#!/usr/bin/env bash # commands/unblock/helpers.sh function cmd::unblock::_impl() { local name="$1" identity="$2" type="$3" reason="$4" local all="$5" quiet="$6" force="$7" local -n _ips_ref="$8" local -n _subnets_ref="$9" local -n _ports_ref="${10}" local -n _services_ref="${11}" if [[ -n "$identity" ]]; then cmd::unblock::_unblock_identity "$identity" "$quiet" || return 1 return 0 fi [[ -z "$name" ]] && { log::error "Missing required flag: --name or --identity" return 1 } name=$(peers::resolve_and_require "$name" "$type") || return 1 if ! peers::is_blocked "$name" && ! block::has_file "$name"; then log::wg_warning "Client is not blocked: ${name}" return 0 fi if [[ ${#_ips_ref[@]} -eq 0 && ${#_subnets_ref[@]} -eq 0 && \ ${#_ports_ref[@]} -eq 0 && ${#_services_ref[@]} -eq 0 ]]; then all=true fi local client_ip client_ip=$(peers::get_ip "$name") || return 1 if [[ "$all" == "true" ]]; then cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet" cmd::unblock::_record_history "$name" "manual" "$reason" return 0 fi for ip in "${_ips_ref[@]:-}"; do fw::unblock_ip "$client_ip" "$ip" block::remove_rule "$name" "ip" "$ip" $quiet || log::wg_success "${ip} has been unblocked for ${name}" done for subnet in "${_subnets_ref[@]:-}"; do fw::unblock_subnet "$client_ip" "$subnet" block::remove_rule "$name" "subnet" "$subnet" $quiet || log::wg_success "${subnet} has been unblocked for ${name}" done for entry in "${_ports_ref[@]:-}"; do local target port proto IFS=":" read -r target port proto <<< "$entry" proto="${proto:-tcp}" fw::unblock_port "$client_ip" "$target" "$port" "$proto" block::remove_rule "$name" "port" "$target" "$port" "$proto" $quiet || log::wg_success "${target}:${port}:${proto} has been unblocked for ${name}" done for svc in "${_services_ref[@]:-}"; do local resolved_lines=() mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null) if [[ ${#resolved_lines[@]} -eq 0 ]]; then log::error "Service not found: ${svc}" return 1 fi local is_blocked=false for resolved in "${resolved_lines[@]}"; do if [[ "$resolved" == *:*:* ]]; then local b_ip b_port b_proto IFS=":" read -r b_ip b_port b_proto <<< "$resolved" fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null && \ { is_blocked=true; break; } else fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \ { is_blocked=true; break; } fi done if ! $is_blocked; then $quiet || log::wg_warning "${svc} is not blocked for ${name}" continue fi for resolved in "${resolved_lines[@]}"; do if [[ "$resolved" == *:*:* ]]; then local b_ip b_port b_proto IFS=":" read -r b_ip b_port b_proto <<< "$resolved" fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto" block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto" else fw::unblock_ip "$client_ip" "$resolved" block::remove_rule "$name" "ip" "$resolved" fi done $quiet || log::wg_success "${svc} has been unblocked for ${name}" done block::cleanup "$name" cmd::unblock::_record_history "$name" "manual" "$reason" return 0 } # ── Helpers ─────────────────────────────────────────────────────────────────── function cmd::unblock::_unblock_identity() { local identity_name="${1:-}" quiet="${2:-false}" identity::require_exists "$identity_name" || return 1 identity::require_has_peers "$identity_name" || return 1 local peers unblocked=0 skipped=0 peers=$(identity::peers "$identity_name") while IFS= read -r peer_name; do [[ -z "$peer_name" ]] && continue if ! peers::is_blocked "$peer_name" && ! block::has_file "$peer_name"; then skipped=$(( skipped + 1 )) continue fi local client_ip client_ip=$(peers::get_ip "$peer_name") || continue if cmd::unblock::_unblock_all "$peer_name" "$client_ip" true; then unblocked=$(( unblocked + 1 )) else skipped=$(( skipped + 1 )) fi done <<< "$peers" if [[ $unblocked -eq 0 ]]; then log::wg_warning "No peers were blocked for identity '${identity_name}'" elif [[ $skipped -gt 0 ]]; then log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}' (${skipped} were not blocked)" else log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}'" fi return 0 } function cmd::unblock::_unblock_all() { local name="${1:?}" client_ip="${2:?}" quiet="${3:-false}" block::set_direct "$name" "$client_ip" "false" block::clear_full_block "$name" block::restore_peer "$name" "$client_ip" block::cleanup "$name" local rule rule=$(peers::get_meta "$name" "rule") if [[ -n "$rule" ]] && rule::exists "$rule"; then rule::apply "$rule" "$client_ip" "$name" fi local groups groups=$(block::get_groups "$name") if [[ -n "$groups" ]]; then log::wg_warning "${name} was blocked by group(s): ${groups} — unblocking anyway" fi $quiet || log::wg_success "${name} has been unblocked." return 0 } function cmd::unblock::_record_history() { local name="${1:-}" unblocked_by="${2:-manual}" reason="${3:-}" json::block_history_unblock \ "$(ctx::block_history)" \ "$name" \ "$unblocked_by" \ "$reason" \ 2>/dev/null > /dev/null || true }