policy drift/CLI tool for troubleshooting

Author: ChrispyBacon-dev

CLI_USAGE.md

@@ -0,0 +1,113 @@
+# DockFlare CLI Utilities
+
+## Cleanup Duplicate Policies
+
+DockFlare now includes a CLI utility to detect and remove duplicate reusable policies in your Cloudflare account.
+
+### Problem
+
+When running multiple DockFlare instances (local + deployed) or experiencing state.json drift between instances, duplicate policies with the same name can be created in Cloudflare. This utility consolidates them by keeping the oldest policy and deleting newer duplicates.
+
+### Usage
+
+#### Preview (Dry Run) - Recommended First Step
+
+```bash
+docker exec dockflare python -m app.cli cleanup-duplicate-policies --dry-run
+```
+
+This will:
+- Scan all reusable policies in your Cloudflare account
+- Identify policies with duplicate names
+- Show which policies would be deleted (newer ones)
+- Show which policy ID would be kept (oldest one)
+- Show state.json updates that would be made
+- **Make NO actual changes**
+
+#### Execute Cleanup
+
+```bash
+docker exec dockflare python -m app.cli cleanup-duplicate-policies --apply
+```
+
+This will:
+- Delete all duplicate policies (keeping the oldest)
+- Update state.json to reference the correct policy IDs
+- **Actually make changes to your Cloudflare account**
+
+### What It Does
+
+1. **Fetches all reusable policies** from your Cloudflare account
+2. **Groups policies by name** to identify duplicates
+3. **Sorts by creation date** - keeps the oldest policy for each name
+4. **Deletes newer duplicates** (only when using `--apply`)
+5. **Updates state.json** - ensures all access groups reference the correct (kept) policy ID
+
+### Example Output
+
+```
+============================================================
+DUPLICATE POLICY CLEANUP UTILITY
+============================================================
+Mode: DRY RUN (no changes will be made)
+
+Step 1: Fetching all reusable policies from Cloudflare...
+Found 15 total policies
+
+Step 2: Grouping policies by name...
+
+Step 3: Identifying duplicates...
+✗ Found 2 policy names with duplicates:
+
+  Policy: 'DockFlare-Default-Public-Access-Bypass' (3 instances)
+  Policy: 'DockFlare-AccessGroup-idp-blocker' (3 instances)
+
+Total policies to delete: 4
+
+Step 4: Processing duplicates...
+
+Processing: 'DockFlare-Default-Public-Access-Bypass'
+  ✓ Keeping: ID=abc123 (created: 2025-01-01T10:00:00Z)
+  ✗ Would delete: ID=def456 (created: 2025-01-02T11:00:00Z)
+  ✗ Would delete: ID=ghi789 (created: 2025-01-03T12:00:00Z)
+
+Processing: 'DockFlare-AccessGroup-idp-blocker'
+  ✓ Keeping: ID=jkl012 (created: 2025-01-01T09:00:00Z)
+  ✗ Would delete: ID=mno345 (created: 2025-01-02T10:00:00Z)
+  ✗ Would delete: ID=pqr678 (created: 2025-01-03T11:00:00Z)
+
+Step 5: Updating state.json with correct policy IDs...
+DRY RUN: Would update state.json with the following changes:
+  Group 'public-default-bypass': def456 → abc123 (policy: DockFlare-Default-Public-Access-Bypass)
+  Group 'idp-blocker': mno345 → jkl012 (policy: DockFlare-AccessGroup-idp-blocker)
+
+============================================================
+SUMMARY
+============================================================
+Total policies scanned: 15
+Duplicate policy names found: 2
+Policies that would be deleted: 4
+Policies that would be kept: 2
+============================================================
+```
+
+### Safety Features
+
+- **Dry run by default** - You must explicitly use `--apply` to make changes
+- **Keeps oldest policy** - Ensures you don't lose the original policy
+- **Updates state.json** - Automatically fixes references to deleted policies
+- **Detailed logging** - Shows exactly what will be (or was) done
+
+### When to Use
+
+- After discovering duplicate system policies (DockFlare-Default-*)
+- After running multiple DockFlare instances that created duplicate user policies
+- Before major version upgrades to clean up your Cloudflare account
+- When troubleshooting policy-related issues
+
+### Notes
+
+- The utility requires DockFlare to be configured with valid Cloudflare credentials
+- It operates on **all reusable policies** in your account, not just DockFlare-managed ones
+- Always run with `--dry-run` first to preview changes
+- Deletion is permanent and cannot be undone (except by recreating policies manually)

