fix: retry, semaphore, reload lock, activation verify, bans_by_jail diagnostics

Stage 1.1-1.3: reload_all include/exclude_jails params already implemented; added keyword-arg assertions in router and service tests. Stage 2.1/6.1: _send_command_sync retry loop (3 attempts, 150ms exp backoff) retrying on EAGAIN/ECONNREFUSED/ENOBUFS; immediate raise on all other errors. Stage 2.2: asyncio.Lock at module level in jail_service.reload_all to serialize concurrent reload--all commands. Stage 3.1: activate_jail re-queries _get_active_jail_names after reload; returns active=False with descriptive message if jail did not start. Stage 4.1/6.2: asyncio.Semaphore (max 10) in Fail2BanClient.send, lazy- initialized; logs fail2ban_command_waiting_semaphore at debug when waiting. Stage 5.1/5.2: unit tests asserting reload_all is called with include_jails and exclude_jails; activation verification happy/sad path tests. Stage 6.3: TestSendCommandSyncRetry (5 cases) + TestFail2BanClientSemaphore concurrency test. Stage 7.1-7.3: _since_unix uses time.time(); bans_by_jail debug logging with since_iso; diagnostic warning when total==0 despite table rows; unit test verifying the warning fires for stale data.
2026-03-14 11:09:55 +01:00
parent 2274e20123
commit 2f2e5a7419
9 changed files with 880 additions and 115 deletions
--- a/backend/tests/test_services/test_ban_service.py
+++ b/backend/tests/test_services/test_ban_service.py
@@ -1005,3 +1005,38 @@ class TestBansByJail:
        assert result.total == 3
        assert len(result.jails) == 3

+    async def test_diagnostic_warning_when_zero_results_despite_data(
+        self, tmp_path: Path
+    ) -> None:
+        """A warning is logged when the time-range filter excludes all existing rows."""
+        import time as _time
+
+        # Insert rows with timeofban far in the past (outside any range window).
+        far_past = int(_time.time()) - 400 * 24 * 3600  # ~400 days ago
+        path = str(tmp_path / "test_diag.sqlite3")
+        await _create_f2b_db(
+            path,
+            [
+                {"jail": "sshd", "ip": "1.1.1.1", "timeofban": far_past},
+            ],
+        )
+
+        with (
+            patch(
+                "app.services.ban_service._get_fail2ban_db_path",
+                new=AsyncMock(return_value=path),
+            ),
+            patch("app.services.ban_service.log") as mock_log,
+        ):
+            result = await ban_service.bans_by_jail("/fake/sock", "24h")
+
+        assert result.total == 0
+        assert result.jails == []
+        # The diagnostic warning must have been emitted.
+        warning_calls = [
+            c
+            for c in mock_log.warning.call_args_list
+            if c[0][0] == "ban_service_bans_by_jail_empty_despite_data"
+        ]
+        assert len(warning_calls) == 1
+