Task 13: move ban_ip, unban_ip, and get_active_bans from jail_service to ban_service and update routers/tests

2026-04-17 16:22:20 +02:00
parent 6e1e3c4546
commit 8c6950afc1
9 changed files with 366 additions and 247 deletions
--- a/backend/app/services/jail_service.py
+++ b/backend/app/services/jail_service.py
@@ -802,194 +802,6 @@ async def restart_daemon(
    )


-# ---------------------------------------------------------------------------
-# Public API — Ban / Unban
-# ---------------------------------------------------------------------------
-
-
-async def ban_ip(socket_path: str, jail: str, ip: str) -> None:
-    """Ban an IP address in a specific fail2ban jail.
-
-    The IP address is validated with :mod:`ipaddress` before the command
-    is sent to fail2ban.
-
-    Args:
-        socket_path: Path to the fail2ban Unix domain socket.
-        jail: Jail in which to apply the ban.
-        ip: IP address to ban (IPv4 or IPv6).
-
-    Raises:
-        ValueError: If *ip* is not a valid IP address.
-        JailNotFoundError: If *jail* is not a known jail.
-        JailOperationError: If fail2ban reports the operation failed.
-        ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket
-            cannot be reached.
-    """
-    # Validate the IP address before sending to avoid injection.
-    try:
-        ipaddress.ip_address(ip)
-    except ValueError as exc:
-        raise ValueError(f"Invalid IP address: {ip!r}") from exc
-
-    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
-    try:
-        _ok(await client.send(["set", jail, "banip", ip]))
-        log.info("ip_banned", ip=ip, jail=jail)
-    except ValueError as exc:
-        if _is_not_found_error(exc):
-            raise JailNotFoundError(jail) from exc
-        raise JailOperationError(str(exc)) from exc
-
-
-async def unban_ip(
-    socket_path: str,
-    ip: str,
-    jail: str | None = None,
-) -> None:
-    """Unban an IP address from one or all fail2ban jails.
-
-    If *jail* is ``None``, the IP is unbanned from every jail using the
-    global ``unban`` command.  Otherwise only the specified jail is
-    targeted.
-
-    Args:
-        socket_path: Path to the fail2ban Unix domain socket.
-        ip: IP address to unban.
-        jail: Jail to unban from. ``None`` means all jails.
-
-    Raises:
-        ValueError: If *ip* is not a valid IP address.
-        JailNotFoundError: If *jail* is specified but does not exist.
-        JailOperationError: If fail2ban reports the operation failed.
-        ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket
-            cannot be reached.
-    """
-    try:
-        ipaddress.ip_address(ip)
-    except ValueError as exc:
-        raise ValueError(f"Invalid IP address: {ip!r}") from exc
-
-    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
-    try:
-        if jail is None:
-            _ok(await client.send(["unban", ip]))
-            log.info("ip_unbanned_all_jails", ip=ip)
-        else:
-            _ok(await client.send(["set", jail, "unbanip", ip]))
-            log.info("ip_unbanned", ip=ip, jail=jail)
-    except ValueError as exc:
-        if _is_not_found_error(exc):
-            raise JailNotFoundError(jail or "") from exc
-        raise JailOperationError(str(exc)) from exc
-
-
-async def get_active_bans(
-    socket_path: str,
-    geo_batch_lookup: GeoBatchLookup | None = None,
-    geo_enricher: GeoEnricher | None = None,
-    http_session: aiohttp.ClientSession | None = None,
-    app_db: aiosqlite.Connection | None = None,
-) -> ActiveBanListResponse:
-    """Return all currently banned IPs across every jail.
-
-    For each jail the ``get <jail> banip --with-time`` command is used
-    to retrieve ban start and expiry times alongside the IP address.
-
-    Geo enrichment strategy (highest priority first):
-
-    1. When *http_session* is provided the entire set of banned IPs is resolved
-       in a single :func:`~app.services.geo_service.lookup_batch` call (up to
-       100 IPs per HTTP request).  This is far more efficient than concurrent
-       per-IP lookups and stays within ip-api.com rate limits.
-    2. When only *geo_enricher* is provided (legacy / test path) each IP is
-       resolved individually via the supplied async callable.
-
-    Args:
-        socket_path: Path to the fail2ban Unix domain socket.
-        geo_enricher: Optional async callable ``(ip) → GeoInfo | None``
-            used to enrich each ban entry with country and ASN data.
-            Ignored when *http_session* is provided.
-        http_session: Optional shared :class:`aiohttp.ClientSession`.  When
-            provided, :func:`~app.services.geo_service.lookup_batch` is used
-            for efficient bulk geo resolution.
-        app_db: Optional BanGUI application database connection used to
-            persist newly resolved geo entries across restarts.  Only
-            meaningful when *http_session* is provided.
-
-    Returns:
-        :class:`~app.models.ban.ActiveBanListResponse` with all active bans.
-
-    Raises:
-        ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket
-            cannot be reached.
-    """
-
-    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
-
-    # Fetch jail names.
-    global_status = _to_dict(_ok(await client.send(["status"])))
-    jail_list_raw: str = str(global_status.get("Jail list", "") or "").strip()
-    jail_names: list[str] = (
-        [j.strip() for j in jail_list_raw.split(",") if j.strip()]
-        if jail_list_raw
-        else []
-    )
-
-    if not jail_names:
-        return ActiveBanListResponse(bans=[], total=0)
-
-    # For each jail, fetch the ban list with time info in parallel.
-    results: list[object | Exception] = await asyncio.gather(
-        *[client.send(["get", jn, "banip", "--with-time"]) for jn in jail_names],
-        return_exceptions=True,
-    )
-
-    bans: list[ActiveBan] = []
-    for jail_name, raw_result in zip(jail_names, results, strict=False):
-        if isinstance(raw_result, Exception):
-            log.warning(
-                "active_bans_fetch_error",
-                jail=jail_name,
-                error=str(raw_result),
-            )
-            continue
-
-        try:
-            ban_list: list[str] = cast("list[str]", _ok(raw_result)) or []
-        except (TypeError, ValueError) as exc:
-            log.warning(
-                "active_bans_parse_error",
-                jail=jail_name,
-                error=str(exc),
-            )
-            continue
-
-        for entry in ban_list:
-            ban = _parse_ban_entry(str(entry), jail_name)
-            if ban is not None:
-                bans.append(ban)
-
-    # Enrich with geo data — prefer batch lookup over per-IP enricher.
-    if http_session is not None and bans and geo_batch_lookup is not None:
-        all_ips: list[str] = [ban.ip for ban in bans]
-        try:
-            geo_map = await geo_batch_lookup(all_ips, http_session, db=app_db)
-        except Exception:  # noqa: BLE001
-            log.warning("active_bans_batch_geo_failed")
-            geo_map = {}
-        enriched: list[ActiveBan] = []
-        for ban in bans:
-            geo = geo_map.get(ban.ip)
-            if geo is not None:
-                enriched.append(ban.model_copy(update={"country": geo.country_code}))
-            else:
-                enriched.append(ban)
-        bans = enriched
-    elif geo_enricher is not None:
-        bans = await _enrich_bans(bans, geo_enricher)
-
-    log.info("active_bans_fetched", total=len(bans))
-    return ActiveBanListResponse(bans=bans, total=len(bans))


 def _parse_ban_entry(entry: str, jail: str) -> ActiveBan | None: