nuno revisou este gist 1 month ago. Ir para a revisão
1 file changed, 317 insertions
gistfile1.txt(arquivo criado)
| @@ -0,0 +1,317 @@ | |||
| 1 | + | #!/usr/bin/env bash | |
| 2 | + | ||
| 3 | + | function cmd::inspect::on_load() { | |
| 4 | + | flag::register --name | |
| 5 | + | flag::register --type | |
| 6 | + | flag::register --config | |
| 7 | + | flag::register --qr | |
| 8 | + | } | |
| 9 | + | ||
| 10 | + | function cmd::inspect::help() { | |
| 11 | + | cat <<EOF | |
| 12 | + | Usage: wgctl inspect --name <name> [options] | |
| 13 | + | wgctl inspect <full-name> | |
| 14 | + | ||
| 15 | + | Show detailed information for a WireGuard client. | |
| 16 | + | ||
| 17 | + | Sections shown: | |
| 18 | + | Client — IP, type, rule, status, activity | |
| 19 | + | Groups — group memberships | |
| 20 | + | Rule — firewall rule with inheritance tree and service annotations | |
| 21 | + | Peer Blocks — peer-specific restrictions (beyond the assigned rule) | |
| 22 | + | Firewall — active iptables rules with ACCEPT/DROP counts | |
| 23 | + | ||
| 24 | + | Options: | |
| 25 | + | --name <name> Client name (e.g. phone-nuno) | |
| 26 | + | --type <type> Device type — combines with --name | |
| 27 | + | --config Also show raw WireGuard client config | |
| 28 | + | --qr Also show QR code | |
| 29 | + | ||
| 30 | + | Examples: | |
| 31 | + | wgctl inspect --name phone-nuno | |
| 32 | + | wgctl inspect --name nuno --type phone | |
| 33 | + | wgctl inspect --name phone-nuno --config | |
| 34 | + | wgctl inspect --name phone-nuno --qr | |
| 35 | + | wgctl inspect guest-zephyr | |
| 36 | + | EOF | |
| 37 | + | } | |
| 38 | + | ||
| 39 | + | INSPECT_WIDTH=48 # total visible width of section lines | |
| 40 | + | INSPECT_LABEL_WIDTH=20 | |
| 41 | + | ||
| 42 | + | # ============================================ | |
| 43 | + | # Private helpers | |
| 44 | + | # ============================================ | |
| 45 | + | ||
| 46 | + | ||
| 47 | + | function cmd::inspect::_section() { | |
| 48 | + | local title="${1:-}" extra="${2:-0}" | |
| 49 | + | local width=$(( INSPECT_WIDTH + extra )) | |
| 50 | + | local title_len=${#title} | |
| 51 | + | # Account for "── " (3) + " " (1) before dashes | |
| 52 | + | local dash_count=$(( width - title_len - 4 )) | |
| 53 | + | [[ $dash_count -lt 2 ]] && dash_count=2 | |
| 54 | + | local dashes | |
| 55 | + | dashes=$(printf '─%.0s' $(seq 1 $dash_count)) | |
| 56 | + | printf "\n \033[0;37m── %s %s\033[0m\n" "$title" "$dashes" | |
| 57 | + | } | |
| 58 | + | ||
| 59 | + | function cmd::inspect::_peer_info() { | |
| 60 | + | local name="${1:-}" | |
| 61 | + | ||
| 62 | + | local ip type rule public_key allowed_ips | |
| 63 | + | ip=$(peers::get_ip "$name") | |
| 64 | + | type=$(peers::get_type "$name") | |
| 65 | + | rule=$(peers::get_meta "$name" "rule") | |
| 66 | + | public_key=$(keys::public "$name" 2>/dev/null || echo "") | |
| 67 | + | allowed_ips=$(grep "^AllowedIPs" "$(ctx::clients)/${name}.conf" \ | |
| 68 | + | 2>/dev/null | cut -d'=' -f2- | xargs) | |
| 69 | + | ||
| 70 | + | # Status | |
| 71 | + | local handshake_ts is_blocked last_ts | |
| 72 | + | handshake_ts=$(monitor::get_handshake_ts "$public_key") | |
| 73 | + | peers::is_blocked "$name" && is_blocked="true" || is_blocked="false" | |
