refactor: replace hardcoded mabase_prod DB prefix with configurable settings

Replace all hardcoded 'mabase_prod.' table prefixes in dashboard route SQL queries with configurable database names from settings: - http_logs, http_logs_raw → settings.CLICKHOUSE_DB_LOGS - All other tables → settings.CLICKHOUSE_DB_PROCESSING Also qualify previously unqualified table references (bare FROM/JOIN table_name) with the appropriate database prefix for consistency. Each route file now imports 'from ..config import settings' and uses f-strings with {settings.CLICKHOUSE_DB_PROCESSING} or {settings.CLICKHOUSE_DB_LOGS} for database-qualified table names. Files updated: analysis, attributes, audit, botnets, bruteforce, clustering, detections, entities, fingerprints, header_fingerprint, heatmap, incidents, investigation_summary, metrics, ml_features, rotation, search, tcp_spoofing, variability (19 files). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-07 19:03:05 +02:00
parent dba2676fa7
commit b6391afbeb
19 changed files with 225 additions and 206 deletions
--- a/services/dashboard/backend/routes/incidents.py
+++ b/services/dashboard/backend/routes/incidents.py
@ -6,6 +6,7 @@ from fastapi import APIRouter, HTTPException, Query
 from typing import List, Optional
 from datetime import datetime
 from ..database import db
+from ..config import settings

 router = APIRouter(prefix="/api/incidents", tags=["incidents"])

@ -28,7 +29,7 @@ async def get_incident_clusters(
        # Cluster par subnet /24 avec une IP exemple
        # Note: src_ip est en IPv6, les IPv4 sont stockés comme ::ffff:x.x.x.x
        # toIPv4() convertit les IPv4-mapped, IPv4NumToString() retourne l'IPv4 en notation x.x.x.x
-        cluster_query = """
+        cluster_query = f"""
        WITH cleaned_ips AS (
            SELECT
                replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS clean_ip,
@ -38,7 +39,7 @@ async def get_incident_clusters(
                asn_number,
                threat_level,
                anomaly_score
-            FROM ml_detected_anomalies
+            FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
            WHERE detected_at >= now() - INTERVAL %(hours)s HOUR
        ),
        subnet_groups AS (
@ -84,13 +85,13 @@ async def get_incident_clusters(
        # Collect sample IPs to fetch real UA and trend data in bulk
        sample_ips = [row[10] for row in result.result_rows if row[10]]

-        # Fetch real primary UA per sample IP from view_dashboard_entities
+        # Fetch real primary UA per sample IP from {settings.CLICKHOUSE_DB_PROCESSING}.view_dashboard_entities
        ua_by_ip: dict = {}
        if sample_ips:
            ip_list_sql = ", ".join(f"'{ip}'" for ip in sample_ips[:50])
            ua_query = f"""
            SELECT entity_value, arrayElement(user_agents, 1) AS top_ua
-            FROM view_dashboard_entities
+            FROM {settings.CLICKHOUSE_DB_PROCESSING}.view_dashboard_entities
            WHERE entity_type = 'ip'
              AND entity_value IN ({ip_list_sql})
              AND notEmpty(user_agents)
@ -106,7 +107,7 @@ async def get_incident_clusters(
                pass  # UA enrichment is best-effort

        # Compute real trend: compare current window vs previous window of same duration
-        trend_query = """
+        trend_query = f"""
        WITH cleaned AS (
            SELECT
                replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS clean_ip,
@ -116,7 +117,7 @@ async def get_incident_clusters(
                    splitByChar('.', clean_ip)[2], '.',
                    splitByChar('.', clean_ip)[3], '.0/24'
                ) AS subnet
-            FROM ml_detected_anomalies
+            FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
        ),
        current_window AS (
            SELECT subnet, count() AS cnt