diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6fcc667
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,144 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+Pipfile.lock
+
+# PEP 582
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Project specific
+
+*.db
+flask_session/
+
+# Opencode files and folders
+.opencode/
+.swarm/
+SWARM_PLAN.*
\ No newline at end of file
diff --git a/Dockerfile.job b/Dockerfile.job
new file mode 100644
index 0000000..56c9d6b
--- /dev/null
+++ b/Dockerfile.job
@@ -0,0 +1,40 @@
+FROM python:3.11-slim as builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ build-essential \
+ libpq-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+WORKDIR /app
+COPY requirements/base.txt requirements/base.txt
+COPY requirements/production.txt requirements/production.txt
+
+RUN pip install --no-cache-dir --upgrade pip wheel && \
+ pip install --no-cache-dir -r requirements/production.txt
+
+FROM python:3.11-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ libpq5 \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --gid 1000 appgroup && \
+ useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser
+
+COPY --from=builder /opt/venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+WORKDIR /app
+COPY --chown=appuser:appgroup . .
+
+RUN mkdir -p /app/logs && chown -R appuser:appgroup /app/logs
+
+USER appuser
+
+HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 \
+ CMD pgrep -f "job_runner" || exit 1
+
+CMD ["python", "scripts/job_runner.py"]
diff --git a/README.md b/README.md
index 78f8d87..64fcbd7 100644
--- a/README.md
+++ b/README.md
@@ -154,6 +154,7 @@ Copy `.env.example` to `.env` and configure:
- `POST /api/v1/auth/logout` - Logout
- `GET /api/v1/auth/me` - Get current user
- `GET /api/v1/auth/sessions` - Get user sessions
+- `POST /api/v1/auth/sessions/refresh` - Extend session idle window
- `DELETE /api/v1/auth/sessions/:id` - Revoke session
### Users
@@ -174,6 +175,9 @@ Copy `.env.example` to `.env` and configure:
- `PATCH /api/v1/organizations/:id/members/:userId/role` - Update role
+### Contact (Public — No Auth Required)
+- `POST /api/v1/contact` - Submit a contact enquiry (demo request, sales enquiry, general, or support). Rate limited to 5 requests per IP per hour. Sends an email to info@secuird.tech.
+
### Health
- `GET /api/health` - Health check
@@ -261,6 +265,52 @@ gunicorn -w 4 -b 0.0.0.0:8000 wsgi:app
- Request ID tracking for audit trails
+## Session Management
+
+Sessions are database-backed bearer tokens stored in PostgreSQL. Each session is created at login and validated on every authenticated request via the `login_required` decorator.
+
+### Sliding Timeout
+
+Sessions use a **sliding window** model with two independent limits:
+
+| Timeout | Default | Env Var | Behaviour |
+|---------|---------|---------|-----------|
+| **Idle** | 15 min | `SESSION_IDLE_TIMEOUT` | Extends automatically on every request. If no request is made within this window the session expires. |
+| **Absolute** | 8 h | `SESSION_ABSOLUTE_TIMEOUT` | Hard cap measured from session creation. Activity cannot extend a session beyond this point. |
+
+Every authenticated request resets the idle clock by calling `Session.refresh()`, which sets `expires_at = now + idle_timeout` — but never past `created_at + absolute_timeout`. This means:
+
+- An active user stays logged in indefinitely **up to** the absolute cap.
+- An idle user is logged out after the idle timeout.
+- No session can survive longer than the absolute timeout regardless of activity.
+
+### Configuration
+
+Override defaults via environment variables:
+
+```bash
+SESSION_IDLE_TIMEOUT=900 # seconds (15 min)
+SESSION_ABSOLUTE_TIMEOUT=28800 # seconds (8 h)
+```
+
+### Cleanup
+
+Expired sessions are soft-marked as `EXPIRED` by the `cleanup_sessions` job. Run it periodically via the job runner:
+
+```bash
+python manage.py cleanup_sessions
+
+# Or via the job runner (Docker):
+JOB_NAME=cleanup_sessions JOB_INTERVAL_SECONDS=300
+```
+
+### Session Endpoints
+
+- `GET /api/v1/auth/sessions` — List active sessions for the current user
+- `POST /api/v1/auth/sessions/refresh` — Extend the current session's idle window (returns new `expires_at`)
+- `DELETE /api/v1/auth/sessions/:id` — Revoke a specific session
+
+
# Boostrap db
python manage.py db upgrade
diff --git a/client/gatehouse-cli.py b/client/gatehouse-cli.py
index bc96ab3..29c8d28 100755
--- a/client/gatehouse-cli.py
+++ b/client/gatehouse-cli.py
@@ -49,10 +49,96 @@ class MyServer(BaseHTTPRequestHandler):
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
- self.wfile.write(bytes("OIDC Workflow Tool", "utf-8"))
- self.wfile.write(bytes("The token has been received
", "utf-8"))
- self.wfile.write(bytes("You may now close this window.
", "utf-8"))
- self.wfile.write(bytes("", "utf-8"))
+ html_content = """
+
+
+
+
+ Authentication Successful - Gatehouse
+
+
+
+
+
+
+
+
Authentication Complete
+
You can now return to the terminal.
+
If this window doesn't close automatically, you can close it manually.
+
New {type_label}
+
+ A new {type_label.lower()} has been submitted through the Secuird website.
+
+ {get_alert_box(f"Enquiry type: {type_label}", alert_type, "📬")}
+
+
+
+ Enquiry Details
+
+ |
+
+
+ Message
+ {message_display}
+ '''
+ return get_base_html(content, f"Secuird Website: {type_label}", f"New {type_label} from {submitter_email}")
diff --git a/gatehouse_app/services/external_auth/__init__.py b/gatehouse_app/services/external_auth/__init__.py
index a09e00e..6d56b27 100644
--- a/gatehouse_app/services/external_auth/__init__.py
+++ b/gatehouse_app/services/external_auth/__init__.py
@@ -42,7 +42,7 @@ class ExternalAuthService:
provider_type_str = provider_type.value if isinstance(provider_type, AuthMethodType) else provider_type
app_config = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type_str
+ provider_type=provider_type_str, deleted_at=None
).first()
if not app_config:
@@ -64,6 +64,7 @@ class ExternalAuthService:
org_override_obj = OrganizationProviderOverride.query.filter_by(
organization_id=organization_id,
provider_type=provider_type_str,
+ deleted_at=None,
).first()
if org_override_obj and not org_override_obj.is_enabled:
diff --git a/gatehouse_app/services/external_auth/app_provider.py b/gatehouse_app/services/external_auth/app_provider.py
index 97c0e97..d23560c 100644
--- a/gatehouse_app/services/external_auth/app_provider.py
+++ b/gatehouse_app/services/external_auth/app_provider.py
@@ -14,7 +14,7 @@ def create_app_provider_config(
**kwargs,
) -> ApplicationProviderConfig:
existing = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type
+ provider_type=provider_type, deleted_at=None
).first()
if existing:
@@ -51,7 +51,7 @@ def update_app_provider_config(
**updates,
) -> ApplicationProviderConfig:
config = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type
+ provider_type=provider_type, deleted_at=None
).first()
if not config:
@@ -90,7 +90,7 @@ def update_app_provider_config(
def get_app_provider_config(provider_type: str) -> ApplicationProviderConfig:
config = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type
+ provider_type=provider_type, deleted_at=None
).first()
if not config:
@@ -104,13 +104,13 @@ def get_app_provider_config(provider_type: str) -> ApplicationProviderConfig:
def list_app_provider_configs() -> list:
- configs = ApplicationProviderConfig.query.all()
+ configs = ApplicationProviderConfig.query.filter_by(deleted_at=None).all()
return [config.to_dict() for config in configs]
def delete_app_provider_config(provider_type: str) -> bool:
config = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type
+ provider_type=provider_type, deleted_at=None
).first()
if not config:
diff --git a/gatehouse_app/services/external_auth/linking.py b/gatehouse_app/services/external_auth/linking.py
index f7e8c3a..02473c0 100644
--- a/gatehouse_app/services/external_auth/linking.py
+++ b/gatehouse_app/services/external_auth/linking.py
@@ -219,10 +219,11 @@ def authenticate_with_provider(
auth_method = AuthenticationMethod.query.filter_by(
method_type=provider_type,
provider_user_id=user_info["provider_user_id"],
+ deleted_at=None,
).first()
if not auth_method:
- existing_user = User.query.filter_by(email=user_info["email"]).first()
+ existing_user = User.query.filter_by(email=user_info["email"], deleted_at=None).first()
if existing_user:
AuditService.log_external_auth_login_failed(
@@ -262,7 +263,7 @@ def authenticate_with_provider(
state_record.mark_used()
from gatehouse_app.services.auth_service import AuthService
- session = AuthService.create_session(user=user, organization_id=organization_id)
+ session = AuthService.create_session(user=user)
AuditService.log_external_auth_login(
user_id=user.id,
@@ -286,12 +287,13 @@ def unlink_provider(
auth_method = AuthenticationMethod.query.filter_by(
user_id=user_id,
method_type=provider_type,
+ deleted_at=None,
).first()
if not auth_method:
raise ExternalAuthError("Provider not linked", "PROVIDER_NOT_LINKED", 400)
- other_methods = AuthenticationMethod.query.filter_by(user_id=user_id).count()
+ other_methods = AuthenticationMethod.query.filter_by(user_id=user_id, deleted_at=None).count()
if other_methods <= 1:
raise ExternalAuthError(
"Cannot unlink the last authentication method",
diff --git a/gatehouse_app/services/external_auth/org_override.py b/gatehouse_app/services/external_auth/org_override.py
index e302b07..9a51bb4 100644
--- a/gatehouse_app/services/external_auth/org_override.py
+++ b/gatehouse_app/services/external_auth/org_override.py
@@ -16,7 +16,7 @@ def create_org_provider_override(
**kwargs,
) -> OrganizationProviderOverride:
app_config = ApplicationProviderConfig.query.filter_by(
- provider_type=provider_type
+ provider_type=provider_type, deleted_at=None
).first()
if not app_config:
@@ -29,6 +29,7 @@ def create_org_provider_override(
existing = OrganizationProviderOverride.query.filter_by(
organization_id=organization_id,
provider_type=provider_type,
+ deleted_at=None,
).first()
if existing:
@@ -69,6 +70,7 @@ def update_org_provider_override(
override = OrganizationProviderOverride.query.filter_by(
organization_id=organization_id,
provider_type=provider_type,
+ deleted_at=None,
).first()
if not override:
@@ -110,6 +112,7 @@ def get_org_provider_override(
override = OrganizationProviderOverride.query.filter_by(
organization_id=organization_id,
provider_type=provider_type,
+ deleted_at=None,
).first()
if not override:
@@ -124,7 +127,7 @@ def get_org_provider_override(
def list_org_provider_overrides(organization_id: str) -> list:
overrides = OrganizationProviderOverride.query.filter_by(
- organization_id=organization_id
+ organization_id=organization_id, deleted_at=None
).all()
return [override.to_dict() for override in overrides]
@@ -133,6 +136,7 @@ def delete_org_provider_override(organization_id: str, provider_type: str) -> bo
override = OrganizationProviderOverride.query.filter_by(
organization_id=organization_id,
provider_type=provider_type,
+ deleted_at=None,
).first()
if not override:
diff --git a/gatehouse_app/services/network_access_service.py b/gatehouse_app/services/network_access_service.py
index a801a86..99b7132 100644
--- a/gatehouse_app/services/network_access_service.py
+++ b/gatehouse_app/services/network_access_service.py
@@ -1024,17 +1024,17 @@ def revoke_membership_soft(
def hard_delete_membership(membership_id: str) -> None:
- """Hard delete a membership after ZeroTier has been cleaned up.
+ """Soft delete a membership after ZeroTier has been cleaned up.
Called by the reconciliation job after successfully removing the member
- from the ZeroTier controller. This is the final DB cleanup step.
+ from the ZeroTier controller. This marks the membership as deleted.
"""
membership = DeviceNetworkMembership.query.filter(
DeviceNetworkMembership.id == membership_id,
).first()
if not membership:
- logger.warning(f"[hard_delete_membership] Membership {membership_id} not found, skipping.")
+ logger.warning(f"[hard_delete_membership] Membership {membership_id} not found or already deleted, skipping.")
return
device = Device.query.get(membership.device_id)
@@ -1048,7 +1048,7 @@ def hard_delete_membership(membership_id: str) -> None:
except Exception as exc:
logger.warning(f"[hard_delete_membership] ZT delete failed for {device.node_id}: {exc}")
- db.session.delete(membership)
+ membership.delete(soft=True)
db.session.commit()
AuditService.log_action(
@@ -1061,6 +1061,6 @@ def hard_delete_membership(membership_id: str) -> None:
"device_node_id": device.node_id if device else None,
"network_id": network.zerotier_network_id if network else None,
},
- description=f"Membership hard-deleted: device {device.node_id if device else 'unknown'} from network",
+ description=f"Membership deleted: device {device.node_id if device else 'unknown'} from network",
success=True,
)
diff --git a/gatehouse_app/services/oauth_flow/register.py b/gatehouse_app/services/oauth_flow/register.py
index 069c247..c3790d5 100644
--- a/gatehouse_app/services/oauth_flow/register.py
+++ b/gatehouse_app/services/oauth_flow/register.py
@@ -111,7 +111,7 @@ def handle_register_callback(
access_token=tokens["access_token"],
)
- existing_user = User.query.filter_by(email=user_info["email"]).first()
+ existing_user = User.query.filter_by(email=user_info["email"], deleted_at=None).first()
if existing_user:
raise OAuthFlowError(
f"An account with email {user_info['email']} already exists. "
diff --git a/gatehouse_app/services/oidc/userinfo.py b/gatehouse_app/services/oidc/userinfo.py
index 2e46705..7a81e0b 100644
--- a/gatehouse_app/services/oidc/userinfo.py
+++ b/gatehouse_app/services/oidc/userinfo.py
@@ -55,9 +55,9 @@ def get_userinfo(access_token: str, validate_access_token_fn) -> Dict:
def _get_user_roles(user: User) -> list:
roles = []
- if not user or not user.organization_memberships:
+ if not user:
return roles
- for member in user.organization_memberships:
+ for member in user.get_active_memberships():
roles.append({
"organization_id": str(member.organization_id),
"role": member.role.value,
diff --git a/gatehouse_app/services/oidc_token_service.py b/gatehouse_app/services/oidc_token_service.py
index 5605d5f..d32841e 100644
--- a/gatehouse_app/services/oidc_token_service.py
+++ b/gatehouse_app/services/oidc_token_service.py
@@ -324,8 +324,8 @@ class OIDCTokenService:
List of role objects with organization_id and role
"""
roles = []
- if user and user.organization_memberships:
- for member in user.organization_memberships:
+ if user:
+ for member in user.get_active_memberships():
roles.append({
"organization_id": str(member.organization_id),
"role": member.role.value
diff --git a/gatehouse_app/services/organization_service.py b/gatehouse_app/services/organization_service.py
index 3df2db7..9d6e6ae 100644
--- a/gatehouse_app/services/organization_service.py
+++ b/gatehouse_app/services/organization_service.py
@@ -70,6 +70,22 @@ class OrganizationService:
return org
+ @staticmethod
+ def get_user_org_count(user_id):
+ """
+ Get the count of organizations a user belongs to.
+
+ Args:
+ user_id: User ID
+
+ Returns:
+ Count of active memberships (deleted_at is NULL)
+ """
+ return OrganizationMember.query.filter_by(
+ user_id=user_id,
+ deleted_at=None,
+ ).count()
+
@staticmethod
def get_organization_by_id(org_id):
"""
@@ -286,7 +302,7 @@ class OrganizationService:
Raises:
ConflictError: If user is already a member
"""
- # Check if already a member (active or soft-deleted — both blocked by DB unique constraint)
+ # Check for any membership (active or soft-deleted) to enable reactivation
existing = OrganizationMember.query.filter_by(
user_id=user_id,
organization_id=org.id,
@@ -294,7 +310,7 @@ class OrganizationService:
# Development-only debug logging for membership validation
if current_app.config.get('ENV') == 'development':
- logger.debug(f"[Org] Member check: org_id={org.id}, user_id={user_id}, already_member={existing is not None}")
+ logger.debug(f"[Org] Member check: org_id={org.id}, user_id={user_id}, already_member={existing is not None}, soft_deleted={existing.deleted_at is not None if existing else False}")
if existing:
if existing.deleted_at is not None:
@@ -363,6 +379,15 @@ class OrganizationService:
logger.debug(f"[Org] Member removal: org_id={org.id}, user_id={user_id}, found={member is not None}")
if member:
+ if member.role == OrganizationRole.OWNER:
+ owner_count = OrganizationMember.query.filter(
+ OrganizationMember.organization_id == org.id,
+ OrganizationMember.role == OrganizationRole.OWNER,
+ OrganizationMember.deleted_at.is_(None),
+ OrganizationMember.user_id != user_id,
+ ).count()
+ if owner_count < 1:
+ raise ValueError("Cannot remove the only owner from an organization. Transfer ownership first.")
member.delete(soft=True)
# Log member removal
diff --git a/gatehouse_app/services/session_service.py b/gatehouse_app/services/session_service.py
index 7103285..e86cd6f 100644
--- a/gatehouse_app/services/session_service.py
+++ b/gatehouse_app/services/session_service.py
@@ -10,10 +10,10 @@ class SessionService:
@staticmethod
def get_active_session_by_token(token):
"""Get active session by token.
-
+
Args:
token: The session token string
-
+
Returns:
Session object if found and active, None otherwise
"""
@@ -23,6 +23,8 @@ class SessionService:
token=token,
status=SessionStatus.ACTIVE,
deleted_at=None
+ ).filter(
+ Session.expires_at > datetime.now(timezone.utc)
).first()
@staticmethod
diff --git a/gatehouse_app/services/ssh_key_service.py b/gatehouse_app/services/ssh_key_service.py
index 4da133b..2c66792 100644
--- a/gatehouse_app/services/ssh_key_service.py
+++ b/gatehouse_app/services/ssh_key_service.py
@@ -41,46 +41,47 @@ class SSHKeyService:
user_id: str,
public_key: str,
description: Optional[str] = None,
- ) -> SSHKey:
+ ) -> tuple[SSHKey, bool]:
"""Add an SSH public key for a user.
-
+
Args:
user_id: ID of the user
public_key: SSH public key in OpenSSH format
description: Optional description of the key
-
+
Returns:
- Created SSHKey instance
-
+ Tuple of (SSHKey instance, is_new) where is_new is True for
+ newly created keys, False for existing keys (idempotent).
