wgctl/commands/unblock.command.sh

209 lines
No EOL
5.8 KiB
Bash

#!/usr/bin/env bash
# ============================================
# Lifecycle
# ============================================
function cmd::unblock::on_load() {
flag::register --name
flag::register --type
flag::register --force
flag::register --quiet
flag::register --ip
flag::register --port
flag::register --proto
flag::register --subnet
flag::register --all
# System - NET Services
flag::register --service
}
# ============================================
# Help
# ============================================
function cmd::unblock::help() {
cat <<EOF
Usage: wgctl unblock --name <name> [options]
Remove block rules for a client.
Options:
--name <name> Client name (e.g. phone-nuno)
--type <type> Device type (optional, combines with --name)
--ip <ip> Unblock specific IP (repeatable)
--subnet <cidr> Unblock specific subnet (repeatable)
--port <ip:port:proto> Unblock specific port (repeatable)
--all Remove all block rules for this client
--force Skip confirmation prompt
--quiet Suppress output (used by group unblock)
Examples:
wgctl unblock --name phone-nuno
wgctl unblock --name nuno --type phone
wgctl unblock --name phone-nuno --ip 10.0.0.210
wgctl unban --name phone-nuno
EOF
}
# ============================================
# Unblock Run
# ============================================
function cmd::unblock::run() {
local name=""
local type=""
local ips=()
local subnets=()
local ports=()
local services=()
local all=false
local quiet=false
while [[ $# -gt 0 ]]; do
case "$1" in
--name) name="$2"; shift 2 ;;
--type) type="$2"; shift 2 ;;
--ip) ips+=("$2"); shift 2 ;;
--force) force=true; shift ;;
--quiet) quiet=true; shift ;;
--subnet) subnets+=("$2"); shift 2 ;;
--port) ports+=("$2"); shift 2 ;;
--service) services+=("$2"); shift 2 ;;
--all) all=true; shift ;;
--help) cmd::unblock::help; return ;;
*)
log::error "Unknown flag: $1"
cmd::unblock::help
return 1
;;
esac
done
if [[ -z "$name" ]]; then
log::error "Missing required flag: --name"
cmd::unblock::help
return 1
fi
name=$(peers::resolve_and_require "$name" "$type") || return 1
# Check if actually blocked
if ! peers::is_blocked "$name" && ! block::has_file "$name"; then
log::wg_warning "Client is not blocked: ${name}"
return 0
fi
# Default to full unblock if no specific flags given
if [[ ${#ips[@]} -eq 0 && ${#subnets[@]} -eq 0 && ${#ports[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
all=true
fi
local client_ip
client_ip=$(peers::get_ip "$name") || return 1
# $quiet || log::section "Unblocking client: ${name} (${client_ip})"
if $all; then
cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet"
return 0
fi
# Unblock services
for svc in "${services[@]}"; do
local resolved_lines=()
mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
if [[ ${#resolved_lines[@]} -eq 0 ]]; then
log::error "Service not found: ${svc}"
return 1
fi
# Check if actually blocked
local is_blocked=false
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::has_block_rule "$client_ip" "$b_ip" "$b_proto" "$b_port" 2>/dev/null && \
{ is_blocked=true; break; }
else
fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \
{ is_blocked=true; break; }
fi
done
if ! $is_blocked; then
$quiet || log::wg_warning "${svc} is not blocked for ${name}"
continue
fi
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto"
else
fw::unblock_ip "$client_ip" "$resolved"
block::remove_rule "$name" "ip" "$resolved"
fi
done
$quiet || log::wg_success "${svc} has been unblocked for ${name}"
done
# Unblock specific IPs
for ip in "${ips[@]}"; do
fw::unblock_ip "$client_ip" "$ip"
block::remove_rule "$name" "ip" "$ip"
done
# Unblock specific subnets
for subnet in "${subnets[@]}"; do
fw::unblock_subnet "$client_ip" "$subnet"
block::remove_rule "$name" "subnet" "$subnet"
done
# Unblock specific ports
for entry in "${ports[@]}"; do
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::unblock_port "$client_ip" "$target" "$port" "$proto"
block::remove_rule "$name" "port" "$b_target" "$b_port" "$b_proto"
done
# Clean up block file if now empty
block::cleanup "$name"
return 0
}
function cmd::unblock::_unblock_all() {
local name="${1:?}" client_ip="${2:?}" quiet="${3:-false}"
# Direct unblock overrides everything — clear all block state
block::set_direct "$name" "$client_ip" "false"
# Force full unblock regardless of group blocks
# (direct unblock = admin override)
block::restore_peer "$name" "$client_ip"
block::remove_file "$name"
local rule
rule=$(peers::get_meta "$name" "rule")
[[ -n "$rule" ]] && rule::exists "$rule" && \
rule::apply "$rule" "$client_ip" "$name"
local groups
groups=$(block::get_groups "$name")
if [[ -n "$groups" ]]; then
log::wg_warning "${name} was blocked by group(s): ${groups} — unblocking anyway"
fi
$quiet || log::wg_success "${name} has been unblocked."
return 0
}