refactor: replace hardcoded mabase_prod DB prefix with configurable settings

Replace all hardcoded 'mabase_prod.' table prefixes in dashboard route
SQL queries with configurable database names from settings:

- http_logs, http_logs_raw → settings.CLICKHOUSE_DB_LOGS
- All other tables → settings.CLICKHOUSE_DB_PROCESSING

Also qualify previously unqualified table references (bare FROM/JOIN
table_name) with the appropriate database prefix for consistency.

Each route file now imports 'from ..config import settings' and uses
f-strings with {settings.CLICKHOUSE_DB_PROCESSING} or
{settings.CLICKHOUSE_DB_LOGS} for database-qualified table names.

Files updated: analysis, attributes, audit, botnets, bruteforce,
clustering, detections, entities, fingerprints, header_fingerprint,
heatmap, incidents, investigation_summary, metrics, ml_features,
rotation, search, tcp_spoofing, variability (19 files).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
toto
2026-04-07 19:03:05 +02:00
parent dba2676fa7
commit b6391afbeb
19 changed files with 225 additions and 206 deletions


@ -18,6 +18,7 @@ from ..services.tcp_fingerprint import (
detect_spoof,
declared_os_from_ua,
)
from ..config import settings
router = APIRouter(prefix="/api/tcp-spoofing", tags=["tcp_spoofing"])
@ -26,7 +27,7 @@ router = APIRouter(prefix="/api/tcp-spoofing", tags=["tcp_spoofing"])
async def get_tcp_spoofing_overview():
"""Statistiques globales avec fingerprinting multi-signal (TTL + MSS + fenêtre + scale)."""
try:
sql = """
sql = f"""
SELECT
count() AS total_entries,
uniq(src_ip) AS unique_ips,
@ -36,34 +37,34 @@ async def get_tcp_spoofing_overview():
countIf(tcp_ttl_raw > 64 AND tcp_ttl_raw <= 128) AS windows_fp,
countIf(tcp_ttl_raw > 128) AS cisco_bsd_fp,
countIf(tcp_win_raw = 5808 AND tcp_mss_raw = 1452 AND tcp_scale_raw = 4) AS bot_scanner_fp
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR
"""
result = db.query(sql)
row = result.result_rows[0]
# Distribution TTL (top 15)
ttl_sql = """
ttl_sql = f"""
SELECT tcp_ttl_raw AS ttl, count() AS cnt, uniq(src_ip) AS ips
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_ttl_raw > 0
GROUP BY ttl ORDER BY cnt DESC
"""
ttl_res = db.query(ttl_sql)
# Distribution MSS — nouveau signal clé (top 12)
mss_sql = """
mss_sql = f"""
SELECT tcp_mss_raw AS mss, count() AS cnt, uniq(src_ip) AS ips
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_mss_raw > 0
GROUP BY mss ORDER BY cnt DESC
"""
mss_res = db.query(mss_sql)
# Distribution fenêtre (top 10)
win_sql = """
win_sql = f"""
SELECT tcp_win_raw AS win, count() AS cnt
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_ttl_raw > 0
GROUP BY win ORDER BY cnt DESC
"""
@ -105,17 +106,17 @@ async def get_tcp_spoofing_list(
Inclut les champs enrichis : mss, win_scale, initial_ttl, hop_count, confidence, network_path, is_bot_tool.
"""
try:
count_sql = """
count_sql = f"""
SELECT count() FROM (
SELECT src_ip, ja4
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_ttl_raw > 0
GROUP BY src_ip, ja4
)
"""
total = int(db.query(count_sql).result_rows[0][0])
sql = """
sql = f"""
SELECT
replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS src_ip,
ja4,
@ -125,7 +126,7 @@ async def get_tcp_spoofing_list(
any(tcp_mss_raw) AS tcp_mss,
any(first_ua) AS first_ua,
sum(hits) AS hits
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_ttl_raw > 0
GROUP BY src_ip, ja4
ORDER BY hits DESC
@ -178,7 +179,7 @@ async def get_tcp_spoofing_list(
async def get_tcp_spoofing_matrix():
"""Matrice OS suspecté × OS déclaré avec fingerprinting multi-signal."""
try:
sql = """
sql = f"""
SELECT
any(tcp_ttl_raw) AS ttl,
any(tcp_win_raw) AS win,
@ -186,7 +187,7 @@ async def get_tcp_spoofing_matrix():
any(tcp_mss_raw) AS mss,
any(first_ua) AS ua,
count() AS cnt
FROM mabase_prod.agg_host_ip_ja4_1h
FROM {settings.CLICKHOUSE_DB_PROCESSING}.agg_host_ip_ja4_1h
WHERE window_start >= now() - INTERVAL 24 HOUR AND tcp_ttl_raw > 0
GROUP BY src_ip, ja4
"""