Complete tasks 1-5: UI cleanup, pie chart fix, log path allowlist, activation hardening

Task 1: Remove ActiveBansSection from JailsPage - Delete buildBanColumns, fmtTimestamp, ActiveBansSection - Remove Dialog/Delete/Dismiss imports, ActiveBan type - Update JSDoc to reflect three sections Task 2: Remove JailDistributionChart from Dashboard - Delete import and JSX block from DashboardPage.tsx Task 3: Fix transparent pie chart (TopCountriesPieChart) - Add Cell import and per-slice <Cell fill={slice.fill}> children inside <Pie> - Suppress @typescript-eslint/no-deprecated (recharts v3 types) Task 4: Allow /config/log as safe log prefix - Add '/config/log' to _SAFE_LOG_PREFIXES in config_service.py - Update error message to list both allowed directories Task 5: Block jail activation on missing filter/logpath - activate_jail refuses to proceed when filter/logpath issues found - ActivateJailDialog treats all validation issues as blocking - Trigger immediate _run_probe after activation in config router - /api/health now reports fail2ban online/offline from cached probe - Add TestActivateJailBlocking tests; fix existing tests to mock validation
2026-03-14 18:57:01 +01:00
parent 68d8056d2e
commit ee7412442a
11 changed files with 425 additions and 656 deletions
--- a/backend/app/routers/config.py
+++ b/backend/app/routers/config.py
@@ -97,6 +97,7 @@ from app.services.config_service import (
    ConfigValidationError,
    JailNotFoundError,
 )
+from app.tasks.health_check import _run_probe
 from app.utils.fail2ban_client import Fail2BanConnectionError

 router: APIRouter = APIRouter(prefix="/api/config", tags=["Config"])
@@ -654,6 +655,10 @@ async def activate_jail(
            detected_at=datetime.datetime.now(tz=datetime.UTC),
        )

+    # Force an immediate health probe so the cached status reflects the current
+    # fail2ban state without waiting for the next scheduled check.
+    await _run_probe(request.app)
+
    return result


--- a/backend/app/routers/health.py
+++ b/backend/app/routers/health.py
@@ -1,21 +1,37 @@
 """Health check router.

 A lightweight ``GET /api/health`` endpoint that verifies the application
-is running and can serve requests.  It does not probe fail2ban — that
-responsibility belongs to the health service (Stage 4).
+is running and can serve requests.  Also reports the cached fail2ban liveness
+state so monitoring tools and Docker health checks can observe daemon status
+without probing the socket directly.
 """

-from fastapi import APIRouter
+from fastapi import APIRouter, Request
 from fastapi.responses import JSONResponse

+from app.models.server import ServerStatus
+
 router: APIRouter = APIRouter(prefix="/api", tags=["Health"])


@router.get("/health", summary="Application health check")
-async def health_check() -> JSONResponse:
-    """Return a 200 response confirming the API is operational.
+async def health_check(request: Request) -> JSONResponse:
+    """Return 200 with application and fail2ban status.
+
+    HTTP 200 is always returned so Docker health checks do not restart the
+    backend container when fail2ban is temporarily offline.  The
+    ``fail2ban`` field in the body indicates the daemon's current state.
+
+    Args:
+        request: FastAPI request (used to read cached server status).

    Returns:
-        A JSON object with ``{"status": "ok"}``.
+        A JSON object with ``{"status": "ok", "fail2ban": "online"|"offline"}``.
    """
-    return JSONResponse(content={"status": "ok"})
+    cached: ServerStatus = getattr(
+        request.app.state, "server_status", ServerStatus(online=False)
+    )
+    return JSONResponse(content={
+        "status": "ok",
+        "fail2ban": "online" if cached.online else "offline",
+    })
--- a/backend/app/services/config_file_service.py
+++ b/backend/app/services/config_file_service.py
@@ -1136,6 +1136,25 @@ async def activate_jail(
            warnings=warnings,
        )

+    # Block activation on critical validation failures (missing filter or logpath).
+    blocking = [i for i in validation_result.issues if i.field in ("filter", "logpath")]
+    if blocking:
+        log.warning(
+            "jail_activation_blocked",
+            jail=name,
+            issues=[f"{i.field}: {i.message}" for i in blocking],
+        )
+        return JailActivationResponse(
+            name=name,
+            active=False,
+            fail2ban_running=True,
+            validation_warnings=warnings,
+            message=(
+                f"Jail {name!r} cannot be activated: "
+                + "; ".join(i.message for i in blocking)
+            ),
+        )
+
    overrides: dict[str, Any] = {
        "bantime": req.bantime,
        "findtime": req.findtime,
--- a/backend/app/services/config_service.py
+++ b/backend/app/services/config_service.py
@@ -768,7 +768,7 @@ _NON_FILE_LOG_TARGETS: frozenset[str] = frozenset(
 )

 # Only allow reading log files under these base directories (security).
-_SAFE_LOG_PREFIXES: tuple[str, ...] = ("/var/log",)
+_SAFE_LOG_PREFIXES: tuple[str, ...] = ("/var/log", "/config/log")


 def _count_file_lines(file_path: str) -> int:
@@ -847,7 +847,7 @@ async def read_fail2ban_log(
    if not any(resolved_str.startswith(safe) for safe in _SAFE_LOG_PREFIXES):
        raise ConfigOperationError(
            f"Log path {resolved_str!r} is outside the allowed directory. "
-            "Only paths under /var/log are permitted."
+            "Only paths under /var/log or /config/log are permitted."
        )

    if not resolved.is_file():