Files
claudetools/.claude/skills/unifi-wifi/scripts/gw-audit.sh
Howard Enos 1118594cd2 unifi-wifi: pfSense gateway compat layer (§E) — REST backend + dispatch inside gw-audit/gw-control
Per Howard's decision (2026-06-16, "try what Mike wanted"): Mike's §E open decisions resolved as
REST API package backend + dispatch INSIDE the existing gateway verbs (his lean), not sibling scripts.

- NEW scripts/pfsense-backend.sh: pfSense REST API (pfSense-pkg-RESTAPI v2, X-API-Key) driver exposing
  the same verbs as gw-control (audit, pf-list/disable/enable/delete/set-ports, fw-list/disable/enable,
  block-ips) + a `setup` helper. Writes --apply-gated with per-object rollback to .claude/tmp + firewall/apply.
- gw-audit.sh: when num_gw=0 and a clients/<slug>/pfsense-api cred is vaulted (or --pfsense <slug>),
  appends the pfSense WAN/DHCP/firewall audit; else prints the setup hint. (captures num_gw to gate.)
- gw-control.sh: same-verb auto-dispatch to pfsense-backend when a pfSense cred resolves for the site.
- SKILL.md [PROPOSED]->[SCAFFOLDED]; ROADMAP §E open decisions marked resolved.

STATUS: scaffolded. BLOCKED/setup/no-cred paths tested; gw-audit dispatch validated live (Cascades
num_gw=0 -> hint). Live REST calls pending a reachable pfSense with the API pkg + a vaulted key; v2
endpoint paths must be verified against the installed API version on first live run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 13:51:10 -07:00

