From d40b4c676cda639277e3e01c17687deb3f9cd69f Mon Sep 17 00:00:00 2001 From: John Crispin Date: Sat, 29 Oct 2022 09:40:37 +0200 Subject: [PATCH] add FCC restriction support Signed-off-by: John Crispin --- command/cmd.uc | 3 +++ command/cmd_rtty.uc | 11 +++++++++++ command/cmd_upgrade.uc | 19 ++++++++++++++++++- renderer/renderer.uc | 4 ++++ renderer/templates/radio.uc | 11 ++++++++++- renderer/templates/services/ssh.uc | 19 ++++++++++++++----- 6 files changed, 60 insertions(+), 7 deletions(-) diff --git a/command/cmd.uc b/command/cmd.uc index 469403e..50138a0 100755 --- a/command/cmd.uc +++ b/command/cmd.uc @@ -4,6 +4,8 @@ let uci = require("uci"); let ubus = require("ubus"); let capabfile = fs.open("/etc/ucentral/capabilities.json", "r"); let capab = json(capabfile.read("all")); +let restrictfile = fs.open("/etc/ucentral/restrictions.json", "r"); +let restrict = restrictfile ? json(restrictfile.read("all")) : null; let cmdfile = fs.open(ARGV[0], "r"); let cmd = json(cmdfile.read("all")); let id = ARGV[1]; @@ -50,6 +52,7 @@ let scope = { cursor: uci.cursor(), ctx, fs, + restrict, /* log helper */ log, diff --git a/command/cmd_rtty.uc b/command/cmd_rtty.uc index c3c1e08..fd0ff04 100644 --- a/command/cmd_rtty.uc +++ b/command/cmd_rtty.uc @@ -8,6 +8,17 @@ if (!args.id || !args.server || !args.port || !args.token || !args.timeout) { return; } +if (restrict.rtty) { + result_json({ + "error": 2, + "text": "RTTY is restricted.", + "resultCode": -1 + }); + + return; +} + + cursor.load("rtty"); cursor.set("rtty", "@rtty[-1]", "enable", 1); cursor.set("rtty", "@rtty[-1]", "id", args.id); diff --git a/command/cmd_upgrade.uc b/command/cmd_upgrade.uc index 6a604e5..1c4a107 100644 --- a/command/cmd_upgrade.uc +++ b/command/cmd_upgrade.uc 
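Review bot: In command/cmd.uc the fallback for a missing /etc/ucentral/restrictions.json is `null`, yet the new checks `restrict.rtty` in cmd_rtty.uc and `restrict.sysupgrade` in cmd_upgrade.uc read a property of it unconditionally. If ucode raises on a property access of null, as I believe it does, every rtty and upgrade command on a device without the file would abort with a runtime error instead of running unrestricted. renderer/renderer.uc falls back to `{}` for the same file, so the simplest fix is to match it: `let restrict = restrictfile ? json(restrictfile.read("all")) : {};`. A comment stating that an absent file means "no restrictions" would also help, since that fail-open default is a policy decision for a compliance lock.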
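Review bot: The refusal under `if (restrict.rtty)` in command/cmd_rtty.uc is reported only to the caller through `result_json`; nothing is recorded on the device. A request for a remote terminal on a unit where that is locked out deserves an audit trail, and the scope assembled in cmd.uc carries a `log` helper that could be called just before `result_json` (its signature is not visible in this patch, so check it first). The check also sits after the argument validation, so a restricted device answers a malformed request with the argument error rather than the restriction; placing it first would make the refusal unconditional.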
@@ -33,6 +33,23 @@ else if (!validation_result.valid) { return; } +function verify_signature(file, signature) { + + return true; +} + +if (restrict.sysupgrade) { + if (!verify_signature(image_path, args.signature)) { + result_json({ + "error": 2, + "text": "Invalid signature", + "resultCode": -1 + }); + + return; + } +} + let archive_cmdline = [ 'tar', 'czf', '/tmp/sysupgrade.tgz', '/etc/config/ucentral' @@ -42,7 +59,7 @@ let files = [ "/etc/ucentral/cas.pem", "/etc/ucentral/cert.pem", "/etc/ucentral/redirector.json", "/etc/ucentral/dev-id", "/etc/ucentral/key.pem", "/etc/config/ucentral", - "/etc/ucentral/profile.json" + "/etc/ucentral/profile.json", "/etc/ucentral/restrictions.json" ]; for (let f in files) if (fs.stat(f)) diff --git a/renderer/renderer.uc b/renderer/renderer.uc index 9da852a..3bc6fc5 100644 --- a/renderer/renderer.uc +++ b/renderer/renderer.uc @@ -12,6 +12,9 @@ let conn = ubus ? ubus.connect() : null; let capabfile = fs.open("/etc/ucentral/capabilities.json", "r"); let capab = capabfile ? json(capabfile.read("all")) : null; +let restrictfile = fs.open("/etc/ucentral/restrictions.json", "r"); +let restrict = restrictfile ? json(restrictfile.read("all")) : {}; + let serial = cursor.get("ucentral", "config", "serial"); assert(cursor, "Unable to instantiate uci"); @@ -1087,6 +1090,7 @@ return /** @lends uCentral.prototype */ { location: '/', cursor, capab, + restrict, /** @member {uCentral.files} */ files, diff --git a/renderer/templates/radio.uc b/renderer/templates/radio.uc index 5d4bb35..0d33f20 100644 --- a/renderer/templates/radio.uc +++ b/renderer/templates/radio.uc @@ -57,6 +57,9 @@ radio.country = capab.country_code; } + if (length(restrict.country) && !(radio.country in restrict.country)) + die("Country code is restricted"); + function allowed_channel(radio) { if (radio.channel_width == 20) return true; 
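Review bot: `verify_signature()` in command/cmd_upgrade.uc returns `true` unconditionally, so the `restrict.sysupgrade` branch can never reject an image, and `args.signature` is not examined at all, not even for presence. On a device that is meant to accept only signed firmware this fails open while appearing to enforce a check. Until real verification exists the stub should fail closed with `return false;` and carry a comment such as `// TODO: verify the detached signature of file against the trusted public key; refuse until implemented`. The caller should also reject a missing `args.signature` explicitly. The branch additionally depends on `restrict` being non-null, which cmd.uc does not guarantee when restrictions.json is absent.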
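Review bot: In renderer/templates/radio.uc, `restrict.country` is used as an allow-list (a country outside it calls `die`), while `restrict.rtty`, `restrict.sysupgrade`, `restrict.dfs` and `restrict.ssh` are deny flags; the code does not say so, and the message "Country code is restricted" reads as if the list named forbidden codes. I would add `// restrict.country is an allow-list: when non-empty, only the listed country codes may be configured` above the check and name the rejected value in the message. The match is also exact, so a code supplied in a different case than the list is refused; that fails closed, but it should be a documented expectation of restrictions.json. The enclosing template block starts and ends outside this hunk.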
@@ -133,6 +136,11 @@ return modes[require_mode] || ''; } + + if (restrict.dfs && radio.allow_dfs) { + warn('DFS is restricted.'); + radio.allow_dfs = false; + } %} # Wireless Configuration @@ -154,7 +162,8 @@ set wireless.{{ phy.section }}.chan_bw={{ radio.bandwidth }} set wireless.{{ phy.section }}.maxassoc={{ radio.maximum_clients }} set wireless.{{ phy.section }}.noscan=1 set wireless.{{ phy.section }}.acs_exclude_dfs={{ b(!radio.allow_dfs) }} -{% if (radio.allow_dfs) for (let channel in radio.valid_channels): %} +{% for (let channel in radio.valid_channels): %} +{% if (!radio.allow_dfs && channel in phy.dfs_channels) continue %} add_list wireless.{{ phy.section }}.channels={{ channel }} {% endfor %} {% if (radio.he_settings && phy.he_mac_capa && match(htmode, /HE.*/)): %} diff --git a/renderer/templates/services/ssh.uc b/renderer/templates/services/ssh.uc index 736667d..9642119 100644 --- a/renderer/templates/services/ssh.uc +++ b/renderer/templates/services/ssh.uc @@ -1,8 +1,17 @@ -{% let interfaces = services.lookup_interfaces("ssh") %} -{% let enable = length(interfaces) %} -{% services.set_enabled("dropbear", enable) %} -{% if (!enable) return %} -{% files.add_named("/etc/dropbear/authorized_keys", join("\n", ssh.authorized_keys || []) + "\n") %} +{% +let interfaces = services.lookup_interfaces("ssh"); +let enable = length(interfaces); + +if (restrict.ssh && enable) { + warn('SSH is restricted'); + enable = false; +} + +services.set_enabled("dropbear", enable); +if (!enable) + return; +files.add_named("/etc/dropbear/authorized_keys", join("\n", ssh.authorized_keys || []) + "\n"); +%} # SSH service configuration
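Review bot: The new DFS filter in the channel loop of renderer/templates/radio.uc, `channel in phy.dfs_channels`, relies on a field this patch neither defines nor defaults. If `phy.dfs_channels` is absent for a phy, the test presumably never matches and every entry of `radio.valid_channels` is written to the channel list, even though `restrict.dfs` has just forced `radio.allow_dfs` to false. Please confirm that it is always populated, or emit a `warn` and skip the list when it is missing so the restriction fails closed. It is also not visible here whether an explicitly configured DFS channel is rejected under `restrict.dfs`, which is worth confirming. Separately, the loop now always emits the non-DFS channels where the old template emitted no list when `allow_dfs` was false; that behaviour change affects unrestricted devices too and should be stated in the commit message.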