feat: initial WireGUI implementation — full VPN management platform
Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health
This commit is contained in:
commit
0546b44507
109 changed files with 11793 additions and 0 deletions
127
tests/test_mfa.py
Normal file
127
tests/test_mfa.py
Normal file
|
|
@ -0,0 +1,127 @@
|
|||
"""Tests for TOTP MFA functionality."""
|
||||
|
||||
import pyotp
|
||||
|
||||
from wiregui.auth.mfa import (
|
||||
generate_totp_qr_svg,
|
||||
generate_totp_secret,
|
||||
get_totp_uri,
|
||||
verify_totp_code,
|
||||
)
|
||||
from wiregui.models.mfa_method import MFAMethod
|
||||
from wiregui.models.user import User
|
||||
|
||||
|
||||
# --- TOTP secret generation ---
|
||||
|
||||
|
||||
def test_generate_secret():
|
||||
secret = generate_totp_secret()
|
||||
assert len(secret) == 32 # base32 encoded
|
||||
assert secret.isalpha() or any(c.isdigit() for c in secret)
|
||||
|
||||
|
||||
def test_generate_secret_unique():
|
||||
s1 = generate_totp_secret()
|
||||
s2 = generate_totp_secret()
|
||||
assert s1 != s2
|
||||
|
||||
|
||||
# --- TOTP URI ---
|
||||
|
||||
|
||||
def test_get_totp_uri():
|
||||
uri = get_totp_uri("JBSWY3DPEHPK3PXP", "user@example.com")
|
||||
assert uri.startswith("otpauth://totp/")
|
||||
assert "user%40example.com" in uri or "user@example.com" in uri
|
||||
assert "secret=JBSWY3DPEHPK3PXP" in uri
|
||||
assert "issuer=WireGUI" in uri
|
||||
|
||||
|
||||
def test_get_totp_uri_custom_issuer():
|
||||
uri = get_totp_uri("SECRET", "test@test.com", issuer="MyVPN")
|
||||
assert "issuer=MyVPN" in uri
|
||||
|
||||
|
||||
# --- TOTP verification ---
|
||||
|
||||
|
||||
def test_verify_valid_code():
|
||||
secret = generate_totp_secret()
|
||||
totp = pyotp.TOTP(secret)
|
||||
code = totp.now()
|
||||
assert verify_totp_code(secret, code) is True
|
||||
|
||||
|
||||
def test_verify_invalid_code():
|
||||
secret = generate_totp_secret()
|
||||
assert verify_totp_code(secret, "000000") is False
|
||||
|
||||
|
||||
def test_verify_wrong_secret():
|
||||
secret1 = generate_totp_secret()
|
||||
secret2 = generate_totp_secret()
|
||||
code = pyotp.TOTP(secret1).now()
|
||||
assert verify_totp_code(secret2, code) is False
|
||||
|
||||
|
||||
def test_verify_empty_code():
|
||||
secret = generate_totp_secret()
|
||||
assert verify_totp_code(secret, "") is False
|
||||
|
||||
|
||||
# --- QR code generation ---
|
||||
|
||||
|
||||
def test_generate_qr_svg():
|
||||
uri = get_totp_uri("SECRET", "test@test.com")
|
||||
svg = generate_totp_qr_svg(uri)
|
||||
assert "<svg" in svg
|
||||
assert "</svg>" in svg
|
||||
|
||||
|
||||
# --- MFA method model integration ---
|
||||
|
||||
|
||||
async def test_create_totp_method(session):
|
||||
user = User(email="mfa-test@example.com")
|
||||
session.add(user)
|
||||
await session.flush()
|
||||
|
||||
secret = generate_totp_secret()
|
||||
method = MFAMethod(
|
||||
name="My Phone",
|
||||
type="totp",
|
||||
payload={"secret": secret},
|
||||
user_id=user.id,
|
||||
)
|
||||
session.add(method)
|
||||
await session.flush()
|
||||
|
||||
from sqlmodel import select
|
||||
fetched = (await session.execute(
|
||||
select(MFAMethod).where(MFAMethod.user_id == user.id)
|
||||
)).scalar_one()
|
||||
|
||||
assert fetched.name == "My Phone"
|
||||
assert fetched.type == "totp"
|
||||
stored_secret = fetched.payload["secret"]
|
||||
code = pyotp.TOTP(stored_secret).now()
|
||||
assert verify_totp_code(stored_secret, code) is True
|
||||
|
||||
|
||||
async def test_user_multiple_mfa_methods(session):
|
||||
user = User(email="multi-mfa@example.com")
|
||||
session.add(user)
|
||||
await session.flush()
|
||||
|
||||
m1 = MFAMethod(name="Phone", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)
|
||||
m2 = MFAMethod(name="Backup", type="totp", payload={"secret": generate_totp_secret()}, user_id=user.id)
|
||||
session.add_all([m1, m2])
|
||||
await session.flush()
|
||||
|
||||
from sqlmodel import select, func
|
||||
count = (await session.execute(
|
||||
select(func.count()).select_from(MFAMethod).where(MFAMethod.user_id == user.id)
|
||||
)).scalar()
|
||||
assert count == 2
|
||||
Loading…
Add table
Add a link
Reference in a new issue