provvedo/wiregui
2
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages 1 Wiki Activity Actions

Merge branch 'refs/heads/dev'
All checks were successful
CI / test (push) Successful in 1m5s
Details
CI / release (push) Successful in 36s
Details
CI / docker (push) Has been skipped
Details

Browse source
This commit is contained in:
Stefano Bertelli 2026-04-02 23:43:48 -05:00
commit 2a83cead67
61 changed files with 3617 additions and 2166 deletions
Download patch file Download diff file Expand all files Collapse all files

104
.forgejo/workflows/dev.yml
View file

@ -6,7 +6,101 @@ on:
- dev - dev
jobs: jobs:
test:
runs-on: docker
container:
image: python:3.13-slim
services:
postgres:
image: postgres:17
env:
POSTGRES_USER: wiregui
POSTGRES_PASSWORD: wiregui
POSTGRES_DB: wiregui
options: >-
--health-cmd "pg_isready -U wiregui"
--health-interval 5s
--health-timeout 5s
--health-retries 5
valkey:
image: valkey/valkey:8
options: >-
--health-cmd "valkey-cli ping"
--health-interval 5s
--health-timeout 5s
--health-retries 5
env:
CI: "true"
WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui
WG_REDIS_URL: redis://valkey:6379/0
steps:
- name: Install system dependencies and checkout
run: |
apt-get update && apt-get install -y --no-install-recommends \
git wireguard-tools pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl
git clone --depth=1 -b "${GITHUB_REF_NAME}" ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Install uv
run: pip install uv
- name: Install dependencies
run: uv sync
- name: Run migrations
run: uv run alembic upgrade head
- name: Run unit tests
run: uv run pytest tests/ --ignore=tests/e2e --ignore=tests/integration -v --tb=short
release:
needs: test
runs-on: docker
container:
image: python:3.13-slim
outputs:
new_version: ${{ steps.semrel.outputs.new_version }}
skip: ${{ steps.semrel.outputs.skip }}
steps:
- name: Install dependencies and checkout
run: |
apt-get update && apt-get install -y --no-install-recommends git ca-certificates
git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
git checkout ${GITHUB_SHA}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |
git config user.name "Forgejo Actions"
git config user.email "noreply@forge.provvedo.com"
git config --local http.${GITHUB_SERVER_URL}/.extraheader "AUTHORIZATION: basic $(echo -n "x-access-token:${GITHUB_TOKEN}" | base64 -w0)"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install uv and semantic-release
run: |
pip install uv
uv sync --group dev
- name: Semantic release (rc)
id: semrel
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
OUTPUT=$(uv run semantic-release version --print 2>/dev/null || echo "")
if [ -z "$OUTPUT" ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "No release needed"
else
uv run semantic-release version
echo "skip=false" >> "$GITHUB_OUTPUT"
echo "new_version=${OUTPUT}" >> "$GITHUB_OUTPUT"
echo "Released v${OUTPUT}"
fi
docker: docker:
needs: release
if: needs.release.outputs.skip != 'true'
runs-on: docker runs-on: docker
container: container:
image: catthehacker/ubuntu:act-latest image: catthehacker/ubuntu:act-latest
@ -15,20 +109,14 @@ jobs:
- name: Checkout repository - name: Checkout repository
run: | run: |
git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git -b dev . git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git -b dev .
git fetch origin main --tags git fetch origin --tags
- name: Build and push pre-release image - name: Build and push pre-release image
shell: bash shell: bash
env: env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: | run: |
# Derive version from latest tag on main: v1.2.3 -> 1.2.3.dev0, .dev1, etc. VERSION="${{ needs.release.outputs.new_version }}"
LATEST_TAG=$(git describe --tags --abbrev=0 origin/main 2>/dev/null || echo "v0.0.0")
BASE_VERSION="${LATEST_TAG#v}"
# Count commits on dev since that tag
DEV_N=$(git rev-list --count "${LATEST_TAG}..HEAD" 2>/dev/null || echo "0")
VERSION="${BASE_VERSION}.dev${DEV_N}"
REGISTRY=$(echo "${{ github.server_url }}" | sed 's|https://||; s|http://||') REGISTRY=$(echo "${{ github.server_url }}" | sed 's|https://||; s|http://||')
IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui" IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui"

174
.forgejo/workflows/release.yml
View file

@ -23,16 +23,23 @@ jobs:
--health-interval 5s --health-interval 5s
--health-timeout 5s --health-timeout 5s
--health-retries 5 --health-retries 5
valkey:
image: valkey/valkey:8
options: >-
--health-cmd "valkey-cli ping"
--health-interval 5s
--health-timeout 5s
--health-retries 5
env: env:
CI: "true" CI: "true"
WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui
WG_REDIS_URL: redis://valkey:6379/0
steps: steps:
- name: Install system dependencies and checkout - name: Install system dependencies and checkout
run: | run: |
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
git wireguard-tools pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl git wireguard-tools pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl
git clone --depth=1 ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . git clone --depth=1 -b "${GITHUB_REF_NAME}" ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
git checkout ${GITHUB_SHA}
- name: Install uv - name: Install uv
run: pip install uv run: pip install uv
@ -40,146 +47,58 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: uv sync run: uv sync
- name: Run unit tests - name: Run migrations
run: uv run pytest tests/ --ignore=tests/e2e -v --tb=short run: uv run alembic upgrade head
- name: Run E2E tests - name: Run unit tests
run: | run: uv run pytest tests/ --ignore=tests/e2e --ignore=tests/integration -v --tb=short
uv run alembic upgrade head
uv run pytest tests/e2e/ -v --tb=short
release: release:
needs: test needs: test
if: github.ref == 'refs/heads/main' && github.event_name == 'push' if: github.ref == 'refs/heads/main' && github.event_name == 'push'
runs-on: docker runs-on: docker
container: container:
image: node:20-slim image: python:3.13-slim
outputs: outputs:
new_tag: ${{ steps.version.outputs.new_tag }} new_version: ${{ steps.semrel.outputs.new_version }}
new_version: ${{ steps.version.outputs.new_version }} skip: ${{ steps.semrel.outputs.skip }}
skip: ${{ steps.version.outputs.skip }}
steps: steps:
- name: Install dependencies and checkout - name: Install dependencies and checkout
run: | run: |
apt-get update && apt-get install -y --no-install-recommends bash git python3 ca-certificates apt-get update && apt-get install -y --no-install-recommends git ca-certificates
git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
git checkout ${GITHUB_SHA} git checkout ${GITHUB_SHA}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |
git config user.name "Forgejo Actions"
git config user.email "noreply@forge.provvedo.com"
git config --local http.${GITHUB_SERVER_URL}/.extraheader "AUTHORIZATION: basic $(echo -n "x-access-token:${GITHUB_TOKEN}" | base64 -w0)" git config --local http.${GITHUB_SERVER_URL}/.extraheader "AUTHORIZATION: basic $(echo -n "x-access-token:${GITHUB_TOKEN}" | base64 -w0)"
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Determine version bump - name: Install uv and semantic-release
id: version
shell: bash
run: | run: |
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") pip install uv
echo "latest_tag=${LATEST_TAG}" >> "$GITHUB_OUTPUT" uv sync --group dev
CURRENT="${LATEST_TAG#v}" - name: Semantic release
IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT" id: semrel
COMMITS=$(git log "${LATEST_TAG}..HEAD" --pretty=format:"%s" 2>/dev/null || git log --pretty=format:"%s")
BUMP="none"
while IFS= read -r msg; do
case "$msg" in
*"BREAKING CHANGE"*|*"!:"*)
BUMP="major"
break
;;
feat:*|feat\(*)
[ "$BUMP" != "major" ] && BUMP="minor"
;;
fix:*|fix\(*|perf:*|perf\(*|refactor:*|refactor\(*)
[ "$BUMP" = "none" ] && BUMP="patch"
;;
esac
done <<< "$COMMITS"
if [ "$BUMP" = "none" ]; then
echo "No version-relevant commits since ${LATEST_TAG}, skipping release"
echo "skip=true" >> "$GITHUB_OUTPUT"
exit 0
fi
case "$BUMP" in
major) MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0 ;;
minor) MINOR=$((MINOR + 1)); PATCH=0 ;;
patch) PATCH=$((PATCH + 1)) ;;
esac
NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
echo "new_version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
echo "new_tag=v${NEW_VERSION}" >> "$GITHUB_OUTPUT"
echo "bump=${BUMP}" >> "$GITHUB_OUTPUT"
echo "skip=false" >> "$GITHUB_OUTPUT"
echo "Version bump: ${BUMP} -> v${NEW_VERSION}"
- name: Generate changelog
id: changelog
if: steps.version.outputs.skip != 'true'
shell: bash
run: |
LATEST_TAG="${{ steps.version.outputs.latest_tag }}"
NEW_TAG="${{ steps.version.outputs.new_tag }}"
BODY="## ${NEW_TAG}"$'\n\n'
for type_label in "feat:Features" "fix:Bug Fixes" "refactor:Refactoring" "perf:Performance" "docs:Documentation" "chore:Maintenance"; do
prefix="${type_label%%:*}"
label="${type_label#*:}"
MATCHES=$(git log "${LATEST_TAG}..HEAD" --pretty=format:"%s" 2>/dev/null | grep -E "^${prefix}[:(]" || true)
if [ -n "$MATCHES" ]; then
BODY="${BODY}### ${label}"$'\n\n'
while IFS= read -r line; do
CLEAN=$(echo "$line" | sed -E "s/^${prefix}(\([^)]*\))?:\s*//")
BODY="${BODY}- ${CLEAN}"$'\n'
done <<< "$MATCHES"
BODY="${BODY}"$'\n'
fi
done
echo "${BODY}" > /tmp/changelog.md
echo "Generated changelog for ${NEW_TAG}"
- name: Create tag and release
if: steps.version.outputs.skip != 'true'
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
NEW_TAG="${{ steps.version.outputs.new_tag }}" OUTPUT=$(uv run semantic-release version --print 2>/dev/null || echo "")
if [ -z "$OUTPUT" ]; then
git config user.name "Forgejo Actions" echo "skip=true" >> "$GITHUB_OUTPUT"
git config user.email "noreply@forge.provvedo.com" echo "No release needed"
git tag -a "${NEW_TAG}" -m "Release ${NEW_TAG}" else
git push origin "${NEW_TAG}" uv run semantic-release version
echo "skip=false" >> "$GITHUB_OUTPUT"
FORGEJO_URL="${GITHUB_SERVER_URL}" echo "new_version=${OUTPUT}" >> "$GITHUB_OUTPUT"
REPO="${GITHUB_REPOSITORY}" echo "Released v${OUTPUT}"
fi
python3 -c "
import json, urllib.request, os
body = open('/tmp/changelog.md').read()
tag = '${NEW_TAG}'
data = json.dumps({
'tag_name': tag,
'name': tag,
'body': body,
'draft': False,
'prerelease': False
}).encode()
req = urllib.request.Request(
'${FORGEJO_URL}/api/v1/repos/${REPO}/releases',
data=data,
headers={
'Authorization': 'token ' + os.environ['GITHUB_TOKEN'],
'Content-Type': 'application/json'
},
method='POST'
)
resp = urllib.request.urlopen(req)
print(f'Created release {tag} (HTTP {resp.status})')
"
docker: docker:
needs: release needs: release
@ -191,8 +110,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
run: | run: |
git clone --depth=1 ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . git clone --depth=1 -b "${GITHUB_REF_NAME}" ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
git checkout ${GITHUB_SHA}
- name: Build and push image - name: Build and push image
shell: bash shell: bash
@ -200,30 +118,26 @@ jobs:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: | run: |
VERSION="${{ needs.release.outputs.new_version }}" VERSION="${{ needs.release.outputs.new_version }}"
TAG="${{ needs.release.outputs.new_tag }}"
REGISTRY=$(echo "${{ github.server_url }}" | sed 's|https://||; s|http://||') REGISTRY=$(echo "${{ github.server_url }}" | sed 's|https://||; s|http://||')
IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui" IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui"
MAJOR=$(echo "$VERSION" | cut -d. -f1) MAJOR=$(echo "$VERSION" | cut -d. -f1)
MINOR=$(echo "$VERSION" | cut -d. -f2) MINOR=$(echo "$VERSION" | cut -d. -f2)
echo "Building ${IMAGE}:${TAG}" echo "Building ${IMAGE}:v${VERSION}"
# Log in to Forgejo container registry
echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY}" \ echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY}" \
-u "${{ github.repository_owner }}" --password-stdin -u "${{ github.repository_owner }}" --password-stdin
# Build the image
docker build --no-cache \ docker build --no-cache \
--build-arg "VERSION=${VERSION}" \ --build-arg "VERSION=${VERSION}" \
-t "${IMAGE}:${TAG}" \ -t "${IMAGE}:v${VERSION}" \
-t "${IMAGE}:${MAJOR}.${MINOR}" \ -t "${IMAGE}:${MAJOR}.${MINOR}" \
-t "${IMAGE}:latest" \ -t "${IMAGE}:latest" \
. .
# Push all tags docker push "${IMAGE}:v${VERSION}"
docker push "${IMAGE}:${TAG}"
docker push "${IMAGE}:${MAJOR}.${MINOR}" docker push "${IMAGE}:${MAJOR}.${MINOR}"
docker push "${IMAGE}:latest" docker push "${IMAGE}:latest"
echo "Pushed ${IMAGE}:${TAG}, ${IMAGE}:${MAJOR}.${MINOR}, ${IMAGE}:latest" echo "Pushed ${IMAGE}:v${VERSION}, ${IMAGE}:${MAJOR}.${MINOR}, ${IMAGE}:latest"

1
.gitignore vendored
View file

@ -6,3 +6,4 @@ __pycache__/
logs/ logs/
.idea/ .idea/
.coverage .coverage
docker/mock-clients/

2
Dockerfile
View file

@ -20,6 +20,7 @@ RUN uv sync --no-dev --frozen 2>/dev/null || uv sync --no-dev
COPY wiregui/ wiregui/ COPY wiregui/ wiregui/
COPY alembic/ alembic/ COPY alembic/ alembic/
COPY alembic.ini ./ COPY alembic.ini ./
COPY img/ img/
FROM python:3.13-slim AS runner FROM python:3.13-slim AS runner
@ -34,6 +35,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
COPY --from=builder /usr/local/bin/uv /usr/local/bin/uv COPY --from=builder /usr/local/bin/uv /usr/local/bin/uv
COPY --from=builder /app/.venv /app/.venv COPY --from=builder /app/.venv /app/.venv
COPY --from=builder /app/wiregui /app/wiregui COPY --from=builder /app/wiregui /app/wiregui
COPY --from=builder /app/img /app/img
COPY --from=builder /app/alembic /app/alembic COPY --from=builder /app/alembic /app/alembic
COPY --from=builder /app/alembic.ini /app/alembic.ini COPY --from=builder /app/alembic.ini /app/alembic.ini
COPY --from=builder /app/pyproject.toml /app/pyproject.toml COPY --from=builder /app/pyproject.toml /app/pyproject.toml

123
Makefile Normal file
View file

@ -0,0 +1,123 @@
.PHONY: help install migrate dev dev-up dev-down dev-logs \
test test-unit test-e2e test-e2e-headed \
test-stack-up test-stack-seed test-stack-down test-stack-logs test-stack-verify \
prod-build \
clean
# Default target
help:
@echo "WireGUI — available targets:"
@echo ""
@echo " Development (app runs on host, infra in Docker):"
@echo " make install Install dependencies (uv sync)"
@echo " make migrate Run database migrations"
@echo " make dev Start infra + mock IdPs, run app locally"
@echo " make dev-up Start infra only (Postgres, Valkey, mock IdPs)"
@echo " make dev-down Stop all containers"
@echo " make dev-logs Tail container logs"
@echo ""
@echo " Testing:"
@echo " make test Run unit + e2e tests"
@echo " make test-unit Run unit tests only"
@echo " make test-e2e Run e2e tests (headless)"
@echo " make test-e2e-headed Run e2e tests in headed mode (visible browser)"
@echo ""
@echo " Integration stack (containerized WireGUI + WG clients + VictoriaMetrics):"
@echo " make test-stack-up Seed DB, build, start everything"
@echo " make test-stack-down Stop and remove containers + volumes"
@echo " make test-stack-logs Tail logs"
@echo " make test-stack-verify Verify metrics flowing to VictoriaMetrics"
@echo ""
@echo " Production:"
@echo " make prod-build Build production Docker image"
@echo ""
@echo " Housekeeping:"
@echo " make clean Remove generated files, caches, volumes"
# ---------------------------------------------------------------------------
# Development
# ---------------------------------------------------------------------------
install:
uv sync
migrate:
uv run alembic upgrade head
dev-up:
docker compose up -d postgres valkey mock-oidc mock-saml
dev-down:
docker compose down
dev-logs:
docker compose logs -f
dev: dev-up migrate
uv run python -m wiregui.main
# ---------------------------------------------------------------------------
# Testing
# ---------------------------------------------------------------------------
test-unit:
uv run pytest tests/ --ignore=tests/e2e --ignore=tests/integration -v --tb=short
test-e2e:
uv run pytest tests/e2e/ -v --tb=short
test-e2e-headed:
uv run pytest tests/e2e/ --headed --slowmo 100 -v --tb=short
test: test-stack-up test-unit test-e2e
# ---------------------------------------------------------------------------
# Integration test stack (real WireGuard + mock clients + VictoriaMetrics)
# ---------------------------------------------------------------------------
test-stack-up: test-stack-seed
docker compose up -d --build wiregui client1 client2 client3
@echo ""
@echo "Integration stack running:"
@echo " WireGUI: http://localhost:13000 (admin@test.local / admin123)"
@echo " VictoriaMetrics: http://localhost:8428"
@echo " Mock clients: 3 peers generating traffic every 3s"
test-stack-seed:
@echo "[*] Starting infrastructure..."
docker compose up -d postgres valkey victoriametrics mock-oidc mock-saml
@echo "[*] Waiting for Postgres..."
@until docker compose exec -T postgres pg_isready -U wiregui > /dev/null 2>&1; do sleep 1; done
@echo "[*] Running migrations..."
uv run alembic upgrade head
@echo "[*] Seeding server keypair, admin user, and client devices..."
PYTHONPATH=. uv run python docker/mock-clients/setup.py
test-stack-down:
docker compose down -v
test-stack-verify:
uv run pytest tests/integration/ -v --tb=short
test-stack-logs:
docker compose logs -f wiregui client1 client2 client3 victoriametrics
# ---------------------------------------------------------------------------
# Production
# ---------------------------------------------------------------------------
PROD_IMAGE ?= wiregui
PROD_TAG ?= latest
prod-build:
docker build --no-cache -t $(PROD_IMAGE):$(PROD_TAG) .
# ---------------------------------------------------------------------------
# Housekeeping
# ---------------------------------------------------------------------------
clean:
find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true
rm -rf .pytest_cache .coverage htmlcov
rm -rf docker/mock-clients/configs/
rm -rf .nicegui/

77
TESTS.md Normal file
View file

@ -0,0 +1,77 @@
# WireGUI — Test Suite
**Test count: 271 (201 unit + 70 E2E) | Unit coverage: 36% | Effective: ~81% (incl. E2E)**
**Run:** `uv run pytest` (unit) / `uv run pytest tests/e2e/` (E2E via Playwright)
---
## Unit Tests — Coverage by Module
**Done:**
- [x] `wiregui/api/deps.py` (91%) — 11 tests: Bearer token auth, get_current_api_user, require_admin
- [x] `wiregui/services/wireguard.py` (98%) — 6 tests: ensure_interface, set_private_key, set_listen_port, configure_interface
- [x] `wiregui/services/firewall.py` (94%) — 17 tests: _nft/_nft_batch errors, jump rules, policies, get_ruleset
- [x] `wiregui/auth/api_token.py` (100%) — covered via test_api_deps.py
- [x] `wiregui/auth/saml.py` — full SAML flow tested via mock SimpleSAMLphp IdP (e2e)
- [x] `wiregui/utils/server_key.py` (100%) — 3 tests: returns key, raises when missing, raises when empty
**Remaining unit test gaps (by coverage):**
- [ ] `wiregui/auth/seed.py` (29%) — test seed_admin, seed_idp_providers with various YAML configs, ensure_server_keypair
- [ ] `wiregui/tasks/__init__.py` (35%) — test register_task, cancel_all
- [ ] `wiregui/tasks/oidc_refresh.py` (40%) — test successful refresh, failure with notification, disable_vpn_on_oidc_error
- [ ] `wiregui/api/v0/configuration.py` (55%) — test GET/PUT configuration endpoints
- [ ] `wiregui/api/v0/devices.py` (65%) — test CRUD device API endpoints
- [ ] `wiregui/api/v0/rules.py` (70%) — test CRUD rule API endpoints
- [ ] `wiregui/tasks/connectivity.py` (72%) — test connectivity check loop
- [ ] `wiregui/utils/network.py` (73%) — test IPv6 allocation, edge cases in CIDR validation
- [ ] `wiregui/tasks/stats.py` (74%) — test WG stats polling loop
- [ ] `wiregui/tasks/vpn_session.py` (77%) — test session expiry loop
- [ ] `wiregui/auth/webauthn.py` (87%) — test verify_registration, verify_authentication with mock credential data
- [ ] `wiregui/auth/middleware.py` (0%) — test NiceGUI auth middleware redirect logic
---
## E2E Tests (Playwright)
**Completed test suites:**
- [x] `tests/e2e/test_login.py` (6 tests) — valid login, invalid password, nonexistent email, disabled user, logout, unauthenticated redirect
- [x] `tests/e2e/test_devices.py` (2 tests) — add device full flow, name validation
- [x] `tests/e2e/test_account.py` (8 tests) — change password (success/wrong/mismatch/short), create API token, TOTP registration + invalid code, account deletion
- [x] `tests/e2e/test_admin_users.py` (10 tests) — page renders, create user, duplicate email, edit role/password, disable/enable, delete, cascade delete, self-delete guard
- [x] `tests/e2e/test_idp_seed.py` (9 tests) — IdP YAML seeding (noop/missing/invalid, OIDC/SAML add, upsert, preserve), OIDC button visible, full OIDC login flow via mock-oidc
- [x] `tests/e2e/test_mfa_login.py` (4 tests) — MFA redirect on login, valid TOTP completes login, invalid code error, cancel returns to login
- [x] `tests/e2e/test_magic_link_page.py` (4 tests) — page renders, success on submit, empty email error, back to login
- [x] `tests/e2e/test_admin_devices.py` (7 tests) — list all devices, filter by user, create with defaults, create with overrides, edit name/description, delete, config dialog with QR
- [x] `tests/e2e/test_admin_rules.py` (7 tests) — list rules table, create accept/drop/global rules, edit action/destination, delete rule (all verified in DB)
- [x] `tests/e2e/test_admin_settings.py` (9 tests) — client defaults save/reload, security toggles (local auth, VPN session, unprivileged), OIDC add/delete, SAML add/delete (all verified in DB)
- [x] `tests/e2e/test_saml_login.py` (4 tests) — SAML button visible, redirect to IdP, SP metadata endpoint, full SAML login flow via mock SimpleSAMLphp
**Remaining E2E test suites:**
`tests/e2e/test_admin_diagnostics.py` — Admin Diagnostics:
- [ ] Page renders WireGuard interface status
- [ ] Active peers table shows devices with handshakes
- [ ] Connectivity checks table shows recent results
- [ ] Notifications list shows system notifications
- [ ] Clear single notification → removed
- [ ] Clear all notifications → list empty
`tests/e2e/test_devices_user.py` — User Device Pages:
- [ ] Device list shows only own devices (not other users')
- [ ] Create device → shows in table with allocated IPs
- [ ] Device detail page shows public key, IPs, stats, active config
- [ ] Device detail: edit name → persists
- [ ] Device detail: toggle config overrides → custom values saved
- [ ] Device detail: delete with confirmation → redirects to /devices
- [ ] Auto-refresh: stats labels update after timer fires (mock timer)
`tests/e2e/test_account_extended.py` — Account Page (additional):
- [ ] SSO providers section shows connected providers
- [ ] SSO providers section shows "No SSO providers" when empty
- [ ] MFA: add security key (WebAuthn) → method appears in table (mock navigator.credentials)
- [ ] MFA: delete method with confirmation → removed from table
- [ ] API tokens: expired token shows "Expired" badge
- [ ] API tokens: delete token → removed from table
- [ ] API tokens: copy button calls clipboard API
- [ ] Danger zone: disabled when only admin
- [ ] Danger zone: wrong email in confirmation → shows error

161
TODO.md
View file

@ -1,124 +1,93 @@
# WireGUI — Pending Items # WireGUI — TODO
**Test count: 174 (164 unit + 10 E2E) | Coverage: ~35%**
--- ---
## Testing ## WireGuard Metrics Collector
# WireGUI Implementation TODO ### Overview
Migration of Wirezone (Elixir/Phoenix) to Python/NiceGUI. Separate Python process dedicated to high-frequency WireGuard stats collection, with optional VictoriaMetrics time-series storage. Replaces the current 60s in-process polling with a 5s external collector.
Source: `/home/stefanob/PycharmProjects/personal/wirezone`
**Test count: 199 (164 unit + 35 E2E) | Coverage: 35%** ### Current state
**Run:** `uv run pytest` (unit) / `uv run pytest tests/e2e/` (E2E via Playwright) - `tasks/stats.py`: polls `wg show dump` every 60s inside the web process asyncio loop
- UI timers: 30s refresh on device pages
- Worst-case latency: ~90s before a stat change is visible
### Target state
- Collector process: polls every 5s, writes to DB + VictoriaMetrics
- UI timers: 10s refresh
- Worst-case latency: ~15s
## Phase 7: Admin UI ✅ ### Phase 1: Configuration
- [ ] **TODO:** SAML provider management in Authentication tab - [x] Add settings to `config.py`:
- `WG_METRICS_ENABLED: bool = False`
- `WG_METRICS_POLL_INTERVAL: int = 5` (seconds)
- `WG_VICTORIAMETRICS_URL: str | None = None` (e.g. `http://localhost:8428`)
- [x] When `WG_METRICS_ENABLED=false`, keep existing `stats_loop` as fallback
- [x] When `WG_METRICS_ENABLED=true`, skip registering `stats_loop` in `main.py`
## Phase 10: Polish, Testing & Deployment ### Phase 2: Collector process ✅
### Testing (partially done) - [x] Create `wiregui/collector.py` — standalone entry point (`python -m wiregui.collector`)
- [ ] HTTP-level integration tests (OIDC redirect/callback flow with respx mocking) - [x] No NiceGUI dependency — only asyncio + asyncpg + httpx
- [ ] `wiregui/api/deps.py` — test get_current_api_user with real Bearer header parsing, require_admin rejection - [x] Poll `wg show <iface> dump` every `WG_METRICS_POLL_INTERVAL` seconds
- [ ] `wiregui/services/wireguard.py` — test ensure_interface, set_private_key, set_listen_port - [x] Update Device rows in PostgreSQL (same fields as current `stats_loop`)
- [ ] `wiregui/services/firewall.py` — test _nft/_nft_batch error handling, add_device_jump_rule with only ipv4/ipv6 - [x] Push metrics to VictoriaMetrics via `/api/v1/import/prometheus` (if URL configured)
- [ ] `wiregui/tasks/oidc_refresh.py` — test successful refresh, failure with notification, disable_vpn_on_oidc_error - [x] Graceful shutdown on SIGTERM/SIGINT
- [ ] `wiregui/auth/saml.py` (0%) — needs mock SAML IdP metadata + response parsing - [x] Web app spawns collector as subprocess when `WG_METRICS_ENABLED=true`
- [ ] `wiregui/auth/webauthn.py` — test verify_registration, verify_authentication with mock credential data - [x] Web app terminates collector on shutdown
- [ ] E2E tests for admin pages (users, devices, rules, settings)
**E2E page tests (Playwright async API in `tests/e2e/`):** ### Phase 3: VictoriaMetrics metrics ✅
- [x] `tests/e2e/test_login.py` (6 tests) — valid login, invalid password, nonexistent email, disabled user, logout, unauthenticated redirect
- [x] `tests/e2e/test_devices.py` (2 tests) — add device full flow, name validation
- [x] `tests/e2e/test_account.py` (8 tests) — change password (success/wrong/mismatch/short), create API token, TOTP registration + invalid code, account deletion
- [x] `tests/e2e/test_admin_users.py` (10 tests) — page renders, create user, duplicate email, edit role/password, disable/enable, delete, cascade delete, self-delete guard
- [x] `tests/e2e/test_idp_seed.py` (9 tests) — IdP YAML seeding (noop/missing/invalid, OIDC/SAML add, upsert, preserve), OIDC button visible, full OIDC login flow via mock-oidc
**E2E tests still needed:** All metrics implemented in `collector.py` and verified by integration tests:
- [x] `wiregui_peer_rx_bytes{public_key, user_email, device_name}` — counter
- [x] `wiregui_peer_tx_bytes{public_key, user_email, device_name}` — counter
- [x] `wiregui_peer_latest_handshake_seconds{public_key, user_email, device_name}` — gauge
- [x] `wiregui_peer_connected{public_key, user_email, device_name}` — 1 if handshake < 180s, else 0
- [x] `wiregui_peers_total` — gauge, count of active peers
`tests/e2e/test_login.py` — Login & Auth flows (remaining): ### Phase 4: UI improvements
- [ ] Login with MFA → redirects to /mfa challenge page
- [ ] MFA challenge: valid TOTP code → completes login
- [ ] MFA challenge: invalid code → shows error, stays on /mfa
- [ ] MFA challenge: cancel → returns to /login
- [ ] Magic link request page renders, shows success on submit
`tests/e2e/test_admin_devices.py` — Admin Device Management: - [x] Reduce UI timer from 30s to 5s on all device pages (devices.py, admin/devices.py, detail page)
- [ ] List all devices across users - [x] Add connection status indicator (green/yellow/red dot) based on handshake age
- [ ] Filter by user → shows only that user's devices - Green: handshake < 2 min
- [ ] Create device with full config overrides (DNS, endpoint, MTU, keepalive, allowed IPs) - Yellow: handshake < 5 min
- [ ] Create device with defaults → use_default flags all True - Red: no recent handshake or never connected
- [ ] Edit device name and description → persists - [x] Status column in both user and admin device tables
- [ ] Edit device config overrides (toggle use_default off, set custom values) - [x] Status badge on device detail page (live-updating)
- [ ] Delete device → removed from table - [x] Add traffic rate display (RX/s, TX/s computed from delta between 5s polls)
- [ ] Config dialog shows valid WireGuard config with real server public key - [x] Device detail page: live ECharts traffic rate chart (RX/s + TX/s area lines, 60-point rolling window, auto-scaled axis with human-readable byte formatting)
- [ ] QR code renders in config dialog
`tests/e2e/test_admin_rules.py` — Admin Firewall Rules: ### Phase 5: Infrastructure ✅
- [ ] List rules → table shows action, destination, protocol, port, user
- [ ] Create accept rule with CIDR → appears in table
- [ ] Create drop rule with TCP port range → appears correctly
- [ ] Create global rule (no user) → shows "Global"
- [ ] Edit rule action (accept → drop) → persists
- [ ] Edit rule destination → persists
- [ ] Delete rule → removed from table
`tests/e2e/test_admin_settings.py` — Admin Settings: - [x] Create `compose.test.yml` — full integration stack with real WG
- [ ] Client defaults: save endpoint, DNS, MTU, keepalive, allowed IPs → persists in DB - [x] Add VictoriaMetrics (single-node, port 8428, 7d retention)
- [ ] Client defaults: saved values reflected on page reload - [x] Add 3 mock WG client containers (alpine + wireguard-tools)
- [ ] Security: toggle local auth → persists - [x] Clients generate traffic by pinging each other through the tunnel every 3s
- [ ] Security: change VPN session duration → persists - [x] Setup script (`docker/mock-clients/setup.py`) generates keypairs and configs
- [ ] Security: toggle unprivileged device management/configuration → persists - [x] Collector runs as subprocess inside the WireGUI container (shares network namespace)
- [ ] OIDC: add provider → appears in table - [ ] Add VictoriaMetrics to dev `compose.yml` (optional, for local testing)
- [ ] OIDC: delete provider → removed from table
- [ ] SAML: add provider → appears in table
- [ ] SAML: delete provider → removed from table
`tests/e2e/test_admin_diagnostics.py` — Admin Diagnostics: ### Design notes
- [ ] Page renders WireGuard interface status
- [ ] Active peers table shows devices with handshakes
- [ ] Connectivity checks table shows recent results
- [ ] Notifications list shows system notifications
- [ ] Clear single notification → removed
- [ ] Clear all notifications → list empty
`tests/e2e/test_devices_user.py` — User Device Pages: - **Why a separate process?** The `wg show` subprocess call and DB writes at 5s intervals shouldn't share the asyncio loop with the web app. A separate process ensures UI responsiveness isn't affected by stats collection.
- [ ] Device list shows only own devices (not other users') - **Why not `run.cpu_bound`?** That uses `ProcessPoolExecutor` for one-shot CPU tasks inside request handling — not suitable for a long-running daemon. A separate entry point is cleaner.
- [ ] Create device → shows in table with allocated IPs - **VictoriaMetrics push model:** Use the Prometheus remote write API. No scrape config needed — the collector pushes directly. VictoriaMetrics is optional; the collector works fine with just PostgreSQL.
- [ ] Device detail page shows public key, IPs, stats, active config - **Backward compatible:** When `WG_METRICS_ENABLED=false` (default), everything works exactly as it does today.
- [ ] Device detail: edit name → persists
- [ ] Device detail: toggle config overrides → custom values saved ---
- [ ] Device detail: delete with confirmation → redirects to /devices
- [ ] Auto-refresh: stats labels update after timer fires (mock timer) ## CI/Testing
- [ ] Fix E2E tests in CI — tests pass locally but fail in the Forgejo Actions container environment (stale DB reads between app subprocess and test process, Playwright can't resolve Docker service hostnames for SAML redirect). Currently disabled in `.forgejo/workflows/dev.yml`.
## UI ## UI
- [ ] SAML provider management in Authentication tab (admin settings)
- [ ] SSO Providers on account page: add Status column, "Disconnect" action - [ ] SSO Providers on account page: add Status column, "Disconnect" action
- [ ] Admin pages (users, devices, rules): apply same card-based styling as account/settings/diagnostics - [ ] Admin pages (users, devices, rules): apply same card-based styling as account/settings/diagnostics
`tests/e2e/test_account_extended.py` — Account Page (additional):
- [ ] SSO providers section shows connected providers
- [ ] SSO providers section shows "No SSO providers" when empty
- [ ] MFA: add security key (WebAuthn) → method appears in table (mock navigator.credentials)
- [ ] MFA: delete method with confirmation → removed from table
- [ ] API tokens: expired token shows "Expired" badge
- [ ] API tokens: delete token → removed from table
- [ ] API tokens: copy button calls clipboard API
- [ ] Danger zone: disabled when only admin
- [ ] Danger zone: wrong email in confirmation → shows error
## Features ## Features
### Deployment ✅
- [ ] First-run CLI setup command - [ ] First-run CLI setup command
---
### Remaining
- [ ] SSO Providers: add Status column, "Disconnect" action
- [ ] Admin pages (users, devices, rules): apply same card-based styling