+
Raises:
UserNotFoundError: If user doesn't exist
SSHKeyError: If key format is invalid
- SSHKeyAlreadyExistsError: If key already exists
"""
# Verify user exists
user = User.query.get(user_id)
if not user:
raise UserNotFoundError(f"User {user_id} not found")
-
+
# Validate key format
if not verify_ssh_key_format(public_key):
raise SSHKeyError("Invalid SSH public key format")
-
+
# Compute fingerprint
try:
fingerprint = compute_ssh_fingerprint(public_key)
except Exception as e:
logger.error(f"Failed to compute fingerprint: {str(e)}")
raise SSHKeyError(f"Failed to compute key fingerprint: {str(e)}")
-
- # Check for duplicate (including soft-deleted records — fingerprint is unique in DB)
- existing = SSHKey.query.filter_by(fingerprint=fingerprint).first()
+
+ # Check for duplicate per user (including soft-deleted records)
+ existing = SSHKey.query.filter_by(
+ user_id=user_id, fingerprint=fingerprint
+ ).first()
if existing:
if existing.deleted_at is not None:
# Restore the soft-deleted key: clear deleted_at and update fields
existing.deleted_at = None
- existing.user_id = user_id
- existing.description = description or existing.description
+ existing.description = description if description is not None else existing.description
existing.verified = False
existing.verified_at = None
existing.verify_text = None
@@ -90,15 +91,18 @@ class SSHKeyService:
f"Restored soft-deleted SSH key for user {user_id}: "
f"fingerprint={fingerprint}"
)
- return existing
- raise SSHKeyAlreadyExistsError(
- f"SSH key with fingerprint {fingerprint} already exists"
+ return existing, False
+ # Idempotent: return existing key without error
+ logger.info(
+ f"SSH key already exists for user {user_id}: "
+ f"fingerprint={fingerprint}"
)
-
+ return existing, False
+
# Extract metadata
key_type = extract_ssh_key_type(public_key)
key_comment = extract_ssh_key_comment(public_key)
-
+
# Create SSH key record
ssh_key = SSHKey(
user_id=user_id,
@@ -109,15 +113,15 @@ class SSHKeyService:
key_comment=key_comment,
verified=False,
)
-
+
ssh_key.save()
-
+
logger.info(
f"SSH key added for user {user_id}: "
f"fingerprint={fingerprint}, type={key_type}"
)
-
- return ssh_key
+
+ return ssh_key, True
def get_ssh_key(self, key_id: str) -> SSHKey:
"""Get an SSH key by ID.
diff --git a/gatehouse_app/services/superadmin_analytics_service.py b/gatehouse_app/services/superadmin_analytics_service.py
new file mode 100644
index 0000000..96f4694
--- /dev/null
+++ b/gatehouse_app/services/superadmin_analytics_service.py
@@ -0,0 +1,177 @@
+"""Analytics service for platform-wide statistics."""
+import logging
+from datetime import datetime, timedelta, timezone
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.user.session import Session
+from gatehouse_app.models.superadmin_audit_log import SuperadminAuditLog
+
+logger = logging.getLogger(__name__)
+
+
+class SuperadminAnalyticsService:
+ """Service for platform-wide analytics and statistics."""
+
+ @staticmethod
+ def get_dashboard_stats() -> dict:
+ """Get dashboard statistics for the overview page.
+
+ Returns:
+ Dashboard stats including org count, user count, etc.
+ """
+ now = datetime.now(timezone.utc)
+ thirty_days_ago = now - timedelta(days=30)
+
+ # Total organizations
+ total_orgs = Organization.query.filter(Organization.deleted_at.is_(None)).count()
+ active_orgs = Organization.query.filter(
+ Organization.deleted_at.is_(None),
+ Organization.is_active == True, # noqa: E712
+ ).count()
+
+ # Total users
+ total_users = User.query.filter(User.deleted_at.is_(None)).count()
+
+ # Active sessions
+ active_sessions = Session.query.filter(
+ Session.deleted_at.is_(None),
+ Session.status == "active",
+ ).count()
+
+ # New signups in last 30 days
+ new_users_30d = User.query.filter(
+ User.deleted_at.is_(None),
+ User.created_at >= thirty_days_ago,
+ ).count()
+
+ # New organizations in last 30 days
+ new_orgs_30d = Organization.query.filter(
+ Organization.deleted_at.is_(None),
+ Organization.created_at >= thirty_days_ago,
+ ).count()
+
+ # Suspended organizations
+ suspended_orgs = Organization.query.filter(
+ Organization.deleted_at.is_(None),
+ Organization.is_active == False, # noqa: E712
+ ).count()
+
+ return {
+ "total_organizations": total_orgs,
+ "active_organizations": active_orgs,
+ "suspended_organizations": suspended_orgs,
+ "total_users": total_users,
+ "active_sessions": active_sessions,
+ "new_users_30d": new_users_30d,
+ "new_orgs_30d": new_orgs_30d,
+ "generated_at": now.isoformat() + "Z",
+ }
+
+ @staticmethod
+ def get_signup_trends(days: int = 30) -> dict:
+ """Get signup trends over time.
+
+ Args:
+ days: Number of days to analyze
+
+ Returns:
+ Daily signup data
+ """
+ now = datetime.now(timezone.utc)
+ start_date = now - timedelta(days=days)
+
+ # Get all users created in period
+ users = User.query.filter(
+ User.deleted_at.is_(None),
+ User.created_at >= start_date,
+ ).all()
+
+ # Group by day
+ daily_signups = {}
+ for i in range(days):
+ date = (start_date + timedelta(days=i)).strftime("%Y-%m-%d")
+ daily_signups[date] = 0
+
+ for user in users:
+ date = user.created_at.strftime("%Y-%m-%d")
+ if date in daily_signups:
+ daily_signups[date] += 1
+
+ # Convert to list
+ history = [
+ {"date": date, "value": count}
+ for date, count in sorted(daily_signups.items())
+ ]
+
+ return {
+ "period_start": start_date.isoformat() + "Z",
+ "period_end": now.isoformat() + "Z",
+ "total": len(users),
+ "history": history,
+ }
+
+ @staticmethod
+ def get_org_distribution() -> dict:
+ """Get distribution of organizations by size.
+
+ Returns:
+ Organization size distribution
+ """
+ orgs = Organization.query.filter(Organization.deleted_at.is_(None)).all()
+
+ distribution = {
+ "solo": 0, # 1 user
+ "small": 0, # 2-10 users
+ "medium": 0, # 11-50 users
+ "large": 0, # 51-200 users
+ "enterprise": 0, # 200+ users
+ }
+
+ for org in orgs:
+ count = org.get_member_count()
+ if count == 1:
+ distribution["solo"] += 1
+ elif count <= 10:
+ distribution["small"] += 1
+ elif count <= 50:
+ distribution["medium"] += 1
+ elif count <= 200:
+ distribution["large"] += 1
+ else:
+ distribution["enterprise"] += 1
+
+ return {
+ "distribution": distribution,
+ "total_orgs": len(orgs),
+ }
+
+ @staticmethod
+ def get_recent_activity(limit: int = 20) -> list:
+ """Get recent superadmin actions.
+
+ Args:
+ limit: Maximum number of actions to return
+
+ Returns:
+ List of recent audit log entries
+ """
+ logs = SuperadminAuditLog.query.filter(
+ SuperadminAuditLog.deleted_at.is_(None),
+ ).order_by(
+ SuperadminAuditLog.created_at.desc()
+ ).limit(limit).all()
+
+ return [
+ {
+ "id": log.id,
+ "superadmin_id": log.superadmin_id,
+ "action": log.action,
+ "resource_type": log.resource_type,
+ "resource_id": log.resource_id,
+ "extra_data": log.extra_data,
+ "ip_address": log.ip_address,
+ "user_agent": log.user_agent,
+ "created_at": log.created_at.isoformat() + "Z" if log.created_at else None,
+ }
+ for log in logs
+ ]
diff --git a/gatehouse_app/services/superadmin_auth_service.py b/gatehouse_app/services/superadmin_auth_service.py
new file mode 100644
index 0000000..31e798b
--- /dev/null
+++ b/gatehouse_app/services/superadmin_auth_service.py
@@ -0,0 +1,239 @@
+"""Superadmin authentication service."""
+import logging
+import secrets
+from datetime import datetime, timedelta, timezone
+from typing import Optional
+
+from flask import request, current_app
+from gatehouse_app.extensions import db, bcrypt
+from gatehouse_app.models.superadmin import Superadmin, SuperadminSession
+from gatehouse_app.exceptions.auth_exceptions import InvalidCredentialsError
+
+
+logger = logging.getLogger(__name__)
+
+
+class SuperadminAuthService:
+ """Service for superadmin authentication operations."""
+
+ @staticmethod
+ def authenticate(email, credentials):
+ """Authenticate superadmin with email/password credentials.
+
+ Args:
+ email: Superadmin email
+ credentials: Plain text credential
+
+ Returns:
+ Superadmin instance if authentication succeeds
+
+ Raises:
+ InvalidCredentialsError: If credentials are invalid or account is disabled
+ """
+ # Find superadmin by email
+ superadmin = Superadmin.query.filter_by(email=email.lower()).first()
+
+ if not superadmin:
+ logger.warning(f"[SuperadminAuth] Login attempt for non-existent email: {email}")
+ raise InvalidCredentialsError()
+
+ # Check if account is active
+ if not superadmin.is_active:
+ logger.warning(f"[SuperadminAuth] Login attempt for disabled account: {email}")
+ raise InvalidCredentialsError("Account is disabled")
+
+ # Check credential
+ if not superadmin.password_hash:
+ logger.warning(f"[SuperadminAuth] Login attempt for account with no credential set: {email}")
+ raise InvalidCredentialsError()
+
+ # Verify credential
+ password_valid = bcrypt.check_password_hash(superadmin.password_hash, credentials)
+
+ if not password_valid:
+ logger.warning(f"[SuperadminAuth] Invalid password for: {email}")
+ raise InvalidCredentialsError()
+
+ # Update last login
+ superadmin.last_login_at = datetime.now(timezone.utc)
+ db.session.commit()
+
+ logger.info(f"[SuperadminAuth] Successful login for: {email}")
+ return superadmin
+
+ @staticmethod
+ def create_session(superadmin_id, duration_seconds=28800):
+ """Create a new session for superadmin.
+
+ Args:
+ superadmin_id: Superadmin ID
+ duration_seconds: Session duration in seconds (default 8 hours)
+
+ Returns:
+ SuperadminSession instance
+ """
+ # Generate secure token
+ token = secrets.token_urlsafe(32)
+
+ # Create session
+ session = SuperadminSession(
+ superadmin_id=superadmin_id,
+ token=token,
+ expires_at=datetime.now(timezone.utc) + timedelta(seconds=duration_seconds),
+ last_activity_at=datetime.now(timezone.utc),
+ ip_address=request.remote_addr,
+ user_agent=request.headers.get("User-Agent"),
+ )
+ session.save()
+
+ logger.info(f"[SuperadminAuth] Session created for superadmin_id={superadmin_id}")
+ return session
+
+ @staticmethod
+ def revoke_session(session_id, reason=None):
+ """Revoke a superadmin session.
+
+ Args:
+ session_id: Session ID to revoke
+ reason: Optional revocation reason
+ """
+ session = SuperadminSession.query.get(session_id)
+ if session:
+ session.revoke(reason=reason)
+ logger.info(f"[SuperadminAuth] Session {session_id} revoked: {reason or 'No reason'}")
+
+ @staticmethod
+ def revoke_all_sessions(superadmin_id, except_token=None, reason=None):
+ """Revoke all sessions for a superadmin.
+
+ Args:
+ superadmin_id: Superadmin ID
+ except_token: Optional token to keep (current session)
+ reason: Optional revocation reason
+ """
+ query = SuperadminSession.query.filter_by(superadmin_id=superadmin_id)
+ if except_token:
+ query = query.filter(SuperadminSession.token != except_token)
+
+ sessions = query.all()
+ for session in sessions:
+ session.revoke(reason=reason)
+
+ logger.info(f"[SuperadminAuth] Revoked {len(sessions)} sessions for superadmin_id={superadmin_id}")
+ return len(sessions)
+
+ @staticmethod
+ def create_emergency_access(superadmin_id, target_user_id, reason, duration_minutes=15):
+ """Create emergency access to a user's account.
+
+ This creates a special emergency session that grants temporary elevated access.
+
+ Args:
+ superadmin_id: Superadmin ID initiating emergency access
+ target_user_id: User ID to access
+ reason: Reason for emergency access
+ duration_minutes: Duration of emergency access in minutes
+
+ Returns:
+ Dictionary with emergency session info
+ """
+ from gatehouse_app.models.user.user import User
+ from gatehouse_app.services.auth_service import AuthService
+ from gatehouse_app.services.audit_service import AuditService
+
+ # Verify target user exists
+ target_user = User.query.get(target_user_id)
+ if not target_user:
+ raise ValueError(f"Target user not found: {target_user_id}")
+
+ # Create emergency session for the target user
+ emergency_session = AuthService.create_session(
+ user=target_user,
+ duration_seconds=duration_minutes * 60,
+ is_compliance_only=False
+ )
+
+ # Log the emergency access
+ logger.warning(
+ f"[SuperadminAuth] EMERGENCY ACCESS: superadmin_id={superadmin_id} "
+ f"accessed user_id={target_user_id} reason={reason}"
+ )
+
+ return {
+ "session": emergency_session,
+ "expires_at": emergency_session.expires_at,
+ "reason": reason,
+ "target_user_id": target_user_id,
+ }
+
+ @staticmethod
+ def hash_password(plain_credential):
+ """Hash a credential for storage.
+
+ Args:
+ plain_credential: Plain text credential
+
+ Returns:
+ Hashed credential string
+ """
+ return bcrypt.generate_password_hash(plain_credential).decode("utf-8")
+
+ @staticmethod
+ def create_superadmin(email, credential, full_name=None):
+ """Create a new superadmin.
+
+ Args:
+ email: Superadmin email
+ credential: Plain text credential
+ full_name: Optional full name
+
+ Returns:
+ Superadmin instance
+ """
+ # Check if email already exists
+ existing = Superadmin.query.filter_by(email=email.lower()).first()
+ if existing:
+ raise ValueError(f"Superadmin with email {email} already exists")
+
+ # Hash credential
+ password_hash = bcrypt.generate_password_hash(credential).decode("utf-8")
+
+ # Create superadmin
+ superadmin = Superadmin(
+ email=email.lower(),
+ password_hash=password_hash,
+ full_name=full_name,
+ is_active=True,
+ )
+ superadmin.save()
+
+ logger.info(f"[SuperadminAuth] Created new superadmin: {email}")
+ return superadmin
+
+ @staticmethod
+ def update_superadmin(superadmin_id, **kwargs):
+ """Update superadmin details.
+
+ Args:
+ superadmin_id: Superadmin ID
+ **kwargs: Fields to update (email, full_name, is_active, credential)
+
+ Returns:
+ Updated Superadmin instance
+ """
+ superadmin = Superadmin.query.get(superadmin_id)
+ if not superadmin:
+ raise ValueError(f"Superadmin not found: {superadmin_id}")
+
+ # Handle credential update
+ if 'password' in kwargs:
+ kwargs['password_hash'] = bcrypt.generate_password_hash(kwargs.pop('password')).decode("utf-8")
+
+ # Update fields
+ for key, value in kwargs.items():
+ if hasattr(superadmin, key):
+ setattr(superadmin, key, value)
+
+ superadmin.save()
+ logger.info(f"[SuperadminAuth] Updated superadmin_id={superadmin_id}")
+ return superadmin
diff --git a/gatehouse_app/services/superadmin_organization_service.py b/gatehouse_app/services/superadmin_organization_service.py
new file mode 100644
index 0000000..295e6a4
--- /dev/null
+++ b/gatehouse_app/services/superadmin_organization_service.py
@@ -0,0 +1,244 @@
+"""Superadmin organization management service."""
+import logging
+from typing import Optional
+from gatehouse_app.extensions import db
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.user.session import Session
+
+logger = logging.getLogger(__name__)
+
+
+class SuperadminOrganizationService:
+ """Service for superadmin organization management operations."""
+
+ @staticmethod
+ def list_organizations(
+ page: int = 1,
+ per_page: int = 20,
+ search: Optional[str] = None,
+ status: Optional[str] = None,
+ plan_slug: Optional[str] = None,
+ ) -> dict:
+ """List organizations with pagination and filtering.
+
+ Args:
+ page: Page number (1-indexed)
+ per_page: Items per page
+ search: Search by name or slug
+ status: Filter by status (active, suspended)
+ plan_slug: Filter by plan slug (not implemented yet - requires Subscription model)
+
+ Returns:
+ Paginated response with organization summaries
+ """
+ query = Organization.query
+
+ # Search filter
+ if search:
+ search_term = f"%{search}%"
+ query = query.filter(
+ db.or_(
+ Organization.name.ilike(search_term),
+ Organization.slug.ilike(search_term),
+ )
+ )
+
+ # Status filter
+ if status == "active":
+ query = query.filter(Organization.is_active.is_(True))
+ elif status == "suspended":
+ query = query.filter(Organization.is_active.is_(False))
+
+ # Note: plan_slug filtering requires Plan/Subscription models (Phase 4)
+ # Currently ignored but parameter is accepted for API compatibility
+
+ # Order by created_at desc
+ query = query.order_by(Organization.created_at.desc())
+
+ # Paginate
+ pagination = query.paginate(page=page, per_page=per_page, error_out=False)
+
+ # Build response
+ items = []
+ for org in pagination.items:
+ item = {
+ "id": org.id,
+ "name": org.name,
+ "slug": org.slug,
+ "description": org.description,
+ "is_active": org.is_active,
+ "member_count": org.get_member_count(),
+ "created_at": org.created_at.isoformat() + "Z" if org.created_at else None,
+ "updated_at": org.updated_at.isoformat() + "Z" if org.updated_at else None,
+ }
+ items.append(item)
+
+ return {
+ "items": items,
+ "total": pagination.total,
+ "page": page,
+ "per_page": per_page,
+ "pages": pagination.pages,
+ }
+
+ @staticmethod
+ def get_organization_detail(org_id: str) -> dict:
+ """Get detailed organization information.
+
+ Args:
+ org_id: Organization UUID
+
+ Returns:
+ Organization detail with member_count, owner, stats
+
+ Raises:
+ ValueError: If organization not found
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ owner = org.get_owner()
+
+ # Count active sessions for org members
+ member_user_ids = [m.user_id for m in org.members if m.deleted_at is None]
+ active_sessions = Session.query.filter(
+ Session.user_id.in_(member_user_ids),
+ Session.deleted_at.is_(None),
+ ).count()
+
+ return {
+ "id": org.id,
+ "name": org.name,
+ "slug": org.slug,
+ "description": org.description,
+ "is_active": org.is_active,
+ "settings": org.settings or {},
+ "member_count": org.get_member_count(),
+ "owner": {
+ "id": owner.id,
+ "email": owner.email,
+ "full_name": owner.full_name,
+ } if owner else None,
+ "active_sessions": active_sessions,
+ "created_at": org.created_at.isoformat() + "Z" if org.created_at else None,
+ "updated_at": org.updated_at.isoformat() + "Z" if org.updated_at else None,
+ }
+
+ @staticmethod
+ def update_organization(
+ org_id: str,
+ name: Optional[str] = None,
+ description: Optional[str] = None,
+ is_active: Optional[bool] = None,
+ ) -> Organization:
+ """Update organization details.