| 74 | + | last_ts=$(monitor::last_attempt "$name") | |
| 75 | + | ||
| 76 | + | local is_restricted="false" | |
| 77 | + | block::has_specific_rules "$name" 2>/dev/null && is_restricted="true" | |
| 78 | + | ||
| 79 | + | local status last_seen endpoint | |
| 80 | + | status=$(peers::format_status_verbose "$name" "$public_key" \ | |
| 81 | + | "$is_blocked" "$is_restricted" "$handshake_ts" "$last_ts") | |
| 82 | + | last_seen=$(peers::format_last_seen "$name" "$public_key" \ | |
| 83 | + | "$is_blocked" "$last_ts" "" "$handshake_ts") | |
| 84 | + | endpoint=$(monitor::get_cached_endpoint "$name") | |
| 85 | + | ||
| 86 | + | local activity_total | |
| 87 | + | activity_total=$(peers::format_activity_total "$public_key") | |
| 88 | + | ||
| 89 | + | local activity_current | |
| 90 | + | activity_current=$(peers::format_activity_current "$public_key") | |
| 91 | + | ||
| 92 | + | local subtype | |
| 93 | + | subtype=$(peers::get_meta "$name" "subtype") | |
| 94 | + | ||
| 95 | + | local rule_extends="" | |
| 96 | + | if [[ -n "$rule" ]]; then | |
| 97 | + | local rule_file | |
| 98 | + | rule_file="$(rule::path "$rule" 2>/dev/null)" || true | |
| 99 | + | if [[ -n "$rule_file" ]]; then | |
| 100 | + | local ext=() | |
| 101 | + | mapfile -t ext < <(json::get "$rule_file" "extends" 2>/dev/null || true) | |
| 102 | + | if [[ ${#ext[@]} -gt 0 && -n "${ext[0]:-}" ]]; then | |
| 103 | + | rule_extends=" (↳ ${ext[*]})" | |
| 104 | + | fi | |
| 105 | + | fi | |
| 106 | + | fi | |
| 107 | + | ||
| 108 | + | # Rule formatting | |
| 109 | + | local rule_display="${rule:-—}" | |
| 110 | + | if [[ -n "$rule_file" && ${#ext[@]} -gt 0 && -n "${ext[0]:-}" ]]; then | |
| 111 | + | local extends_str | |
| 112 | + | extends_str=$(printf '%s, ' "${ext[@]}" | sed 's/, $//') | |
| 113 | + | rule_display="${rule} ↳ (${extends_str})" | |
| 114 | + | fi | |
| 115 | + | ||
| 116 | + | cmd::inspect::_section "Client" | |
| 117 | + | printf "\n" | |
| 118 | + | ui::row "Name" "$name" "${INSPECT_LABEL_WIDTH}" | |
| 119 | + | ui::row "IP" "$ip" "${INSPECT_LABEL_WIDTH}" | |
| 120 | + | ui::row "Type" "$(peers::display_type "$type" "$subtype")" "${INSPECT_LABEL_WIDTH}" | |
| 121 | + | ui::row "Rule" "$rule_display" "${INSPECT_LABEL_WIDTH}" | |
| 122 | + | ui::row "Status" "$(echo -e "$status")" "${INSPECT_LABEL_WIDTH}" | |
| 123 | + | ui::row "Endpoint" "${endpoint:-—}" "${INSPECT_LABEL_WIDTH}" | |
| 124 | + | ui::row "Last seen" "$last_seen" "${INSPECT_LABEL_WIDTH}" | |
| 125 | + | ui::row "AllowedIPs" "$allowed_ips" "${INSPECT_LABEL_WIDTH}" | |
| 126 | + | ui::row "Public key" "${public_key:-—}" "${INSPECT_LABEL_WIDTH}" | |
| 127 | + | ui::row "Activity (total)" "$activity_total" "${INSPECT_LABEL_WIDTH}" | |
| 128 | + | ui::row "Activity (current)" "$activity_current" "${INSPECT_LABEL_WIDTH}" | |
| 129 | + | ||
| 130 | + | return 0 | |
| 131 | + | } | |
| 132 | + | ||
| 133 | + | function cmd::inspect::_rule_info() { | |
| 134 | + | local name="${1:-}" | |
| 135 | + | local rule | |
| 136 | + | rule=$(peers::get_meta "$name" "rule") | |
| 137 | + | [[ -z "$rule" ]] && return 0 | |
| 138 | + | rule::exists "$rule" || return 0 | |
| 139 | + | ||
| 140 | + | cmd::inspect::_section "Rule: ${rule}" | |
| 141 | + | ||
| 142 | + | if rule::render_extends_tree "$rule"; then | |