22
compose.prod.yml
View file

@ -16,7 +16,7 @@ services:
- net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.all.disable_ipv6=0 - net.ipv6.conf.all.disable_ipv6=0
environment: environment:
WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui WG_DATABASE_URL: postgresql+asyncpg://wiregui:${POSTGRES_PASSWORD:-wiregui}@postgres/wiregui
WG_REDIS_URL: redis://valkey:6379/0 WG_REDIS_URL: redis://valkey:6379/0
WG_SECRET_KEY: ${WG_SECRET_KEY:-change-me-in-production} WG_SECRET_KEY: ${WG_SECRET_KEY:-change-me-in-production}
WG_WG_ENABLED: "true" WG_WG_ENABLED: "true"
@ -28,6 +28,10 @@ services:
WG_ADMIN_EMAIL: ${WG_ADMIN_EMAIL:-admin@localhost} WG_ADMIN_EMAIL: ${WG_ADMIN_EMAIL:-admin@localhost}
WG_ADMIN_PASSWORD: ${WG_ADMIN_PASSWORD:-} WG_ADMIN_PASSWORD: ${WG_ADMIN_PASSWORD:-}
WG_LOG_TO_FILE: "true" WG_LOG_TO_FILE: "true"
WG_METRICS_ENABLED: "true"
WG_METRICS_POLL_INTERVAL: "5"
WG_VICTORIAMETRICS_URL: http://victoriametrics:8428
WG_IDP_CONFIG_FILE: ${WG_IDP_CONFIG_FILE:-}
volumes: volumes:
- wiregui_logs:/app/logs - wiregui_logs:/app/logs
depends_on: depends_on:
@ -35,15 +39,15 @@ services:
condition: service_healthy condition: service_healthy
valkey: valkey:
condition: service_started condition: service_started
victoriametrics:
condition: service_started
postgres: postgres:
image: postgres:17 image: postgres:17
restart: unless-stopped restart: unless-stopped
ports:
- "5432:5432"
environment: environment:
POSTGRES_USER: wiregui POSTGRES_USER: wiregui
POSTGRES_PASSWORD: wiregui POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-wiregui}
POSTGRES_DB: wiregui POSTGRES_DB: wiregui
volumes: volumes:
- postgres_data:/var/lib/postgresql/data - postgres_data:/var/lib/postgresql/data
@ -59,7 +63,17 @@ services:
volumes: volumes:
- valkey_data:/data - valkey_data:/data
victoriametrics:
image: victoriametrics/victoria-metrics:v1.108.1
restart: unless-stopped
command:
- "-retentionPeriod=90d"
- "-httpListenAddr=:8428"
volumes:
- vm_data:/victoria-metrics-data
volumes: volumes:
postgres_data: postgres_data:
valkey_data: valkey_data:
wiregui_logs: wiregui_logs:
vm_data:

162
compose.yml
View file

@ -1,12 +1,29 @@
# WireGUI — unified compose stack
#
# Dev mode (app runs on host):
# make dev — starts infra + mock IdPs, runs app locally
# make dev-up — starts infra only
#
# Integration test mode (real WireGuard + mock clients + metrics):
# make test-stack-up — seeds DB, builds, starts everything
# make test-stack-down — tears down and removes volumes
#
# Services are opt-in: only start what you need.
services: services:
# ---------------------------------------------------------------------------
# Core infrastructure (always needed)
# ---------------------------------------------------------------------------
postgres: postgres:
image: postgres:17 image: postgres:17
ports:
- "5432:5432"
environment: environment:
POSTGRES_USER: wiregui POSTGRES_USER: wiregui
POSTGRES_PASSWORD: wiregui POSTGRES_PASSWORD: wiregui
POSTGRES_DB: wiregui POSTGRES_DB: wiregui
ports:
- "5432:5432"
volumes: volumes:
- postgres_data:/var/lib/postgresql/data - postgres_data:/var/lib/postgresql/data
@ -17,6 +34,147 @@ services:
volumes: volumes:
- valkey_data:/data - valkey_data:/data
# ---------------------------------------------------------------------------
# Mock identity providers (dev + e2e tests)
# ---------------------------------------------------------------------------
# OIDC — accepts any login, issues real JWTs
# Discovery: http://localhost:9000/test-idp/.well-known/openid-configuration
mock-oidc:
image: ghcr.io/navikt/mock-oauth2-server:2.1.10
ports:
- "9000:9000"
environment:
SERVER_PORT: "9000"
JSON_CONFIG: >
{
"interactiveLogin": true,
"httpServer": "NettyWrapper",
"tokenCallbacks": [
{
"issuerId": "test-idp",
"tokenExpiry": 3600,
"requestMappings": [
{
"requestParam": "scope",
"match": "*",
"claims": {
"sub": "$${claim:sub}",
"email": "$${claim:sub}@test.local",
"name": "Test User"
}
}
]
}
]
}
# SAML — SimpleSAMLphp as IdP
# Metadata: http://localhost:8080/simplesaml/saml2/idp/metadata.php
# Admin: http://localhost:8080/simplesaml (admin / secret)
# Users: user1/password, user2/password
mock-saml:
image: kenchan0130/simplesamlphp
ports:
- "8080:8080"
environment:
SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:13000/auth/saml/test-saml/metadata"
SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:13000/auth/saml/test-saml/callback"
SIMPLESAMLPHP_IDP_BASE_URL: http://localhost:8080/simplesaml/
volumes:
- ./docker/mock-saml/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php:ro
# ---------------------------------------------------------------------------
# WireGUI server (integration test mode — containerized with real WG)
# ---------------------------------------------------------------------------
wiregui:
build: .
ports:
- "13000:13000"
# 51820/udp exposed inside Docker network only — clients connect via service name
# Uncomment to expose to host: - "51820:51820/udp"
environment:
WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui
WG_REDIS_URL: redis://valkey:6379/0
WG_WG_ENABLED: "true"
WG_EXTERNAL_URL: http://localhost:13000
WG_ENDPOINT_HOST: wiregui
WG_METRICS_ENABLED: "true"
WG_METRICS_POLL_INTERVAL: "5"
WG_VICTORIAMETRICS_URL: http://victoriametrics:8428
WG_ADMIN_EMAIL: admin@test.local
WG_ADMIN_PASSWORD: admin123
WG_LOG_TO_FILE: "false"
WG_SECRET_KEY: test-secret-key-for-integration
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.ip_forward=1
- net.ipv6.conf.all.forwarding=1
depends_on:
- postgres
- valkey
# ---------------------------------------------------------------------------
# Metrics (integration test mode)
# ---------------------------------------------------------------------------
victoriametrics:
image: victoriametrics/victoria-metrics:v1.108.1
ports:
- "8428:8428"
command:
- "-retentionPeriod=7d"
- "-httpListenAddr=:8428"
volumes:
- vm_data:/victoria-metrics-data
# ---------------------------------------------------------------------------
# Mock WireGuard clients (integration test mode)
# Configs generated by: make test-stack-seed
# ---------------------------------------------------------------------------
client1:
build: docker/mock-clients
environment:
CLIENT_IP: ${CLIENT1_IP:-10.3.2.101}
PEER_IPS: ${CLIENT1_PEERS:-10.3.2.102 10.3.2.103}
PING_INTERVAL: "3"
volumes:
- ./docker/mock-clients/configs/client1.conf:/etc/wireguard/wg0.conf:ro
cap_add:
- NET_ADMIN
depends_on:
- wiregui
client2:
build: docker/mock-clients
environment:
CLIENT_IP: ${CLIENT2_IP:-10.3.2.102}
PEER_IPS: ${CLIENT2_PEERS:-10.3.2.101 10.3.2.103}
PING_INTERVAL: "3"
volumes:
- ./docker/mock-clients/configs/client2.conf:/etc/wireguard/wg0.conf:ro
cap_add:
- NET_ADMIN
depends_on:
- wiregui
client3:
build: docker/mock-clients
environment:
CLIENT_IP: ${CLIENT3_IP:-10.3.2.103}
PEER_IPS: ${CLIENT3_PEERS:-10.3.2.101 10.3.2.102}
PING_INTERVAL: "3"
volumes:
- ./docker/mock-clients/configs/client3.conf:/etc/wireguard/wg0.conf:ro
cap_add:
- NET_ADMIN
depends_on:
- wiregui
volumes: volumes:
postgres_data: postgres_data:
valkey_data: valkey_data:
vm_data:

4
docker/mock-clients/Dockerfile Normal file
View file

@ -0,0 +1,4 @@
FROM alpine:3.20
RUN apk add --no-cache wireguard-tools iproute2 iputils-ping
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

27
docker/mock-clients/entrypoint.sh Executable file
View file

@ -0,0 +1,27 @@
#!/bin/sh
# WireGuard mock client — configures interface and generates traffic
set -e
echo "[*] Configuring WireGuard interface..."
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add "${CLIENT_IP}/32" dev wg0
ip link set wg0 up
# Route traffic to the VPN subnet through the tunnel
ip route add 10.3.2.0/24 dev wg0
echo "[*] WireGuard client up: ${CLIENT_IP}"
echo "[*] Generating traffic to peers every ${PING_INTERVAL:-5}s..."
while true; do
# Ping the server (first host in the subnet)
ping -c 1 -W 1 10.3.2.1 > /dev/null 2>&1 || true
# Ping other peers if specified
for peer_ip in $PEER_IPS; do
ping -c 1 -W 1 "$peer_ip" > /dev/null 2>&1 || true
done
sleep "${PING_INTERVAL:-5}"
done

147
docker/mock-clients/setup.py Normal file
View file

@ -0,0 +1,147 @@
#!/usr/bin/env python3
"""Seed the test stack: generate server + client keypairs, write client WG configs,
and insert devices into the database.
Usage: uv run python docker/mock-clients/setup.py
Requires: Postgres running and migrations applied (alembic upgrade head).
"""
import asyncio
import sys
from pathlib import Path
from uuid import uuid4
from sqlmodel import select
from wiregui.auth.passwords import hash_password
from wiregui.db import async_session, engine
from wiregui.models.configuration import Configuration
from wiregui.models.device import Device
from wiregui.models.user import User
from wiregui.utils.crypto import generate_keypair, generate_preshared_key
NUM_CLIENTS = 3
SUBNET = "10.3.2"
SERVER_ENDPOINT = "wiregui:51820"
CONFIG_DIR = Path(__file__).parent / "configs"
# Test admin user
ADMIN_EMAIL = "admin@test.local"
ADMIN_PASSWORD = "admin123"
# Client definitions
CLIENTS = [
{"name": f"test-client-{i}", "ip": f"{SUBNET}.{100 + i}"}
for i in range(1, NUM_CLIENTS + 1)
]
async def seed():
CONFIG_DIR.mkdir(parents=True, exist_ok=True)
async with async_session() as session:
# --- Server keypair ---
config = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
if config is None:
config = Configuration()
session.add(config)
await session.flush()
if not config.server_private_key or not config.server_public_key:
server_priv, server_pub = generate_keypair()
config.server_private_key = server_priv
config.server_public_key = server_pub
session.add(config)
print(f" Server keypair generated: {server_pub[:20]}...")
else:
server_pub = config.server_public_key
print(f" Server keypair already exists: {server_pub[:20]}...")
# --- Admin user ---
admin = (await session.execute(
select(User).where(User.email == ADMIN_EMAIL)
)).scalar_one_or_none()
if admin is None:
admin = User(
email=ADMIN_EMAIL,
password_hash=hash_password(ADMIN_PASSWORD),
role="admin",
)
session.add(admin)
await session.flush()
print(f" Admin user created: {ADMIN_EMAIL}")
else:
print(f" Admin user already exists: {ADMIN_EMAIL}")
# --- Client devices (delete + recreate for clean state) ---
client_names = [c["name"] for c in CLIENTS]
client_ips = [c["ip"] for c in CLIENTS]
stale = (await session.execute(
select(Device).where(
Device.name.in_(client_names) | Device.ipv4.in_(client_ips)
)
)).scalars().all()
for d in stale:
await session.delete(d)
if stale:
await session.flush()
print(f" Cleaned up {len(stale)} stale device(s)")
for client in CLIENTS:
client_priv, client_pub = generate_keypair()
psk = generate_preshared_key()
device = Device(
name=client["name"],
public_key=client_pub,
preshared_key=psk,
ipv4=client["ip"],
user_id=admin.id,
)
session.add(device)
client["privkey"] = client_priv
client["pubkey"] = client_pub
client["psk"] = psk
print(f" Device '{client['name']}' created ({client['ip']})")
await session.commit()
# --- Write client WG configs ---
for i, client in enumerate(CLIENTS):
conf = f"""[Interface]
PrivateKey = {client["privkey"]}
[Peer]
PublicKey = {server_pub}
PresharedKey = {client["psk"]}
Endpoint = {SERVER_ENDPOINT}
AllowedIPs = {SUBNET}.0/24
PersistentKeepalive = 5
"""
conf_path = CONFIG_DIR / f"client{i + 1}.conf"
conf_path.write_text(conf)
print(f" Config written: {conf_path}")
# --- Write env vars for compose ---
env_lines = []
for i, client in enumerate(CLIENTS):
other_ips = " ".join(c["ip"] for c in CLIENTS if c["ip"] != client["ip"])
env_lines.append(f"CLIENT{i + 1}_IP={client['ip']}")
env_lines.append(f"CLIENT{i + 1}_PEERS={other_ips}")
env_path = CONFIG_DIR / "clients.env"
env_path.write_text("\n".join(env_lines) + "\n")
await engine.dispose()
def main():
print("[*] Seeding test stack...")
asyncio.run(seed())
print("\n[*] Done. Start the stack with:")
print(" make test-stack-up")
if __name__ == "__main__":
main()

15
docker/mock-saml/saml20-sp-remote.php Normal file
View file

@ -0,0 +1,15 @@
<?php
/**
* SAML 2.0 remote SP metadata for WireGUI testing.
* Registers SPs for dev (port 13000) and e2e test (port 13003).
*/
// Dev instance
$metadata['http://localhost:13000/auth/saml/test-saml/metadata'] = [
'AssertionConsumerService' => 'http://localhost:13000/auth/saml/test-saml/callback',
];
// E2E test instance
$metadata['http://localhost:13003/auth/saml/test-saml/metadata'] = [
'AssertionConsumerService' => 'http://localhost:13003/auth/saml/test-saml/callback',
];

1
img/wiregui.svg Normal file
View file

File diff suppressed because one or more lines are too long
Side by side

After

Width:  |  Height:  |  Size: 45 KiB

35
pyproject.toml
View file

@ -43,6 +43,7 @@ dev = [
"pytest>=8.0", "pytest>=8.0",
"pytest-asyncio>=0.24", "pytest-asyncio>=0.24",
"pytest-cov>=7.1.0", "pytest-cov>=7.1.0",
"python-semantic-release>=9.0",
"respx>=0.22.0", "respx>=0.22.0",
] ]
@ -55,3 +56,37 @@ testpaths = ["tests"]
# NiceGUI's testing plugin conflicts with unit tests when loaded together # NiceGUI's testing plugin conflicts with unit tests when loaded together
addopts = "--ignore=tests/e2e" addopts = "--ignore=tests/e2e"
main_file = "wiregui/main.py" main_file = "wiregui/main.py"
# ---------------------------------------------------------------------------
# Semantic Release
# ---------------------------------------------------------------------------
[tool.semantic_release]
version_toml = ["pyproject.toml:project.version"]
tag_format = "v{version}"
commit_message = "chore(release): {version}"
build_command = ""
major_on_zero = false
[tool.semantic_release.branches.main]
match = "(main|master)"
prerelease = false
[tool.semantic_release.branches.dev]
match = "dev"
prerelease = true
prerelease_token = "rc"
[tool.semantic_release.changelog]
exclude_commit_patterns = [
"^chore\\(release\\):",
]
[tool.semantic_release.changelog.default_templates]
changelog_file = "CHANGELOG.md"
[tool.semantic_release.remote]
type = "gitea"
token = { env = "GITHUB_TOKEN" }
[tool.semantic_release.publish]
upload_to_vcs_release = false

239
tests/e2e/test_admin_devices.py Normal file
View file

@ -0,0 +1,239 @@
"""E2E tests for admin device management page."""
import pytest_asyncio
from playwright.async_api import Page, expect
from sqlmodel import select
from wiregui.auth.passwords import hash_password
from wiregui.db import async_session
from wiregui.models.device import Device
from wiregui.models.user import User
from wiregui.utils.crypto import generate_keypair, generate_preshared_key
from tests.e2e.conftest import (
TEST_APP_BASE,
TEST_EMAIL,
TEST_PASSWORD,
_cleanup_user_by_email,
login,
)
SECOND_USER_EMAIL = "e2e-device-user2@example.com"
@pytest_asyncio.fixture
async def second_user(test_user):
"""Create a second user with a device for filtering tests."""
await _cleanup_user_by_email(SECOND_USER_EMAIL)
async with async_session() as session:
user = User(
email=SECOND_USER_EMAIL,
password_hash=hash_password("pass12345"),
role="unprivileged",
)
session.add(user)
await session.commit()
await session.refresh(user)
yield user
await _cleanup_user_by_email(SECOND_USER_EMAIL)
@pytest_asyncio.fixture
async def devices_for_both_users(test_user, second_user):
"""Create one device per user for table/filter tests."""
_, pub1 = generate_keypair()
_, pub2 = generate_keypair()
psk1 = generate_preshared_key()
psk2 = generate_preshared_key()
async with async_session() as session:
d1 = Device(
name="admin-laptop",
public_key=pub1,
preshared_key=psk1,
ipv4="10.0.0.10",
user_id=test_user.id,
)
d2 = Device(
name="user2-phone",
public_key=pub2,
preshared_key=psk2,
ipv4="10.0.0.11",
user_id=second_user.id,
)
session.add_all([d1, d2])
await session.commit()
yield d1, d2
# Cleanup handled by user fixture cascade
async def _go_to_admin_devices(page: Page):
"""Login as admin and navigate to admin devices page."""
await login(page)
await expect(page.get_by_text("My Devices")).to_be_visible(timeout=10_000)
await page.goto(f"{TEST_APP_BASE}/admin/devices")
await expect(page.locator("role=main").get_by_text("All Devices")).to_be_visible(timeout=10_000)
async def test_list_all_devices(page: Page, devices_for_both_users):
"""Admin devices page lists devices from all users."""
await _go_to_admin_devices(page)
await expect(page.get_by_text("admin-laptop")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("user2-phone")).to_be_visible(timeout=5_000)
async def test_filter_by_user(page: Page, second_user, devices_for_both_users):
"""Filtering by user shows only that user's devices."""
await _go_to_admin_devices(page)
await expect(page.get_by_text("admin-laptop")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("user2-phone")).to_be_visible(timeout=5_000)
# Filter to second user
await page.locator("label:has-text('Filter by User')").click()
await page.get_by_role("option", name=SECOND_USER_EMAIL).click()
await page.wait_for_timeout(1000)
await expect(page.get_by_text("user2-phone")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("admin-laptop")).not_to_be_visible()
# Filter back to all
await page.locator("label:has-text('Filter by User')").click()
await page.get_by_role("option", name="All Users").click()
await page.wait_for_timeout(1000)
await expect(page.get_by_text("admin-laptop")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("user2-phone")).to_be_visible(timeout=5_000)
async def test_create_device_with_defaults(page: Page, test_user):
"""Create device with all defaults — config dialog appears."""
await _go_to_admin_devices(page)
await page.get_by_role("button", name="Add Device").click()
await expect(page.get_by_text("New Device")).to_be_visible(timeout=5_000)
await page.locator("input[aria-label='Device Name']").fill("default-test-device")
await page.get_by_role("button", name="Create").click()
# Config dialog should appear with WireGuard config
await expect(page.get_by_text("Config for default-test-device")).to_be_visible(timeout=10_000)
await expect(page.get_by_text("[Interface]")).to_be_visible(timeout=5_000)
await page.get_by_role("button", name="Close").click()
await page.wait_for_timeout(500)
# Device should be in the table
await expect(page.get_by_role("cell", name="default-test-device").first).to_be_visible(timeout=5_000)
async def test_create_device_with_overrides(page: Page, test_user):
"""Create device with custom config overrides."""
await _go_to_admin_devices(page)
await page.get_by_role("button", name="Add Device").click()
await expect(page.get_by_text("New Device")).to_be_visible(timeout=5_000)
await page.locator("input[aria-label='Device Name']").fill("custom-override-dev")
await page.locator("input[aria-label='Description (optional)']").fill("Custom overrides test")
# Toggle off DNS default and set custom — Quasar switches use .q-toggle
await page.locator(".q-toggle", has_text="Use default DNS").click()
dns_input = page.locator("input[aria-label='DNS Servers']")
await dns_input.clear()
await dns_input.fill("8.8.8.8, 8.8.4.4")
# Toggle off MTU default and set custom
await page.locator(".q-toggle", has_text="Use default MTU").click()
mtu_input = page.locator("input[aria-label='MTU']")
await mtu_input.clear()
await mtu_input.fill("1400")
await page.get_by_role("button", name="Create").click()
await expect(page.get_by_text("Config for custom-override-dev")).to_be_visible(timeout=10_000)
await page.get_by_role("button", name="Close").click()
await page.wait_for_timeout(500)
await expect(page.get_by_role("cell", name="custom-override-dev").first).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
result = await session.execute(
select(Device).where(Device.name == "custom-override-dev")
.order_by(Device.inserted_at.desc()).limit(1)
)
device = result.scalar_one()
assert device.use_default_dns is False
assert "8.8.8.8" in device.dns
assert device.use_default_mtu is False
assert device.mtu == 1400
async def test_edit_device_name_and_description(page: Page, devices_for_both_users):
"""Edit a device name and description via the edit dialog."""
await _go_to_admin_devices(page)
await expect(page.get_by_text("admin-laptop")).to_be_visible(timeout=5_000)
# Click edit button on admin-laptop row — Quasar slot buttons with icon
row = page.locator("tr", has_text="admin-laptop")
await row.locator(".q-btn").first.click()
await expect(page.get_by_text("Edit Device")).to_be_visible(timeout=5_000)
name_input = page.locator(".q-dialog input[aria-label='Device Name']")
await name_input.clear()
await name_input.fill("admin-laptop-renamed")
desc_input = page.locator(".q-dialog input[aria-label='Description']")
await desc_input.clear()
await desc_input.fill("Updated description")
await page.get_by_role("button", name="Save").click()
await expect(page.get_by_text("Device updated")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("admin-laptop-renamed")).to_be_visible(timeout=5_000)
async def test_delete_device(page: Page, test_user):
"""Delete a device — removed from table."""
_, pub = generate_keypair()
async with async_session() as session:
d = Device(
name="delete-me-device",
public_key=pub,
preshared_key=generate_preshared_key(),
ipv4="10.0.0.99",
user_id=test_user.id,
)
session.add(d)
await session.commit()
await _go_to_admin_devices(page)
await expect(page.get_by_role("cell", name="delete-me-device")).to_be_visible(timeout=5_000)
# Click the delete (second) button in the row
row = page.locator("tr", has_text="delete-me-device")
await row.locator(".q-btn").nth(1).click()
await expect(page.get_by_text("Deleted delete-me-device")).to_be_visible(timeout=5_000)
await page.wait_for_timeout(1000)
await expect(page.get_by_role("cell", name="delete-me-device")).not_to_be_visible()
async def test_config_dialog_shows_wg_config(page: Page, test_user):
"""Config dialog after device creation shows valid WireGuard config."""
await _go_to_admin_devices(page)
await page.get_by_role("button", name="Add Device").click()
await expect(page.get_by_text("New Device")).to_be_visible(timeout=5_000)
await page.locator("input[aria-label='Device Name']").fill("config-test-device")
await page.get_by_role("button", name="Create").click()
await expect(page.get_by_text("Config for config-test-device")).to_be_visible(timeout=10_000)
await expect(page.get_by_text("[Interface]")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("[Peer]")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("PrivateKey")).to_be_visible()
await expect(page.get_by_role("button", name="Download .conf")).to_be_visible()
# QR code should be rendered
await expect(page.locator(".q-dialog img")).to_be_visible(timeout=5_000)

227
tests/e2e/test_admin_rules.py Normal file
View file

@ -0,0 +1,227 @@
"""E2E tests for admin firewall rules management page."""
from uuid import UUID
import pytest_asyncio
from playwright.async_api import Page, expect
from sqlmodel import select
from wiregui.db import async_session
from wiregui.models.rule import Rule
from wiregui.models.user import User
from tests.e2e.conftest import TEST_APP_BASE, TEST_EMAIL, login
async def _cleanup_test_rules():
"""Remove rules created by tests (identified by test-specific destinations)."""
async with async_session() as session:
result = await session.execute(
select(Rule).where(Rule.destination.in_([
"10.99.0.0/16", "10.88.0.0/16", "10.77.0.0/16",
"10.66.0.0/16", "10.55.0.0/16",
]))
)
for rule in result.scalars().all():
await session.delete(rule)
await session.commit()
@pytest_asyncio.fixture(autouse=True)
async def clean_rules(app_server):
"""Clean up test rules before and after each test."""
await _cleanup_test_rules()
yield
await _cleanup_test_rules()
async def _go_to_rules(page: Page):
"""Login and navigate to admin rules page."""
await login(page)
await expect(page.get_by_text("My Devices")).to_be_visible(timeout=10_000)
await page.goto(f"{TEST_APP_BASE}/admin/rules")
await expect(page.locator("role=main").get_by_text("Firewall Rules")).to_be_visible(timeout=10_000)
async def _create_rule_via_dialog(
page: Page, *, action: str = "accept", destination: str = "10.99.0.0/16",
protocol: str = "any", port_range: str = "", user: str = "global",
):
"""Open create dialog and fill in a rule."""
await page.get_by_role("button", name="Add Rule").click()
await expect(page.get_by_text("New Firewall Rule")).to_be_visible(timeout=5_000)
# Action select
if action != "accept":
await page.locator(".q-dialog label:has-text('Action')").click()
await page.get_by_role("option", name=action).click()
# Destination
await page.locator(".q-dialog input[aria-label='Destination (CIDR)']").fill(destination)
# Protocol
if protocol != "any":
await page.locator(".q-dialog label:has-text('Protocol')").click()
await page.get_by_role("option", name=protocol).click()
# Port range
if port_range:
await page.locator(".q-dialog input[aria-label='Port Range']").fill(port_range)
# User
if user != "global":
await page.locator(".q-dialog label:has-text('Applies to')").click()
await page.get_by_role("option", name=user).click()
await page.get_by_role("button", name="Create").click()
await page.wait_for_timeout(500)
async def test_list_rules_table(page: Page, test_user: User):
"""Rules page renders table with correct columns."""
# Seed a rule in DB
async with async_session() as session:
rule = Rule(action="accept", destination="10.99.0.0/16", port_type="tcp",
port_range="443", user_id=test_user.id)
session.add(rule)
await session.commit()
await _go_to_rules(page)
await expect(page.get_by_role("cell", name="accept")).to_be_visible(timeout=5_000)
await expect(page.get_by_role("cell", name="10.99.0.0/16")).to_be_visible()
await expect(page.get_by_role("cell", name="tcp")).to_be_visible()
await expect(page.get_by_role("cell", name="443")).to_be_visible()
await expect(page.get_by_role("cell", name=TEST_EMAIL)).to_be_visible()
async def test_create_accept_rule_with_cidr(page: Page, test_user: User):
"""Create an accept rule with CIDR — verify in table and DB."""
await _go_to_rules(page)
await _create_rule_via_dialog(page, action="accept", destination="10.88.0.0/16")
await expect(page.get_by_role("cell", name="10.88.0.0/16")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
result = await session.execute(select(Rule).where(Rule.destination == "10.88.0.0/16"))
rule = result.scalar_one()
assert rule.action == "accept"
assert rule.port_type is None
assert rule.port_range is None
assert rule.user_id is None
async def test_create_drop_rule_with_tcp_port_range(page: Page, test_user: User):
"""Create a drop rule with TCP port range — verify in table and DB."""
await _go_to_rules(page)
await _create_rule_via_dialog(
page, action="drop", destination="10.77.0.0/16",
protocol="tcp", port_range="80-443",
)
await expect(page.get_by_role("cell", name="10.77.0.0/16")).to_be_visible(timeout=5_000)
await expect(page.get_by_role("cell", name="drop").first).to_be_visible()
# Verify in DB
async with async_session() as session:
result = await session.execute(select(Rule).where(Rule.destination == "10.77.0.0/16"))
rule = result.scalar_one()
assert rule.action == "drop"
assert rule.port_type == "tcp"
assert rule.port_range == "80-443"
async def test_create_global_rule(page: Page, test_user: User):
"""Create a global rule (no user) — shows 'Global' in table and DB has null user_id."""
await _go_to_rules(page)
await _create_rule_via_dialog(page, destination="10.66.0.0/16", user="global")
await expect(page.get_by_role("cell", name="10.66.0.0/16")).to_be_visible(timeout=5_000)
await expect(page.get_by_role("cell", name="Global")).to_be_visible()
# Verify in DB
async with async_session() as session:
result = await session.execute(select(Rule).where(Rule.destination == "10.66.0.0/16"))
rule = result.scalar_one()
assert rule.user_id is None
async def test_edit_rule_action(page: Page, test_user: User):
"""Edit rule action from accept to drop — verify in table and DB."""
async with async_session() as session:
rule = Rule(action="accept", destination="10.55.0.0/16")
session.add(rule)
await session.commit()
rule_id = rule.id
await _go_to_rules(page)
await expect(page.get_by_role("cell", name="10.55.0.0/16")).to_be_visible(timeout=5_000)
# Click edit (first button in the row)
row = page.locator("tr", has_text="10.55.0.0/16")
await row.locator(".q-btn").first.click()
await expect(page.get_by_text("Edit Firewall Rule")).to_be_visible(timeout=5_000)
# Change action to drop
await page.locator(".q-dialog label:has-text('Action')").click()
await page.get_by_role("option", name="drop").click()
await page.get_by_role("button", name="Save").click()
await expect(page.get_by_text("Rule updated")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
rule = await session.get(Rule, rule_id)
assert rule.action == "drop"
async def test_edit_rule_destination(page: Page, test_user: User):
"""Edit rule destination — verify in table and DB."""
async with async_session() as session:
rule = Rule(action="accept", destination="10.99.0.0/16")
session.add(rule)
await session.commit()
rule_id = rule.id
await _go_to_rules(page)
await expect(page.get_by_role("cell", name="10.99.0.0/16")).to_be_visible(timeout=5_000)
row = page.locator("tr", has_text="10.99.0.0/16")
await row.locator(".q-btn").first.click()
await expect(page.get_by_text("Edit Firewall Rule")).to_be_visible(timeout=5_000)
dest_input = page.locator(".q-dialog input[aria-label='Destination (CIDR)']")
await dest_input.clear()
await dest_input.fill("10.88.0.0/16")
await page.get_by_role("button", name="Save").click()
await expect(page.get_by_text("Rule updated")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
rule = await session.get(Rule, rule_id)
assert rule.destination == "10.88.0.0/16"
async def test_delete_rule(page: Page, test_user: User):
"""Delete a rule — removed from table and DB."""
async with async_session() as session:
rule = Rule(action="accept", destination="10.99.0.0/16")
session.add(rule)
await session.commit()
rule_id = rule.id
await _go_to_rules(page)
await expect(page.get_by_role("cell", name="10.99.0.0/16")).to_be_visible(timeout=5_000)
# Click delete (second button in the row)
row = page.locator("tr", has_text="10.99.0.0/16")
await row.locator(".q-btn").nth(1).click()
await page.wait_for_timeout(1000)
await expect(page.get_by_role("cell", name="10.99.0.0/16")).not_to_be_visible()
# Verify in DB
async with async_session() as session:
rule = await session.get(Rule, rule_id)
assert rule is None