120 lines
7.1 KiB
Bash

#!/usr/bin/env bash
# gw-audit.sh — gateway / WAN / internet + overall site-health audit (controller-side, read-only).
# Uses the controller's own stat/health (wan/www/wlan/lan/vpn subsystems) + the gateway device's
# per-WAN detail. Reports WAN status + IP + uplink speed, internet latency/drops/last-speedtest,
# gateway CPU/mem/uptime, and the adoption/health rollup (APs/switches adopted vs disconnected vs
# pending, client counts). Flags: WAN/internet not-ok, high latency/drops, disconnected or pending
# devices, gateway resource pressure. No AP cred / VPN needed -> any UOS site. (ROADMAP C)
#
# Sites with a third-party firewall (e.g. pfSense) show num_gw=0 -> "no UniFi gateway" (still reports
# wlan/lan/adoption health).
#
# Usage: bash .claude/skills/unifi-wifi/scripts/gw-audit.sh <site-name|id>
set -uo pipefail
REPO="$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
UOS="$REPO/.claude/scripts/uos-mongo.sh"; VAULT="$REPO/.claude/scripts/vault.sh"
HOST="${UOS_HOST:-172.16.3.29}"; PORT="${UOS_HTTPS_PORT:-11443}"
SITEARG="${1:?usage: gw-audit.sh <site-name|id> [--pfsense <slug>]}"; shift || true
PFARG="" # optional: pfSense client slug (or full vault path) when UOS site name != client slug
while [ $# -gt 0 ]; do case "$1" in --pfsense) PFARG="${2:?--pfsense needs a slug/vault-path}"; shift 2;; *) shift;; esac; done
TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT
U="$(bash "$VAULT" get-field infrastructure/uos-server-network-api-rw credentials.username 2>/dev/null)"
P="$(bash "$VAULT" get-field infrastructure/uos-server-network-api-rw credentials.password 2>/dev/null)"
[ -n "$U" ] && [ -n "$P" ] || { echo "[ERROR] no controller cred (infrastructure/uos-server-network-api-rw)"; exit 1; }
base="https://$HOST:$PORT"; CJ="$TMP/cj"
code=$(curl -sk -c "$CJ" -o /dev/null -w '%{http_code}' -X POST "$base/api/auth/login" -H 'Content-Type: application/json' \
--data-binary "$(python -c 'import json,sys;print(json.dumps({"username":sys.argv[1],"password":sys.argv[2]}))' "$U" "$P")")
[ "$code" = "200" ] || { echo "[ERROR] controller login HTTP $code"; exit 1; }
SHORT="$(curl -sk -b "$CJ" "$base/proxy/network/api/self/sites" | python -c "
import sys,json; d=json.load(sys.stdin).get('data',[]); q='''$SITEARG'''.lower()
for s in d:
if s.get('_id')=='''$SITEARG''' or s.get('name')=='''$SITEARG''' or q in (s.get('desc','').lower()): print(s.get('name')); break
")"; [ -n "$SHORT" ] || SHORT="$SITEARG"
echo "[INFO] gateway/health audit: site=$SHORT"
curl -sk -b "$CJ" "$base/proxy/network/api/s/$SHORT/stat/health" -o "$TMP/health.json"
curl -sk -b "$CJ" "$base/proxy/network/api/s/$SHORT/stat/device" -o "$TMP/dev.json"
export NGW_FILE="$TMP/ngw"
python - "$TMP/health.json" "$TMP/dev.json" <<'PY'
import sys,json,os
H={h['subsystem']:h for h in json.load(open(sys.argv[1])).get('data',[])}
devs=json.load(open(sys.argv[2])).get('data',[])
flags=[]
def st(x): return (x or 'unknown')
wan=H.get('wan',{}); www=H.get('www',{}); wlan=H.get('wlan',{}); lan=H.get('lan',{}); vpn=H.get('vpn',{})
print("\n== WAN / Internet ==")
ngw=wan.get('num_gw',0)
try: open(os.environ['NGW_FILE'],'w').write(str(ngw))
except Exception: pass
if not ngw:
print(" no UniFi gateway at this site (third-party firewall, e.g. pfSense)")
else:
gwdev=next((d for d in devs if d.get('type') in ('ugw','uxg','udm')),None)
gwname=wan.get('gw_name') or (gwdev and (gwdev.get('name') or gwdev.get('model'))) or '?'
gwmodel=(gwdev and gwdev.get('model')) or ''
print(f" gateway: {gwname} [{gwmodel}] ({wan.get('gw_version')}) status={st(wan.get('status'))}")
print(f" WAN IP: {wan.get('wan_ip')} gateways: {wan.get('gateways')} nameservers: {wan.get('nameservers')}")
gs=wan.get('gw_system-stats') or {}
if gs: print(f" gw load: cpu={gs.get('cpu')}% mem={gs.get('mem')}% uptime={int(int(gs.get('uptime',0))/86400)}d")
if st(wan.get('status'))!='ok': flags.append(f"WAN status={wan.get('status')}")
try:
if float(gs.get('cpu',0))>85: flags.append(f"gateway CPU {gs.get('cpu')}%")
if float(gs.get('mem',0))>90: flags.append(f"gateway MEM {gs.get('mem')}%")
except: pass
# internet (www)
print(f" internet: status={st(www.get('status'))} latency={www.get('latency')}ms drops={www.get('drops')} "
f"speedtest={www.get('xput_down')}/{www.get('xput_up')} Mbps ping={www.get('speedtest_ping')}ms")
if ngw and www and st(www.get('status'))!='ok': flags.append(f"internet(www) status={www.get('status')}")
try:
if www.get('latency') and float(www.get('latency'))>80: flags.append(f"internet latency {www.get('latency')}ms")
if www.get('drops') and float(www.get('drops'))>5: flags.append(f"internet drops={www.get('drops')}")
except: pass
# per-WAN device detail (multi-WAN)
for d in devs:
if d.get('type') in ('ugw','uxg','udm'):
for wk in ('wan1','wan2'):
w=d.get(wk) or {}
if w.get('enable'): print(f" {wk}: ip={w.get('ip')} up={w.get('up')} {w.get('speed')}M{'' if w.get('full_duplex',True) else ' HALF-DUPLEX'}")
if w.get('enable') and not w.get('up'): flags.append(f"{wk} DOWN")
print("\n== Adoption / device health ==")
for label,sub in (('APs (wlan)',wlan),('switches (lan)',lan),('gateway (wan)',wan)):
a=sub.get('num_adopted'); dc=sub.get('num_disconnected'); pe=sub.get('num_pending')
if a is None and dc is None: continue
print(f" {label}: adopted={a} disconnected={dc} pending={pe}")
if dc: flags.append(f"{label}: {dc} disconnected")
if pe: flags.append(f"{label}: {pe} pending adoption")
print(f" clients: users={wlan.get('num_user')} guests={wlan.get('num_guest')} iot={wlan.get('num_iot')}")
# outdated firmware (from device list)
outd=[d.get('name') for d in devs if d.get('upgradable')]
if outd: flags.append(f"{len(outd)} device(s) with firmware upgrade available")
print("\n== FLAGS ==")
if flags:
for f in flags: print(f" [!] {f}")
else:
print(" [OK] gateway/WAN/adoption all healthy")
PY
# ---------- pfSense gateway augmentation (ROADMAP §E: dispatch when there's no UniFi gateway) ----------
# A pfSense site shows num_gw=0 above (no UniFi gateway). If a pfSense REST API cred is vaulted, run the
# pfSense gateway/WAN/DHCP audit via the backend so one `gw-audit <site>` covers either gateway vendor.
NGW="$(cat "$TMP/ngw" 2>/dev/null || echo 1)"
if [ "$NGW" = "0" ]; then
cands=()
[ -n "$PFARG" ] && { case "$PFARG" in */*) cands+=("$PFARG");; *) cands+=("clients/$PFARG/pfsense-api");; esac; }
cands+=("clients/$SITEARG/pfsense-api")
pf_vp=""
for cand in "${cands[@]}"; do
if [ -n "$(bash "$VAULT" get-field "$cand" credentials.apikey 2>/dev/null || bash "$VAULT" get-field "$cand" apikey 2>/dev/null)" ]; then pf_vp="$cand"; break; fi
done
if [ -n "$pf_vp" ]; then
echo; echo "[INFO] pfSense gateway cred found (vault:$pf_vp) -> pfSense gateway audit:"
bash "$REPO/.claude/skills/unifi-wifi/scripts/pfsense-backend.sh" "$pf_vp" audit || true
else
echo; echo "[INFO] gateway is third-party (pfSense?). For pfSense WAN/DHCP/firewall audit, vault an API"
echo " cred then re-run (pass --pfsense <slug> if the UOS site name differs from the client slug):"
echo " bash .claude/skills/unifi-wifi/scripts/pfsense-backend.sh clients/<slug>/pfsense-api setup"
fi
fi