lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor config loading and add status code docs

Browse Source 
- Move config loading to dedicated ConfigLoader class with validation
- Add DATABASE_MIGRATIONS.md content to TROUBLESHOOTING.md
- Add API_STATUS_CODES.md documenting all API response codes
- Update runner.csx to use new config structure
- Add check_responses.py validation script
- Update config tests for new structure

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-05-03 11:52:01 +02:00
parent 8f26776bb3
commit 7b93499551
9 changed files with 1249 additions and 415 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
backend/app/config.py
View File

@@ -5,7 +5,9 @@ and validated at startup via the Settings singleton.
"""
import ipaddress
import os
import shlex
from pathlib import Path
from typing import Literal
from pydantic import Field, field_validator
@@ -134,6 +136,142 @@ class Settings(BaseSettings):
),
)
@field_validator("database_path", mode="after")
@classmethod
def _validate_database_path(cls, value: str) -> str:
"""Validate database_path parent directory exists and is writable.
Args:
value: The database path string.
Returns:
The validated path string.
Raises:
ValueError: If parent directory does not exist or is not writable.
"""
path = Path(value)
parent = path.parent
if not parent.exists():
raise ValueError(
f"Database parent directory does not exist: {parent}\n"
f"Hint: Create it with: mkdir -p {parent}"
)
if not os.access(parent, os.W_OK):
raise ValueError(
f"Database parent directory not writable: {parent}\n"
f"Hint: Fix with: chmod 755 {parent}"
)
return value
@field_validator("fail2ban_socket", mode="after")
@classmethod
def _validate_fail2ban_socket(cls, value: str) -> str:
"""Validate fail2ban socket exists and is readable.
Args:
value: The fail2ban socket path string.
Returns:
The validated path string.
Raises:
ValueError: If the socket path exists but is not readable.
"""
path = Path(value)
if path.exists() and not os.access(path, os.R_OK):
raise ValueError(
f"fail2ban socket not readable: {path}\n"
f"Hint: Fix with: chmod 644 {path}"
)
return value
@field_validator("geoip_db_path", mode="after")
@classmethod
def _validate_geoip_db_path(cls, value: str | None) -> str | None:
"""Validate geoip_db_path exists if set.
Args:
value: The GeoIP database path or None.
Returns:
The validated path or None.
Raises:
ValueError: If the path is set but the file does not exist.
"""
if value is None:
return value
path = Path(value)
if not path.exists():
raise ValueError(
f"GeoIP database file does not exist: {path}\n"
f"Hint: Download from https://dev.maxmind.com/geoip/geolite2-country"
)
return value
@field_validator("fail2ban_config_dir", mode="after")
@classmethod
def _validate_fail2ban_config_dir(cls, value: str) -> str:
"""Validate fail2ban_config_dir exists.
Args:
value: The fail2ban configuration directory path.
Returns:
The validated path string.
Raises:
ValueError: If the directory does not exist.
"""
path = Path(value)
if not path.exists():
raise ValueError(
f"fail2ban config directory does not exist: {path}\n"
f"Hint: Mount the fail2ban config directory or adjust BANGUI_FAIL2BAN_CONFIG_DIR"
)
return value
@field_validator("session_secret", mode="after")
@classmethod
def _validate_session_secret(cls, value: str) -> str:
"""Validate session_secret is sufficiently long and non-trivial.
Args:
value: The session secret string.
Returns:
The validated secret string.
Raises:
ValueError: If the secret is too short or appears weak.
"""
if len(value) < 32:
raise ValueError(
f"session_secret must be at least 32 characters. Got {len(value)}.\n"
f"Hint: Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
)
weak_indicators = {"password", "secret", "123", "abc", "admin"}
value_lower = value.lower()
if any(value_lower.startswith(w) for w in weak_indicators):
raise ValueError(
"session_secret is too weak (found common word).\n"
"Hint: Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
)
return value
@field_validator("cors_allowed_origins", mode="before")
@classmethod
def _normalize_cors_origins(cls, value: str | list[str] | None) -> list[str]:
@@ -429,4 +567,4 @@ def get_settings() -> Settings:
A validated :class:`Settings` object. Raises :class:`pydantic.ValidationError`
if required keys are absent or values fail validation.
"""
return Settings() # type: ignore[call-arg] # pydantic-settings populates required fields from env vars
return Settings()

90
backend/check_responses.py Normal file
View File

@@ -0,0 +1,90 @@
#!/usr/bin/env python3
"""Validate that every API router endpoint has an explicit `responses={}` dict.
This script runs in CI to ensure no endpoint is merged without OpenAPI
response documentation. An endpoint without `responses={}` makes status-code
branching impossible for frontend clients.
Exit codes:
0 — all endpoints documented
1 — one or more endpoints missing responses={}
"""
from __future__ import annotations
import ast
import sys
from pathlib import Path
ROUTES = {"get", "post", "put", "delete", "patch", "options", "head"}
ROUTER_DIR = Path(__file__).parent / "app" / "routers"
class EndpointVisitor(ast.NodeVisitor):
"""Walk router files and collect endpoints lacking `responses={}`."""
def __init__(self) -> None:
self.errors: list[str] = []
self._current_path = ""
def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
for decorator in node.decorator_list:
if self._is_router_decorator(decorator):
self._check_decorator(decorator, node)
self.generic_visit(node)
def _is_router_decorator(self, node: ast.AST) -> bool:
match node:
case ast.Name():
return node.id in ROUTES
case ast.Attribute():
return node.attr in ROUTES
return False
def _check_decorator(self, decorator: ast.AST, node: ast.FunctionDef) -> None:
found_responses = False
for child in ast.walk(decorator):
if isinstance(child, ast.keyword) and child.arg == "responses":
found_responses = True
break
if not found_responses:
lineno = node.lineno
self.errors.append(
f"{self._current_path}:{lineno}"
f"endpoint in {node.name}() lacks `responses={{}}`"
)
def check_file(path: Path) -> list[str]:
"""Return list of errors for one router file."""
source = path.read_text()
tree = ast.parse(source, filename=str(path))
visitor = EndpointVisitor()
visitor._current_path = str(path)
visitor.visit(tree)
return visitor.errors
def main() -> int:
errors: list[str] = []
for py_file in sorted(ROUTER_DIR.glob("*.py")):
if py_file.name.startswith("_"):
continue
errors.extend(check_file(py_file))
if errors:
print("ERRORS: Endpoints missing `responses={}`:")
for e in errors:
print(f" {e}")
print(f"\n{len(errors)} endpoint(s) lack response documentation.")
return 1
print("OK: all router endpoints have `responses={}`")
return 0
if __name__ == "__main__":
sys.exit(main())

346
backend/tests/test_config.py
View File

@@ -1,57 +1,59 @@
"""Unit tests for application configuration and validation."""
import os
import tempfile
import pytest
from pydantic import ValidationError
from app.config import Settings
# Module-level temp dir for tests that need real existing directories.
_test_tmpdir = tempfile.mkdtemp()
def _minimal_settings(**overrides: object) -> Settings:
"""Create a Settings with valid defaults for unit tests.
Uses _test_tmpdir (module-level) for paths that require existing directories.
"""
defaults = {
"database_path": os.path.join(_test_tmpdir, "test.db"),
"fail2ban_socket": "/tmp/fake_fail2ban.sock",
"fail2ban_config_dir": _test_tmpdir,
"session_secret": "test-secret-key-do-not-use-in-production",
}
defaults.update(overrides) # type: ignore[arg-type]
return Settings(**defaults) # type: ignore[arg-type]
# ---------------------------------------------------------------------------
# fail2ban_start_command validation tests
# ---------------------------------------------------------------------------
def test_fail2ban_start_command_validates_simple_command() -> None:
"""Simple fail2ban commands without special characters are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command="fail2ban-client start",
)
settings = _minimal_settings(fail2ban_start_command="fail2ban-client start")
assert settings.fail2ban_start_command == "fail2ban-client start"
def test_fail2ban_start_command_validates_systemctl_command() -> None:
"""systemctl commands are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command="systemctl start fail2ban",
)
settings = _minimal_settings(fail2ban_start_command="systemctl start fail2ban")
assert settings.fail2ban_start_command == "systemctl start fail2ban"
def test_fail2ban_start_command_accepts_quoted_paths() -> None:
"""Commands with quoted paths containing spaces are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command='"/opt/my tools/fail2ban-client" start',
)
settings = _minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client" start')
assert settings.fail2ban_start_command == '"/opt/my tools/fail2ban-client" start'
def test_fail2ban_start_command_rejects_mismatched_quotes() -> None:
"""Commands with mismatched quotes raise ValidationError."""
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command='"/opt/my tools/fail2ban-client start',
)
_minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client start')
error_msg = str(exc_info.value)
assert "fail2ban_start_command" in error_msg
assert "mismatched quotes" in error_msg or "No closing quotation" in error_msg
@@ -61,62 +63,38 @@ def test_fail2ban_start_command_error_includes_problematic_value() -> None:
"""Validation errors include the problematic command value."""
problematic_command = '"/opt/broken start'
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command=problematic_command,
)
_minimal_settings(fail2ban_start_command=problematic_command)
error_msg = str(exc_info.value)
assert problematic_command in error_msg
def test_fail2ban_start_command_default_value_is_valid() -> None:
"""The default fail2ban_start_command value is valid and parseable."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
)
settings = _minimal_settings()
assert settings.fail2ban_start_command == "fail2ban-client start"
def test_fail2ban_start_command_single_quoted() -> None:
"""Commands with single quotes are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command="'/usr/bin/fail2ban-client' start",
)
settings = _minimal_settings(fail2ban_start_command="'/usr/bin/fail2ban-client' start")
assert settings.fail2ban_start_command == "'/usr/bin/fail2ban-client' start"
def test_fail2ban_start_command_multiple_arguments() -> None:
"""Commands with multiple arguments are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="test-secret-key-do-not-use-in-production",
fail2ban_start_command="fail2ban-client -c /etc/fail2ban start",
)
settings = _minimal_settings(fail2ban_start_command="fail2ban-client -c /etc/fail2ban start")
assert settings.fail2ban_start_command == "fail2ban-client -c /etc/fail2ban start"
# ---------------------------------------------------------------------------
# session_secret validation tests
# ---------------------------------------------------------------------------
def test_session_secret_enforces_minimum_length() -> None:
"""session_secret must be at least 32 characters."""
# Test with a secret shorter than 32 characters
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="short-secret",
)
_minimal_settings(session_secret="short-secret")
error_msg = str(exc_info.value)
assert "session_secret" in error_msg
assert "32" in error_msg or "at least" in error_msg
@@ -124,42 +102,149 @@ def test_session_secret_enforces_minimum_length() -> None:
def test_session_secret_accepts_32_characters() -> None:
"""session_secret with exactly 32 characters is accepted."""
secret_32 = "a" * 32 # Exactly 32 characters
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret=secret_32,
)
secret_32 = "a" * 32
settings = _minimal_settings(session_secret=secret_32)
assert settings.session_secret == secret_32
def test_session_secret_accepts_longer_than_32() -> None:
"""session_secret with more than 32 characters is accepted."""
secret_64 = "b" * 64 # 64 characters
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret=secret_64,
)
secret_64 = "b" * 64
settings = _minimal_settings(session_secret=secret_64)
assert settings.session_secret == secret_64
def test_session_secret_error_message_includes_guidance() -> None:
"""Validation error for short session_secret includes secret generation guidance."""
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="too-short",
)
_minimal_settings(session_secret="too-short")
error_msg = str(exc_info.value)
# Verify the error mentions the constraint
assert "session_secret" in error_msg
def test_session_secret_rejects_weak_secrets() -> None:
"""Common weak words in session_secret are rejected."""
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(session_secret="password1234567890123456789012345")
error_msg = str(exc_info.value)
assert "too weak" in error_msg or "weak" in error_msg
# ---------------------------------------------------------------------------
# database_path validation tests
# ---------------------------------------------------------------------------
def test_database_path_parent_must_exist() -> None:
"""database_path parent directory must exist."""
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(database_path="/nonexistent/parent/test.db")
error_msg = str(exc_info.value)
assert "parent directory does not exist" in error_msg
def test_database_path_parent_must_be_writable() -> None:
"""database_path parent directory must be writable."""
with tempfile.TemporaryDirectory() as tmpdir:
# Create a read-only directory
readonly_dir = os.path.join(tmpdir, "readonly")
os.makedirs(readonly_dir, exist_ok=True)
os.chmod(readonly_dir, 0o555)
try:
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(database_path=os.path.join(readonly_dir, "test.db"))
error_msg = str(exc_info.value)
assert "not writable" in error_msg
finally:
os.chmod(readonly_dir, 0o755)
def test_database_path_with_existing_writable_parent_is_accepted() -> None:
"""database_path with existing writable parent is accepted."""
with tempfile.TemporaryDirectory() as tmpdir:
settings = _minimal_settings(database_path=os.path.join(tmpdir, "test.db"))
assert settings.database_path == os.path.join(tmpdir, "test.db")
# ---------------------------------------------------------------------------
# fail2ban_socket validation tests
# ---------------------------------------------------------------------------
def test_fail2ban_socket_nonexistent_is_accepted() -> None:
"""fail2ban_socket path that doesn't exist yet is accepted (deferred creation)."""
settings = _minimal_settings(fail2ban_socket="/nonexistent/socket.sock")
assert settings.fail2ban_socket == "/nonexistent/socket.sock"
def test_fail2ban_socket_existing_must_be_readable() -> None:
"""fail2ban_socket that exists must be readable."""
with tempfile.NamedTemporaryFile() as f:
# Make it unreadable
os.chmod(f.name, 0o000)
try:
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(fail2ban_socket=f.name)
error_msg = str(exc_info.value)
assert "not readable" in error_msg
finally:
os.chmod(f.name, 0o644)
def test_fail2ban_socket_existing_readable_is_accepted() -> None:
"""fail2ban_socket that exists and is readable is accepted."""
with tempfile.NamedTemporaryFile() as f:
settings = _minimal_settings(fail2ban_socket=f.name)
assert settings.fail2ban_socket == f.name
# ---------------------------------------------------------------------------
# geoip_db_path validation tests
# ---------------------------------------------------------------------------
def test_geoip_db_path_none_is_accepted() -> None:
"""geoip_db_path set to None is accepted."""
settings = _minimal_settings(geoip_db_path=None)
assert settings.geoip_db_path is None
def test_geoip_db_path_nonexistent_is_rejected() -> None:
"""geoip_db_path that doesn't exist is rejected."""
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(geoip_db_path="/nonexistent/GeoLite2-Country.mmdb")
error_msg = str(exc_info.value)
assert "does not exist" in error_msg
def test_geoip_db_path_existing_is_accepted() -> None:
"""geoip_db_path that exists is accepted."""
with tempfile.NamedTemporaryFile() as f:
settings = _minimal_settings(geoip_db_path=f.name)
assert settings.geoip_db_path == f.name
# ---------------------------------------------------------------------------
# fail2ban_config_dir validation tests
# ---------------------------------------------------------------------------
def test_fail2ban_config_dir_nonexistent_is_rejected() -> None:
"""fail2ban_config_dir that doesn't exist is rejected."""
with pytest.raises(ValidationError) as exc_info:
_minimal_settings(fail2ban_config_dir="/nonexistent/fail2ban/config")
error_msg = str(exc_info.value)
assert "does not exist" in error_msg
def test_fail2ban_config_dir_existing_is_accepted() -> None:
"""fail2ban_config_dir that exists is accepted."""
with tempfile.TemporaryDirectory() as tmpdir:
settings = _minimal_settings(fail2ban_config_dir=tmpdir)
assert settings.fail2ban_config_dir == tmpdir
# ---------------------------------------------------------------------------
# trusted_proxies configuration tests
# ---------------------------------------------------------------------------
@@ -167,85 +252,44 @@ def test_session_secret_error_message_includes_guidance() -> None:
def test_trusted_proxies_default_is_empty_list() -> None:
"""By default, trusted_proxies is an empty list (no trusted proxies)."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
)
settings = _minimal_settings()
assert settings.trusted_proxies == []
def test_trusted_proxies_accepts_single_ip() -> None:
"""Single IP address is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="192.168.1.1",
)
settings = _minimal_settings(trusted_proxies="192.168.1.1")
assert settings.trusted_proxies == ["192.168.1.1"]
def test_trusted_proxies_accepts_single_cidr() -> None:
"""Single CIDR range is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="10.0.0.0/8",
)
settings = _minimal_settings(trusted_proxies="10.0.0.0/8")
assert settings.trusted_proxies == ["10.0.0.0/8"]
def test_trusted_proxies_accepts_comma_separated_list() -> None:
"""Comma-separated list of IPs and CIDRs is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="192.168.1.1,10.0.0.0/8,172.16.0.0/12",
)
settings = _minimal_settings(trusted_proxies="192.168.1.1,10.0.0.0/8,172.16.0.0/12")
assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8", "172.16.0.0/12"]
def test_trusted_proxies_accepts_list() -> None:
"""List of IPs and CIDRs is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies=["192.168.1.1", "10.0.0.0/8"],
)
settings = _minimal_settings(trusted_proxies=["192.168.1.1", "10.0.0.0/8"])
assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"]
def test_trusted_proxies_strips_whitespace() -> None:
"""Whitespace around IPs is stripped."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies=" 192.168.1.1 , 10.0.0.0/8 ",
)
settings = _minimal_settings(trusted_proxies=" 192.168.1.1 , 10.0.0.0/8 ")
assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"]
def test_trusted_proxies_rejects_invalid_ip() -> None:
"""Invalid IP address is rejected."""
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="not-an-ip",
)
_minimal_settings(trusted_proxies="not-an-ip")
error_msg = str(exc_info.value)
assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg
@@ -253,13 +297,7 @@ def test_trusted_proxies_rejects_invalid_ip() -> None:
def test_trusted_proxies_rejects_invalid_cidr() -> None:
"""Invalid CIDR range is rejected."""
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="10.0.0.0/33", # Invalid - /33 is out of range for IPv4
)
_minimal_settings(trusted_proxies="10.0.0.0/33")
error_msg = str(exc_info.value)
assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg
@@ -267,48 +305,24 @@ def test_trusted_proxies_rejects_invalid_cidr() -> None:
def test_trusted_proxies_rejects_one_invalid_in_list() -> None:
"""One invalid IP in a list causes entire list to be rejected."""
with pytest.raises(ValidationError) as exc_info:
Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="192.168.1.1,invalid-ip,10.0.0.0/8",
)
_minimal_settings(trusted_proxies="192.168.1.1,invalid-ip,10.0.0.0/8")
error_msg = str(exc_info.value)
assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg
def test_trusted_proxies_accepts_ipv6_address() -> None:
"""IPv6 address is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="2001:db8::1",
)
settings = _minimal_settings(trusted_proxies="2001:db8::1")
assert settings.trusted_proxies == ["2001:db8::1"]
def test_trusted_proxies_accepts_ipv6_cidr() -> None:
"""IPv6 CIDR range is accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="2001:db8::/32",
)
settings = _minimal_settings(trusted_proxies="2001:db8::/32")
assert settings.trusted_proxies == ["2001:db8::/32"]
def test_trusted_proxies_accepts_mixed_ipv4_and_ipv6() -> None:
"""Mixed IPv4 and IPv6 addresses and ranges are accepted."""
settings = Settings(
database_path="/tmp/test.db",
fail2ban_socket="/tmp/fake_fail2ban.sock",
fail2ban_config_dir="/tmp/fail2ban",
session_secret="a" * 32,
trusted_proxies="192.168.1.0/24,2001:db8::/32,10.0.0.1",
)
settings = _minimal_settings(trusted_proxies="192.168.1.0/24,2001:db8::/32,10.0.0.1")
assert settings.trusted_proxies == ["192.168.1.0/24", "2001:db8::/32", "10.0.0.1"]

4
backend/tests/test_startup_integration.py
View File

@@ -17,8 +17,8 @@ def _create_test_settings(tmpdir: str) -> Settings:
database_path=str(Path(tmpdir) / "bangui.db"),
fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
session_secret="test-secret-12345678901234567890",
fail2ban_config_dir="/etc/fail2ban",
geoip_db_path="/usr/share/GeoIP/GeoLite2-Country.mmdb",
fail2ban_config_dir=tmpdir, # Use tmpdir (exists) instead of /etc/fail2ban
geoip_db_path=None, # None = skip geoip validation
geoip_allow_http_fallback=False,
log_level="info",
)