281
tests/e2e/test_admin_settings.py Normal file
View file

@ -0,0 +1,281 @@
"""E2E tests for admin settings page — client defaults, security, OIDC/SAML providers."""
import pytest_asyncio
from playwright.async_api import Page, expect
from sqlmodel import select
from wiregui.db import async_session
from wiregui.models.configuration import Configuration
from wiregui.models.user import User
from tests.e2e.conftest import TEST_APP_BASE, login
@pytest_asyncio.fixture(autouse=True)
async def reset_config(app_server):
"""Snapshot config before test, restore after."""
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
if not c:
yield
return
snap = {
"default_client_endpoint": c.default_client_endpoint,
"default_client_dns": list(c.default_client_dns),
"default_client_mtu": c.default_client_mtu,
"default_client_persistent_keepalive": c.default_client_persistent_keepalive,
"default_client_allowed_ips": list(c.default_client_allowed_ips),
"vpn_session_duration": c.vpn_session_duration,
"local_auth_enabled": c.local_auth_enabled,
"allow_unprivileged_device_management": c.allow_unprivileged_device_management,
"allow_unprivileged_device_configuration": c.allow_unprivileged_device_configuration,
"openid_connect_providers": list(c.openid_connect_providers or []),
"saml_identity_providers": list(c.saml_identity_providers or []),
}
cid = c.id
yield
async with async_session() as session:
c = await session.get(Configuration, cid)
if c:
for k, v in snap.items():
setattr(c, k, v)
session.add(c)
await session.commit()
async def _go_to_settings(page: Page):
await login(page)
await expect(page.get_by_text("My Devices")).to_be_visible(timeout=10_000)
await page.goto(f"{TEST_APP_BASE}/admin/settings")
await expect(page.get_by_text("Default Client Configuration")).to_be_visible(timeout=10_000)
# --- Client Defaults ---
async def test_save_client_defaults(page: Page, test_user: User):
"""Save endpoint, DNS, MTU, keepalive, allowed IPs — verify persists in DB."""
await _go_to_settings(page)
endpoint = page.locator("input[aria-label='Endpoint']")
await endpoint.clear()
await endpoint.fill("vpn.test.local")
dns = page.locator("input[aria-label='DNS Servers']")
await dns.clear()
await dns.fill("9.9.9.9, 149.112.112.112")
mtu = page.locator("input[aria-label='MTU']")
await mtu.clear()
await mtu.fill("1420")
keepalive = page.locator("input[aria-label='Persistent Keepalive']")
await keepalive.clear()
await keepalive.fill("30")
allowed = page.locator("input[aria-label='Allowed IPs']")
await allowed.clear()
await allowed.fill("10.0.0.0/8, 192.168.0.0/16")
await page.get_by_role("button", name="Save Defaults").click()
await expect(page.get_by_text("Client defaults saved")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
assert c.default_client_endpoint == "vpn.test.local"
assert c.default_client_dns == ["9.9.9.9", "149.112.112.112"]
assert c.default_client_mtu == 1420
assert c.default_client_persistent_keepalive == 30
assert c.default_client_allowed_ips == ["10.0.0.0/8", "192.168.0.0/16"]
async def test_client_defaults_persist_on_reload(page: Page, test_user: User):
"""Saved defaults are reflected after page reload."""
# Set values via DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
c.default_client_endpoint = "reload-test.vpn"
c.default_client_dns = ["8.8.8.8"]
c.default_client_mtu = 1500
c.default_client_persistent_keepalive = 15
c.default_client_allowed_ips = ["172.16.0.0/12"]
session.add(c)
await session.commit()
await _go_to_settings(page)
await expect(page.locator("input[aria-label='Endpoint']")).to_have_value("reload-test.vpn")
await expect(page.locator("input[aria-label='DNS Servers']")).to_have_value("8.8.8.8")
await expect(page.locator("input[aria-label='MTU']")).to_have_value("1500")
await expect(page.locator("input[aria-label='Persistent Keepalive']")).to_have_value("15")
await expect(page.locator("input[aria-label='Allowed IPs']")).to_have_value("172.16.0.0/12")
# --- Security ---
async def test_save_security_local_auth_toggle(page: Page, test_user: User):
"""Toggle local auth off — verify in DB."""
await _go_to_settings(page)
# Find the local auth switch and toggle it off
switch = page.locator(".q-toggle", has_text="Local Authentication")
await switch.click()
await page.get_by_role("button", name="Save Security Settings").click()
await expect(page.get_by_text("Security settings saved")).to_be_visible(timeout=5_000)
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
assert c.local_auth_enabled is False
async def test_save_vpn_session_duration(page: Page, test_user: User):
"""Change VPN session duration — verify in DB."""
await _go_to_settings(page)
await page.locator("label:has-text('VPN Session Duration')").click()
await page.get_by_role("option", name="Every Day").click()
await page.get_by_role("button", name="Save Security Settings").click()
await expect(page.get_by_text("Security settings saved")).to_be_visible(timeout=5_000)
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
assert c.vpn_session_duration == 86400
async def test_save_unprivileged_toggles(page: Page, test_user: User):
"""Toggle unprivileged device management/configuration — verify in DB."""
await _go_to_settings(page)
await page.locator(".q-toggle", has_text="Allow Unprivileged Device Management").click()
await page.locator(".q-toggle", has_text="Allow Unprivileged Device Configuration").click()
await page.get_by_role("button", name="Save Security Settings").click()
await expect(page.get_by_text("Security settings saved")).to_be_visible(timeout=5_000)
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
# Toggled from default (True) to False
assert c.allow_unprivileged_device_management is False
assert c.allow_unprivileged_device_configuration is False
# --- OIDC Providers ---
async def test_add_oidc_provider(page: Page, test_user: User):
"""Add an OIDC provider — appears in table and DB."""
await _go_to_settings(page)
await page.get_by_role("button", name="Add OIDC Provider").click()
await expect(page.get_by_text("OIDC Provider", exact=True)).to_be_visible(timeout=5_000)
await page.locator(".q-dialog input[aria-label='Config ID']").fill("e2e-test-oidc")
await page.locator(".q-dialog input[aria-label='Label']").fill("E2E Test IdP")
await page.locator(".q-dialog input[aria-label='Client ID']").fill("test-client-id")
await page.locator(".q-dialog input[aria-label='Client Secret']").fill("test-client-secret")
await page.locator(".q-dialog input[aria-label='Discovery Document URI']").fill("https://idp.test/.well-known/openid-configuration")
await page.locator(".q-dialog").get_by_role("button", name="Save").click()
await expect(page.get_by_text("OIDC provider 'E2E Test IdP' saved")).to_be_visible(timeout=5_000)
await expect(page.get_by_role("cell", name="e2e-test-oidc")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
provider = next((p for p in c.openid_connect_providers if p["id"] == "e2e-test-oidc"), None)
assert provider is not None
assert provider["label"] == "E2E Test IdP"
assert provider["client_id"] == "test-client-id"
async def test_delete_oidc_provider(page: Page, test_user: User):
"""Delete an OIDC provider — removed from table and DB."""
# Seed a provider
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
providers = list(c.openid_connect_providers or [])
providers.append({
"id": "delete-me-oidc", "label": "Delete Me", "scope": "openid",
"client_id": "x", "client_secret": "x",
"discovery_document_uri": "https://x/.well-known/openid-configuration",
})
c.openid_connect_providers = providers
session.add(c)
await session.commit()
await _go_to_settings(page)
await expect(page.get_by_role("cell", name="delete-me-oidc")).to_be_visible(timeout=5_000)
row = page.locator("tr", has_text="delete-me-oidc")
await row.locator(".q-btn").first.click()
await expect(page.get_by_text("OIDC provider deleted")).to_be_visible(timeout=5_000)
await page.wait_for_timeout(500)
await expect(page.get_by_role("cell", name="delete-me-oidc")).not_to_be_visible()
# Verify in DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
assert not any(p["id"] == "delete-me-oidc" for p in c.openid_connect_providers)
# --- SAML Providers ---
async def test_add_saml_provider(page: Page, test_user: User):
"""Add a SAML provider — appears in table and DB."""
await _go_to_settings(page)
await page.get_by_role("button", name="Add SAML Provider").click()
await expect(page.get_by_text("SAML Identity Provider", exact=True)).to_be_visible(timeout=5_000)
await page.locator(".q-dialog input[aria-label='Config ID']").fill("e2e-test-saml")
await page.locator(".q-dialog input[aria-label='Label']").fill("E2E SAML IdP")
await page.locator(".q-dialog textarea").fill("<EntityDescriptor>test</EntityDescriptor>")
await page.locator(".q-dialog").get_by_role("button", name="Save").click()
await expect(page.get_by_text("SAML provider 'E2E SAML IdP' saved")).to_be_visible(timeout=5_000)
await expect(page.get_by_role("cell", name="e2e-test-saml")).to_be_visible(timeout=5_000)
# Verify in DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
provider = next((p for p in c.saml_identity_providers if p["id"] == "e2e-test-saml"), None)
assert provider is not None
assert provider["label"] == "E2E SAML IdP"
async def test_delete_saml_provider(page: Page, test_user: User):
"""Delete a SAML provider — removed from table and DB."""
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
providers = list(c.saml_identity_providers or [])
providers.append({
"id": "delete-me-saml", "label": "Delete Me SAML",
"metadata": "<EntityDescriptor/>",
})
c.saml_identity_providers = providers
session.add(c)
await session.commit()
await _go_to_settings(page)
await expect(page.get_by_role("cell", name="delete-me-saml")).to_be_visible(timeout=5_000)
row = page.locator("tr", has_text="delete-me-saml")
await row.locator(".q-btn").first.click()
await expect(page.get_by_text("SAML provider deleted")).to_be_visible(timeout=5_000)
await page.wait_for_timeout(500)
await expect(page.get_by_role("cell", name="delete-me-saml")).not_to_be_visible()
# Verify in DB
async with async_session() as session:
c = (await session.execute(select(Configuration).limit(1))).scalar_one()
assert not any(p["id"] == "delete-me-saml" for p in c.saml_identity_providers)

3
tests/e2e/test_idp_seed.py
View file

@ -22,7 +22,8 @@ from wiregui.models.configuration import Configuration
from tests.e2e.conftest import FAKE_SERVER_KEY from tests.e2e.conftest import FAKE_SERVER_KEY
MOCK_OIDC_DISCOVERY = "http://localhost:9000/test-idp/.well-known/openid-configuration" MOCK_OIDC_HOST = os.environ.get("MOCK_OIDC_HOST", "localhost")
MOCK_OIDC_DISCOVERY = f"http://{MOCK_OIDC_HOST}:9000/test-idp/.well-known/openid-configuration"
# Separate port for the IdP-seeded app instance # Separate port for the IdP-seeded app instance
IDP_APP_PORT = 13002 IDP_APP_PORT = 13002

41
tests/e2e/test_magic_link_page.py Normal file
View file

@ -0,0 +1,41 @@
"""E2E tests for magic link request page."""
from playwright.async_api import Page, expect
from tests.e2e.conftest import TEST_APP_BASE, TEST_EMAIL
from wiregui.models.user import User
async def test_magic_link_page_renders(page: Page, test_user: User):
"""Magic link request page renders with email input and submit button."""
await page.goto(f"{TEST_APP_BASE}/auth/magic-link")
await page.wait_for_load_state("networkidle")
await expect(page.get_by_text("Sign in with magic link")).to_be_visible(timeout=10_000)
await expect(page.locator("input[aria-label='Email']")).to_be_visible()
await expect(page.get_by_role("button", name="Send Magic Link")).to_be_visible()
await expect(page.get_by_role("button", name="Back to login")).to_be_visible()
async def test_magic_link_shows_success_on_submit(page: Page, test_user: User):
"""Submitting an email shows success message (regardless of whether account exists)."""
await page.goto(f"{TEST_APP_BASE}/auth/magic-link")
await page.wait_for_load_state("networkidle")
await page.locator("input[aria-label='Email']").fill(TEST_EMAIL)
await page.get_by_role("button", name="Send Magic Link").click()
await expect(page.get_by_text("a sign-in link has been sent")).to_be_visible(timeout=5_000)
async def test_magic_link_empty_email_shows_error(page: Page, test_user: User):
"""Submitting without email shows error."""
await page.goto(f"{TEST_APP_BASE}/auth/magic-link")
await page.wait_for_load_state("networkidle")
await page.get_by_role("button", name="Send Magic Link").click()
await expect(page.get_by_text("Enter your email")).to_be_visible(timeout=5_000)
async def test_magic_link_back_to_login(page: Page, test_user: User):
"""Back to login button navigates to login page."""
await page.goto(f"{TEST_APP_BASE}/auth/magic-link")
await page.wait_for_load_state("networkidle")
await page.get_by_role("button", name="Back to login").click()
await expect(page.get_by_role("button", name="Sign in", exact=True)).to_be_visible(timeout=10_000)

111
tests/e2e/test_mfa_login.py Normal file
View file

@ -0,0 +1,111 @@
"""E2E tests for MFA login flow — login with TOTP redirects to /mfa challenge page."""
import pyotp
import pytest_asyncio
from playwright.async_api import Page, expect
from wiregui.auth.mfa import generate_totp_secret
from wiregui.auth.passwords import hash_password
from wiregui.db import async_session
from wiregui.models.mfa_method import MFAMethod
from wiregui.models.user import User
from tests.e2e.conftest import (
FAKE_SERVER_KEY,
TEST_APP_BASE,
TEST_PASSWORD,
_cleanup_user_by_email,
)
MFA_EMAIL = "e2e-mfa@example.com"
MFA_PASSWORD = "mfapass123"
TOTP_SECRET = generate_totp_secret()
@pytest_asyncio.fixture
async def mfa_user(app_server):
"""Create a user with a TOTP MFA method, clean up after."""
await _cleanup_user_by_email(MFA_EMAIL)
async with async_session() as session:
from sqlmodel import select
from wiregui.models.configuration import Configuration
config = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
if config:
if not config.server_public_key:
config.server_public_key = FAKE_SERVER_KEY
session.add(config)
else:
config = Configuration(server_public_key=FAKE_SERVER_KEY)
session.add(config)
user = User(
email=MFA_EMAIL,
password_hash=hash_password(MFA_PASSWORD),
role="admin",
)
session.add(user)
await session.commit()
await session.refresh(user)
mfa = MFAMethod(
name="Test TOTP",
type="totp",
payload={"secret": TOTP_SECRET},
user_id=user.id,
)
session.add(mfa)
await session.commit()
yield user
await _cleanup_user_by_email(MFA_EMAIL)
async def _login_mfa_user(page: Page):
"""Fill login form for the MFA user and submit."""
await page.goto(f"{TEST_APP_BASE}/login")
await page.wait_for_load_state("networkidle")
await page.locator("input[aria-label='Email']").fill(MFA_EMAIL)
await page.locator("input[aria-label='Password']").fill(MFA_PASSWORD)
await page.get_by_role("button", name="Sign in", exact=True).click()
async def test_mfa_login_redirects_to_challenge(page: Page, mfa_user: User):
"""Login with MFA-enabled user redirects to /mfa challenge page."""
await _login_mfa_user(page)
await expect(page.get_by_text("Two-Factor Authentication")).to_be_visible(timeout=10_000)
await expect(page.locator("input[aria-label='Authentication Code']")).to_be_visible()
async def test_mfa_valid_totp_completes_login(page: Page, mfa_user: User):
"""Entering a valid TOTP code on /mfa completes login."""
await _login_mfa_user(page)
await expect(page.get_by_text("Two-Factor Authentication")).to_be_visible(timeout=10_000)
code = pyotp.TOTP(TOTP_SECRET).now()
await page.locator("input[aria-label='Authentication Code']").fill(code)
await page.get_by_role("button", name="Verify").click()
await expect(page.get_by_text("My Devices")).to_be_visible(timeout=10_000)
async def test_mfa_invalid_code_shows_error(page: Page, mfa_user: User):
"""Entering an invalid TOTP code shows error and stays on /mfa."""
await _login_mfa_user(page)
await expect(page.get_by_text("Two-Factor Authentication")).to_be_visible(timeout=10_000)
await page.locator("input[aria-label='Authentication Code']").fill("000000")
await page.get_by_role("button", name="Verify").click()
await expect(page.get_by_text("Invalid code")).to_be_visible(timeout=5_000)
await expect(page.get_by_text("Two-Factor Authentication")).to_be_visible()
async def test_mfa_cancel_returns_to_login(page: Page, mfa_user: User):
"""Clicking Cancel on /mfa clears session and returns to login."""
await _login_mfa_user(page)
await expect(page.get_by_text("Two-Factor Authentication")).to_be_visible(timeout=10_000)
await page.get_by_role("button", name="Cancel").click()
await expect(page.get_by_role("button", name="Sign in", exact=True)).to_be_visible(timeout=10_000)

179
tests/e2e/test_saml_login.py Normal file
View file

@ -0,0 +1,179 @@
"""E2E tests for SAML authentication — mock SimpleSAMLphp IdP.
Requires mock-saml service running (docker compose up -d mock-saml).
IdP metadata: http://localhost:8080/simplesaml/saml2/idp/metadata.php
Test users: user1/user1pass, user2/user2pass
"""
import os
import subprocess
import time
import httpx
import pytest
import pytest_asyncio
from playwright.async_api import Page, expect
from sqlmodel import select
from wiregui.db import async_session
from wiregui.models.configuration import Configuration
from wiregui.models.user import User
from tests.e2e.conftest import FAKE_SERVER_KEY, _cleanup_user_by_email
MOCK_SAML_HOST = os.environ.get("MOCK_SAML_HOST", "localhost")
MOCK_SAML_METADATA_URL = f"http://{MOCK_SAML_HOST}:8080/simplesaml/saml2/idp/metadata.php"
# Separate app port for SAML tests (like OIDC IdP tests)
SAML_APP_PORT = 13003
SAML_APP_BASE = f"http://localhost:{SAML_APP_PORT}"
SAML_TEST_EMAIL = "user1@example.com"
def _fetch_idp_metadata() -> str:
"""Fetch IdP metadata XML from the mock SAML server."""
try:
r = httpx.get(MOCK_SAML_METADATA_URL, timeout=5)
r.raise_for_status()
return r.text
except Exception:
pytest.skip(f"Mock SAML IdP not available at {MOCK_SAML_METADATA_URL}")
def _saml_provider_config(metadata: str) -> dict:
return {
"id": "test-saml",
"label": "Sign in with Mock SAML",
"metadata": metadata,
"sign_requests": False,
"sign_metadata": False,
"signed_assertion_in_resp": False,
"signed_envelopes_in_resp": False,
"auto_create_users": True,
"strict": False, # Relaxed for test IdP with expired certs
}
@pytest_asyncio.fixture(scope="module")
async def saml_metadata():
return _fetch_idp_metadata()
@pytest.fixture(scope="module")
def app_with_saml(saml_metadata):
"""Start a WireGUI instance with a SAML provider seeded in the DB."""
import asyncio
# Seed the SAML provider config into the database
async def _seed():
async with async_session() as session:
config = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
if config is None:
config = Configuration(server_public_key=FAKE_SERVER_KEY)
session.add(config)
await session.flush()
providers = list(config.saml_identity_providers or [])
providers = [p for p in providers if p.get("id") != "test-saml"]
providers.append(_saml_provider_config(saml_metadata))
config.saml_identity_providers = providers
session.add(config)
await session.commit()
asyncio.get_event_loop().run_until_complete(_seed())
env = os.environ.copy()
env["WG_LOG_TO_FILE"] = "false"
env["WG_PORT"] = str(SAML_APP_PORT)
env["WG_EXTERNAL_URL"] = SAML_APP_BASE
env.pop("PYTEST_CURRENT_TEST", None)
env.pop("NICEGUI_SCREEN_TEST_PORT", None)
proc = subprocess.Popen(
["uv", "run", "python", "-m", "wiregui.main"],
env=env,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
for _ in range(30):
try:
r = httpx.get(f"{SAML_APP_BASE}/api/health", timeout=1)
if r.status_code == 200:
break
except Exception:
pass
time.sleep(1)
else:
proc.kill()
out = proc.stdout.read().decode() if proc.stdout else ""
pytest.fail(f"App did not start in time. Output:\n{out}")
yield proc
proc.terminate()
proc.wait(timeout=10)
# Clean up seeded provider and test user
async def _cleanup():
await _cleanup_user_by_email(SAML_TEST_EMAIL)
async with async_session() as session:
config = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
if config:
config.saml_identity_providers = [
p for p in (config.saml_identity_providers or []) if p.get("id") != "test-saml"
]
session.add(config)
await session.commit()
asyncio.get_event_loop().run_until_complete(_cleanup())
async def test_saml_button_visible_on_login(app_with_saml, page: Page):
"""Login page shows SAML provider button."""
await page.goto(f"{SAML_APP_BASE}/login")
await page.wait_for_load_state("networkidle")
await expect(page.get_by_text("Sign in with Mock SAML")).to_be_visible(timeout=10_000)
@pytest.mark.skipif(os.environ.get("CI") == "true", reason="Chromium cannot resolve Docker service hostnames in CI")
async def test_saml_redirect_to_idp(app_with_saml, page: Page):
"""Clicking SAML login redirects to the SimpleSAMLphp IdP login page."""
await page.goto(f"{SAML_APP_BASE}/auth/saml/test-saml")
# Should redirect to the SimpleSAMLphp SSO service
await page.wait_for_url(f"**{MOCK_SAML_HOST}:8080/simplesaml/**", timeout=30_000)
async def test_saml_sp_metadata_endpoint(app_with_saml, page: Page):
"""SP metadata endpoint returns valid XML."""
response = await page.request.get(f"{SAML_APP_BASE}/auth/saml/test-saml/metadata")
assert response.status == 200
body = await response.text()
assert "EntityDescriptor" in body
assert "AssertionConsumerService" in body
@pytest.mark.skipif(os.environ.get("CI") == "true", reason="Chromium cannot resolve Docker service hostnames in CI")
async def test_full_saml_login_flow(app_with_saml, page: Page):
"""Full SAML SSO flow: app → IdP login → callback → authenticated."""
await page.goto(f"{SAML_APP_BASE}/auth/saml/test-saml")
await page.wait_for_url(f"**{MOCK_SAML_HOST}:8080/simplesaml/**", timeout=30_000)
# SimpleSAMLphp login form
await page.locator("input[name='username']").fill("user1")
await page.locator("input[name='password']").fill("password")
await page.locator("button[type='submit'], input[type='submit']").first.click()
# Should redirect back to the app after SAML response
await page.wait_for_url(f"{SAML_APP_BASE}/**", timeout=15_000)
await page.wait_for_load_state("networkidle")
await page.wait_for_timeout(3000)
assert "/login" not in page.url, f"SAML login failed — still on login page: {page.url}"
# Verify user was auto-created in DB
async with async_session() as session:
result = await session.execute(select(User).where(User.email == SAML_TEST_EMAIL))
user = result.scalar_one_or_none()
assert user is not None, f"Expected user {SAML_TEST_EMAIL} to be auto-created"
assert user.last_signed_in_method == "saml:test-saml"

0
tests/integration/__init__.py Normal file
View file

156
tests/integration/test_metrics_pipeline.py Normal file
View file

@ -0,0 +1,156 @@
"""Integration test: verify metrics flow from WG clients → collector → VictoriaMetrics.
Requires the full integration stack running: make test-stack-up
Run with: make test-stack-verify (or: uv run pytest tests/integration/ -v)
"""
import os
import time
import httpx
import pytest
VM_URL = os.environ.get("WG_VICTORIAMETRICS_URL", "http://localhost:8428")
WIREGUI_URL = os.environ.get("WG_EXTERNAL_URL", "http://localhost:13000")
EXPECTED_CLIENTS = ["test-client-1", "test-client-2", "test-client-3"]
# Wait up to this long for metrics to appear (collector runs every 5s)
MAX_WAIT = 60
POLL_INTERVAL = 5
def _vm_query(query: str) -> dict:
"""Execute an instant query against VictoriaMetrics."""
resp = httpx.get(f"{VM_URL}/api/v1/query", params={"query": query}, timeout=5)
resp.raise_for_status()
return resp.json()
def _vm_series(metric: str) -> list[dict]:
"""Get all series for a metric from VictoriaMetrics."""
resp = httpx.get(f"{VM_URL}/api/v1/series", params={"match[]": metric}, timeout=5)
resp.raise_for_status()
return resp.json().get("data", [])
@pytest.fixture(scope="module", autouse=True)
def check_stack_running():
"""Skip all tests if the integration stack isn't running."""
try:
r = httpx.get(f"{WIREGUI_URL}/api/health", timeout=3)
if r.status_code != 200:
pytest.skip("WireGUI not running")
except httpx.HTTPError:
pytest.skip("WireGUI not running — start with: make test-stack-up")
try:
r = httpx.get(f"{VM_URL}/health", timeout=3)
if r.status_code != 200:
pytest.skip("VictoriaMetrics not running")
except httpx.HTTPError:
pytest.skip("VictoriaMetrics not running — start with: make test-stack-up")
@pytest.fixture(scope="module")
def wait_for_metrics():
"""Wait until at least one peer metric appears in VictoriaMetrics."""
deadline = time.time() + MAX_WAIT
while time.time() < deadline:
result = _vm_query("wiregui_peers_total")
data = result.get("data", {}).get("result", [])
if data and float(data[0].get("value", [0, "0"])[1]) > 0:
return
time.sleep(POLL_INTERVAL)
pytest.fail(f"No metrics appeared in VictoriaMetrics after {MAX_WAIT}s")
def test_peers_total(wait_for_metrics):
"""wiregui_peers_total reports at least 1 active peer."""
result = _vm_query("wiregui_peers_total")
data = result["data"]["result"]
assert len(data) > 0
value = float(data[0]["value"][1])
assert value >= 1, f"Expected at least 1 peer, got {value}"
def test_rx_bytes_per_client(wait_for_metrics):
"""Each client has wiregui_peer_rx_bytes > 0."""
series = _vm_series("wiregui_peer_rx_bytes")
device_names = {s.get("device_name") for s in series}
for client in EXPECTED_CLIENTS:
assert client in device_names, (
f"Missing rx_bytes metric for '{client}'. "
f"Found: {device_names}"
)
# Verify values are non-zero (traffic is flowing)
for client in EXPECTED_CLIENTS:
result = _vm_query(f'wiregui_peer_rx_bytes{{device_name="{client}"}}')
data = result["data"]["result"]
assert len(data) > 0, f"No rx_bytes data for {client}"
value = float(data[0]["value"][1])
assert value > 0, f"rx_bytes for {client} is 0 — no traffic?"
def test_tx_bytes_per_client(wait_for_metrics):
"""Each client has wiregui_peer_tx_bytes > 0."""
for client in EXPECTED_CLIENTS:
result = _vm_query(f'wiregui_peer_tx_bytes{{device_name="{client}"}}')
data = result["data"]["result"]
assert len(data) > 0, f"No tx_bytes data for {client}"
value = float(data[0]["value"][1])
assert value > 0, f"tx_bytes for {client} is 0 — no traffic?"
def test_handshake_per_client(wait_for_metrics):
"""Each client has a recent handshake timestamp."""
now = time.time()
for client in EXPECTED_CLIENTS:
result = _vm_query(f'wiregui_peer_latest_handshake_seconds{{device_name="{client}"}}')
data = result["data"]["result"]
assert len(data) > 0, f"No handshake data for {client}"
ts = float(data[0]["value"][1])
assert ts > 0, f"Handshake timestamp for {client} is 0"
age = now - ts
assert age < 300, f"Handshake for {client} is {age:.0f}s old (stale?)"
def test_connected_status_per_client(wait_for_metrics):
"""Each client reports wiregui_peer_connected = 1."""
for client in EXPECTED_CLIENTS:
result = _vm_query(f'wiregui_peer_connected{{device_name="{client}"}}')
data = result["data"]["result"]
assert len(data) > 0, f"No connected status for {client}"
value = int(float(data[0]["value"][1]))
assert value == 1, f"Client {client} not connected (wiregui_peer_connected={value})"
def test_db_devices_have_stats():
"""Verify device rows in PostgreSQL also have updated stats."""
import asyncio
from sqlmodel import select
from wiregui.db import async_session, engine
from wiregui.models.device import Device
async def check():
async with async_session() as session:
result = await session.execute(
select(Device).where(Device.name.in_(EXPECTED_CLIENTS))
)
devices = result.scalars().all()
assert len(devices) == len(EXPECTED_CLIENTS), (
f"Expected {len(EXPECTED_CLIENTS)} devices, found {len(devices)}"
)
for device in devices:
assert device.latest_handshake is not None, (
f"Device {device.name} has no handshake in DB"
)
assert device.rx_bytes is not None and device.rx_bytes > 0, (
f"Device {device.name} has no rx_bytes in DB"
)
await engine.dispose()
asyncio.run(check())

161
tests/test_account.py
View file

@ -1,161 +0,0 @@
"""Tests for account functionality — password changes, API tokens, OIDC connections."""
import hashlib
from datetime import timedelta
from sqlmodel import func, select
from wiregui.auth.api_token import generate_api_token
from wiregui.auth.passwords import hash_password, verify_password
from wiregui.models.api_token import ApiToken
from wiregui.models.oidc_connection import OIDCConnection
from wiregui.models.user import User
from wiregui.utils.time import utcnow
# --- Password change ---
async def test_password_change_flow(session):
"""Simulate the password change flow: verify old, set new."""
user = User(email="pw-change@example.com", password_hash=hash_password("old-password"))
session.add(user)
await session.flush()
# Verify old password
assert verify_password("old-password", user.password_hash) is True
# Change password
user.password_hash = hash_password("new-password")
session.add(user)
await session.flush()
fetched = await session.get(User, user.id)
assert verify_password("new-password", fetched.password_hash) is True
assert verify_password("old-password", fetched.password_hash) is False
async def test_password_change_wrong_current(session):
"""Wrong current password should not allow change."""
user = User(email="pw-wrong@example.com", password_hash=hash_password("correct"))
session.add(user)
await session.flush()
# Simulate check
assert verify_password("wrong", user.password_hash) is False
# --- API token management ---
async def test_create_multiple_tokens(session):
user = User(email="multi-token@example.com")
session.add(user)
await session.flush()
for _ in range(3):
_, token_hash = generate_api_token()
session.add(ApiToken(token_hash=token_hash, user_id=user.id))
await session.flush()
count = (await session.execute(
select(func.count()).select_from(ApiToken).where(ApiToken.user_id == user.id)
)).scalar()
assert count == 3
async def test_token_with_expiry(session):
user = User(email="expiry-token@example.com")
session.add(user)
await session.flush()
_, token_hash = generate_api_token()
expires = utcnow() + timedelta(days=30)
token = ApiToken(token_hash=token_hash, expires_at=expires, user_id=user.id)
session.add(token)
await session.flush()
fetched = await session.get(ApiToken, token.id)
assert fetched.expires_at is not None
assert fetched.expires_at > utcnow()
async def test_delete_token(session):
user = User(email="del-token@example.com")
session.add(user)
await session.flush()
_, token_hash = generate_api_token()
token = ApiToken(token_hash=token_hash, user_id=user.id)
session.add(token)
await session.flush()
await session.delete(token)
await session.flush()
assert await session.get(ApiToken, token.id) is None
# --- OIDC connections ---
async def test_oidc_connection_create(session):
user = User(email="oidc-conn@example.com")
session.add(user)
await session.flush()
conn = OIDCConnection(
provider="google",
refresh_token="refresh-tok-123",
refresh_response={"access_token": "at", "token_type": "Bearer"},
refreshed_at=utcnow(),
user_id=user.id,
)
session.add(conn)
await session.flush()
fetched = (await session.execute(
select(OIDCConnection).where(OIDCConnection.user_id == user.id)
)).scalar_one()
assert fetched.provider == "google"
assert fetched.refresh_token == "refresh-tok-123"
assert fetched.refresh_response["access_token"] == "at"
async def test_multiple_oidc_providers(session):
user = User(email="multi-oidc@example.com")
session.add(user)
await session.flush()
for provider in ["google", "okta", "azure"]:
conn = OIDCConnection(provider=provider, user_id=user.id)
session.add(conn)
await session.flush()
count = (await session.execute(
select(func.count()).select_from(OIDCConnection).where(OIDCConnection.user_id == user.id)
)).scalar()
assert count == 3
async def test_oidc_connection_update_refresh_token(session):
user = User(email="oidc-refresh@example.com")
session.add(user)
await session.flush()
conn = OIDCConnection(
provider="google",
refresh_token="old-token",
user_id=user.id,
)
session.add(conn)
await session.flush()
conn.refresh_token = "new-token"
conn.refreshed_at = utcnow()
session.add(conn)
await session.flush()
fetched = await session.get(OIDCConnection, conn.id)
assert fetched.refresh_token == "new-token"
assert fetched.refreshed_at is not None

