feat: Phase 3 - per-peer internet routing via exit cell

Adds the ability to route a specific peer's internet traffic through a connected cell acting as an exit relay. Cell A side: - PUT /api/peers/<peer>/route-via {"via_cell": "cellB"} sets route_via - Updates WG AllowedIPs to include 0.0.0.0/0 for the exit cell peer - Adds ip rule + ip route in policy table inside cell-wireguard so the specific peer's traffic egresses via cellB's WG IP - Sets exit_relay_active on the cell link and pushes use_as_exit_relay=True to cellB via peer-sync Cell B side: - Receives use_as_exit_relay in the peer-sync payload - Calls apply_cell_rules(..., exit_relay=True) to add FORWARD -o eth0 ACCEPT - Stores remote_exit_relay_active flag for startup recovery Startup recovery: - apply_all_cell_rules passes exit_relay=remote_exit_relay_active (cellB) - _apply_startup_enforcement reapplies ip rule for each peer with route_via (cellA) since policy routing rules don't survive container restart peer_registry gets route_via field with lazy migration. 22 new tests across test_cell_link_manager, test_peer_registry, test_peer_route_via. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-01 16:23:31 -04:00
parent dcee03dd3f
commit 8ea834e108
11 changed files with 547 additions and 11 deletions
@@ -275,6 +275,19 @@ def _apply_startup_enforcement():
        firewall_manager.apply_all_dns_rules(peers, COREFILE_PATH, _configured_domain(),
                                             cell_links=cell_links)
        logger.info(f"Applied enforcement rules for {len(peers)} peers, {len(cell_links)} cells on startup")
        # Phase 3: reapply policy routing rules for peers whose internet traffic is
        # routed through an exit cell (ip rule entries don't survive container restart)
        cell_links_map = {l['cell_name']: l for l in cell_links}
        for peer in peers:
            via_cell = peer.get('route_via')
            if not via_cell:
                continue
            link = cell_links_map.get(via_cell)
            if not link:
                continue
            peer_ip = peer.get('ip', '').split('/')[0]
            if peer_ip:
                wireguard_manager.apply_peer_route_via(peer_ip, via_wg_ip=link['dns_ip'])
        sync_summary = cell_link_manager.replay_pending_pushes()
        if sync_summary.get('attempted'):
            logger.info(f"Startup permission sync: {sync_summary}")
@@ -84,6 +84,13 @@ class CellLinkManager:
                    if 'remote_exit_offered' not in link:
                        link['remote_exit_offered'] = False
                        changed = True
                    # Phase 3 migration: per-peer internet routing
                    if 'exit_relay_active' not in link:
                        link['exit_relay_active'] = False
                        changed = True
                    if 'remote_exit_relay_active' not in link:
                        link['remote_exit_relay_active'] = False
                        changed = True
                if changed:
                    self._save(links)
                return links
@@ -154,6 +161,7 @@ class CellLinkManager:
                'inbound':  dict(perms.get('outbound', {})),
            },
            'exit_offered': bool(link.get('exit_offered', False)),
            'use_as_exit_relay': bool(link.get('exit_relay_active', False)),
            'sent_at': datetime.utcnow().isoformat() + 'Z',
        }
        payload = json.dumps(body)
@@ -239,7 +247,8 @@ class CellLinkManager:
    def apply_remote_permissions(self, from_public_key: str,
                                 permissions: Dict[str, Any],
-                                 exit_offered: bool = False) -> Dict[str, Any]:
+                                 exit_offered: bool = False,
                                 use_as_exit_relay: bool = False) -> Dict[str, Any]:
        """Store permissions pushed by a remote cell (identified by WG public key).
        Validates service names, persists, and re-applies local iptables rules.
