
Npm access list update script

a guest
Jul 7th, 2025
  1. #!/usr/bin/env bash
  2. set -euo pipefail
  3.  
  4. ### ─── CONFIGURATION ────────────────────────────────────────────────────────
  5. NPM_HOST="servers_local_ip"
  6. NPM_PORT="port_its_on"
  7.  
  8. # your NPM admin credentials
  9. ADMIN_EMAIL="npm_username"
  10. ADMIN_PASS="npmpassword"
  11.  
  12. # the exact name of the ACL in NPM
  13. ACL_NAME="accesslistname"
  14.  
  15. # service to fetch your current public IP
  16. IP_SERVICE="https://api.ipify.org"
  17.  
  18. # API endpoints
  19. LOGIN_URL="http://${NPM_HOST}:${NPM_PORT}/api/tokens"
  20. ACL_LIST_URL="http://${NPM_HOST}:${NPM_PORT}/api/nginx/access-lists"
  21. ACL_BASE_URL="${ACL_LIST_URL}"
  22. ### ──────────────────────────────────────────────────────────────────────────
  23.  
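echo
echo "---- STEP 1: Fetch current public IP from ${IP_SERVICE} ----"
# The address returned here becomes an "allow" entry on the access list, so
# the lookup service is effectively trusted to decide who gets in. Refuse any
# protocol but HTTPS for the lookup and bound how long it may hang.
CURRENT_IP=$(curl -fsS --proto '=https' --max-time 15 "${IP_SERVICE}")

# Format check only: four dot-separated decimal octets, each 0-255. It cannot
# tell whether the address really belongs to this network.
if [[ ! "$CURRENT_IP" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]]; then
  echo "ERROR: could not parse a valid IPv4 from '${CURRENT_IP}'." >&2
  exit 1
fi
for octet in "${BASH_REMATCH[@]:1}"; do
  # 10# forces base 10 so an octet such as "08" is not read as octal.
  if (( 10#$octet > 255 )); then
    echo "ERROR: could not parse a valid IPv4 from '${CURRENT_IP}'." >&2
    exit 1
  fi
done
echo "✔ Current WAN IP = ${CURRENT_IP}"
echo
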
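echo "---- STEP 2: Log in to NPM to obtain JWT ----"
# Build the login body with jq so quotes or backslashes in the credentials are
# escaped as JSON instead of breaking (or rewriting) the request, and hand it
# to curl on stdin. The credentials reach jq through its environment, so they
# never appear on a command line that other local users can read from the
# process list.
JWT_JSON=$(
  NPM_LOGIN_IDENTITY="$ADMIN_EMAIL" NPM_LOGIN_SECRET="$ADMIN_PASS" \
    jq -c -n '{identity: env.NPM_LOGIN_IDENTITY, secret: env.NPM_LOGIN_SECRET}' \
    | curl -fsS -X POST "${LOGIN_URL}" \
      -H "Content-Type: application/json" \
      --data-binary @-
)
JWT_TOKEN=$(jq -r '.token // empty' <<<"$JWT_JSON")

# curl -f already aborts the script on an HTTP error status, so this branch
# covers a successful response that carries no token.
if [[ -z "$JWT_TOKEN" ]]; then
  echo "ERROR: failed to retrieve JWT. Response was:" >&2
  # Fall back to the raw text when the response is not JSON, so exit code 2
  # is still the one reported.
  { jq . <<<"$JWT_JSON" || printf '%s\n' "$JWT_JSON"; } >&2
  exit 2
fi
echo "✔ Obtained JWT"
echo
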
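echo "---- STEP 3: List all Access Lists → find ID of '${ACL_NAME}' ----"
# -H @<(...) has curl read the header from a file descriptor (needs curl
# 7.55.0 or newer), keeping the bearer token off curl's command line, where
# other local users could read it from the process list.
ACL_LIST_JSON=$(curl -fsS \
  -H @<(printf 'Authorization: Bearer %s\n' "$JWT_TOKEN") \
  "${ACL_LIST_URL}")
ACL_ID=$(jq -r --arg NAME "$ACL_NAME" \
  '.[] | select(.name == $NAME) | .id' <<<"$ACL_LIST_JSON")
if [[ -z "$ACL_ID" ]]; then
  echo "ERROR: could not locate an Access List named '${ACL_NAME}'." >&2
  exit 3
fi
# Two lists with the same name would yield several IDs on separate lines, and
# the value is spliced into request URLs later. Insist on one numeric ID so
# the update can never land on a list other than the intended one.
if [[ ! "$ACL_ID" =~ ^[0-9]+$ ]]; then
  echo "ERROR: expected exactly one numeric ID for Access List '${ACL_NAME}', got:" >&2
  printf '%s\n' "$ACL_ID" >&2
  exit 3
fi
echo "✔ Found ACL '${ACL_NAME}' → ID = ${ACL_ID}"
echo
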
  60. echo "---- STEP 4: GET full ACL details (to get satisfy_any & pass_auth) ----"
  61. ACL_DETAIL_JSON=$(curl -fsS \
  62. -H "Authorization: Bearer ${JWT_TOKEN}" \
  63. "${ACL_BASE_URL}/${ACL_ID}")
  64. EXISTING_SATISFY_ANY=$(echo "$ACL_DETAIL_JSON" | jq -r '.satisfy_any')
  65. EXISTING_PASS_AUTH=$(echo "$ACL_DETAIL_JSON" | jq -r '.pass_auth')
  66. echo "✔ Current ACL flags: satisfy_any = ${EXISTING_SATISFY_ANY}, pass_auth = ${EXISTING_PASS_AUTH}"
  67. echo
  68.  
  69. echo "---- STEP 5: Build JSON payload (with your real WAN IP!) ----"
  70. UPDATE_PAYLOAD=$(
  71. jq -c -n \
  72. --arg name "$ACL_NAME" \
  73. --argjson sat "$EXISTING_SATISFY_ANY" \
  74. --argjson auth "$EXISTING_PASS_AUTH" \
  75. --arg ip "${CURRENT_IP}/32" \
  76. '{
  77. name: $name,
  78. satisfy_any: $sat,
  79. pass_auth: $auth,
  80. clients: [ { address: $ip, directive: "allow" } ]
  81. }'
  82. )
  83. echo "$UPDATE_PAYLOAD" | jq '.' # for logging/verification
  84. echo
  85.  
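echo "---- STEP 6: PUT /api/nginx/access-lists/${ACL_ID} with new clients ----"
# The Authorization header is read from a file descriptor (curl 7.55.0+) so
# the bearer token stays out of the process list.
UPDATE_RESPONSE=$(curl -fsS -X PUT "${ACL_BASE_URL}/${ACL_ID}" \
  -H "Content-Type: application/json" \
  -H @<(printf 'Authorization: Bearer %s\n' "$JWT_TOKEN") \
  -d "$UPDATE_PAYLOAD")

# Fail closed: report success only for a JSON object without an "error" key.
# An empty, non-JSON or non-object body makes jq exit non-zero, which the
# negation turns into the error branch instead of a false success message.
if ! jq -e 'type == "object" and (has("error") | not)' <<<"$UPDATE_RESPONSE" >/dev/null; then
  echo "ERROR: API returned an error when updating. See response:" >&2
  { jq . <<<"$UPDATE_RESPONSE" || printf '%s\n' "$UPDATE_RESPONSE"; } >&2
  exit 4
fi

# NOTE(review): this confirms only that the API accepted the request; reading
# the ACL back and comparing its client entry would be a stronger check.
echo "✅ Access List updated successfully: now allowing ${CURRENT_IP}/32"

exit 0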