283
tests/test_admin.py
View file

@ -1,283 +0,0 @@
"""Tests for admin functionality — user management, configuration, cascading deletes."""
import pytest
from sqlmodel import func, select
from wiregui.auth.passwords import hash_password, verify_password
from wiregui.models.api_token import ApiToken
from wiregui.models.configuration import Configuration
from wiregui.models.device import Device
from wiregui.models.mfa_method import MFAMethod
from wiregui.models.rule import Rule
from wiregui.models.user import User
from wiregui.utils.time import utcnow
# --- User CRUD ---
async def test_create_user_with_role(session):
user = User(email="new-admin@test.com", password_hash=hash_password("secret"), role="admin")
session.add(user)
await session.flush()
fetched = await session.get(User, user.id)
assert fetched.role == "admin"
assert verify_password("secret", fetched.password_hash)
async def test_update_user_email(session):
user = User(email="old@test.com", password_hash=hash_password("pw"))
session.add(user)
await session.flush()
user.email = "new@test.com"
session.add(user)
await session.flush()
fetched = await session.get(User, user.id)
assert fetched.email == "new@test.com"
async def test_disable_user(session):
user = User(email="active@test.com", password_hash=hash_password("pw"))
session.add(user)
await session.flush()
assert user.disabled_at is None
user.disabled_at = utcnow()
session.add(user)
await session.flush()
fetched = await session.get(User, user.id)
assert fetched.disabled_at is not None
async def test_promote_demote_user(session):
user = User(email="user@test.com", role="unprivileged")
session.add(user)
await session.flush()
assert user.role == "unprivileged"
user.role = "admin"
session.add(user)
await session.flush()
fetched = await session.get(User, user.id)
assert fetched.role == "admin"
user.role = "unprivileged"
session.add(user)
await session.flush()
assert (await session.get(User, user.id)).role == "unprivileged"
# --- Cascading delete (manual, as we do it in the admin page) ---
async def test_delete_user_cascades_devices(session):
user = User(email="cascade@test.com")
session.add(user)
await session.flush()
d1 = Device(name="d1", public_key="pk-cascade-1", ipv4="10.0.0.1", user_id=user.id)
d2 = Device(name="d2", public_key="pk-cascade-2", ipv4="10.0.0.2", user_id=user.id)
session.add_all([d1, d2])
await session.flush()
# Manually delete devices then user (matching admin page behavior)
devices = (await session.execute(select(Device).where(Device.user_id == user.id))).scalars().all()
for d in devices:
await session.delete(d)
await session.delete(user)
await session.flush()
assert (await session.execute(select(func.count()).select_from(Device).where(Device.user_id == user.id))).scalar() == 0
assert await session.get(User, user.id) is None
async def test_delete_user_cascades_rules(session):
user = User(email="rule-cascade@test.com")
session.add(user)
await session.flush()
rule = Rule(action="accept", destination="10.0.0.0/8", user_id=user.id)
session.add(rule)
await session.flush()
# Delete rules then user
rules = (await session.execute(select(Rule).where(Rule.user_id == user.id))).scalars().all()
for r in rules:
await session.delete(r)
await session.delete(user)
await session.flush()
assert (await session.execute(select(func.count()).select_from(Rule).where(Rule.user_id == user.id))).scalar() == 0
# --- Configuration singleton ---
async def test_configuration_create_and_update(session):
config = Configuration()
session.add(config)
await session.flush()
assert config.default_client_mtu == 1280
assert config.local_auth_enabled is True
config.default_client_mtu = 1400
config.local_auth_enabled = False
config.vpn_session_duration = 3600
session.add(config)
await session.flush()
fetched = await session.get(Configuration, config.id)
assert fetched.default_client_mtu == 1400
assert fetched.local_auth_enabled is False
assert fetched.vpn_session_duration == 3600
async def test_configuration_oidc_providers(session):
config = Configuration()
session.add(config)
await session.flush()
assert config.openid_connect_providers == []
providers = [
{
"id": "google",
"label": "Sign in with Google",
"scope": "openid email profile",
"response_type": "code",
"client_id": "google-client-id",
"client_secret": "google-secret",
"discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
"auto_create_users": True,
},
{
"id": "okta",
"label": "Okta SSO",
"scope": "openid email profile",
"response_type": "code",
"client_id": "okta-client-id",
"client_secret": "okta-secret",
"discovery_document_uri": "https://dev-123.okta.com/.well-known/openid-configuration",
"auto_create_users": False,
},
]
config.openid_connect_providers = providers
session.add(config)
await session.flush()
fetched = await session.get(Configuration, config.id)
assert len(fetched.openid_connect_providers) == 2
assert fetched.openid_connect_providers[0]["id"] == "google"
assert fetched.openid_connect_providers[1]["auto_create_users"] is False
async def test_configuration_update_client_defaults(session):
config = Configuration()
session.add(config)
await session.flush()
config.default_client_endpoint = "vpn.example.com"
config.default_client_dns = ["8.8.8.8", "8.8.4.4"]
config.default_client_allowed_ips = ["10.0.0.0/8"]
config.default_client_persistent_keepalive = 30
session.add(config)
await session.flush()
fetched = await session.get(Configuration, config.id)
assert fetched.default_client_endpoint == "vpn.example.com"
assert fetched.default_client_dns == ["8.8.8.8", "8.8.4.4"]
assert fetched.default_client_allowed_ips == ["10.0.0.0/8"]
assert fetched.default_client_persistent_keepalive == 30
async def test_configuration_security_toggles(session):
config = Configuration()
session.add(config)
await session.flush()
config.allow_unprivileged_device_management = False
config.allow_unprivileged_device_configuration = False
config.disable_vpn_on_oidc_error = True
session.add(config)
await session.flush()
fetched = await session.get(Configuration, config.id)
assert fetched.allow_unprivileged_device_management is False
assert fetched.allow_unprivileged_device_configuration is False
assert fetched.disable_vpn_on_oidc_error is True
# --- Device config overrides ---
async def test_device_with_custom_config(session):
user = User(email="config-user@test.com")
session.add(user)
await session.flush()
device = Device(
name="custom-config",
public_key="pk-custom-config",
user_id=user.id,
use_default_dns=False,
use_default_endpoint=False,
use_default_mtu=False,
use_default_persistent_keepalive=False,
use_default_allowed_ips=False,
dns=["8.8.8.8"],
endpoint="custom-vpn.example.com",
mtu=1400,
persistent_keepalive=15,
allowed_ips=["10.0.0.0/8", "172.16.0.0/12"],
)
session.add(device)
await session.flush()
fetched = await session.get(Device, device.id)
assert fetched.use_default_dns is False
assert fetched.dns == ["8.8.8.8"]
assert fetched.endpoint == "custom-vpn.example.com"
assert fetched.mtu == 1400
assert fetched.persistent_keepalive == 15
assert fetched.allowed_ips == ["10.0.0.0/8", "172.16.0.0/12"]
async def test_device_default_flags_are_true(session):
user = User(email="defaults@test.com")
session.add(user)
await session.flush()
device = Device(name="defaults", public_key="pk-defaults", user_id=user.id)
session.add(device)
await session.flush()
fetched = await session.get(Device, device.id)
assert fetched.use_default_allowed_ips is True
assert fetched.use_default_dns is True
assert fetched.use_default_endpoint is True
assert fetched.use_default_mtu is True
assert fetched.use_default_persistent_keepalive is True
# --- User device count ---
async def test_user_device_count_query(session):
user = User(email="count-user@test.com")
session.add(user)
await session.flush()
for i in range(3):
session.add(Device(name=f"d{i}", public_key=f"pk-count-{i}", user_id=user.id))
await session.flush()
count = (await session.execute(
select(func.count()).select_from(Device).where(Device.user_id == user.id)
)).scalar()
assert count == 3

183
tests/test_api_deps.py Normal file
View file

@ -0,0 +1,183 @@
"""Tests for API dependency injection — Bearer token auth and admin guard."""
from datetime import timedelta
import pytest
from unittest.mock import AsyncMock, MagicMock
from wiregui.auth.api_token import generate_api_token, resolve_bearer_token
from wiregui.auth.passwords import hash_password
from wiregui.models.api_token import ApiToken
from wiregui.models.user import User
from wiregui.utils.time import utcnow
# ========== resolve_bearer_token ==========
async def test_resolve_valid_token(session):
"""Valid, non-expired token resolves to user."""
plaintext, token_hash = generate_api_token()
user = User(email="api-test@test.com", password_hash=hash_password("x"), role="admin")
session.add(user)
await session.flush()
api_token = ApiToken(token_hash=token_hash, user_id=user.id, expires_at=utcnow() + timedelta(hours=1))
session.add(api_token)
await session.flush()
resolved = await resolve_bearer_token(session, plaintext)
assert resolved is not None
assert resolved.id == user.id
assert resolved.email == "api-test@test.com"
async def test_resolve_expired_token(session):
"""Expired token returns None."""
plaintext, token_hash = generate_api_token()
user = User(email="api-expired@test.com", password_hash=hash_password("x"), role="admin")
session.add(user)
await session.flush()
api_token = ApiToken(token_hash=token_hash, user_id=user.id, expires_at=utcnow() - timedelta(hours=1))
session.add(api_token)
await session.flush()
resolved = await resolve_bearer_token(session, plaintext)
assert resolved is None
async def test_resolve_invalid_token(session):
"""Nonexistent token returns None."""
resolved = await resolve_bearer_token(session, "totally-bogus-token")
assert resolved is None
async def test_resolve_token_disabled_user(session):
"""Token for disabled user returns None."""
plaintext, token_hash = generate_api_token()
user = User(
email="api-disabled@test.com", password_hash=hash_password("x"),
role="admin", disabled_at=utcnow(),
)
session.add(user)
await session.flush()
api_token = ApiToken(token_hash=token_hash, user_id=user.id, expires_at=utcnow() + timedelta(hours=1))
session.add(api_token)
await session.flush()
resolved = await resolve_bearer_token(session, plaintext)
assert resolved is None
async def test_resolve_token_no_expiry(session):
"""Token without expires_at (never expires) resolves successfully."""
plaintext, token_hash = generate_api_token()
user = User(email="api-noexp@test.com", password_hash=hash_password("x"), role="admin")
session.add(user)
await session.flush()
api_token = ApiToken(token_hash=token_hash, user_id=user.id, expires_at=None)
session.add(api_token)
await session.flush()
resolved = await resolve_bearer_token(session, plaintext)
assert resolved is not None
assert resolved.id == user.id
# ========== get_current_api_user (via FastAPI deps) ==========
async def test_get_current_api_user_missing_header():
"""Missing Authorization header raises 401."""
from fastapi import HTTPException
from wiregui.api.deps import get_current_api_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException) as exc_info:
await get_current_api_user(request, session=AsyncMock())
assert exc_info.value.status_code == 401
assert "Missing" in exc_info.value.detail
async def test_get_current_api_user_bad_scheme():
"""Non-Bearer auth scheme raises 401."""
from fastapi import HTTPException
from wiregui.api.deps import get_current_api_user
request = MagicMock()
request.headers = {"Authorization": "Basic dXNlcjpwYXNz"}
with pytest.raises(HTTPException) as exc_info:
await get_current_api_user(request, session=AsyncMock())
assert exc_info.value.status_code == 401
async def test_get_current_api_user_invalid_token(session):
"""Valid Bearer scheme but bogus token raises 401."""
from fastapi import HTTPException
from wiregui.api.deps import get_current_api_user
request = MagicMock()
request.headers = {"Authorization": "Bearer bogus-token-value"}
with pytest.raises(HTTPException) as exc_info:
await get_current_api_user(request, session=session)
assert exc_info.value.status_code == 401
assert "Invalid" in exc_info.value.detail
async def test_get_current_api_user_valid_token(session):
"""Valid Bearer token resolves to user."""
from wiregui.api.deps import get_current_api_user
plaintext, token_hash = generate_api_token()
user = User(email="api-dep-test@test.com", password_hash=hash_password("x"), role="admin")
session.add(user)
await session.flush()
api_token = ApiToken(token_hash=token_hash, user_id=user.id, expires_at=utcnow() + timedelta(hours=1))
session.add(api_token)
await session.flush()
request = MagicMock()
request.headers = {"Authorization": f"Bearer {plaintext}"}
resolved = await get_current_api_user(request, session=session)
assert resolved.id == user.id
# ========== require_admin ==========
async def test_require_admin_allows_admin():
"""Admin user passes require_admin."""
from wiregui.api.deps import require_admin
admin_user = MagicMock(spec=User)
admin_user.role = "admin"
result = await require_admin(user=admin_user)
assert result == admin_user
async def test_require_admin_rejects_unprivileged():
"""Non-admin user gets 403."""
from fastapi import HTTPException
from wiregui.api.deps import require_admin
regular_user = MagicMock(spec=User)
regular_user.role = "unprivileged"
with pytest.raises(HTTPException) as exc_info:
await require_admin(user=regular_user)
assert exc_info.value.status_code == 403
assert "Admin" in exc_info.value.detail

325
tests/test_api_routes.py
View file

@ -1,325 +0,0 @@
"""Tests for REST API routes via httpx AsyncClient against the FastAPI app."""
import hashlib
from uuid import UUID, uuid4
from fastapi import FastAPI
from fastapi.testclient import TestClient
from httpx import ASGITransport, AsyncClient
from sqlmodel import select
from wiregui.api.deps import get_current_api_user, get_db, require_admin
from wiregui.api.v0 import router as api_router
from wiregui.auth.api_token import generate_api_token
from wiregui.auth.passwords import hash_password
from wiregui.models.api_token import ApiToken
from wiregui.models.configuration import Configuration
from wiregui.models.device import Device
from wiregui.models.rule import Rule
from wiregui.models.user import User
def _build_app(session, admin_user=None, regular_user=None):
"""Build a test FastAPI app with overridden dependencies."""
test_app = FastAPI()
test_app.include_router(api_router, prefix="/api")
async def override_get_db():
yield session
test_app.dependency_overrides[get_db] = override_get_db
if admin_user:
test_app.dependency_overrides[get_current_api_user] = lambda: admin_user
test_app.dependency_overrides[require_admin] = lambda: admin_user
return test_app
async def _make_admin(session) -> User:
user = User(email="api-admin@test.com", password_hash=hash_password("pw"), role="admin")
session.add(user)
await session.flush()
return user
async def _make_user(session, email="api-user@test.com") -> User:
user = User(email=email, password_hash=hash_password("pw"), role="unprivileged")
session.add(user)
await session.flush()
return user
# ========== Users API ==========
async def test_list_users(session):
admin = await _make_admin(session)
await _make_user(session, "user1@test.com")
await _make_user(session, "user2@test.com")
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get("/api/v0/users/")
assert resp.status_code == 200
data = resp.json()
assert len(data) >= 3 # admin + 2 users
async def test_get_user(session):
admin = await _make_admin(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get(f"/api/v0/users/{admin.id}")
assert resp.status_code == 200
assert resp.json()["email"] == "api-admin@test.com"
async def test_get_user_not_found(session):
admin = await _make_admin(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get(f"/api/v0/users/{uuid4()}")
assert resp.status_code == 404
async def test_create_user(session):
admin = await _make_admin(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.post("/api/v0/users/", json={
"email": "new-api-user@test.com",
"password": "secret123",
"role": "unprivileged",
})
assert resp.status_code == 201
data = resp.json()
assert data["email"] == "new-api-user@test.com"
assert data["role"] == "unprivileged"
assert "id" in data
async def test_update_user(session):
admin = await _make_admin(session)
user = await _make_user(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.put(f"/api/v0/users/{user.id}", json={
"role": "admin",
})
assert resp.status_code == 200
assert resp.json()["role"] == "admin"
async def test_update_user_password(session):
admin = await _make_admin(session)
user = await _make_user(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.put(f"/api/v0/users/{user.id}", json={
"password": "new-password-123",
})
assert resp.status_code == 200
from wiregui.auth.passwords import verify_password
refreshed = await session.get(User, user.id)
assert verify_password("new-password-123", refreshed.password_hash)
async def test_delete_user(session):
admin = await _make_admin(session)
user = await _make_user(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.delete(f"/api/v0/users/{user.id}")
assert resp.status_code == 204
assert await session.get(User, user.id) is None
# ========== Devices API ==========
async def test_list_devices_admin_sees_all(session):
admin = await _make_admin(session)
user = await _make_user(session)
session.add(Device(name="d1", public_key="pk-api-d1", user_id=admin.id))
session.add(Device(name="d2", public_key="pk-api-d2", user_id=user.id))
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get("/api/v0/devices/")
assert resp.status_code == 200
assert len(resp.json()) >= 2
async def test_list_devices_user_sees_own(session):
admin = await _make_admin(session)
user = await _make_user(session, "own-devices@test.com")
session.add(Device(name="mine", public_key="pk-api-mine", user_id=user.id))
session.add(Device(name="not-mine", public_key="pk-api-notmine", user_id=admin.id))
await session.flush()
# Override to be the regular user
test_app = _build_app(session)
test_app.dependency_overrides[get_current_api_user] = lambda: user
async with AsyncClient(transport=ASGITransport(app=test_app), base_url="http://test") as client:
resp = await client.get("/api/v0/devices/")
assert resp.status_code == 200
names = [d["name"] for d in resp.json()]
assert "mine" in names
assert "not-mine" not in names
async def test_get_device(session):
admin = await _make_admin(session)
device = Device(name="detail", public_key="pk-api-detail", user_id=admin.id, ipv4="10.0.0.5")
session.add(device)
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get(f"/api/v0/devices/{device.id}")
assert resp.status_code == 200
assert resp.json()["name"] == "detail"
assert resp.json()["ipv4"] == "10.0.0.5"
async def test_get_device_forbidden_for_other_user(session):
admin = await _make_admin(session)
user = await _make_user(session, "other-dev@test.com")
device = Device(name="admin-dev", public_key="pk-api-forbid", user_id=admin.id)
session.add(device)
await session.flush()
test_app = _build_app(session)
test_app.dependency_overrides[get_current_api_user] = lambda: user
async with AsyncClient(transport=ASGITransport(app=test_app), base_url="http://test") as client:
resp = await client.get(f"/api/v0/devices/{device.id}")
assert resp.status_code == 403
async def test_update_device(session):
admin = await _make_admin(session)
device = Device(name="old-name", public_key="pk-api-update", user_id=admin.id)
session.add(device)
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.put(f"/api/v0/devices/{device.id}", json={"name": "new-name"})
assert resp.status_code == 200
assert resp.json()["name"] == "new-name"
async def test_delete_device(session):
admin = await _make_admin(session)
device = Device(name="to-delete", public_key="pk-api-del", user_id=admin.id)
session.add(device)
await session.flush()
did = device.id
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.delete(f"/api/v0/devices/{did}")
assert resp.status_code == 204
assert await session.get(Device, did) is None
# ========== Rules API ==========
async def test_list_rules(session):
admin = await _make_admin(session)
session.add(Rule(action="accept", destination="10.0.0.0/8"))
session.add(Rule(action="drop", destination="192.168.0.0/16", user_id=admin.id))
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get("/api/v0/rules/")
assert resp.status_code == 200
assert len(resp.json()) >= 2
async def test_create_rule(session):
admin = await _make_admin(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.post("/api/v0/rules/", json={
"action": "accept",
"destination": "172.16.0.0/12",
"port_type": "tcp",
"port_range": "443",
})
assert resp.status_code == 201
data = resp.json()
assert data["action"] == "accept"
assert data["destination"] == "172.16.0.0/12"
assert data["port_type"] == "tcp"
assert data["port_range"] == "443"
async def test_update_rule(session):
admin = await _make_admin(session)
rule = Rule(action="accept", destination="10.0.0.0/8")
session.add(rule)
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.put(f"/api/v0/rules/{rule.id}", json={"action": "drop"})
assert resp.status_code == 200
assert resp.json()["action"] == "drop"
async def test_delete_rule(session):
admin = await _make_admin(session)
rule = Rule(action="drop", destination="0.0.0.0/0")
session.add(rule)
await session.flush()
rid = rule.id
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.delete(f"/api/v0/rules/{rid}")
assert resp.status_code == 204
assert await session.get(Rule, rid) is None
# ========== Configuration API ==========
async def test_get_configuration_auto_creates(session):
admin = await _make_admin(session)
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.get("/api/v0/configuration/")
assert resp.status_code == 200
data = resp.json()
assert data["default_client_mtu"] == 1280
assert data["local_auth_enabled"] is True
async def test_update_configuration(session):
admin = await _make_admin(session)
# Pre-create config
config = Configuration()
session.add(config)
await session.flush()
app = _build_app(session, admin_user=admin)
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
resp = await client.put("/api/v0/configuration/", json={
"default_client_mtu": 1400,
"vpn_session_duration": 3600,
"default_client_dns": ["8.8.8.8"],
})
assert resp.status_code == 200
data = resp.json()
assert data["default_client_mtu"] == 1400
assert data["vpn_session_duration"] == 3600
assert data["default_client_dns"] == ["8.8.8.8"]

27
tests/test_auth.py
View file

@ -1,4 +1,4 @@
"""Tests for authentication modules.""" """Tests for authentication modules — seed logic and JWT edge cases."""
from sqlmodel import select from sqlmodel import select
@ -8,17 +8,7 @@ from wiregui.auth.seed import seed_admin
from wiregui.models.user import User from wiregui.models.user import User
# --- Password hashing --- # --- Password hashing (format guard) ---
def test_hash_and_verify():
hashed = hash_password("my-secret")
assert verify_password("my-secret", hashed) is True
def test_verify_wrong_password():
hashed = hash_password("correct")
assert verify_password("wrong", hashed) is False
def test_hash_is_not_plaintext(): def test_hash_is_not_plaintext():
@ -27,16 +17,7 @@ def test_hash_is_not_plaintext():
assert hashed.startswith("$2b$") assert hashed.startswith("$2b$")
# --- JWT --- # --- JWT edge cases ---
def test_create_and_decode_token():
token = create_access_token(user_id="user-123", role="admin")
payload = decode_access_token(token)
assert payload is not None
assert payload["sub"] == "user-123"
assert payload["role"] == "admin"
assert "exp" in payload
def test_decode_invalid_token(): def test_decode_invalid_token():
@ -54,8 +35,6 @@ def test_decode_tampered_token():
async def test_seed_admin_creates_user(session, monkeypatch): async def test_seed_admin_creates_user(session, monkeypatch):
"""seed_admin should create an admin when no users exist.""" """seed_admin should create an admin when no users exist."""
# Patch async_session to use our test session
from unittest.mock import AsyncMock
from contextlib import asynccontextmanager from contextlib import asynccontextmanager
@asynccontextmanager @asynccontextmanager

60
tests/test_auth_extended.py
View file

@ -1,65 +1,9 @@
"""Extended auth tests — OIDC registration, WebAuthn options, session edge cases.""" """Extended auth tests — OIDC registration, WebAuthn options, rule event handlers."""
from unittest.mock import AsyncMock, MagicMock, patch from unittest.mock import AsyncMock, MagicMock, patch
from uuid import uuid4 from uuid import uuid4
from wiregui.auth.passwords import hash_password
from wiregui.auth.session import authenticate_user
from wiregui.models.user import User from wiregui.models.user import User
from wiregui.utils.time import utcnow
# ========== Session / authenticate_user edge cases ==========
async def test_authenticate_user_no_password_hash(session, monkeypatch):
"""Users without a password (OIDC-only) should not authenticate via password."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
user = User(email="no-pw@test.com", password_hash=None)
session.add(user)
await session.flush()
result = await authenticate_user("no-pw@test.com", "anything")
assert result is None
async def test_authenticate_user_disabled(session, monkeypatch):
"""Disabled users should not authenticate."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
user = User(email="disabled-auth@test.com", password_hash=hash_password("pw"), disabled_at=utcnow())
session.add(user)
await session.flush()
result = await authenticate_user("disabled-auth@test.com", "pw")
assert result is None
async def test_authenticate_user_nonexistent(session, monkeypatch):
"""Nonexistent email should return None."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
result = await authenticate_user("ghost@nowhere.com", "pw")
assert result is None
# ========== OIDC provider registration ========== # ========== OIDC provider registration ==========
@ -163,13 +107,11 @@ async def test_on_rule_updated_triggers_rebuild(mock_fw, mock_settings):
from wiregui.models.rule import Rule from wiregui.models.rule import Rule
from wiregui.services.events import on_rule_updated from wiregui.services.events import on_rule_updated
# Need to mock the DB call inside _rebuild_user_chain
with patch("wiregui.services.events.async_session") as mock_session_factory: with patch("wiregui.services.events.async_session") as mock_session_factory:
mock_session = AsyncMock() mock_session = AsyncMock()
mock_session.__aenter__ = AsyncMock(return_value=mock_session) mock_session.__aenter__ = AsyncMock(return_value=mock_session)
mock_session.__aexit__ = AsyncMock(return_value=False) mock_session.__aexit__ = AsyncMock(return_value=False)
# Mock the select results
mock_rules_result = MagicMock() mock_rules_result = MagicMock()
mock_rules_result.scalars.return_value.all.return_value = [] mock_rules_result.scalars.return_value.all.return_value = []
mock_devices_result = MagicMock() mock_devices_result = MagicMock()

266
tests/test_firewall_extended.py Normal file
View file

@ -0,0 +1,266 @@
"""Extended firewall tests — _nft/_nft_batch error handling, add_device_jump_rule edge cases, policies."""
from unittest.mock import AsyncMock, patch
import pytest
from wiregui.services.firewall import (
_nft,
_nft_batch,
add_device_jump_rule,
rebuild_all_rules,
setup_base_tables,
setup_masquerade,
apply_peer_to_peer_policy,
apply_lan_to_peers_policy,
get_ruleset,
)
# ========== _nft error handling ==========
@patch("asyncio.create_subprocess_exec")
async def test_nft_raises_on_failure(mock_exec):
"""_nft raises RuntimeError on non-zero exit code."""
mock_proc = AsyncMock()
mock_proc.communicate.return_value = (b"", b"nft: error message")
mock_proc.returncode = 1
mock_exec.return_value = mock_proc
with pytest.raises(RuntimeError, match="nft.*failed"):
await _nft("list ruleset")
@patch("asyncio.create_subprocess_exec")
async def test_nft_returns_stdout_on_success(mock_exec):
"""_nft returns stdout on success."""
mock_proc = AsyncMock()
mock_proc.communicate.return_value = (b"table inet wiregui {}", b"")
mock_proc.returncode = 0
mock_exec.return_value = mock_proc
result = await _nft("list ruleset")
assert "wiregui" in result
# ========== _nft_batch error handling ==========
@patch("asyncio.create_subprocess_exec")
async def test_nft_batch_raises_on_failure(mock_exec):
"""_nft_batch raises RuntimeError on non-zero exit code."""
mock_proc = AsyncMock()
mock_proc.communicate.return_value = (b"", b"Error: syntax error")
mock_proc.returncode = 1
mock_exec.return_value = mock_proc
with pytest.raises(RuntimeError, match="nft batch failed"):
await _nft_batch(["add table inet wiregui"])
@patch("asyncio.create_subprocess_exec")
async def test_nft_batch_sends_commands_via_stdin(mock_exec):
"""_nft_batch sends all commands via stdin to nft -f -."""
mock_proc = AsyncMock()
mock_proc.communicate.return_value = (b"", b"")
mock_proc.returncode = 0
mock_exec.return_value = mock_proc
cmds = ["add table inet wiregui", "add chain inet wiregui test"]
await _nft_batch(cmds)
mock_exec.assert_awaited_once()
# Verify nft -f - was called
call_args = mock_exec.call_args[0]
assert call_args == ("nft", "-f", "-")
# Verify stdin data
stdin_data = mock_proc.communicate.call_args[0][0]
assert b"add table inet wiregui" in stdin_data
assert b"add chain inet wiregui test" in stdin_data
# ========== add_device_jump_rule edge cases ==========
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_add_device_jump_rule_ipv4_only(mock_batch):
"""Only IPv4 — generates single IPv4 jump rule."""
await add_device_jump_rule("user-id-1", "10.0.0.5", None)
mock_batch.assert_awaited_once()
cmds = mock_batch.call_args[0][0]
assert len(cmds) == 1
assert "ip saddr 10.0.0.5" in cmds[0]
assert "jump" in cmds[0]
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_add_device_jump_rule_ipv6_only(mock_batch):
"""Only IPv6 — generates single IPv6 jump rule."""
await add_device_jump_rule("user-id-2", None, "fd00::5")
mock_batch.assert_awaited_once()
cmds = mock_batch.call_args[0][0]
assert len(cmds) == 1
assert "ip6 saddr fd00::5" in cmds[0]
assert "jump" in cmds[0]
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_add_device_jump_rule_no_ips(mock_batch):
"""Neither IPv4 nor IPv6 — no nft commands issued."""
await add_device_jump_rule("user-id-3", None, None)
mock_batch.assert_not_awaited()
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_add_device_jump_rule_both_ips(mock_batch):
"""Both IPv4 and IPv6 — generates two jump rules."""
await add_device_jump_rule("user-id-4", "10.0.0.7", "fd00::7")
mock_batch.assert_awaited_once()
cmds = mock_batch.call_args[0][0]
assert len(cmds) == 2
assert any("ip saddr 10.0.0.7" in c for c in cmds)
assert any("ip6 saddr fd00::7" in c for c in cmds)
# ========== setup_base_tables — already exists ==========
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_setup_base_tables_already_exists(mock_batch):
"""If table already exists (File exists error), don't raise."""
mock_batch.side_effect = RuntimeError("File exists")
await setup_base_tables() # should not raise
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_setup_base_tables_other_error_raises(mock_batch):
"""Other nft errors should propagate."""
mock_batch.side_effect = RuntimeError("Permission denied")
with pytest.raises(RuntimeError, match="Permission denied"):
await setup_base_tables()
# ========== setup_masquerade — error handling ==========
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_setup_masquerade_error_swallowed(mock_batch):
"""Masquerade errors are logged but not raised."""
mock_batch.side_effect = RuntimeError("nft error")
await setup_masquerade(iface="wg0") # should not raise
# ========== policy functions — command verification ==========
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_peer_to_peer_enabled(mock_batch):
"""Enabling peer-to-peer generates accept rules."""
await apply_peer_to_peer_policy(True)
cmds = mock_batch.call_args[0][0]
assert any("accept" in c for c in cmds)
assert any("peer_to_peer" in c for c in cmds)
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_peer_to_peer_disabled(mock_batch):
"""Disabling peer-to-peer generates drop rules."""
await apply_peer_to_peer_policy(False)
cmds = mock_batch.call_args[0][0]
assert any("drop" in c for c in cmds)
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_lan_to_peers_enabled(mock_batch):
"""Enabling LAN-to-peers generates accept rules."""
await apply_lan_to_peers_policy(True)
cmds = mock_batch.call_args[0][0]
assert any("accept" in c for c in cmds)
assert any("lan_to_peers" in c for c in cmds)
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_lan_to_peers_disabled(mock_batch):
"""Disabling LAN-to-peers generates drop rules."""
await apply_lan_to_peers_policy(False)
cmds = mock_batch.call_args[0][0]
assert any("drop" in c for c in cmds)
# ========== get_ruleset — error handling ==========
@patch("wiregui.services.firewall._nft", new_callable=AsyncMock)
async def test_get_ruleset_returns_output(mock_nft):
"""get_ruleset returns nft list ruleset output."""
mock_nft.return_value = "table inet wiregui { ... }"
result = await get_ruleset()
assert "wiregui" in result
@patch("wiregui.services.firewall._nft", new_callable=AsyncMock)
async def test_get_ruleset_returns_fallback_on_error(mock_nft):
"""get_ruleset returns friendly message when nft not available."""
mock_nft.side_effect = RuntimeError("nft not found")
result = await get_ruleset()
assert "not available" in result
# ========== rebuild_all_rules — orphan cleanup ==========
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
@patch("wiregui.services.firewall._list_user_chains", new_callable=AsyncMock)
async def test_rebuild_removes_orphaned_user_chains(mock_list, mock_batch):
"""Orphaned user chains (in nft but not in DB) should be flushed and deleted."""
mock_list.return_value = {"user_aaaa00000000", "user_bbbb00000000"}
# Only user_aaaa is still in the DB
await rebuild_all_rules([{
"user_id": "aaaa0000-0000-0000-0000-000000000000",
"devices": [{"ipv4": "10.0.0.2", "ipv6": None}],
"rules": [],
}])
batch_cmds = mock_batch.call_args[0][0]
batch_text = "\n".join(batch_cmds)
# user_bbbb should be flushed and deleted
assert "flush chain inet wiregui user_bbbb00000000" in batch_text
assert "delete chain inet wiregui user_bbbb00000000" in batch_text
# user_aaaa should NOT be deleted
assert "delete chain inet wiregui user_aaaa00000000" not in batch_text
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
@patch("wiregui.services.firewall._list_user_chains", new_callable=AsyncMock)
async def test_rebuild_with_no_devices_clears_forward_and_orphans(mock_list, mock_batch):
"""With zero devices, forward chain should be flushed and all user chains removed."""
mock_list.return_value = {"user_aaaa00000000", "user_bbbb00000000"}
await rebuild_all_rules([])
batch_cmds = mock_batch.call_args[0][0]
batch_text = "\n".join(batch_cmds)
# Forward chain must be flushed even with no devices
assert "flush chain inet wiregui forward" in batch_text
# Both orphans removed
assert "delete chain inet wiregui user_aaaa00000000" in batch_text
assert "delete chain inet wiregui user_bbbb00000000" in batch_text
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
@patch("wiregui.services.firewall._list_user_chains", new_callable=AsyncMock)
async def test_rebuild_no_orphans_no_deletions(mock_list, mock_batch):
"""When all nft chains match the DB, no deletions should occur."""
mock_list.return_value = {"user_aaaa00000000"}
await rebuild_all_rules([{
"user_id": "aaaa0000-0000-0000-0000-000000000000",
"devices": [{"ipv4": "10.0.0.2", "ipv6": None}],
"rules": [],
}])
batch_cmds = mock_batch.call_args[0][0]
batch_text = "\n".join(batch_cmds)
assert "delete chain" not in batch_text

239
tests/test_integration_mfa.py
View file

@ -1,239 +0,0 @@
"""Integration tests for MFA — full registration and authentication flows through the database."""
import pyotp
from sqlmodel import func, select
from wiregui.auth.mfa import generate_totp_secret, verify_totp_code
from wiregui.auth.passwords import hash_password, verify_password
from wiregui.auth.session import authenticate_user
from wiregui.models.mfa_method import MFAMethod
from wiregui.models.user import User
from wiregui.utils.time import utcnow
async def test_full_totp_registration_flow(session, monkeypatch):
"""End-to-end: create user → generate secret → verify code → store method → re-verify from DB."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
# Create user with password
user = User(email="mfa-flow@example.com", password_hash=hash_password("secure123"))
session.add(user)
await session.flush()
# Step 1: Generate TOTP secret (happens in account page)
secret = generate_totp_secret()
# Step 2: User scans QR, enters code from their authenticator
totp = pyotp.TOTP(secret)
code = totp.now()
# Step 3: Verify the code is correct before saving
assert verify_totp_code(secret, code) is True
# Step 4: Save the MFA method to DB
method = MFAMethod(
name="My Authenticator",
type="totp",
payload={"secret": secret},
user_id=user.id,
)
session.add(method)
await session.flush()
# Step 5: Simulate future login — load method from DB and verify a fresh code
fetched_methods = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalars().all()
assert len(fetched_methods) == 1
stored_secret = fetched_methods[0].payload["secret"]
fresh_code = pyotp.TOTP(stored_secret).now()
assert verify_totp_code(stored_secret, fresh_code) is True
async def test_mfa_blocks_login_without_code(session, monkeypatch):
"""User with MFA should not be fully authenticated without completing MFA challenge."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
# Create user with MFA
user = User(email="mfa-block@example.com", password_hash=hash_password("password1"))
session.add(user)
await session.flush()
secret = generate_totp_secret()
method = MFAMethod(name="Phone", type="totp", payload={"secret": secret}, user_id=user.id)
session.add(method)
await session.flush()
# Password auth succeeds
authed_user = await authenticate_user("mfa-block@example.com", "password1")
assert authed_user is not None
# But MFA methods exist — login page would redirect to /mfa instead of completing login
mfa_methods = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == authed_user.id)
)).scalars().all()
assert len(mfa_methods) > 0 # Login flow would check this and redirect to /mfa
async def test_mfa_wrong_code_rejected(session):
"""Wrong TOTP code should be rejected even if method is valid."""
user = User(email="mfa-wrong@example.com", password_hash=hash_password("pw"))
session.add(user)
await session.flush()
secret = generate_totp_secret()
method = MFAMethod(name="Auth", type="totp", payload={"secret": secret}, user_id=user.id)
session.add(method)
await session.flush()
# Load from DB and try wrong code
fetched = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalar_one()
assert verify_totp_code(fetched.payload["secret"], "000000") is False
assert verify_totp_code(fetched.payload["secret"], "123456") is False
async def test_mfa_multiple_methods_any_valid_code_works(session):
"""If user has multiple TOTP methods, a valid code from any should work."""
user = User(email="mfa-multi@example.com")
session.add(user)
await session.flush()
secret1 = generate_totp_secret()
secret2 = generate_totp_secret()
session.add(MFAMethod(name="Phone", type="totp", payload={"secret": secret1}, user_id=user.id))
session.add(MFAMethod(name="Backup", type="totp", payload={"secret": secret2}, user_id=user.id))
await session.flush()
methods = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalars().all()
# Code from method 1 should verify against method 1's secret
code1 = pyotp.TOTP(secret1).now()
verified = False
for m in methods:
if verify_totp_code(m.payload["secret"], code1):
verified = True
break
assert verified is True
# Code from method 2 should also work
code2 = pyotp.TOTP(secret2).now()
verified2 = False
for m in methods:
if verify_totp_code(m.payload["secret"], code2):
verified2 = True
break
assert verified2 is True
async def test_mfa_method_last_used_tracking(session):
"""Verifying MFA should update last_used_at timestamp."""
user = User(email="mfa-tracking@example.com")
session.add(user)
await session.flush()
secret = generate_totp_secret()
method = MFAMethod(name="Auth", type="totp", payload={"secret": secret}, user_id=user.id)
session.add(method)
await session.flush()
assert method.last_used_at is None
# Simulate successful verification and update
code = pyotp.TOTP(secret).now()
assert verify_totp_code(secret, code) is True
method.last_used_at = utcnow()
session.add(method)
await session.flush()
fetched = await session.get(MFAMethod, method.id)
assert fetched.last_used_at is not None
async def test_mfa_delete_method_allows_login_without_mfa(session, monkeypatch):
"""After removing all MFA methods, user should not be redirected to MFA challenge."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
user = User(email="mfa-remove@example.com", password_hash=hash_password("pw"))
session.add(user)
await session.flush()
secret = generate_totp_secret()
method = MFAMethod(name="Temp", type="totp", payload={"secret": secret}, user_id=user.id)
session.add(method)
await session.flush()
# MFA exists
count = (await session.execute(
select(func.count()).select_from(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalar()
assert count == 1
# Delete it
await session.delete(method)
await session.flush()
count = (await session.execute(
select(func.count()).select_from(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalar()
assert count == 0
# Password auth still works
authed = await authenticate_user("mfa-remove@example.com", "pw")
assert authed is not None
# No MFA methods — login flow would skip MFA challenge
mfa_check = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == authed.id)
)).scalars().all()
assert len(mfa_check) == 0
async def test_disabled_user_with_mfa_cannot_login(session, monkeypatch):
"""Disabled user should be rejected at password stage, never reaching MFA."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.session.async_session", mock_session)
user = User(
email="mfa-disabled@example.com",
password_hash=hash_password("pw"),
disabled_at=utcnow(),
)
session.add(user)
await session.flush()
secret = generate_totp_secret()
session.add(MFAMethod(name="Auth", type="totp", payload={"secret": secret}, user_id=user.id))
await session.flush()
# Password auth rejects disabled user before MFA is ever checked
result = await authenticate_user("mfa-disabled@example.com", "pw")
assert result is None