@@ -257,13 +266,15 @@ class CellLinkManager:
        link['permissions'] = {'inbound': clean_inbound, 'outbound': clean_outbound}
        link['remote_exit_offered'] = bool(exit_offered)
        link['remote_exit_relay_active'] = bool(use_as_exit_relay)
        link['last_remote_update_at'] = datetime.utcnow().isoformat()
        self._save(links)
        inbound_list = [s for s, v in clean_inbound.items() if v]
        try:
            import firewall_manager as _fm
-            _fm.apply_cell_rules(link['cell_name'], link['vpn_subnet'], inbound_list)
+            _fm.apply_cell_rules(link['cell_name'], link['vpn_subnet'], inbound_list,
                                 exit_relay=use_as_exit_relay)
        except Exception as e:
            logger.warning(
                f"apply_cell_rules after remote push for '{link['cell_name']}' "
@@ -470,6 +481,22 @@ class CellLinkManager:
        self._try_push(cell_name, link)
        return link
    def set_exit_relay_active(self, cell_name: str, active: bool) -> Dict[str, Any]:
        """Record that THIS cell is routing a peer's internet traffic via cell_name.
        Persists the flag locally and pushes updated state to the remote cell so
        it can enable/disable the FORWARD-to-eth0 rule on its side.
        Returns the updated link record.
        """
        links = self._load()
        link = next((l for l in links if l['cell_name'] == cell_name), None)
        if not link:
            raise ValueError(f"Cell '{cell_name}' not found")
        link['exit_relay_active'] = bool(active)
        self._save(links)
        self._try_push(cell_name, link)
        return link
    def get_connection_status(self, cell_name: str) -> Dict[str, Any]:
        """Return link record enriched with live WireGuard handshake status."""
        links = self._load()
@@ -262,7 +262,8 @@ def _get_cell_api_ip() -> Optional[str]:
    return r.stdout.strip()
-def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str]) -> bool:
+def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str],
                     exit_relay: bool = False) -> bool:
    """Apply FORWARD rules for a cell-to-cell peer.
    Traffic from vpn_subnet is allowed only to service VIPs listed in
@@ -270,10 +271,15 @@ def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str
    internet or peer access — only explicit service VIPs, plus the
    cell-api port (3000) for permission-sync pushes arriving via DNAT.
-    Rule insertion order (last inserted → top of chain):
+    When exit_relay=True, the remote cell's peers can route internet
    traffic through this cell (Phase 3).  A broad ACCEPT for traffic
    going out eth0 is added below per-service rules but above catch-all.
    Rule insertion order (first inserted = bottom, last inserted = top):
      1. Catch-all DROP for the subnet           (inserted first → bottom)
-      2. Per-service ACCEPT/DROP      (inserted in reversed() order)
+      2. Exit relay ACCEPT (-o eth0)             (if exit_relay, above catch-all)
-      3. API-sync ACCEPT              (inserted last → top, above catch-all)
+      3. Per-service ACCEPT/DROP                 (inserted in reversed() order)
      4. API-sync ACCEPT                         (inserted last → top)
    """
    try:
        tag = _cell_tag(cell_name)
@@ -283,6 +289,13 @@ def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str
        _iptables(['-I', 'FORWARD', '-s', vpn_subnet,
                   '-m', 'comment', '--comment', tag, '-j', 'DROP'])
