refactor: Add backend abstration to firewall_lib, remove obsolete firewall_lib offline code

[martinpitt]

Prerequisite for adding a backend with firewall-offline-cmd or XML editing. I'll experiment with that next. But I first want a complete test run to ensure I didn't break anything.

Summary by Sourcery

Introduce an OnlineAPIBackend to centralize all firewall operations via the FirewallClient API, streamline the module’s entry point, and drop legacy offline code paths.

Enhancements:

• Centralize firewall operations in a new OnlineAPIBackend class using the FirewallClient API
• Simplify main() to instantiate the backend and delegate all configuration methods, removing manual branching and version checks
• Eliminate obsolete offline code and helper functions (e.g., handle_interface_permanent, offline version parsing)

Tests:

• Remove legacy offline-specific unit tests and adapt the test suite to the new backend abstraction

[sourcery-ai]

Reviewer's Guide

This PR refactors firewall_lib by introducing a unified OnlineAPIBackend for all FirewallClient operations, removing legacy offline support and related tests, and simplifying main() to delegate work to the new backend.

File-Level Changes

Change	Details	Files
Introduce OnlineAPIBackend to centralize all firewall operations	Implemented OnlineAPIBackend class with set_* methods for services, ipsets, ports, rules, etc. Initialized FirewallClient in backend, set exception handler, tracked changed and reload flags Added finalize() to apply settings and reload firewalld	library/firewall_lib.py
Remove legacy offline support code paths	Deleted handle_interface_permanent and set_the_default_zone helpers Removed fw_offline detection, offline client imports and branches Eliminated outdated offline-only version checks	library/firewall_lib.py
Simplify main() by delegating to OnlineAPIBackend	Replaced inline runtime/permanent logic with backend instantiation and method calls Consolidated version checking into a single pre-run step Removed manual changed/need_reload tracking in main()	library/firewall_lib.py
Reposition and retain utility definitions	Moved PCI_REGEX and lsr_parse_version below backend class Ensured version parsing remains available for pre-run checks	library/firewall_lib.py
Clean up obsolete unit tests related to offline mode	Removed tests for handle_interface_permanent and offline version scenarios Deleted offline-mode test blocks in test_firewall_lib.py	tests/unit/test_firewall_lib.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[martinpitt]

[citest]

[richm]

lgtm

[martinpitt]

I poured a bucket of black paint over this and fixed a typo, now it should pass the unit tests. Otherwise this was fairly green.

[codecov]

Codecov Report

Attention: Patch coverage is 72.18935% with 141 lines in your changes missing coverage. Please review.

Project coverage is 61.16%. Comparing base (2d7c4ba) to head (7565dc4).
Report is 74 commits behind head on main.

Files with missing lines	Patch %	Lines
library/firewall_lib.py	72.18%	141 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #271      +/-   ##
==========================================
+ Coverage   61.09%   61.16%   +0.06%     
==========================================
  Files           2        2              
  Lines         910      927      +17     
==========================================
+ Hits          556      567      +11     
- Misses        354      360       +6     

Flag	Coverage Δ
sanity	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[martinpitt]

[citest]

[sourcery-ai]

Hey @martinpitt - I've reviewed your changes - here's some feedback:

• The OnlineAPIBackend class is very large and handles many responsibilities—consider splitting out per-resource handlers or moving chunks into helper modules to improve maintainability.
• You’ve duplicated definitions of PCI_REGEX and lsr_parse_version; consolidate those into a single definition at the top to avoid confusion.
• You removed the offline tests but haven’t added coverage for the new backend methods—add focused unit tests for key OnlineAPIBackend.set_* methods (including check-mode vs normal mode) to validate the abstraction.

Here's what I looked at during the review

• 🟡 General issues: 2 issues found
• 🟢 Review instructions: all looks good
• 🟢 Testing: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Missing initialization of fw_zone and fw_settings after creating a zone

Initialize self.fw_zone and self.fw_settings after addZone(): fetch the new zone via config().getZoneByName() and call .getSettings() to avoid None errors.