309
tests/test_integration_oidc.py
View file

@ -1,309 +0,0 @@
"""Integration tests for OIDC — mock provider endpoints, test full auth code flow."""
import json
import time
from unittest.mock import patch
from uuid import uuid4
import respx
from httpx import Response
from jose import jwt
from sqlmodel import select
from wiregui.auth.oidc import get_provider_config, load_providers, oauth, register_providers
from wiregui.config import get_settings
from wiregui.models.configuration import Configuration
from wiregui.models.oidc_connection import OIDCConnection
from wiregui.models.user import User
# --- Helper to create a fake OIDC provider config in the DB ---
async def _setup_oidc_config(session) -> Configuration:
"""Insert a Configuration with a test OIDC provider."""
config = Configuration(
openid_connect_providers=[
{
"id": "test-idp",
"label": "Test IdP",
"scope": "openid email profile",
"response_type": "code",
"client_id": "test-client-id",
"client_secret": "test-client-secret",
"discovery_document_uri": "https://idp.example.com/.well-known/openid-configuration",
"auto_create_users": True,
}
],
)
session.add(config)
await session.commit()
return config
def _mock_discovery():
"""Mock OIDC discovery document response."""
return {
"issuer": "https://idp.example.com",
"authorization_endpoint": "https://idp.example.com/authorize",
"token_endpoint": "https://idp.example.com/token",
"userinfo_endpoint": "https://idp.example.com/userinfo",
"jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}
def _mock_token_response(email: str = "oidc-user@example.com"):
"""Mock OIDC token endpoint response with ID token."""
now = int(time.time())
id_token_payload = {
"iss": "https://idp.example.com",
"sub": "oidc-subject-123",
"aud": "test-client-id",
"email": email,
"name": "OIDC User",
"iat": now,
"exp": now + 3600,
"nonce": "test-nonce",
}
# Sign with a simple secret (in real life this would be RSA)
id_token = jwt.encode(id_token_payload, "fake-secret", algorithm="HS256")
return {
"access_token": "mock-access-token",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "mock-refresh-token",
"id_token": id_token,
}
# --- Provider config loading ---
async def test_load_providers_from_config(session, monkeypatch):
"""Providers should be loaded from the Configuration table."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.oidc.async_session", mock_session)
await _setup_oidc_config(session)
providers = await load_providers()
assert len(providers) == 1
assert providers[0]["id"] == "test-idp"
assert providers[0]["client_id"] == "test-client-id"
async def test_load_providers_empty_when_no_config(session, monkeypatch):
"""Should return empty list when no Configuration exists."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.oidc.async_session", mock_session)
providers = await load_providers()
assert providers == []
async def test_get_provider_config_by_id(session, monkeypatch):
"""Should find a specific provider by ID."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.auth.oidc.async_session", mock_session)
await _setup_oidc_config(session)
config = await get_provider_config("test-idp")
assert config is not None
assert config["label"] == "Test IdP"
config_missing = await get_provider_config("nonexistent")
assert config_missing is None
# --- OIDC connection storage ---
async def test_oidc_connection_created_on_login(session):
"""Simulates what the callback route does: create user + OIDC connection."""
user = User(email="oidc-new@example.com", role="unprivileged")
session.add(user)
await session.flush()
token_data = _mock_token_response("oidc-new@example.com")
conn = OIDCConnection(
provider="test-idp",
refresh_token=token_data["refresh_token"],
refresh_response=token_data,
user_id=user.id,
)
session.add(conn)
await session.flush()
# Verify it was stored
fetched = (await session.execute(
select(OIDCConnection).where(OIDCConnection.user_id == user.id)
)).scalar_one()
assert fetched.provider == "test-idp"
assert fetched.refresh_token == "mock-refresh-token"
assert fetched.refresh_response["access_token"] == "mock-access-token"
async def test_oidc_connection_updated_on_re_login(session):
"""Re-login should update the existing OIDC connection, not create a duplicate."""
user = User(email="oidc-relogin@example.com")
session.add(user)
await session.flush()
# First login
conn = OIDCConnection(
provider="test-idp",
refresh_token="old-refresh-token",
user_id=user.id,
)
session.add(conn)
await session.flush()
# Re-login — update existing connection (as the callback route does)
existing = (await session.execute(
select(OIDCConnection).where(
OIDCConnection.user_id == user.id,
OIDCConnection.provider == "test-idp",
)
)).scalar_one()
existing.refresh_token = "new-refresh-token"
from wiregui.utils.time import utcnow
existing.refreshed_at = utcnow()
session.add(existing)
await session.flush()
# Should still be one connection
from sqlmodel import func
count = (await session.execute(
select(func.count()).select_from(OIDCConnection).where(OIDCConnection.user_id == user.id)
)).scalar()
assert count == 1
fetched = (await session.execute(
select(OIDCConnection).where(OIDCConnection.user_id == user.id)
)).scalar_one()
assert fetched.refresh_token == "new-refresh-token"
async def test_oidc_auto_create_user(session):
"""When auto_create_users is True, a new user should be created from OIDC email."""
email = "auto-created@example.com"
# Verify user doesn't exist
existing = (await session.execute(select(User).where(User.email == email))).scalar_one_or_none()
assert existing is None
# Simulate what callback does with auto_create
user = User(email=email, role="unprivileged")
session.add(user)
await session.flush()
from wiregui.utils.time import utcnow
user.last_signed_in_at = utcnow()
user.last_signed_in_method = "oidc:test-idp"
session.add(user)
await session.flush()
created = (await session.execute(select(User).where(User.email == email))).scalar_one()
assert created.role == "unprivileged"
assert created.last_signed_in_method == "oidc:test-idp"
async def test_oidc_disabled_user_rejected(session):
"""Disabled users should not be logged in via OIDC."""
from wiregui.utils.time import utcnow
user = User(email="oidc-disabled@example.com", disabled_at=utcnow())
session.add(user)
await session.flush()
# The callback route checks disabled_at before creating session
assert user.disabled_at is not None # Would redirect to /login
async def test_oidc_user_without_auto_create_rejected(session):
"""When auto_create is False and user doesn't exist, login should fail."""
email = "no-auto-create@example.com"
existing = (await session.execute(select(User).where(User.email == email))).scalar_one_or_none()
assert existing is None
# The callback route checks auto_create_users from provider config
# With auto_create=False and no existing user, it would redirect to /login
# This verifies the precondition
# --- OIDC refresh token flow ---
async def test_oidc_refresh_stores_new_token(session):
"""Simulates a successful token refresh updating the connection."""
user = User(email="oidc-refresh-test@example.com")
session.add(user)
await session.flush()
conn = OIDCConnection(
provider="test-idp",
refresh_token="old-refresh",
user_id=user.id,
)
session.add(conn)
await session.flush()
# Simulate refresh result
new_token = {
"access_token": "new-access",
"refresh_token": "new-refresh",
"expires_in": 3600,
}
conn.refresh_token = new_token.get("refresh_token", conn.refresh_token)
conn.refresh_response = new_token
from wiregui.utils.time import utcnow
conn.refreshed_at = utcnow()
session.add(conn)
await session.flush()
fetched = await session.get(OIDCConnection, conn.id)
assert fetched.refresh_token == "new-refresh"
assert fetched.refresh_response["access_token"] == "new-access"
assert fetched.refreshed_at is not None
async def test_oidc_multiple_providers_per_user(session):
"""User can have connections to multiple OIDC providers."""
user = User(email="multi-provider@example.com")
session.add(user)
await session.flush()
for provider in ["google", "okta", "azure-ad"]:
session.add(OIDCConnection(
provider=provider,
refresh_token=f"token-{provider}",
user_id=user.id,
))
await session.flush()
conns = (await session.execute(
select(OIDCConnection).where(OIDCConnection.user_id == user.id).order_by(OIDCConnection.provider)
)).scalars().all()
assert len(conns) == 3
assert [c.provider for c in conns] == ["azure-ad", "google", "okta"]

49
tests/test_magic_link.py
View file

@ -1,34 +1,6 @@
"""Tests for magic link authentication flow.""" """Tests for magic link authentication — token subject validation."""
from datetime import timedelta
from wiregui.auth.jwt import create_access_token, decode_access_token from wiregui.auth.jwt import create_access_token, decode_access_token
from wiregui.auth.passwords import hash_password
from wiregui.models.user import User
def test_magic_link_token_creation():
"""Magic link token should be a valid JWT with short expiry."""
token = create_access_token(
user_id="user-123",
role="unprivileged",
expires_delta=timedelta(minutes=15),
)
payload = decode_access_token(token)
assert payload is not None
assert payload["sub"] == "user-123"
assert payload["role"] == "unprivileged"
def test_magic_link_token_expired():
"""Expired magic link token should be rejected."""
token = create_access_token(
user_id="user-123",
role="admin",
expires_delta=timedelta(minutes=-1), # Already expired
)
payload = decode_access_token(token)
assert payload is None
def test_magic_link_token_wrong_user(): def test_magic_link_token_wrong_user():
@ -37,22 +9,3 @@ def test_magic_link_token_wrong_user():
payload = decode_access_token(token) payload = decode_access_token(token)
assert payload["sub"] == "user-A" assert payload["sub"] == "user-A"
# Caller is responsible for checking sub matches the URL user_id # Caller is responsible for checking sub matches the URL user_id
async def test_magic_link_disabled_user_rejected(session):
"""Disabled users should not be able to use magic links."""
from wiregui.utils.time import utcnow
user = User(
email="disabled-magic@example.com",
password_hash=hash_password("pw"),
disabled_at=utcnow(),
)
session.add(user)
await session.flush()
# The token would be valid but the page handler checks disabled_at
token = create_access_token(user_id=str(user.id), role="unprivileged")
payload = decode_access_token(token)
assert payload is not None # Token itself is valid
assert user.disabled_at is not None # But user is disabled — handler would reject

62
tests/test_mfa.py
View file

@ -1,4 +1,4 @@
"""Tests for TOTP MFA functionality.""" """Tests for TOTP MFA — URI format, edge cases, QR generation, DB relationships."""
import pyotp import pyotp
@ -12,22 +12,7 @@ from wiregui.models.mfa_method import MFAMethod
from wiregui.models.user import User from wiregui.models.user import User
# --- TOTP secret generation --- # --- TOTP URI format ---
def test_generate_secret():
secret = generate_totp_secret()
assert len(secret) == 32 # base32 encoded
assert secret.isalpha() or any(c.isdigit() for c in secret)
def test_generate_secret_unique():
s1 = generate_totp_secret()
s2 = generate_totp_secret()
assert s1 != s2
# --- TOTP URI ---
def test_get_totp_uri(): def test_get_totp_uri():
@ -43,19 +28,7 @@ def test_get_totp_uri_custom_issuer():
assert "issuer=MyVPN" in uri assert "issuer=MyVPN" in uri
# --- TOTP verification --- # --- TOTP verification edge cases ---
def test_verify_valid_code():
secret = generate_totp_secret()
totp = pyotp.TOTP(secret)
code = totp.now()
assert verify_totp_code(secret, code) is True
def test_verify_invalid_code():
secret = generate_totp_secret()
assert verify_totp_code(secret, "000000") is False
def test_verify_wrong_secret(): def test_verify_wrong_secret():
@ -80,34 +53,7 @@ def test_generate_qr_svg():
assert "</svg>" in svg assert "</svg>" in svg
# --- MFA method model integration --- # --- MFA method DB relationships ---
async def test_create_totp_method(session):
user = User(email="mfa-test@example.com")
session.add(user)
await session.flush()
secret = generate_totp_secret()
method = MFAMethod(
name="My Phone",
type="totp",
payload={"secret": secret},
user_id=user.id,
)
session.add(method)
await session.flush()
from sqlmodel import select
fetched = (await session.execute(
select(MFAMethod).where(MFAMethod.user_id == user.id)
)).scalar_one()
assert fetched.name == "My Phone"
assert fetched.type == "totp"
stored_secret = fetched.payload["secret"]
code = pyotp.TOTP(stored_secret).now()
assert verify_totp_code(stored_secret, code) is True
async def test_user_multiple_mfa_methods(session): async def test_user_multiple_mfa_methods(session):

168
tests/test_models.py
View file

@ -1,168 +0,0 @@
"""Tests for SQLModel table definitions."""
import pytest # noqa: F401 — needed for pytest.raises
from sqlmodel import select
from wiregui.models.api_token import ApiToken
from wiregui.models.configuration import Configuration
from wiregui.models.connectivity_check import ConnectivityCheck
from wiregui.models.device import Device
from wiregui.models.mfa_method import MFAMethod
from wiregui.models.oidc_connection import OIDCConnection
from wiregui.models.rule import Rule
from wiregui.models.user import User
async def test_create_user(session):
user = User(email="alice@example.com", role="admin")
session.add(user)
await session.flush()
result = await session.execute(select(User).where(User.email == "alice@example.com"))
fetched = result.scalar_one()
assert fetched.id == user.id
assert fetched.role == "admin"
assert fetched.disabled_at is None
async def test_create_device_with_user(session):
user = User(email="bob@example.com")
session.add(user)
await session.flush()
device = Device(
name="laptop",
public_key="pk-test-device-001",
user_id=user.id,
)
session.add(device)
await session.flush()
result = await session.execute(select(Device).where(Device.public_key == "pk-test-device-001"))
fetched = result.scalar_one()
assert fetched.name == "laptop"
assert fetched.user_id == user.id
assert fetched.use_default_dns is True
assert fetched.use_default_allowed_ips is True
assert fetched.rx_bytes is None
async def test_device_unique_public_key(session):
user = User(email="carol@example.com")
session.add(user)
await session.flush()
d1 = Device(name="d1", public_key="duplicate-key", user_id=user.id)
session.add(d1)
await session.flush()
d2 = Device(name="d2", public_key="duplicate-key", user_id=user.id)
session.add(d2)
with pytest.raises(Exception): # IntegrityError
await session.flush()
async def test_create_rule(session):
user = User(email="dave@example.com")
session.add(user)
await session.flush()
rule = Rule(action="accept", destination="10.0.0.0/8", user_id=user.id)
session.add(rule)
await session.flush()
result = await session.execute(select(Rule).where(Rule.user_id == user.id))
fetched = result.scalar_one()
assert fetched.action == "accept"
assert fetched.destination == "10.0.0.0/8"
assert fetched.port_type is None
assert fetched.port_range is None
async def test_create_rule_with_port(session):
rule = Rule(
action="drop",
destination="192.168.0.0/16",
port_type="tcp",
port_range="80-443",
)
session.add(rule)
await session.flush()
fetched = (await session.execute(select(Rule).where(Rule.id == rule.id))).scalar_one()
assert fetched.port_type == "tcp"
assert fetched.port_range == "80-443"
assert fetched.user_id is None # global rule
async def test_create_mfa_method(session):
user = User(email="eve@example.com")
session.add(user)
await session.flush()
mfa = MFAMethod(
name="My Authenticator",
type="totp",
payload={"secret": "JBSWY3DPEHPK3PXP"},
user_id=user.id,
)
session.add(mfa)
await session.flush()
fetched = (await session.execute(select(MFAMethod).where(MFAMethod.user_id == user.id))).scalar_one()
assert fetched.type == "totp"
assert fetched.payload["secret"] == "JBSWY3DPEHPK3PXP"
async def test_create_oidc_connection(session):
user = User(email="frank@example.com")
session.add(user)
await session.flush()
conn = OIDCConnection(provider="google", refresh_token="tok_abc", user_id=user.id)
session.add(conn)
await session.flush()
fetched = (await session.execute(select(OIDCConnection).where(OIDCConnection.user_id == user.id))).scalar_one()
assert fetched.provider == "google"
assert fetched.refresh_token == "tok_abc"
async def test_create_api_token(session):
user = User(email="grace@example.com")
session.add(user)
await session.flush()
token = ApiToken(token_hash="sha256_fake_hash", user_id=user.id)
session.add(token)
await session.flush()
fetched = (await session.execute(select(ApiToken).where(ApiToken.user_id == user.id))).scalar_one()
assert fetched.token_hash == "sha256_fake_hash"
assert fetched.expires_at is None
async def test_create_connectivity_check(session):
check = ConnectivityCheck(url="https://example.com", response_code=200)
session.add(check)
await session.flush()
fetched = (await session.execute(select(ConnectivityCheck).where(ConnectivityCheck.id == check.id))).scalar_one()
assert fetched.response_code == 200
async def test_configuration_defaults(session):
config = Configuration()
session.add(config)
await session.flush()
fetched = (await session.execute(select(Configuration).where(Configuration.id == config.id))).scalar_one()
assert fetched.allow_unprivileged_device_management is True
assert fetched.local_auth_enabled is True
assert fetched.default_client_mtu == 1280
assert fetched.default_client_persistent_keepalive == 25
assert fetched.default_client_dns == ["1.1.1.1", "1.0.0.1"]
assert fetched.default_client_allowed_ips == ["0.0.0.0/0", "::/0"]
assert fetched.vpn_session_duration == 0
assert fetched.openid_connect_providers == []
assert fetched.saml_identity_providers == []

89
tests/test_notifications.py
View file

@ -1,89 +0,0 @@
"""Tests for the notification service."""
from wiregui.services import notifications
def setup_function():
"""Clear notifications before each test."""
notifications.clear_all()
def test_add_notification():
n = notifications.add("info", "Test message")
assert n.severity == "info"
assert n.message == "Test message"
assert n.user is None
assert n.id is not None
assert n.timestamp is not None
def test_add_notification_with_user():
n = notifications.add("error", "Something broke", user="admin@example.com")
assert n.user == "admin@example.com"
assert n.severity == "error"
def test_current_returns_newest_first():
notifications.add("info", "First")
notifications.add("warning", "Second")
notifications.add("error", "Third")
current = notifications.current()
assert len(current) == 3
assert current[0].message == "Third"
assert current[1].message == "Second"
assert current[2].message == "First"
def test_count():
assert notifications.count() == 0
notifications.add("info", "One")
notifications.add("info", "Two")
assert notifications.count() == 2
def test_clear_specific():
n1 = notifications.add("info", "Keep this")
n2 = notifications.add("error", "Remove this")
notifications.clear(n2.id)
current = notifications.current()
assert len(current) == 1
assert current[0].id == n1.id
def test_clear_nonexistent_id_is_noop():
notifications.add("info", "Test")
notifications.clear("nonexistent-id")
assert notifications.count() == 1
def test_clear_all():
notifications.add("info", "One")
notifications.add("info", "Two")
notifications.add("info", "Three")
assert notifications.count() == 3
notifications.clear_all()
assert notifications.count() == 0
assert notifications.current() == []
def test_to_dict():
n = notifications.add("warning", "Test dict", user="someone@example.com")
d = n.to_dict()
assert d["severity"] == "warning"
assert d["message"] == "Test dict"
assert d["user"] == "someone@example.com"
assert "id" in d
assert "timestamp" in d
def test_max_notifications():
"""Deque should cap at MAX_NOTIFICATIONS."""
for i in range(notifications.MAX_NOTIFICATIONS + 10):
notifications.add("info", f"Notification {i}")
assert notifications.count() == notifications.MAX_NOTIFICATIONS
# Newest should be the last one added
assert notifications.current()[0].message == f"Notification {notifications.MAX_NOTIFICATIONS + 9}"

60
tests/test_server_key.py Normal file
View file

@ -0,0 +1,60 @@
"""Tests for server public key retrieval from Configuration table."""
import pytest
from wiregui.models.configuration import Configuration
from wiregui.utils.server_key import get_server_public_key
async def test_get_server_public_key_returns_key(session, monkeypatch):
"""Returns the public key when configured."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.utils.server_key.async_session", mock_session)
c = Configuration(server_public_key="TestServerPubKey123456789012345678901234w=")
session.add(c)
await session.flush()
result = await get_server_public_key()
assert result == "TestServerPubKey123456789012345678901234w="
async def test_get_server_public_key_raises_when_missing(session, monkeypatch):
"""Raises RuntimeError when server_public_key is None."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.utils.server_key.async_session", mock_session)
c = Configuration(server_public_key=None)
session.add(c)
await session.flush()
with pytest.raises(RuntimeError, match="not configured"):
await get_server_public_key()
async def test_get_server_public_key_raises_when_empty_string(session, monkeypatch):
"""Raises RuntimeError when server_public_key is empty string."""
from contextlib import asynccontextmanager
@asynccontextmanager
async def mock_session():
yield session
monkeypatch.setattr("wiregui.utils.server_key.async_session", mock_session)
c = Configuration(server_public_key="")
session.add(c)
await session.flush()
with pytest.raises(RuntimeError, match="not configured"):
await get_server_public_key()

49
tests/test_services.py
View file

@ -1,4 +1,4 @@
"""Tests for services — WireGuard and events.""" """Tests for services — WireGuard event error handling and rule events."""
from unittest.mock import AsyncMock, patch from unittest.mock import AsyncMock, patch
@ -20,53 +20,6 @@ def _make_device(**kwargs) -> Device:
return Device(**defaults) return Device(**defaults)
# --- Events (with WG enabled) ---
@patch("wiregui.services.events.get_settings")
@patch("wiregui.services.events.firewall")
@patch("wiregui.services.events.wireguard")
async def test_on_device_created_calls_add_peer(mock_wg, mock_fw, mock_settings):
mock_settings.return_value.wg_enabled = True
mock_wg.add_peer = AsyncMock()
mock_fw.add_user_chain = AsyncMock()
mock_fw.add_device_jump_rule = AsyncMock()
device = _make_device()
await on_device_created(device)
mock_wg.add_peer.assert_awaited_once_with(
public_key="pk-test",
allowed_ips=["10.3.2.5/32", "fd00::3:2:5/128"],
preshared_key="psk-test",
)
mock_fw.add_device_jump_rule.assert_awaited_once()
@patch("wiregui.services.events.get_settings")
@patch("wiregui.services.events.wireguard")
async def test_on_device_deleted_calls_remove_peer(mock_wg, mock_settings):
mock_settings.return_value.wg_enabled = True
mock_wg.remove_peer = AsyncMock()
device = _make_device()
await on_device_deleted(device)
mock_wg.remove_peer.assert_awaited_once_with(public_key="pk-test")
@patch("wiregui.services.events.get_settings")
@patch("wiregui.services.events.wireguard")
async def test_on_device_updated_calls_add_peer(mock_wg, mock_settings):
mock_settings.return_value.wg_enabled = True
mock_wg.add_peer = AsyncMock()
device = _make_device()
await on_device_updated(device)
mock_wg.add_peer.assert_awaited_once()
# --- Events (WG disabled) --- # --- Events (WG disabled) ---

3
tests/test_services_extended.py
View file

@ -128,8 +128,9 @@ async def test_apply_rule(mock_batch):
assert any("10.0.0.0/8" in c and "accept" in c and "tcp dport 80-443" in c for c in cmds) assert any("10.0.0.0/8" in c and "accept" in c and "tcp dport 80-443" in c for c in cmds)
@patch("wiregui.services.firewall._list_user_chains", new_callable=AsyncMock, return_value=set())
@patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock) @patch("wiregui.services.firewall._nft_batch", new_callable=AsyncMock)
async def test_rebuild_all_rules(mock_batch): async def test_rebuild_all_rules(mock_batch, mock_list):
from wiregui.services.firewall import rebuild_all_rules from wiregui.services.firewall import rebuild_all_rules
await rebuild_all_rules([ await rebuild_all_rules([
{ {

114
tests/test_wireguard_extended.py Normal file
View file

@ -0,0 +1,114 @@
"""Tests for WireGuard service — ensure_interface, set_private_key, set_listen_port, configure_interface."""
from unittest.mock import AsyncMock, patch, call
from wiregui.services.wireguard import (
ensure_interface,
set_private_key,
set_listen_port,
configure_interface,
)
# ========== ensure_interface ==========
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
async def test_ensure_interface_already_exists(mock_run):
"""If interface exists (ip link show succeeds), do nothing."""
mock_run.return_value = ""
await ensure_interface(iface="wg-test")
# Only called once for ip link show
mock_run.assert_awaited_once_with(["ip", "link", "show", "wg-test"])
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
async def test_ensure_interface_creates_new(mock_run):
"""If interface doesn't exist, create it, assign IPs, bring up."""
call_count = 0
async def side_effect(args, input_data=None):
nonlocal call_count
call_count += 1
if call_count == 1 and args == ["ip", "link", "show", "wg-test"]:
raise RuntimeError("Device not found")
return ""
mock_run.side_effect = side_effect
await ensure_interface(iface="wg-test")
# Should have called: ip link show (fails), ip link add, ip addr add x2, ip link set up
assert mock_run.await_count == 5
calls = [c[0][0] for c in mock_run.call_args_list]
assert calls[1] == ["ip", "link", "add", "wg-test", "type", "wireguard"]
assert calls[2][0:3] == ["ip", "address", "add"]
assert calls[3][0:3] == ["ip", "address", "add"]
assert calls[4] == ["ip", "link", "set", "wg-test", "up"]
# ========== set_private_key ==========
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
async def test_set_private_key(mock_run):
"""set_private_key calls wg set with private-key path."""
mock_run.return_value = ""
await set_private_key("/tmp/test.key", iface="wg-test")
mock_run.assert_awaited_once_with(["wg", "set", "wg-test", "private-key", "/tmp/test.key"])
# ========== set_listen_port ==========
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
async def test_set_listen_port(mock_run):
"""set_listen_port calls wg set with listen-port."""
mock_run.return_value = ""
await set_listen_port(51820, iface="wg-test")
mock_run.assert_awaited_once_with(["wg", "set", "wg-test", "listen-port", "51820"])
# ========== configure_interface ==========
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
@patch("wiregui.db.async_session")
async def test_configure_interface_no_config(mock_session_cls, mock_run):
"""If no Configuration row exists, do not call wg set."""
from unittest.mock import MagicMock
mock_session = AsyncMock()
mock_result = MagicMock()
mock_result.scalar_one_or_none.return_value = None
mock_session.execute.return_value = mock_result
mock_session_cls.return_value.__aenter__ = AsyncMock(return_value=mock_session)
mock_session_cls.return_value.__aexit__ = AsyncMock(return_value=False)
await configure_interface(iface="wg-test")
mock_run.assert_not_awaited()
@patch("wiregui.services.wireguard._run", new_callable=AsyncMock)
@patch("wiregui.db.async_session")
async def test_configure_interface_sets_key_and_port(mock_session_cls, mock_run):
"""With valid config, writes key to temp file and calls wg set."""
from unittest.mock import MagicMock
mock_config = MagicMock()
mock_config.server_private_key = "test-private-key-value"
mock_session = AsyncMock()
mock_result = MagicMock()
mock_result.scalar_one_or_none.return_value = mock_config
mock_session.execute.return_value = mock_result
mock_session_cls.return_value.__aenter__ = AsyncMock(return_value=mock_session)
mock_session_cls.return_value.__aexit__ = AsyncMock(return_value=False)
mock_run.return_value = ""
await configure_interface(iface="wg-test")
mock_run.assert_awaited_once()
args = mock_run.call_args[0][0]
assert args[0:3] == ["wg", "set", "wg-test"]
assert "private-key" in args
assert "listen-port" in args