        # Exit relay ACCEPT — allow internet-bound traffic from this cell's peers.
        # Inserted ABOVE catch-all but BELOW per-service rules so service-level
        # DROP rules still take effect for specific service VIPs.
        if exit_relay:
            _iptables(['-I', 'FORWARD', '-s', vpn_subnet, '-o', 'eth0',
                       '-m', 'comment', '--comment', tag, '-j', 'ACCEPT'])
        # Per-service rules — inserted in reverse dict order, highest-priority last
        for service, svc_ip in reversed(list(SERVICE_IPS.items())):
            target = 'ACCEPT' if service in inbound_services else 'DROP'
@@ -298,7 +311,10 @@ def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str
                       '-p', 'tcp', '--dport', '3000',
                       '-m', 'comment', '--comment', tag, '-j', 'ACCEPT'])
-        logger.info(f"Applied cell rules for {cell_name} ({vpn_subnet}): inbound={inbound_services}")
+        logger.info(
            f"Applied cell rules for {cell_name} ({vpn_subnet}): "
            f"inbound={inbound_services} exit_relay={exit_relay}"
        )
        return True
    except Exception as e:
        logger.error(f"apply_cell_rules({cell_name}): {e}")
@@ -314,7 +330,8 @@ def apply_all_cell_rules(cell_links: List[Dict[str, Any]]) -> None:
            continue
        perms = link.get('permissions', {})
        inbound = [s for s, v in perms.get('inbound', {}).items() if v]
-        apply_cell_rules(name, subnet, inbound)
+        exit_relay = bool(link.get('remote_exit_relay_active', False))
        apply_cell_rules(name, subnet, inbound, exit_relay=exit_relay)
 def ensure_cell_api_dnat() -> bool:
@@ -193,6 +193,14 @@ class PeerRegistry(BaseServiceManager):
                    except Exception as e:
                        self.logger.error(f"Error loading peers: {e}")
                        self.peers = []
                # Phase 3 migration: per-peer internet routing
                changed = False
                for peer in self.peers:
                    if 'route_via' not in peer:
                        peer['route_via'] = None
                        changed = True
                if changed:
                    self._save_peers()
            else:
                self.peers = []
                self.logger.info("No peers file found, starting with empty registry")
@@ -326,6 +334,18 @@ class PeerRegistry(BaseServiceManager):
            self.logger.error(f"Error updating peer {name} IP: {e}")
            return False
    def set_route_via(self, peer_name: str, via_cell: Optional[str]) -> Dict[str, Any]:
        """Set or clear the route_via field on a peer. Returns the updated peer dict."""
        with self.lock:
            for peer in self.peers:
                if peer.get('peer') == peer_name:
                    peer['route_via'] = via_cell
                    peer['updated_at'] = datetime.utcnow().isoformat()
                    self._save_peers()
                    self.logger.info(f"Set route_via for {peer_name}: {via_cell!r}")
                    return dict(peer)
        raise ValueError(f"Peer '{peer_name}' not found")
    def get_peer_stats(self) -> Dict[str, Any]:
        """Get peer registry statistics"""
        try:
@@ -219,8 +219,11 @@ def peer_sync_permissions():
                    return jsonify({'ok': False, 'error': f'unknown service: {svc!r}'}), 400
        exit_offered = bool(data.get('exit_offered', False))
        use_as_exit_relay = bool(data.get('use_as_exit_relay', False))
        from app import cell_link_manager
-        cell_link_manager.apply_remote_permissions(sender_pubkey, perms, exit_offered=exit_offered)
+        cell_link_manager.apply_remote_permissions(sender_pubkey, perms,
                                                   exit_offered=exit_offered,
                                                   use_as_exit_relay=use_as_exit_relay)
        return jsonify({'ok': True, 'applied_at': datetime.utcnow().isoformat()})
    except ValueError as e:
        return jsonify({'ok': False, 'error': str(e)}), 404
@@ -183,6 +183,77 @@ def update_peer(peer_name):
        return jsonify({"error": str(e)}), 500
@bp.route('/api/peers/<peer_name>/route-via', methods=['PUT'])
 def set_peer_route_via(peer_name):
    """Route a peer's internet traffic through a connected exit cell.
    Body: {"via_cell": "cellB"} to enable, {"via_cell": null} to disable.
    On enable: updates WG AllowedIPs and adds policy routing rule inside
    cell-wireguard so the peer's packets egress through the exit cell.
    On disable: reverts AllowedIPs and removes the ip rule.
    Also signals the exit cell to add/remove the FORWARD-to-eth0 firewall rule.