| 143 | + | # printf "\n" | |
| 144 | + | : # no-op | |
| 145 | + | else | |
| 146 | + | # No inheritance — flat view | |
| 147 | + | rule::render_flat "$rule" | |
| 148 | + | fi | |
| 149 | + | return 0 | |
| 150 | + | } | |
| 151 | + | ||
| 152 | + | function cmd::inspect::_blocks_info() { | |
| 153 | + | local name="${1:-}" | |
| 154 | + | block::has_file "$name" || return 0 | |
| 155 | + | ||
| 156 | + | local blocked_direct | |
| 157 | + | blocked_direct=$(block::is_blocked_direct "$name") | |
| 158 | + | ||
| 159 | + | local blocked_groups | |
| 160 | + | blocked_groups=$(block::get_groups "$name") | |
| 161 | + | ||
| 162 | + | local rules_output | |
| 163 | + | rules_output=$(block::get_rules "$name") | |
| 164 | + | ||
| 165 | + | # Skip if truly empty | |
| 166 | + | if [[ "$blocked_direct" != "true" ]] && \ | |
| 167 | + | ui::empty "$blocked_groups" && \ | |
| 168 | + | ui::empty "$rules_output"; then | |
| 169 | + | block::cleanup "$name" # clean up stale empty file | |
| 170 | + | return 0 | |
| 171 | + | fi | |
| 172 | + | ||
| 173 | + | # Count rules for header | |
| 174 | + | local rule_count=0 | |
| 175 | + | while IFS= read -r line; do | |
| 176 | + | [[ -n "$line" ]] && (( rule_count++ )) || true | |
| 177 | + | done <<< "$rules_output" | |
| 178 | + | ||
| 179 | + | # Build header like firewall: Blocks (+N) | |
| 180 | + | local header_counts="" | |
| 181 | + | [[ "$rule_count" -gt 0 ]] && header_counts=" (${rule_count})" | |
| 182 | + | [[ "$blocked_direct" == "true" || -n "$blocked_groups" ]] && \ | |
| 183 | + | header_counts="${header_counts} 🚫" | |
| 184 | + | ||
| 185 | + | cmd::inspect::_section "Blocks${header_counts}" | |
| 186 | + | printf "\n" | |
| 187 | + | ||
| 188 | + | [[ "$blocked_direct" == "true" ]] && \ | |
| 189 | + | printf " \033[1;31m🚫\033[0m blocked directly\n" | |
| 190 | + | [[ -n "$blocked_groups" ]] && \ | |
| 191 | + | printf " \033[1;31m🚫\033[0m blocked by groups: %s\n" "$blocked_groups" | |
| 192 | + | ||
| 193 | + | block::format_rules "$name" | |
| 194 | + | return 0 | |
| 195 | + | } | |
| 196 | + | ||
| 197 | + | function cmd::inspect::_group_info() { | |
| 198 | + | local name="$1" | |
| 199 | + | ||
| 200 | + | local groups=() | |
| 201 | + | mapfile -t groups < <(json::peer_groups "$(ctx::groups)" "$name") | |
| 202 | + | ||
| 203 | + | ui::empty "${groups[*]}" && return 0 | |
| 204 | + | ||
| 205 | + | local count=${#groups[@]} | |
| 206 | + | cmd::inspect::_section "Groups (${count})" | |
| 207 | + | printf "\n" | |
| 208 | + | ||
| 209 | + | for g in "${groups[@]}"; do | |
| 210 | + | [[ -z "$g" ]] && continue | |
| 211 | + | local peer_count | |
| 212 | + | local main_marker="" | |
| 213 | + | peer_count=$(json::count "$(group::path "$g")" "peers") | |
| 214 | + | [[ "$g" == "$(peers::get_main_group "$name")" ]] && \ | |
| 215 | + | main_marker=" \033[0;33m★\033[0m" | |
| 216 | + | printf " \033[0;37m·\033[0m %-20s \033[0;37m%s peers\033[0m%b\n" \ | |
| 217 | + | "$g" "$peer_count" "$main_marker" | |
| 218 | + | done | |
| 219 | + | ||
| 220 | + | return 0 | |
| 221 | + | } | |
| 222 | + | ||
| 223 | + | function cmd::inspect::_firewall_info() { | |
| 224 | + | local name="${1:-}" | |
| 225 | + | local ip | |