318
uv.lock generated
View file

@ -358,16 +358,85 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/ae/3a/dbeec9d1ee0844c679f6bb5d6ad4e9f198b1224f4e7a32825f47f6192b0c/cffi-2.0.0-cp314-cp314t-win_arm64.whl", hash = "sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9", size = 184195, upload-time = "2025-09-08T23:23:43.004Z" }, { url = "https://files.pythonhosted.org/packages/ae/3a/dbeec9d1ee0844c679f6bb5d6ad4e9f198b1224f4e7a32825f47f6192b0c/cffi-2.0.0-cp314-cp314t-win_arm64.whl", hash = "sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9", size = 184195, upload-time = "2025-09-08T23:23:43.004Z" },
] ]
[[package]]
name = "charset-normalizer"
version = "3.4.6"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/7b/60/e3bec1881450851b087e301bedc3daa9377a4d45f1c26aa90b0b235e38aa/charset_normalizer-3.4.6.tar.gz", hash = "sha256:1ae6b62897110aa7c79ea2f5dd38d1abca6db663687c0b1ad9aed6f6bae3d9d6", size = 143363, upload-time = "2026-03-15T18:53:25.478Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/1e/1d/4fdabeef4e231153b6ed7567602f3b68265ec4e5b76d6024cf647d43d981/charset_normalizer-3.4.6-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:11afb56037cbc4b1555a34dd69151e8e069bee82e613a73bef6e714ce733585f", size = 294823, upload-time = "2026-03-15T18:51:15.755Z" },
{ url = "https://files.pythonhosted.org/packages/47/7b/20e809b89c69d37be748d98e84dce6820bf663cf19cf6b942c951a3e8f41/charset_normalizer-3.4.6-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:423fb7e748a08f854a08a222b983f4df1912b1daedce51a72bd24fe8f26a1843", size = 198527, upload-time = "2026-03-15T18:51:17.177Z" },
{ url = "https://files.pythonhosted.org/packages/37/a6/4f8d27527d59c039dce6f7622593cdcd3d70a8504d87d09eb11e9fdc6062/charset_normalizer-3.4.6-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:d73beaac5e90173ac3deb9928a74763a6d230f494e4bfb422c217a0ad8e629bf", size = 218388, upload-time = "2026-03-15T18:51:18.934Z" },
{ url = "https://files.pythonhosted.org/packages/f6/9b/4770ccb3e491a9bacf1c46cc8b812214fe367c86a96353ccc6daf87b01ec/charset_normalizer-3.4.6-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d60377dce4511655582e300dc1e5a5f24ba0cb229005a1d5c8d0cb72bb758ab8", size = 214563, upload-time = "2026-03-15T18:51:20.374Z" },
{ url = "https://files.pythonhosted.org/packages/2b/58/a199d245894b12db0b957d627516c78e055adc3a0d978bc7f65ddaf7c399/charset_normalizer-3.4.6-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:530e8cebeea0d76bdcf93357aa5e41336f48c3dc709ac52da2bb167c5b8271d9", size = 206587, upload-time = "2026-03-15T18:51:21.807Z" },
{ url = "https://files.pythonhosted.org/packages/7e/70/3def227f1ec56f5c69dfc8392b8bd63b11a18ca8178d9211d7cc5e5e4f27/charset_normalizer-3.4.6-cp313-cp313-manylinux_2_31_armv7l.whl", hash = "sha256:a26611d9987b230566f24a0a125f17fe0de6a6aff9f25c9f564aaa2721a5fb88", size = 194724, upload-time = "2026-03-15T18:51:23.508Z" },
{ url = "https://files.pythonhosted.org/packages/58/ab/9318352e220c05efd31c2779a23b50969dc94b985a2efa643ed9077bfca5/charset_normalizer-3.4.6-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:34315ff4fc374b285ad7f4a0bf7dcbfe769e1b104230d40f49f700d4ab6bbd84", size = 202956, upload-time = "2026-03-15T18:51:25.239Z" },
{ url = "https://files.pythonhosted.org/packages/75/13/f3550a3ac25b70f87ac98c40d3199a8503676c2f1620efbf8d42095cfc40/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:5f8ddd609f9e1af8c7bd6e2aca279c931aefecd148a14402d4e368f3171769fd", size = 201923, upload-time = "2026-03-15T18:51:26.682Z" },
{ url = "https://files.pythonhosted.org/packages/1b/db/c5c643b912740b45e8eec21de1bbab8e7fc085944d37e1e709d3dcd9d72f/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:80d0a5615143c0b3225e5e3ef22c8d5d51f3f72ce0ea6fb84c943546c7b25b6c", size = 195366, upload-time = "2026-03-15T18:51:28.129Z" },
{ url = "https://files.pythonhosted.org/packages/5a/67/3b1c62744f9b2448443e0eb160d8b001c849ec3fef591e012eda6484787c/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:92734d4d8d187a354a556626c221cd1a892a4e0802ccb2af432a1d85ec012194", size = 219752, upload-time = "2026-03-15T18:51:29.556Z" },
{ url = "https://files.pythonhosted.org/packages/f6/98/32ffbaf7f0366ffb0445930b87d103f6b406bc2c271563644bde8a2b1093/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:613f19aa6e082cf96e17e3ffd89383343d0d589abda756b7764cf78361fd41dc", size = 203296, upload-time = "2026-03-15T18:51:30.921Z" },
{ url = "https://files.pythonhosted.org/packages/41/12/5d308c1bbe60cabb0c5ef511574a647067e2a1f631bc8634fcafaccd8293/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:2b1a63e8224e401cafe7739f77efd3f9e7f5f2026bda4aead8e59afab537784f", size = 215956, upload-time = "2026-03-15T18:51:32.399Z" },
{ url = "https://files.pythonhosted.org/packages/53/e9/5f85f6c5e20669dbe56b165c67b0260547dea97dba7e187938833d791687/charset_normalizer-3.4.6-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6cceb5473417d28edd20c6c984ab6fee6c6267d38d906823ebfe20b03d607dc2", size = 208652, upload-time = "2026-03-15T18:51:34.214Z" },
{ url = "https://files.pythonhosted.org/packages/f1/11/897052ea6af56df3eef3ca94edafee410ca699ca0c7b87960ad19932c55e/charset_normalizer-3.4.6-cp313-cp313-win32.whl", hash = "sha256:d7de2637729c67d67cf87614b566626057e95c303bc0a55ffe391f5205e7003d", size = 143940, upload-time = "2026-03-15T18:51:36.15Z" },
{ url = "https://files.pythonhosted.org/packages/a1/5c/724b6b363603e419829f561c854b87ed7c7e31231a7908708ac086cdf3e2/charset_normalizer-3.4.6-cp313-cp313-win_amd64.whl", hash = "sha256:572d7c822caf521f0525ba1bce1a622a0b85cf47ffbdae6c9c19e3b5ac3c4389", size = 154101, upload-time = "2026-03-15T18:51:37.876Z" },
{ url = "https://files.pythonhosted.org/packages/01/a5/7abf15b4c0968e47020f9ca0935fb3274deb87cb288cd187cad92e8cdffd/charset_normalizer-3.4.6-cp313-cp313-win_arm64.whl", hash = "sha256:a4474d924a47185a06411e0064b803c68be044be2d60e50e8bddcc2649957c1f", size = 143109, upload-time = "2026-03-15T18:51:39.565Z" },
{ url = "https://files.pythonhosted.org/packages/25/6f/ffe1e1259f384594063ea1869bfb6be5cdb8bc81020fc36c3636bc8302a1/charset_normalizer-3.4.6-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:9cc6e6d9e571d2f863fa77700701dae73ed5f78881efc8b3f9a4398772ff53e8", size = 294458, upload-time = "2026-03-15T18:51:41.134Z" },
{ url = "https://files.pythonhosted.org/packages/56/60/09bb6c13a8c1016c2ed5c6a6488e4ffef506461aa5161662bd7636936fb1/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ef5960d965e67165d75b7c7ffc60a83ec5abfc5c11b764ec13ea54fbef8b4421", size = 199277, upload-time = "2026-03-15T18:51:42.953Z" },
{ url = "https://files.pythonhosted.org/packages/00/50/dcfbb72a5138bbefdc3332e8d81a23494bf67998b4b100703fd15fa52d81/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:b3694e3f87f8ac7ce279d4355645b3c878d24d1424581b46282f24b92f5a4ae2", size = 218758, upload-time = "2026-03-15T18:51:44.339Z" },
{ url = "https://files.pythonhosted.org/packages/03/b3/d79a9a191bb75f5aa81f3aaaa387ef29ce7cb7a9e5074ba8ea095cc073c2/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5d11595abf8dd942a77883a39d81433739b287b6aa71620f15164f8096221b30", size = 215299, upload-time = "2026-03-15T18:51:45.871Z" },
{ url = "https://files.pythonhosted.org/packages/76/7e/bc8911719f7084f72fd545f647601ea3532363927f807d296a8c88a62c0d/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:7bda6eebafd42133efdca535b04ccb338ab29467b3f7bf79569883676fc628db", size = 206811, upload-time = "2026-03-15T18:51:47.308Z" },
{ url = "https://files.pythonhosted.org/packages/e2/40/c430b969d41dda0c465aa36cc7c2c068afb67177bef50905ac371b28ccc7/charset_normalizer-3.4.6-cp314-cp314-manylinux_2_31_armv7l.whl", hash = "sha256:bbc8c8650c6e51041ad1be191742b8b421d05bbd3410f43fa2a00c8db87678e8", size = 193706, upload-time = "2026-03-15T18:51:48.849Z" },
{ url = "https://files.pythonhosted.org/packages/48/15/e35e0590af254f7df984de1323640ef375df5761f615b6225ba8deb9799a/charset_normalizer-3.4.6-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:22c6f0c2fbc31e76c3b8a86fba1a56eda6166e238c29cdd3d14befdb4a4e4815", size = 202706, upload-time = "2026-03-15T18:51:50.257Z" },
{ url = "https://files.pythonhosted.org/packages/5e/bd/f736f7b9cc5e93a18b794a50346bb16fbfd6b37f99e8f306f7951d27c17c/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7edbed096e4a4798710ed6bc75dcaa2a21b68b6c356553ac4823c3658d53743a", size = 202497, upload-time = "2026-03-15T18:51:52.012Z" },
{ url = "https://files.pythonhosted.org/packages/9d/ba/2cc9e3e7dfdf7760a6ed8da7446d22536f3d0ce114ac63dee2a5a3599e62/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:7f9019c9cb613f084481bd6a100b12e1547cf2efe362d873c2e31e4035a6fa43", size = 193511, upload-time = "2026-03-15T18:51:53.723Z" },
{ url = "https://files.pythonhosted.org/packages/9e/cb/5be49b5f776e5613be07298c80e1b02a2d900f7a7de807230595c85a8b2e/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:58c948d0d086229efc484fe2f30c2d382c86720f55cd9bc33591774348ad44e0", size = 220133, upload-time = "2026-03-15T18:51:55.333Z" },
{ url = "https://files.pythonhosted.org/packages/83/43/99f1b5dad345accb322c80c7821071554f791a95ee50c1c90041c157ae99/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:419a9d91bd238052642a51938af8ac05da5b3343becde08d5cdeab9046df9ee1", size = 203035, upload-time = "2026-03-15T18:51:56.736Z" },
{ url = "https://files.pythonhosted.org/packages/87/9a/62c2cb6a531483b55dddff1a68b3d891a8b498f3ca555fbcf2978e804d9d/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:5273b9f0b5835ff0350c0828faea623c68bfa65b792720c453e22b25cc72930f", size = 216321, upload-time = "2026-03-15T18:51:58.17Z" },
{ url = "https://files.pythonhosted.org/packages/6e/79/94a010ff81e3aec7c293eb82c28f930918e517bc144c9906a060844462eb/charset_normalizer-3.4.6-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:0e901eb1049fdb80f5bd11ed5ea1e498ec423102f7a9b9e4645d5b8204ff2815", size = 208973, upload-time = "2026-03-15T18:51:59.998Z" },
{ url = "https://files.pythonhosted.org/packages/2a/57/4ecff6d4ec8585342f0c71bc03efaa99cb7468f7c91a57b105bcd561cea8/charset_normalizer-3.4.6-cp314-cp314-win32.whl", hash = "sha256:b4ff1d35e8c5bd078be89349b6f3a845128e685e751b6ea1169cf2160b344c4d", size = 144610, upload-time = "2026-03-15T18:52:02.213Z" },
{ url = "https://files.pythonhosted.org/packages/80/94/8434a02d9d7f168c25767c64671fead8d599744a05d6a6c877144c754246/charset_normalizer-3.4.6-cp314-cp314-win_amd64.whl", hash = "sha256:74119174722c4349af9708993118581686f343adc1c8c9c007d59be90d077f3f", size = 154962, upload-time = "2026-03-15T18:52:03.658Z" },
{ url = "https://files.pythonhosted.org/packages/46/4c/48f2cdbfd923026503dfd67ccea45c94fd8fe988d9056b468579c66ed62b/charset_normalizer-3.4.6-cp314-cp314-win_arm64.whl", hash = "sha256:e5bcc1a1ae744e0bb59641171ae53743760130600da8db48cbb6e4918e186e4e", size = 143595, upload-time = "2026-03-15T18:52:05.123Z" },
{ url = "https://files.pythonhosted.org/packages/31/93/8878be7569f87b14f1d52032946131bcb6ebbd8af3e20446bc04053dc3f1/charset_normalizer-3.4.6-cp314-cp314t-macosx_10_15_universal2.whl", hash = "sha256:ad8faf8df23f0378c6d527d8b0b15ea4a2e23c89376877c598c4870d1b2c7866", size = 314828, upload-time = "2026-03-15T18:52:06.831Z" },
{ url = "https://files.pythonhosted.org/packages/06/b6/fae511ca98aac69ecc35cde828b0a3d146325dd03d99655ad38fc2cc3293/charset_normalizer-3.4.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f5ea69428fa1b49573eef0cc44a1d43bebd45ad0c611eb7d7eac760c7ae771bc", size = 208138, upload-time = "2026-03-15T18:52:08.239Z" },
{ url = "https://files.pythonhosted.org/packages/54/57/64caf6e1bf07274a1e0b7c160a55ee9e8c9ec32c46846ce59b9c333f7008/charset_normalizer-3.4.6-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:06a7e86163334edfc5d20fe104db92fcd666e5a5df0977cb5680a506fe26cc8e", size = 224679, upload-time = "2026-03-15T18:52:10.043Z" },
{ url = "https://files.pythonhosted.org/packages/aa/cb/9ff5a25b9273ef160861b41f6937f86fae18b0792fe0a8e75e06acb08f1d/charset_normalizer-3.4.6-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:e1f6e2f00a6b8edb562826e4632e26d063ac10307e80f7461f7de3ad8ef3f077", size = 223475, upload-time = "2026-03-15T18:52:11.854Z" },
{ url = "https://files.pythonhosted.org/packages/fc/97/440635fc093b8d7347502a377031f9605a1039c958f3cd18dcacffb37743/charset_normalizer-3.4.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:95b52c68d64c1878818687a473a10547b3292e82b6f6fe483808fb1468e2f52f", size = 215230, upload-time = "2026-03-15T18:52:13.325Z" },
{ url = "https://files.pythonhosted.org/packages/cd/24/afff630feb571a13f07c8539fbb502d2ab494019492aaffc78ef41f1d1d0/charset_normalizer-3.4.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:7504e9b7dc05f99a9bbb4525c67a2c155073b44d720470a148b34166a69c054e", size = 199045, upload-time = "2026-03-15T18:52:14.752Z" },
{ url = "https://files.pythonhosted.org/packages/e5/17/d1399ecdaf7e0498c327433e7eefdd862b41236a7e484355b8e0e5ebd64b/charset_normalizer-3.4.6-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:172985e4ff804a7ad08eebec0a1640ece87ba5041d565fff23c8f99c1f389484", size = 211658, upload-time = "2026-03-15T18:52:16.278Z" },
{ url = "https://files.pythonhosted.org/packages/b5/38/16baa0affb957b3d880e5ac2144caf3f9d7de7bc4a91842e447fbb5e8b67/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:4be9f4830ba8741527693848403e2c457c16e499100963ec711b1c6f2049b7c7", size = 210769, upload-time = "2026-03-15T18:52:17.782Z" },
{ url = "https://files.pythonhosted.org/packages/05/34/c531bc6ac4c21da9ddfddb3107be2287188b3ea4b53b70fc58f2a77ac8d8/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_armv7l.whl", hash = "sha256:79090741d842f564b1b2827c0b82d846405b744d31e84f18d7a7b41c20e473ff", size = 201328, upload-time = "2026-03-15T18:52:19.553Z" },
{ url = "https://files.pythonhosted.org/packages/fa/73/a5a1e9ca5f234519c1953608a03fe109c306b97fdfb25f09182babad51a7/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:87725cfb1a4f1f8c2fc9890ae2f42094120f4b44db9360be5d99a4c6b0e03a9e", size = 225302, upload-time = "2026-03-15T18:52:21.043Z" },
{ url = "https://files.pythonhosted.org/packages/ba/f6/cd782923d112d296294dea4bcc7af5a7ae0f86ab79f8fefbda5526b6cfc0/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:fcce033e4021347d80ed9c66dcf1e7b1546319834b74445f561d2e2221de5659", size = 211127, upload-time = "2026-03-15T18:52:22.491Z" },
{ url = "https://files.pythonhosted.org/packages/0e/c5/0b6898950627af7d6103a449b22320372c24c6feda91aa24e201a478d161/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_s390x.whl", hash = "sha256:ca0276464d148c72defa8bb4390cce01b4a0e425f3b50d1435aa6d7a18107602", size = 222840, upload-time = "2026-03-15T18:52:24.113Z" },
{ url = "https://files.pythonhosted.org/packages/7d/25/c4bba773bef442cbdc06111d40daa3de5050a676fa26e85090fc54dd12f0/charset_normalizer-3.4.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:197c1a244a274bb016dd8b79204850144ef77fe81c5b797dc389327adb552407", size = 216890, upload-time = "2026-03-15T18:52:25.541Z" },
{ url = "https://files.pythonhosted.org/packages/35/1a/05dacadb0978da72ee287b0143097db12f2e7e8d3ffc4647da07a383b0b7/charset_normalizer-3.4.6-cp314-cp314t-win32.whl", hash = "sha256:2a24157fa36980478dd1770b585c0f30d19e18f4fb0c47c13aa568f871718579", size = 155379, upload-time = "2026-03-15T18:52:27.05Z" },
{ url = "https://files.pythonhosted.org/packages/5d/7a/d269d834cb3a76291651256f3b9a5945e81d0a49ab9f4a498964e83c0416/charset_normalizer-3.4.6-cp314-cp314t-win_amd64.whl", hash = "sha256:cd5e2801c89992ed8c0a3f0293ae83c159a60d9a5d685005383ef4caca77f2c4", size = 169043, upload-time = "2026-03-15T18:52:28.502Z" },
{ url = "https://files.pythonhosted.org/packages/23/06/28b29fba521a37a8932c6a84192175c34d49f84a6d4773fa63d05f9aff22/charset_normalizer-3.4.6-cp314-cp314t-win_arm64.whl", hash = "sha256:47955475ac79cc504ef2704b192364e51d0d473ad452caedd0002605f780101c", size = 148523, upload-time = "2026-03-15T18:52:29.956Z" },
{ url = "https://files.pythonhosted.org/packages/2a/68/687187c7e26cb24ccbd88e5069f5ef00eba804d36dde11d99aad0838ab45/charset_normalizer-3.4.6-py3-none-any.whl", hash = "sha256:947cf925bc916d90adba35a64c82aace04fa39b46b52d4630ece166655905a69", size = 61455, upload-time = "2026-03-15T18:53:23.833Z" },
]
[[package]] [[package]]
name = "click" name = "click"
version = "8.3.1" version = "8.1.8"
source = { registry = "https://pypi.org/simple" } source = { registry = "https://pypi.org/simple" }
dependencies = [ dependencies = [
{ name = "colorama", marker = "sys_platform == 'win32'" }, { name = "colorama", marker = "sys_platform == 'win32'" },
] ]
sdist = { url = "https://files.pythonhosted.org/packages/3d/fa/656b739db8587d7b5dfa22e22ed02566950fbfbcdc20311993483657a5c0/click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a", size = 295065, upload-time = "2025-11-15T20:45:42.706Z" } sdist = { url = "https://files.pythonhosted.org/packages/b9/2e/0090cbf739cee7d23781ad4b89a9894a41538e4fcf4c31dcdd705b78eb8b/click-8.1.8.tar.gz", hash = "sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a", size = 226593, upload-time = "2024-12-21T18:38:44.339Z" }
wheels = [ wheels = [
{ url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" }, { url = "https://files.pythonhosted.org/packages/7e/d4/7ebdbd03970677812aac39c869717059dbb71a4cfc033ca6e5221787892c/click-8.1.8-py3-none-any.whl", hash = "sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2", size = 98188, upload-time = "2024-12-21T18:38:41.666Z" },
]
[[package]]
name = "click-option-group"
version = "0.5.9"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "click" },
]
sdist = { url = "https://files.pythonhosted.org/packages/ef/ff/d291d66595b30b83d1cb9e314b2c9be7cfc7327d4a0d40a15da2416ea97b/click_option_group-0.5.9.tar.gz", hash = "sha256:f94ed2bc4cf69052e0f29592bd1e771a1789bd7bfc482dd0bc482134aff95823", size = 22222, upload-time = "2025-10-09T09:38:01.474Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/75/45/54bb2d8d4138964a94bef6e9afe48b0be4705ba66ac442ae7d8a8dc4ffef/click_option_group-0.5.9-py3-none-any.whl", hash = "sha256:ad2599248bd373e2e19bec5407967c3eec1d0d4fc4a5e77b08a0481e75991080", size = 11553, upload-time = "2025-10-09T09:38:00.066Z" },
] ]
[[package]] [[package]]
@ -501,6 +570,18 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/1b/82/ca4893968aeb2709aacfb57a30dec6fa2ab25b10fa9f064b8882ce33f599/cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f", size = 3471160, upload-time = "2026-03-25T23:34:37.191Z" }, { url = "https://files.pythonhosted.org/packages/1b/82/ca4893968aeb2709aacfb57a30dec6fa2ab25b10fa9f064b8882ce33f599/cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f", size = 3471160, upload-time = "2026-03-25T23:34:37.191Z" },
] ]
[[package]]
name = "deprecated"
version = "1.3.1"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "wrapt" },
]
sdist = { url = "https://files.pythonhosted.org/packages/49/85/12f0a49a7c4ffb70572b6c2ef13c90c88fd190debda93b23f026b25f9634/deprecated-1.3.1.tar.gz", hash = "sha256:b1b50e0ff0c1fddaa5708a2c6b0a6588bb09b892825ab2b214ac9ea9d92a5223", size = 2932523, upload-time = "2025-10-30T08:19:02.757Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/84/d0/205d54408c08b13550c733c4b85429e7ead111c7f0014309637425520a9a/deprecated-1.3.1-py2.py3-none-any.whl", hash = "sha256:597bfef186b6f60181535a29fbe44865ce137a5079f295b479886c82729d5f3f", size = 11298, upload-time = "2025-10-30T08:19:00.758Z" },
]
[[package]] [[package]]
name = "docutils" name = "docutils"
version = "0.22.4" version = "0.22.4"
@ -510,6 +591,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/02/10/5da547df7a391dcde17f59520a231527b8571e6f46fc8efb02ccb370ab12/docutils-0.22.4-py3-none-any.whl", hash = "sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de", size = 633196, upload-time = "2025-12-18T19:00:18.077Z" }, { url = "https://files.pythonhosted.org/packages/02/10/5da547df7a391dcde17f59520a231527b8571e6f46fc8efb02ccb370ab12/docutils-0.22.4-py3-none-any.whl", hash = "sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de", size = 633196, upload-time = "2025-12-18T19:00:18.077Z" },
] ]
[[package]]
name = "dotty-dict"
version = "1.3.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/6a/ab/88d67f02024700b48cd8232579ad1316aa9df2272c63049c27cc094229d6/dotty_dict-1.3.1.tar.gz", hash = "sha256:4b016e03b8ae265539757a53eba24b9bfda506fb94fbce0bee843c6f05541a15", size = 7699, upload-time = "2022-07-09T18:50:57.727Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/1a/91/e0d457ee03ec33d79ee2cd8d212debb1bc21dfb99728ae35efdb5832dc22/dotty_dict-1.3.1-py3-none-any.whl", hash = "sha256:5022d234d9922f13aa711b4950372a06a6d64cb6d6db9ba43d0ba133ebfce31f", size = 7014, upload-time = "2022-07-09T18:50:55.058Z" },
]
[[package]] [[package]]
name = "ecdsa" name = "ecdsa"
version = "0.19.2" version = "0.19.2"
@ -611,6 +701,30 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/9a/9a/e35b4a917281c0b8419d4207f4334c8e8c5dbf4f3f5f9ada73958d937dcc/frozenlist-1.8.0-py3-none-any.whl", hash = "sha256:0c18a16eab41e82c295618a77502e17b195883241c563b00f0aa5106fc4eaa0d", size = 13409, upload-time = "2025-10-06T05:38:16.721Z" }, { url = "https://files.pythonhosted.org/packages/9a/9a/e35b4a917281c0b8419d4207f4334c8e8c5dbf4f3f5f9ada73958d937dcc/frozenlist-1.8.0-py3-none-any.whl", hash = "sha256:0c18a16eab41e82c295618a77502e17b195883241c563b00f0aa5106fc4eaa0d", size = 13409, upload-time = "2025-10-06T05:38:16.721Z" },
] ]
[[package]]
name = "gitdb"
version = "4.0.12"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "smmap" },
]
sdist = { url = "https://files.pythonhosted.org/packages/72/94/63b0fc47eb32792c7ba1fe1b694daec9a63620db1e313033d18140c2320a/gitdb-4.0.12.tar.gz", hash = "sha256:5ef71f855d191a3326fcfbc0d5da835f26b13fbcba60c32c21091c349ffdb571", size = 394684, upload-time = "2025-01-02T07:20:46.413Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/a0/61/5c78b91c3143ed5c14207f463aecfc8f9dbb5092fb2869baf37c273b2705/gitdb-4.0.12-py3-none-any.whl", hash = "sha256:67073e15955400952c6565cc3e707c554a4eea2e428946f7a4c162fab9bd9bcf", size = 62794, upload-time = "2025-01-02T07:20:43.624Z" },
]
[[package]]
name = "gitpython"
version = "3.1.46"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "gitdb" },
]
sdist = { url = "https://files.pythonhosted.org/packages/df/b5/59d16470a1f0dfe8c793f9ef56fd3826093fc52b3bd96d6b9d6c26c7e27b/gitpython-3.1.46.tar.gz", hash = "sha256:400124c7d0ef4ea03f7310ac2fbf7151e09ff97f2a3288d64a440c584a29c37f", size = 215371, upload-time = "2026-01-01T15:37:32.073Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/6a/09/e21df6aef1e1ffc0c816f0522ddc3f6dcded766c3261813131c78a704470/gitpython-3.1.46-py3-none-any.whl", hash = "sha256:79812ed143d9d25b6d176a10bb511de0f9c67b1fa641d82097b0ab90398a2058", size = 208620, upload-time = "2026-01-01T15:37:30.574Z" },
]
[[package]] [[package]]
name = "greenlet" name = "greenlet"
version = "3.3.2" version = "3.3.2"
@ -722,6 +836,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/9c/1f/19ebc343cc71a7ffa78f17018535adc5cbdd87afb31d7c34874680148b32/ifaddr-0.2.0-py3-none-any.whl", hash = "sha256:085e0305cfe6f16ab12d72e2024030f5d52674afad6911bb1eee207177b8a748", size = 12314, upload-time = "2022-06-15T21:40:25.756Z" }, { url = "https://files.pythonhosted.org/packages/9c/1f/19ebc343cc71a7ffa78f17018535adc5cbdd87afb31d7c34874680148b32/ifaddr-0.2.0-py3-none-any.whl", hash = "sha256:085e0305cfe6f16ab12d72e2024030f5d52674afad6911bb1eee207177b8a748", size = 12314, upload-time = "2022-06-15T21:40:25.756Z" },
] ]
[[package]]
name = "importlib-resources"
version = "6.5.2"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/cf/8c/f834fbf984f691b4f7ff60f50b514cc3de5cc08abfc3295564dd89c5e2e7/importlib_resources-6.5.2.tar.gz", hash = "sha256:185f87adef5bcc288449d98fb4fba07cea78bc036455dd44c5fc4a2fe78fed2c", size = 44693, upload-time = "2025-01-03T18:51:56.698Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/a4/ed/1f1afb2e9e7f38a545d628f864d562a5ae64fe6f7a10e28ffb9b185b4e89/importlib_resources-6.5.2-py3-none-any.whl", hash = "sha256:789cfdc3ed28c78b67a06acb8126751ced69a3d5f79c095a98298cd8a760ccec", size = 37461, upload-time = "2025-01-03T18:51:54.306Z" },
]
[[package]] [[package]]
name = "iniconfig" name = "iniconfig"
version = "2.3.0" version = "2.3.0"
@ -860,6 +983,18 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/87/fb/99f81ac72ae23375f22b7afdb7642aba97c00a713c217124420147681a2f/mako-1.3.10-py3-none-any.whl", hash = "sha256:baef24a52fc4fc514a0887ac600f9f1cff3d82c61d4d700a1fa84d597b88db59", size = 78509, upload-time = "2025-04-10T12:50:53.297Z" }, { url = "https://files.pythonhosted.org/packages/87/fb/99f81ac72ae23375f22b7afdb7642aba97c00a713c217124420147681a2f/mako-1.3.10-py3-none-any.whl", hash = "sha256:baef24a52fc4fc514a0887ac600f9f1cff3d82c61d4d700a1fa84d597b88db59", size = 78509, upload-time = "2025-04-10T12:50:53.297Z" },
] ]
[[package]]
name = "markdown-it-py"
version = "4.0.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "mdurl" },
]
sdist = { url = "https://files.pythonhosted.org/packages/5b/f5/4ec618ed16cc4f8fb3b701563655a69816155e79e24a17b651541804721d/markdown_it_py-4.0.0.tar.gz", hash = "sha256:cb0a2b4aa34f932c007117b194e945bd74e0ec24133ceb5bac59009cda1cb9f3", size = 73070, upload-time = "2025-08-11T12:57:52.854Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/94/54/e7d793b573f298e1c9013b8c4dade17d481164aa517d1d7148619c2cedbf/markdown_it_py-4.0.0-py3-none-any.whl", hash = "sha256:87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147", size = 87321, upload-time = "2025-08-11T12:57:51.923Z" },
]
[[package]] [[package]]
name = "markdown2" name = "markdown2"
version = "2.5.5" version = "2.5.5"
@ -921,6 +1056,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/70/bc/6f1c2f612465f5fa89b95bead1f44dcb607670fd42891d8fdcd5d039f4f4/markupsafe-3.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa", size = 14146, upload-time = "2025-09-27T18:37:28.327Z" }, { url = "https://files.pythonhosted.org/packages/70/bc/6f1c2f612465f5fa89b95bead1f44dcb607670fd42891d8fdcd5d039f4f4/markupsafe-3.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa", size = 14146, upload-time = "2025-09-27T18:37:28.327Z" },
] ]
[[package]]
name = "mdurl"
version = "0.1.2"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba", size = 8729, upload-time = "2022-08-14T12:40:10.846Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8", size = 9979, upload-time = "2022-08-14T12:40:09.779Z" },
]
[[package]] [[package]]
name = "multidict" name = "multidict"
version = "6.7.1" version = "6.7.1"
@ -1442,6 +1586,19 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/aa/54/0cce26da03a981f949bb8449c9778537f75f5917c172e1d2992ff25cb57d/python_engineio-4.13.1-py3-none-any.whl", hash = "sha256:f32ad10589859c11053ad7d9bb3c9695cdf862113bfb0d20bc4d890198287399", size = 59847, upload-time = "2026-02-06T23:38:04.861Z" }, { url = "https://files.pythonhosted.org/packages/aa/54/0cce26da03a981f949bb8449c9778537f75f5917c172e1d2992ff25cb57d/python_engineio-4.13.1-py3-none-any.whl", hash = "sha256:f32ad10589859c11053ad7d9bb3c9695cdf862113bfb0d20bc4d890198287399", size = 59847, upload-time = "2026-02-06T23:38:04.861Z" },
] ]
[[package]]
name = "python-gitlab"
version = "6.5.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "requests" },
{ name = "requests-toolbelt" },
]
sdist = { url = "https://files.pythonhosted.org/packages/9a/bd/b30f1d3b303cb5d3c72e2d57a847d699e8573cbdfd67ece5f1795e49da1c/python_gitlab-6.5.0.tar.gz", hash = "sha256:97553652d94b02de343e9ca92782239aa2b5f6594c5482331a9490d9d5e8737d", size = 400591, upload-time = "2025-10-17T21:40:02.89Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/34/bd/b0d440685fbcafee462bed793a74aea88541887c4c30556a55ac64914b8d/python_gitlab-6.5.0-py3-none-any.whl", hash = "sha256:494e1e8e5edd15286eaf7c286f3a06652688f1ee20a49e2a0218ddc5cc475e32", size = 144419, upload-time = "2025-10-17T21:40:01.233Z" },
]
[[package]] [[package]]
name = "python-jose" name = "python-jose"
version = "3.5.0" version = "3.5.0"
@ -1470,6 +1627,30 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/1b/d0/397f9626e711ff749a95d96b7af99b9c566a9bb5129b8e4c10fc4d100304/python_multipart-0.0.22-py3-none-any.whl", hash = "sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155", size = 24579, upload-time = "2026-01-25T10:15:54.811Z" }, { url = "https://files.pythonhosted.org/packages/1b/d0/397f9626e711ff749a95d96b7af99b9c566a9bb5129b8e4c10fc4d100304/python_multipart-0.0.22-py3-none-any.whl", hash = "sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155", size = 24579, upload-time = "2026-01-25T10:15:54.811Z" },
] ]
[[package]]
name = "python-semantic-release"
version = "10.5.3"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "click" },
{ name = "click-option-group" },
{ name = "deprecated" },
{ name = "dotty-dict" },
{ name = "gitpython" },
{ name = "importlib-resources" },
{ name = "jinja2" },
{ name = "pydantic" },
{ name = "python-gitlab" },
{ name = "requests" },
{ name = "rich" },
{ name = "shellingham" },
{ name = "tomlkit" },
]
sdist = { url = "https://files.pythonhosted.org/packages/19/3a/7332b822825ed0e902c6e950e0d1e90e8f666fd12eb27855d1c8b6677eff/python_semantic_release-10.5.3.tar.gz", hash = "sha256:de4da78635fa666e5774caaca2be32063cae72431eb75e2ac23b9f2dfd190785", size = 618034, upload-time = "2025-12-14T22:37:29.782Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/6b/01/ada29a1215df601bded0a2efd3b6d53864a0a9e0a9ea52aeaebe14fd03fd/python_semantic_release-10.5.3-py3-none-any.whl", hash = "sha256:1be0e07c36fa1f1ec9da4f438c1f6bbd7bc10eb0d6ac0089b0643103708c2823", size = 152716, upload-time = "2025-12-14T22:37:28.089Z" },
]
[[package]] [[package]]
name = "python-socketio" name = "python-socketio"
version = "5.16.1" version = "5.16.1"
@ -1564,6 +1745,33 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/74/3a/95deec7db1eb53979973ebd156f3369a72732208d1391cd2e5d127062a32/redis-7.4.0-py3-none-any.whl", hash = "sha256:a9c74a5c893a5ef8455a5adb793a31bb70feb821c86eccb62eebef5a19c429ec", size = 409772, upload-time = "2026-03-24T09:14:35.968Z" }, { url = "https://files.pythonhosted.org/packages/74/3a/95deec7db1eb53979973ebd156f3369a72732208d1391cd2e5d127062a32/redis-7.4.0-py3-none-any.whl", hash = "sha256:a9c74a5c893a5ef8455a5adb793a31bb70feb821c86eccb62eebef5a19c429ec", size = 409772, upload-time = "2026-03-24T09:14:35.968Z" },
] ]
[[package]]
name = "requests"
version = "2.33.1"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "certifi" },
{ name = "charset-normalizer" },
{ name = "idna" },
{ name = "urllib3" },
]
sdist = { url = "https://files.pythonhosted.org/packages/5f/a4/98b9c7c6428a668bf7e42ebb7c79d576a1c3c1e3ae2d47e674b468388871/requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517", size = 134120, upload-time = "2026-03-30T16:09:15.531Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/d7/8e/7540e8a2036f79a125c1d2ebadf69ed7901608859186c856fa0388ef4197/requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a", size = 64947, upload-time = "2026-03-30T16:09:13.83Z" },
]
[[package]]
name = "requests-toolbelt"
version = "1.0.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "requests" },
]
sdist = { url = "https://files.pythonhosted.org/packages/f3/61/d7545dafb7ac2230c70d38d31cbfe4cc64f7144dc41f6e4e4b78ecd9f5bb/requests-toolbelt-1.0.0.tar.gz", hash = "sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6", size = 206888, upload-time = "2023-05-01T04:11:33.229Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/3f/51/d4db610ef29373b879047326cbf6fa98b6c1969d6f6dc423279de2b1be2c/requests_toolbelt-1.0.0-py2.py3-none-any.whl", hash = "sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06", size = 54481, upload-time = "2023-05-01T04:11:28.427Z" },
]
[[package]] [[package]]
name = "respx" name = "respx"
version = "0.22.0" version = "0.22.0"
@ -1576,6 +1784,19 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/8e/67/afbb0978d5399bc9ea200f1d4489a23c9a1dad4eee6376242b8182389c79/respx-0.22.0-py2.py3-none-any.whl", hash = "sha256:631128d4c9aba15e56903fb5f66fb1eff412ce28dd387ca3a81339e52dbd3ad0", size = 25127, upload-time = "2024-12-19T22:33:57.837Z" }, { url = "https://files.pythonhosted.org/packages/8e/67/afbb0978d5399bc9ea200f1d4489a23c9a1dad4eee6376242b8182389c79/respx-0.22.0-py2.py3-none-any.whl", hash = "sha256:631128d4c9aba15e56903fb5f66fb1eff412ce28dd387ca3a81339e52dbd3ad0", size = 25127, upload-time = "2024-12-19T22:33:57.837Z" },
] ]
[[package]]
name = "rich"
version = "14.3.3"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "markdown-it-py" },
{ name = "pygments" },
]
sdist = { url = "https://files.pythonhosted.org/packages/b3/c6/f3b320c27991c46f43ee9d856302c70dc2d0fb2dba4842ff739d5f46b393/rich-14.3.3.tar.gz", hash = "sha256:b8daa0b9e4eef54dd8cf7c86c03713f53241884e814f4e2f5fb342fe520f639b", size = 230582, upload-time = "2026-02-19T17:23:12.474Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/14/25/b208c5683343959b670dc001595f2f3737e051da617f66c31f7c4fa93abc/rich-14.3.3-py3-none-any.whl", hash = "sha256:793431c1f8619afa7d3b52b2cdec859562b950ea0d4b6b505397612db8d5362d", size = 310458, upload-time = "2026-02-19T17:23:13.732Z" },
]
[[package]] [[package]]
name = "rsa" name = "rsa"
version = "4.9.1" version = "4.9.1"
@ -1588,6 +1809,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/64/8d/0133e4eb4beed9e425d9a98ed6e081a55d195481b7632472be1af08d2f6b/rsa-4.9.1-py3-none-any.whl", hash = "sha256:68635866661c6836b8d39430f97a996acbd61bfa49406748ea243539fe239762", size = 34696, upload-time = "2025-04-16T09:51:17.142Z" }, { url = "https://files.pythonhosted.org/packages/64/8d/0133e4eb4beed9e425d9a98ed6e081a55d195481b7632472be1af08d2f6b/rsa-4.9.1-py3-none-any.whl", hash = "sha256:68635866661c6836b8d39430f97a996acbd61bfa49406748ea243539fe239762", size = 34696, upload-time = "2025-04-16T09:51:17.142Z" },
] ]
[[package]]
name = "shellingham"
version = "1.5.4"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/58/15/8b3609fd3830ef7b27b655beb4b4e9c62313a4e8da8c676e142cc210d58e/shellingham-1.5.4.tar.gz", hash = "sha256:8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de", size = 10310, upload-time = "2023-10-24T04:13:40.426Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/e0/f9/0595336914c5619e5f28a1fb793285925a8cd4b432c9da0a987836c7f822/shellingham-1.5.4-py2.py3-none-any.whl", hash = "sha256:7ecfff8f2fd72616f7481040475a65b2bf8af90a56c89140852d1120324e8686", size = 9755, upload-time = "2023-10-24T04:13:38.866Z" },
]
[[package]] [[package]]
name = "simple-websocket" name = "simple-websocket"
version = "1.1.0" version = "1.1.0"
@ -1609,6 +1839,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050, upload-time = "2024-12-04T17:35:26.475Z" }, { url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050, upload-time = "2024-12-04T17:35:26.475Z" },
] ]
[[package]]
name = "smmap"
version = "5.0.3"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/1f/ea/49c993d6dfdd7338c9b1000a0f36817ed7ec84577ae2e52f890d1a4ff909/smmap-5.0.3.tar.gz", hash = "sha256:4d9debb8b99007ae47165abc08670bd74cb74b5227dda7f643eccc4e9eb5642c", size = 22506, upload-time = "2026-03-09T03:43:26.1Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/c1/d4/59e74daffcb57a07668852eeeb6035af9f32cbfd7a1d2511f17d2fe6a738/smmap-5.0.3-py3-none-any.whl", hash = "sha256:c106e05d5a61449cf6ba9a1e650227ecfb141590d2a98412103ff35d89fc7b2f", size = 24390, upload-time = "2026-03-09T03:43:24.361Z" },
]
[[package]] [[package]]
name = "sqlalchemy" name = "sqlalchemy"
version = "2.0.48" version = "2.0.48"
@ -1673,6 +1912,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/0b/c9/584bc9651441b4ba60cc4d557d8a547b5aff901af35bda3a4ee30c819b82/starlette-1.0.0-py3-none-any.whl", hash = "sha256:d3ec55e0bb321692d275455ddfd3df75fff145d009685eb40dc91fc66b03d38b", size = 72651, upload-time = "2026-03-22T18:29:45.111Z" }, { url = "https://files.pythonhosted.org/packages/0b/c9/584bc9651441b4ba60cc4d557d8a547b5aff901af35bda3a4ee30c819b82/starlette-1.0.0-py3-none-any.whl", hash = "sha256:d3ec55e0bb321692d275455ddfd3df75fff145d009685eb40dc91fc66b03d38b", size = 72651, upload-time = "2026-03-22T18:29:45.111Z" },
] ]
[[package]]
name = "tomlkit"
version = "0.13.3"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/cc/18/0bbf3884e9eaa38819ebe46a7bd25dcd56b67434402b66a58c4b8e552575/tomlkit-0.13.3.tar.gz", hash = "sha256:430cf247ee57df2b94ee3fbe588e71d362a941ebb545dec29b53961d61add2a1", size = 185207, upload-time = "2025-06-05T07:13:44.947Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/bd/75/8539d011f6be8e29f339c42e633aae3cb73bffa95dd0f9adec09b9c58e85/tomlkit-0.13.3-py3-none-any.whl", hash = "sha256:c89c649d79ee40629a9fda55f8ace8c6a1b42deb912b2a8fd8d942ddadb606b0", size = 38901, upload-time = "2025-06-05T07:13:43.546Z" },
]
[[package]] [[package]]
name = "typing-extensions" name = "typing-extensions"
version = "4.15.0" version = "4.15.0"
@ -1694,6 +1942,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/dc/9b/47798a6c91d8bdb567fe2698fe81e0c6b7cb7ef4d13da4114b41d239f65d/typing_inspection-0.4.2-py3-none-any.whl", hash = "sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7", size = 14611, upload-time = "2025-10-01T02:14:40.154Z" }, { url = "https://files.pythonhosted.org/packages/dc/9b/47798a6c91d8bdb567fe2698fe81e0c6b7cb7ef4d13da4114b41d239f65d/typing_inspection-0.4.2-py3-none-any.whl", hash = "sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7", size = 14611, upload-time = "2025-10-01T02:14:40.154Z" },
] ]
[[package]]
name = "urllib3"
version = "2.6.3"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
]
[[package]] [[package]]
name = "uvicorn" name = "uvicorn"
version = "0.42.0" version = "0.42.0"
@ -1892,6 +2149,7 @@ dev = [
{ name = "pytest" }, { name = "pytest" },
{ name = "pytest-asyncio" }, { name = "pytest-asyncio" },
{ name = "pytest-cov" }, { name = "pytest-cov" },
{ name = "python-semantic-release" },
{ name = "respx" }, { name = "respx" },
] ]
@ -1923,9 +2181,63 @@ dev = [
{ name = "pytest", specifier = ">=8.0" }, { name = "pytest", specifier = ">=8.0" },
{ name = "pytest-asyncio", specifier = ">=0.24" }, { name = "pytest-asyncio", specifier = ">=0.24" },
{ name = "pytest-cov", specifier = ">=7.1.0" }, { name = "pytest-cov", specifier = ">=7.1.0" },
{ name = "python-semantic-release", specifier = ">=9.0" },
{ name = "respx", specifier = ">=0.22.0" }, { name = "respx", specifier = ">=0.22.0" },
] ]
[[package]]
name = "wrapt"
version = "2.1.2"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/2e/64/925f213fdcbb9baeb1530449ac71a4d57fc361c053d06bf78d0c5c7cd80c/wrapt-2.1.2.tar.gz", hash = "sha256:3996a67eecc2c68fd47b4e3c564405a5777367adfd9b8abb58387b63ee83b21e", size = 81678, upload-time = "2026-03-06T02:53:25.134Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/4c/7a/d936840735c828b38d26a854e85d5338894cda544cb7a85a9d5b8b9c4df7/wrapt-2.1.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:787fd6f4d67befa6fe2abdffcbd3de2d82dfc6fb8a6d850407c53332709d030b", size = 61259, upload-time = "2026-03-06T02:53:41.922Z" },
{ url = "https://files.pythonhosted.org/packages/5e/88/9a9b9a90ac8ca11c2fdb6a286cb3a1fc7dd774c00ed70929a6434f6bc634/wrapt-2.1.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4bdf26e03e6d0da3f0e9422fd36bcebf7bc0eeb55fdf9c727a09abc6b9fe472e", size = 61851, upload-time = "2026-03-06T02:52:48.672Z" },
{ url = "https://files.pythonhosted.org/packages/03/a9/5b7d6a16fd6533fed2756900fc8fc923f678179aea62ada6d65c92718c00/wrapt-2.1.2-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:bbac24d879aa22998e87f6b3f481a5216311e7d53c7db87f189a7a0266dafffb", size = 121446, upload-time = "2026-03-06T02:54:14.013Z" },
{ url = "https://files.pythonhosted.org/packages/45/bb/34c443690c847835cfe9f892be78c533d4f32366ad2888972c094a897e39/wrapt-2.1.2-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:16997dfb9d67addc2e3f41b62a104341e80cac52f91110dece393923c0ebd5ca", size = 123056, upload-time = "2026-03-06T02:54:10.829Z" },
{ url = "https://files.pythonhosted.org/packages/93/b9/ff205f391cb708f67f41ea148545f2b53ff543a7ac293b30d178af4d2271/wrapt-2.1.2-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:162e4e2ba7542da9027821cb6e7c5e068d64f9a10b5f15512ea28e954893a267", size = 117359, upload-time = "2026-03-06T02:53:03.623Z" },
{ url = "https://files.pythonhosted.org/packages/1f/3d/1ea04d7747825119c3c9a5e0874a40b33594ada92e5649347c457d982805/wrapt-2.1.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f29c827a8d9936ac320746747a016c4bc66ef639f5cd0d32df24f5eacbf9c69f", size = 121479, upload-time = "2026-03-06T02:53:45.844Z" },
{ url = "https://files.pythonhosted.org/packages/78/cc/ee3a011920c7a023b25e8df26f306b2484a531ab84ca5c96260a73de76c0/wrapt-2.1.2-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:a9dd9813825f7ecb018c17fd147a01845eb330254dff86d3b5816f20f4d6aaf8", size = 116271, upload-time = "2026-03-06T02:54:46.356Z" },
{ url = "https://files.pythonhosted.org/packages/98/fd/e5ff7ded41b76d802cf1191288473e850d24ba2e39a6ec540f21ae3b57cb/wrapt-2.1.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6f8dbdd3719e534860d6a78526aafc220e0241f981367018c2875178cf83a413", size = 120573, upload-time = "2026-03-06T02:52:50.163Z" },
{ url = "https://files.pythonhosted.org/packages/47/c5/242cae3b5b080cd09bacef0591691ba1879739050cc7c801ff35c8886b66/wrapt-2.1.2-cp313-cp313-win32.whl", hash = "sha256:5c35b5d82b16a3bc6e0a04349b606a0582bc29f573786aebe98e0c159bc48db6", size = 58205, upload-time = "2026-03-06T02:53:47.494Z" },
{ url = "https://files.pythonhosted.org/packages/12/69/c358c61e7a50f290958809b3c61ebe8b3838ea3e070d7aac9814f95a0528/wrapt-2.1.2-cp313-cp313-win_amd64.whl", hash = "sha256:f8bc1c264d8d1cf5b3560a87bbdd31131573eb25f9f9447bb6252b8d4c44a3a1", size = 60452, upload-time = "2026-03-06T02:53:30.038Z" },
{ url = "https://files.pythonhosted.org/packages/8e/66/c8a6fcfe321295fd8c0ab1bd685b5a01462a9b3aa2f597254462fc2bc975/wrapt-2.1.2-cp313-cp313-win_arm64.whl", hash = "sha256:3beb22f674550d5634642c645aba4c72a2c66fb185ae1aebe1e955fae5a13baf", size = 58842, upload-time = "2026-03-06T02:52:52.114Z" },
{ url = "https://files.pythonhosted.org/packages/da/55/9c7052c349106e0b3f17ae8db4b23a691a963c334de7f9dbd60f8f74a831/wrapt-2.1.2-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:0fc04bc8664a8bc4c8e00b37b5355cffca2535209fba1abb09ae2b7c76ddf82b", size = 63075, upload-time = "2026-03-06T02:53:19.108Z" },
{ url = "https://files.pythonhosted.org/packages/09/a8/ce7b4006f7218248dd71b7b2b732d0710845a0e49213b18faef64811ffef/wrapt-2.1.2-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:a9b9d50c9af998875a1482a038eb05755dfd6fe303a313f6a940bb53a83c3f18", size = 63719, upload-time = "2026-03-06T02:54:33.452Z" },
{ url = "https://files.pythonhosted.org/packages/e4/e5/2ca472e80b9e2b7a17f106bb8f9df1db11e62101652ce210f66935c6af67/wrapt-2.1.2-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:2d3ff4f0024dd224290c0eabf0240f1bfc1f26363431505fb1b0283d3b08f11d", size = 152643, upload-time = "2026-03-06T02:52:42.721Z" },
{ url = "https://files.pythonhosted.org/packages/36/42/30f0f2cefca9d9cbf6835f544d825064570203c3e70aa873d8ae12e23791/wrapt-2.1.2-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3278c471f4468ad544a691b31bb856374fbdefb7fee1a152153e64019379f015", size = 158805, upload-time = "2026-03-06T02:54:25.441Z" },
{ url = "https://files.pythonhosted.org/packages/bb/67/d08672f801f604889dcf58f1a0b424fe3808860ede9e03affc1876b295af/wrapt-2.1.2-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a8914c754d3134a3032601c6984db1c576e6abaf3fc68094bb8ab1379d75ff92", size = 145990, upload-time = "2026-03-06T02:53:57.456Z" },
{ url = "https://files.pythonhosted.org/packages/68/a7/fd371b02e73babec1de6ade596e8cd9691051058cfdadbfd62a5898f3295/wrapt-2.1.2-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:ff95d4264e55839be37bafe1536db2ab2de19da6b65f9244f01f332b5286cfbf", size = 155670, upload-time = "2026-03-06T02:54:55.309Z" },
{ url = "https://files.pythonhosted.org/packages/86/2d/9fe0095dfdb621009f40117dcebf41d7396c2c22dca6eac779f4c007b86c/wrapt-2.1.2-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:76405518ca4e1b76fbb1b9f686cff93aebae03920cc55ceeec48ff9f719c5f67", size = 144357, upload-time = "2026-03-06T02:54:24.092Z" },
{ url = "https://files.pythonhosted.org/packages/0e/b6/ec7b4a254abbe4cde9fa15c5d2cca4518f6b07d0f1b77d4ee9655e30280e/wrapt-2.1.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:c0be8b5a74c5824e9359b53e7e58bef71a729bacc82e16587db1c4ebc91f7c5a", size = 150269, upload-time = "2026-03-06T02:53:31.268Z" },
{ url = "https://files.pythonhosted.org/packages/6e/6b/2fabe8ebf148f4ee3c782aae86a795cc68ffe7d432ef550f234025ce0cfa/wrapt-2.1.2-cp313-cp313t-win32.whl", hash = "sha256:f01277d9a5fc1862f26f7626da9cf443bebc0abd2f303f41c5e995b15887dabd", size = 59894, upload-time = "2026-03-06T02:54:15.391Z" },
{ url = "https://files.pythonhosted.org/packages/ca/fb/9ba66fc2dedc936de5f8073c0217b5d4484e966d87723415cc8262c5d9c2/wrapt-2.1.2-cp313-cp313t-win_amd64.whl", hash = "sha256:84ce8f1c2104d2f6daa912b1b5b039f331febfeee74f8042ad4e04992bd95c8f", size = 63197, upload-time = "2026-03-06T02:54:41.943Z" },
{ url = "https://files.pythonhosted.org/packages/c0/1c/012d7423c95d0e337117723eb8ecf73c622ce15a97847e84cf3f8f26cd7e/wrapt-2.1.2-cp313-cp313t-win_arm64.whl", hash = "sha256:a93cd767e37faeddbe07d8fc4212d5cba660af59bdb0f6372c93faaa13e6e679", size = 60363, upload-time = "2026-03-06T02:54:48.093Z" },
{ url = "https://files.pythonhosted.org/packages/39/25/e7ea0b417db02bb796182a5316398a75792cd9a22528783d868755e1f669/wrapt-2.1.2-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:1370e516598854e5b4366e09ce81e08bfe94d42b0fd569b88ec46cc56d9164a9", size = 61418, upload-time = "2026-03-06T02:53:55.706Z" },
{ url = "https://files.pythonhosted.org/packages/ec/0f/fa539e2f6a770249907757eaeb9a5ff4deb41c026f8466c1c6d799088a9b/wrapt-2.1.2-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:6de1a3851c27e0bd6a04ca993ea6f80fc53e6c742ee1601f486c08e9f9b900a9", size = 61914, upload-time = "2026-03-06T02:52:53.37Z" },
{ url = "https://files.pythonhosted.org/packages/53/37/02af1867f5b1441aaeda9c82deed061b7cd1372572ddcd717f6df90b5e93/wrapt-2.1.2-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:de9f1a2bbc5ac7f6012ec24525bdd444765a2ff64b5985ac6e0692144838542e", size = 120417, upload-time = "2026-03-06T02:54:30.74Z" },
{ url = "https://files.pythonhosted.org/packages/c3/b7/0138a6238c8ba7476c77cf786a807f871672b37f37a422970342308276e7/wrapt-2.1.2-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:970d57ed83fa040d8b20c52fe74a6ae7e3775ae8cff5efd6a81e06b19078484c", size = 122797, upload-time = "2026-03-06T02:54:51.539Z" },
{ url = "https://files.pythonhosted.org/packages/e1/ad/819ae558036d6a15b7ed290d5b14e209ca795dd4da9c58e50c067d5927b0/wrapt-2.1.2-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:3969c56e4563c375861c8df14fa55146e81ac11c8db49ea6fb7f2ba58bc1ff9a", size = 117350, upload-time = "2026-03-06T02:54:37.651Z" },
{ url = "https://files.pythonhosted.org/packages/8b/2d/afc18dc57a4600a6e594f77a9ae09db54f55ba455440a54886694a84c71b/wrapt-2.1.2-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:57d7c0c980abdc5f1d98b11a2aa3bb159790add80258c717fa49a99921456d90", size = 121223, upload-time = "2026-03-06T02:54:35.221Z" },
{ url = "https://files.pythonhosted.org/packages/b9/5b/5ec189b22205697bc56eb3b62aed87a1e0423e9c8285d0781c7a83170d15/wrapt-2.1.2-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:776867878e83130c7a04237010463372e877c1c994d449ca6aaafeab6aab2586", size = 116287, upload-time = "2026-03-06T02:54:19.654Z" },
{ url = "https://files.pythonhosted.org/packages/f7/2d/f84939a7c9b5e6cdd8a8d0f6a26cabf36a0f7e468b967720e8b0cd2bdf69/wrapt-2.1.2-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:fab036efe5464ec3291411fabb80a7a39e2dd80bae9bcbeeca5087fdfa891e19", size = 119593, upload-time = "2026-03-06T02:54:16.697Z" },
{ url = "https://files.pythonhosted.org/packages/0b/fe/ccd22a1263159c4ac811ab9374c061bcb4a702773f6e06e38de5f81a1bdc/wrapt-2.1.2-cp314-cp314-win32.whl", hash = "sha256:e6ed62c82ddf58d001096ae84ce7f833db97ae2263bff31c9b336ba8cfe3f508", size = 58631, upload-time = "2026-03-06T02:53:06.498Z" },
{ url = "https://files.pythonhosted.org/packages/65/0a/6bd83be7bff2e7efaac7b4ac9748da9d75a34634bbbbc8ad077d527146df/wrapt-2.1.2-cp314-cp314-win_amd64.whl", hash = "sha256:467e7c76315390331c67073073d00662015bb730c566820c9ca9b54e4d67fd04", size = 60875, upload-time = "2026-03-06T02:53:50.252Z" },
{ url = "https://files.pythonhosted.org/packages/6c/c0/0b3056397fe02ff80e5a5d72d627c11eb885d1ca78e71b1a5c1e8c7d45de/wrapt-2.1.2-cp314-cp314-win_arm64.whl", hash = "sha256:da1f00a557c66225d53b095a97eace0fc5349e3bfda28fa34ffae238978ee575", size = 59164, upload-time = "2026-03-06T02:53:59.128Z" },
{ url = "https://files.pythonhosted.org/packages/71/ed/5d89c798741993b2371396eb9d4634f009ff1ad8a6c78d366fe2883ea7a6/wrapt-2.1.2-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:62503ffbc2d3a69891cf29beeaccdb4d5e0a126e2b6a851688d4777e01428dbb", size = 63163, upload-time = "2026-03-06T02:52:54.873Z" },
{ url = "https://files.pythonhosted.org/packages/c6/8c/05d277d182bf36b0a13d6bd393ed1dec3468a25b59d01fba2dd70fe4d6ae/wrapt-2.1.2-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c7e6cd120ef837d5b6f860a6ea3745f8763805c418bb2f12eeb1fa6e25f22d22", size = 63723, upload-time = "2026-03-06T02:52:56.374Z" },
{ url = "https://files.pythonhosted.org/packages/f4/27/6c51ec1eff4413c57e72d6106bb8dec6f0c7cdba6503d78f0fa98767bcc9/wrapt-2.1.2-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:3769a77df8e756d65fbc050333f423c01ae012b4f6731aaf70cf2bef61b34596", size = 152652, upload-time = "2026-03-06T02:53:23.79Z" },
{ url = "https://files.pythonhosted.org/packages/db/4c/d7dd662d6963fc7335bfe29d512b02b71cdfa23eeca7ab3ac74a67505deb/wrapt-2.1.2-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a76d61a2e851996150ba0f80582dd92a870643fa481f3b3846f229de88caf044", size = 158807, upload-time = "2026-03-06T02:53:35.742Z" },
{ url = "https://files.pythonhosted.org/packages/b4/4d/1e5eea1a78d539d346765727422976676615814029522c76b87a95f6bcdd/wrapt-2.1.2-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:6f97edc9842cf215312b75fe737ee7c8adda75a89979f8e11558dfff6343cc4b", size = 146061, upload-time = "2026-03-06T02:52:57.574Z" },
{ url = "https://files.pythonhosted.org/packages/89/bc/62cabea7695cd12a288023251eeefdcb8465056ddaab6227cb78a2de005b/wrapt-2.1.2-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:4006c351de6d5007aa33a551f600404ba44228a89e833d2fadc5caa5de8edfbf", size = 155667, upload-time = "2026-03-06T02:53:39.422Z" },
{ url = "https://files.pythonhosted.org/packages/e9/99/6f2888cd68588f24df3a76572c69c2de28287acb9e1972bf0c83ce97dbc1/wrapt-2.1.2-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:a9372fc3639a878c8e7d87e1556fa209091b0a66e912c611e3f833e2c4202be2", size = 144392, upload-time = "2026-03-06T02:54:22.41Z" },
{ url = "https://files.pythonhosted.org/packages/40/51/1dfc783a6c57971614c48e361a82ca3b6da9055879952587bc99fe1a7171/wrapt-2.1.2-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:3144b027ff30cbd2fca07c0a87e67011adb717eb5f5bd8496325c17e454257a3", size = 150296, upload-time = "2026-03-06T02:54:07.848Z" },
{ url = "https://files.pythonhosted.org/packages/6c/38/cbb8b933a0201076c1f64fc42883b0023002bdc14a4964219154e6ff3350/wrapt-2.1.2-cp314-cp314t-win32.whl", hash = "sha256:3b8d15e52e195813efe5db8cec156eebe339aaf84222f4f4f051a6c01f237ed7", size = 60539, upload-time = "2026-03-06T02:54:00.594Z" },
{ url = "https://files.pythonhosted.org/packages/82/dd/e5176e4b241c9f528402cebb238a36785a628179d7d8b71091154b3e4c9e/wrapt-2.1.2-cp314-cp314t-win_amd64.whl", hash = "sha256:08ffa54146a7559f5b8df4b289b46d963a8e74ed16ba3687f99896101a3990c5", size = 63969, upload-time = "2026-03-06T02:54:39Z" },
{ url = "https://files.pythonhosted.org/packages/5c/99/79f17046cf67e4a95b9987ea129632ba8bcec0bc81f3fb3d19bdb0bd60cd/wrapt-2.1.2-cp314-cp314t-win_arm64.whl", hash = "sha256:72aaa9d0d8e4ed0e2e98019cea47a21f823c9dd4b43c7b77bba6679ffcca6a00", size = 60554, upload-time = "2026-03-06T02:53:14.132Z" },
{ url = "https://files.pythonhosted.org/packages/1a/c7/8528ac2dfa2c1e6708f647df7ae144ead13f0a31146f43c7264b4942bf12/wrapt-2.1.2-py3-none-any.whl", hash = "sha256:b8fd6fa2b2c4e7621808f8c62e8317f4aae56e59721ad933bac5239d913cf0e8", size = 43993, upload-time = "2026-03-06T02:53:12.905Z" },
]
[[package]] [[package]]
name = "wsproto" name = "wsproto"
version = "1.3.2" version = "1.3.2"