+
+ Args:
+ org_id: Organization UUID
+ name: New name (optional)
+ description: New description (optional)
+ is_active: New active status (optional)
+
+ Returns:
+ Updated organization
+
+ Raises:
+ ValueError: If organization not found
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ if name is not None:
+ org.name = name
+ if description is not None:
+ org.description = description
+ if is_active is not None:
+ org.is_active = is_active
+
+ db.session.commit()
+ logger.info(f"[SuperadminOrg] Updated organization {org_id}")
+
+ return org
+
+ @staticmethod
+ def suspend_organization(org_id: str) -> Organization:
+ """Suspend an organization.
+
+ Sets is_active=False and invalidates all member sessions.
+
+ Args:
+ org_id: Organization UUID
+
+ Returns:
+ Suspended organization
+
+ Raises:
+ ValueError: If organization not found
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ org.is_active = False
+
+ # Invalidate all member sessions
+ member_user_ids = [m.user_id for m in org.members if m.deleted_at is None]
+ Session.query.filter(
+ Session.user_id.in_(member_user_ids),
+ Session.deleted_at.is_(None),
+ ).update({"deleted_at": db.func.now()})
+
+ db.session.commit()
+ logger.warning(f"[SuperadminOrg] Suspended organization {org_id}")
+
+ return org
+
+ @staticmethod
+ def restore_organization(org_id: str) -> Organization:
+ """Restore a suspended organization.
+
+ Args:
+ org_id: Organization UUID
+
+ Returns:
+ Restored organization
+
+ Raises:
+ ValueError: If organization not found
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ org.is_active = True
+ db.session.commit()
+ logger.info(f"[SuperadminOrg] Restored organization {org_id}")
+
+ return org
+
+ @staticmethod
+ def soft_delete_organization(org_id: str) -> Organization:
+ """Soft-delete an organization.
+
+ Args:
+ org_id: Organization UUID
+
+ Returns:
+ Soft-deleted organization
+
+ Raises:
+ ValueError: If organization not found
+ """
+ from datetime import datetime, timezone
+
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ org.deleted_at = datetime.now(timezone.utc)
+ db.session.commit()
+ logger.warning(f"[SuperadminOrg] Soft-deleted organization {org_id}")
+
+ return org
diff --git a/gatehouse_app/services/superadmin_usage_service.py b/gatehouse_app/services/superadmin_usage_service.py
new file mode 100644
index 0000000..c200066
--- /dev/null
+++ b/gatehouse_app/services/superadmin_usage_service.py
@@ -0,0 +1,199 @@
+"""Usage tracking service for superadmin operations."""
+import logging
+from datetime import datetime, timedelta, timezone
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.user.session import Session
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+
+logger = logging.getLogger(__name__)
+
+
+class UsageMetric:
+ """Usage metric types."""
+ USERS = "users"
+ SESSIONS = "sessions"
+ ACTIVE_SESSIONS = "active_sessions"
+ API_CALLS = "api_calls"
+
+
+class SuperadminUsageService:
+ """Service for tracking and retrieving usage metrics."""
+
+ @staticmethod
+ def get_current_usage(org_id: str) -> dict:
+ """Get current period usage for an organization.
+
+ Args:
+ org_id: Organization UUID
+
+ Returns:
+ Current usage metrics including user count and active sessions
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ # Get active member count
+ member_count = org.get_member_count()
+
+ # Get active sessions count
+ member_user_ids = [m.user_id for m in org.members if m.deleted_at is None]
+ active_sessions = Session.query.filter(
+ Session.user_id.in_(member_user_ids),
+ Session.deleted_at.is_(None),
+ Session.status == "active",
+ ).count()
+
+ # Get max concurrent sessions this month
+ now = datetime.now(timezone.utc)
+ period_start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
+
+ # For simplicity, we'll track peak concurrent sessions
+ # In production, you'd want a separate tracking table
+ max_sessions_this_month = active_sessions # Placeholder
+
+ return {
+ "organization_id": org_id,
+ "period_start": period_start.isoformat() + "Z",
+ "period_end": now.isoformat() + "Z",
+ "metrics": {
+ "users": {
+ "current": member_count,
+ "limit": None, # Will come from plan
+ "description": "Total organization members",
+ },
+ "active_sessions": {
+ "current": active_sessions,
+ "max_this_month": max_sessions_this_month,
+ "description": "Currently active user sessions",
+ },
+ },
+ }
+
+ @staticmethod
+ def get_usage_history(
+ org_id: str,
+ metric: str,
+ days: int = 30,
+ ) -> dict:
+ """Get usage history for a specific metric.
+
+ Args:
+ org_id: Organization UUID
+ metric: Metric type (users, sessions)
+ days: Number of days of history
+
+ Returns:
+ List of daily usage data points
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ now = datetime.now(timezone.utc)
+ start_date = now - timedelta(days=days)
+
+ # Get member history (simplified - would need a history table in production)
+ history = []
+ current_count = org.get_member_count()
+
+ # Generate daily data points (placeholder - real implementation needs history table)
+ for i in range(days):
+ date = start_date + timedelta(days=i)
+ history.append({
+ "date": date.strftime("%Y-%m-%d"),
+ "value": current_count, # Simplified
+ })
+
+ return {
+ "organization_id": org_id,
+ "metric": metric,
+ "period_start": start_date.isoformat() + "Z",
+ "period_end": now.isoformat() + "Z",
+ "history": history,
+ }
+
+ @staticmethod
+ def get_seat_count_for_period(org_id: str, year: int, month: int) -> dict:
+ """Calculate maximum seat count used in a given month.
+
+ For billing purposes - tracks the peak number of users.
+
+ Args:
+ org_id: Organization UUID
+ year: Year
+ month: Month
+
+ Returns:
+ Seat count data for the period
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ # Calculate first and last day of month
+ first_day = datetime(year, month, 1, tzinfo=timezone.utc)
+ if month == 12:
+ last_day = datetime(year + 1, 1, 1, tzinfo=timezone.utc) - timedelta(seconds=1)
+ else:
+ last_day = datetime(year, month + 1, 1, tzinfo=timezone.utc) - timedelta(seconds=1)
+
+ # Get all members that existed during this period
+ members = OrganizationMember.query.filter(
+ OrganizationMember.organization_id == org_id,
+ OrganizationMember.deleted_at.is_(None),
+ ).all()
+
+ # Count unique users who were members at any point during the month
+ max_seats = len(members)
+
+ # Current count at end of month
+ current_seats = len([m for m in members if m.deleted_at is None or m.deleted_at > last_day])
+
+ return {
+ "organization_id": org_id,
+ "period": f"{year}-{month:02d}",
+ "max_seats": max_seats,
+ "current_seats": current_seats,
+ "period_start": first_day.isoformat() + "Z",
+ "period_end": last_day.isoformat() + "Z",
+ }
+
+ @staticmethod
+ def adjust_usage(
+ org_id: str,
+ metric: str,
+ adjustment: int,
+ reason: str,
+ superadmin_id: str,
+ ) -> dict:
+ """Apply a manual usage adjustment (credit or charge).
+
+ Args:
+ org_id: Organization UUID
+ metric: Metric to adjust
+ adjustment: Positive (credit) or negative (charge)
+ reason: Reason for adjustment
+ superadmin_id: Superadmin making the adjustment
+
+ Returns:
+ Adjustment confirmation
+ """
+ org = Organization.query.get(org_id)
+ if not org:
+ raise ValueError("Organization not found")
+
+ # In production, you'd create a UsageAdjustment record
+ # For now, just log and return
+ logger.warning(
+ f"[SuperadminUsage] Adjustment: org={org_id}, metric={metric}, "
+ f"adjustment={adjustment}, reason={reason}, by={superadmin_id}"
+ )
+
+ return {
+ "organization_id": org_id,
+ "metric": metric,
+ "adjustment": adjustment,
+ "reason": reason,
+ "applied_at": datetime.now(timezone.utc).isoformat() + "Z",
+ }
diff --git a/gatehouse_app/services/superadmin_user_service.py b/gatehouse_app/services/superadmin_user_service.py
new file mode 100644
index 0000000..551e616
--- /dev/null
+++ b/gatehouse_app/services/superadmin_user_service.py
@@ -0,0 +1,371 @@
+"""User management service for superadmin operations."""
+import logging
+from datetime import datetime, timezone
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.user.session import Session
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+from gatehouse_app.extensions import db
+
+logger = logging.getLogger(__name__)
+
+
+class SuperadminUserService:
+ """Service for managing users across the platform."""
+
+ @staticmethod
+ def list_users(
+ page: int = 1,
+ per_page: int = 20,
+ org_id: str = None,
+ status: str = None,
+ search: str = None,
+ ) -> dict:
+ """List users with filters and pagination.
+
+ Args:
+ page: Page number
+ per_page: Items per page
+ org_id: Filter by organization
+ status: Filter by status (active/suspended)
+ search: Search by email or name
+
+ Returns:
+ Paginated user list with metadata
+ """
+ query = User.query.filter(User.deleted_at.is_(None))
+
+ # Filter by organization
+ if org_id:
+ member_user_ids = db.session.query(OrganizationMember.user_id).filter(
+ OrganizationMember.organization_id == org_id,
+ OrganizationMember.deleted_at.is_(None),
+ ).all()
+ user_ids = [m.user_id for m in member_user_ids]
+ query = query.filter(User.id.in_(user_ids))
+
+ # Filter by status
+ if status == "suspended":
+ query = query.filter(User.status == "GLOBAL_SUSPENDED")
+ elif status == "active":
+ query = query.filter(User.status != "GLOBAL_SUSPENDED")
+
+ # Search
+ if search:
+ search_filter = f"%{search}%"
+ query = query.filter(
+ db.or_(
+ User.email.ilike(search_filter),
+ User.full_name.ilike(search_filter),
+ )
+ )
+
+ query = query.order_by(User.created_at.desc())
+
+ total = query.count()
+ users = query.offset((page - 1) * per_page).limit(per_page).all()
+
+ items = []
+ for user in users:
+ # Get org memberships
+ memberships = OrganizationMember.query.filter(
+ OrganizationMember.user_id == user.id,
+ OrganizationMember.deleted_at.is_(None),
+ ).all()
+
+ orgs = []
+ for m in memberships:
+ org = Organization.query.get(m.organization_id)
+ if org:
+ orgs.append({
+ "org_id": org.id,
+ "org_name": org.name,
+ "role": m.role,
+ })
+
+ # Get active sessions count
+ active_sessions = Session.query.filter(
+ Session.user_id == user.id,
+ Session.deleted_at.is_(None),
+ Session.status == "active",
+ ).count()
+
+ items.append({
+ "id": user.id,
+ "email": user.email,
+ "full_name": user.full_name,
+ "status": user.status,
+ "org_count": len(orgs),
+ "orgs": orgs,
+ "active_sessions": active_sessions,
+ "last_login_at": user.last_login_at.isoformat() + "Z" if user.last_login_at else None,
+ "created_at": user.created_at.isoformat() + "Z" if user.created_at else None,
+ })
+
+ return {
+ "items": items,
+ "total": total,
+ "page": page,
+ "per_page": per_page,
+ "pages": (total + per_page - 1) // per_page if per_page > 0 else 0,
+ }
+
+ @staticmethod
+ def get_user_detail(user_id: str) -> dict:
+ """Get detailed user information.
+
+ Args:
+ user_id: User UUID
+
+ Returns:
+ User detail with orgs, sessions, security methods
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ # Get org memberships
+ memberships = OrganizationMember.query.filter(
+ OrganizationMember.user_id == user_id,
+ OrganizationMember.deleted_at.is_(None),
+ ).all()
+
+ orgs = []
+ for m in memberships:
+ org = Organization.query.get(m.organization_id)
+ if org:
+ orgs.append({
+ "org_id": org.id,
+ "org_name": org.name,
+ "org_slug": org.slug,
+ "role": m.role,
+ "joined_at": m.created_at.isoformat() + "Z" if m.created_at else None,
+ })
+
+ # Get active sessions
+ sessions = Session.query.filter(
+ Session.user_id == user_id,
+ Session.deleted_at.is_(None),
+ Session.status == "active",
+ ).all()
+
+ active_sessions = [{
+ "id": s.id,
+ "ip_address": s.ip_address,
+ "user_agent": s.user_agent,
+ "created_at": s.created_at.isoformat() + "Z" if s.created_at else None,
+ } for s in sessions]
+
+ # Security methods
+ security_methods = []
+ if hasattr(user, 'totp_enabled') and user.totp_enabled:
+ security_methods.append({"type": "totp", "enabled": True})
+ if hasattr(user, 'webauthn_enabled') and user.webauthn_enabled:
+ security_methods.append({"type": "webauthn", "enabled": True})
+
+ return {
+ "user": {
+ "id": user.id,
+ "email": user.email,
+ "full_name": user.full_name,
+ "status": user.status,
+ "mfa_enabled": user.mfa_enabled if hasattr(user, 'mfa_enabled') else False,
+ "last_login_at": user.last_login_at.isoformat() + "Z" if user.last_login_at else None,
+ "created_at": user.created_at.isoformat() + "Z" if user.created_at else None,
+ },
+ "organizations": orgs,
+ "active_sessions": active_sessions,
+ "security_methods": security_methods,
+ }
+
+ @staticmethod
+ def suspend_user(user_id: str) -> dict:
+ """Globally suspend a user.
+
+ Args:
+ user_id: User UUID
+
+ Returns:
+ Updated user info and count of revoked sessions
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ if user.status == "GLOBAL_SUSPENDED":
+ raise ValueError("User is already suspended")
+
+ user.status = "GLOBAL_SUSPENDED"
+ db.session.commit()
+
+ # Revoke all sessions
+ revoked_count = Session.query.filter(
+ Session.user_id == user_id,
+ Session.deleted_at.is_(None),
+ ).update({"status": "revoked", "deleted_at": db.func.now()})
+ db.session.commit()
+
+ return {
+ "user": {
+ "id": user.id,
+ "email": user.email,
+ "status": user.status,
+ },
+ "sessions_revoked": revoked_count,
+ }
+
+ @staticmethod
+ def unsuspend_user(user_id: str) -> dict:
+ """Remove global suspension from a user.
+
+ Args:
+ user_id: User UUID
+
+ Returns:
+ Updated user info
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ if user.status != "GLOBAL_SUSPENDED":
+ raise ValueError("User is not suspended")
+
+ user.status = "active"
+ db.session.commit()
+
+ return {
+ "user": {
+ "id": user.id,
+ "email": user.email,
+ "status": user.status,
+ },
+ }
+
+ @staticmethod
+ def reset_password(user_id: str) -> dict:
+ """Trigger password reset for user.
+
+ Args:
+ user_id: User UUID
+
+ Returns:
+ Email of user
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ # In production, this would call AuthService.send_password_reset_email
+ logger.info(f"[SuperadminUserService] Password reset requested for {user.email}")
+
+ return {"email": user.email}
+
+ @staticmethod
+ def revoke_all_sessions(user_id: str) -> dict:
+ """Revoke all sessions for a user.
+
+ Args:
+ user_id: User UUID
+
+ Returns:
+ Count of revoked sessions
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ result = Session.query.filter(
+ Session.user_id == user_id,
+ Session.deleted_at.is_(None),
+ ).update({"status": "revoked", "deleted_at": db.func.now()})
+ db.session.commit()
+
+ return {
+ "user_id": user_id,
+ "count": result,
+ }
+
+ @staticmethod
+ def add_to_org(user_id: str, org_id: str, role: str = "member") -> dict:
+ """Add a user to an organization.
+
+ Args:
+ user_id: User UUID
+ org_id: Organization UUID
+ role: Membership role
+
+ Returns:
+ Membership details
+ """
+ user = User.query.get(user_id)
+ if not user or user.deleted_at is not None:
+ raise ValueError("User not found")
+
+ org = Organization.query.get(org_id)
+ if not org or org.deleted_at is not None:
+ raise ValueError("Organization not found")
+
+ # Check if already a member
+ existing = OrganizationMember.query.filter(
+ OrganizationMember.user_id == user_id,
+ OrganizationMember.organization_id == org_id,
+ OrganizationMember.deleted_at.is_(None),
+ ).first()
+
+ if existing:
+ raise ValueError("User is already a member of this organization")
+
+ membership = OrganizationMember(
+ user_id=user_id,
+ organization_id=org_id,
+ role=role,
+ )
+ db.session.add(membership)
+ db.session.commit()
+
+ return {
+ "user_id": user_id,
+ "organization_id": org_id,
+ "role": role,
+ "joined_at": membership.created_at.isoformat() + "Z" if membership.created_at else None,
+ }
+
+ @staticmethod
+ def remove_from_org(user_id: str, org_id: str) -> dict:
+ """Remove a user from an organization.
+
+ Args:
+ user_id: User UUID
+ org_id: Organization UUID
+
+ Returns:
+ Confirmation
+ """
+ membership = OrganizationMember.query.filter(
+ OrganizationMember.user_id == user_id,
+ OrganizationMember.organization_id == org_id,
+ OrganizationMember.deleted_at.is_(None),
+ ).first()
+
+ if not membership:
+ raise ValueError("User is not a member of this organization")
+
+ # Check if user is the only owner
+ if membership.role == "owner":
+ owner_count = OrganizationMember.query.filter(
+ OrganizationMember.organization_id == org_id,
+ OrganizationMember.role == "owner",
+ OrganizationMember.deleted_at.is_(None),
+ ).count()
+
+ if owner_count <= 1:
+ raise ValueError("Cannot remove the only owner from an organization. Transfer ownership first.")
+
+ membership.deleted_at = db.func.now()
+ db.session.commit()
+
+ return {
+ "user_id": user_id,
+ "organization_id": org_id,
+ }
diff --git a/gatehouse_app/services/zerotier_reconciliation_service.py b/gatehouse_app/services/zerotier_reconciliation_service.py
index c78119b..9238018 100644
--- a/gatehouse_app/services/zerotier_reconciliation_service.py
+++ b/gatehouse_app/services/zerotier_reconciliation_service.py
@@ -283,9 +283,9 @@ def reconcile_deleted_memberships() -> dict:
if not device or not network:
logger.warning(
f"[Reconciliation] Membership {membership.id}: missing "
- f"{'device' if not device else 'network'} — hard-deleting record only."
+ f"{'device' if not device else 'network'} — soft-deleting record only."
)
- db.session.delete(membership)
+ membership.delete(soft=True)
db.session.commit()
results["deleted"] += 1
continue
@@ -304,20 +304,20 @@ def reconcile_deleted_memberships() -> dict:
except Exception as zt_exc:
logger.warning(
f"[Reconciliation] ZT delete failed for node {node_id} "
- f"on {network_label}: {zt_exc} — proceeding with DB hard-delete."
+ f"on {network_label}: {zt_exc} — proceeding with DB soft-delete."
)
- db.session.delete(membership)
+ membership.delete(soft=True)
db.session.commit()
results["deleted"] += 1
logger.debug(
- f"[Reconciliation] Hard-deleted membership {membership.id} "
+ f"[Reconciliation] Soft-deleted membership {membership.id} "
f"(node={node_id}, network={network_label})."