| 226 | + | ip=$(peers::get_ip "$name") | |
| 227 | + | ||
| 228 | + | local total=0 accepts=0 drops=0 | |
| 229 | + | local rules_output=() | |
| 230 | + | while IFS= read -r line; do | |
| 231 | + | [[ -z "$line" ]] && continue | |
| 232 | + | (( total++ )) || true | |
| 233 | + | [[ "$line" =~ ACCEPT ]] && (( accepts++ )) || true | |
| 234 | + | [[ "$line" =~ DROP ]] && (( drops++ )) || true | |
| 235 | + | rules_output+=("$line") | |
| 236 | + | done < <(fw::forward_rules_for_ip "$ip" | grep -v NFLOG) | |
| 237 | + | ||
| 238 | + | ui::empty "${rules_output[*]}" && return 0 | |
| 239 | + | ||
| 240 | + | printf "\n \033[0;37m── Firewall (%s %s) \033[0m%s\n\n" \ | |
| 241 | + | "$(color::green "+${accepts}")" \ | |
| 242 | + | "$(color::red "-${drops}")" \ | |
| 243 | + | "$(printf '\033[0;37m─%.0s' {1..28})" | |
| 244 | + | ||
| 245 | + | fw::list_peer_rules "$ip" false | |
| 246 | + | ||
| 247 | + | return 0 | |
| 248 | + | } | |
| 249 | + | ||
| 250 | + | function cmd::inspect::_config() { | |
| 251 | + | local name="$1" | |
| 252 | + | cmd::inspect::_section "Config" | |
| 253 | + | printf "\n" | |
| 254 | + | cat "$(ctx::clients)/${name}.conf" | |
| 255 | + | printf "\n" | |
| 256 | + | ||
| 257 | + | return 0 | |
| 258 | + | } | |
| 259 | + | ||
| 260 | + | # ============================================ | |
| 261 | + | # Run | |
| 262 | + | # ============================================ | |
| 263 | + | ||
| 264 | + | function cmd::inspect::run() { | |
| 265 | + | local name="" type="" show_config=false show_qr=false | |
| 266 | + | ||
| 267 | + | if [[ $# -gt 0 && "$1" != "--"* ]]; then | |
| 268 | + | name="$1" | |
| 269 | + | shift | |
| 270 | + | fi | |
| 271 | + | ||
| 272 | + | while [[ $# -gt 0 ]]; do | |
| 273 | + | case "$1" in | |
| 274 | + | --name) name="$2"; shift 2 ;; | |
| 275 | + | --type) type="$2"; shift 2 ;; | |
| 276 | + | --config) show_config=true; shift ;; | |
| 277 | + | --qr) show_qr=true; shift ;; | |
| 278 | + | --help) cmd::inspect::help; return ;; | |
| 279 | + | *) | |
| 280 | + | log::error "Unknown flag: $1" | |
| 281 | + | cmd::inspect::help | |
| 282 | + | return 1 | |
| 283 | + | ;; | |
| 284 | + | esac | |
| 285 | + | done | |
| 286 | + | ||
| 287 | + | if [[ -z "$name" ]]; then | |
| 288 | + | log::error "Missing required flag: --name" | |
| 289 | + | cmd::inspect::help | |
| 290 | + | return 1 | |
| 291 | + | fi | |
| 292 | + | ||
| 293 | + | name=$(peers::resolve_and_require "$name" "$type") || return 1 | |
| 294 | + | ||
| 295 | + | load_command list | |
| 296 | + | ||
| 297 | + | log::section "Inspect: ${name}" | |
| 298 | + | ||
| 299 | + | cmd::inspect::_peer_info "$name" | |
| 300 | + | cmd::inspect::_group_info "$name" | |
| 301 | + | cmd::inspect::_rule_info "$name" | |
| 302 | + | cmd::inspect::_blocks_info "$name" | |
| 303 | + | cmd::inspect::_firewall_info "$name" | |
| 304 | + | ||
| 305 | + | if $show_config; then | |
| 306 | + | cmd::inspect::_config "$name" | |
| 307 | + | fi | |
| 308 | + | ||
| 309 | + | if $show_qr; then | |
| 310 | + | cmd::inspect::_section "QR Code" | |
| 311 | + | printf "\n" | |
| 312 | + | load_command qr | |
| 313 | + | cmd::qr::run --name "$name" | |
| 314 | + | fi | |
| 315 | + | ||
| 316 | + | printf "\n" | |
| 317 | + | } | |
Próximo
Anterior