2
wiregui/auth/saml.py
View file

@ -17,7 +17,7 @@ def _build_saml_settings(provider_config: dict) -> dict:
idp_settings = idp_data.get("idp", {}) idp_settings = idp_data.get("idp", {})
return { return {
"strict": True, "strict": provider_config.get("strict", True),
"debug": False, "debug": False,
"sp": { "sp": {
"entityId": f"{base_url}/auth/saml/{provider_config['id']}/metadata", "entityId": f"{base_url}/auth/saml/{provider_config['id']}/metadata",

176
wiregui/collector.py Normal file
View file

@ -0,0 +1,176 @@
"""WireGuard metrics collector — standalone process for high-frequency stats polling.
Run as: python -m wiregui.collector
Polls `wg show <iface> dump` at a configurable interval, updates device rows
in PostgreSQL, and optionally pushes Prometheus-format metrics to VictoriaMetrics.
"""
import asyncio
import signal
import time
import httpx
from loguru import logger
from sqlmodel import select
from wiregui.config import get_settings
from wiregui.db import async_session, engine
from wiregui.log_config import setup_logging
from wiregui.models.device import Device
from wiregui.models.user import User
from wiregui.services.wireguard import PeerInfo, get_peers
_shutdown = asyncio.Event()
def _handle_signal() -> None:
logger.info("Shutdown signal received")
_shutdown.set()
async def _update_db(peers: list[PeerInfo]) -> dict[str, dict]:
"""Update device rows in DB and return metadata for metrics labels.
Returns: {public_key: {"device_name": ..., "user_email": ...}}
"""
if not peers:
return {}
peer_map = {p.public_key: p for p in peers}
async with async_session() as session:
result = await session.execute(
select(Device, User.email).join(User).where(
Device.public_key.in_(list(peer_map.keys()))
)
)
rows = result.all()
labels = {}
updated = 0
for device, user_email in rows:
peer = peer_map.get(device.public_key)
if peer is None:
continue
# Only write connection status to PostgreSQL — traffic metrics go to VictoriaMetrics
device.latest_handshake = peer.latest_handshake
device.remote_ip = peer.endpoint.split(":")[0] if peer.endpoint else None
device.rx_bytes = peer.rx_bytes
device.tx_bytes = peer.tx_bytes
session.add(device)
updated += 1
labels[device.public_key] = {
"device_name": device.name,
"user_email": user_email,
}
if updated:
await session.commit()
logger.debug("Updated stats for {} devices", updated)
return labels
def _build_prometheus_payload(peers: list[PeerInfo], labels: dict[str, dict]) -> str:
"""Build Prometheus exposition format text for VictoriaMetrics import."""
now_ms = int(time.time() * 1000)
lines = []
active_count = 0
for peer in peers:
meta = labels.get(peer.public_key)
if not meta:
continue
tag = (
f'public_key="{peer.public_key[:16]}",'
f'device_name="{meta["device_name"]}",'
f'user_email="{meta["user_email"]}"'
)
lines.append(f"wiregui_peer_rx_bytes{{{tag}}} {peer.rx_bytes} {now_ms}")
lines.append(f"wiregui_peer_tx_bytes{{{tag}}} {peer.tx_bytes} {now_ms}")
handshake_ts = int(peer.latest_handshake.timestamp()) if peer.latest_handshake else 0
lines.append(f"wiregui_peer_latest_handshake_seconds{{{tag}}} {handshake_ts} {now_ms}")
connected = 1 if (handshake_ts and (time.time() - handshake_ts) < 180) else 0
lines.append(f"wiregui_peer_connected{{{tag}}} {connected} {now_ms}")
if connected:
active_count += 1
lines.append(f"wiregui_peers_total {active_count} {now_ms}")
return "\n".join(lines) + "\n"
async def _push_metrics(client: httpx.AsyncClient, url: str, payload: str) -> None:
"""Push Prometheus-format metrics to VictoriaMetrics."""
try:
resp = await client.post(
f"{url}/api/v1/import/prometheus",
content=payload,
headers={"Content-Type": "text/plain"},
)
if resp.status_code >= 400:
logger.warning("VictoriaMetrics push failed (HTTP {}): {}", resp.status_code, resp.text[:200])
except httpx.HTTPError as e:
logger.warning("VictoriaMetrics push error: {}", e)
async def run() -> None:
"""Main collector loop."""
settings = get_settings()
interval = settings.metrics_poll_interval
vm_url = settings.victoriametrics_url
logger.info(
"Collector started: interval={}s, victoriametrics={}",
interval, vm_url or "disabled",
)
client = httpx.AsyncClient(timeout=5) if vm_url else None
try:
while not _shutdown.is_set():
try:
peers = await get_peers()
labels = await _update_db(peers)
if client and vm_url and peers:
payload = _build_prometheus_payload(peers, labels)
await _push_metrics(client, vm_url, payload)
except asyncio.CancelledError:
break
except Exception as e:
logger.error("Collector poll failed: {}", e)
try:
await asyncio.wait_for(_shutdown.wait(), timeout=interval)
break # shutdown signalled
except asyncio.TimeoutError:
pass # normal — interval elapsed, loop again
finally:
if client:
await client.aclose()
await engine.dispose()
logger.info("Collector stopped")
def main() -> None:
setup_logging(log_to_file=get_settings().log_to_file)
loop = asyncio.new_event_loop()
for sig in (signal.SIGTERM, signal.SIGINT):
loop.add_signal_handler(sig, _handle_signal)
try:
loop.run_until_complete(run())
finally:
loop.close()
if __name__ == "__main__":
main()

7
wiregui/config.py
View file

@ -41,11 +41,16 @@ class Settings(BaseSettings):
smtp_password: str | None = None smtp_password: str | None = None
smtp_from: str = "wiregui@localhost" smtp_from: str = "wiregui@localhost"
# Metrics collector
metrics_enabled: bool = False # run separate collector process for high-frequency stats
metrics_poll_interval: int = 5 # seconds between wg show polls (collector process)
victoriametrics_url: str | None = None # e.g. http://localhost:8428
# IdP provisioning # IdP provisioning
idp_config_file: str | None = None # path to YAML file with IdP definitions idp_config_file: str | None = None # path to YAML file with IdP definitions
# Logging # Logging
log_to_file: bool = True # write timestamped log file to logs/ directory log_to_file: bool = False # write timestamped log file to logs/ directory
# App # App
host: str = "0.0.0.0" host: str = "0.0.0.0"

2
wiregui/logging.py → wiregui/log_config.py
View file

@ -17,7 +17,7 @@ def setup_logging(log_to_file: bool = False) -> None:
) )
if log_to_file: if log_to_file:
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") timestamp = datetime.now().strftime("%Y%m%d")
logger.add( logger.add(
f"logs/wiregui_{timestamp}.log", f"logs/wiregui_{timestamp}.log",
format="{time:YYYY-MM-DD HH:mm:ss.SSS} | {level:<7} | {name}:{function}:{line} - {message}", format="{time:YYYY-MM-DD HH:mm:ss.SSS} | {level:<7} | {name}:{function}:{line} - {message}",

37
wiregui/main.py
View file

@ -7,6 +7,9 @@ from wiregui.config import get_settings
from wiregui.db import init_db from wiregui.db import init_db
from wiregui.log_config import setup_logging from wiregui.log_config import setup_logging
# Serve static assets (logo, images)
app.add_static_files("/img", "img")
# Mount REST API # Mount REST API
app.include_router(api_router, prefix="/api") app.include_router(api_router, prefix="/api")
@ -59,13 +62,17 @@ async def startup() -> None:
from wiregui.services.firewall import setup_base_tables, setup_masquerade from wiregui.services.firewall import setup_base_tables, setup_masquerade
from wiregui.services.wireguard import configure_interface, ensure_interface from wiregui.services.wireguard import configure_interface, ensure_interface
from wiregui.tasks.reconcile import reconcile from wiregui.tasks.reconcile import reconcile
from wiregui.tasks.stats import stats_loop
await ensure_interface() await ensure_interface()
await configure_interface() await configure_interface()
await setup_base_tables() await setup_base_tables()
await setup_masquerade() await setup_masquerade()
await reconcile() await reconcile()
if settings.metrics_enabled:
_start_collector()
else:
from wiregui.tasks.stats import stats_loop
register_task(stats_loop(), name="wg-stats") register_task(stats_loop(), name="wg-stats")
register_task(vpn_session_loop(), name="vpn-session-expiry") register_task(vpn_session_loop(), name="vpn-session-expiry")
else: else:
@ -74,10 +81,37 @@ async def startup() -> None:
logger.info("WireGUI ready") logger.info("WireGUI ready")
_collector_proc = None
def _start_collector() -> None:
"""Spawn the metrics collector as a subprocess sharing our network namespace."""
import subprocess
import sys
global _collector_proc
_collector_proc = subprocess.Popen(
[sys.executable, "-m", "wiregui.collector"],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
logger.info("Metrics collector started (pid={})", _collector_proc.pid)
async def shutdown() -> None: async def shutdown() -> None:
from wiregui.tasks import cancel_all from wiregui.tasks import cancel_all
await cancel_all() await cancel_all()
global _collector_proc
if _collector_proc and _collector_proc.poll() is None:
logger.info("Stopping metrics collector (pid={})", _collector_proc.pid)
_collector_proc.terminate()
try:
_collector_proc.wait(timeout=5)
except Exception:
_collector_proc.kill()
_collector_proc = None
app.on_startup(startup) app.on_startup(startup)
app.on_shutdown(shutdown) app.on_shutdown(shutdown)
@ -89,6 +123,7 @@ def main() -> None:
host=settings.host, host=settings.host,
port=settings.port, port=settings.port,
title="WireGUI", title="WireGUI",
favicon="img/wiregui.svg",
storage_secret=settings.secret_key, storage_secret=settings.secret_key,
reload=True, reload=True,
) )

3
wiregui/pages/account.py
View file

@ -70,7 +70,8 @@ async def account_page():
ui.label("Rules:").classes("text-bold") ui.label("Rules:").classes("text-bold")
ui.label(str(rule_count)) ui.label(str(rule_count))
# ===== Change Password ===== # ===== Change Password (only for users with a local password) =====
if user.password_hash:
with ui.card().classes("w-full q-mt-md"): with ui.card().classes("w-full q-mt-md"):
ui.label("Change Password").classes("text-subtitle1 text-bold") ui.label("Change Password").classes("text-subtitle1 text-bold")
ui.separator() ui.separator()

