- core/lib/block_history.py: record/unblock/list functions - ctx::block_history: .wgctl/data/block-history/ path - block --reason: record block event with reason, endpoint, triggered_by - unblock --reason: update block event with unblock timestamp - json::block_history_record/unblock/list/list_all wrappers - json::endpoint_cache_get: get cached endpoint for peer - export --all: include block-history in full backup - import --all: restore block-history files - tests: section_block_unblock with fixture peer, history field validation
269 lines
No EOL
8 KiB
Bash
269 lines
No EOL
8 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# ============================================
|
|
# Lifecycle
|
|
# ============================================
|
|
|
|
function cmd::unblock::on_load() {
|
|
flag::register --name
|
|
flag::register --identity
|
|
flag::register --type
|
|
flag::register --force
|
|
flag::register --quiet
|
|
flag::register --ip
|
|
flag::register --port
|
|
flag::register --proto
|
|
flag::register --subnet
|
|
flag::register --all
|
|
flag::register --service
|
|
flag::register --reason
|
|
}
|
|
|
|
# ============================================
|
|
# Help
|
|
# ============================================
|
|
|
|
function cmd::unblock::help() {
|
|
cat <<EOF
|
|
Usage: wgctl unblock --name <name> [options]
|
|
or: wgctl unblock --identity <identity> [options]
|
|
|
|
Remove block rules for a client. Without specific flags, performs a full unblock.
|
|
Direct unblock overrides any group blocks.
|
|
|
|
Options:
|
|
--name <name> Client name (e.g. phone-nuno)
|
|
--identity <name> Unblock all peers belonging to an identity
|
|
--type <type> Device type (optional, combines with --name)
|
|
--ip <ip> Unblock specific IP (repeatable)
|
|
--subnet <cidr> Unblock specific subnet (repeatable)
|
|
--port <ip:port:proto> Unblock specific port (repeatable)
|
|
--service <name> Unblock a named service (repeatable)
|
|
--all Remove all block rules (same as no flags)
|
|
--quiet Suppress output (used by group unblock)
|
|
|
|
Examples:
|
|
wgctl unblock --name phone-nuno
|
|
wgctl unblock --identity nuno
|
|
wgctl unblock --name nuno --type phone
|
|
wgctl unblock --name phone-nuno --ip 10.0.0.210
|
|
wgctl unblock --name phone-nuno --service proxmox
|
|
wgctl unban --name phone-nuno
|
|
EOF
|
|
}
|
|
|
|
# ============================================
|
|
# Run
|
|
# ============================================
|
|
|
|
function cmd::unblock::run() {
|
|
local name="" identity="" type=""
|
|
local ips=() subnets=() ports=() services=()
|
|
local all=false quiet=false force=false
|
|
local reason=""
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--name) name="$2"; shift 2 ;;
|
|
--identity) identity="$2"; shift 2 ;;
|
|
--type) type="$2"; shift 2 ;;
|
|
--ip) ips+=("$2"); shift 2 ;;
|
|
--force) force=true; shift ;;
|
|
--quiet) quiet=true; shift ;;
|
|
--subnet) subnets+=("$2"); shift 2 ;;
|
|
--port) ports+=("$2"); shift 2 ;;
|
|
--service) services+=("$2"); shift 2 ;;
|
|
--reason) reason="$2"; shift 2 ;;
|
|
--all) all=true; shift ;;
|
|
--help) cmd::unblock::help; return ;;
|
|
*)
|
|
log::error "Unknown flag: $1"
|
|
cmd::unblock::help
|
|
return 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# --identity: unblock all peers for this identity
|
|
if [[ -n "$identity" ]]; then
|
|
cmd::unblock::_unblock_identity "$identity" "$quiet" || return 1
|
|
return 0
|
|
fi
|
|
|
|
if [[ -z "$name" ]]; then
|
|
log::error "Missing required flag: --name or --identity"
|
|
cmd::unblock::help
|
|
return 1
|
|
fi
|
|
|
|
name=$(peers::resolve_and_require "$name" "$type") || return 1
|
|
|
|
if ! peers::is_blocked "$name" && ! block::has_file "$name"; then
|
|
log::wg_warning "Client is not blocked: ${name}"
|
|
return 0
|
|
fi
|
|
|
|
if [[ ${#ips[@]} -eq 0 && ${#subnets[@]} -eq 0 && \
|
|
${#ports[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
|
|
all=true
|
|
fi
|
|
|
|
local client_ip
|
|
client_ip=$(peers::get_ip "$name") || return 1
|
|
|
|
if $all; then
|
|
cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet"
|
|
cmd::unblock::_record_history "$name" "manual" "$reason"
|
|
return 0
|
|
fi
|
|
|
|
# Unblock specific IPs
|
|
for ip in "${ips[@]}"; do
|
|
fw::unblock_ip "$client_ip" "$ip"
|
|
block::remove_rule "$name" "ip" "$ip"
|
|
$quiet || log::wg_success "${ip} has been unblocked for ${name}"
|
|
done
|
|
|
|
# Unblock specific subnets
|
|
