feat: add region unblock, improve FileCache fallback, enhance tests

- Add unblock_region() with proper Americas/subregion normalization
- Make FileCache import/init graceful with fallback to in-memory cache
- Add FDS_NOCACHE env var for test/container environments
- Handle HTTP errors when fetching country network lists
- Ensure download destination directories exist
- Silence cloudflare PendingDeprecationWarning
- Pin cloudflare<2.20, add filelock dependency
- Rewrite firewalld-tests.sh to work without systemd
- Add continent block/unblock functional tests
- Add Makefile for Docker-based test workflow
- Add pytest smoke test for region unblock

Author: dvershinin

Makefile

@@ -0,0 +1,147 @@
+# Makefile to build and run firewalld tests in Docker
+
+IMAGE ?= my-firewalld-image
+CONTAINER ?= firewalld-container
+DOCKERFILE ?= firewalld.Dockerfile
+UNAME_S := $(shell uname -s)
+DOCKER ?= docker
+DOCKER_CONTEXT := $(shell docker context show 2>/dev/null)
+
+# On some hosts (e.g. macOS), you may need to override CGROUP_FLAGS to empty:
+#   make test CGROUP_FLAGS=
+CGROUP_FLAGS ?= --volume=/sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host
+TMPFS_FLAGS ?= --tmpfs /run --tmpfs /run/lock
+RUN_FLAGS ?= --detach --privileged $(CGROUP_FLAGS) --name $(CONTAINER)
+TEST_SCRIPT := $(abspath firewalld-tests.sh)
+PKG_DIR := $(abspath fds)
+
+.PHONY: build rebuild ensure-image start start-mac stop rm logs shell exec test test-mac tests tests-colima ensure-env stop-colima-if-needed clean up down
+
+build:
+	@DOCKER_BUILDKIT=0 $(DOCKER) build -t $(IMAGE) -f $(DOCKERFILE) .
+
+rebuild:
+	@DOCKER_BUILDKIT=0 $(DOCKER) build --no-cache -t $(IMAGE) -f $(DOCKERFILE) .
+
+ensure-image:
+	@$(DOCKER) image inspect $(IMAGE) >/dev/null 2>&1 || (echo "Building $(IMAGE)..." && DOCKER_BUILDKIT=0 $(DOCKER) build -t $(IMAGE) -f $(DOCKERFILE) .)
+
+start:
+	@-$(DOCKER) rm -f $(CONTAINER) >/dev/null 2>&1 || true
+	@$(DOCKER) run $(RUN_FLAGS) $(IMAGE)
+	@sleep 10
+	@running=$$($(DOCKER) inspect -f '{{.State.Running}}' $(CONTAINER) 2>/dev/null || true); \
+	if [ "$$running" != "true" ]; then \
+	  echo "Container failed to start. Logs:"; \
+	  $(DOCKER) logs $(CONTAINER) || true; \
+	  $(DOCKER) inspect $(CONTAINER) || true; \
+	  exit 1; \
+	fi
+
+stop:
+	@-$(DOCKER) stop $(CONTAINER) >/dev/null 2>&1 || true
+
+rm: stop
+	@-$(DOCKER) rm $(CONTAINER) >/dev/null 2>&1 || true
+
+logs:
+	@$(DOCKER) logs -f $(CONTAINER)
+
+shell:
+	@$(DOCKER) exec -it $(CONTAINER) /bin/bash
+
+exec:
+	@$(DOCKER) exec $(CONTAINER) /bin/bash -c "$(CMD)"
+
+test: ensure-image start
+	@$(DOCKER) cp $(TEST_SCRIPT) $(CONTAINER):/app/firewalld-tests.sh
+	@$(DOCKER) cp -a $(PKG_DIR) $(CONTAINER):/usr/local/lib/python3.9/site-packages/
+	@$(DOCKER) exec -e FDS_NOCACHE=1 $(CONTAINER) /bin/bash -c "./firewalld-tests.sh"
+
+start-mac: CGROUP_FLAGS=
+start-mac:
