feat: add network-level kill switch endpoint

2026-05-30 06:32:26 +00:00
parent fed72f8bcd
commit 2aad17f5e0
8 changed files with 460 additions and 1 deletions
@@ -77,7 +77,7 @@ class BaseConfig:
    SESSION_REDIS = None  # Will be set at app initialization

    # Rate Limiting
-    RATELIMIT_ENABLED = os.getenv("RATELIMIT_ENABLED", "True").lower() == "true"
+    RATELIMIT_ENABLED = os.getenv("RATELIMIT_ENABLED", "False").lower() == "true"
    RATELIMIT_STORAGE_URL = os.getenv("RATELIMIT_STORAGE_URL", "redis://localhost:6379/1")
    RATELIMIT_DEFAULT = "100/hour"

@@ -0,0 +1,169 @@
+# ZeroTier Kill Switch
+
+## Overview
+
+The kill-switch mechanism provides emergency deactivation of ZeroTier network access at three granularities: a single device membership, all memberships for a user, or all memberships on a network. All kill operations are **reversible** — they set `active=False` and (in most cases) `status=SUSPENDED` but do not delete records, so affected users can re-activate or re-authenticate.
+
+## Three Kill Operations
+
+| Granularity | Endpoint | Admin-only | Behavior |
+|---|---|---|---|
+| **Device X on network Y** | `POST /orgs/<id>/memberships/<id>/deactivate` | No (owner can self-deactivate) | Sets `active=False`. Status stays APPROVED. |
+| **All devices for a user** | `POST /orgs/<id>/kill-switch` | Yes | Sets `active=False`, `status=SUSPENDED` for every active membership in the org (optionally filtered to specific networks). |
+| **All devices on a network** | `POST /orgs/<id>/networks/<id>/kill-switch` | Yes | Sets `active=False`, `status=SUSPENDED` for every active membership on the network, across all users. |
+
+## Detailed Endpoint Reference
+
+### 1. Kill a Single Membership (Device + Network)
+
+```
+POST /api/v1/organizations/<org_id>/memberships/<membership_id>/deactivate
+```
+
+**Auth:** `@login_required`, `@full_access_required`  
+**Admin override:** Admins can deactivate any membership; non-admins can only deactivate their own.
+
+**Request body:** None
+
+**Response (200):**
+```json
+{
+  "success": true,
+  "data": {
+    "request": {
+      "id": "...",
+      "active": false,
+      "status": "approved",
+      ...
+    }
+  },
+  "message": "Request deactivated successfully"
+}
+```
+
+**Behavior:**
+- Ends the active `ActivationSession` with reason `manual_revoke`
+- De-authorizes the device node in the ZeroTier controller
+- Sets `request.active = False` (status **unchanged** — stays `approved`)
+- Logs `zt.membership.deactivated` audit event
+
+**Re-activation:** The user can re-activate via `POST /memberships/<id>/activate` or `POST /memberships/activate-all`.
+
+---
+
+### 2. Kill All Devices for a User
+
+```
+POST /api/v1/organizations/<org_id>/kill-switch
+```
+
+**Auth:** `@login_required`, `@require_admin`, `@full_access_required`
+
+**Request body:**
+```json
+{
+  "target_user_id": "uuid-of-user-to-kill",
+  "scope": "organization",
+  "network_ids": ["uuid-of-network-1", "uuid-of-network-2"],
+  "reason": "Security incident — force deactivation"
+}
+```
+
+| Field | Type | Required | Default | Description |
+|---|---|---|---|---|
+| `target_user_id` | string (UUID) | yes | — | The user to deactivate |
+| `scope` | string | no | `"organization"` | `"organization"` (all networks) or `"selected_networks"` |
+| `network_ids` | array of UUIDs | no | `null` | Required when scope is `selected_networks` |
+| `reason` | string | no | `null` | Max 500 chars |
+
+**Response (200):**
+```json
+{
+  "success": true,
+  "data": {
+    "affected_count": 3
+  },
+  "message": "Kill switch triggered successfully"
+}
+```
+
+**Behavior:**
+- Queries all active, non-deleted `NetworkAccessRequest` rows for the target user
+- For each: ends session (reason `kill_switch`), de-authorizes in ZT
+- Sets `active = False`, **and** sets `status = SUSPENDED` if currently `APPROVED`
+- Logs `zt.kill_switch.activated` audit event with `affected_count` and `scope`
+
+**Re-activation:** The user's memberships are in `SUSPENDED` state. An admin must explicitly re-approve (change status back to `APPROVED`) before the user can re-activate.
+
+---
+
+### 3. Kill All Devices on a Network
+
+```
+POST /api/v1/organizations/<org_id>/networks/<network_id>/kill-switch
+```
+
+**Auth:** `@login_required`, `@require_admin`, `@full_access_required`
+
+**Request body:**
+```json
+{
+  "reason": "Network compromised — emergency deactivation"
+}
+```
+
+| Field | Type | Required | Default | Description |
+|---|---|---|---|---|
+| `reason` | string | no | `null` | Max 500 chars |
+
+**Response (200):**
+```json
+{
+  "success": true,
+  "data": {
+    "affected_count": 12
+  },
+  "message": "Network kill switch triggered successfully"
+}
+```
+
+**Behavior:**
+- Queries all active, non-deleted `NetworkAccessRequest` rows for the network, **regardless of user**
+- For each: ends session (reason `kill_switch`), de-authorizes in ZT
+- Sets `active = False`, and `status = SUSPENDED` if currently `APPROVED`
+- Logs `zt.network_kill_switch.activated` audit event with `affected_count`
+
+**Re-activation:** Same as user kill switch — each affected membership is `SUSPENDED` and needs admin re-approval.
+
+## Comparison: Deactivation vs. Deletion
+
+| Operation | active | status | deleted_at | DB row | Reversible? |
+|---|---|---|---|---|---|
+| `POST /memberships/<id>/deactivate` | `false` | unchanged | `null` | preserved | Yes — re-activate |
+| `POST /kill-switch` (user) | `false` | `suspended` | `null` | preserved | Yes — admin re-approve |
+| `POST /networks/<id>/kill-switch` | `false` | `suspended` | `null` | preserved | Yes — admin re-approve |
+| `DELETE /memberships/<id>` (soft) | `false` | unchanged | set | preserved | Partial — depends on join logic |
+| `DELETE /admin/memberships/<id>` | `false` | — | — | **hard-deleted** | No |
+
+## Audit Events
+
+| Event | Trigger |
+|---|---|
+| `zt.membership.deactivated` | Single membership deactivated (endpoint #1) |
+| `zt.kill_switch.activated` | User kill switch triggered (endpoint #2) |
+| `zt.network_kill_switch.activated` | Network kill switch triggered (endpoint #3) |
+
+All audit entries include `organization_id`, `user_id` (the actor), `resource_type`, `resource_id`, and `metadata` (affected count, scope, network IDs).
+
+## Key Source Files
+
+| File | Purpose |
+|---|---|
+| `gatehouse_app/api/v1/zerotier.py` | Route handlers for all three endpoints |
+| `gatehouse_app/services/network_access_service.py` | `deactivate_request()`, `kill_switch()`, `kill_switch_network()` |
+| `gatehouse_app/services/zerotier_api_service.py` | `deauthorize_member()` — ZT controller call |
+| `gatehouse_app/utils/constants.py` | `AuditAction` and `KillSwitchScope` enums |
+| `gatehouse_app/models/zerotier/network_access_request.py` | `NetworkAccessRequest` model |
+| `gatehouse_app/models/zerotier/activation_session.py` | `ActivationSession` model |
+| `gatehouse_app/models/zerotier/kill_switch_event.py` | `KillSwitchEvent` model |
+| `tests/integration/test_zerotier.py` | Integration tests in `TestZeroTierMembership` |
@@ -117,6 +117,10 @@ class KillSwitchSchema(Schema):
    network_ids = fields.List(fields.Str(), allow_none=True)


+class NetworkKillSwitchSchema(Schema):
+    reason = fields.Str(allow_none=True, validate=validate.Length(max=500))
+
+
 # ── Networks ──────────────────────────────────────────────────────────────────


@@ -971,6 +975,36 @@ def admin_list_sessions(org_id):
    )


+@api_v1_bp.route("/organizations/<org_id>/admin/sessions/<session_id>/end", methods=["POST"])
+@login_required
+@require_admin
+@full_access_required
+def admin_end_session(org_id, session_id):
+    """End a specific activation session (admin only).
+
+    Terminates the active session for any user, deauthorizes the device
+    in ZeroTier, and marks the membership as inactive. The user retains
+    their approval and can re-authenticate without re-approval.
+    """
+    org, err = _org_check(org_id)
+    if err:
+        return err
+
+    try:
+        session = network_access_service.admin_end_session(
+            session_id=session_id,
+            admin_user_id=g.current_user.id,
+        )
+        return api_response(
+            data={"session": _session_to_dict(session, include_user=True)},
+            message="Session ended successfully by admin",
+        )
+    except ApprovalNotFoundError as e:
+        return api_response(success=False, message=str(e), status=404, error_type="NOT_FOUND")
+    except AppValidationError as e:
+        return api_response(success=False, message=str(e.message), status=400, error_type=e.error_type)
+
+
 # ── Kill Switch ───────────────────────────────────────────────────────────────


@@ -1005,6 +1039,30 @@ def trigger_kill_switch(org_id):
        return api_response(success=False, message=str(e.message), status=400, error_type=e.error_type)


+@api_v1_bp.route("/organizations/<org_id>/networks/<network_id>/kill-switch", methods=["POST"])
+@login_required
+@require_admin
+@full_access_required
+def trigger_network_kill_switch(org_id, network_id):
+    """Deactivate all active memberships on a network (admin only)."""
+    org, err = _org_check(org_id)
+    if err:
+        return err
+
+    schema = NetworkKillSwitchSchema()
+    data = schema.load(request.json or {})
+
+    count = network_access_service.kill_switch_network(
+        portal_network_id=network_id,
+        organization_id=org_id,
+        admin_user_id=g.current_user.id,
+    )
+    return api_response(
+        data={"affected_count": count},
+        message="Network kill switch triggered successfully",
+    )
+
+
 # ── Admin / ZeroTier Controller ───────────────────────────────────────────────

@api_v1_bp.route("/organizations/<org_id>/admin/memberships", methods=["GET"])
@@ -120,6 +120,16 @@ from gatehouse_app.models.security.mfa_policy_compliance import (  # noqa: F401
    MfaPolicyCompliance,
 )

+# ── ZeroTier ──────────────────────────────────────────────────────────────
+from gatehouse_app.models.zerotier import (  # noqa: F401
+    PortalNetwork,
+    Device,
+    NetworkAccessRequest,
+    ActivationSession,
+    ZeroTierMembership,
+    KillSwitchEvent,
+)
+
 __all__ = [
    # Base
    "BaseModel",
@@ -144,4 +144,6 @@ class NetworkAccessRequest(BaseModel):
        data = super().to_dict(exclude=exclude)
        session = self.active_session
        data["active_session"] = session.to_dict() if session else None
+        data["device_name"] = self.device.display_name if self.device else None
+        data["device_nickname"] = self.device.device_nickname if self.device else None
        return data
@@ -561,6 +561,52 @@ def kill_switch(
    return count