    """
    try:
        from app import peer_registry, wireguard_manager, cell_link_manager
        data = request.get_json(silent=True)
        if data is None or 'via_cell' not in data:
            return jsonify({'error': 'via_cell field required (string or null)'}), 400
        via_cell = data['via_cell']
        if via_cell is not None and not isinstance(via_cell, str):
            return jsonify({'error': 'via_cell must be a string or null'}), 400
        peer = peer_registry.get_peer(peer_name)
        if not peer:
            return jsonify({'error': 'Peer not found'}), 404
        peer_ip = peer.get('ip', '').split('/')[0]
        if not peer_ip:
            return jsonify({'error': 'Peer has no IP assigned'}), 400
        old_via = peer.get('route_via')
        # Remove old routing if switching away from a previous exit cell
        if old_via and old_via != via_cell:
            old_link = next(
                (l for l in cell_link_manager.list_connections()
                 if l['cell_name'] == old_via), None
            )
            if old_link:
                wireguard_manager.update_cell_peer_allowed_ips(
                    old_link['public_key'], old_link['vpn_subnet'],
                    add_default_route=False)
            wireguard_manager.remove_peer_route_via(peer_ip)
            try:
                cell_link_manager.set_exit_relay_active(old_via, False)
            except Exception as e:
                logger.warning(f"set_exit_relay_active(False) for {old_via!r} failed: {e}")
        # Apply new routing
        if via_cell:
            link = next(
                (l for l in cell_link_manager.list_connections()
                 if l['cell_name'] == via_cell), None
            )
            if not link:
                return jsonify({'error': f"Cell {via_cell!r} not connected"}), 404
            wireguard_manager.update_cell_peer_allowed_ips(
                link['public_key'], link['vpn_subnet'], add_default_route=True)
            wireguard_manager.apply_peer_route_via(peer_ip, via_wg_ip=link['dns_ip'])
            try:
                cell_link_manager.set_exit_relay_active(via_cell, True)
            except Exception as e:
                logger.warning(f"set_exit_relay_active(True) for {via_cell!r} failed: {e}")
        updated_peer = peer_registry.set_route_via(peer_name, via_cell)
        return jsonify({'message': f"Route-via for '{peer_name}' updated", 'peer': updated_peer})
    except ValueError as e:
        return jsonify({'error': str(e)}), 404
    except Exception as e:
        logger.error(f"Error setting route-via for {peer_name}: {e}")
        return jsonify({'error': str(e)}), 500
@bp.route('/api/peers/<peer_name>/clear-reinstall', methods=['POST'])
 def clear_peer_reinstall(peer_name):
    try:
@@ -573,6 +573,80 @@ class WireGuardManager(BaseServiceManager):
        except Exception as e:
            logger.warning(f'sync_cell_routes failed (non-fatal): {e}')
    def update_cell_peer_allowed_ips(self, public_key: str,
                                     vpn_subnet: str,
                                     add_default_route: bool = False) -> bool:
        """Update AllowedIPs for a cell peer to optionally include 0.0.0.0/0.
        When add_default_route=True, appends 0.0.0.0/0 to AllowedIPs so that
        traffic destined for the internet is routed through this cell peer
        (Phase 3 exit-relay routing).
        At most one WireGuard peer can have 0.0.0.0/0 in AllowedIPs per
        interface (v1 constraint); callers must remove it from any other cell
        peer before adding it here.
        """
        try:
            if add_default_route:
                new_ips = f'{vpn_subnet}, 0.0.0.0/0'
            else:
                new_ips = vpn_subnet
            return self.update_peer_ip(public_key, new_ips)
        except Exception as e:
            logger.error(f'update_cell_peer_allowed_ips failed: {e}')
            return False
    def apply_peer_route_via(self, peer_ip: str, via_wg_ip: str,
                             table: int = 100) -> bool:
        """Add policy routing inside cell-wireguard so peer_ip traffic uses via_wg_ip.
        Creates a dedicated routing table (table) with a default route via the
        exit cell's WG IP, then adds an ip rule so traffic sourced from peer_ip
        uses that table.
        This is the cell-A side of Phase 3 routing: after this, traffic from
        the local peer (at peer_ip) is sent through the WG tunnel to cell B
        (at via_wg_ip) for internet egress.
        Idempotent: adding a duplicate route/rule returns 0 or EEXIST, which is
        treated as success.
