wgctl/commands/unblock/helpers.sh
Nuno Duque Nunes f61bc59446 feat: block/unblock migration, help.sh optimization
- commands/block/: block.sh, show.sh, helpers.sh
- commands/unblock/: unblock.sh, show.sh, helpers.sh
- flag::define array type: --ip[], --subnet[], --port[], --service[]
- help.sh: use pre-cached _FLAG_C_* arrays instead of flag::_parse_constraints
- remove flag::_parse_constraints/flag::_constraint_get calls from help.sh
- adopt local var; var=value pattern for safe assignment
2026-05-30 12:31:41 +00:00

180 lines
No EOL
5.5 KiB
Bash

#!/usr/bin/env bash
# commands/unblock/helpers.sh
function cmd::unblock::_impl() {
local name="$1" identity="$2" type="$3" reason="$4"
local all="$5" quiet="$6" force="$7"
local -n _ips_ref="$8"
local -n _subnets_ref="$9"
local -n _ports_ref="${10}"
local -n _services_ref="${11}"
if [[ -n "$identity" ]]; then
cmd::unblock::_unblock_identity "$identity" "$quiet" || return 1
return 0
fi
[[ -z "$name" ]] && {
log::error "Missing required flag: --name or --identity"
return 1
}
name=$(peers::resolve_and_require "$name" "$type") || return 1
if ! peers::is_blocked "$name" && ! block::has_file "$name"; then
log::wg_warning "Client is not blocked: ${name}"
return 0
fi
if [[ ${#_ips_ref[@]} -eq 0 && ${#_subnets_ref[@]} -eq 0 && \
${#_ports_ref[@]} -eq 0 && ${#_services_ref[@]} -eq 0 ]]; then
all=true
fi
local client_ip
client_ip=$(peers::get_ip "$name") || return 1
if [[ "$all" == "true" ]]; then
cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet"
cmd::unblock::_record_history "$name" "manual" "$reason"
return 0
fi
for ip in "${_ips_ref[@]:-}"; do
fw::unblock_ip "$client_ip" "$ip"
block::remove_rule "$name" "ip" "$ip"
$quiet || log::wg_success "${ip} has been unblocked for ${name}"
done
for subnet in "${_subnets_ref[@]:-}"; do
fw::unblock_subnet "$client_ip" "$subnet"
block::remove_rule "$name" "subnet" "$subnet"
$quiet || log::wg_success "${subnet} has been unblocked for ${name}"
done
for entry in "${_ports_ref[@]:-}"; do
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::unblock_port "$client_ip" "$target" "$port" "$proto"
block::remove_rule "$name" "port" "$target" "$port" "$proto"
$quiet || log::wg_success "${target}:${port}:${proto} has been unblocked for ${name}"
done
for svc in "${_services_ref[@]:-}"; do
local resolved_lines=()
mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
if [[ ${#resolved_lines[@]} -eq 0 ]]; then
log::error "Service not found: ${svc}"
return 1
fi
local is_blocked=false
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null && \
{ is_blocked=true; break; }
else
fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \
{ is_blocked=true; break; }
fi
done
if ! $is_blocked; then
$quiet || log::wg_warning "${svc} is not blocked for ${name}"
continue
fi
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto"
else
fw::unblock_ip "$client_ip" "$resolved"
block::remove_rule "$name" "ip" "$resolved"
fi
done
$quiet || log::wg_success "${svc} has been unblocked for ${name}"
done
block::cleanup "$name"
cmd::unblock::_record_history "$name" "manual" "$reason"
return 0
}
# ── Helpers ───────────────────────────────────────────────────────────────────
function cmd::unblock::_unblock_identity() {
local identity_name="${1:-}" quiet="${2:-false}"
identity::require_exists "$identity_name" || return 1
identity::require_has_peers "$identity_name" || return 1
local peers unblocked=0 skipped=0
peers=$(identity::peers "$identity_name")
while IFS= read -r peer_name; do
[[ -z "$peer_name" ]] && continue
if ! peers::is_blocked "$peer_name" && ! block::has_file "$peer_name"; then
skipped=$(( skipped + 1 ))
continue
fi
local client_ip
client_ip=$(peers::get_ip "$peer_name") || continue
if cmd::unblock::_unblock_all "$peer_name" "$client_ip" true; then
unblocked=$(( unblocked + 1 ))
else
skipped=$(( skipped + 1 ))
fi
done <<< "$peers"
if [[ $unblocked -eq 0 ]]; then
log::wg_warning "No peers were blocked for identity '${identity_name}'"
elif [[ $skipped -gt 0 ]]; then
log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}' (${skipped} were not blocked)"
else
log::ok "Unblocked ${unblocked} peer(s) for identity '${identity_name}'"
fi
return 0
}
function cmd::unblock::_unblock_all() {
local name="${1:?}" client_ip="${2:?}" quiet="${3:-false}"
block::set_direct "$name" "$client_ip" "false"
block::clear_full_block "$name"
block::restore_peer "$name" "$client_ip"
block::cleanup "$name"
local rule
rule=$(peers::get_meta "$name" "rule")
if [[ -n "$rule" ]] && rule::exists "$rule"; then
rule::apply "$rule" "$client_ip" "$name"
fi
local groups
groups=$(block::get_groups "$name")
if [[ -n "$groups" ]]; then
log::wg_warning "${name} was blocked by group(s): ${groups} — unblocking anyway"
fi
$quiet || log::wg_success "${name} has been unblocked."
return 0
}
function cmd::unblock::_record_history() {
local name="${1:-}" unblocked_by="${2:-manual}" reason="${3:-}"
json::block_history_unblock \
"$(ctx::block_history)" \
"$name" \
"$unblocked_by" \
"$reason" \
2>/dev/null > /dev/null || true
}