Fix HIGH priority issues: unbounded queries, rate limiting, health checks

Issue #3 - Unbounded Query Results (OOM): - get_all_archived_history() now uses keyset pagination with bounded max_rows (50k default) - Added 'id' field to records from get_archived_history() and get_archived_history_keyset() - Protocol signature updated with page_size, max_rows, last_ban_id params Issue #7 - Docker Health Check Fails: - Added curl to Dockerfile.backend runtime image - HEALTHCHECK now uses 'curl -f http://localhost:8000/api/health' - compose.prod.yml: increased start_period to 40s, timeout to 10s - Frontend healthcheck proxies to backend /api/health Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-01 21:47:36 +02:00
parent 1830da496d
commit 0d5882b32f
39 changed files with 2067 additions and 339 deletions
--- a/backend/app/models/blocklist_domain.py
+++ b/backend/app/models/blocklist_domain.py
@@ -0,0 +1,108 @@
+"""Blocklist domain models.
+
+Internal domain-focused models used by blocklist_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.blocklist` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from enum import StrEnum
+
+
+@dataclass(frozen=True)
+class DomainBlocklistSource:
+    """Blocklist source definition (domain model)."""
+
+    id: int
+    name: str
+    url: str
+    enabled: bool
+    created_at: str
+    updated_at: str
+
+
+@dataclass(frozen=True)
+class DomainImportLogEntry:
+    """A single blocklist import run record (domain model)."""
+
+    id: int
+    source_id: int | None
+    source_url: str
+    timestamp: str
+    ips_imported: int
+    ips_skipped: int
+    errors: str | None
+
+
+@dataclass(frozen=True)
+class DomainImportLogList:
+    """Paginated list of import log entries (domain model)."""
+
+    items: list[DomainImportLogEntry]
+    total: int
+    page: int
+    page_size: int
+
+
+class DomainScheduleFrequency(StrEnum):
+    """Available import schedule frequency presets (domain model)."""
+
+    hourly = "hourly"
+    daily = "daily"
+    weekly = "weekly"
+
+
+@dataclass(frozen=True)
+class DomainScheduleConfig:
+    """Import schedule configuration (domain model)."""
+
+    frequency: DomainScheduleFrequency
+    interval_hours: int = 24
+    hour: int = 3
+    minute: int = 0
+    day_of_week: int = 0
+
+
+@dataclass(frozen=True)
+class DomainScheduleInfo:
+    """Current schedule configuration with runtime metadata (domain model)."""
+
+    config: DomainScheduleConfig
+    next_run_at: str | None = None
+    last_run_at: str | None = None
+    last_run_errors: bool | None = None
+
+
+@dataclass(frozen=True)
+class DomainPreviewResult:
+    """Result of previewing a blocklist URL (domain model)."""
+
+    entries: list[str]
+    total_lines: int
+    valid_count: int
+    skipped_count: int
+
+
+@dataclass(frozen=True)
+class DomainImportSourceResult:
+    """Result of importing a single blocklist source (domain model)."""
+
+    source_id: int | None
+    source_url: str
+    ips_imported: int
+    ips_skipped: int
+    error: str | None
+
+
+@dataclass(frozen=True)
+class DomainImportRunResult:
+    """Aggregated result from a full import run (domain model)."""
+
+    results: list[DomainImportSourceResult]
+    total_imported: int
+    total_skipped: int
+    errors_count: int
--- a/backend/app/models/config_domain.py
+++ b/backend/app/models/config_domain.py
@@ -0,0 +1,130 @@
+"""Config domain models.
+
+Internal domain-focused models used by config_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.config` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Literal
+
+
+DNSMode = Literal["yes", "warn", "no", "raw"]
+LogEncoding = Literal["auto", "ascii", "utf-8", "UTF-8", "latin-1"]
+BackendType = Literal["auto", "polling", "pyinotify", "systemd", "gamin"]
+LogLevel = Literal["CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]
+
+
+@dataclass(frozen=True)
+class DomainBantimeEscalation:
+    """Incremental ban-time escalation configuration (domain model)."""
