roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent test runs from corrupting live WG state; sync wg0.conf on IP change

Browse Source 
Three fixes:

1. Extend the docker-exec safety guard in wireguard_manager to also check
   for 'wg_confs' in the config path.  When running unit tests on the host
   the API uses /app/config/wireguard/wg0.conf (no wg_confs subdir), so the
   old '/tmp/' | 'pytest' check didn't fire — _syncconf and friends were
   executing live 'docker exec cell-wireguard wg set' calls against the
   running container, removing real VPN peers that didn't appear in the
   test config.  The wg_confs subdir only exists inside the container mount,
   so its presence reliably gates live calls.

2. Fix get_split_tunnel_ips() wrong path: self.data_dir + 'api/cell_links.json'
   → self.data_dir + 'cell_links.json'.  The extra 'api/' segment produced
   /app/data/api/cell_links.json inside the container instead of the real
   /app/data/cell_links.json, so connected cells were silently excluded from
   split-tunnel CIDRs.

3. update_peer_ip_registry and ip_update now also call
   wireguard_manager.update_peer_ip so wg0.conf AllowedIPs stay in sync when
   a peer's VPN IP changes at runtime (previously only peers.json was updated).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-05-02 07:45:28 -04:00
parent 99c1d9cd92
commit 0e16d6968a
3 changed files with 26 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_wireguard_manager.py
+2 -2
View File
@@ -828,7 +828,7 @@ class TestCellRoutes(unittest.TestCase):
def test_ensure_cell_route_calls_ip_route_add(self):
"""Outside test dirs, _ensure_cell_route calls docker exec ip route add."""
with patch.object(self.wg, '_config_file', return_value='/app/config/wireguard/wg0.conf'):
with patch.object(self.wg, '_config_file', return_value='/app/config/wireguard/wg_confs/wg0.conf'):
with patch('subprocess.run') as mock_run:
mock_run.return_value = MagicMock(returncode=0)
self.wg._ensure_cell_route('10.1.0.0/24')
@@ -849,7 +849,7 @@ class TestCellRoutes(unittest.TestCase):
'[Peer]\n# alice\nPublicKey = YWxpY2VwdWJrZXlfZm9yX3Rlc3RzX3dndGVzdDEyMyE=\n'
'AllowedIPs = 10.0.0.2/32\nPersistentKeepalive = 25\n'
)
with patch.object(self.wg, '_config_file', return_value='/app/config/wireguard/wg0.conf'):
with patch.object(self.wg, '_config_file', return_value='/app/config/wireguard/wg_confs/wg0.conf'):
with patch.object(self.wg, '_read_config', return_value=conf):
with patch('subprocess.run') as mock_run:
mock_run.return_value = MagicMock(returncode=0)