        """
        real_conf = self._config_file()
        if '/tmp/' in real_conf or 'pytest' in real_conf:
            return True
        try:
            def _wg(cmd):
                return subprocess.run(
                    ['docker', 'exec', 'cell-wireguard'] + cmd,
                    capture_output=True, text=True, timeout=5
                )
            # Add default route in the policy table (idempotent via || true)
            _wg(['ip', 'route', 'add', 'default', 'via', via_wg_ip,
                 'dev', 'wg0', 'table', str(table)])
            # Add ip rule: traffic FROM peer_ip uses this table
            _wg(['ip', 'rule', 'add', 'from', f'{peer_ip}/32',
                 'pref', str(table), 'lookup', str(table)])
            logger.info(f'apply_peer_route_via: {peer_ip} → {via_wg_ip} table {table}')
            return True
        except Exception as e:
            logger.error(f'apply_peer_route_via failed: {e}')
            return False
    def remove_peer_route_via(self, peer_ip: str, table: int = 100) -> None:
        """Remove the ip rule for peer_ip added by apply_peer_route_via. Non-fatal."""
        real_conf = self._config_file()
        if '/tmp/' in real_conf or 'pytest' in real_conf:
            return
        try:
            subprocess.run(
                ['docker', 'exec', 'cell-wireguard',
                 'ip', 'rule', 'del', 'from', f'{peer_ip}/32',
                 'pref', str(table), 'lookup', str(table)],
                capture_output=True, timeout=5
            )
        except Exception:
            pass
    def remove_peer(self, public_key: str) -> bool:
        """Remove the [Peer] block matching public_key from wg0.conf."""
        try:
@@ -641,7 +641,8 @@ class TestPermissionSync(unittest.TestCase):
                {'inbound': {'calendar': True, 'files': False, 'mail': False, 'webdav': False},
                 'outbound': {}},
            )
-        mock_rules.assert_called_once_with('office', '10.1.0.0/24', ['calendar'])
+        mock_rules.assert_called_once_with('office', '10.1.0.0/24', ['calendar'],
                                              exit_relay=False)
    # ── replay_pending_pushes ─────────────────────────────────────────────────
@@ -848,5 +849,124 @@ class TestExitOffer(unittest.TestCase):
        self.assertFalse(links[0]['remote_exit_offered'])
 class TestExitRelay(unittest.TestCase):
    """Tests for Phase 3: per-peer internet routing via exit cell."""
    INVITE = {
        'cell_name': 'office',
        'public_key': 'officepubkey=',
        'endpoint': '5.5.5.5:51820',
        'vpn_subnet': '10.1.0.0/24',
        'dns_ip': '10.1.0.1',
        'domain': 'office',
    }
    def setUp(self):
        self.test_dir = tempfile.mkdtemp()
        self.data_dir = os.path.join(self.test_dir, 'data')
        self.config_dir = os.path.join(self.test_dir, 'config')
        os.makedirs(self.data_dir, exist_ok=True)
        os.makedirs(self.config_dir, exist_ok=True)
        self.wg = _make_wg_mock()
        self.net = _make_nm_mock()
        self.mgr = CellLinkManager(self.data_dir, self.config_dir, self.wg, self.net)
    def tearDown(self):
        shutil.rmtree(self.test_dir)
    def _add_office(self):
        with patch('cell_link_manager.CellLinkManager._local_identity',
                   return_value={'cell_name': 'home', 'public_key': 'homepubkey='}), \
             patch('cell_link_manager.CellLinkManager._push_permissions_to_remote',
                   return_value={'ok': True, 'error': None}):
            self.mgr.add_connection(self.INVITE)
    def test_phase3_migration_adds_exit_relay_fields(self):
        """Existing links without Phase 3 fields get them on load."""