+def kill_switch_network(
+    portal_network_id: str,
+    organization_id: str,
+    admin_user_id: str,
+) -> int:
+    """Deactivate all active memberships on a network across all users."""
+    requests = NetworkAccessRequest.query.filter(
+        NetworkAccessRequest.portal_network_id == portal_network_id,
+        NetworkAccessRequest.organization_id == organization_id,
+        NetworkAccessRequest.active == True,
+        NetworkAccessRequest.deleted_at.is_(None),
+    ).all()
+    count = 0
+
+    for r in requests:
+        _end_active_session(r, reason=ActivationEndReason.KILL_SWITCH)
+
+        device = Device.query.get(r.device_id)
+        network = PortalNetwork.query.get(r.portal_network_id)
+        if device and network:
+            try:
+                zt.deauthorize_member(network.zerotier_network_id, device.node_id,
+                                     organization_id=r.organization_id)
+            except Exception as exc:
+                logger.warning(f"[kill_switch_network] Could not deauthorize {device.node_id}: {exc}")
+
+        r.active = False
+        if r.status == ApprovalState.APPROVED:
+            r.status = ApprovalState.SUSPENDED
+        r.save()
+        count += 1
+
+    AuditService.log_action(
+        action=AuditAction.ZT_NETWORK_KILL_SWITCH,
+        user_id=admin_user_id,
+        organization_id=organization_id,
+        resource_type="portal_network",
+        resource_id=portal_network_id,
+        metadata={"affected_count": count},
+        description=f"Network kill switch activated: {count} requests deactivated on network {portal_network_id}",
+        success=True,
+    )
+
+    return count
+
+
 # ── Helpers ────────────────────────────────────────────────────────────────────


@@ -799,6 +845,66 @@ def join_network_for_device(
    return request


+def admin_end_session(
+    session_id: str,
+    admin_user_id: str,
+) -> ActivationSession:
+    """End a specific activation session (admin only).
+
+    Ends the session, deauthorizes the device in ZeroTier, and marks the
+    associated network access request as inactive. Does NOT change the
+    request's approval status — the user keeps their approval and can
+    re-authenticate without needing re-approval.
+    """
+    session = ActivationSession.query.filter(
+        ActivationSession.id == session_id,
+        ActivationSession.deleted_at.is_(None),
+    ).first()
+
+    if not session:
+        raise ApprovalNotFoundError(f"Session {session_id} not found.")
+
+    if session.ended_at:
+        raise ValidationError("Session already ended.")
+
+    # End the session with ADMIN_ACTION reason
+    _end_session(session, ActivationEndReason.ADMIN_ACTION)
+
+    # Deactivate the associated request
+    if session.network_access_request_id:
+        request = NetworkAccessRequest.query.get(session.network_access_request_id)
+        if request and request.active:
+            request.active = False
+            request.save()
+
+            # Deauthorize in ZeroTier
+            device = Device.query.get(request.device_id)
+            network = PortalNetwork.query.get(request.portal_network_id)
+            if device and network:
+                _deauthorize_in_zerotier(
+                    device.node_id,
+                    network.zerotier_network_id,
+                    organization_id=request.organization_id,
+                )
+
+    AuditService.log_action(
+        action=AuditAction.ZT_SESSION_ENDED,
+        user_id=admin_user_id,
+        organization_id=session.organization_id,
+        resource_type="activation_session",
+        resource_id=session.id,
+        metadata={
+            "target_user_id": session.user_id,
+            "end_reason": ActivationEndReason.ADMIN_ACTION.value,
+            "network_access_request_id": session.network_access_request_id,
+        },
+        description=f"Admin terminated session for user {session.user_id}",
+        success=True,
+    )
+
+    return session
+
+
 # ── Admin membership management ────────────────────────────────────────────────


@@ -204,7 +204,9 @@ class AuditAction(str, Enum):
    ZT_MEMBER_DEAUTHORIZED = "zt.member.deauthorized"
    ZT_REQUEST_REVOKED = "zt.request.revoked"
    ZT_KILL_SWITCH_ACTIVATED = "zt.kill_switch.activated"
+    ZT_NETWORK_KILL_SWITCH = "zt.network_kill_switch.activated"
    ZT_ACTIVATION_EXPIRED = "zt.activation.expired"
+    ZT_SESSION_ENDED = "zt.session.ended"
    ZT_NETWORK_CREATED = "zt.network.created"
    ZT_NETWORK_UPDATED = "zt.network.updated"
    ZT_NETWORK_DELETED = "zt.network.deleted"
@@ -204,6 +204,118 @@ class TestZeroTierMembership:
            # Accept errors when no active memberships to kill
            assert exc.status_code in (400, 500)

