internal/fail2ban/manager.go

package fail2ban

import (
	"context"
	"fmt"
	"sync"

	"github.com/swissmakers/fail2ban-ui/internal/config"
)

// =========================================================================
//  Connector Interface
// =========================================================================

// Connector is the communication backend for a Fail2ban server.
type Connector interface {
	ID() string
	Server() config.Fail2banServer

	GetJailInfos(ctx context.Context) ([]JailInfo, error)
	GetBannedIPs(ctx context.Context, jail string) ([]string, error)
	UnbanIP(ctx context.Context, jail, ip string) error
	BanIP(ctx context.Context, jail, ip string) error
	Reload(ctx context.Context) error
	Restart(ctx context.Context) error
	GetFilterConfig(ctx context.Context, jail string) (string, string, error)
	SetFilterConfig(ctx context.Context, jail, content string) error
	FetchBanEvents(ctx context.Context, limit int) ([]BanEvent, error)

	// Jail management
	GetAllJails(ctx context.Context) ([]JailInfo, error)
	UpdateJailEnabledStates(ctx context.Context, updates map[string]bool) error

	// Filter operations
	GetFilters(ctx context.Context) ([]string, error)
	TestFilter(ctx context.Context, filterName string, logLines []string, filterContent string) (output string, filterPath string, err error)

	// Jail configuration operations
	GetJailConfig(ctx context.Context, jail string) (string, string, error)
	SetJailConfig(ctx context.Context, jail, content string) error
	TestLogpath(ctx context.Context, logpath string) ([]string, error)
	TestLogpathWithResolution(ctx context.Context, logpath string) (originalPath, resolvedPath string, files []string, err error)

	// Default settings operations
	UpdateDefaultSettings(ctx context.Context, settings config.AppSettings) error

	// Jail local structure management
	EnsureJailLocalStructure(ctx context.Context) error

	// CheckJailLocalIntegrity checks whether jail.local exists and contains the
	// ui-custom-action marker, which indicates it is managed by Fail2ban-UI.
	CheckJailLocalIntegrity(ctx context.Context) (bool, bool, error)

	// Jail and filter creation/deletion
	CreateJail(ctx context.Context, jailName, content string) error
	DeleteJail(ctx context.Context, jailName string) error
	CreateFilter(ctx context.Context, filterName, content string) error
	DeleteFilter(ctx context.Context, filterName string) error
}

// =========================================================================
//  Manager
// =========================================================================

// Manager holds connectors for all configured Fail2ban servers.
type Manager struct {
	mu         sync.RWMutex
	connectors map[string]Connector
}

var (
	managerOnce sync.Once
	managerInst *Manager
)

func GetManager() *Manager {
	managerOnce.Do(func() {
		managerInst = &Manager{
			connectors: make(map[string]Connector),
		}
	})
	return managerInst
}

func (m *Manager) ReloadFromSettings(settings config.AppSettings) error {
	m.mu.Lock()
	defer m.mu.Unlock()

	connectors := make(map[string]Connector)
	for _, srv := range settings.Servers {
		if !srv.Enabled {
			continue
		}
		conn, err := newConnectorForServer(srv)
		if err != nil {
			return fmt.Errorf("failed to initialise connector for %s (%s): %w", srv.Name, srv.ID, err)
		}
		connectors[srv.ID] = conn
	}

	m.connectors = connectors
	return nil
}

// Returns the connector for the specified server ID.
func (m *Manager) Connector(serverID string) (Connector, error) {
	m.mu.RLock()
	defer m.mu.RUnlock()

	if serverID == "" {
		return nil, fmt.Errorf("server id must be provided")
	}
	conn, ok := m.connectors[serverID]
	if !ok {
		return nil, fmt.Errorf("connector for server %s not found or not enabled", serverID)
	}
	return conn, nil
}

// Returns the default connector as defined in settings.
func (m *Manager) DefaultConnector() (Connector, error) {
	server := config.GetDefaultServer()
	if server.ID == "" {
		return nil, fmt.Errorf("no active fail2ban server configured")
	}
	return m.Connector(server.ID)
}

// Returns all connectors.
func (m *Manager) Connectors() []Connector {
	m.mu.RLock()
	defer m.mu.RUnlock()
	result := make([]Connector, 0, len(m.connectors))
	for _, conn := range m.connectors {
		result = append(result, conn)
	}
	return result
}