        raw = [{'cell_name': 'office', 'public_key': 'officepubkey=',
                'vpn_subnet': '10.1.0.0/24', 'dns_ip': '10.1.0.1',
                'domain': 'office', 'endpoint': '5.5.5.5:51820',
                'permissions': {'inbound': {}, 'outbound': {}},
                'remote_api_url': 'http://10.1.0.1:3000',
                'last_push_status': 'ok', 'last_push_at': None,
                'last_push_error': None, 'pending_push': False,
                'last_remote_update_at': None,
                'exit_offered': False, 'remote_exit_offered': False}]
        with open(os.path.join(self.data_dir, 'cell_links.json'), 'w') as f:
            json.dump(raw, f)
        links = self.mgr.list_connections()
        self.assertIn('exit_relay_active', links[0])
        self.assertIn('remote_exit_relay_active', links[0])
        self.assertFalse(links[0]['exit_relay_active'])
        self.assertFalse(links[0]['remote_exit_relay_active'])
    def test_set_exit_relay_active_persists(self):
        self._add_office()
        with patch('cell_link_manager.CellLinkManager._try_push'):
            link = self.mgr.set_exit_relay_active('office', True)
        self.assertTrue(link['exit_relay_active'])
        self.assertTrue(self.mgr.list_connections()[0]['exit_relay_active'])
    def test_set_exit_relay_active_false_persists(self):
        self._add_office()
        with patch('cell_link_manager.CellLinkManager._try_push'):
            self.mgr.set_exit_relay_active('office', True)
            link = self.mgr.set_exit_relay_active('office', False)
        self.assertFalse(link['exit_relay_active'])
    def test_set_exit_relay_active_triggers_push(self):
        self._add_office()
        push_mock = MagicMock()
        with patch('cell_link_manager.CellLinkManager._try_push', push_mock):
            self.mgr.set_exit_relay_active('office', True)
        push_mock.assert_called_once()
    def test_set_exit_relay_active_unknown_cell_raises(self):
        with self.assertRaises(ValueError):
            self.mgr.set_exit_relay_active('nobody', True)
    def test_push_includes_use_as_exit_relay_true(self):
        self._add_office()
        with patch('cell_link_manager.CellLinkManager._try_push'):
            self.mgr.set_exit_relay_active('office', True)
        captured = []
        def fake_run(cmd, **kw):
            captured.append(cmd)
            r = MagicMock()
            r.returncode = 0
            r.stdout = '200'
            return r
        import json as _json
        with patch('cell_link_manager.CellLinkManager._local_identity',
                   return_value={'cell_name': 'home', 'public_key': 'homepubkey='}), \
             patch('cell_link_manager.subprocess.run', side_effect=fake_run), \
             patch('cell_link_manager.CellLinkManager._local_wg_ip', return_value=None):
            self.mgr._try_push('office', self.mgr.list_connections()[0])
        flat = [arg for cmd in captured for arg in cmd]
        payload_str = next(a for a in flat if a.startswith('{'))
        body = _json.loads(payload_str)
        self.assertIn('use_as_exit_relay', body)
        self.assertTrue(body['use_as_exit_relay'])
    def test_apply_remote_permissions_stores_remote_exit_relay_active(self):
        self._add_office()
        with patch('firewall_manager.apply_cell_rules'):
            self.mgr.apply_remote_permissions('officepubkey=', {},
                                               use_as_exit_relay=True)
        link = self.mgr.list_connections()[0]
        self.assertTrue(link['remote_exit_relay_active'])
    def test_apply_remote_permissions_calls_apply_cell_rules_with_exit_relay_true(self):
        self._add_office()
        with patch('firewall_manager.apply_cell_rules') as mock_rules:
            self.mgr.apply_remote_permissions('officepubkey=', {},
                                               use_as_exit_relay=True)
        mock_rules.assert_called_once_with('office', '10.1.0.0/24', [],
                                           exit_relay=True)
 if __name__ == '__main__':
    unittest.main()
@@ -572,6 +572,7 @@ class TestPeerSyncPermissionsEndpoint(unittest.TestCase):
        mock_clm.apply_remote_permissions.assert_called_once_with(
            'officepubkey=', self._VALID_BODY['permissions'],
            exit_offered=False,
            use_as_exit_relay=False,
        )
    @patch('app.cell_link_manager')
@@ -77,5 +77,35 @@ class TestPeerRegistry(unittest.TestCase):
        registry = PeerRegistry(data_dir=self.test_dir, config_dir=self.test_dir)
        self.assertEqual(registry.list_peers(), [])
    def test_route_via_migration_adds_field(self):
        """Existing peers without route_via get it as None on load."""