[sourcery-ai]

issue (bug_risk): Incorrect condition for adding helper modules

Flip the condition to if not fw_service_settings.queryModule(_module): so modules are added only when they don’t already exist.

[sourcery-ai]

suggestion (code-quality): Merge nested if conditions (merge-nested-ifs)

Suggested change

	if destination_ipv4:
	if not fw_service_settings.queryDestination(
	"ipv4", destination_ipv4
	):
	if not self.module.check_mode:
	fw_service_settings.setDestination("ipv4", destination_ipv4)
	self.changed = True
	if destination_ipv4 and not fw_service_settings.queryDestination(
	"ipv4", destination_ipv4
	):
	if not self.module.check_mode:
	fw_service_settings.setDestination("ipv4", destination_ipv4)
	self.changed = True

Explanation

Too much nesting can make code difficult to understand, and this is especially
true in Python, where there are no brackets to help out with the delineation of
different nesting levels.

Reading deeply nested code is confusing, since you have to keep track of which
conditions relate to which levels. We therefore strive to reduce nesting where
possible, and the situation where two if conditions can be combined using
and is an easy win.

[sourcery-ai]

suggestion (code-quality): Merge nested if conditions (merge-nested-ifs)

Suggested change

	if destination_ipv6:
	if not fw_service_settings.queryDestination(
	"ipv6", destination_ipv6
	):
	if not self.module.check_mode:
	fw_service_settings.setDestination("ipv6", destination_ipv6)
	self.changed = True
	if destination_ipv6 and not fw_service_settings.queryDestination(
	"ipv6", destination_ipv6
	):
	if not self.module.check_mode:
	fw_service_settings.setDestination("ipv6", destination_ipv6)
	self.changed = True

Explanation

Too much nesting can make code difficult to understand, and this is especially
true in Python, where there are no brackets to help out with the delineation of
different nesting levels.

Reading deeply nested code is confusing, since you have to keep track of which
conditions relate to which levels. We therefore strive to reduce nesting where
possible, and the situation where two if conditions can be combined using
and is an easy win.

[sourcery-ai]

suggestion (code-quality): Merge nested if conditions (merge-nested-ifs)

Suggested change

	if destination_ipv4:
	if fw_service_settings.queryDestination("ipv4", destination_ipv4):
	if not self.module.check_mode:
	fw_service_settings.removeDestination(
	"ipv4", destination_ipv4
	)
	self.changed = True
	if destination_ipv4 and fw_service_settings.queryDestination("ipv4", destination_ipv4):
	if not self.module.check_mode:
	fw_service_settings.removeDestination(
	"ipv4", destination_ipv4
	)
	self.changed = True

Explanation

Too much nesting can make code difficult to understand, and this is especially
true in Python, where there are no brackets to help out with the delineation of
different nesting levels.

Reading deeply nested code is confusing, since you have to keep track of which
conditions relate to which levels. We therefore strive to reduce nesting where
possible, and the situation where two if conditions can be combined using
and is an easy win.

[sourcery-ai]

suggestion (code-quality): Replace interpolated string formatting with f-string (replace-interpolation-with-fstring)

Suggested change

	module.fail_json(msg="%s zone '%s' does not exist." % (err_str, zone))
	module.fail_json(msg=f"{err_str} zone '{zone}' does not exist.")

[sourcery-ai]

issue (code-quality): We've found these issues:

• Merge else clause's nested if statement into elif (merge-else-if-into-elif)
• Use f-string instead of string concatenation (use-fstring-for-concatenation)
• Low code quality found in OnlineAPIBackend.set_service - 3% (low-code-quality)

Explanation

The quality score for this function is below the quality threshold of 25%.
This score is a combination of the method length, cognitive complexity and working memory.

How can you solve this?

It might be worth refactoring this function to make it shorter and more readable.