// =========================================================================
//  Action File Management
// =========================================================================

// Updates action files for all active remote connectors (SSH and Agent).
func (m *Manager) UpdateActionFiles(ctx context.Context) error {
	m.mu.RLock()
	connectors := make([]Connector, 0, len(m.connectors))
	for _, conn := range m.connectors {
		server := conn.Server()
		// Only update remote servers (SSH and Agent), not local
		if server.Type == "ssh" || server.Type == "agent" {
			connectors = append(connectors, conn)
		}
	}
	m.mu.RUnlock()

	var lastErr error
	for _, conn := range connectors {
		if err := updateConnectorAction(ctx, conn); err != nil {
			fmt.Printf("warning: failed to update action file for server %s: %v\n", conn.Server().Name, err)
			lastErr = err
		}
	}
	return lastErr
}

// Updates the action file for a single server.
func (m *Manager) UpdateActionFileForServer(ctx context.Context, serverID string) error {
	m.mu.RLock()
	conn, ok := m.connectors[serverID]
	m.mu.RUnlock()
	if !ok {
		return fmt.Errorf("connector for server %s not found or not enabled", serverID)
	}
	return updateConnectorAction(ctx, conn)
}

func updateConnectorAction(ctx context.Context, conn Connector) error {
	switch c := conn.(type) {
	case *SSHConnector:
		return c.ensureAction(ctx)
	case *AgentConnector:
		return c.ensureAction(ctx)
	default:
		return nil
	}
}

// =========================================================================
//  Connector Factory
// =========================================================================

func newConnectorForServer(server config.Fail2banServer) (Connector, error) {
	switch server.Type {
	case "local":
		// Run migration before ensuring structure, but only when the experimental JAIL_AUTOMIGRATION=true env var is set.
		if isJailAutoMigrationEnabled() {
			config.DebugLog("JAIL_AUTOMIGRATION=true: running experimental jail.local → jail.d/ migration for local server %s", server.Name)
			if err := MigrateJailsFromJailLocal(); err != nil {
				return nil, fmt.Errorf("failed to initialise local fail2ban connector for %s: %w", server.Name, err)
			}
		}

		if err := config.EnsureLocalFail2banAction(server); err != nil {
			return nil, fmt.Errorf("failed to ensure local fail2ban action for %s: %w", server.Name, err)
		}
		return NewLocalConnector(server), nil
	case "ssh":
		return NewSSHConnector(server)
	case "agent":
		return NewAgentConnector(server)
	default:
		return nil, fmt.Errorf("unsupported server type %s", server.Type)
	}
}
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`package fail2ban`

			`import (`
			`"context"`
			`"fmt"`
			`"sync"`

			`"github.com/swissmakers/fail2ban-ui/internal/config"`
			`)`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// =========================================================================`
			`// Connector Interface`
			`// =========================================================================`

			`// Connector is the communication backend for a Fail2ban server.`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`type Connector interface {`
			`ID() string`
			`Server() config.Fail2banServer`

			`GetJailInfos(ctx context.Context) ([]JailInfo, error)`
			`GetBannedIPs(ctx context.Context, jail string) ([]string, error)`
			`UnbanIP(ctx context.Context, jail, ip string) error`
Added manual block section and BanIP method to for all connectors, like the UnbanIP functionallity 2026-01-07 16:14:48 +01:00			`BanIP(ctx context.Context, jail, ip string) error`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`Reload(ctx context.Context) error`
			`Restart(ctx context.Context) error`
Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`GetFilterConfig(ctx context.Context, jail string) (string, string, error)`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`SetFilterConfig(ctx context.Context, jail, content string) error`
			`FetchBanEvents(ctx context.Context, limit int) ([]BanEvent, error)`
Fix the manage jails functions over ssh, also improve the speed or remote connections 2025-11-12 16:25:16 +01:00
			`// Jail management`
			`GetAllJails(ctx context.Context) ([]JailInfo, error)`
			`UpdateJailEnabledStates(ctx context.Context, updates map[string]bool) error`