        peers_file = os.path.join(self.test_dir, 'peers.json')
        raw = [{'peer': 'alice', 'ip': '10.0.0.5', 'public_key': 'key=',
                'active': True, 'created_at': '2026-01-01T00:00:00'}]
        with open(peers_file, 'w') as f:
            json.dump(raw, f)
        reg = PeerRegistry(data_dir=self.test_dir, config_dir=self.test_dir)
        peer = reg.get_peer('alice')
        self.assertIn('route_via', peer)
        self.assertIsNone(peer['route_via'])
    def test_set_route_via_persists(self):
        self.registry.add_peer({'peer': 'alice', 'ip': '10.0.0.5'})
        updated = self.registry.set_route_via('alice', 'exit-cell')
        self.assertEqual(updated['route_via'], 'exit-cell')
        # Verify it survives a reload
        reloaded = PeerRegistry(data_dir=self.test_dir, config_dir=self.test_dir)
        self.assertEqual(reloaded.get_peer('alice')['route_via'], 'exit-cell')
    def test_set_route_via_clear(self):
        self.registry.add_peer({'peer': 'alice', 'ip': '10.0.0.5'})
        self.registry.set_route_via('alice', 'exit-cell')
        updated = self.registry.set_route_via('alice', None)
        self.assertIsNone(updated['route_via'])
    def test_set_route_via_unknown_peer_raises(self):
        with self.assertRaises(ValueError):
            self.registry.set_route_via('nobody', 'exit-cell')
 if __name__ == '__main__':
    unittest.main() 
@@ -0,0 +1,160 @@
 #!/usr/bin/env python3
 """
 Tests for PUT /api/peers/<peer_name>/route-via.
 Covers:
  - missing via_cell field → 400
  - peer not found → 404
  - connected cell not found → 404
  - enable route-via: calls wg methods and set_exit_relay_active(True)
  - disable route-via: clears wg methods and set_exit_relay_active(False)
  - switching from one exit cell to another removes old routing first
 """
 import sys
 import json
 import unittest
 from pathlib import Path
 from unittest.mock import patch, MagicMock
 api_dir = Path(__file__).parent.parent / 'api'
 sys.path.insert(0, str(api_dir))
 from app import app
 _PEER = {
    'peer': 'alice',
    'ip': '10.0.0.5',
    'public_key': 'alicepubkey=',
    'route_via': None,
    'internet_access': True,
    'service_access': [],
 }
 _CELL_LINK = {
    'cell_name': 'exit-cell',
    'public_key': 'exitcellpubkey=',
    'vpn_subnet': '10.1.0.0/24',
    'dns_ip': '10.1.0.1',
    'remote_exit_relay_active': False,
 }
 class TestSetPeerRouteVia(unittest.TestCase):
    def setUp(self):
        app.config['TESTING'] = True
        self.client = app.test_client()
    def _put(self, peer_name, body):
        return self.client.put(
            f'/api/peers/{peer_name}/route-via',
            data=json.dumps(body),
            content_type='application/json',
        )
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_missing_via_cell_returns_400(self, mock_reg, mock_wg, mock_clm):
        r = self._put('alice', {})
        self.assertEqual(r.status_code, 400)
        data = json.loads(r.data)
        self.assertIn('via_cell', data['error'])
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_peer_not_found_returns_404(self, mock_reg, mock_wg, mock_clm):
        mock_reg.get_peer.return_value = None
        r = self._put('nobody', {'via_cell': 'exit-cell'})
        self.assertEqual(r.status_code, 404)
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_unknown_cell_returns_404(self, mock_reg, mock_wg, mock_clm):
        mock_reg.get_peer.return_value = _PEER
        mock_clm.list_connections.return_value = []
        r = self._put('alice', {'via_cell': 'no-such-cell'})
        self.assertEqual(r.status_code, 404)
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_enable_route_via_calls_wg_methods(self, mock_reg, mock_wg, mock_clm):
        mock_reg.get_peer.return_value = _PEER