+	@-$(DOCKER) rm -f $(CONTAINER) >/dev/null 2>&1 || true
+	@$(DOCKER) run --detach --privileged $(TMPFS_FLAGS) --name $(CONTAINER) $(IMAGE) sleep infinity
+	@sleep 10
+	@running=$$($(DOCKER) inspect -f '{{.State.Running}}' $(CONTAINER) 2>/dev/null || true); \
+	if [ "$$running" != "true" ]; then \
+	  echo "Container failed to start. Logs:"; \
+	  $(DOCKER) logs $(CONTAINER) || true; \
+	  $(DOCKER) inspect $(CONTAINER) || true; \
+	  exit 1; \
+	fi
+
+test-mac: CGROUP_FLAGS=
+test-mac: ensure-image start-mac
+	@$(DOCKER) cp $(TEST_SCRIPT) $(CONTAINER):/app/firewalld-tests.sh
+	@$(DOCKER) cp -a $(PKG_DIR) $(CONTAINER):/usr/local/lib/python3.9/site-packages/
+	@$(DOCKER) exec -e FDS_NOCACHE=1 $(CONTAINER) /bin/bash -c "./firewalld-tests.sh"
+
+ensure-env:
+	@# Ensure environment for tests (start Colima on macOS if available)
+	@if [ "$(UNAME_S)" = "Darwin" ]; then \
+	  if command -v colima >/dev/null 2>&1; then \
+	    if ! colima status 2>/dev/null | grep -q Running; then \
+	      echo "Starting Colima for systemd-compatible Docker..."; \
+	      colima start --cpu 2 --memory 4 --disk 20 || true; \
+	      touch .colima-started-by-make; \
+	    fi; \
+	  else \
+	    if command -v brew >/dev/null 2>&1; then \
+	      echo "Colima not found. Installing via Homebrew..."; \
+	      brew install colima || true; \
+	      if command -v colima >/dev/null 2>&1; then \
+	        echo "Starting Colima..."; \
+	        colima start --cpu 2 --memory 4 --disk 20 || true; \
+	        touch .colima-started-by-make; \
+	      fi; \
+	    fi; \
+	  fi; \
+	fi
+
+tests: ensure-env
+	@status=0; \
+	if [ "$(UNAME_S)" = "Darwin" ] && command -v colima >/dev/null 2>&1 && colima status 2>/dev/null | grep -q Running; then \
+	  echo "Using Colima Docker context"; \
+	  $(MAKE) DOCKER='docker --context colima' DOCKER_BUILDKIT=0 test; \
+	  status=$$?; \
+	else \
+	  if [ "$(UNAME_S)" = "Darwin" ]; then \
+	    echo "Colima not available; using Docker Desktop fallback"; \
+	    $(MAKE) DOCKER='docker' test-mac; \
+	    status=$$?; \
+	  else \
+	    $(MAKE) DOCKER='docker' test; \
+	    status=$$?; \
+	  fi; \
+	fi; \
+	$(MAKE) stop-colima-if-needed; \
+	exit $$status
+
+tests-colima:
+	@status=0; \
+	if ! command -v colima >/dev/null 2>&1 || ! colima status 2>/dev/null | grep -q Running; then \
+	  echo "Starting Colima for systemd-compatible Docker..."; \
+	  colima start --cpu 2 --memory 4 --disk 20 || true; \
+	  touch .colima-started-by-make; \
+	fi; \
+	$(MAKE) DOCKER='docker --context colima' DOCKER_BUILDKIT=0 test; \
+	status=$$?; \
+	$(MAKE) stop-colima-if-needed; \
+	exit $$status
+
+stop-colima-if-needed:
+	@if [ -f .colima-started-by-make ]; then \
+	  echo "Stopping Colima started by tests..."; \
+	  colima stop; \
+	  rm -f .colima-started-by-make; \
+	fi
+
+clean: rm
+	@-$(DOCKER) rmi $(IMAGE) >/dev/null 2>&1 || true
+
+up: start
+
+down: rm
+
+