• Reduce the function length by extracting pieces of functionality out into
  their own functions. This is the most important thing you can do - ideally a
  function should be less than 10 lines.
• Reduce nesting, perhaps by introducing guard clauses to return early.
• Ensure that variables are tightly scoped, so that code using related concepts
  sits together within the function rather than being scattered.

[sourcery-ai]

issue (code-quality): We've found these issues:

• Replace interpolated string formatting with f-string (replace-interpolation-with-fstring)
• Split conditional into multiple branches (split-or-ifs)
• Merge duplicate blocks in conditional (merge-duplicate-blocks)
• Remove redundant conditional [×2] (remove-redundant-if)
• Low code quality found in OnlineAPIBackend.set_ipset - 12% (low-code-quality)

Explanation

The quality score for this function is below the quality threshold of 25%.
This score is a combination of the method length, cognitive complexity and working memory.

How can you solve this?

It might be worth refactoring this function to make it shorter and more readable.

• Reduce the function length by extracting pieces of functionality out into
  their own functions. This is the most important thing you can do - ideally a
  function should be less than 10 lines.
• Reduce nesting, perhaps by introducing guard clauses to return early.
• Ensure that variables are tightly scoped, so that code using related concepts
  sits together within the function rather than being scattered.

[sourcery-ai]

suggestion (code-quality): We've found these issues:

• Replace interpolated string formatting with f-string (replace-interpolation-with-fstring)
• Low code quality found in OnlineAPIBackend.set_source - 23% (low-code-quality)

Suggested change

	"%s does not exist - ensure it is defined in a previous task before running play outside check mode"
	% item
	f"{item} does not exist - ensure it is defined in a previous task before running play outside check mode"

Explanation

The quality score for this function is below the quality threshold of 25%.
This score is a combination of the method length, cognitive complexity and working memory.

How can you solve this?

It might be worth refactoring this function to make it shorter and more readable.

• Reduce the function length by extracting pieces of functionality out into
  their own functions. This is the most important thing you can do - ideally a
  function should be less than 10 lines.
• Reduce nesting, perhaps by introducing guard clauses to return early.
• Ensure that variables are tightly scoped, so that code using related concepts
  sits together within the function rather than being scattered.

[sourcery-ai]

issue (code-quality): Low code quality found in OnlineAPIBackend.set_interface - 15% (low-code-quality)

Explanation

The quality score for this function is below the quality threshold of 25%.
This score is a combination of the method length, cognitive complexity and working memory.

How can you solve this?

It might be worth refactoring this function to make it shorter and more readable.

• Reduce the function length by extracting pieces of functionality out into
  their own functions. This is the most important thing you can do - ideally a
  function should be less than 10 lines.
• Reduce nesting, perhaps by introducing guard clauses to return early.
• Ensure that variables are tightly scoped, so that code using related concepts
  sits together within the function rather than being scattered.

[martinpitt]

Yes yes sourcery.ai, I know the code isn't good. There are lots of issues, but I don't want to change the logic here. We can't use f-strings yet, this has to work on RHEL 7.

You’ve duplicated definitions of PCI_REGEX and lsr_parse_version

Erm, no, I didn't.

[richm]

Yes yes sourcery.ai, I know the code isn't good. There are lots of issues, but I don't want to change the logic here. We can't use f-strings yet, this has to work on RHEL 7.

You’ve duplicated definitions of PCI_REGEX and lsr_parse_version

Erm, no, I didn't.

Yeah, just downvote or delete those annoying comments.

[martinpitt]

I am getting quite far in my bootc-container-test branch which implements an offline backend, and now gained enough faith in this structure.

However, there are two global functions create_{service,ipset} which ought to move into the OnlineAPI class. Let's clean that up, pushed. I also rebased, so the interdiff above now also has #270 included (and that's good for making sure the merge works).

[martinpitt]

Fixed an asymmetry, this makes the offline implementation a bit simpler. It is a no-op (by happenstance and a code smell) with the old code.

[martinpitt]

[citest]