        mock_reg.set_route_via.return_value = dict(_PEER, route_via='exit-cell')
        mock_clm.list_connections.return_value = [_CELL_LINK]
        r = self._put('alice', {'via_cell': 'exit-cell'})
        self.assertEqual(r.status_code, 200)
        mock_wg.update_cell_peer_allowed_ips.assert_called_once_with(
            'exitcellpubkey=', '10.1.0.0/24', add_default_route=True)
        mock_wg.apply_peer_route_via.assert_called_once_with(
            '10.0.0.5', via_wg_ip='10.1.0.1')
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_enable_route_via_signals_exit_relay_active(self, mock_reg, mock_wg, mock_clm):
        mock_reg.get_peer.return_value = _PEER
        mock_reg.set_route_via.return_value = dict(_PEER, route_via='exit-cell')
        mock_clm.list_connections.return_value = [_CELL_LINK]
        self._put('alice', {'via_cell': 'exit-cell'})
        mock_clm.set_exit_relay_active.assert_called_once_with('exit-cell', True)
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_disable_route_via_clears_old_routing(self, mock_reg, mock_wg, mock_clm):
        peer_with_via = dict(_PEER, route_via='exit-cell')
        mock_reg.get_peer.return_value = peer_with_via
        mock_reg.set_route_via.return_value = dict(_PEER, route_via=None)
        mock_clm.list_connections.return_value = [_CELL_LINK]
        r = self._put('alice', {'via_cell': None})
        self.assertEqual(r.status_code, 200)
        mock_wg.update_cell_peer_allowed_ips.assert_called_once_with(
            'exitcellpubkey=', '10.1.0.0/24', add_default_route=False)
        mock_wg.remove_peer_route_via.assert_called_once_with('10.0.0.5')
        mock_clm.set_exit_relay_active.assert_called_once_with('exit-cell', False)
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_enable_route_via_persists_field(self, mock_reg, mock_wg, mock_clm):
        mock_reg.get_peer.return_value = _PEER
        updated = dict(_PEER, route_via='exit-cell')
        mock_reg.set_route_via.return_value = updated
        mock_clm.list_connections.return_value = [_CELL_LINK]
        r = self._put('alice', {'via_cell': 'exit-cell'})
        self.assertEqual(r.status_code, 200)
        mock_reg.set_route_via.assert_called_once_with('alice', 'exit-cell')
        data = json.loads(r.data)
        self.assertEqual(data['peer']['route_via'], 'exit-cell')
    @patch('app.cell_link_manager')
    @patch('app.wireguard_manager')
    @patch('app.peer_registry')
    def test_switch_exit_cell_removes_old_before_adding_new(self, mock_reg, mock_wg, mock_clm):
        old_link = dict(_CELL_LINK, cell_name='old-exit', public_key='oldpubkey=',
                        vpn_subnet='10.2.0.0/24', dns_ip='10.2.0.1')
        new_link = dict(_CELL_LINK, cell_name='new-exit', public_key='newpubkey=')
        peer_with_old = dict(_PEER, route_via='old-exit')
        mock_reg.get_peer.return_value = peer_with_old
        mock_reg.set_route_via.return_value = dict(_PEER, route_via='new-exit')
        mock_clm.list_connections.return_value = [old_link, new_link]
        self._put('alice', {'via_cell': 'new-exit'})
        calls = mock_wg.update_cell_peer_allowed_ips.call_args_list
        # First call removes old (add_default_route=False), second adds new (True)
        self.assertEqual(len(calls), 2)
        self.assertFalse(calls[0].kwargs['add_default_route'])
        self.assertTrue(calls[1].kwargs['add_default_route'])
        # set_exit_relay_active called twice: False for old, True for new
        relay_calls = mock_clm.set_exit_relay_active.call_args_list
        self.assertEqual(len(relay_calls), 2)
        self.assertEqual(relay_calls[0].args, ('old-exit', False))
        self.assertEqual(relay_calls[1].args, ('new-exit', True))
 if __name__ == '__main__':
    unittest.main()