43
wiregui/pages/admin/devices.py
View file

@ -63,6 +63,7 @@ async def admin_devices_page():
} }
async def load_devices(user_filter: str | None = None) -> list[dict]: async def load_devices(user_filter: str | None = None) -> list[dict]:
from wiregui.utils.time import connection_status
async with async_session() as session: async with async_session() as session:
stmt = select(Device).order_by(Device.inserted_at.desc()) stmt = select(Device).order_by(Device.inserted_at.desc())
if user_filter and user_filter != "all": if user_filter and user_filter != "all":
@ -73,6 +74,8 @@ async def admin_devices_page():
"id": str(d.id), "id": str(d.id),
"name": d.name, "name": d.name,
"user": user_map.get(str(d.user_id), "Unknown"), "user": user_map.get(str(d.user_id), "Unknown"),
"status_color": connection_status(d.latest_handshake)[0],
"status_label": connection_status(d.latest_handshake)[1],
"ipv4": d.ipv4 or "-", "ipv4": d.ipv4 or "-",
"ipv6": d.ipv6 or "-", "ipv6": d.ipv6 or "-",
"public_key": d.public_key[:16] + "...", "public_key": d.public_key[:16] + "...",
@ -262,6 +265,7 @@ async def admin_devices_page():
ui.button("Add Device", icon="add", on_click=lambda: create_dialog.open()).props("color=primary") ui.button("Add Device", icon="add", on_click=lambda: create_dialog.open()).props("color=primary")
columns = [ columns = [
{"name": "status", "label": "", "field": "status_label", "align": "center"},
{"name": "name", "label": "Name", "field": "name", "align": "left", "sortable": True}, {"name": "name", "label": "Name", "field": "name", "align": "left", "sortable": True},
{"name": "user", "label": "User", "field": "user", "align": "left", "sortable": True}, {"name": "user", "label": "User", "field": "user", "align": "left", "sortable": True},
{"name": "ipv4", "label": "IPv4", "field": "ipv4", "align": "left"}, {"name": "ipv4", "label": "IPv4", "field": "ipv4", "align": "left"},
@ -273,6 +277,15 @@ async def admin_devices_page():
{"name": "actions", "label": "", "field": "id", "align": "center"}, {"name": "actions", "label": "", "field": "id", "align": "center"},
] ]
table = ui.table(columns=columns, rows=[], row_key="id").classes("w-full") table = ui.table(columns=columns, rows=[], row_key="id").classes("w-full")
table.add_slot(
"body-cell-status",
'''
<q-td :props="props">
<q-badge :color="props.row.status_color" rounded class="q-mr-sm" />
<span class="text-caption">{{ props.row.status_label }}</span>
</q-td>
''',
)
table.add_slot( table.add_slot(
"body-cell-actions", "body-cell-actions",
''' '''
@ -284,6 +297,11 @@ async def admin_devices_page():
</q-td> </q-td>
''', ''',
) )
def on_admin_row_click(e):
# Quasar rowClick args: [evt, row, index] or just row depending on NiceGUI version
row = e.args[1] if isinstance(e.args, list) else e.args
ui.navigate.to(f"/devices/{row['id']}")
table.on("rowClick", on_admin_row_click)
table.on("edit", lambda e: open_edit(e.args)) table.on("edit", lambda e: open_edit(e.args))
table.on("delete", lambda e: delete_device(e.args)) table.on("delete", lambda e: delete_device(e.args))
@ -356,22 +374,27 @@ async def admin_devices_page():
await refresh_table() await refresh_table()
# Auto-refresh stats every 30 seconds ui.timer(5, refresh_table)
ui.timer(30, refresh_table)
def _show_config_dialog(device_name: str, config_text: str): def _show_config_dialog(device_name: str, config_text: str):
with ui.dialog(value=True) as dialog: with ui.dialog(value=True) as dialog:
with ui.card().classes("w-96"): with ui.card().classes("w-[700px] max-w-[90vw]"):
ui.label(f"Config for {device_name}").classes("text-h6") ui.label(f"Config for {device_name}").classes("text-h6")
ui.label("Save this — the private key won't be shown again.").classes("text-caption text-negative") ui.label("Save this — the private key won't be shown again.").classes("text-caption text-negative q-mb-sm")
ui.textarea(value=config_text).props("readonly outlined").classes("w-full font-mono text-xs q-mt-sm").style("min-height: 200px") ui.code(config_text, language="ini").classes("w-full")
try: try:
qr = qrcode.make(config_text, image_factory=qrcode.image.svg.SvgPathImage) import base64
qr = qrcode.make(config_text)
buf = io.BytesIO() buf = io.BytesIO()
qr.save(buf) qr.save(buf, format="PNG")
ui.html(buf.getvalue().decode()).classes("w-full q-mt-sm").style("background: white; padding: 8px; border-radius: 8px") b64 = base64.b64encode(buf.getvalue()).decode()
with ui.row().classes("w-full justify-center q-mt-md"):
ui.image(f"data:image/png;base64,{b64}").style(
"width: 200px; height: 200px; border-radius: 8px"
)
except Exception: except Exception:
pass pass
ui.button("Download .conf", on_click=lambda: ui.download(config_text.encode(), f"{device_name}.conf")).props("color=primary unelevated").classes("w-full q-mt-sm") with ui.row().classes("w-full gap-2 q-mt-md"):
ui.button("Close", on_click=dialog.close).props("flat").classes("w-full") ui.button("Download .conf", on_click=lambda: ui.download(config_text.encode(), f"{device_name}.conf")).props("color=primary unelevated").classes("flex-grow")
ui.button("Close", on_click=dialog.close).props("flat")

2
wiregui/pages/admin/diagnostics.py
View file

@ -106,7 +106,7 @@ async def diagnostics_page():
async with async_session() as session: async with async_session() as session:
result = await session.execute( result = await session.execute(
select(ConnectivityCheck).order_by(ConnectivityCheck.inserted_at.desc()).limit(20) select(ConnectivityCheck).order_by(ConnectivityCheck.inserted_at.desc()).limit(10)
) )
checks = result.scalars().all() checks = result.scalars().all()

6
wiregui/pages/admin/rules.py
View file

@ -166,13 +166,11 @@ async def rules_page():
async def show_nft_rules(): async def show_nft_rules():
ruleset = await get_ruleset() ruleset = await get_ruleset()
with ui.dialog(value=True) as dlg: with ui.dialog(value=True) as dlg:
with ui.card().classes("w-[800px]"): with ui.card().classes("w-[900px] max-w-[90vw]"):
ui.label("nftables Ruleset").classes("text-subtitle1 text-bold") ui.label("nftables Ruleset").classes("text-subtitle1 text-bold")
ui.label("Current system firewall rules for troubleshooting.").classes("text-caption text-grey") ui.label("Current system firewall rules for troubleshooting.").classes("text-caption text-grey")
ui.separator() ui.separator()
ui.textarea(value=ruleset).props("readonly outlined").classes( ui.code(ruleset, language="bash").classes("w-full")
"w-full font-mono text-xs"
).style("min-height: 400px; white-space: pre")
with ui.row().classes("w-full justify-end q-mt-sm"): with ui.row().classes("w-full justify-end q-mt-sm"):
ui.button("Close", on_click=dlg.close).props("flat") ui.button("Close", on_click=dlg.close).props("flat")

1
wiregui/pages/admin/settings.py
View file

@ -6,6 +6,7 @@ from loguru import logger
from nicegui import app, ui from nicegui import app, ui
from sqlmodel import select from sqlmodel import select
from wiregui.config import get_settings
from wiregui.db import async_session from wiregui.db import async_session
from wiregui.models.configuration import Configuration from wiregui.models.configuration import Configuration
from wiregui.pages.layout import layout from wiregui.pages.layout import layout

70
wiregui/pages/auth_oidc.py
View file

@ -1,7 +1,7 @@
"""OIDC authentication routes — redirect to provider and handle callback.""" """OIDC authentication routes — redirect to provider and handle callback."""
from loguru import logger from loguru import logger
from nicegui import app from nicegui import app, ui
from fastapi import Request from fastapi import Request
from fastapi.responses import RedirectResponse from fastapi.responses import RedirectResponse
@ -43,17 +43,42 @@ async def oidc_callback(provider_id: str, request: Request):
logger.error("OIDC token exchange failed for {}: {}", provider_id, e) logger.error("OIDC token exchange failed for {}: {}", provider_id, e)
return RedirectResponse(url="/login") return RedirectResponse(url="/login")
# Extract user info: try userinfo from token, then userinfo endpoint, then ID token claims
userinfo = token.get("userinfo") userinfo = token.get("userinfo")
if not userinfo: if not userinfo:
try: try:
userinfo = await client.userinfo() userinfo = await client.userinfo(token=token)
except Exception as e: except Exception as e:
logger.error("OIDC userinfo failed for {}: {}", provider_id, e) logger.debug("OIDC userinfo endpoint failed for {}: {}", provider_id, e)
return RedirectResponse(url="/login") userinfo = None
email = userinfo.get("email") # Fallback: decode the ID token for claims
if not userinfo or not userinfo.get("email"):
id_token = token.get("id_token")
if id_token:
try:
from jose import jwt as jose_jwt
# Decode without verification — we already verified during token exchange
claims = jose_jwt.get_unverified_claims(id_token)
userinfo = userinfo or {}
if not userinfo.get("email"):
userinfo["email"] = claims.get("email")
if not userinfo.get("sub"):
userinfo["sub"] = claims.get("sub")
logger.debug("OIDC: extracted claims from ID token: {}", claims)
except Exception as e:
logger.debug("OIDC: failed to decode ID token: {}", e)
email = (userinfo or {}).get("email")
# Fallback: if sub looks like an email, use it
if not email: if not email:
logger.error("OIDC provider {} did not return email", provider_id) sub = (userinfo or {}).get("sub", "")
if "@" in sub:
email = sub
logger.debug("OIDC: using sub as email: {}", email)
if not email:
logger.error("OIDC provider {} did not return email. Token keys: {}, userinfo: {}",
provider_id, list(token.keys()), userinfo)
return RedirectResponse(url="/login") return RedirectResponse(url="/login")
provider_config = await get_provider_config(provider_id) provider_config = await get_provider_config(provider_id)
@ -111,11 +136,30 @@ async def oidc_callback(provider_id: str, request: Request):
logger.info("OIDC login: {} via {}", email, provider_id) logger.info("OIDC login: {} via {}", email, provider_id)
# Set NiceGUI session — store in Starlette session since we're in a plain route # Store auth data in Starlette session — will be picked up by /auth/complete
request.session["authenticated"] = True request.session["oidc_user_id"] = str(user.id)
request.session["user_id"] = str(user.id) request.session["oidc_email"] = user.email
request.session["email"] = user.email request.session["oidc_role"] = user.role
request.session["role"] = user.role
request.session["theme_preference"] = user.theme_preference
return RedirectResponse(url="/") return RedirectResponse(url="/auth/complete")
@ui.page("/auth/complete")
def auth_complete_page(request: Request):
"""Bridge page: transfer OIDC auth from Starlette session to NiceGUI storage."""
user_id = request.session.pop("oidc_user_id", None)
email = request.session.pop("oidc_email", None)
role = request.session.pop("oidc_role", None)
if not user_id or not email:
logger.warning("Auth complete page called without OIDC session data")
return ui.navigate.to("/login")
app.storage.user.update(
authenticated=True,
user_id=user_id,
email=email,
role=role or "unprivileged",
)
logger.info("OIDC auth completed for {} — session transferred to NiceGUI", email)
ui.navigate.to("/")

11
wiregui/pages/auth_saml.py
View file

@ -101,14 +101,13 @@ async def saml_callback(provider_id: str, request: Request):
session.add(user) session.add(user)
await session.commit() await session.commit()
request.session["authenticated"] = True # Store auth data in Starlette session — picked up by /auth/complete
request.session["user_id"] = str(user.id) request.session["oidc_user_id"] = str(user.id)
request.session["email"] = user.email request.session["oidc_email"] = user.email
request.session["role"] = user.role request.session["oidc_role"] = user.role
request.session["theme_preference"] = user.theme_preference
logger.info("SAML login: {} via {}", email, provider_id) logger.info("SAML login: {} via {}", email, provider_id)
return RedirectResponse(url="/", status_code=303) return RedirectResponse(url="/auth/complete", status_code=303)
except Exception as e: except Exception as e:
logger.error("SAML callback failed for {}: {}", provider_id, e) logger.error("SAML callback failed for {}: {}", provider_id, e)

154
wiregui/pages/devices.py
View file

@ -60,12 +60,15 @@ async def devices_page():
return list(result.scalars().all()) return list(result.scalars().all())
async def refresh_table(): async def refresh_table():
from wiregui.utils.time import connection_status
devices = await load_devices() devices = await load_devices()
table.rows = [ table.rows = [
{ {
"id": str(d.id), "id": str(d.id),
"name": d.name, "name": d.name,
"description": d.description or "", "description": d.description or "",
"status_color": connection_status(d.latest_handshake)[0],
"status_label": connection_status(d.latest_handshake)[1],
"ipv4": d.ipv4 or "-", "ipv4": d.ipv4 or "-",
"ipv6": d.ipv6 or "-", "ipv6": d.ipv6 or "-",
"public_key": d.public_key[:16] + "...", "public_key": d.public_key[:16] + "...",
@ -173,7 +176,8 @@ async def devices_page():
await refresh_table() await refresh_table()
def on_row_click(e): def on_row_click(e):
ui.navigate.to(f"/devices/{e.args['id']}") row = e.args[1] if isinstance(e.args, list) else e.args
ui.navigate.to(f"/devices/{row['id']}")
# --- Page content --- # --- Page content ---
with ui.column().classes("w-full p-4"): with ui.column().classes("w-full p-4"):
@ -182,6 +186,7 @@ async def devices_page():
ui.button("Add Device", icon="add", on_click=lambda: create_dialog.open()).props("color=primary") ui.button("Add Device", icon="add", on_click=lambda: create_dialog.open()).props("color=primary")
columns = [ columns = [
{"name": "status", "label": "", "field": "status_label", "align": "center"},
{"name": "name", "label": "Name", "field": "name", "align": "left", "sortable": True}, {"name": "name", "label": "Name", "field": "name", "align": "left", "sortable": True},
{"name": "ipv4", "label": "IPv4", "field": "ipv4", "align": "left"}, {"name": "ipv4", "label": "IPv4", "field": "ipv4", "align": "left"},
{"name": "ipv6", "label": "IPv6", "field": "ipv6", "align": "left"}, {"name": "ipv6", "label": "IPv6", "field": "ipv6", "align": "left"},
@ -193,6 +198,15 @@ async def devices_page():
] ]
table = ui.table(columns=columns, rows=[], row_key="id").classes("w-full") table = ui.table(columns=columns, rows=[], row_key="id").classes("w-full")
table.on("rowClick", on_row_click) table.on("rowClick", on_row_click)
table.add_slot(
"body-cell-status",
'''
<q-td :props="props">
<q-badge :color="props.row.status_color" rounded class="q-mr-sm" />
<span class="text-caption">{{ props.row.status_label }}</span>
</q-td>
''',
)
table.add_slot( table.add_slot(
"body-cell-actions", "body-cell-actions",
''' '''
@ -248,8 +262,7 @@ async def devices_page():
await refresh_table() await refresh_table()
# Auto-refresh stats every 30 seconds ui.timer(5, refresh_table)
ui.timer(30, refresh_table)
@ui.page("/devices/{device_id}") @ui.page("/devices/{device_id}")
@ -260,9 +273,10 @@ async def device_detail_page(device_id: str):
layout() layout()
user_id = UUID(app.storage.user["user_id"]) user_id = UUID(app.storage.user["user_id"])
role = app.storage.user.get("role", "")
async with async_session() as sess: async with async_session() as sess:
device = await sess.get(Device, UUID(device_id)) device = await sess.get(Device, UUID(device_id))
if not device or device.user_id != user_id: if not device or (device.user_id != user_id and role != "admin"):
ui.label("Device not found").classes("text-h5 text-negative p-4") ui.label("Device not found").classes("text-h5 text-negative p-4")
return return
@ -341,32 +355,133 @@ async def device_detail_page(device_id: str):
# Traffic stats (live-updating) # Traffic stats (live-updating)
with ui.card().classes("w-full q-mt-md"): with ui.card().classes("w-full q-mt-md"):
ui.label("Traffic Stats").classes("text-subtitle1 text-bold") ui.label("Traffic Stats").classes("text-subtitle1 text-bold")
ui.label("Auto-refreshes every 30s").classes("text-caption text-grey")
ui.separator() ui.separator()
with ui.grid(columns=2).classes("w-full gap-2 q-pa-sm"): from wiregui.utils.time import connection_status
_color, _label = connection_status(device.latest_handshake)
with ui.row().classes("items-center gap-2 q-pa-sm"):
stat_badge = ui.badge("", color=_color).props("rounded")
stat_status = ui.label(_label).classes("text-caption")
with ui.grid(columns=3).classes("w-full gap-2 q-pa-sm"):
ui.label("RX:").classes("text-bold") ui.label("RX:").classes("text-bold")
stat_rx = ui.label(_format_bytes(device.rx_bytes)) stat_rx = ui.label(_format_bytes(device.rx_bytes))
stat_rx_rate = ui.label("").classes("text-caption text-grey")
ui.label("TX:").classes("text-bold") ui.label("TX:").classes("text-bold")
stat_tx = ui.label(_format_bytes(device.tx_bytes)) stat_tx = ui.label(_format_bytes(device.tx_bytes))
stat_tx_rate = ui.label("").classes("text-caption text-grey")
ui.label("Last Handshake:").classes("text-bold") ui.label("Last Handshake:").classes("text-bold")
stat_handshake = ui.label(str(device.latest_handshake)[:19] if device.latest_handshake else "-") stat_handshake = ui.label(str(device.latest_handshake)[:19] if device.latest_handshake else "-")
ui.label("") # spacer
ui.label("Remote IP:").classes("text-bold") ui.label("Remote IP:").classes("text-bold")
stat_remote = ui.label(device.remote_ip or "-") stat_remote = ui.label(device.remote_ip or "-")
ui.label("") # spacer
# Traffic chart
MAX_CHART_POINTS = 60
_chart_times: list[str] = []
_chart_rx: list[float] = []
_chart_tx: list[float] = []
with ui.card().classes("w-full q-mt-md"):
ui.label("Traffic Rate").classes("text-subtitle1 text-bold")
ui.separator()
traffic_chart = ui.echart({
"tooltip": {
"trigger": "axis",
":valueFormatter": """(v) => {
if (v >= 1048576) return (v / 1048576).toFixed(1) + ' MB/s';
if (v >= 1024) return (v / 1024).toFixed(1) + ' KB/s';
return v.toFixed(0) + ' B/s';
}""",
},
"legend": {"data": ["RX/s", "TX/s"], "right": 20, "top": 5},
"xAxis": {"type": "category", "data": [], "boundaryGap": False},
"yAxis": {
"type": "value",
"axisLabel": {
":formatter": """(v) => {
if (v >= 1073741824) return (v / 1073741824).toFixed(1) + ' GB/s';
if (v >= 1048576) return (v / 1048576).toFixed(1) + ' MB/s';
if (v >= 1024) return (v / 1024).toFixed(1) + ' KB/s';
return v.toFixed(0) + ' B/s';
}""",
},
},
"series": [
{
"name": "RX/s",
"type": "line",
"smooth": True,
"symbol": "none",
"areaStyle": {"opacity": 0.15},
"lineStyle": {"width": 2},
"itemStyle": {"color": "#3598C3"},
"data": [],
},
{
"name": "TX/s",
"type": "line",
"smooth": True,
"symbol": "none",
"areaStyle": {"opacity": 0.15},
"lineStyle": {"width": 2},
"itemStyle": {"color": "#5AA6B9"},
"data": [],
},
],
"grid": {"left": 60, "right": 20, "top": 40, "bottom": 30},
}).classes("w-full").style("height: 250px")
_prev_rx = device.rx_bytes or 0
_prev_tx = device.tx_bytes or 0
_prev = {"rx": _prev_rx, "tx": _prev_tx}
async def refresh_stats(): async def refresh_stats():
from wiregui.utils.time import connection_status
from datetime import datetime
async with async_session() as session: async with async_session() as session:
d = await session.get(Device, UUID(device_id)) d = await session.get(Device, UUID(device_id))
if not d: if not d:
return return
# Compute rates
cur_rx = d.rx_bytes or 0
cur_tx = d.tx_bytes or 0
rx_rate = max(0, (cur_rx - _prev["rx"]) / 5)
tx_rate = max(0, (cur_tx - _prev["tx"]) / 5)
_prev["rx"] = cur_rx
_prev["tx"] = cur_tx
# Update labels
stat_rx.text = _format_bytes(d.rx_bytes) stat_rx.text = _format_bytes(d.rx_bytes)
stat_tx.text = _format_bytes(d.tx_bytes) stat_tx.text = _format_bytes(d.tx_bytes)
stat_rx_rate.text = f"({_format_bytes(int(rx_rate))}/s)"
stat_tx_rate.text = f"({_format_bytes(int(tx_rate))}/s)"
stat_handshake.text = str(d.latest_handshake)[:19] if d.latest_handshake else "-" stat_handshake.text = str(d.latest_handshake)[:19] if d.latest_handshake else "-"
stat_remote.text = d.remote_ip or "-" stat_remote.text = d.remote_ip or "-"
color, label = connection_status(d.latest_handshake)
stat_badge.props(f'color={color}')
stat_status.text = label
ui.timer(30, refresh_stats) # Update chart
now = datetime.now().strftime("%H:%M:%S")
_chart_times.append(now)
_chart_rx.append(round(rx_rate, 1))
_chart_tx.append(round(tx_rate, 1))
if len(_chart_times) > MAX_CHART_POINTS:
_chart_times.pop(0)
_chart_rx.pop(0)
_chart_tx.pop(0)
traffic_chart.options["xAxis"]["data"] = _chart_times
traffic_chart.options["series"][0]["data"] = _chart_rx
traffic_chart.options["series"][1]["data"] = _chart_tx
traffic_chart.update()
ui.timer(5, refresh_stats)
# Active configuration # Active configuration
with ui.card().classes("w-full q-mt-md"): with ui.card().classes("w-full q-mt-md"):
@ -463,25 +578,28 @@ async def device_detail_page(device_id: str):
def _show_config_dialog(device_name: str, config_text: str): def _show_config_dialog(device_name: str, config_text: str):
"""Show a dialog with the WireGuard client configuration and QR code.""" """Show a dialog with the WireGuard client configuration and QR code."""
with ui.dialog(value=True) as dialog: with ui.dialog(value=True) as dialog:
with ui.card().classes("w-96"): with ui.card().classes("w-[700px] max-w-[90vw]"):
ui.label(f"Config for {device_name}").classes("text-h6") ui.label(f"Config for {device_name}").classes("text-h6")
ui.label("Save this — the private key won't be shown again.").classes("text-caption text-negative") ui.label("Save this — the private key won't be shown again.").classes("text-caption text-negative q-mb-sm")
ui.textarea(value=config_text).props("readonly outlined").classes( ui.code(config_text, language="ini").classes("w-full")
"w-full font-mono text-xs q-mt-sm"
).style("min-height: 200px")
try: try:
qr = qrcode.make(config_text, image_factory=qrcode.image.svg.SvgPathImage) import base64
qr = qrcode.make(config_text)
buf = io.BytesIO() buf = io.BytesIO()
qr.save(buf) qr.save(buf, format="PNG")
ui.html(buf.getvalue().decode()).classes("w-full q-mt-sm").style("background: white; padding: 8px; border-radius: 8px") b64 = base64.b64encode(buf.getvalue()).decode()
with ui.row().classes("w-full justify-center q-mt-md"):
ui.image(f"data:image/png;base64,{b64}").style(
"width: 200px; height: 200px; border-radius: 8px"
)
except Exception: except Exception:
ui.label("QR code generation failed").classes("text-caption text-grey") ui.label("QR code generation failed").classes("text-caption text-grey")
with ui.row().classes("w-full gap-2 q-mt-md"):
ui.button( ui.button(
"Download .conf", "Download .conf",
on_click=lambda: ui.download(config_text.encode(), f"{device_name}.conf"), on_click=lambda: ui.download(config_text.encode(), f"{device_name}.conf"),
).props("color=primary unelevated").classes("w-full q-mt-sm") ).props("color=primary unelevated").classes("flex-grow")
ui.button("Close", on_click=dialog.close).props("flat")
ui.button("Close", on_click=dialog.close).props("flat").classes("w-full")

1
wiregui/pages/layout.py
View file

@ -64,6 +64,7 @@ def layout(title: str = "WireGUI"):
with ui.header().classes("items-center justify-between"): with ui.header().classes("items-center justify-between"):
with ui.row().classes("items-center"): with ui.row().classes("items-center"):
ui.button(icon="menu", on_click=lambda: drawer.toggle()).props("flat color=white") ui.button(icon="menu", on_click=lambda: drawer.toggle()).props("flat color=white")
ui.image("/img/wiregui.svg").classes("w-8 h-8")
ui.label("WireGUI").classes("text-h6") ui.label("WireGUI").classes("text-h6")
with ui.row().classes("items-center"): with ui.row().classes("items-center"):
if role == "admin": if role == "admin":

24
wiregui/pages/login.py
View file

@ -1,4 +1,4 @@
"""Login page — email/password, MFA redirect, OIDC provider buttons.""" """Login page — email/password, MFA redirect, OIDC/SAML provider buttons."""
from nicegui import app, ui from nicegui import app, ui
from sqlmodel import select from sqlmodel import select
@ -6,6 +6,7 @@ from sqlmodel import select
from wiregui.auth.oidc import load_providers from wiregui.auth.oidc import load_providers
from wiregui.auth.session import authenticate_user from wiregui.auth.session import authenticate_user
from wiregui.db import async_session from wiregui.db import async_session
from wiregui.models.configuration import Configuration
from wiregui.models.mfa_method import MFAMethod from wiregui.models.mfa_method import MFAMethod
from wiregui.pages.style import apply_style from wiregui.pages.style import apply_style
from wiregui.utils.time import utcnow from wiregui.utils.time import utcnow
@ -18,9 +19,13 @@ async def login_page():
apply_style() apply_style()
# Load OIDC providers for SSO buttons # Load SSO providers for login buttons
oidc_providers = await load_providers() oidc_providers = await load_providers()
async with async_session() as session:
config = (await session.execute(select(Configuration).limit(1))).scalar_one_or_none()
saml_providers = config.saml_identity_providers if config else []
async def try_login(): async def try_login():
user = await authenticate_user(email.value, password.value) user = await authenticate_user(email.value, password.value)
if user is None: if user is None:
@ -62,6 +67,8 @@ async def login_page():
ui.navigate.to("/") ui.navigate.to("/")
with ui.column().classes("absolute-center items-center"): with ui.column().classes("absolute-center items-center"):
with ui.row().classes("items-center gap-3"):
ui.image("/img/wiregui.svg").classes("w-16 h-16")
ui.label("WireGUI").classes("text-h4 text-bold") ui.label("WireGUI").classes("text-h4 text-bold")
ui.label("Sign in to your account").classes("text-subtitle1 q-mb-md") ui.label("Sign in to your account").classes("text-subtitle1 q-mb-md")
@ -74,8 +81,8 @@ async def login_page():
password.on("keydown.enter", try_login) password.on("keydown.enter", try_login)
# OIDC provider buttons # SSO provider buttons
if oidc_providers: if oidc_providers or saml_providers:
ui.separator().classes("q-my-md") ui.separator().classes("q-my-md")
ui.label("Or sign in with").classes("text-caption text-center w-full") ui.label("Or sign in with").classes("text-caption text-center w-full")
for provider in oidc_providers: for provider in oidc_providers:
@ -83,5 +90,12 @@ async def login_page():
label = provider.get("label", pid) label = provider.get("label", pid)
ui.button( ui.button(
label, label,
on_click=lambda p=pid: ui.navigate.to(f"/auth/oidc/{p}"), on_click=lambda p=pid: ui.run_javascript(f"window.location.href='/auth/oidc/{p}'"),
).props("color=primary unelevated").classes("w-full q-mt-xs")
for provider in saml_providers:
pid = provider.get("id", "")
label = provider.get("label", pid)
ui.button(
label,
on_click=lambda p=pid: ui.run_javascript(f"window.location.href='/auth/saml/{p}'"),
).props("color=primary unelevated").classes("w-full q-mt-xs") ).props("color=primary unelevated").classes("w-full q-mt-xs")

58
wiregui/pages/style.py
View file

@ -2,19 +2,65 @@
from nicegui import ui from nicegui import ui
# Logo palette
_NAVY = "#0E2747"
_BLUE = "#3598C3"
_TEAL = "#5AA6B9"
_TEAL_LIGHT = "#7AC7D6"
_MID_BLUE = "#325F7B"
def apply_style(): def apply_style():
"""Add Manrope font and global CSS overrides. Call once per page.""" """Add Manrope font, logo-based color theme, and global CSS overrides. Call once per page."""
ui.add_head_html( ui.add_head_html(
'<link rel="preconnect" href="https://fonts.googleapis.com">' '<link rel="preconnect" href="https://fonts.googleapis.com">'
'<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>' '<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>'
'<link href="https://fonts.googleapis.com/css2?family=Manrope:wght@200..800&display=swap" rel="stylesheet">' '<link href="https://fonts.googleapis.com/css2?family=Manrope:wght@200..800&display=swap" rel="stylesheet">'
) )
ui.add_css(""" ui.add_css(f"""
body, input, button, select, textarea { body, input, button, select, textarea {{
font-family: 'Manrope', sans-serif !important; font-family: 'Manrope', sans-serif !important;
} }}
code, .font-mono, .q-table__container .monospace { code, .font-mono, .q-table__container .monospace {{
font-family: 'JetBrains Mono', 'Fira Code', monospace !important; font-family: 'JetBrains Mono', 'Fira Code', monospace !important;
} }}
/* ---- Light theme colors ---- */
:root {{
--q-primary: {_BLUE};
--q-secondary: {_TEAL};
--q-accent: {_TEAL_LIGHT};
--q-dark: {_NAVY};
--q-positive: #21BA45;
--q-negative: #C10015;
--q-info: {_MID_BLUE};
--q-warning: #F2C037;
}}
/* Header bar */
.q-header {{
background: linear-gradient(135deg, {_NAVY} 0%, {_MID_BLUE} 100%) !important;
}}
/* Left drawer */
.q-drawer {{
border-right-color: {_TEAL}33 !important;
}}
/* ---- Dark theme overrides ---- */
body.body--dark {{
--q-primary: {_TEAL};
--q-secondary: {_BLUE};
--q-accent: {_TEAL_LIGHT};
--q-dark: {_NAVY};
--q-info: {_TEAL_LIGHT};
}}
body.body--dark .q-header {{
background: linear-gradient(135deg, {_NAVY} 0%, #1a3a5c 100%) !important;
}}
body.body--dark .q-drawer {{
border-right-color: {_MID_BLUE}44 !important;
}}
""") """)

31
wiregui/services/firewall.py
View file

@ -129,10 +129,17 @@ async def apply_rule(user_id: str, destination: str, action: str, port_type: str
async def rebuild_all_rules(users_devices_rules: list[dict]) -> None: async def rebuild_all_rules(users_devices_rules: list[dict]) -> None:
"""Full reconciliation: flush and rebuild all per-user chains from DB state. """Full reconciliation: flush and rebuild all per-user chains from DB state.
Removes orphaned user chains that are no longer in the DB.
Args: Args:
users_devices_rules: list of dicts with keys: users_devices_rules: list of dicts with keys:
user_id, devices (list of {ipv4, ipv6}), rules (list of {destination, action, port_type, port_range}) user_id, devices (list of {ipv4, ipv6}), rules (list of {destination, action, port_type, port_range})
""" """
# Discover existing user_ chains so we can remove orphans
existing_user_chains = await _list_user_chains()
expected_chains = {_user_chain_name(e["user_id"]) for e in users_devices_rules}
orphaned_chains = existing_user_chains - expected_chains
commands = [] commands = []
for entry in users_devices_rules: for entry in users_devices_rules:
@ -162,8 +169,15 @@ async def rebuild_all_rules(users_devices_rules: list[dict]) -> None:
if dev.get("ipv6"): if dev.get("ipv6"):
commands.append(f"add rule inet {TABLE_NAME} forward ip6 saddr {dev['ipv6']} jump {chain}") commands.append(f"add rule inet {TABLE_NAME} forward ip6 saddr {dev['ipv6']} jump {chain}")
if commands: # Remove orphaned user chains (must happen after forward chain is flushed
# so there are no remaining jump references to these chains)
for chain in orphaned_chains:
commands.append(f"flush chain inet {TABLE_NAME} {chain}")
commands.append(f"delete chain inet {TABLE_NAME} {chain}")
await _nft_batch(commands) await _nft_batch(commands)
if orphaned_chains:
logger.info("Removed {} orphaned firewall chain(s): {}", len(orphaned_chains), orphaned_chains)
logger.info("Firewall rules rebuilt for {} users", len(users_devices_rules)) logger.info("Firewall rules rebuilt for {} users", len(users_devices_rules))
@ -235,6 +249,21 @@ async def get_ruleset() -> str:
return "nftables is not available.\n\nThis requires root/NET_ADMIN privileges (production container)." return "nftables is not available.\n\nThis requires root/NET_ADMIN privileges (production container)."
async def _list_user_chains() -> set[str]:
"""Return the set of user_ chain names currently in the wiregui table."""
try:
output = await _nft(f"list table inet {TABLE_NAME}")
except RuntimeError:
return set()
chains = set()
for line in output.splitlines():
line = line.strip()
if line.startswith("chain user_"):
name = line.split()[1]
chains.add(name)
return chains
def _user_chain_name(user_id: str) -> str: def _user_chain_name(user_id: str) -> str:
"""Generate a deterministic chain name from a user ID.""" """Generate a deterministic chain name from a user ID."""
# Use first 12 chars of UUID (without hyphens) to keep names short # Use first 12 chars of UUID (without hyphens) to keep names short

1
wiregui/tasks/reconcile.py
View file

@ -83,7 +83,6 @@ async def _reconcile_firewall(devices: list[Device], rules: list[Rule]) -> None:
], ],
}) })
if entries:
try: try:
await firewall.rebuild_all_rules(entries) await firewall.rebuild_all_rules(entries)
except Exception as e: except Exception as e:

17
wiregui/utils/time.py
View file

@ -4,3 +4,20 @@ from datetime import UTC, datetime
def utcnow() -> datetime: def utcnow() -> datetime:
"""Return current UTC time as a naive datetime (for Postgres TIMESTAMP WITHOUT TIME ZONE).""" """Return current UTC time as a naive datetime (for Postgres TIMESTAMP WITHOUT TIME ZONE)."""
return datetime.now(UTC).replace(tzinfo=None) return datetime.now(UTC).replace(tzinfo=None)
def connection_status(latest_handshake: datetime | None) -> tuple[str, str]:
"""Return (color, label) based on handshake age.
Green: handshake < 2 min
Yellow: handshake < 5 min
Red: no recent handshake or never connected
"""
if latest_handshake is None:
return "red", "offline"
age = (utcnow() - latest_handshake).total_seconds()
if age < 120:
return "green", "online"
if age < 300:
return "yellow", "idle"
return "red", "offline"