dockflare/app/cli.py

@@ -0,0 +1,263 @@
+# DockFlare: Automates Cloudflare Tunnel ingress from Docker labels.
+# Copyright (C) 2025 ChrispyBacon-Dev <https://github.com/ChrispyBacon-dev/DockFlare>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+# dockflare/app/cli.py
+"""
+DockFlare CLI utilities for maintenance and troubleshooting.
+"""
+import argparse
+import sys
+import logging
+from collections import defaultdict
+from datetime import datetime
+
+def cleanup_duplicate_policies(dry_run=True):
+    """
+    Scan for duplicate reusable policies (same name) and consolidate them.
+    Keeps the oldest policy, deletes newer duplicates.
+    Updates state.json to reference the correct policy IDs.
+
+    Args:
+        dry_run: If True, only show what would be done. If False, execute deletions.
+
+    Returns:
+        dict: Summary of actions taken
+    """
+    from app import app
+    from app.core import reusable_policies
+    from app.core.state_manager import access_groups, save_state, state_lock
+
+    with app.app_context():
+        logging.info("=" * 60)
+        logging.info("DUPLICATE POLICY CLEANUP UTILITY")
+        logging.info("=" * 60)
+        logging.info(f"Mode: {'DRY RUN (no changes will be made)' if dry_run else 'APPLY (changes will be executed)'}")
+        logging.info("")
+
+        # Step 1: List all reusable policies
+        logging.info("Step 1: Fetching all reusable policies from Cloudflare...")
+        policies = reusable_policies.list_reusable_policies()
+
+        if not policies:
+            logging.info("No reusable policies found.")
+            return {"total_policies": 0, "duplicates_found": 0, "policies_deleted": 0}
+
+        logging.info(f"Found {len(policies)} total policies")
+        logging.info("")
+
+        # Step 2: Group policies by name
+        logging.info("Step 2: Grouping policies by name...")
+        policies_by_name = defaultdict(list)
+        for policy in policies:
+            policy_name = policy.get("name", "")
+            policies_by_name[policy_name].append(policy)
+
+        # Step 3: Identify duplicates
+        logging.info("Step 3: Identifying duplicates...")
+        duplicates = {name: policies_list for name, policies_list in policies_by_name.items() if len(policies_list) > 1}
+
+        if not duplicates:
+            logging.info("✓ No duplicate policies found. All policies have unique names.")
+            return {"total_policies": len(policies), "duplicates_found": 0, "policies_deleted": 0}
+
+        logging.info(f"✗ Found {len(duplicates)} policy names with duplicates:")
+        logging.info("")
+
+        total_to_delete = 0
+        for name, dup_list in duplicates.items():
+            logging.info(f"  Policy: '{name}' ({len(dup_list)} instances)")
+            total_to_delete += len(dup_list) - 1
+
+        logging.info("")
+        logging.info(f"Total policies to delete: {total_to_delete}")
+        logging.info("")
+
+        # Step 4: Process each duplicate group
+        logging.info("Step 4: Processing duplicates...")
+        logging.info("")
+
+        deleted_count = 0
+        kept_count = 0
+        state_updates = {}
+
+        for name, dup_list in duplicates.items():
+            logging.info(f"Processing: '{name}'")
+
+            # Sort by created_at (oldest first)
+            # Note: Cloudflare API returns created_at in ISO format
+            sorted_policies = sorted(dup_list, key=lambda p: p.get("created_at", ""))
+
+            # Keep the oldest one
+            policy_to_keep = sorted_policies[0]
+            policies_to_delete = sorted_policies[1:]
+
+            kept_id = policy_to_keep.get("id")
+            kept_created = policy_to_keep.get("created_at", "N/A")
+
+            logging.info(f"  ✓ Keeping: ID={kept_id} (created: {kept_created})")
+            kept_count += 1
+
+            # Delete the rest
+            for policy in policies_to_delete:
+                policy_id = policy.get("id")
+                policy_created = policy.get("created_at", "N/A")
+
+                if dry_run:
+                    logging.info(f"  ✗ Would delete: ID={policy_id} (created: {policy_created})")
+                else:
+                    logging.info(f"  ✗ Deleting: ID={policy_id} (created: {policy_created})")
+                    success = reusable_policies.delete_reusable_policy(policy_id)
+                    if success:
+                        logging.info(f"    → Successfully deleted policy {policy_id}")
+                        deleted_count += 1
+                    else:
+                        logging.error(f"    → Failed to delete policy {policy_id}")
+
+            # Track which policy ID should be kept for this name
