wiregui/tests/test_mfa.py

"""Tests for TOTP MFA functionality."""

import pyotp

from wiregui.auth.mfa import (
    generate_totp_qr_svg,
    generate_totp_secret,
    get_totp_uri,
    verify_totp_code,
)
from wiregui.models.mfa_method import MFAMethod
from wiregui.models.user import User


# --- TOTP secret generation ---


def test_generate_secret():
    secret = generate_totp_secret()
    assert len(secret) == 32  # base32 encoded
    assert secret.isalpha() or any(c.isdigit() for c in secret)


def test_generate_secret_unique():
    s1 = generate_totp_secret()
    s2 = generate_totp_secret()
    assert s1 != s2


# --- TOTP URI ---


def test_get_totp_uri():
    uri = get_totp_uri("JBSWY3DPEHPK3PXP", "user@example.com")
    assert uri.startswith("otpauth://totp/")
    assert "user%40example.com" in uri or "user@example.com" in uri
    assert "secret=JBSWY3DPEHPK3PXP" in uri
    assert "issuer=WireGUI" in uri


def test_get_totp_uri_custom_issuer():
    uri = get_totp_uri("SECRET", "test@test.com", issuer="MyVPN")
    assert "issuer=MyVPN" in uri


# --- TOTP verification ---


def test_verify_valid_code():
    secret = generate_totp_secret()
    totp = pyotp.TOTP(secret)
    code = totp.now()
    assert verify_totp_code(secret, code) is True


def test_verify_invalid_code():
    secret = generate_totp_secret()
    assert verify_totp_code(secret, "000000") is False


def test_verify_wrong_secret():
    secret1 = generate_totp_secret()
    secret2 = generate_totp_secret()
    code = pyotp.TOTP(secret1).now()
    assert verify_totp_code(secret2, code) is False


def test_verify_empty_code():
    secret = generate_totp_secret()
    assert verify_totp_code(secret, "") is False


# --- QR code generation ---


def test_generate_qr_svg():
    uri = get_totp_uri("SECRET", "test@test.com")
    svg = generate_totp_qr_svg(uri)
    assert "<svg" in svg
    assert "</svg>" in svg


# --- MFA method model integration ---


async def test_create_totp_method(session):
    user = User(email="mfa-test@example.com")
    session.add(user)
    await session.flush()

    secret = generate_totp_secret()
    method = MFAMethod(
        name="My Phone",
        type="totp",
        payload={"secret": secret},
        user_id=user.id,
    )
    session.add(method)
    await session.flush()

    from sqlmodel import select
    fetched = (await session.execute(
        select(MFAMethod).where(MFAMethod.user_id == user.id)
    )).scalar_one()

    assert fetched.name == "My Phone"
    assert fetched.type == "totp"
    stored_secret = fetched.payload["secret"]
    code = pyotp.TOTP(stored_secret).now()
    assert verify_totp_code(stored_secret, code) is True


async def test_user_multiple_mfa_methods(session):
    user = User(email="multi-mfa@example.com")
    session.add(user)
    await session.flush()

    m1 = MFAMethod(name="Phone", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)
    m2 = MFAMethod(name="Backup", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)
    session.add_all([m1, m2])
    await session.flush()

    from sqlmodel import select, func
    count = (await session.execute(
        select(func.count()).select_from(MFAMethod).where(MFAMethod.user_id == user.id)
    )).scalar()
    assert count == 2
feat: initial WireGUI implementation — full VPN management platform Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health 2026-03-30 16:53:46 -05:00			`"""Tests for TOTP MFA functionality."""`

			`import pyotp`

			`from wiregui.auth.mfa import (`
			`generate_totp_qr_svg,`
			`generate_totp_secret,`
			`get_totp_uri,`
			`verify_totp_code,`
			`)`
			`from wiregui.models.mfa_method import MFAMethod`
			`from wiregui.models.user import User`


			`# --- TOTP secret generation ---`


			`def test_generate_secret():`
			`secret = generate_totp_secret()`
			`assert len(secret) == 32 # base32 encoded`
			`assert secret.isalpha() or any(c.isdigit() for c in secret)`


			`def test_generate_secret_unique():`
			`s1 = generate_totp_secret()`
			`s2 = generate_totp_secret()`
			`assert s1 != s2`


			`# --- TOTP URI ---`


			`def test_get_totp_uri():`
			`uri = get_totp_uri("JBSWY3DPEHPK3PXP", "user@example.com")`
			`assert uri.startswith("otpauth://totp/")`
			`assert "user%40example.com" in uri or "user@example.com" in uri`
			`assert "secret=JBSWY3DPEHPK3PXP" in uri`
			`assert "issuer=WireGUI" in uri`


			`def test_get_totp_uri_custom_issuer():`
			`uri = get_totp_uri("SECRET", "test@test.com", issuer="MyVPN")`
			`assert "issuer=MyVPN" in uri`


			`# --- TOTP verification ---`


			`def test_verify_valid_code():`
			`secret = generate_totp_secret()`
			`totp = pyotp.TOTP(secret)`
			`code = totp.now()`
			`assert verify_totp_code(secret, code) is True`


			`def test_verify_invalid_code():`
			`secret = generate_totp_secret()`
			`assert verify_totp_code(secret, "000000") is False`


			`def test_verify_wrong_secret():`
			`secret1 = generate_totp_secret()`
			`secret2 = generate_totp_secret()`
			`code = pyotp.TOTP(secret1).now()`
			`assert verify_totp_code(secret2, code) is False`


			`def test_verify_empty_code():`
			`secret = generate_totp_secret()`
			`assert verify_totp_code(secret, "") is False`


			`# --- QR code generation ---`


			`def test_generate_qr_svg():`
			`uri = get_totp_uri("SECRET", "test@test.com")`
			`svg = generate_totp_qr_svg(uri)`
			`assert "<svg" in svg`
			`assert "</svg>" in svg`


			`# --- MFA method model integration ---`


			`async def test_create_totp_method(session):`
			`user = User(email="mfa-test@example.com")`
			`session.add(user)`
			`await session.flush()`

			`secret = generate_totp_secret()`
			`method = MFAMethod(`
			`name="My Phone",`
			`type="totp",`
			`payload={"secret": secret},`
			`user_id=user.id,`
			`)`
			`session.add(method)`
			`await session.flush()`

			`from sqlmodel import select`
			`fetched = (await session.execute(`
			`select(MFAMethod).where(MFAMethod.user_id == user.id)`
			`)).scalar_one()`

			`assert fetched.name == "My Phone"`
			`assert fetched.type == "totp"`
			`stored_secret = fetched.payload["secret"]`
			`code = pyotp.TOTP(stored_secret).now()`
			`assert verify_totp_code(stored_secret, code) is True`


			`async def test_user_multiple_mfa_methods(session):`
			`user = User(email="multi-mfa@example.com")`
			`session.add(user)`
			`await session.flush()`

			`m1 = MFAMethod(name="Phone", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)`
			`m2 = MFAMethod(name="Backup", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)`
			`session.add_all([m1, m2])`
			`await session.flush()`

			`from sqlmodel import select, func`
			`count = (await session.execute(`
			`select(func.count()).select_from(MFAMethod).where(MFAMethod.user_id == user.id)`
			`)).scalar()`
			`assert count == 2`