup & Instance
 
-![HFish setup and instance dashboard](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/00-setup-and-instance.png)
+![HFish setup and instance dashboard](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/00-setup-and-instance.png)
 
 HFish honeypot management console showing deployed instance and service status.
 
 ### npm test Passing
 
-![npm test hfish results](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/01-npm-test-hfish.png)
+![npm test hfish results](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/01-npm-test-hfish.png)
 
 All unit tests passing for the `threatbook__hfish` service package.
 
 ### Reflection & CapSet Instance
 
-![Reflection capset instance verification](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/02-reflection-capset-instance.png)
+![Reflection capset instance verification](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/02-reflection-capset-instance.png)
 
 OctoBus reflection API returning the CapSet instance for HFish service validation.
 
 ### Four RPCs via OctoBus
 
-![Four RPCs invoked through OctoBus](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/03-four-rpcs-via-octobus.png)
+![Four RPCs invoked through OctoBus](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/03-four-rpcs-via-octobus.png)
 
 All four RPC methods (`ListAttackIPs`, `ListAttackDetails`, `ListAttackAccounts`, `GetSystemInfo`) successfully invoked through OctoBus.
 
 ### Direct API vs OctoBus jsonName Mapping
 
-![Direct API call vs OctoBus jsonName mapping](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/04-direct-vs-octobus-jsonname.png)
+![Direct API call vs OctoBus jsonName mapping](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/04-direct-vs-octobus-jsonname.png)
 
 Side-by-side comparison: direct HFish API call vs. OctoBus RPC with `jsonName` field mapping, confirming consistent response structure.
 
 ### Access Log (NDJSON)
 
-![Access log NDJSON output](https://raw.githubusercontent.com/boy331/OctoBus/docs/hfish-screenshots-hosting/docs/hfish-screenshots/05-access-log-ndjson.png)
+![Access log NDJSON output](https://raw.githubusercontent.com/boy331/OctoBus/<commit-sha>/docs/hfish-screenshots/05-access-log-ndjson.png)
 
 OctoBus access log showing NDJSON-formatted request/response entries for HFish RPC calls.

@boy331 boy331 closed this Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant