Stage 7: configuration view — backend service, routers, tests, and frontend

- config_service.py: read/write jail config via asyncio.gather, global settings, in-process regex validation, log preview via _read_tail_lines - server_service.py: read/write server settings, flush logs - config router: 9 endpoints for jail/global config, regex-test, logpath management, log preview - server router: GET/PUT settings, POST flush-logs - models/config.py expanded with JailConfig, GlobalConfigUpdate, LogPreview* models - 285 tests pass (68 new), ruff clean, mypy clean (44 files) - Frontend: types/config.ts, api/config.ts, hooks/useConfig.ts, ConfigPage.tsx full implementation (Jails accordion editor, Global config, Server settings, Regex Tester with preview) - Fixed pre-existing frontend lint: JSX.Element → React.JSX.Element (10 files), void/promise patterns in useServerStatus + useJails, no-misused-spread in client.ts, eslint.config.ts self-excluded
2026-03-01 14:37:55 +01:00
parent ebec5e0f58
commit 7f81f0614b
33 changed files with 4488 additions and 82 deletions
--- a/backend/app/services/server_service.py
+++ b/backend/app/services/server_service.py
@@ -0,0 +1,189 @@
+"""Server-level settings service.
+
+Provides methods to read and update fail2ban server-level settings
+(log level, log target, database configuration) via the Unix domain socket.
+Also exposes the ``flushlogs`` command for use after log rotation.
+
+Architecture note: this module is a pure service — it contains **no**
+HTTP/FastAPI concerns.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+import structlog
+
+from app.models.server import ServerSettings, ServerSettingsResponse, ServerSettingsUpdate
+from app.utils.fail2ban_client import Fail2BanClient
+
+log: structlog.stdlib.BoundLogger = structlog.get_logger()
+
+_SOCKET_TIMEOUT: float = 10.0
+
+
+# ---------------------------------------------------------------------------
+# Custom exceptions
+# ---------------------------------------------------------------------------
+
+
+class ServerOperationError(Exception):
+    """Raised when a server-level set command fails."""
+
+
+# ---------------------------------------------------------------------------
+# Internal helpers
+# ---------------------------------------------------------------------------
+
+
+def _ok(response: Any) -> Any:
+    """Extract payload from a fail2ban ``(code, data)`` response.
+
+    Args:
+        response: Raw value returned by :meth:`~Fail2BanClient.send`.
+
+    Returns:
+        The payload ``data`` portion of the response.
+
+    Raises:
+        ValueError: If the return code indicates an error.
+    """
+    try:
+        code, data = response
+    except (TypeError, ValueError) as exc:
+        raise ValueError(f"Unexpected response shape: {response!r}") from exc
+    if code != 0:
+        raise ValueError(f"fail2ban error {code}: {data!r}")
+    return data
+
+
+async def _safe_get(
+    client: Fail2BanClient,
+    command: list[Any],
+    default: Any = None,
+) -> Any:
+    """Send a command and silently return *default* on any error.
+
+    Args:
+        client: The :class:`~app.utils.fail2ban_client.Fail2BanClient` to use.
+        command: Command list to send.
+        default: Fallback value.
+
+    Returns:
+        The successful response, or *default*.
+    """
+    try:
+        return _ok(await client.send(command))
+    except Exception:
+        return default
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+
+async def get_settings(socket_path: str) -> ServerSettingsResponse:
+    """Return current fail2ban server-level settings.
+
+    Fetches log level, log target, syslog socket, database file path, purge
+    age, and max matches in a single round-trip batch.
+
+    Args:
+        socket_path: Path to the fail2ban Unix domain socket.
+
+    Returns:
+        :class:`~app.models.server.ServerSettingsResponse`.
+
+    Raises:
+        ~app.utils.fail2ban_client.Fail2BanConnectionError: Socket unreachable.
+    """
+    import asyncio
+
+    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
+
+    (
+        log_level_raw,
+        log_target_raw,
+        syslog_socket_raw,
+        db_path_raw,
+        db_purge_age_raw,
+        db_max_matches_raw,
+    ) = await asyncio.gather(
+        _safe_get(client, ["get", "loglevel"], "INFO"),
+        _safe_get(client, ["get", "logtarget"], "STDOUT"),
+        _safe_get(client, ["get", "syslogsocket"], None),
+        _safe_get(client, ["get", "dbfile"], "/var/lib/fail2ban/fail2ban.sqlite3"),
+        _safe_get(client, ["get", "dbpurgeage"], 86400),
+        _safe_get(client, ["get", "dbmaxmatches"], 10),
+    )
+
+    settings = ServerSettings(
+        log_level=str(log_level_raw or "INFO").upper(),
+        log_target=str(log_target_raw or "STDOUT"),
+        syslog_socket=str(syslog_socket_raw) if syslog_socket_raw else None,
+        db_path=str(db_path_raw or "/var/lib/fail2ban/fail2ban.sqlite3"),
+        db_purge_age=int(db_purge_age_raw or 86400),
+        db_max_matches=int(db_max_matches_raw or 10),
+    )
+
+    log.info("server_settings_fetched")
+    return ServerSettingsResponse(settings=settings)
+
+
+async def update_settings(socket_path: str, update: ServerSettingsUpdate) -> None:
+    """Apply *update* to fail2ban server-level settings.
+
+    Only non-None fields in *update* are sent.
+
+    Args:
+        socket_path: Path to the fail2ban Unix domain socket.
+        update: Partial update payload.
+
+    Raises:
+        ServerOperationError: If any ``set`` command is rejected.
+        ~app.utils.fail2ban_client.Fail2BanConnectionError: Socket unreachable.
+    """
+    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
+
+    async def _set(key: str, value: Any) -> None:
+        try:
+            _ok(await client.send(["set", key, value]))
+        except ValueError as exc:
+            raise ServerOperationError(f"Failed to set {key!r} = {value!r}: {exc}") from exc
+
+    if update.log_level is not None:
+        await _set("loglevel", update.log_level.upper())
+    if update.log_target is not None:
+        await _set("logtarget", update.log_target)
+    if update.db_purge_age is not None:
+        await _set("dbpurgeage", update.db_purge_age)
+    if update.db_max_matches is not None:
+        await _set("dbmaxmatches", update.db_max_matches)
+
+    log.info("server_settings_updated")
+
+
+async def flush_logs(socket_path: str) -> str:
+    """Flush and re-open fail2ban log files.
+
+    Useful after log rotation so the daemon starts writing to the newly
+    created file rather than the old rotated one.
+
+    Args:
+        socket_path: Path to the fail2ban Unix domain socket.
+
+    Returns:
+        The response message from fail2ban (e.g. ``"OK"``) as a string.
+
+    Raises:
+        ServerOperationError: If the command is rejected.
+        ~app.utils.fail2ban_client.Fail2BanConnectionError: Socket unreachable.
+    """
+    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
+    try:
+        result = _ok(await client.send(["flushlogs"]))
+        log.info("logs_flushed", result=result)
+        return str(result)
+    except ValueError as exc:
+        raise ServerOperationError(f"flushlogs failed: {exc}") from exc