fix: prevent test runs from corrupting live WG state; sync wg0.conf on IP change
Three fixes: 1. Extend the docker-exec safety guard in wireguard_manager to also check for 'wg_confs' in the config path. When running unit tests on the host the API uses /app/config/wireguard/wg0.conf (no wg_confs subdir), so the old '/tmp/' | 'pytest' check didn't fire — _syncconf and friends were executing live 'docker exec cell-wireguard wg set' calls against the running container, removing real VPN peers that didn't appear in the test config. The wg_confs subdir only exists inside the container mount, so its presence reliably gates live calls. 2. Fix get_split_tunnel_ips() wrong path: self.data_dir + 'api/cell_links.json' → self.data_dir + 'cell_links.json'. The extra 'api/' segment produced /app/data/api/cell_links.json inside the container instead of the real /app/data/cell_links.json, so connected cells were silently excluded from split-tunnel CIDRs. 3. update_peer_ip_registry and ip_update now also call wireguard_manager.update_peer_ip so wg0.conf AllowedIPs stay in sync when a peer's VPN IP changes at runtime (previously only peers.json was updated). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+16
-2
@@ -328,17 +328,24 @@ def unregister_peer(peer_name):
|
||||
@bp.route('/api/peers/<peer_name>/update-ip', methods=['PUT'])
|
||||
def update_peer_ip_registry(peer_name):
|
||||
try:
|
||||
from app import peer_registry, routing_manager
|
||||
from app import peer_registry, routing_manager, wireguard_manager
|
||||
data = request.get_json(silent=True)
|
||||
new_ip = data.get('ip') if data else None
|
||||
if not new_ip:
|
||||
return jsonify({"error": "Missing ip"}), 400
|
||||
peer = peer_registry.get_peer(peer_name)
|
||||
success = peer_registry.update_peer_ip(peer_name, new_ip)
|
||||
if success:
|
||||
try:
|
||||
routing_manager.update_peer_ip(peer_name, new_ip)
|
||||
except Exception as e:
|
||||
logger.warning(f"RoutingManager update_peer_ip failed: {e}")
|
||||
if peer and peer.get('public_key'):
|
||||
try:
|
||||
wg_ip = new_ip if '/' in new_ip else f'{new_ip}/32'
|
||||
wireguard_manager.update_peer_ip(peer['public_key'], wg_ip)
|
||||
except Exception as e:
|
||||
logger.warning(f"WireGuard update_peer_ip failed: {e}")
|
||||
return jsonify({"message": f"IP update received for {peer_name}"})
|
||||
return jsonify({"error": f"Peer {peer_name} not found"}), 404
|
||||
except Exception as e:
|
||||
@@ -349,7 +356,7 @@ def update_peer_ip_registry(peer_name):
|
||||
@bp.route('/api/ip-update', methods=['POST'])
|
||||
def ip_update():
|
||||
try:
|
||||
from app import peer_registry, routing_manager
|
||||
from app import peer_registry, routing_manager, wireguard_manager
|
||||
data = request.get_json(silent=True)
|
||||
if data is None:
|
||||
return jsonify({"error": "No data provided"}), 400
|
||||
@@ -357,12 +364,19 @@ def ip_update():
|
||||
new_ip = data.get('ip')
|
||||
if not peer_name or not new_ip:
|
||||
return jsonify({"error": "Missing peer or ip"}), 400
|
||||
peer = peer_registry.get_peer(peer_name)
|
||||
success = peer_registry.update_peer_ip(peer_name, new_ip)
|
||||
if success:
|
||||
try:
|
||||
routing_manager.update_peer_ip(peer_name, new_ip)
|
||||
except Exception as e:
|
||||
logger.warning(f"RoutingManager update_peer_ip failed: {e}")
|
||||
if peer and peer.get('public_key'):
|
||||
try:
|
||||
wg_ip = new_ip if '/' in new_ip else f'{new_ip}/32'
|
||||
wireguard_manager.update_peer_ip(peer['public_key'], wg_ip)
|
||||
except Exception as e:
|
||||
logger.warning(f"WireGuard update_peer_ip failed: {e}")
|
||||
return jsonify({"message": f"IP update received for {peer_name}"})
|
||||
return jsonify({"error": f"Peer {peer_name} not found"}), 404
|
||||
except Exception as e:
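Review bot: `new_ip` comes straight from the request body and is handed to `wireguard_manager.update_peer_ip` with no check that it is an IP address — the `'/' in new_ip` branch even passes any slash-containing string through verbatim — so a caller can set a peer's AllowedIPs to an arbitrary value or to a wide prefix such as `0.0.0.0/0`; AllowedIPs is WireGuard's cryptokey routing table, so a wide prefix would capture traffic meant for other peers, and if the manager builds a shell command from the value (its implementation is outside this hunk) it is also an injection path. Neither route shows an authentication decorator, so unless the blueprint enforces one in a `before_request` hook this is reachable by any client that can reach the API. Parse the value with `ipaddress` (`import ipaddress` at module top) and restrict it to a single host before touching peers.json, the routing manager or the interface, in both `ip_update` and `update_peer_ip_registry`, e.g. via a shared helper as below. Note also that a failed WireGuard update is only logged while the handler still returns 200 after peers.json has already been rewritten, so the registry and wg0.conf can silently diverge; returning a 5xx (or reverting the registry entry) would surface that. Both enclosing functions' `except` handlers continue past the hunks shown.
```python
def _parse_host_ip(value):
    """Return 'addr/32' (or 'addr/128') for a single host address, else None."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None
    if net.num_addresses != 1:
        return None
    return f"{net.network_address}/{net.max_prefixlen}"

# … unchanged: route decorator, imports, JSON parsing, missing-field checks …
        wg_ip = _parse_host_ip(new_ip)
        if wg_ip is None:
            return jsonify({"error": "Invalid ip"}), 400
        peer = peer_registry.get_peer(peer_name)
        # … unchanged: peer_registry / routing_manager updates …
                    wireguard_manager.update_peer_ip(peer['public_key'], wg_ip)
```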
|
||||