for subnet in "${subnets[@]}"; do
|
|
fw::unblock_subnet "$client_ip" "$subnet"
|
|
block::remove_rule "$name" "subnet" "$subnet"
|
|
$quiet || log::wg_success "${subnet} has been unblocked for ${name}"
|
|
done
|
|
|
|
# Unblock specific ports
|
|
for entry in "${ports[@]}"; do
|
|
local target port proto
|
|
IFS=":" read -r target port proto <<< "$entry"
|
|
proto="${proto:-tcp}"
|
|
fw::unblock_port "$client_ip" "$target" "$port" "$proto"
|
|
block::remove_rule "$name" "port" "$target" "$port" "$proto"
|
|
$quiet || log::wg_success "${target}:${port}:${proto} has been unblocked for ${name}"
|
|
done
|
|
|
|
# Unblock services
|
|
for svc in "${services[@]}"; do
|
|
local resolved_lines=()
|
|
mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
|
|
if [[ ${#resolved_lines[@]} -eq 0 ]]; then
|
|
log::error "Service not found: ${svc}"
|
|
return 1
|
|
fi
|
|
|
|
local is_blocked=false
|
|
for resolved in "${resolved_lines[@]}"; do
|
|
if [[ "$resolved" == *:*:* ]]; then
|
|
local b_ip b_port b_proto
|
|
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
|
|
fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null && \
|
|
{ is_blocked=true; break; }
|
|
else
|
|
fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \
|
|
{ is_blocked=true; break; }
|
|
fi
|
|
done
|
|
|
|
if ! $is_blocked; then
|
|
$quiet || log::wg_warning "${svc} is not blocked for ${name}"
|
|
continue
|
|
fi
|
|
|
|
for resolved in "${resolved_lines[@]}"; do
|
|
if [[ "$resolved" == *:*:* ]]; then
|
|
local b_ip b_port b_proto
|
|
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
|
|
fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
|
|
block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto"
|
|
else
|
|
fw::unblock_ip "$client_ip" "$resolved"
|
|
block::remove_rule "$name" "ip" "$resolved"
|
|
fi
|
|
done
|
|
|
|
$quiet || log::wg_success "${svc} has been unblocked for ${name}"
|
|
done
|
|
|
|
block::cleanup "$name"
|
|
|
|
# Record unblock for specific rules
|
|
cmd::unblock::_record_history "$name" "manual" "$reason"
|
|
return 0
|
|
}
|
|
|
|
# ============================================
|
|
# Identity unblock
|
|
# ============================================
|
|
|
|
function cmd::unblock::_unblock_identity() {
|
|
local identity_name="${1:-}" quiet="${2:-false}"
|
|
|
|
identity::require_exists "$identity_name" || return 1
|
|
identity::require_has_peers "$identity_name" || return 1
|
|
|
|
local peers unblocked=0 skipped=0
|
|
peers=$(identity::peers "$identity_name")
|
|
|
|
while IFS= read -r peer_name; do
|
|
[[ -z "$peer_name" ]] && continue
|
|
if ! peers::is_blocked "$peer_name" && ! block::has_file "$peer_name"; then
|
|
skipped=$(( skipped + 1 ))
|
|
continue
|
|
fi
|
|
local client_ip
|
|
client_ip=$(peers::get_ip "$peer_name") || continue
|
|
|
|
if cmd::unblock::_unblock_all "$peer_name" "$client_ip" true; then
|
|
unblocked=$(( unblocked + 1 ))
|
|
else
|
|
skipped=$(( skipped + 1 ))
|
|
fi
|
|
done <<< "$peers"
|
|
|
|
if [[ $unblocked -eq 0 ]]; then
|
|
log::wg_warning "No peers were blocked for identity '${identity_name}'"
|
|
elif [[ $skipped -gt 0 ]]; then
|
|
log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}' (${skipped} were not blocked)"
|
|
else
|
|
log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}'"
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
# ============================================
|
|
# Helpers
|
|
# ============================================
|
|
|
|
function cmd::unblock::_unblock_all() {
|
|
local name="${1:?}" client_ip="${2:?}" quiet="${3:-false}"
|
|
|
|
block::set_direct "$name" "$client_ip" "false"
|
|
block::clear_full_block "$name"
|
|
block::restore_peer "$name" "$client_ip"
|
|
block::cleanup "$name"
|
|
|
|
local rule
|
|
rule=$(peers::get_meta "$name" "rule")
|
|
if [[ -n "$rule" ]] && rule::exists "$rule"; then
|
|
rule::apply "$rule" "$client_ip" "$name"
|
|
fi
|
|
|
|
local groups
|
|
groups=$(block::get_groups "$name")
|
|
if [[ -n "$groups" ]]; then
|
|
log::wg_warning "${name} was blocked by group(s): ${groups} — unblocking anyway"
|
|
fi
|
|
|
|
$quiet || log::wg_success "${name} has been unblocked."
|
|
return 0
|
|
}
|
|
|
|
function cmd::unblock::_record_history() {
|
|
local name="${1:-}" unblocked_by="${2:-manual}" reason="${3:-}"
|
|
|
|
json::block_history_unblock \
|
|
"$(ctx::block_history)" \
|
|
"$name" \
|
|
"$unblocked_by" \
|
|
"$reason" \
|
|
2>/dev/null > /dev/null || true
|
|
} |