[tests] Add regression tests for VpnClient post_delete openwisp#1221

mn-ram · mn-ram · commit 4866768bad29 · 2026-03-25T23:42:03.000+05:30
- test_vpn_client_post_delete_on_template_removal: verifies peer cache invalidation and certificate revocation on M2M template removal - test_vpn_client_post_delete_on_device_deactivation: same for device.deactivate() path - test_vpn_client_post_delete_multiple_clients: device with 2 VPN templates — all clients deleted, all certs revoked, cache invalidated twice - test_wireguard_vpnclient_ip_released_on_template_removal: Wireguard IP address is released when VPN template is removed - test_device_patch_vpn_template_removal_triggers_post_delete: API path via PATCH — covers both replace-with-generic and empty-templates cases Closes openwisp#1221
diff --git a/openwisp_controller/config/tests/test_api.py b/openwisp_controller/config/tests/test_api.py
@@ -26,6 +26,7 @@
 Template = load_model("config", "Template")
 Vpn = load_model("config", "Vpn")
 VpnClient = load_model("config", "VpnClient")
+Cert = load_model("django_x509", "Cert")
 Device = load_model("config", "Device")
 Config = load_model("config", "Config")
 DeviceGroup = load_model("config", "DeviceGroup")
@@ -518,6 +519,46 @@ def test_device_patch_with_templates_of_different_org(self):
             f" do not match the organization of this configuration: {t3}",
         )
 
+    def test_device_patch_vpn_template_removal_triggers_post_delete(self):
+        """Regression test for #1221: removing VPN template via PATCH API must
+        trigger VpnClient.post_delete so peer cache is invalidated and the
+        certificate is revoked. Tests both empty and non-empty replacement."""
+        org = self._get_org()
+        vpn = self._create_vpn(organization=org)
+        t_vpn = self._create_template(
+            name="vpn-test", type="vpn", vpn=vpn, auto_cert=True, organization=org
+        )
+        t_generic = self._create_template(name="generic-test", organization=org)
+        device = self._create_device(organization=org)
+        config = self._create_config(device=device)
+        path = reverse("config_api:device_detail", args=[device.pk])
+
+        with self.subTest("replace VPN template with generic template"):
+            config.templates.set([t_vpn])
+            vpnclient = config.vpnclient_set.first()
+            self.assertIsNotNone(vpnclient)
+            cert_pk = vpnclient.cert.pk
+            data = {"config": {"templates": [str(t_generic.pk)]}}
+            with patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+                response = self.client.patch(path, data, content_type="application/json")
+                mock_invalidate.assert_called_once()
+            self.assertEqual(response.status_code, 200)
+            self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+            self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+        with self.subTest("remove all templates (empty list)"):
+            config.templates.set([t_vpn])
+            vpnclient = config.vpnclient_set.first()
+            self.assertIsNotNone(vpnclient)
+            cert_pk = vpnclient.cert.pk
+            data = {"config": {"templates": []}}
+            with patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+                response = self.client.patch(path, data, content_type="application/json")
+                mock_invalidate.assert_called_once()
+            self.assertEqual(response.status_code, 200)
+            self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+            self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
     def test_device_change_organization_required_templates(self):
         org1 = self._create_org(name="org1")
         org2 = self._create_org(name="org2")
diff --git a/openwisp_controller/config/tests/test_vpn.py b/openwisp_controller/config/tests/test_vpn.py
@@ -286,6 +286,74 @@ def _assert_vpn_client_cert(cert, vpn_client, cert_ct, vpn_client_ct):
             vpnclient.save()
             _assert_vpn_client_cert(cert, vpnclient, 1, 0)
 
+    def test_vpn_client_post_delete_on_template_removal(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a VPN template is removed so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        c = self._create_config(organization=org)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            c.templates.remove(t)
+            mock_invalidate.assert_called_once()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+    def test_vpn_client_post_delete_on_device_deactivation(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a device is deactivated so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            d.deactivate()
+            mock_invalidate.assert_called_once()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+    def test_vpn_client_post_delete_multiple_clients(self):
+        """Regression test for #1221: when a device has multiple VPN templates,
+        removing all of them must delete every VpnClient, invalidate peer cache
+        for each VPN, and revoke all auto-created certificates."""
+        org = self._get_org()
+        vpn1 = self._create_vpn(name="vpn1")
+        vpn2 = self._create_vpn(name="vpn2", ca=vpn1.ca)
+        t1 = self._create_template(
+            name="vpn-t1", type="vpn", vpn=vpn1, auto_cert=True
+        )
+        t2 = self._create_template(
+            name="vpn-t2", type="vpn", vpn=vpn2, auto_cert=True
+        )
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t1, t2)
+        self.assertEqual(c.vpnclient_set.count(), 2)
+        vpnclient1 = c.vpnclient_set.get(vpn=vpn1)
+        vpnclient2 = c.vpnclient_set.get(vpn=vpn2)
+        cert_pk1 = vpnclient1.cert.pk
+        cert_pk2 = vpnclient2.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            d.deactivate()
+            self.assertEqual(mock_invalidate.call_count, 2)
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient1.pk).exists())
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient2.pk).exists())
+        self.assertTrue(Cert.objects.get(pk=cert_pk1).revoked)
+        self.assertTrue(Cert.objects.get(pk=cert_pk2).revoked)
+
     def test_vpn_client_get_common_name(self):
         vpn = self._create_vpn()
         d = self._create_device()
@@ -728,6 +796,18 @@ def test_trigger_vpn_server_endpoint_invalid_vpn_id(self):
                 f"VPN Server UUID: {vpn_id} does not exist."
             )
 
+    def test_wireguard_vpnclient_ip_released_on_template_removal(self):
+        """Regression test for #1221: when a Wireguard VPN template is removed,
+        the allocated IP address must be released (deleted)."""
+        device, vpn, template = self._create_wireguard_vpn_template()
+        vpnclient = device.config.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        self.assertIsNotNone(vpnclient.ip)
+        ip_pk = vpnclient.ip.pk
+        device.config.templates.remove(template)
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        self.assertFalse(IpAddress.objects.filter(pk=ip_pk).exists())
+
 
 class TestWireguardTransaction(BaseTestVpn, TestWireguardVpnMixin, TransactionTestCase):
     mock_response = mock.Mock(spec=requests.Response)