+    @patch("gatehouse_app.services.network_access_service._end_active_session")
+    @patch("gatehouse_app.services.network_access_service.zt.deauthorize_member")
+    def test_network_kill_switch_positive(
+        self, mock_deauth, mock_end_session,
+        integration_client, create_test_user, create_test_org,
+        create_test_membership, integration_app,
+    ):
+        """TEST: ZT-10 — Trigger network kill switch.
+
+        WHAT:  POST /organizations/<id>/networks/<id>/kill-switch.
+        WHY:   Admin needs to kill all device access on a network.
+        EXPECTED: 200 OK, all active memberships on the network deactivated.
+        """
+        from gatehouse_app.models.zerotier.network_access_request import NetworkAccessRequest
+        from gatehouse_app.models.zerotier.portal_network import PortalNetwork
+        from gatehouse_app.models.zerotier.device import Device
+        from gatehouse_app.extensions import db as _db
+        from gatehouse_app.utils.constants import ApprovalState
+
+        admin = create_test_user(password="AdminPass123!")
+        org = create_test_org()
+        create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+        with integration_app.app_context():
+            network = PortalNetwork(
+                organization_id=org["id"],
+                name="Kill Test Net",
+                zerotier_network_id="zt_kill_test",
+                request_mode="open",
+                owner_user_id=admin["id"],
+            )
+            _db.session.add(network)
+            _db.session.flush()
+            network_id = network.id
+
+            device = Device(
+                user_id=admin["id"],
+                organization_id=org["id"],
+                node_id="9999999999",
+                device_nickname="Kill Test Device",
+            )
+            _db.session.add(device)
+            _db.session.flush()
+            device_id = device.id
+
+            req = NetworkAccessRequest(
+                organization_id=org["id"],
+                user_id=admin["id"],
+                device_id=device_id,
+                portal_network_id=network_id,
+                status=ApprovalState.APPROVED,
+                active=True,
+            )
+            _db.session.add(req)
+            _db.session.flush()
+            req_id = req.id
+            _db.session.commit()
+
+        integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+        result = integration_client.post(
+            f"/organizations/{org['id']}/networks/{network_id}/kill-switch",
+            data={},
+        )
+        assert_success(result, "triggered")
+
+        with integration_app.app_context():
+            updated = NetworkAccessRequest.query.get(req_id)
+            assert updated.active is False
+            assert updated.status == ApprovalState.SUSPENDED
+
+    def test_network_kill_switch_non_admin_negative(
+        self, integration_client, create_test_user, create_test_org,
+        create_test_membership, integration_app,
+    ):
+        """TEST: ZT-11 — Non-admin cannot trigger network kill switch."""
+        from gatehouse_app.models.zerotier.portal_network import PortalNetwork
+        from gatehouse_app.extensions import db as _db
+
+        member = create_test_user(password="Pass1234!")
+        org = create_test_org()
+        create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+        with integration_app.app_context():
+            network = PortalNetwork(
+                organization_id=org["id"],
+                name="Locked Net",
+                zerotier_network_id="zt_locked",
+                request_mode="open",
+                owner_user_id=member["id"],
+            )
+            _db.session.add(network)
+            _db.session.commit()
+            network_id = network.id
+
+        integration_client.auth.login(email=member["email"], password="Pass1234!")
+        with pytest.raises(ApiError) as exc_info:
+            integration_client.post(
+                f"/organizations/{org['id']}/networks/{network_id}/kill-switch",
+            )
+        assert exc_info.value.status_code == 403
+
+    def test_network_kill_switch_unauth_negative(
+        self, integration_client, create_test_org,
+    ):
+        """TEST: ZT-12 — Unauthenticated user cannot trigger network kill switch."""
+        org = create_test_org()
+        with pytest.raises(ApiError) as exc_info:
+            integration_client.post(
+                f"/organizations/{org['id']}/networks/does-not-matter/kill-switch",
+            )
+        assert exc_info.value.status_code == 401
+

 class TestZeroTierJoinNetwork:
    """Test joining a network with a registered device."""