#!/usr/bin/env bash # test/destructive.sh — tests that modify system state # Sourced by test.command.sh — do not execute directly. # Requires run_cmd / run_cmd_fails from integration.sh to be sourced first. function cmd::test::section_destructive() { test::section "Destructive (modifying state)" # Cleanup from any previous failed run "$WGCTL_BINARY" remove --name phone-testunit --force > /dev/null 2>&1 || true "$WGCTL_BINARY" remove --name laptop-testunit2 --force > /dev/null 2>&1 || true "$WGCTL_BINARY" remove --name laptop-testunit2b --force > /dev/null 2>&1 || true "$WGCTL_BINARY" group remove --name testgroup --force > /dev/null 2>&1 || true "$WGCTL_BINARY" group remove --name testgroup2 --force > /dev/null 2>&1 || true "$WGCTL_BINARY" net rm --name test-block-svc --force > /dev/null 2>&1 || true "$WGCTL_BINARY" unblock --name phone-testunit > /dev/null 2>&1 || true cmd::test::_destructive_peer cmd::test::_destructive_block_unblock cmd::test::_destructive_service_block cmd::test::_destructive_rule cmd::test::_destructive_groups cmd::test::_destructive_identity cmd::test::_destructive_cleanup cmd::test::_destructive_rule_duplicate cmd::test::_destructive_peer_dns } function cmd::test::_destructive_peer() { cmd::test::run_cmd "add phone peer" "added" \ add --name testunit --type phone } function cmd::test::_destructive_block_unblock() { cmd::test::run_cmd "block peer" "blocked" block --name phone-testunit cmd::test::run_cmd "list shows blocked" "phone-testunit" list --blocked cmd::test::run_cmd "unblock peer" "unblocked" unblock --name phone-testunit cmd::test::run_cmd "block peer --ip" "blocked for" \ block --name phone-testunit --ip 10.0.0.99 cmd::test::run_cmd "list shows restricted" "restricted" \ list --name phone-testunit cmd::test::run_cmd "unblock peer --ip" "unblocked" \ unblock --name phone-testunit --ip 10.0.0.99 } function cmd::test::_destructive_service_block() { "$WGCTL_BINARY" net add --name test-block-svc \ --ip 10.0.0.99 > /dev/null 2>&1 "$WGCTL_BINARY" net add --name test-block-svc:web \ --port 9999:tcp > /dev/null 2>&1 cmd::test::run_cmd "block peer --service (ip)" "blocked" block --name phone-testunit --service test-block-svc cmd::test::run_cmd "block already blocked service" "already" block --name phone-testunit --service test-block-svc cmd::test::run_cmd "unblock peer --service (ip)" "unblocked" unblock --name phone-testunit --service test-block-svc cmd::test::run_cmd "unblock not blocked service" "not blocked" unblock --name phone-testunit --service test-block-svc cmd::test::run_cmd "block peer --service (port)" "blocked" block --name phone-testunit --service test-block-svc:web cmd::test::run_cmd "unblock peer --service (port)" "unblocked" unblock --name phone-testunit --service test-block-svc:web "$WGCTL_BINARY" net rm --name test-block-svc --force > /dev/null 2>&1 || true } function cmd::test::_destructive_rule() { cmd::test::run_cmd "rule assign" "Assigned" rule assign --name user --peer phone-testunit cmd::test::run_cmd "rule unassign" "Unassigned" rule unassign --peer phone-testunit "$WGCTL_BINARY" rule assign --name user --peer phone-testunit > /dev/null 2>&1 || true } function cmd::test::_destructive_groups() { cmd::test::run_cmd "group add" "created" group add --name testgroup --desc "Test group" cmd::test::run_cmd "group peer add" "Added" group peer add --name testgroup --peer phone-testunit cmd::test::run_cmd "group block" "blocked" group block --name testgroup cmd::test::run_cmd "group unblock" "unblocked" group unblock --name testgroup "$WGCTL_BINARY" group add --name testgroup2 --desc "Test group 2" > /dev/null 2>&1 "$WGCTL_BINARY" group peer add --name testgroup2 --peer phone-testunit > /dev/null 2>&1 cmd::test::run_cmd "group block first" "blocked" group block --name testgroup cmd::test::run_cmd "group block second" "blocked" group block --name testgroup2 "$WGCTL_BINARY" group unblock --name testgroup > /dev/null 2>&1 cmd::test::run_cmd "peer stays blocked after partial unblock" "phone-testunit" list --blocked "$WGCTL_BINARY" group unblock --name testgroup2 > /dev/null 2>&1 cmd::test::run_cmd "peer unblocked after all groups unblock" "phone-testunit" list --allowed "$WGCTL_BINARY" group block --name testgroup > /dev/null 2>&1 cmd::test::run_cmd "direct unblock overrides group block" "unblocked" unblock --name phone-testunit cmd::test::run_cmd "group remove" "removed" group remove --name testgroup --force "$WGCTL_BINARY" group remove --name testgroup2 --force > /dev/null 2>&1 || true } function cmd::test::_destructive_identity() { test::section "Destructive: identity auto-attach/detach" # Cleanup from any previous failed run "$WGCTL_BINARY" remove --name laptop-testunit2 --force > /dev/null 2>&1 || true "$WGCTL_BINARY" remove --name laptop-testunit2b --force > /dev/null 2>&1 || true # Add — verify auto-attach to identity "testunit2" cmd::test::run_cmd "add attaches to identity" "added" \ add --name testunit2 --type laptop cmd::test::run_cmd "identity created for testunit2" "laptop-testunit2" \ identity show --name testunit2 # Rename — verify identity::rename_peer moves peer to new identity "testunit2b" cmd::test::run_cmd "rename peer" "renamed" \ rename --name laptop-testunit2 --new-name laptop-testunit2b cmd::test::run_cmd "identity reflects rename (new identity)" "laptop-testunit2b" \ identity show --name testunit2b cmd::test::run_cmd_fails "old identity gone after rename" \ identity show --name testunit2 # Remove — verify auto-detach cleans up identity file cmd::test::run_cmd "remove detaches from identity" "removed" \ remove --name laptop-testunit2b --force cmd::test::run_cmd_fails "identity cleaned up after remove" \ identity show --name testunit2b } function cmd::test::_destructive_rule_duplicate() { # Cleanup from any previous failed run "$WGCTL_BINARY" remove --name phone-testunit --force > /dev/null 2>&1 || true "$WGCTL_BINARY" identity rule unassign --name testunit --all > /dev/null 2>&1 || true "$WGCTL_BINARY" add --name testunit --type phone > /dev/null 2>&1 # Assign admin to identity "$WGCTL_BINARY" identity rule assign --name testunit --rule admin > /dev/null 2>&1 || true # Try to assign admin directly — should fail (identity has it) cmd::test::run_cmd_fails "rule assign blocked by identity rule" \ rule assign --name admin --peer phone-testunit # Remove admin from identity first so we can assign user directly to peer "$WGCTL_BINARY" identity rule unassign --name testunit --rule admin > /dev/null 2>&1 || true # Assign user directly to peer "$WGCTL_BINARY" rule assign --name user --peer phone-testunit > /dev/null 2>&1 || true # Now assign user to identity with --migrate — should remove from peer cmd::test::run_cmd "identity rule assign --migrate" "Migrated" \ identity rule assign --name testunit --rule user --migrate # Cleanup "$WGCTL_BINARY" identity rule unassign --name testunit --all > /dev/null 2>&1 || true "$WGCTL_BINARY" remove --name phone-testunit --force > /dev/null 2>&1 || true } function cmd::test::_destructive_peer_dns() { test::section "Destructive: peer update-dns" "$WGCTL_BINARY" remove --name phone-testunit --force > /dev/null 2>&1 || true "$WGCTL_BINARY" add --name testunit --type phone > /dev/null 2>&1 # Update DNS and verify it's in the conf cmd::test::run_cmd "peer update-dns single peer" "Updated DNS" \ peer update-dns --name phone-testunit --fallback-dns "9.9.9.9" local conf_dns conf_dns=$(grep "^DNS" /etc/wireguard/clients/phone-testunit.conf 2>/dev/null) [[ "$conf_dns" == *"9.9.9.9"* ]] && \ test::pass "DNS line contains fallback" || \ test::fail "DNS line missing fallback (got: $conf_dns)" # Update tunnel mode cmd::test::run_cmd "peer update-tunnel to full" "Updated" \ peer update-tunnel --name phone-testunit --mode full local conf_allowed conf_allowed=$(grep "^AllowedIPs" /etc/wireguard/clients/phone-testunit.conf 2>/dev/null) [[ "$conf_allowed" == *"0.0.0.0/0"* ]] && \ test::pass "AllowedIPs set to full tunnel" || \ test::fail "AllowedIPs not full tunnel (got: $conf_allowed)" cmd::test::run_cmd "peer update-tunnel to split" "Updated" \ peer update-tunnel --name phone-testunit --mode split "$WGCTL_BINARY" remove --name phone-testunit --force > /dev/null 2>&1 || true } function cmd::test::_destructive_cleanup() { cmd::test::run_cmd "remove phone peer" "removed" \ remove --name phone-testunit --force }