Complete tasks 1-5: UI cleanup, pie chart fix, log path allowlist, activation hardening

Task 1: Remove ActiveBansSection from JailsPage - Delete buildBanColumns, fmtTimestamp, ActiveBansSection - Remove Dialog/Delete/Dismiss imports, ActiveBan type - Update JSDoc to reflect three sections Task 2: Remove JailDistributionChart from Dashboard - Delete import and JSX block from DashboardPage.tsx Task 3: Fix transparent pie chart (TopCountriesPieChart) - Add Cell import and per-slice <Cell fill={slice.fill}> children inside <Pie> - Suppress @typescript-eslint/no-deprecated (recharts v3 types) Task 4: Allow /config/log as safe log prefix - Add '/config/log' to _SAFE_LOG_PREFIXES in config_service.py - Update error message to list both allowed directories Task 5: Block jail activation on missing filter/logpath - activate_jail refuses to proceed when filter/logpath issues found - ActivateJailDialog treats all validation issues as blocking - Trigger immediate _run_probe after activation in config router - /api/health now reports fail2ban online/offline from cached probe - Add TestActivateJailBlocking tests; fix existing tests to mock validation
2026-03-14 18:57:01 +01:00
parent 68d8056d2e
commit ee7412442a
11 changed files with 425 additions and 656 deletions
--- a/backend/app/services/config_file_service.py
+++ b/backend/app/services/config_file_service.py
@@ -1136,6 +1136,25 @@ async def activate_jail(
            warnings=warnings,
        )

+    # Block activation on critical validation failures (missing filter or logpath).
+    blocking = [i for i in validation_result.issues if i.field in ("filter", "logpath")]
+    if blocking:
+        log.warning(
+            "jail_activation_blocked",
+            jail=name,
+            issues=[f"{i.field}: {i.message}" for i in blocking],
+        )
+        return JailActivationResponse(
+            name=name,
+            active=False,
+            fail2ban_running=True,
+            validation_warnings=warnings,
+            message=(
+                f"Jail {name!r} cannot be activated: "
+                + "; ".join(i.message for i in blocking)
+            ),
+        )
+
    overrides: dict[str, Any] = {
        "bantime": req.bantime,
        "findtime": req.findtime,
--- a/backend/app/services/config_service.py
+++ b/backend/app/services/config_service.py
@@ -768,7 +768,7 @@ _NON_FILE_LOG_TARGETS: frozenset[str] = frozenset(
 )

 # Only allow reading log files under these base directories (security).
-_SAFE_LOG_PREFIXES: tuple[str, ...] = ("/var/log",)
+_SAFE_LOG_PREFIXES: tuple[str, ...] = ("/var/log", "/config/log")


 def _count_file_lines(file_path: str) -> int:
@@ -847,7 +847,7 @@ async def read_fail2ban_log(
    if not any(resolved_str.startswith(safe) for safe in _SAFE_LOG_PREFIXES):
        raise ConfigOperationError(
            f"Log path {resolved_str!r} is outside the allowed directory. "
-            "Only paths under /var/log are permitted."
+            "Only paths under /var/log or /config/log are permitted."
        )

    if not resolved.is_file():