From 0fdb7557547e2bc7be5512c9111a4e0508c6b17b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 7 Mar 2024 11:15:48 +0100
Subject: [PATCH] wireguard: migrate non-netmask allowed ip entries and enforce
 validation #7304

---
 plist                                         |  1 +
 .../app/models/OPNsense/Wireguard/Client.xml  |  3 +-
 .../OPNsense/Wireguard/Migrations/M1_0_0.php  | 58 +++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Wireguard/Migrations/M1_0_0.php

diff --git a/plist b/plist
index f9a9472f0..337fd2dca 100644
--- a/plist
+++ b/plist
@@ -742,6 +742,7 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
 /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
+/usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Migrations/M1_0_0.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
 /usr/local/opnsense/mvc/app/views/OPNsense/CaptivePortal/clients.volt
diff --git a/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 1e4491b1c..cb498d808 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
     <description>WireGuard peer configuration</description>
-    <version>0.0.7</version>
+    <version>1.0.0</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -29,6 +29,7 @@
                 </pubkey>
                 <psk type="Base64Field"/>
                 <tunneladdress type="NetworkField">
+                    <NetMaskRequired>Y</NetMaskRequired>
                     <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
                     <asList>Y</asList>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Wireguard/Migrations/M1_0_0.php b/src/opnsense/mvc/app/models/OPNsense/Wireguard/Migrations/M1_0_0.php
new file mode 100644
index 000000000..333913c93
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Wireguard/Migrations/M1_0_0.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Wireguard\Client;
+
+class M1_0_0 extends BaseModelMigration
+{
+    /**
+     * Migrate older models into shared model
+     * @param $model
+     */
+    public function run($model)
+    {
+        if ($model instanceof Client) {
+            foreach ($model->clients->client->iterateItems() as $client) {
+                $allowed_ips = array_filter(explode(',', (string)$client->tunneladdress));
+                foreach ($allowed_ips as &$allowed_ip) {
+                    if (strpos($allowed_ip, '/') !== false) {
+                        continue;
+                    } elseif (strpos($allowed_ip, ':') === false) {
+                        $allowed_ip .= '/32';
+                    } else {
+                        $allowed_ip .= '/128';
+                    }
+                }
+                $client->tunneladdress = join(',', $allowed_ips);
+            }
+        }
+    }
+}