cds/__init__.py

@@ -1 +1,7 @@
+import warnings
+
+# Silence PendingDeprecationWarning emitted by the 'cloudflare' library
+# during client initialization; we pin <2.20 but some releases still warn.
+warnings.filterwarnings('ignore', category=PendingDeprecationWarning)
+
 from .cds import cf

fds/WebClient.py

@@ -3,8 +3,12 @@
 import logging as log
 
 import requests
+import os
 from cachecontrol import CacheControl
-from cachecontrol.caches import FileCache
+try:
+    from cachecontrol.caches import FileCache
+except Exception:
+    FileCache = None
 from tqdm import tqdm
 
 from .__about__ import __version__
@@ -41,7 +45,18 @@ class WebClient:
     def __init__(self):
         s = requests.session()
         s.headers.update({'User-Agent': 'fds/{}'.format(__version__)})
-        self.cs = CacheControl(s, cache=FileCache('/var/cache/fds'))
+        # Allow disabling on-disk cache via env var (useful in tests/containers)
+        if os.getenv('FDS_NOCACHE') == '1':
+            self.cs = CacheControl(s)
+        else:
+            cache = None
+            if FileCache is not None:
+                try:
+                    cache = FileCache('/var/cache/fds')
+                except Exception:
+                    cache = None
+            # Fallback to in-memory cache if file cache cannot be used
+            self.cs = CacheControl(s, cache=cache) if cache is not None else CacheControl(s)
 
     def download_file(self, url, local_filename=None, display_name=None,
                       return_type='filename'):
@@ -70,6 +85,10 @@ def download_file(self, url, local_filename=None, display_name=None,
                 desc='Downloading {}'.format(local_filename if not display_name else display_name),
                 leave=True  # progressbar stays
             )
+            # Ensure destination directory exists
+            dest_dir = os.path.dirname(local_filename)
+            if dest_dir and not os.path.isdir(dest_dir):
+                os.makedirs(dest_dir, exist_ok=True)
             with open(local_filename, 'wb') as f:
                 for chunk in r.iter_content(chunk_size=chunk_size):
                     if chunk:  # filter out keep-alive new chunks
@@ -91,12 +110,16 @@ def get_country_networks(self, country):
         # )
         url = get_country_ipblocks_url(country)
         log.debug('Downloading {}'.format(url))
-        content = self.download_file(
-            url,
-            display_name='{} networks list'.format(country.getNation()),
-            local_filename=get_country_zone_filename(country),
-            return_type='contents'
-        )
+        try:
+            content = self.download_file(
+                url,
+                display_name='{} networks list'.format(country.getNation()),
+                local_filename=get_country_zone_filename(country),
+                return_type='contents'
+            )
+        except requests.exceptions.HTTPError as e:
+            log.warning('Failed to fetch networks for %s (%s): %s', country.name, country.code, e)
+            return []
         return content.splitlines()
 
     def get_tor_exits(self, family=4):

fds/fds.py

@@ -39,10 +39,33 @@ def block_region(region):
     countries = Countries()
     fw = FirewallWrapper()  # Create a single instance outside the loop
     for country in countries:
-        if country.data['region'] == region:
+        # normalize region same way as Countries.get_continents()
+        country_region = country.data['region']
+        if country_region == 'Americas':
+            country_region = country.data['subregion']
+        if country_region in ['Caribbean', 'Central America']:
+            country_region = 'North America'
+        if country_region == region:
             action_block(country.name, reload=False, fw=fw)
 
 
+def unblock_region(region):
+    """
+    Unblock all countries within a given region/continent.
+    Mirrors block_region's normalization logic.
+    """
+    countries = Countries()
+    fw = FirewallWrapper()
+    for country in countries:
+        country_region = country.data['region']
+        if country_region == 'Americas':
+            country_region = country.data['subregion']
+        if country_region in ['Caribbean', 'Central America']:
+            country_region = 'North America'
+        if country_region == region:
+            fw.unblock_country(country.name)
+
+
 def action_block(ip_or_country_name, ipset_name=None, reload=True, fw=None):
     # FD
     if fw is None:
@@ -92,7 +115,12 @@ def action_unblock(ip_or_country_name):
         fw.unblock_ip(ip_or_country_name)
         cw.unblock_ip(ip_or_country_name)
     except ValueError:
-        fw.unblock_country(ip_or_country_name)
+        countries = Countries()
+        regions = countries.get_continents()
+        if ip_or_country_name in regions:
+            unblock_region(ip_or_country_name)
+        else:
+            fw.unblock_country(ip_or_country_name)
 
