feat: initial WireGUI implementation — full VPN management platform

Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health
2026-03-30 16:53:46 -05:00 · 2026-03-30 16:53:46 -05:00 · 0546b44507
commit 0546b44507
109 changed files with 11793 additions and 0 deletions
--- a/tests/test_models.py
+++ b/tests/test_models.py
@ -0,0 +1,168 @@
+"""Tests for SQLModel table definitions."""
+
+import pytest  # noqa: F401 — needed for pytest.raises
+from sqlmodel import select
+
+from wiregui.models.api_token import ApiToken
+from wiregui.models.configuration import Configuration
+from wiregui.models.connectivity_check import ConnectivityCheck
+from wiregui.models.device import Device
+from wiregui.models.mfa_method import MFAMethod
+from wiregui.models.oidc_connection import OIDCConnection
+from wiregui.models.rule import Rule
+from wiregui.models.user import User
+
+
+async def test_create_user(session):
+    user = User(email="alice@example.com", role="admin")
+    session.add(user)
+    await session.flush()
+
+    result = await session.execute(select(User).where(User.email == "alice@example.com"))
+    fetched = result.scalar_one()
+    assert fetched.id == user.id
+    assert fetched.role == "admin"
+    assert fetched.disabled_at is None
+
+
+async def test_create_device_with_user(session):
+    user = User(email="bob@example.com")
+    session.add(user)
+    await session.flush()
+
+    device = Device(
+        name="laptop",
+        public_key="pk-test-device-001",
+        user_id=user.id,
+    )
+    session.add(device)
+    await session.flush()
+
+    result = await session.execute(select(Device).where(Device.public_key == "pk-test-device-001"))
+    fetched = result.scalar_one()
+    assert fetched.name == "laptop"
+    assert fetched.user_id == user.id
+    assert fetched.use_default_dns is True
+    assert fetched.use_default_allowed_ips is True
+    assert fetched.rx_bytes is None
+
+
+async def test_device_unique_public_key(session):
+    user = User(email="carol@example.com")
+    session.add(user)
+    await session.flush()
+
+    d1 = Device(name="d1", public_key="duplicate-key", user_id=user.id)
+    session.add(d1)
+    await session.flush()
+
+    d2 = Device(name="d2", public_key="duplicate-key", user_id=user.id)
+    session.add(d2)
+    with pytest.raises(Exception):  # IntegrityError
+        await session.flush()
+
+
+async def test_create_rule(session):
+    user = User(email="dave@example.com")
+    session.add(user)
+    await session.flush()
+
+    rule = Rule(action="accept", destination="10.0.0.0/8", user_id=user.id)
+    session.add(rule)
+    await session.flush()
+
+    result = await session.execute(select(Rule).where(Rule.user_id == user.id))
+    fetched = result.scalar_one()
+    assert fetched.action == "accept"
+    assert fetched.destination == "10.0.0.0/8"
+    assert fetched.port_type is None
+    assert fetched.port_range is None
+
+
+async def test_create_rule_with_port(session):
+    rule = Rule(
+        action="drop",
+        destination="192.168.0.0/16",
+        port_type="tcp",
+        port_range="80-443",
+    )
+    session.add(rule)
+    await session.flush()
+
+    fetched = (await session.execute(select(Rule).where(Rule.id == rule.id))).scalar_one()
+    assert fetched.port_type == "tcp"
+    assert fetched.port_range == "80-443"
+    assert fetched.user_id is None  # global rule
+
+
+async def test_create_mfa_method(session):
+    user = User(email="eve@example.com")
+    session.add(user)
+    await session.flush()
+
+    mfa = MFAMethod(
+        name="My Authenticator",
+        type="totp",
+        payload={"secret": "JBSWY3DPEHPK3PXP"},
+        user_id=user.id,
+    )
+    session.add(mfa)
+    await session.flush()
+
+    fetched = (await session.execute(select(MFAMethod).where(MFAMethod.user_id == user.id))).scalar_one()
+    assert fetched.type == "totp"
+    assert fetched.payload["secret"] == "JBSWY3DPEHPK3PXP"
+
+
+async def test_create_oidc_connection(session):
+    user = User(email="frank@example.com")
+    session.add(user)
+    await session.flush()
+
+    conn = OIDCConnection(provider="google", refresh_token="tok_abc", user_id=user.id)
+    session.add(conn)
+    await session.flush()
+
+    fetched = (await session.execute(select(OIDCConnection).where(OIDCConnection.user_id == user.id))).scalar_one()
+    assert fetched.provider == "google"
+    assert fetched.refresh_token == "tok_abc"
+
+
+async def test_create_api_token(session):
+    user = User(email="grace@example.com")
+    session.add(user)
+    await session.flush()
+
+    token = ApiToken(token_hash="sha256_fake_hash", user_id=user.id)
+    session.add(token)
+    await session.flush()
+
+    fetched = (await session.execute(select(ApiToken).where(ApiToken.user_id == user.id))).scalar_one()
+    assert fetched.token_hash == "sha256_fake_hash"
+    assert fetched.expires_at is None
+
+
+async def test_create_connectivity_check(session):
+    check = ConnectivityCheck(url="https://example.com", response_code=200)
+    session.add(check)
+    await session.flush()
+
+    fetched = (await session.execute(select(ConnectivityCheck).where(ConnectivityCheck.id == check.id))).scalar_one()
+    assert fetched.response_code == 200
+
+
+async def test_configuration_defaults(session):
+    config = Configuration()
+    session.add(config)
+    await session.flush()
+
+    fetched = (await session.execute(select(Configuration).where(Configuration.id == config.id))).scalar_one()
+    assert fetched.allow_unprivileged_device_management is True
+    assert fetched.local_auth_enabled is True
+    assert fetched.default_client_mtu == 1280
+    assert fetched.default_client_persistent_keepalive == 25
+    assert fetched.default_client_dns == ["1.1.1.1", "1.0.0.1"]
+    assert fetched.default_client_allowed_ips == ["0.0.0.0/0", "::/0"]
+    assert fetched.vpn_session_duration == 0
+    assert fetched.openid_connect_providers == []
+    assert fetched.saml_identity_providers == []