			`// Filter operations`
			`GetFilters(ctx context.Context) ([]string, error)`
Enhanced Filter Debug page with inline editing and improved SSH filter testing 2026-01-16 11:39:51 +01:00			`TestFilter(ctx context.Context, filterName string, logLines []string, filterContent string) (output string, filterPath string, err error)`
Refactor jail.local and jail.d management 2025-12-03 20:43:44 +01:00
			`// Jail configuration operations`
Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`GetJailConfig(ctx context.Context, jail string) (string, string, error)`
Refactor jail.local and jail.d management 2025-12-03 20:43:44 +01:00			`SetJailConfig(ctx context.Context, jail, content string) error`
			`TestLogpath(ctx context.Context, logpath string) ([]string, error)`
Reimplement Logpath Tester with fail2ban variable resolution and real-path joining 2025-12-05 23:21:08 +01:00			`TestLogpathWithResolution(ctx context.Context, logpath string) (originalPath, resolvedPath string, files []string, err error)`
restructure jail.local default config functions, make banactions configurable 2025-12-04 19:42:43 +01:00
			`// Default settings operations`
			`UpdateDefaultSettings(ctx context.Context, settings config.AppSettings) error`

			`// Jail local structure management`
			`EnsureJailLocalStructure(ctx context.Context) error`
Fix loading wrong filter problem, implement creation and deletion of filters and jails, fix some css mismatches, update the handlers and routes 2025-12-30 01:10:49 +01:00
Check jail.local state and warn user if it is not fail2ban-UI managed, disable automatic jail.local migration because it is only testing 2026-02-09 19:56:43 +01:00			`// CheckJailLocalIntegrity checks whether jail.local exists and contains the`
			`// ui-custom-action marker, which indicates it is managed by Fail2ban-UI.`
			`CheckJailLocalIntegrity(ctx context.Context) (bool, bool, error)`

Fix loading wrong filter problem, implement creation and deletion of filters and jails, fix some css mismatches, update the handlers and routes 2025-12-30 01:10:49 +01:00			`// Jail and filter creation/deletion`
			`CreateJail(ctx context.Context, jailName, content string) error`
			`DeleteJail(ctx context.Context, jailName string) error`
			`CreateFilter(ctx context.Context, filterName, content string) error`
			`DeleteFilter(ctx context.Context, filterName string) error`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// =========================================================================`
			`// Manager`
			`// =========================================================================`

			`// Manager holds connectors for all configured Fail2ban servers.`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`type Manager struct {`
			`mu sync.RWMutex`
			`connectors map[string]Connector`
			`}`

			`var (`
			`managerOnce sync.Once`
			`managerInst *Manager`
			`)`

			`func GetManager() *Manager {`
			`managerOnce.Do(func() {`
			`managerInst = &Manager{`
			`connectors: make(map[string]Connector),`
			`}`
			`})`
			`return managerInst`
			`}`

			`func (m *Manager) ReloadFromSettings(settings config.AppSettings) error {`
			`m.mu.Lock()`
			`defer m.mu.Unlock()`

			`connectors := make(map[string]Connector)`
			`for _, srv := range settings.Servers {`
			`if !srv.Enabled {`
			`continue`
			`}`
			`conn, err := newConnectorForServer(srv)`
			`if err != nil {`
			`return fmt.Errorf("failed to initialise connector for %s (%s): %w", srv.Name, srv.ID, err)`
			`}`
			`connectors[srv.ID] = conn`
			`}`

			`m.connectors = connectors`
			`return nil`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// Returns the connector for the specified server ID.`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`func (m *Manager) Connector(serverID string) (Connector, error) {`
			`m.mu.RLock()`
			`defer m.mu.RUnlock()`

			`if serverID == "" {`
			`return nil, fmt.Errorf("server id must be provided")`
			`}`
			`conn, ok := m.connectors[serverID]`
			`if !ok {`
			`return nil, fmt.Errorf("connector for server %s not found or not enabled", serverID)`
			`}`
			`return conn, nil`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// Returns the default connector as defined in settings.`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`func (m *Manager) DefaultConnector() (Connector, error) {`
			`server := config.GetDefaultServer()`
			`if server.ID == "" {`
			`return nil, fmt.Errorf("no active fail2ban server configured")`
			`}`
			`return m.Connector(server.ID)`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// Returns all connectors.`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`func (m *Manager) Connectors() []Connector {`
			`m.mu.RLock()`
			`defer m.mu.RUnlock()`
			`result := make([]Connector, 0, len(m.connectors))`
			`for _, conn := range m.connectors {`
			`result = append(result, conn)`
			`}`
			`return result`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// =========================================================================`
			`// Action File Management`
			`// =========================================================================`