+
+    increment: bool = False
+    factor: float | None = None
+    formula: str | None = None
+    multipliers: str | None = None
+    max_time: int | None = None
+    rnd_time: int | None = None
+    overall_jails: bool = False
+
+
+@dataclass(frozen=True)
+class DomainJailConfig:
+    """Configuration snapshot of a single jail (domain model)."""
+
+    name: str
+    ban_time: int
+    max_retry: int
+    find_time: int
+    fail_regex: list[str]
+    ignore_regex: list[str]
+    log_paths: list[str]
+    actions: list[str]
+    date_pattern: str | None = None
+    log_encoding: LogEncoding = "UTF-8"
+    backend: BackendType = "polling"
+    use_dns: DNSMode = "warn"
+    prefregex: str = ""
+    bantime_escalation: DomainBantimeEscalation | None = None
+
+
+@dataclass(frozen=True)
+class DomainJailConfigList:
+    """List of jail configurations (domain model)."""
+
+    items: list[DomainJailConfig]
+    total: int
+
+
+@dataclass(frozen=True)
+class DomainGlobalConfig:
+    """Global fail2ban settings (domain model)."""
+
+    log_level: LogLevel
+    log_target: str
+    db_purge_age: int
+    db_max_matches: int
+
+
+@dataclass(frozen=True)
+class DomainServiceStatus:
+    """Fail2ban service health status (domain model)."""
+
+    online: bool
+    version: str | None = None
+    jail_count: int = 0
+    total_bans: int = 0
+    total_failures: int = 0
+    log_level: str | None = None
+    log_target: str | None = None
+
+
+@dataclass(frozen=True)
+class DomainMapColorThresholds:
+    """Map color threshold configuration (domain model)."""
+
+    threshold_high: int
+    threshold_medium: int
+    threshold_low: int
+
+
+@dataclass(frozen=True)
+class DomainRegexTest:
+    """Result of a regex test (domain model)."""
+
+    matched: bool
+    groups: list[str]
+    error: str | None = None
+
+
+@dataclass(frozen=True)
+class DomainFilterConfig:
+    """Structured representation of a filter.d/*.conf file (domain model)."""
+
+    name: str
+    filename: str
+    before: str | None = None
+    after: str | None = None
+    variables: dict[str, str] | None = None
+    prefregex: str | None = None
+    failregex: list[str] | None = None
+    ignoreregex: list[str] | None = None
+    maxlines: int | None = None
+    datepattern: str | None = None
+    journalmatch: str | None = None
+    active: bool = False
+    used_by_jails: list[str] | None = None
+    source_file: str = ""
+    has_local_override: bool = False
+
+
+@dataclass(frozen=True)
+class DomainFilterList:
+    """List of filter configurations (domain model)."""
+
+    items: list[DomainFilterConfig]
+    total: int
--- a/backend/app/models/health_domain.py
+++ b/backend/app/models/health_domain.py
@@ -0,0 +1,23 @@
+"""Health domain models.
+
+Internal domain-focused models used by health_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.config` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class DomainServerStatus:
+    """Cached fail2ban server health snapshot (domain model)."""
+
+    online: bool
+    version: str | None = None
+    active_jails: int = 0
+    total_bans: int = 0
+    total_failures: int = 0
--- a/backend/app/models/history_domain.py
+++ b/backend/app/models/history_domain.py
@@ -0,0 +1,64 @@
+"""History domain models.
+
+Internal domain-focused models used by history_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.history` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class DomainHistoryBanItem:
+    """A single row in the history ban-list table (domain model)."""
+
+    ip: str
+    jail: str
+    banned_at: str
+    ban_count: int
+    failures: int = 0
+    matches: list[str] | None = None
+    country_code: str | None = None
+    country_name: str | None = None
+    asn: str | None = None
+    org: str | None = None
+
+
+@dataclass(frozen=True)
+class DomainHistoryList:
+    """Paginated history ban-list (domain model)."""
+
+    items: list[DomainHistoryBanItem]
+    total: int
+    page: int
+    page_size: int
+
+
+@dataclass(frozen=True)
+class DomainIpTimelineEvent:
+    """A single ban event in a per-IP timeline (domain model)."""
+
+    jail: str
+    banned_at: str
+    ban_count: int
+    failures: int = 0
+    matches: list[str] | None = None
+
+
+@dataclass(frozen=True)
+class DomainIpDetail:
+    """Full historical record for a single IP address (domain model)."""
+
+    ip: str
+    total_bans: int
+    total_failures: int
+    last_ban_at: str | None = None
+    country_code: str | None = None
+    country_name: str | None = None
+    asn: str | None = None
+    org: str | None = None
+    timeline: list[DomainIpTimelineEvent] | None = None
--- a/backend/app/models/jail_domain.py
+++ b/backend/app/models/jail_domain.py
@@ -0,0 +1,112 @@
+"""Jail domain models.
+
+Internal domain-focused models used by jail_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.jail` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class DomainJailStatus:
+    """Runtime metrics for a single jail (domain model)."""
+
+    currently_banned: int
+    total_banned: int
+    currently_failed: int
+    total_failed: int
+
+
+@dataclass(frozen=True)
+class DomainBantimeEscalation:
+    """Incremental ban-time escalation configuration (domain model)."""
+
+    increment: bool = False
+    factor: float | None = None
+    formula: str | None = None
+    multipliers: str | None = None
+    max_time: int | None = None
+    rnd_time: int | None = None
+    overall_jails: bool = False
+
+
+@dataclass(frozen=True)
+class DomainJailSummary:
+    """Lightweight jail entry for the overview list (domain model)."""
+
+    name: str
+    enabled: bool
+    running: bool
+    idle: bool
+    backend: str
+    find_time: int
+    ban_time: int
+    max_retry: int
+    status: DomainJailStatus | None = None
+
+
+@dataclass(frozen=True)
+class DomainJailList:
+    """List of active jails (domain model)."""
+
+    items: list[DomainJailSummary]
+    total: int
+
+
+@dataclass(frozen=True)
+class DomainJail:
+    """Full jail configuration (domain model)."""
+
+    name: str
+    enabled: bool
+    running: bool
+    idle: bool
+    backend: str
+    log_paths: list[str]
+    fail_regex: list[str]
+    ignore_regex: list[str]
+    ignore_ips: list[str]
+    find_time: int
+    ban_time: int
+    max_retry: int
+    actions: list[str]
+    date_pattern: str | None = None
+    log_encoding: str = "UTF-8"
+    bantime_escalation: DomainBantimeEscalation | None = None
+    status: DomainJailStatus | None = None
+
+
+@dataclass(frozen=True)
+class DomainActiveBan:
+    """A currently active ban entry from a jail (domain model)."""
+
+    ip: str
+    jail: str
+    banned_at: str | None = None
+    expires_at: str | None = None
+    ban_count: int = 1
+    country: str | None = None
+
+
+@dataclass(frozen=True)
+class DomainJailBannedIps:
+    """Paginated list of currently banned IPs for a jail (domain model)."""
+
+    items: list[DomainActiveBan]
+    total: int
+    page: int
+    page_size: int
+
+
+@dataclass(frozen=True)
+class DomainJailDetail:
+    """Full jail with supplemental metadata (domain model)."""
+
+    jail: DomainJail
+    ignore_list: list[str]
+    ignore_self: bool
--- a/backend/app/models/server_domain.py
+++ b/backend/app/models/server_domain.py
@@ -0,0 +1,32 @@
+"""Server domain models.
+
+Internal domain-focused models used by server_service. These represent the
+business domain layer and are independent of HTTP response shapes.
+
+Response models are defined in `app.models.server` and mappers convert domain
+models to response models at the router boundary.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class DomainServerSettings:
+    """Fail2ban server-level settings (domain model)."""
+
+    log_level: str
+    log_target: str
+    db_path: str
+    db_purge_age: int
+    db_max_matches: int
+    syslog_socket: str | None = None
+
+
+@dataclass(frozen=True)
+class DomainServerSettingsResult:
+    """Server settings with warnings (domain model)."""
+
+    settings: DomainServerSettings
+    warnings: dict[str, bool]