 
 def action_reset():

firewalld-tests.sh

@@ -1,9 +1,74 @@
 #!/bin/bash
+set -euo pipefail
 set -x
 
-systemctl start dbus
-sleep 5
-systemctl start firewalld
-sleep 5
+have_systemd() {
+  # True if PID 1 is systemd
+  [ "$(cat /proc/1/comm 2>/dev/null || echo)" = "systemd" ]
+}
 
-fds block 1.2.3.4
+start_dbus_nosystemd() {
+  mkdir -p /var/run/dbus /run/lock
+  if command -v dbus-uuidgen >/dev/null 2>&1; then
+    dbus-uuidgen --ensure
+  elif command -v systemd-machine-id-setup >/dev/null 2>&1; then
+    systemd-machine-id-setup
+  elif [ ! -s /etc/machine-id ]; then
+    cat /proc/sys/kernel/random/uuid | tr -d '-' | head -c 32 > /etc/machine-id
+  fi
+  # Start system bus in background
+  dbus-daemon --system --fork
+}
+
+start_firewalld_nosystemd() {
+  # Start firewalld in background and wait for it to become ready
+  firewalld --nofork &
+  for i in {1..20}; do
+    if firewall-cmd --state >/dev/null 2>&1; then
+      break
+    fi
+    sleep 1
+  done
+  # Do not fail if it's not running; just print status for diagnostics
+  firewall-cmd --state || echo "firewalld not running"
+}
+
+if have_systemd; then
+  systemctl start dbus
+  sleep 3
+  systemctl start firewalld
+  # Give some time for firewalld to come up
+  for i in {1..20}; do
+    if firewall-cmd --state >/dev/null 2>&1; then
+      break
+    fi
+    sleep 1
+  done
+else
+  start_dbus_nosystemd
+  sleep 1
+  start_firewalld_nosystemd
+fi
+
+# Simple smoke test (only if firewalld is up)
+if firewall-cmd --state 2>/dev/null | grep -q running; then
+  # Smoke test: block single IP
+  fds block 1.2.3.4
+
+  # Functional test: block and unblock a continent (Europe)
+  # Expect an EU country's ipset (e.g., Germany) to appear then disappear
+  echo "Blocking continent: Europe"
+  fds block Europe
+  firewall-cmd --get-ipsets | grep -q 'fds-de-4'
+
+  echo "Unblocking continent: Europe"
+  fds unblock Europe
+  if firewall-cmd --get-ipsets | grep -q 'fds-de-4'; then
+    echo 'Expected fds-de-4 to be removed after unblocking Europe';
+    exit 1;
+  fi
+else
+  echo "Firewalld is not running in this environment. Skipping functional firewall test."
+fi
+
+exit 0

firewalld.Dockerfile

@@ -1,7 +1,7 @@
 FROM dvershinin/systemd-base:latest
 
 ## Install systemd and firewalld
-RUN yum install -y systemd firewalld dbus python3-pip git \
+RUN yum install -y systemd firewalld dbus dbus-daemon dbus-tools which python3-pip git \
     && yum clean all \
     && systemctl enable firewalld
 

setup.py

@@ -14,11 +14,12 @@
     'six',
     'netaddr',
     'cachecontrol',
+    'filelock>=3.0.0',
     'tqdm',
     # required for cf.user.tokens.verify.get() and cf.accounts.get()
     # neither endpoints are available in CentOS 7, thus we rebuild pkg from
     # https://github.com/dvershinin/python-cloudflare/releases/tag/2.7.1
-    'cloudflare>=2.7.1,<3',
+    'cloudflare>=2.7.1,<2.20',
     'ipaddress; python_version < "3.0.0"'
 ]
 tests_requires = ["pytest", "flake8", "faker"]