			`// Updates action files for all active remote connectors (SSH and Agent).`
fix Fail2ban Callback URL update also on ssh/agent servers 2025-11-14 11:20:18 +01:00			`func (m *Manager) UpdateActionFiles(ctx context.Context) error {`
			`m.mu.RLock()`
			`connectors := make([]Connector, 0, len(m.connectors))`
			`for _, conn := range m.connectors {`
			`server := conn.Server()`
			`// Only update remote servers (SSH and Agent), not local`
			`if server.Type == "ssh" \|\| server.Type == "agent" {`
			`connectors = append(connectors, conn)`
			`}`
			`}`
			`m.mu.RUnlock()`

			`var lastErr error`
			`for _, conn := range connectors {`
			`if err := updateConnectorAction(ctx, conn); err != nil {`
			`fmt.Printf("warning: failed to update action file for server %s: %v\n", conn.Server().Name, err)`
			`lastErr = err`
			`}`
			`}`
			`return lastErr`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// Updates the action file for a single server.`
replace base64 payload bash -c with a stdin via here-doc to prevent false pharsing 2025-11-14 11:44:23 +01:00			`func (m *Manager) UpdateActionFileForServer(ctx context.Context, serverID string) error {`
			`m.mu.RLock()`
			`conn, ok := m.connectors[serverID]`
			`m.mu.RUnlock()`
			`if !ok {`
			`return fmt.Errorf("connector for server %s not found or not enabled", serverID)`
			`}`
			`return updateConnectorAction(ctx, conn)`
			`}`

fix Fail2ban Callback URL update also on ssh/agent servers 2025-11-14 11:20:18 +01:00			`func updateConnectorAction(ctx context.Context, conn Connector) error {`
			`switch c := conn.(type) {`
			`case *SSHConnector:`
			`return c.ensureAction(ctx)`
			`case *AgentConnector:`
			`return c.ensureAction(ctx)`
			`default:`
Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`return nil`
fix Fail2ban Callback URL update also on ssh/agent servers 2025-11-14 11:20:18 +01:00			`}`
			`}`

Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// =========================================================================`
			`// Connector Factory`
			`// =========================================================================`

Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`func newConnectorForServer(server config.Fail2banServer) (Connector, error) {`
			`switch server.Type {`
			`case "local":`
Add sections header to the validation.js and four more go-files 2026-02-18 01:00:40 +01:00			`// Run migration before ensuring structure, but only when the experimental JAIL_AUTOMIGRATION=true env var is set.`
Check jail.local state and warn user if it is not fail2ban-UI managed, disable automatic jail.local migration because it is only testing 2026-02-09 19:56:43 +01:00			`if isJailAutoMigrationEnabled() {`
			`config.DebugLog("JAIL_AUTOMIGRATION=true: running experimental jail.local → jail.d/ migration for local server %s", server.Name)`
			`if err := MigrateJailsFromJailLocal(); err != nil {`
			`return nil, fmt.Errorf("failed to initialise local fail2ban connector for %s: %w", server.Name, err)`
			`}`
Implement jails migration if there are old jails in the jail.local file, before adding the f2b server to f2b-UI 2025-12-06 15:32:28 +01:00			`}`

Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`if err := config.EnsureLocalFail2banAction(server); err != nil {`
Fix loading wrong filter problem, implement creation and deletion of filters and jails, fix some css mismatches, update the handlers and routes 2025-12-30 01:10:49 +01:00			`return nil, fmt.Errorf("failed to ensure local fail2ban action for %s: %w", server.Name, err)`
Refactor the whole backend to support remote-fail2ban machines over ssh or over a agent-api(needs to be build) 2025-11-12 15:52:34 +01:00			`}`
			`return NewLocalConnector(server), nil`
			`case "ssh":`
			`return NewSSHConnector(server)`
			`case "agent":`
			`return NewAgentConnector(server)`
			`default:`
			`return nil, fmt.Errorf("unsupported server type %s", server.Type)`
			`}`
			`}`