)
except Exception as exc:
logger.error(
- f"[Reconciliation] Failed to hard-delete membership {membership.id}: {exc}",
+ f"[Reconciliation] Failed to soft-delete membership {membership.id}: {exc}",
exc_info=True,
)
results["errors"] += 1
diff --git a/gatehouse_app/utils/constants.py b/gatehouse_app/utils/constants.py
index 9968a01..1d600b7 100644
--- a/gatehouse_app/utils/constants.py
+++ b/gatehouse_app/utils/constants.py
@@ -75,6 +75,7 @@ class AuditAction(str, Enum):
ORG_MEMBER_REMOVE = "org.member.remove"
ORG_MEMBER_ROLE_CHANGE = "org.member.role_change"
ORG_OWNERSHIP_TRANSFERRED = "org.ownership.transferred"
+ ORG_INVITE_SENT = "org.invite.sent"
# Session actions
SESSION_CREATE = "session.create"
diff --git a/gatehouse_app/utils/decorators.py b/gatehouse_app/utils/decorators.py
index 5cbb649..8a90dbd 100644
--- a/gatehouse_app/utils/decorators.py
+++ b/gatehouse_app/utils/decorators.py
@@ -59,11 +59,9 @@ def login_required(f):
error_type="SESSION_INACTIVE"
)
- # Update last_activity_at timestamp
- from datetime import datetime, timezone
- session.last_activity_at = datetime.now(timezone.utc)
- from gatehouse_app import db
- db.session.commit()
+ # Extend session via sliding window (updates last_activity_at
+ # and recalculates expires_at within the idle / absolute caps).
+ session.refresh()
# Set context variables
g.current_user = session.user
diff --git a/manage.py b/manage.py
index 06d3fc7..9975216 100644
--- a/manage.py
+++ b/manage.py
@@ -153,6 +153,31 @@ def mfa_compliance_status():
print("=" * 60)
+@cli.command("cleanup_sessions")
+def cleanup_sessions():
+ """Clean up expired user sessions.
+
+ Marks sessions as EXPIRED when they have passed their expires_at
+ timestamp. Safe to run frequently (e.g. every 5 minutes via job_runner).
+
+ Usage:
+ python manage.py cleanup_sessions
+ """
+ from gatehouse_app.services.session_service import SessionService
+
+ print("=" * 60)
+ print("Session Cleanup Job")
+ print("=" * 60)
+
+ from datetime import datetime, timezone
+ print(f"Start time: {datetime.now(timezone.utc).isoformat()}")
+
+ count = SessionService.cleanup_expired_sessions()
+
+ print(f"Expired sessions marked: {count}")
+ print("=" * 60)
+
+
@cli.command("configure_oauth")
@click.argument("provider", required=False)
@click.option("--client-id", default=None, help="OAuth client ID")
diff --git a/migrations/versions/6a4c4ed4a5c6_initial_migration.py b/migrations/versions/6a4c4ed4a5c6_initial_migration.py
index d325376..67f8719 100644
--- a/migrations/versions/6a4c4ed4a5c6_initial_migration.py
+++ b/migrations/versions/6a4c4ed4a5c6_initial_migration.py
@@ -29,8 +29,7 @@ def upgrade():
sa.Column('created_at', sa.DateTime(), nullable=False),
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_application_provider_configs_provider_type'), 'application_provider_configs', ['provider_type'], unique=True)
op.create_table('oidc_jwks_keys',
@@ -63,8 +62,7 @@ def upgrade():
sa.Column('created_at', sa.DateTime(), nullable=False),
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_organizations_slug'), 'organizations', ['slug'], unique=True)
op.create_table('users',
@@ -81,8 +79,7 @@ def upgrade():
sa.Column('created_at', sa.DateTime(), nullable=False),
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_users_activation_key'), 'users', ['activation_key'], unique=True)
op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True)
@@ -105,8 +102,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index('idx_audit_org', 'audit_logs', ['organization_id', 'created_at'], unique=False)
op.create_index('idx_audit_resource', 'audit_logs', ['resource_type', 'resource_id'], unique=False)
@@ -135,7 +131,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'method_type', 'provider_user_id', name='uix_user_method_provider')
)
op.create_index('idx_user_method', 'authentication_methods', ['user_id', 'method_type'], unique=False)
@@ -165,7 +160,6 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
sa.UniqueConstraint('fingerprint'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'name', name='uix_org_ca_name')
)
op.create_index('idx_ca_org_active', 'cas', ['organization_id', 'is_active'], unique=False)
@@ -182,7 +176,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'name', name='uix_org_dept_name')
)
op.create_index(op.f('ix_departments_name'), 'departments', ['name'], unique=False)
@@ -202,8 +195,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_devices_node_id'), 'devices', ['node_id'], unique=False)
op.create_index(op.f('ix_devices_organization_id'), 'devices', ['organization_id'], unique=False)
@@ -218,8 +210,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_email_verification_tokens_token'), 'email_verification_tokens', ['token'], unique=True)
op.create_index(op.f('ix_email_verification_tokens_user_id'), 'email_verification_tokens', ['user_id'], unique=False)
@@ -242,7 +233,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'provider_type', name='uix_org_provider_type')
)
op.create_index('idx_provider_config_org', 'external_provider_configs', ['organization_id', 'provider_type'], unique=False)
@@ -262,8 +252,7 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['target_user_id'], ['users.id'], ),
sa.ForeignKeyConstraint(['triggered_by_user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_kill_switch_events_organization_id'), 'kill_switch_events', ['organization_id'], unique=False)
op.create_index(op.f('ix_kill_switch_events_target_user_id'), 'kill_switch_events', ['target_user_id'], unique=False)
@@ -285,7 +274,6 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org_compliance')
)
op.create_index(op.f('ix_mfa_policy_compliance_organization_id'), 'mfa_policy_compliance', ['organization_id'], unique=False)
@@ -310,8 +298,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oauth_states_expires_at'), 'oauth_states', ['expires_at'], unique=False)
op.create_index(op.f('ix_oauth_states_organization_id'), 'oauth_states', ['organization_id'], unique=False)
@@ -340,8 +327,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oidc_clients_client_id'), 'oidc_clients', ['client_id'], unique=True)
op.create_index(op.f('ix_oidc_clients_organization_id'), 'oidc_clients', ['organization_id'], unique=False)
@@ -359,8 +345,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['invited_by_id'], ['users.id'], ondelete='SET NULL'),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ondelete='CASCADE'),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_org_invite_tokens_email'), 'org_invite_tokens', ['email'], unique=False)
op.create_index(op.f('ix_org_invite_tokens_organization_id'), 'org_invite_tokens', ['organization_id'], unique=False)
@@ -379,8 +364,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index('idx_api_key_last_used', 'organization_api_keys', ['last_used_at'], unique=False)
op.create_index('idx_org_api_key_org_active', 'organization_api_keys', ['organization_id', 'is_revoked'], unique=False)
@@ -402,7 +386,6 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org')
)
op.create_index(op.f('ix_organization_members_organization_id'), 'organization_members', ['organization_id'], unique=False)
@@ -421,7 +404,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'provider_type', name='uix_org_provider_override_type')
)
op.create_index(op.f('ix_organization_provider_overrides_organization_id'), 'organization_provider_overrides', ['organization_id'], unique=False)
@@ -439,8 +421,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['updated_by_user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_organization_security_policies_organization_id'), 'organization_security_policies', ['organization_id'], unique=True)
op.create_table('password_reset_tokens',
@@ -453,8 +434,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_password_reset_tokens_token'), 'password_reset_tokens', ['token'], unique=True)
op.create_index(op.f('ix_password_reset_tokens_user_id'), 'password_reset_tokens', ['user_id'], unique=False)
@@ -476,7 +456,6 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['owner_user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'zerotier_network_id', name='uix_org_zt_network_id')
)
op.create_index(op.f('ix_portal_networks_organization_id'), 'portal_networks', ['organization_id'], unique=False)
@@ -491,7 +470,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('organization_id', 'name', name='uix_org_principal_name')
)
op.create_index(op.f('ix_principals_name'), 'principals', ['name'], unique=False)
@@ -513,8 +491,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_sessions_token'), 'sessions', ['token'], unique=True)
op.create_index(op.f('ix_sessions_user_id'), 'sessions', ['user_id'], unique=False)
@@ -536,7 +513,6 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('payload')
)
op.create_index('idx_ssh_key_user_verified', 'ssh_keys', ['user_id', 'verified'], unique=False)
@@ -556,7 +532,6 @@ def upgrade():
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org_policy')
)
op.create_index(op.f('ix_user_security_policies_organization_id'), 'user_security_policies', ['organization_id'], unique=False)
@@ -572,8 +547,7 @@ def upgrade():
sa.ForeignKeyConstraint(['ca_id'], ['cas.id'], ondelete='CASCADE'),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('ca_id', 'user_id', name='uix_ca_permission'),
- sa.UniqueConstraint('id')
+ sa.UniqueConstraint('ca_id', 'user_id', name='uix_ca_permission')
)
op.create_index(op.f('ix_ca_permissions_ca_id'), 'ca_permissions', ['ca_id'], unique=False)
op.create_index(op.f('ix_ca_permissions_user_id'), 'ca_permissions', ['user_id'], unique=False)
@@ -589,8 +563,7 @@ def upgrade():
sa.Column('updated_at', sa.DateTime(), nullable=False),
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['department_id'], ['departments.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_department_cert_policies_department_id'), 'department_cert_policies', ['department_id'], unique=True)
op.create_table('department_memberships',
@@ -603,7 +576,6 @@ def upgrade():
sa.ForeignKeyConstraint(['department_id'], ['departments.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'department_id', name='uix_user_dept')
)
op.create_index(op.f('ix_department_memberships_department_id'), 'department_memberships', ['department_id'], unique=False)
@@ -618,8 +590,7 @@ def upgrade():
sa.ForeignKeyConstraint(['department_id'], ['departments.id'], ),
sa.ForeignKeyConstraint(['principal_id'], ['principals.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('department_id', 'principal_id', name='uix_dept_principal'),
- sa.UniqueConstraint('id')
+ sa.UniqueConstraint('department_id', 'principal_id', name='uix_dept_principal')
)
op.create_index(op.f('ix_department_principals_department_id'), 'department_principals', ['department_id'], unique=False)
op.create_index(op.f('ix_department_principals_principal_id'), 'department_principals', ['principal_id'], unique=False)
@@ -640,8 +611,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oidc_audit_logs_client_id'), 'oidc_audit_logs', ['client_id'], unique=False)
op.create_index(op.f('ix_oidc_audit_logs_event_type'), 'oidc_audit_logs', ['event_type'], unique=False)
@@ -668,8 +638,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oidc_authorization_codes_client_id'), 'oidc_authorization_codes', ['client_id'], unique=False)
op.create_index(op.f('ix_oidc_authorization_codes_expires_at'), 'oidc_authorization_codes', ['expires_at'], unique=False)
@@ -693,8 +662,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oidc_refresh_tokens_access_token_id'), 'oidc_refresh_tokens', ['access_token_id'], unique=False)
op.create_index(op.f('ix_oidc_refresh_tokens_client_id'), 'oidc_refresh_tokens', ['client_id'], unique=False)
@@ -718,8 +686,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_oidc_sessions_client_id'), 'oidc_sessions', ['client_id'], unique=False)
op.create_index(op.f('ix_oidc_sessions_expires_at'), 'oidc_sessions', ['expires_at'], unique=False)
@@ -755,7 +722,6 @@ def upgrade():
sa.ForeignKeyConstraint(['principal_id'], ['principals.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'principal_id', name='uix_user_principal')
)
op.create_index(op.f('ix_principal_memberships_principal_id'), 'principal_memberships', ['principal_id'], unique=False)
@@ -787,8 +753,7 @@ def upgrade():
sa.ForeignKeyConstraint(['ssh_key_id'], ['ssh_keys.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('ca_id', 'serial', name='uq_ssh_certificates_ca_serial'),
- sa.UniqueConstraint('id')
+ sa.UniqueConstraint('ca_id', 'serial', name='uq_ssh_certificates_ca_serial')
)
op.create_index('idx_cert_revoked', 'ssh_certificates', ['revoked', 'revoked_at'], unique=False)
op.create_index('idx_cert_user_status', 'ssh_certificates', ['user_id', 'status'], unique=False)
@@ -816,7 +781,6 @@ def upgrade():
sa.ForeignKeyConstraint(['portal_network_id'], ['portal_networks.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('user_id', 'portal_network_id', 'deleted_at', name='uix_user_network_approval')
)
op.create_index(op.f('ix_user_network_approvals_organization_id'), 'user_network_approvals', ['organization_id'], unique=False)
@@ -840,8 +804,7 @@ def upgrade():
sa.Column('deleted_at', sa.DateTime(), nullable=True),
sa.ForeignKeyConstraint(['certificate_id'], ['ssh_certificates.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index('idx_cert_audit_cert_action', 'certificate_audit_logs', ['certificate_id', 'action'], unique=False)
op.create_index('idx_cert_audit_user', 'certificate_audit_logs', ['user_id', 'created_at'], unique=False)
@@ -868,8 +831,7 @@ def upgrade():
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
sa.ForeignKeyConstraint(['user_network_approval_id'], ['user_network_approvals.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('device_id', 'portal_network_id', 'deleted_at', name='uix_device_network'),
- sa.UniqueConstraint('id')
+ sa.UniqueConstraint('device_id', 'portal_network_id', 'deleted_at', name='uix_device_network')
)
op.create_index(op.f('ix_device_network_memberships_device_id'), 'device_network_memberships', ['device_id'], unique=False)
op.create_index(op.f('ix_device_network_memberships_organization_id'), 'device_network_memberships', ['organization_id'], unique=False)
@@ -894,8 +856,7 @@ def upgrade():
sa.ForeignKeyConstraint(['device_network_membership_id'], ['device_network_memberships.id'], ),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
- sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id')
+ sa.PrimaryKeyConstraint('id')
)
op.create_index(op.f('ix_activation_sessions_device_network_membership_id'), 'activation_sessions', ['device_network_membership_id'], unique=False)
op.create_index(op.f('ix_activation_sessions_organization_id'), 'activation_sessions', ['organization_id'], unique=False)
@@ -917,7 +878,6 @@ def upgrade():
sa.ForeignKeyConstraint(['device_network_membership_id'], ['device_network_memberships.id'], ),
sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ),
sa.PrimaryKeyConstraint('id'),
- sa.UniqueConstraint('id'),
sa.UniqueConstraint('zerotier_network_id', 'node_id', name='uix_zt_network_node')
)
op.create_index(op.f('ix_zerotier_memberships_device_network_membership_id'), 'zerotier_memberships', ['device_network_membership_id'], unique=False)
diff --git a/migrations/versions/8f2d9e4a7c1b_add_org_id_to_cert_audit_logs.py b/migrations/versions/8f2d9e4a7c1b_add_org_id_to_cert_audit_logs.py
new file mode 100644
index 0000000..6d9c656
--- /dev/null
+++ b/migrations/versions/8f2d9e4a7c1b_add_org_id_to_cert_audit_logs.py
@@ -0,0 +1,50 @@
+"""Add organization_id to certificate_audit_logs.
+
+Revision ID: 8f2d9e4a7c1b
+Revises: b4cd6c6b3b1c
+Create Date: 2026-04-23 07:30:00.000000
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '8f2d9e4a7c1b'
+down_revision = 'b4cd6c6b3b1c'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+ # Add organization_id column to certificate_audit_logs
+ op.add_column(
+ 'certificate_audit_logs',
+ sa.Column('organization_id', sa.String(length=36), nullable=True)
+ )
+
+ # Create index on organization_id
+ op.create_index(
+ op.f('ix_certificate_audit_logs_organization_id'),
+ 'certificate_audit_logs',
+ ['organization_id']
+ )
+
+ # Create foreign key constraint
+ op.create_foreign_key(
+ 'fk_cert_audit_log_organization',
+ 'certificate_audit_logs',
+ 'organizations',
+ ['organization_id'],
+ ['id']
+ )
+
+
+def downgrade():
+ # Drop foreign key constraint
+ op.drop_constraint('fk_cert_audit_log_organization', 'certificate_audit_logs', type_='foreignkey')
+
+ # Drop index
+ op.drop_index(op.f('ix_certificate_audit_logs_organization_id'), 'certificate_audit_logs')
+
+ # Drop organization_id column
+ op.drop_column('certificate_audit_logs', 'organization_id')
diff --git a/migrations/versions/a1b2c3d4e5f6_per_user_ssh_key_fingerprint.py b/migrations/versions/a1b2c3d4e5f6_per_user_ssh_key_fingerprint.py
new file mode 100644
index 0000000..5caa0f0
--- /dev/null
+++ b/migrations/versions/a1b2c3d4e5f6_per_user_ssh_key_fingerprint.py
@@ -0,0 +1,44 @@
+"""Per-user SSH key fingerprint uniqueness.
+
+Revision ID: a1b2c3d4e5f6
+Revises: 8f2d9e4a7c1b
+Create Date: 2026-04-24 10:00:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'a1b2c3d4e5f6'
+down_revision = '8f2d9e4a7c1b'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+ # Drop the global unique constraint on payload
+ op.drop_constraint('ssh_keys_payload_key', 'ssh_keys', type_='unique')
+
+ # Drop the global unique index on fingerprint
+ op.drop_index('ix_ssh_keys_fingerprint', table_name='ssh_keys')
+
+ # Create a non-unique index on fingerprint for query performance
+ op.create_index(op.f('ix_ssh_keys_fingerprint'), 'ssh_keys', ['fingerprint'], unique=False)
+
+ # Add composite unique constraint for per-user fingerprint uniqueness
+ op.create_unique_constraint('uix_user_fingerprint', 'ssh_keys', ['user_id', 'fingerprint'])
+
+
+def downgrade():
+ # Drop the composite unique constraint
+ op.drop_constraint('uix_user_fingerprint', 'ssh_keys', type_='unique')
+
+ # Drop the non-unique index
+ op.drop_index(op.f('ix_ssh_keys_fingerprint'), table_name='ssh_keys')
+
+ # Recreate the global unique index
+ op.create_index('ix_ssh_keys_fingerprint', 'ssh_keys', ['fingerprint'], unique=True)
+
+ # Recreate the global unique constraint on payload
+ op.create_unique_constraint('ssh_keys_payload_key', 'ssh_keys', ['payload'])
\ No newline at end of file
diff --git a/migrations/versions/b4cd6c6b3b1c_superadmin.py b/migrations/versions/b4cd6c6b3b1c_superadmin.py
new file mode 100644
index 0000000..9bddeb4
--- /dev/null
+++ b/migrations/versions/b4cd6c6b3b1c_superadmin.py
@@ -0,0 +1,100 @@
+"""Superadmin
+
+Revision ID: b4cd6c6b3b1c
+Revises: 6a4c4ed4a5c6
+Create Date: 2026-04-08 16:55:52.646980
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'b4cd6c6b3b1c'
+down_revision = '6a4c4ed4a5c6'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+ # --- Create superadmin tables (not captured by auto-generation) ---
+ op.create_table(
+ 'superadmins',
+ sa.Column('id', sa.String(length=36), nullable=False),
+ sa.Column('email', sa.String(length=255), nullable=False),
+ sa.Column('password_hash', sa.String(length=255), nullable=False),
+ sa.Column('full_name', sa.String(length=255), nullable=True),
+ sa.Column('is_active', sa.Boolean(), nullable=False, server_default=sa.text('true')),
+ sa.Column('last_login_at', sa.DateTime(), nullable=True),
+ sa.Column('created_at', sa.DateTime(), nullable=False),
+ sa.Column('updated_at', sa.DateTime(), nullable=False),
+ sa.Column('deleted_at', sa.DateTime(), nullable=True),
+ sa.PrimaryKeyConstraint('id'),
+ )
+ op.create_index(op.f('ix_superadmins_email'), 'superadmins', ['email'], unique=True)
+
+ op.create_table(
+ 'superadmin_sessions',
+ sa.Column('id', sa.String(length=36), nullable=False),
+ sa.Column('superadmin_id', sa.String(length=36), nullable=False),
+ sa.Column('token', sa.String(length=255), nullable=False),
+ sa.Column('expires_at', sa.DateTime(), nullable=False),
+ sa.Column('last_activity_at', sa.DateTime(), nullable=False),
+ sa.Column('ip_address', sa.String(length=45), nullable=True),
+ sa.Column('user_agent', sa.Text(), nullable=True),
+ sa.Column('revoked_at', sa.DateTime(), nullable=True),
+ sa.Column('revoked_reason', sa.String(length=255), nullable=True),
+ sa.Column('created_at', sa.DateTime(), nullable=False),
+ sa.Column('updated_at', sa.DateTime(), nullable=False),
+ sa.Column('deleted_at', sa.DateTime(), nullable=True),
+ sa.ForeignKeyConstraint(['superadmin_id'], ['superadmins.id']),
+ sa.PrimaryKeyConstraint('id'),
+ )
+ op.create_index(op.f('ix_superadmin_sessions_superadmin_id'), 'superadmin_sessions', ['superadmin_id'])
+ op.create_index(op.f('ix_superadmin_sessions_token'), 'superadmin_sessions', ['token'], unique=True)
+
+ op.create_table(
+ 'superadmin_audit_logs',
+ sa.Column('id', sa.String(length=36), nullable=False),
+ sa.Column('superadmin_id', sa.String(length=36), nullable=False),
+ sa.Column('action', sa.String(length=100), nullable=False),
+ sa.Column('resource_type', sa.String(length=50), nullable=False),
+ sa.Column('resource_id', sa.String(length=36), nullable=True),
+ sa.Column('org_id', sa.String(length=36), nullable=True),
+ sa.Column('user_id', sa.String(length=36), nullable=True),
+ sa.Column('ip_address', sa.String(length=45), nullable=True),
+ sa.Column('user_agent', sa.Text(), nullable=True),
+ sa.Column('request_id', sa.String(length=100), nullable=True),
+ sa.Column('extra_data', sa.JSON(), nullable=True),
+ sa.Column('success', sa.Boolean(), nullable=False, server_default=sa.text('true')),
+ sa.Column('error_message', sa.String(length=500), nullable=True),
+ sa.Column('created_at', sa.DateTime(), nullable=False),
+ sa.Column('updated_at', sa.DateTime(), nullable=False),
+ sa.Column('deleted_at', sa.DateTime(), nullable=True),
+ sa.ForeignKeyConstraint(['superadmin_id'], ['superadmins.id']),
+ sa.PrimaryKeyConstraint('id'),
+ )
+ op.create_index(op.f('ix_superadmin_audit_logs_superadmin_id'), 'superadmin_audit_logs', ['superadmin_id'])
+ op.create_index(op.f('ix_superadmin_audit_logs_action'), 'superadmin_audit_logs', ['action'])
+ op.create_index(op.f('ix_superadmin_audit_logs_resource_type'), 'superadmin_audit_logs', ['resource_type'])
+ op.create_index(op.f('ix_superadmin_audit_logs_resource_id'), 'superadmin_audit_logs', ['resource_id'])
+ op.create_index(op.f('ix_superadmin_audit_logs_org_id'), 'superadmin_audit_logs', ['org_id'])
+ op.create_index(op.f('ix_superadmin_audit_logs_user_id'), 'superadmin_audit_logs', ['user_id'])
+
+
+def downgrade():
+ # --- Drop superadmin tables (reverse order due to FK dependencies) ---
+ op.drop_index(op.f('ix_superadmin_audit_logs_user_id'), table_name='superadmin_audit_logs')
+ op.drop_index(op.f('ix_superadmin_audit_logs_org_id'), table_name='superadmin_audit_logs')
+ op.drop_index(op.f('ix_superadmin_audit_logs_resource_id'), table_name='superadmin_audit_logs')
+ op.drop_index(op.f('ix_superadmin_audit_logs_resource_type'), table_name='superadmin_audit_logs')
+ op.drop_index(op.f('ix_superadmin_audit_logs_action'), table_name='superadmin_audit_logs')
+ op.drop_index(op.f('ix_superadmin_audit_logs_superadmin_id'), table_name='superadmin_audit_logs')
+ op.drop_table('superadmin_audit_logs')
+
+ op.drop_index(op.f('ix_superadmin_sessions_token'), table_name='superadmin_sessions')
+ op.drop_index(op.f('ix_superadmin_sessions_superadmin_id'), table_name='superadmin_sessions')
+ op.drop_table('superadmin_sessions')
+
+ op.drop_index(op.f('ix_superadmins_email'), table_name='superadmins')
+ op.drop_table('superadmins')
diff --git a/pytest.ini b/pytest.ini
index e9a4053..dec3033 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -6,6 +6,9 @@ python_functions = test_*
addopts =
-v
--strict-markers
+ -p no:maas-django
+ -p no:maas-perftest
+ -p no:maas-seeds
--cov=gatehouse_app
--cov-report=term-missing
--cov-report=html
diff --git a/scripts/job_runner.py b/scripts/job_runner.py
new file mode 100755
index 0000000..549d4de
--- /dev/null
+++ b/scripts/job_runner.py
@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+"""Generic job runner for scheduled tasks in Docker containers.
+
+Runs a Flask CLI command on a configurable interval with graceful shutdown support.
+
+Environment Variables:
+ JOB_NAME: Name of the job to run (zerotier_reconciliation, mfa_compliance)
+ JOB_INTERVAL_SECONDS: Seconds between job runs (default: 300)
+
+Usage:
+ docker run -e JOB_NAME=zerotier_reconciliation -e JOB_INTERVAL_SECONDS=120 app
+"""
+
+import os
+import signal
+import subprocess
+import sys
+import time
+import logging
+
+logging.basicConfig(
+ level=logging.INFO,
+ format="%(asctime)s [%(levelname)s] %(message)s",
+ datefmt="%Y-%m-%d %H:%M:%S",
+)
+logger = logging.getLogger(__name__)
+
+JOB_COMMANDS = {
+ "zerotier_reconciliation": "python manage.py run_zerotier_reconciliation",
+ "mfa_compliance": "python manage.py run_mfa_compliance_job",
+ "cleanup_sessions": "python manage.py cleanup_sessions",
+}
+
+shutdown_requested = False
+
+
+def signal_handler(signum, frame):
+ global shutdown_requested
+ logger.info(f"Received signal {signum}, initiating graceful shutdown...")
+ shutdown_requested = True
+
+
+def run_job(job_name: str) -> bool:
+ command = JOB_COMMANDS.get(job_name)
+ if not command:
+ logger.error(f"Unknown job: {job_name}. Valid jobs: {list(JOB_COMMANDS.keys())}")
+ return False
+
+ logger.info(f"Running job: {job_name}")
+ start_time = time.monotonic()
+
+ try:
+ result = subprocess.run(
+ command,
+ shell=True,
+ cwd="/app",
+ capture_output=False,
+ )
+ elapsed = time.monotonic() - start_time
+ logger.info(f"Job {job_name} completed in {elapsed:.2f}s with exit code {result.returncode}")
+ return result.returncode == 0
+ except Exception as e:
+ elapsed = time.monotonic() - start_time
+ logger.error(f"Job {job_name} failed after {elapsed:.2f}s: {e}")
+ return False
+
+
+def main():
+ job_name = os.getenv("JOB_NAME")
+ interval = int(os.getenv("JOB_INTERVAL_SECONDS", "300"))
+
+ if not job_name:
+ logger.error("JOB_NAME environment variable is required")
+ sys.exit(1)
+
+ if job_name not in JOB_COMMANDS:
+ logger.error(f"Unknown JOB_NAME: {job_name}. Valid: {list(JOB_COMMANDS.keys())}")
+ sys.exit(1)
+
+ if interval < 10:
+ logger.error(f"JOB_INTERVAL_SECONDS must be at least 10 seconds, got {interval}")
+ sys.exit(1)
+
+ signal.signal(signal.SIGTERM, signal_handler)
+ signal.signal(signal.SIGINT, signal_handler)
+
+ logger.info(f"Job runner started: {job_name}, interval={interval}s")
+ logger.info(f"Valid jobs: {list(JOB_COMMANDS.keys())}")
+
+ while not shutdown_requested:
+ run_job(job_name)
+
+ if shutdown_requested:
+ break
+
+ logger.info(f"Sleeping for {interval}s until next run...")
+
+ sleep_start = time.monotonic()
+ while time.monotonic() - sleep_start < interval and not shutdown_requested:
+ time.sleep(1)
+
+ logger.info("Job runner stopped")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/scripts/seed_superadmin.py b/scripts/seed_superadmin.py
new file mode 100644
index 0000000..105113c
--- /dev/null
+++ b/scripts/seed_superadmin.py
@@ -0,0 +1,89 @@
+"""Seed script for creating superadmin user.
+
+This script reads SUPERADMIN_EMAIL and SUPERADMIN_SECRET environment variables.
+If both are present:
+ - Creates a superadmin with the given email and hashed credential
+ - Idempotent: updates existing superadmin if email already exists
+If either is absent:
+ - No-op (logs that env vars are not set)
+
+Usage:
+ export SUPERADMIN_EMAIL="admin@example.com"
+ export SUPERADMIN_SECRET="[SetYourSecureSecretHere]"
+ python scripts/seed_superadmin.py
+"""
+import sys
+import os
+import logging
+from dotenv import load_dotenv
+
+# Load environment variables FIRST before any app imports
+load_dotenv()
+
+from gatehouse_app import create_app
+from gatehouse_app.extensions import db, bcrypt
+from gatehouse_app.models.superadmin import Superadmin
+
+
+# Configure logging
+logging.basicConfig(
+ level=logging.INFO,
+ format="%(asctime)s - %(levelname)s - %(message)s"
+)
+logger = logging.getLogger(__name__)
+
+
+def main():
+ """Main entry point."""
+ app = create_app()
+
+ with app.app_context():
+ # Read environment variables
+ email = os.environ.get("SUPERADMIN_EMAIL")
+ credential = os.environ.get("SUPERADMIN_SECRET")
+
+ # Check if env vars are set
+ if not email or not credential:
+ logger.info("SUPERADMIN_EMAIL and/or SUPERADMIN_SECRET not set. No-op.")
+ logger.info("To create a superadmin, set both environment variables:")
+ logger.info(" export SUPERADMIN_EMAIL='admin@example.com'")
+ logger.info(" export SUPERADMIN_SECRET='[SetYourSecureSecretHere]'")
+ return
+
+ # Normalize email
+ email = email.lower().strip()
+
+ logger.info(f"Processing superadmin: {email}")
+
+ # Check if superadmin already exists
+ existing = Superadmin.query.filter_by(email=email).first()
+
+ if existing:
+ # Update existing superadmin
+ logger.info(" → Existing superadmin found, updating credential")
+ existing.password_hash = bcrypt.generate_password_hash(credential).decode("utf-8")
+ existing.is_active = True
+ existing.full_name = existing.full_name or "Super Admin"
+ db.session.commit()
+ logger.info(f" → Updated superadmin: {email} (id={existing.id})")
+ print(f"Updated existing superadmin: {email}")
+ else:
+ # Create new superadmin
+ logger.info(" → Creating new superadmin")
+ password_hash = bcrypt.generate_password_hash(credential).decode("utf-8")
+ superadmin = Superadmin(
+ email=email,
+ password_hash=password_hash,
+ full_name="Super Admin",
+ is_active=True,
+ )
+ db.session.add(superadmin)
+ db.session.commit()
+ logger.info(f" → Created superadmin: {email} (id={superadmin.id})")
+ print(f"Created new superadmin: {email}")
+
+ logger.info("Seed complete.")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/README.md b/tests/README.md
new file mode 100644
index 0000000..e6267b9
--- /dev/null
+++ b/tests/README.md
@@ -0,0 +1,228 @@
+# Secuird Integration Test Suite
+
+This directory contains the integration test suite for the Secuird IAM platform.
+
+## Quick Start
+
+Run all integration tests:
+
+```bash
+cd backend
+pytest tests/integration/
+```
+
+Run a specific test file:
+
+```bash
+pytest tests/integration/test_ssh_workflows.py -v
+```
+
+Run without coverage (faster):
+
+```bash
+pytest tests/integration/ --no-cov
+```
+
+Fail fast (stop on first failure):
+
+```bash
+pytest tests/integration/ -x
+```
+
+Run previously failed tests first:
+
+```bash
+pytest tests/integration/ --ff
+```
+
+## Test Structure
+
+```
+tests/
+├── conftest.py # Base pytest fixtures (app, client, test_user)
+├── integration/ # Integration tests
+│ ├── conftest.py # Integration-specific fixtures and factories
+│ ├── client/ # Reusable API client library
+│ │ ├── base.py # SecuirdClient with session management
+│ │ ├── auth.py # Authentication operations
+│ │ ├── users.py # User self-service operations
+│ │ ├── orgs.py # Organization operations
+│ │ ├── ssh.py # SSH key/cert operations
+│ │ ├── mfa.py # TOTP/WebAuthn operations
+│ │ ├── zerotier.py # ZeroTier network operations
+│ │ └── admin.py # Admin operations
+│ ├── fixtures/ # Test data and helpers
+│ │ ├── ssh_keys.py # Test SSH key pairs and helpers
+│ │ └── test_data.py # Common test data generators
+│ ├── test_auth_flows.py # Authentication flows (24 tests)
+│ ├── test_totp_workflows.py # TOTP MFA flows (15 tests)
+│ ├── test_ssh_workflows.py # SSH key/cert flows (34 tests)
+│ ├── test_org_workflows.py # Organization & invite flows (27 tests)
+│ ├── test_multi_org.py # Multi-organization access (4 tests)
+│ ├── test_self_service.py # User self-service features (9 tests)
+│ ├── test_admin_ops.py # Admin user management (9 tests)
+│ ├── test_authorization.py # RBAC & access control (8 tests)
+│ ├── test_security.py # Security & edge cases (5 tests)
+│ ├── test_dept_principal.py # Department & principal management (5 tests)
+│ ├── test_ca_management.py # Certificate authority management (4 tests)
+│ ├── test_policy_compliance.py # Security policy & compliance (4 tests)
+│ ├── test_webauthn_workflows.py# WebAuthn passkey flows (5 tests)
+│ └── test_zerotier.py # ZeroTier network access (8 tests)
+└── unit/ # Unit tests (existing)
+```
+
+## Environment
+
+- **Python**: 3.10+
+- **Database**: SQLite in-memory (`sqlite:///:memory:`)
+- **Rate Limiting**: Disabled in tests (`RATELIMIT_ENABLED = False`)
+- **CSRF**: Disabled (`WTF_CSRF_ENABLED = False`)
+- **Email**: Suppressed (`MAIL_SUPPRESS_SEND = True`)
+
+## Configuration
+
+The `pytest.ini` file configures:
+
+- Verbose output (`-v`)
+- Coverage reporting (`--cov=gatehouse_app`)
+- Disabled maas plugins that cause import errors (see Known Issues below)
+- Custom markers for `unit`, `integration`, `slow`, etc.
+
+## Coverage
+
+Coverage reports are generated automatically:
+
+- **Terminal**: printed after each run
+- **HTML**: `backend/htmlcov/index.html`
+
+Target coverage: **85% minimum**.
+
+```bash
+pytest tests/integration/ --cov=gatehouse_app --cov-fail-under=85
+```
+
+## Known Issues
+
+### maastesting Plugin Import Error
+
+The `maas` system package installs pytest entry points that fail to load in this environment. The `pytest.ini` file disables them automatically with:
+
+```ini
+-p no:maas-django
+-p no:maas-perftest
+-p no:maas-seeds
+```
+
+If you see `ModuleNotFoundError: No module named 'maastesting'`, these flags are not being applied. Ensure you run pytest from the `backend/` directory.
+
+### ssh-keygen Not Available
+
+One test (`test_verify_key_positive` in `test_ssh_workflows.py`) requires `ssh-keygen` to generate real Ed25519 key pairs for signature verification. It is automatically skipped when `ssh-keygen` is not available:
+
+```bash
+sudo apt-get install openssh-client # Debian/Ubuntu
+```
+
+Other certificate signing tests use a DB helper (`_mark_key_verified`) to bypass the signature requirement in CI environments.
+
+## Writing New Tests
+
+### Pattern
+
+Every test must include a verbose docstring with `WHAT`, `WHY`, and `EXPECTED`:
+
+```python
+def test_add_key_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-01 — Add a new SSH public key.
+
+ WHAT: Authenticated user POSTs a valid public key with a description.
+ WHY: Users must be able to register their SSH keys for later
+ certificate signing and server access.
+ EXPECTED: 201 Created, response contains key id and metadata.
+ """
+```
+
+### Fixtures
+
+| Fixture | Purpose |
+|---------|---------|
+| `integration_client` | Fresh `SecuirdClient` instance per test |
+| `create_test_user` | Factory returning `{"id", "email", "password", "full_name"}` |
+| `create_test_org` | Factory returning `{"id", "name", "slug"}` |
+| `create_test_membership` | Links user to org with a role |
+| `create_test_ca` | Creates a Certificate Authority for an org |
+
+### Client Usage
+
+```python
+# Authentication
+integration_client.auth.register(email, password, full_name)
+integration_client.auth.login(email, password)
+integration_client.auth.logout()
+
+# SSH
+integration_client.ssh.add_key(public_key, description)
+integration_client.ssh.sign_certificate(key_id=key_id, principals=["deploy"])
+integration_client.ssh.revoke_certificate(cert_id)
+
+# Organizations
+integration_client.orgs.create(name, slug)
+integration_client.orgs.create_principal(org_id, name)
+integration_client.orgs.create_ca(org_id, name, ca_type="user")
+```
+
+### Assertions
+
+Use the standard helpers:
+
+```python
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+# Negative tests
+with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_key(str(uuid.uuid4()))
+assert exc_info.value.status_code == 404
+assert exc_info.value.error_type == "NOT_FOUND"
+```
+
+## Test Counts
+
+| Module | Tests | Focus |
+|--------|-------|-------|
+| test_auth_flows.py | 24 | Registration, login, logout, sessions, password reset, email verification |
+| test_totp_workflows.py | 15 | TOTP enrollment, verification, backup codes, disable, regenerate |
+| test_ssh_workflows.py | 34 | Key CRUD, verification, certificate signing & management |
+| test_org_workflows.py | 27 | Org CRUD, members, roles, invites, ownership transfer |
+| test_multi_org.py | 4 | Cross-org isolation, role-based access |
+| test_self_service.py | 9 | Profile, password change, account deletion |
+| test_admin_ops.py | 9 | Suspend, unsuspend, verify email, set password, remove MFA, hard delete |
+| test_authorization.py | 8 | RBAC, cross-user isolation, soft-delete behavior |
+| test_security.py | 5 | SQL injection, XSS, oversized payload, malformed JSON, empty body |
+| test_dept_principal.py | 5 | Department/principal CRUD, membership, linking |
+| test_ca_management.py | 4 | CA creation, listing, rotation |
+| test_policy_compliance.py | 4 | Security policy, MFA compliance |
+| test_webauthn_workflows.py | 5 | WebAuthn registration/login (mocked) |
+| test_zerotier.py | 8 | Network CRUD, devices, approvals, memberships (mocked) |
+| **Total** | **162** | |
+
+## Pre-Commit Checklist
+
+Before committing backend changes:
+
+1. Run the integration suite: `pytest tests/integration/ -x`
+2. Verify coverage hasn't decreased: `pytest tests/integration/ --cov=gatehouse_app --cov-fail-under=85`
+3. If tests fail, fix before committing
+
+## CI/CD
+
+Integration tests run automatically on:
+- Every pull request
+- Every push to main
+- Nightly builds
+
+**Failure policy**: Integration test failures block merging.
diff --git a/tests/__init__.py b/tests/__init__.py
new file mode 100644
index 0000000..d4839a6
--- /dev/null
+++ b/tests/__init__.py
@@ -0,0 +1 @@
+# Tests package
diff --git a/tests/api/__init__.py b/tests/api/__init__.py
new file mode 100644
index 0000000..42b18b8
--- /dev/null
+++ b/tests/api/__init__.py
@@ -0,0 +1 @@
+# API tests package
diff --git a/tests/api/v1/__init__.py b/tests/api/v1/__init__.py
new file mode 100644
index 0000000..395961b
--- /dev/null
+++ b/tests/api/v1/__init__.py
@@ -0,0 +1 @@
+# API v1 tests package
diff --git a/tests/api/v1/extauth/__init__.py b/tests/api/v1/extauth/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/api/v1/extauth/test_provider_helpers.py b/tests/api/v1/extauth/test_provider_helpers.py
new file mode 100644
index 0000000..6596110
--- /dev/null
+++ b/tests/api/v1/extauth/test_provider_helpers.py
@@ -0,0 +1,52 @@
+import pytest
+from gatehouse_app.utils.constants import AuthMethodType
+from gatehouse_app.services.external_auth.models import ExternalAuthError
+from gatehouse_app.api.v1.external_auth._helpers import (
+ get_provider_type,
+ _get_provider_endpoints,
+)
+
+
+class TestProviderType:
+ def test_google(self):
+ assert get_provider_type("google") == AuthMethodType.GOOGLE
+
+ def test_github(self):
+ assert get_provider_type("github") == AuthMethodType.GITHUB
+
+ def test_microsoft(self):
+ assert get_provider_type("microsoft") == AuthMethodType.MICROSOFT
+
+ def test_case_insensitive(self):
+ assert get_provider_type("GitHub") == AuthMethodType.GITHUB
+
+ def test_unknown_provider_raises(self):
+ with pytest.raises(ExternalAuthError) as exc_info:
+ get_provider_type("facebook")
+ assert exc_info.value.status_code == 400
+ assert "facebook" in exc_info.value.message.lower()
+
+
+class TestProviderEndpoints:
+ def test_google_endpoints(self):
+ auth, token, userinfo = _get_provider_endpoints(AuthMethodType.GOOGLE)
+ assert "accounts.google.com" in auth
+ assert "oauth2.googleapis.com" in token
+ assert "googleapis.com" in userinfo
+
+ def test_github_endpoints(self):
+ auth, token, userinfo = _get_provider_endpoints(AuthMethodType.GITHUB)
+ assert "github.com/login" in auth
+ assert "github.com/login/oauth/access_token" in token
+ assert "api.github.com/user" in userinfo
+
+ def test_microsoft_endpoints(self):
+ auth, token, userinfo = _get_provider_endpoints(AuthMethodType.MICROSOFT)
+ assert "login.microsoftonline.com" in auth
+ assert "login.microsoftonline.com" in token
+ assert "graph.microsoft.com" in userinfo
+
+ def test_unknown_type_raises(self):
+ with pytest.raises(ExternalAuthError) as exc_info:
+ _get_provider_endpoints("nonexistent")
+ assert exc_info.value.status_code == 400
diff --git a/tests/api/v1/organizations/__init__.py b/tests/api/v1/organizations/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/api/v1/organizations/test_system_ca_dict.py b/tests/api/v1/organizations/test_system_ca_dict.py
new file mode 100644
index 0000000..2780067
--- /dev/null
+++ b/tests/api/v1/organizations/test_system_ca_dict.py
@@ -0,0 +1,59 @@
+import pytest
+from gatehouse_app.api.v1.organizations._helpers import _get_system_ca_dict
+from gatehouse_app.config.ssh_ca_config import SSHCAConfig, reset_config_instance
+
+# Ed25519 key fixture data
+VALID_PRIVATE_KEY = (
+ "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+ "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
+ "QyNTUxOQAAACCi+2CgIPgoFL5P6DZlNXztuHy3+TuS2shh/xIDkW89OgAAAJhDQd+ZQ0Hf\n"
+ "mQAAAAtzc2gtZWQyNTUxOQAAACCi+2CgIPgoFL5P6DZlNXztuHy3+TuS2shh/xIDkW89Og\n"
+ "AAAECMbnF+1E22w9Z1AOTUbUGspL8Pb0UyP+p8lSLpAwZSpaL7YKAg+CgUvk/oNmU1fO24\n"
+ "fLf5O5LayGH/EgORbz06AAAAD2NvcnlAbGFwdG9wLXZtMQECAwQFBg==\n"
+ "-----END OPENSSH PRIVATE KEY-----"
+)
+
+
+class FakeEmptyConfig(SSHCAConfig):
+ def get_str(self, key, default=""):
+ if key == "ca_key_path":
+ return ""
+ return default
+
+
+class BadConfig(SSHCAConfig):
+ def get_str(self, key, default=""):
+ raise RuntimeError("config error")
+
+
+class TestSystemCADict:
+
+ def test_no_key_available_returns_none(self, monkeypatch):
+ monkeypatch.delenv("SSH_CA_PRIVATE_KEY", raising=False)
+ reset_config_instance()
+ monkeypatch.setattr(
+ "gatehouse_app.config.ssh_ca_config.get_ssh_ca_config",
+ lambda: FakeEmptyConfig(),
+ )
+ result = _get_system_ca_dict()
+ assert result is None
+
+ def test_env_var_returns_dict(self, monkeypatch):
+ monkeypatch.setenv("SSH_CA_PRIVATE_KEY", VALID_PRIVATE_KEY)
+ result = _get_system_ca_dict()
+ assert result is not None
+ assert result["ca_type"] == "user"
+ assert result["is_system"] is True
+ assert "fingerprint" in result
+ assert result["public_key"]
+ assert result["public_key"].startswith("ssh-")
+
+ def test_exception_gracefully_returns_none(self, monkeypatch):
+ monkeypatch.delenv("SSH_CA_PRIVATE_KEY", raising=False)
+ reset_config_instance()
+ monkeypatch.setattr(
+ "gatehouse_app.config.ssh_ca_config.get_ssh_ca_config",
+ lambda: BadConfig(),
+ )
+ result = _get_system_ca_dict()
+ assert result is None
diff --git a/tests/api/v1/ssh/__init__.py b/tests/api/v1/ssh/__init__.py
new file mode 100644
index 0000000..973e118
--- /dev/null
+++ b/tests/api/v1/ssh/__init__.py
@@ -0,0 +1 @@
+# SSH tests package
diff --git a/tests/api/v1/ssh/conftest.py b/tests/api/v1/ssh/conftest.py
new file mode 100644
index 0000000..6243c1d
--- /dev/null
+++ b/tests/api/v1/ssh/conftest.py
@@ -0,0 +1,79 @@
+"""Pytest fixtures for API tests."""
+import pytest
+import uuid
+from datetime import datetime, timezone
+
+from gatehouse_app import create_app, db
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+from gatehouse_app.models.ssh_ca.ca import CA, CaType, KeyType
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+@pytest.fixture
+def app():
+ """Create test Flask app with in-memory SQLite."""
+ app = create_app(config_name="testing")
+ app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
+ app.config["TESTING"] = True
+ app.config["WTF_CSRF_ENABLED"] = False
+
+ with app.app_context():
+ db.create_all()
+ yield app
+ db.session.remove()
+ db.drop_all()
+
+
+@pytest.fixture
+def test_user(app):
+ """Create a test user."""
+ with app.app_context():
+ user = User(email="test_user@test.com", full_name="Test User")
+ db.session.add(user)
+ db.session.commit()
+ return user.id
+
+
+@pytest.fixture
+def test_org(app):
+ """Create a test organization."""
+ with app.app_context():
+ org = Organization(name="Test Org", slug="test-org")
+ db.session.add(org)
+ db.session.commit()
+ return org.id
+
+
+@pytest.fixture
+def test_membership(app, test_user, test_org):
+ """Create a test membership."""
+ with app.app_context():
+ membership = OrganizationMember(
+ user_id=test_user,
+ organization_id=test_org,
+ role=OrganizationRole.MEMBER,
+ )
+ db.session.add(membership)
+ db.session.commit()
+ return membership.id
+
+
+@pytest.fixture
+def test_ca(app, test_org, test_membership):
+ """Create a test CA."""
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Test CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="encrypted_private_key_placeholder",
+ public_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...",
+ fingerprint="sha256:TEST123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+ return ca.id
diff --git a/tests/api/v1/ssh/test_ca_soft_delete.py b/tests/api/v1/ssh/test_ca_soft_delete.py
new file mode 100644
index 0000000..3ec1572
--- /dev/null
+++ b/tests/api/v1/ssh/test_ca_soft_delete.py
@@ -0,0 +1,143 @@
+import pytest
+from datetime import datetime, timezone
+from gatehouse_app.extensions import db
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+from gatehouse_app.models.ssh_ca.ca import CA, CaType, KeyType
+from gatehouse_app.api.v1.ssh._helpers import _get_org_ca_for_user
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+class TestCASoftDelete:
+ """Test CA soft delete handling."""
+
+ def test_active_ca_is_returned(self, app, test_user, test_org, test_ca, test_membership):
+ """Active CA should be returned."""
+ with app.app_context():
+ user = db.session.get(User, test_user)
+ ca = _get_org_ca_for_user(user, ca_type='user')
+ assert ca is not None
+ assert ca.id == test_ca
+
+ def test_deleted_ca_is_not_returned(self, app, test_user, test_org, test_membership):
+ """Deleted CA should not be returned."""
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name='Deleted CA',
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key='key',
+ public_key='pubkey',
+ fingerprint='sha256:deleted123',
+ is_active=True,
+ deleted_at=datetime.now(timezone.utc)
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ result = _get_org_ca_for_user(user, ca_type='user')
+ assert result is None
+
+ def test_deleted_membership_no_access(self, app, test_org, test_ca):
+ """User with deleted membership should not access CA."""
+ with app.app_context():
+ user = User(email='deleted_member@test.com', full_name='Deleted Member')
+ db.session.add(user)
+ db.session.commit()
+
+ membership = OrganizationMember(
+ user_id=user.id,
+ organization_id=test_org,
+ role=OrganizationRole.MEMBER,
+ deleted_at=datetime.now(timezone.utc)
+ )
+ db.session.add(membership)
+ db.session.commit()
+
+ result = _get_org_ca_for_user(user, ca_type='user')
+ assert result is None
+
+ def test_deleted_org_no_access(self, app):
+ """User in deleted org should not access CA."""
+ with app.app_context():
+ org = Organization(
+ name='Deleted Org',
+ slug='deleted-org',
+ deleted_at=datetime.now(timezone.utc)
+ )
+ db.session.add(org)
+ db.session.commit()
+
+ user = User(email='user@deleted.org', full_name='User')
+ db.session.add(user)
+ db.session.commit()
+
+ membership = OrganizationMember(
+ user_id=user.id,
+ organization_id=org.id,
+ role=OrganizationRole.MEMBER
+ )
+ db.session.add(membership)
+
+ ca = CA(
+ organization_id=org.id,
+ name='CA in Deleted Org',
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key='key',
+ public_key='pubkey',
+ fingerprint='sha256:deletedorg123',
+ is_active=True
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ result = _get_org_ca_for_user(user, ca_type='user')
+ assert result is None
+
+ def test_get_active_memberships_excludes_deleted(self, app, test_user, test_org, test_membership):
+ """User.get_active_memberships() should exclude deleted memberships."""
+ with app.app_context():
+ user = db.session.get(User, test_user)
+
+ org2 = Organization(name='Org 2', slug='org-2')
+ db.session.add(org2)
+ db.session.commit()
+
+ membership2 = OrganizationMember(
+ user_id=test_user,
+ organization_id=org2.id,
+ role=OrganizationRole.MEMBER,
+ deleted_at=datetime.now(timezone.utc)
+ )
+ db.session.add(membership2)
+ db.session.commit()
+
+ active = user.get_active_memberships()
+ assert len(active) == 1
+ assert active[0].organization_id == test_org
+
+ def test_get_organizations_excludes_deleted(self, app, test_user, test_org, test_membership):
+ """User.get_organizations() should exclude deleted memberships/orgs."""
+ with app.app_context():
+ user = db.session.get(User, test_user)
+
+ org2 = Organization(name='Deleted Org', slug='deleted-org-2')
+ db.session.add(org2)
+ db.session.commit()
+
+ membership2 = OrganizationMember(
+ user_id=test_user,
+ organization_id=org2.id,
+ role=OrganizationRole.MEMBER,
+ deleted_at=datetime.now(timezone.utc)
+ )
+ db.session.add(membership2)
+ db.session.commit()
+
+ orgs = user.get_organizations()
+ assert len(orgs) == 1
+ assert orgs[0].id == test_org
diff --git a/tests/api/v1/ssh/test_classify_key_material.py b/tests/api/v1/ssh/test_classify_key_material.py
new file mode 100644
index 0000000..ea34252
--- /dev/null
+++ b/tests/api/v1/ssh/test_classify_key_material.py
@@ -0,0 +1,92 @@
+import pytest
+from gatehouse_app.api.v1.ssh._helpers import _classify_ssh_key_material
+
+
+class TestClassifySSHKeyMaterial:
+ def test_classifies_certificate(self):
+ result = _classify_ssh_key_material("ssh-ed25519-cert-v01@openssh.com AAAA comment")
+ assert result == "certificate"
+
+ def test_classifies_ed25519_public_key(self):
+ result = _classify_ssh_key_material("ssh-ed25519 AAAAB3NzaC1lZDI1NTE5AAAAI... comment")
+ assert result == "public_key"
+
+ def test_classifies_rsa_public_key(self):
+ result = _classify_ssh_key_material("ssh-rsa AAAAB3NzaC1yc2E... comment")
+ assert result == "public_key"
+
+ def test_classifies_dss_public_key(self):
+ result = _classify_ssh_key_material("ssh-dss AAAAB3NzaC1kc3M... comment")
+ assert result == "public_key"
+
+ def test_classifies_ecdsa_nistp256_public_key(self):
+ result = _classify_ssh_key_material("ecdsa-sha2-nistp256 AAAAE2Vj... comment")
+ assert result == "public_key"
+
+ def test_classifies_ecdsa_nistp384_public_key(self):
+ result = _classify_ssh_key_material("ecdsa-sha2-nistp384 AAAAE2Vj... comment")
+ assert result == "public_key"
+
+ def test_classifies_ecdsa_nistp521_public_key(self):
+ result = _classify_ssh_key_material("ecdsa-sha2-nistp521 AAAAE2Vj... comment")
+ assert result == "public_key"
+
+ def test_classifies_sk_ed25519_public_key(self):
+ result = _classify_ssh_key_material(
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5... comment"
+ )
+ assert result == "public_key"
+
+ def test_classifies_openssh_private_key(self):
+ result = _classify_ssh_key_material(
+ "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+ "base64data==\n"
+ "-----END OPENSSH PRIVATE KEY-----"
+ )
+ assert result == "private_key"
+
+ def test_classifies_rsa_private_key(self):
+ result = _classify_ssh_key_material(
+ "-----BEGIN RSA PRIVATE KEY-----\n"
+ "base64data==\n"
+ "-----END RSA PRIVATE KEY-----"
+ )
+ assert result == "private_key"
+
+ def test_unknown_for_empty_string(self):
+ result = _classify_ssh_key_material("")
+ assert result == "unknown"
+
+ def test_unknown_for_whitespace_string(self):
+ result = _classify_ssh_key_material(" \n ")
+ assert result == "unknown"
+
+ def test_unknown_for_gibberish(self):
+ result = _classify_ssh_key_material("not a valid ssh key")
+ assert result == "unknown"
+
+ def test_unknown_for_unsupported_key_type(self):
+ result = _classify_ssh_key_material("ssh-nonsense AAAABogus...")
