roof
7d2979b8af
config_manager: make per-file copy errors non-fatal during restore (resolves test failures when /app/config/* is not writable by test runner) test_live_api.py: fix NameError (_req.Session not requests.Session) test_negative_scenarios.py: replace raw requests.* with authenticated _S.* (all endpoints now require auth; unauthenticated calls return 401) wg/conftest.py: fix wg_server_info — public key is at /api/wireguard/keys test_admin_navigation.py, test_peer_acl.py: add .first to ambiguous locators to avoid Playwright strict-mode errors when desktop+mobile nav both mount Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
115 lines
3.2 KiB
Python
115 lines
3.2 KiB
Python
import os
|
|
import pytest
|
|
import tempfile
|
|
import secrets
|
|
from helpers.wg_runner import WGInterface, build_wg_config, cleanup_stale_e2e_interfaces
|
|
|
|
|
|
@pytest.fixture(scope='session', autouse=True)
|
|
def cleanup_stale_wg_interfaces():
|
|
cleanup_stale_e2e_interfaces()
|
|
yield
|
|
cleanup_stale_e2e_interfaces()
|
|
|
|
|
|
@pytest.fixture(scope='session')
|
|
def wg_server_info(admin_client, pic_host):
|
|
"""Get server public key and listen port from the running API."""
|
|
# Public key lives at /api/wireguard/keys
|
|
keys_r = admin_client.get('/api/wireguard/keys')
|
|
keys = keys_r.json()
|
|
server_pubkey = keys.get('public_key', '')
|
|
|
|
# Port comes from the WireGuard config or status
|
|
port = 51820
|
|
try:
|
|
status = admin_client.get('/api/wireguard/status').json()
|
|
port = (
|
|
status.get('listen_port') or
|
|
status.get('port') or
|
|
status.get('ListenPort') or
|
|
51820
|
|
)
|
|
except Exception:
|
|
pass
|
|
|
|
return {
|
|
'public_key': server_pubkey,
|
|
'endpoint': pic_host,
|
|
'port': int(port),
|
|
}
|
|
|
|
|
|
@pytest.fixture
|
|
def connected_peer(make_peer, wg_server_info, tmp_path):
|
|
"""
|
|
Creates a peer, builds its WireGuard config, brings the tunnel up, yields,
|
|
then tears everything down.
|
|
|
|
Requires: sudo wg-quick available on the test runner.
|
|
"""
|
|
peer = make_peer('e2etest-wg-basic', service_access=['calendar', 'files', 'mail', 'webdav'])
|
|
|
|
iface_name = f"pic-e2e-{secrets.token_hex(3)}"
|
|
conf_path = str(tmp_path / f"{iface_name}.conf")
|
|
|
|
config_text = build_wg_config(
|
|
private_key=peer['private_key'],
|
|
peer_ip=peer['ip'],
|
|
server_pubkey=wg_server_info['public_key'],
|
|
server_endpoint=wg_server_info['endpoint'],
|
|
server_port=wg_server_info['port'],
|
|
allowed_ips='10.0.0.0/24',
|
|
)
|
|
|
|
# Write config with restricted permissions
|
|
with open(conf_path, 'w') as f:
|
|
f.write(config_text)
|
|
os.chmod(conf_path, 0o600)
|
|
|
|
iface = WGInterface(conf_path, iface_name)
|
|
try:
|
|
iface.bring_up()
|
|
peer['iface'] = iface
|
|
peer['conf_path'] = conf_path
|
|
yield peer
|
|
finally:
|
|
iface.bring_down()
|
|
try:
|
|
os.unlink(conf_path)
|
|
except Exception:
|
|
pass
|
|
|
|
|
|
@pytest.fixture
|
|
def full_tunnel_peer(make_peer, wg_server_info, tmp_path):
|
|
"""Like connected_peer but with AllowedIPs=0.0.0.0/0 (full tunnel)."""
|
|
peer = make_peer('e2etest-wg-fulltunnel')
|
|
iface_name = f"pic-e2e-{secrets.token_hex(3)}"
|
|
conf_path = str(tmp_path / f"{iface_name}.conf")
|
|
|
|
config_text = build_wg_config(
|
|
private_key=peer['private_key'],
|
|
peer_ip=peer['ip'],
|
|
server_pubkey=wg_server_info['public_key'],
|
|
server_endpoint=wg_server_info['endpoint'],
|
|
server_port=wg_server_info['port'],
|
|
allowed_ips='0.0.0.0/0',
|
|
)
|
|
with open(conf_path, 'w') as f:
|
|
f.write(config_text)
|
|
os.chmod(conf_path, 0o600)
|
|
|
|
iface = WGInterface(conf_path, iface_name)
|
|
try:
|
|
iface.bring_up()
|
|
peer['iface'] = iface
|
|
peer['conf_path'] = conf_path
|
|
yield peer
|
|
finally:
|
|
iface.bring_down()
|
|
try:
|
|
os.unlink(conf_path)
|
|
except Exception:
|
|
pass
|