From 71f83d5d4f7a147c0549a898eeebe2084f2a8907 Mon Sep 17 00:00:00 2001
From: Admin MPCZ <admin@mpcz.fr>
Date: Tue, 14 Apr 2026 15:20:17 +0200
Subject: [PATCH] Qualys refresh: threading lock + 409 if already running

---
 app/routers/qualys.py          |  6 +++++-
 app/services/qualys_service.py | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/app/routers/qualys.py b/app/routers/qualys.py
index b28fa38..f6804d7 100644
--- a/app/routers/qualys.py
+++ b/app/routers/qualys.py
@@ -529,7 +529,11 @@ def qualys_agents_refresh(request: Request, db=Depends(get_db)):
     from ..services.qualys_service import refresh_all_agents
     try:
         stats = refresh_all_agents(db)
-        return JSONResponse({"ok": True, "msg": f"{stats.get('created',0)} créés, {stats.get('updated',0)} mis à jour", "stats": stats})
+        if stats.get("busy"):
+            return JSONResponse(stats, status_code=409)
+        if not stats.get("ok"):
+            return JSONResponse(stats, status_code=500)
+        return JSONResponse({"ok": True, "msg": stats.get("msg") or f"{stats.get('created',0)} créés, {stats.get('updated',0)} mis à jour", "stats": stats})
     except Exception as e:
         import traceback; traceback.print_exc()
         return JSONResponse({"ok": False, "msg": str(e)[:200]}, status_code=500)
diff --git a/app/services/qualys_service.py b/app/services/qualys_service.py
index 722b928..44a51c0 100644
--- a/app/services/qualys_service.py
+++ b/app/services/qualys_service.py
@@ -1,6 +1,10 @@
 """Service Qualys — sync tags pour un serveur via API + cache memoire"""
 import re
 import requests
+import threading
+
+_refresh_lock = threading.Lock()
+_refresh_running = False
 import urllib3
 from sqlalchemy import text
 from .secrets_service import get_secret
@@ -536,6 +540,19 @@ def get_cache_stats():
 
 def refresh_all_agents(db):
     """Rafraichit tous les agents depuis l'API Qualys QPS (bulk, paginé)"""
+    global _refresh_running
+    if not _refresh_lock.acquire(blocking=False):
+        return {"ok": False, "msg": "Une synchronisation Qualys est déjà en cours", "busy": True}
+    _refresh_running = True
+    try:
+        return _refresh_all_agents_impl(db)
+    finally:
+        _refresh_running = False
+        _refresh_lock.release()
+
+
+def _refresh_all_agents_impl(db):
+    """Implémentation réelle du refresh (appelée sous verrou)"""
     qualys_url, qualys_user, qualys_pass, qualys_proxy = _get_qualys_creds(db)
     if not qualys_user:
         return {"ok": False, "msg": "Credentials Qualys non configurés"}