+ assert result == "unknown"
+
+ @pytest.mark.parametrize("raw,expected", [
+ ("ssh-rsa AAAAB3Nza... user@host", "public_key"),
+ ("ssh-ed25519 AAAAC3... john@laptop", "public_key"),
+ ("ecdsa-sha2-nistp256 AAAAE2Vj... me@box", "public_key"),
+ ("sk-ssh-ed25519@openssh.com AAAAGn...", "public_key"),
+ ("ssh-ed25519-cert-v01@openssh.com AAAAB3Nza cert for user", "certificate"),
+ (
+ "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+ "abcdefghijklmnopqrstuvwxyz\n"
+ "-----END OPENSSH PRIVATE KEY-----",
+ "private_key",
+ ),
+ ("", "unknown"),
+ ("totally random garbage here", "unknown"),
+ ])
+ def test_parametrized_variants(self, raw, expected):
+ assert _classify_ssh_key_material(raw) == expected
+
+ def test_certificate_with_leading_whitespace(self):
+ raw = " ssh-ed25519-cert-v01@openssh.com AAAAB3Nza extra words"
+ assert _classify_ssh_key_material(raw) == "certificate"
\ No newline at end of file
diff --git a/tests/api/v1/ssh/test_dept_cert_policy.py b/tests/api/v1/ssh/test_dept_cert_policy.py
new file mode 100644
index 0000000..0b90805
--- /dev/null
+++ b/tests/api/v1/ssh/test_dept_cert_policy.py
@@ -0,0 +1,275 @@
+import pytest
+from datetime import datetime, timezone
+from gatehouse_app.extensions import db
+from gatehouse_app.models.organization.department import (
+ Department,
+ DepartmentMembership,
+)
+from gatehouse_app.models.organization.department_cert_policy import DepartmentCertPolicy
+from gatehouse_app.api.v1.ssh._helpers import _get_merged_dept_cert_policy
+
+
+class TestDeptCertPolicy:
+ def test_no_departments_returns_none(self, app, test_user):
+ with app.app_context():
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result is None
+
+ def test_department_without_policy_returns_none(self, app, test_user, test_org):
+ with app.app_context():
+ dept = Department(
+ organization_id=test_org,
+ name="No Policy Dept",
+ )
+ db.session.add(dept)
+ db.session.commit()
+
+ membership = DepartmentMembership(
+ user_id=test_user,
+ department_id=dept.id,
+ )
+ db.session.add(membership)
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result is None
+
+ def test_single_department_policy(self, app, test_user, test_org):
+ with app.app_context():
+ dept = Department(
+ organization_id=test_org,
+ name="Engineering",
+ )
+ db.session.add(dept)
+ db.session.commit()
+
+ membership = DepartmentMembership(
+ user_id=test_user,
+ department_id=dept.id,
+ )
+ db.session.add(membership)
+ db.session.commit()
+
+ policy = DepartmentCertPolicy(
+ department_id=dept.id,
+ allow_user_expiry=True,
+ default_expiry_hours=4,
+ max_expiry_hours=48,
+ allowed_extensions=["permit-pty", "permit-agent-forwarding"],
+ )
+ db.session.add(policy)
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result is not None
+ assert result["allow_user_expiry"] is True
+ assert result["default_expiry_hours"] == 4
+ assert result["max_expiry_hours"] == 48
+ assert set(result["extensions"]) == {"permit-pty", "permit-agent-forwarding"}
+
+ def test_both_departments_same_policies(self, app, test_user, test_org):
+ with app.app_context():
+ dept1 = Department(
+ organization_id=test_org,
+ name="Engineering",
+ )
+ dept2 = Department(
+ organization_id=test_org,
+ name="SRE",
+ )
+ db.session.add_all([dept1, dept2])
+ db.session.commit()
+
+ member1 = DepartmentMembership(user_id=test_user, department_id=dept1.id)
+ member2 = DepartmentMembership(user_id=test_user, department_id=dept2.id)
+ db.session.add_all([member1, member2])
+ db.session.commit()
+
+ policy1 = DepartmentCertPolicy(
+ department_id=dept1.id,
+ allow_user_expiry=True,
+ default_expiry_hours=4,
+ max_expiry_hours=48,
+ allowed_extensions=["permit-pty", "permit-agent-forwarding"],
+ )
+ policy2 = DepartmentCertPolicy(
+ department_id=dept2.id,
+ allow_user_expiry=True,
+ default_expiry_hours=4,
+ max_expiry_hours=48,
+ allowed_extensions=["permit-pty", "permit-agent-forwarding"],
+ )
+ db.session.add_all([policy1, policy2])
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result["allow_user_expiry"] is True
+ assert result["default_expiry_hours"] == 4
+ assert result["max_expiry_hours"] == 48
+
+ def test_merges_min_expiry_across_departments(self, app, test_user, test_org):
+ with app.app_context():
+ dept1 = Department(
+ organization_id=test_org,
+ name="Engineering",
+ )
+ dept2 = Department(
+ organization_id=test_org,
+ name="SRE",
+ )
+ db.session.add_all([dept1, dept2])
+ db.session.commit()
+
+ member1 = DepartmentMembership(user_id=test_user, department_id=dept1.id)
+ member2 = DepartmentMembership(user_id=test_user, department_id=dept2.id)
+ db.session.add_all([member1, member2])
+ db.session.commit()
+
+ policy1 = DepartmentCertPolicy(
+ department_id=dept1.id,
+ allow_user_expiry=True,
+ default_expiry_hours=24,
+ max_expiry_hours=720,
+ )
+ policy2 = DepartmentCertPolicy(
+ department_id=dept2.id,
+ allow_user_expiry=True,
+ default_expiry_hours=1,
+ max_expiry_hours=72,
+ )
+ db.session.add_all([policy1, policy2])
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result["default_expiry_hours"] == 1
+ assert result["max_expiry_hours"] == 72
+
+ def test_extends_intersection_across_departments(self, app, test_user, test_org):
+ with app.app_context():
+ dept1 = Department(
+ organization_id=test_org,
+ name="Engineering",
+ )
+ dept2 = Department(
+ organization_id=test_org,
+ name="SRE",
+ )
+ db.session.add_all([dept1, dept2])
+ db.session.commit()
+
+ member1 = DepartmentMembership(user_id=test_user, department_id=dept1.id)
+ member2 = DepartmentMembership(user_id=test_user, department_id=dept2.id)
+ db.session.add_all([member1, member2])
+ db.session.commit()
+
+ policy1 = DepartmentCertPolicy(
+ department_id=dept1.id,
+ allowed_extensions=["permit-pty", "permit-agent-forwarding"],
+ )
+ policy2 = DepartmentCertPolicy(
+ department_id=dept2.id,
+ allowed_extensions=["permit-pty", "permit-port-forwarding"],
+ )
+ db.session.add_all([policy1, policy2])
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert set(result["extensions"]) == {"permit-pty"}
+
+ def test_any_false_user_expiry_means_overall_false(
+ self, app, test_user, test_org
+ ):
+ with app.app_context():
+ dept1 = Department(
+ organization_id=test_org,
+ name="Engineering",
+ )
+ dept2 = Department(
+ organization_id=test_org,
+ name="SRE",
+ )
+ db.session.add_all([dept1, dept2])
+ db.session.commit()
+
+ member1 = DepartmentMembership(user_id=test_user, department_id=dept1.id)
+ member2 = DepartmentMembership(user_id=test_user, department_id=dept2.id)
+ db.session.add_all([member1, member2])
+ db.session.commit()
+
+ policy1 = DepartmentCertPolicy(
+ department_id=dept1.id,
+ allow_user_expiry=True,
+ )
+ policy2 = DepartmentCertPolicy(
+ department_id=dept2.id,
+ allow_user_expiry=False,
+ )
+ db.session.add_all([policy1, policy2])
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result["allow_user_expiry"] is False
+
+ def test_deleted_department_filtered(self, app, test_user, test_org):
+ with app.app_context():
+ active_dept = Department(
+ organization_id=test_org,
+ name="Active Dept",
+ )
+ deleted_dept = Department(
+ organization_id=test_org,
+ name="Deleted Dept",
+ deleted_at=datetime.now(timezone.utc),
+ )
+ db.session.add_all([active_dept, deleted_dept])
+ db.session.commit()
+
+ active_member = DepartmentMembership(
+ user_id=test_user, department_id=active_dept.id
+ )
+ deleted_member = DepartmentMembership(
+ user_id=test_user,
+ department_id=deleted_dept.id,
+ deleted_at=datetime.now(timezone.utc),
+ )
+ db.session.add_all([active_member, deleted_member])
+ db.session.commit()
+
+ policy = DepartmentCertPolicy(
+ department_id=active_dept.id,
+ allow_user_expiry=True,
+ default_expiry_hours=12,
+ max_expiry_hours=96,
+ )
+ db.session.add(policy)
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result is not None
+ assert result["default_expiry_hours"] == 12
+
+ def test_single_department_no_extensions(self, app, test_user, test_org):
+ with app.app_context():
+ dept = Department(
+ organization_id=test_org,
+ name="Minimal Dept",
+ )
+ db.session.add(dept)
+ db.session.commit()
+
+ membership = DepartmentMembership(
+ user_id=test_user, department_id=dept.id
+ )
+ db.session.add(membership)
+ db.session.commit()
+
+ policy = DepartmentCertPolicy(
+ department_id=dept.id,
+ allowed_extensions=[],
+ )
+ db.session.add(policy)
+ db.session.commit()
+
+ result = _get_merged_dept_cert_policy(test_user)
+ assert result is not None
+ assert result["extensions"] == []
\ No newline at end of file
diff --git a/tests/api/v1/ssh/test_org_ca_for_user.py b/tests/api/v1/ssh/test_org_ca_for_user.py
new file mode 100644
index 0000000..2e9832e
--- /dev/null
+++ b/tests/api/v1/ssh/test_org_ca_for_user.py
@@ -0,0 +1,118 @@
+import pytest
+from uuid import uuid4
+from datetime import datetime, timezone
+from gatehouse_app.extensions import db
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+from gatehouse_app.models.ssh_ca.ca import CA, CaType, KeyType
+from gatehouse_app.api.v1.ssh._helpers import _get_org_ca_for_user
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+class TestOrgCAForUser:
+ def test_organization_id_param_overrides_membership(self, app, test_user, test_org, test_ca, test_membership):
+ with app.app_context():
+ org2 = Organization(name="Org 2", slug="org-2")
+ db.session.add(org2)
+ db.session.commit()
+
+ ca2 = CA(
+ organization_id=org2.id,
+ name="Org 2 CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="key2",
+ public_key="pubkey2",
+ fingerprint="sha256:org2...",
+ is_active=True,
+ )
+ db.session.add(ca2)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ result = _get_org_ca_for_user(user, ca_type="user", organization_id=test_org)
+ assert result is not None
+ assert result.organization_id == test_org
+
+ def test_multiple_orgs_returns_ca(self, app, test_user, test_org, test_ca, test_membership):
+ with app.app_context():
+ org2 = Organization(name="Org 2", slug="org-2")
+ db.session.add(org2)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ member2 = OrganizationMember(
+ user_id=test_user, organization_id=org2.id, role=OrganizationRole.MEMBER
+ )
+ db.session.add(member2)
+ db.session.commit()
+
+ result = _get_org_ca_for_user(user, ca_type="user")
+ assert result is not None
+
+ def test_user_with_no_memberships_returns_none(self, app):
+ with app.app_context():
+ user = User(email="lonely@test.com", full_name="Lonely User")
+ db.session.add(user)
+ db.session.commit()
+
+ result = _get_org_ca_for_user(user, ca_type="user")
+ assert result is None
+
+ def test_inactive_ca_not_returned(self, app, test_user, test_org, test_membership):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Inactive CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="key",
+ public_key="pubkey",
+ fingerprint="sha256:inactive123...",
+ is_active=False,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ result = _get_org_ca_for_user(user, ca_type="user")
+ assert result is None
+
+ def test_host_ca_not_returned_when_user_requested(self, app, test_user, test_org, test_membership):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Host CA",
+ ca_type=CaType.HOST,
+ key_type=KeyType.ED25519,
+ private_key="key",
+ public_key="pubkey",
+ fingerprint="sha256:host123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ result = _get_org_ca_for_user(user, ca_type="user")
+ assert result is None
+
+ def test_user_ca_not_returned_when_host_requested(self, app, test_user, test_org, test_membership):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="User CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="key",
+ public_key="pubkey",
+ fingerprint="sha256:useronly...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ user = db.session.get(User, test_user)
+ result = _get_org_ca_for_user(user, ca_type="host")
+ assert result is None
\ No newline at end of file
diff --git a/tests/api/v1/ssh/test_persist_certificate.py b/tests/api/v1/ssh/test_persist_certificate.py
new file mode 100644
index 0000000..7c9122e
--- /dev/null
+++ b/tests/api/v1/ssh/test_persist_certificate.py
@@ -0,0 +1,180 @@
+import pytest
+from uuid import uuid4
+from datetime import datetime, timezone, timedelta
+from gatehouse_app.extensions import db
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.ssh_ca.ca import CA, CaType, KeyType, CertType
+from gatehouse_app.models.ssh_ca.ssh_key import SSHKey
+from gatehouse_app.models.ssh_ca.ssh_certificate import SSHCertificate, CertificateStatus
+from gatehouse_app.services.ssh_ca_signing_service import SSHCertificateSigningResponse
+from gatehouse_app.api.v1.ssh._helpers import _persist_certificate
+
+
+class TestPersistCertificate:
+ def test_persists_valid_certificate(self, app, test_user, test_org):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Signing CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="enc_priv",
+ public_key="ssh-ed25519 AAAAB3Nza...",
+ fingerprint="sha256:abc123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ ssh_key = SSHKey(
+ user_id=test_user,
+ payload="ssh-ed25519 AAAAB3NzaC1lZDI1NTE5AAAAIKeyData comment",
+ fingerprint="sha256:keyfp123...",
+ )
+ db.session.add(ssh_key)
+ db.session.commit()
+
+ now = datetime.now(timezone.utc)
+ later = now + timedelta(hours=24)
+ response = SSHCertificateSigningResponse(
+ certificate="ssh-ed25519-cert-v01@openssh.com AAAACertData...",
+ serial="123456",
+ valid_after=now,
+ valid_before=later,
+ principals=["eng-prod"],
+ )
+
+ result = _persist_certificate(
+ user_id=test_user,
+ ssh_key_id=ssh_key.id,
+ ca=ca,
+ signing_response=response,
+ request_ip="10.0.0.1",
+ cert_type_str="user",
+ cert_identity="user@example.com",
+ )
+
+ assert result is not None
+ assert result.ca_id == ca.id
+ assert result.user_id == test_user
+ assert result.ssh_key_id == ssh_key.id
+ assert result.cert_type == CertType.USER
+ assert result.certificate == response.certificate
+ assert result.serial == response.serial
+ assert result.valid_after.replace(tzinfo=None) == now.replace(tzinfo=None)
+ assert result.valid_before.replace(tzinfo=None) == later.replace(tzinfo=None)
+ assert result.request_ip == "10.0.0.1"
+ assert result.key_id == "user@example.com"
+ assert sorted(result.principals) == ["eng-prod"]
+ assert result.revoked is False
+ assert result.status == CertificateStatus.ISSUED
+
+ def test_none_ca_returns_none(self, app, test_user):
+ with app.app_context():
+ now = datetime.now(timezone.utc)
+ response = SSHCertificateSigningResponse(
+ certificate="cert-data",
+ serial="1",
+ valid_after=now,
+ valid_before=now + timedelta(hours=1),
+ )
+ result = _persist_certificate(test_user, "keyid", None, response)
+ assert result is None
+
+ def test_invalid_cert_type_str_falls_back_to_user(self, app, test_user, test_org):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Signing CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="enc_priv",
+ public_key="ssh-ed25519 AAAAB3Nza...",
+ fingerprint="sha256:fallback123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ now = datetime.now(timezone.utc)
+ response = SSHCertificateSigningResponse(
+ certificate="cert-data",
+ serial="1",
+ valid_after=now,
+ valid_before=now + timedelta(hours=1),
+ )
+ result = _persist_certificate(
+ user_id=test_user,
+ ssh_key_id=None,
+ ca=ca,
+ signing_response=response,
+ cert_type_str="invalid_type",
+ )
+
+ assert result is not None
+ assert result.cert_type == CertType.USER
+
+ def test_none_ssh_key_id_defaults_to_host_cert_key_id(self, app, test_user, test_org):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Host CA",
+ ca_type=CaType.HOST,
+ key_type=KeyType.ED25519,
+ private_key="enc_priv",
+ public_key="ssh-ed25519 AAAAB3Nza...",
+ fingerprint="sha256:hostca123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ now = datetime.now(timezone.utc)
+ response = SSHCertificateSigningResponse(
+ certificate="cert-data",
+ serial="1",
+ valid_after=now,
+ valid_before=now + timedelta(hours=1),
+ )
+ result = _persist_certificate(
+ user_id=test_user,
+ ssh_key_id=None,
+ ca=ca,
+ signing_response=response,
+ )
+
+ assert result is not None
+ assert result.key_id == "host-cert"
+
+ def test_request_ip_stored(self, app, test_user, test_org):
+ with app.app_context():
+ ca = CA(
+ organization_id=test_org,
+ name="Signing CA",
+ ca_type=CaType.USER,
+ key_type=KeyType.ED25519,
+ private_key="enc_priv",
+ public_key="ssh-ed25519 AAAAB3Nza...",
+ fingerprint="sha256:ip...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+
+ now = datetime.now(timezone.utc)
+ response = SSHCertificateSigningResponse(
+ certificate="cert-data",
+ serial="1",
+ valid_after=now,
+ valid_before=now + timedelta(hours=1),
+ )
+ result = _persist_certificate(
+ user_id=test_user,
+ ssh_key_id=None,
+ ca=ca,
+ signing_response=response,
+ request_ip="192.168.1.100",
+ )
+
+ assert result is not None
+ assert result.request_ip == "192.168.1.100"
\ No newline at end of file
diff --git a/tests/api/v1/ssh/test_ssh_key_service.py b/tests/api/v1/ssh/test_ssh_key_service.py
new file mode 100644
index 0000000..a9e41f2
--- /dev/null
+++ b/tests/api/v1/ssh/test_ssh_key_service.py
@@ -0,0 +1,78 @@
+import pytest
+from datetime import datetime, timezone
+from gatehouse_app.extensions import db
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.ssh_ca.ssh_key import SSHKey
+from gatehouse_app.services.ssh_key_service import SSHKeyService
+from gatehouse_app.exceptions import UserNotFoundError, SSHKeyError
+
+
+VALID_PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL7YKAg+CgUvk/oNmU1fO24fLf5O5LayGH/EgORbz06"
+
+
+class TestSSHKeyServiceAdd:
+
+ def test_add_new_key_returns_true(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ key, is_new = service.add_ssh_key(test_user, VALID_PUBLIC_KEY, "My laptop")
+ assert is_new is True
+ assert key.user_id == test_user
+ assert key.payload == VALID_PUBLIC_KEY
+ assert key.description == "My laptop"
+ assert key.verified is False
+ assert key.fingerprint is not None
+ assert key.key_type is not None
+
+ def test_add_duplicate_returns_existing(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ key1, _ = service.add_ssh_key(test_user, VALID_PUBLIC_KEY)
+ key2, is_new = service.add_ssh_key(test_user, VALID_PUBLIC_KEY)
+ assert is_new is False
+ assert key2.id == key1.id
+
+ def test_add_restores_soft_deleted_key(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ key1, _ = service.add_ssh_key(test_user, VALID_PUBLIC_KEY, "Original")
+
+ # Soft-delete the key
+ key1.deleted_at = datetime.now(timezone.utc)
+ db.session.commit()
+
+ # Re-add same key
+ key2, is_new = service.add_ssh_key(test_user, VALID_PUBLIC_KEY, "Restored")
+ assert is_new is False
+ assert key2.id == key1.id
+ assert key2.deleted_at is None
+ assert key2.description == "Restored"
+ assert key2.verified is False
+ assert key2.verified_at is None
+
+ def test_add_with_description(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ key, is_new = service.add_ssh_key(test_user, VALID_PUBLIC_KEY, "Work laptop")
+ assert is_new is True
+ assert key.description == "Work laptop"
+
+ def test_user_not_found_raises(self, app):
+ with app.app_context():
+ service = SSHKeyService()
+ with pytest.raises(UserNotFoundError):
+ service.add_ssh_key("nonexistent-user-id", VALID_PUBLIC_KEY)
+
+ def test_invalid_key_format_raises(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ with pytest.raises(SSHKeyError):
+ service.add_ssh_key(test_user, "not-a-valid-key")
+
+ def test_idempotent_second_call_no_error(self, app, test_user):
+ with app.app_context():
+ service = SSHKeyService()
+ service.add_ssh_key(test_user, VALID_PUBLIC_KEY)
+ key2, is_new = service.add_ssh_key(test_user, VALID_PUBLIC_KEY)
+ assert is_new is False
+ assert key2 is not None
diff --git a/tests/api/v1/test_cert_signing_request.py b/tests/api/v1/test_cert_signing_request.py
new file mode 100644
index 0000000..ffee864
--- /dev/null
+++ b/tests/api/v1/test_cert_signing_request.py
@@ -0,0 +1,148 @@
+import pytest
+from gatehouse_app.services.ssh_ca_signing_service import SSHCertificateSigningRequest
+
+
+VALID_PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL7YKAg+CgUvk/oNmU1fO24fLf5O5LayGH/EgORbz06"
+
+
+class TestCertSigningRequestValidate:
+
+ @pytest.fixture(autouse=True)
+ def patch_config(self, monkeypatch):