+            state_updates[name] = kept_id
+            logging.info("")
+
+        # Step 5: Update state.json with correct policy IDs
+        logging.info("Step 5: Updating state.json with correct policy IDs...")
+
+        if dry_run:
+            logging.info("DRY RUN: Would update state.json with the following changes:")
+
+        state_updated = False
+        with state_lock:
+            for group_id, group_data in access_groups.items():
+                policy_id = group_data.get("cloudflare_policy_id")
+
+                if not policy_id:
+                    continue
+
+                # Check if this group references a policy that was deleted
+                # by finding the policy name and checking if we kept a different ID
+                current_policy_name = None
+                for name, policies_list in policies_by_name.items():
+                    for policy in policies_list:
+                        if policy.get("id") == policy_id:
+                            current_policy_name = name
+                            break
+                    if current_policy_name:
+                        break
+
+                if current_policy_name and current_policy_name in state_updates:
+                    correct_id = state_updates[current_policy_name]
+                    if policy_id != correct_id:
+                        if dry_run:
+                            logging.info(f"  Group '{group_id}': {policy_id} → {correct_id} (policy: {current_policy_name})")
+                        else:
+                            logging.info(f"  Updating group '{group_id}': {policy_id} → {correct_id}")
+                            access_groups[group_id]["cloudflare_policy_id"] = correct_id
+                            state_updated = True
+
+        if state_updated and not dry_run:
+            save_state()
+            logging.info("✓ state.json updated successfully")
+        elif not state_updated:
+            logging.info("✓ No state.json updates needed")
+
+        logging.info("")
+        logging.info("=" * 60)
+        logging.info("SUMMARY")
+        logging.info("=" * 60)
+        logging.info(f"Total policies scanned: {len(policies)}")
+        logging.info(f"Duplicate policy names found: {len(duplicates)}")
+        if dry_run:
+            logging.info(f"Policies that would be deleted: {total_to_delete}")
+            logging.info(f"Policies that would be kept: {kept_count}")
+        else:
+            logging.info(f"Policies deleted: {deleted_count}")
+            logging.info(f"Policies kept: {kept_count}")
+            logging.info(f"State updates applied: {state_updated}")
+        logging.info("=" * 60)
+
+        return {
+            "total_policies": len(policies),
+            "duplicates_found": len(duplicates),
+            "policies_deleted": deleted_count if not dry_run else 0,
+            "policies_kept": kept_count,
+            "would_delete": total_to_delete if dry_run else 0
+        }
+
+
+def main():
+    """CLI entry point"""
+    parser = argparse.ArgumentParser(
+        description="DockFlare CLI utilities",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Preview what would be cleaned up (dry run)
+  python3 -m app.cli cleanup-duplicate-policies --dry-run
+
+  # Actually perform the cleanup
+  python3 -m app.cli cleanup-duplicate-policies --apply
+
+  # Run from Docker container
+  docker exec dockflare python3 -m app.cli cleanup-duplicate-policies --dry-run
+"""
+    )
+
+    parser.add_argument(
+        "command",
+        choices=["cleanup-duplicate-policies"],
+        help="Command to execute"
+    )
+
+    parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Preview changes without executing them (default)"
+    )
+
+    parser.add_argument(
+        "--apply",
+        action="store_true",
+        help="Execute the cleanup (deletes duplicate policies)"
+    )
+
+    args = parser.parse_args()
+
+    # Configure logging for CLI
+    logging.basicConfig(
+        level=logging.INFO,
+        format='%(message)s',
+        handlers=[logging.StreamHandler(sys.stdout)]
+    )
+
+    # Determine mode
+    if args.apply:
+        dry_run = False
+    else:
+        dry_run = True  # Default to dry run for safety
+
+    # Execute command
+    if args.command == "cleanup-duplicate-policies":
+        try:
+            result = cleanup_duplicate_policies(dry_run=dry_run)
+            sys.exit(0)
+        except Exception as e:
+            logging.error(f"Error executing cleanup: {e}", exc_info=True)
+            sys.exit(1)
+    else:
+        logging.error(f"Unknown command: {args.command}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()