+ from gatehouse_app.config.ssh_ca_config import SSHCAConfig
+
+ class TestConfig(SSHCAConfig):
+ def get_int(self, key, default=0):
+ values = {
+ "max_cert_validity_hours": 720,
+ "max_principals_per_cert": 256,
+ "max_key_id_length": 255,
+ }
+ return values.get(key, default)
+
+ monkeypatch.setattr(
+ "gatehouse_app.config.ssh_ca_config.get_ssh_ca_config",
+ lambda: TestConfig(),
+ )
+
+ def test_valid_request_no_errors(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ )
+ errors = req.validate()
+ assert errors == []
+
+ def test_valid_host_cert_no_errors(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["host1.example.com"],
+ key_id="host-identity",
+ cert_type="host",
+ )
+ errors = req.validate()
+ assert errors == []
+
+ def test_invalid_cert_type(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ cert_type="invalid",
+ )
+ errors = req.validate()
+ assert any("cert_type" in e.lower() for e in errors)
+
+ def test_missing_public_key(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key="",
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ )
+ errors = req.validate()
+ assert any("public key" in e.lower() for e in errors)
+
+ def test_malformed_public_key(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key="not-a-key",
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ )
+ errors = req.validate()
+ assert any("public key" in e.lower() for e in errors)
+
+ def test_no_principals(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=[],
+ key_id="user@example.com",
+ )
+ errors = req.validate()
+ assert any("principal" in e.lower() for e in errors)
+
+ def test_too_many_principals(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=[f"p{i}" for i in range(300)],
+ key_id="user@example.com",
+ )
+ errors = req.validate()
+ assert any("too many" in e.lower() for e in errors)
+
+ def test_missing_key_id(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="",
+ )
+ errors = req.validate()
+ assert any("key_id" in e.lower() for e in errors)
+
+ def test_key_id_too_short(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="ab",
+ )
+ errors = req.validate()
+ assert any("key_id" in e.lower() for e in errors)
+
+ def test_key_id_exceeds_max_length(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="x" * 300,
+ )
+ errors = req.validate()
+ assert any("key_id" in e.lower() for e in errors)
+
+ def test_non_positive_expiry(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ expiry_hours=0,
+ )
+ errors = req.validate()
+ assert any("expiry" in e.lower() for e in errors)
+
+ def test_expiry_exceeds_max(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ expiry_hours=99999,
+ )
+ errors = req.validate()
+ assert any("expiry" in e.lower() for e in errors)
+
+ def test_none_expiry_is_ok(self):
+ req = SSHCertificateSigningRequest(
+ ssh_public_key=VALID_PUBLIC_KEY,
+ principals=["eng-prod"],
+ key_id="user@example.com",
+ expiry_hours=None,
+ )
+ errors = req.validate()
+ assert errors == []
diff --git a/tests/api/v1/test_superadmin_schemas.py b/tests/api/v1/test_superadmin_schemas.py
new file mode 100644
index 0000000..36b7f88
--- /dev/null
+++ b/tests/api/v1/test_superadmin_schemas.py
@@ -0,0 +1,77 @@
+from gatehouse_app.api.v1.superadmin.organizations import (
+ ListOrganizationsSchema,
+ UpdateOrganizationSchema,
+)
+
+
+class TestListOrganizationsSchema:
+ def test_defaults_when_empty(self):
+ result = ListOrganizationsSchema.load({})
+ assert result["page"] == 1
+ assert result["per_page"] == 20
+ assert result["search"] is None
+ assert result["status"] is None
+ assert result["plan_slug"] is None
+
+ def test_normal_pagination(self):
+ result = ListOrganizationsSchema.load({"page": 3, "per_page": 10})
+ assert result["page"] == 3
+ assert result["per_page"] == 10
+
+ def test_page_zero_clamped_to_one(self):
+ result = ListOrganizationsSchema.load({"page": 0})
+ assert result["page"] == 1
+
+ def test_negative_per_page_clamped_to_one(self):
+ result = ListOrganizationsSchema.load({"per_page": -5})
+ assert result["per_page"] == 1
+
+ def test_per_page_exceeds_max_clamped_to_100(self):
+ result = ListOrganizationsSchema.load({"per_page": 200})
+ assert result["per_page"] == 100
+
+ def test_non_integer_values_fallback(self):
+ result = ListOrganizationsSchema.load({"page": "abc", "per_page": "xyz"})
+ assert result["page"] == 1
+ assert result["per_page"] == 20
+
+ def test_search_passthrough(self):
+ result = ListOrganizationsSchema.load({"search": "acme"})
+ assert result["search"] == "acme"
+
+ def test_status_passthrough(self):
+ result = ListOrganizationsSchema.load({"status": "active"})
+ assert result["status"] == "active"
+
+ def test_plan_slug_passthrough(self):
+ result = ListOrganizationsSchema.load({"plan_slug": "pro"})
+ assert result["plan_slug"] == "pro"
+
+
+class TestUpdateOrganizationSchema:
+ def test_all_fields(self):
+ result = UpdateOrganizationSchema.load({
+ "name": "New Name",
+ "description": "New Description",
+ "is_active": True,
+ })
+ assert result == {
+ "name": "New Name",
+ "description": "New Description",
+ "is_active": True,
+ }
+
+ def test_empty_dict(self):
+ result = UpdateOrganizationSchema.load({})
+ assert result == {}
+
+ def test_partial_data(self):
+ result = UpdateOrganizationSchema.load({"name": "Renamed Only"})
+ assert result == {"name": "Renamed Only"}
+
+ def test_is_active_coerced_to_bool(self):
+ result = UpdateOrganizationSchema.load({"is_active": "truthy"})
+ assert result["is_active"] is True
+
+ result = UpdateOrganizationSchema.load({"is_active": ""})
+ assert result["is_active"] is False
diff --git a/tests/integration/TestCertificateSigning.py b/tests/integration/TestCertificateSigning.py
new file mode 100644
index 0000000..4f4db22
--- /dev/null
+++ b/tests/integration/TestCertificateSigning.py
@@ -0,0 +1 @@
+[['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['serial'], ['principals'], ['deploy'], ['serial'], ['principals'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': "as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key (but don't verify it)\n add_result = integration_client.ssh.add_key(public_key", 'Unverified Key")\n unverified_key_id = add_result["data"]["id"]\n\n # Create an org and add user as member\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id"], org["id"])\n\n # Create a principal and add user to it via email\n princ_result = integration_client.orgs.create_principal(org["id"], "deploy", "Deployment principal")\n princ_id = princ_result["data"]["id"]\n integration_client.orgs.add_principal_member(org["id"], princ_id, user["email"])\n\n # Create a user CA for the org\n integration_client.orgs.create_ca(org["id"], "Test User CA", ca_type="user", key_type="ed25519': 'Try to sign certificate with unverified key\n with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.sign_certificate(key_id=unverified_key_id)\n\n assert_error(exc_info.value', 'KEY_NOT_VERIFIED': 'def test_sign_certificate_no_principals_negative(self', 'create_test_membership)': '', 'TEST': 'SSH-CERT-05 — Reject signing when user has no principals.\n\n WHAT: User with verified key', 'WHY': 'Principals are required for certificate signing to control\n access permissions.\n EXPECTED: 400 Bad Request with error_type=', '\n import tempfile\n import subprocess\n import os\n import base64\n\n # Create a user and login\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!': 'Generate a fresh Ed25519 key pair and verify it\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify the key\n integration_client.ssh.verify_key(key_id, signature_b64)\n\n # Create an org and add user as member (but no principals)\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id'], ['id'], ['id'], ['unauthorized'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key_a = pub_f.read().strip()\n\n # Add the public key for User A\n add_result = integration_client.ssh.add_key(public_key_a', 'User A Key")\n key_id_a = add_result["data"]["id"]\n\n # Get challenge for User A\'s key\n challenge_result = integration_client.ssh.get_challenge(key_id_a)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['email'], ['id'], ['id'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id']]
\ No newline at end of file
diff --git a/tests/integration/__init__.py b/tests/integration/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/integration/certificate_signing_tests.py b/tests/integration/certificate_signing_tests.py
new file mode 100644
index 0000000..a09c0f1
--- /dev/null
+++ b/tests/integration/certificate_signing_tests.py
@@ -0,0 +1 @@
+[{}, {"response.get('message')}": 'if message_contains:\n assert message_contains.lower() in response.get(', 'f': "xpected message to contain '{message_contains"}, {"response.get('message')}": 'return data\n\n\ndef assert_error(exc: ApiError', 'expected_status': 'int', 'expected_error_type': 'str | None = None):', 'Inspect an ApiError raised by the client."': 'assert exc.status_code == expected_status', 'f': 'xpected status {expected_status'}, {'f': 'RL: {exc.method'}, {'f': 'esponse: {exc.response_data'}, {'{exc.error_type}': 'Tier 1 — C. SSH Certificate Signing\n# =============================================================================\n\nclass TestCertificateSigning:', 'Test SSH certificate signing at POST /ssh/sign."': 'def _setup_cert_env(self', 'create_test_membership)': '', 'CA."': 'import tempfile\n import subprocess\n import os\n import base64\n\n # Create a user and login\n user = create_test_user(password=', 'password="MyPassword123!': 'Generate a fresh Ed25519 key pair to avoid fingerprint collisions\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify the key\n integration_client.ssh.verify_key(key_id, signature_b64)\n\n # Create an org and add user as member\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['serial'], ['email'], ['principals'], {'principals': 'ef test_sign_certificate_custom_principals_positive(self', 'create_test_membership)': '', 'TEST': 'SSH-CERT-04 — Reject signing with unverified key.\n\n WHAT: User with UNVERIFIED key', 'WHY': 'Only verified keys should be able to sign certificates.\n EXPECTED: 400 Bad Request with error_type=', '\n user, org, key_id = self._setup_cert_env(\n integration_app, integration_client, create_test_user, create_test_org, create_test_membership\n )\n\n # Sign certificate with custom principals\n result = integration_client.ssh.sign_certificate(key_id=key_id, principals=["deploy"])\n data = assert_success(result, "certificate")\n\n # Verify response contains expected fields\n assert "certificate" in data, "Response missing certificate"\n assert "serial" in data, "Response missing serial"\n assert data["serial"] is not None, "Serial should not be None"\n assert "principals" in data, "Response missing principals"\n # Should contain the requested principal\n assert "deploy" in data["principals"], "Requested principal \'deploy\' not in principals': 'ef test_sign_certificate_unverified_key_negative(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!': "Generate a fresh Ed25519 key pair but DON'T verify it\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir", 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['unauthorized'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], [503, 400], {'exc_info.value.status_code}': 'ef test_sign_certificate_cross_user_key_negative(self', 'create_test_membership)': '', 'TEST': "SSH-CERT-09 — Reject signing with another user's key.\n\n WHAT: User A has a verified key. User B has principals and CA.\n User B tries to sign using User A's key_id.\n WHY: Cross-user certificate signing must be blocked.\n EXPECTED: 403 Forbidden.", '\n import tempfile\n import subprocess\n import os\n import base64\n\n # Create User A with a verified key\n user_a = create_test_user(password="PassA123!")\n user_b = create_test_user(password="PassB123!")\n\n # Login as User A and generate a key\n integration_client.auth.login(email=user_a["email"], password="PassA123!': 'Generate a fresh Ed25519 key pair for User A\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify User A\'s key\n integration_client.ssh.verify_key(key_id_a, signature_b64)\n\n # Create an org\n org = create_test_org(name="Test Org for Cert Signing")\n\n # Add both users as members\n create_test_membership(user_a["id'], ['id'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['email']]
\ No newline at end of file
diff --git a/tests/integration/client/__init__.py b/tests/integration/client/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/integration/client/admin.py b/tests/integration/client/admin.py
new file mode 100644
index 0000000..66bc212
--- /dev/null
+++ b/tests/integration/client/admin.py
@@ -0,0 +1,53 @@
+"""Admin client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class AdminClient:
+ """Wraps admin-only API calls."""
+
+ def __init__(self, client):
+ self._client = client
+
+ def list_users(self) -> dict:
+ """List all users (paginated)."""
+ return self._client.get("/admin/users")
+
+ def get_user(self, user_id: str) -> dict:
+ """Get a single user by ID."""
+ return self._client.get(f"/admin/users/{user_id}")
+
+ def suspend_user(self, user_id: str) -> dict:
+ """Suspend a user account."""
+ return self._client.post(f"/admin/users/{user_id}/suspend")
+
+ def unsuspend_user(self, user_id: str) -> dict:
+ """Unsuspend a user account."""
+ return self._client.post(f"/admin/users/{user_id}/unsuspend")
+
+ def verify_user_email(self, user_id: str) -> dict:
+ """Admin-verify a user's email."""
+ return self._client.post(f"/admin/users/{user_id}/verify-email")
+
+ def set_user_password(self, user_id: str, new_password: str) -> dict:
+ """Set a user's password (admin override)."""
+ return self._client.post(
+ f"/admin/users/{user_id}/password",
+ data={"password": new_password},
+ )
+
+ def remove_user_mfa(self, user_id: str, mfa_type: str = "totp") -> dict:
+ """Remove a user's MFA method."""
+ return self._client.delete(f"/admin/users/{user_id}/mfa/{mfa_type}")
+
+ def hard_delete_user(self, user_id: str, confirm: bool = False) -> dict:
+ """Hard-delete a user."""
+ return self._client.post(
+ f"/admin/users/{user_id}/delete",
+ data={"confirm": confirm},
+ )
+
+ def list_audit_logs(self) -> dict:
+ """List system-wide audit logs."""
+ return self._client.get("/audit-logs")
diff --git a/tests/integration/client/auth.py b/tests/integration/client/auth.py
new file mode 100644
index 0000000..181627a
--- /dev/null
+++ b/tests/integration/client/auth.py
@@ -0,0 +1,129 @@
+"""Auth client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class AuthClient:
+ """Wraps authentication-related API calls.
+
+ Provides convenience methods for register, login, logout, and
+ session management. Automatically stores the token on the parent
+ SecuirdClient when login / register succeed.
+ """
+
+ def __init__(self, client):
+ self._client = client
+
+ # ------------------------------------------------------------------
+ # Registration
+ # ------------------------------------------------------------------
+ def register(self, email: str, password: str, full_name: str | None = None) -> dict:
+ """Register a new user and return the response payload.
+
+ Args:
+ email: User's email address.
+ password: Plain-text password (>= 8 chars).
+ full_name: Optional display name.
+
+ Returns:
+ API response dict containing ``user``, ``token``, ``expires_at``.
+
+ Raises:
+ ApiError: On validation failure or duplicate email.
+ """
+ logger.info(f"[AuthClient] Registering user: email={email}")
+ payload = {"email": email, "password": password, "password_confirm": password}
+ if full_name:
+ payload["full_name"] = full_name
+ result = self._client.post("/auth/register", data=payload)
+ token = result.get("data", {}).get("token")
+ if token:
+ self._client.set_token(token)
+ logger.info(f"[AuthClient] Registration successful — token stored")
+ return result
+
+ # ------------------------------------------------------------------
+ # Login / Logout
+ # ------------------------------------------------------------------
+ def login(self, email: str, password: str, remember_me: bool = False) -> dict:
+ """Authenticate with email and password.
+
+ Args:
+ email: Registered email address.
+ password: Plain-text password.
+ remember_me: Request a long-lived session.
+
+ Returns:
+ API response dict. If TOTP / WebAuthn is required the
+ response contains ``requires_totp`` or ``requires_webauthn``
+ instead of a token.
+ """
+ logger.info(f"[AuthClient] Logging in: email={email}")
+ result = self._client.post(
+ "/auth/login",
+ data={"email": email, "password": password, "remember_me": remember_me},
+ )
+ token = result.get("data", {}).get("token")
+ if token:
+ self._client.set_token(token)
+ logger.info(f"[AuthClient] Login successful — token stored")
+ return result
+
+ def logout(self) -> dict:
+ """Log out the current user and clear the stored token."""
+ logger.info("[AuthClient] Logging out")
+ result = self._client.post("/auth/logout")
+ self._client.clear_token()
+ return result
+
+ # ------------------------------------------------------------------
+ # Current user
+ # ------------------------------------------------------------------
+ def me(self) -> dict:
+ """Return the current authenticated user's profile."""
+ return self._client.get("/auth/me")
+
+ # ------------------------------------------------------------------
+ # Sessions
+ # ------------------------------------------------------------------
+ def list_sessions(self) -> dict:
+ """Return active sessions for the current user."""
+ return self._client.get("/auth/sessions")
+
+ def revoke_session(self, session_id: str) -> dict:
+ """Revoke a specific session belonging to the current user."""
+ return self._client.delete(f"/auth/sessions/{session_id}")
+
+ def refresh_session(self) -> dict:
+ """Extend the current session's idle window."""
+ return self._client.post("/auth/sessions/refresh")
+
+ # ------------------------------------------------------------------
+ # Password recovery
+ # ------------------------------------------------------------------
+ def forgot_password(self, email: str) -> dict:
+ """Request a password-reset email."""
+ return self._client.post("/auth/forgot-password", data={"email": email})
+
+ def reset_password(self, token: str, new_password: str, new_password_confirm: str) -> dict:
+ """Reset password using a token from the forgot-password flow."""
+ return self._client.post(
+ "/auth/reset-password",
+ data={
+ "token": token,
+ "password": new_password,
+ "password_confirm": new_password_confirm,
+ },
+ )
+
+ # ------------------------------------------------------------------
+ # Email verification
+ # ------------------------------------------------------------------
+ def verify_email(self, token: str) -> dict:
+ """Verify an email address using the token sent by email."""
+ return self._client.post("/auth/verify-email", data={"token": token})
+
+ def resend_verification(self, email: str) -> dict:
+ """Re-send the verification email."""
+ return self._client.post("/auth/resend-verification", data={"email": email})
diff --git a/tests/integration/client/base.py b/tests/integration/client/base.py
new file mode 100644
index 0000000..69d821c
--- /dev/null
+++ b/tests/integration/client/base.py
@@ -0,0 +1,189 @@
+"""Base HTTP client for integration testing."""
+import json
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class ApiError(Exception):
+ """Detailed exception for API call failures.
+
+ Attributes:
+ message: Human-readable error message from the API.
+ status_code: HTTP status code returned.
+ error_type: Machine-readable error type string (e.g. VALIDATION_ERROR).
+ error_details: Optional dict with field-level validation errors.
+ url: The full API route that was called.
+ method: The HTTP method used.
+ response_data: The complete parsed JSON response body.
+ """
+
+ def __init__(
+ self,
+ *,
+ message: str,
+ status_code: int,
+ error_type: str,
+ error_details: dict | None,
+ url: str,
+ method: str,
+ response_data: dict,
+ ):
+ self.message = message
+ self.status_code = status_code
+ self.error_type = error_type
+ self.error_details = error_details or {}
+ self.url = url
+ self.method = method
+ self.response_data = response_data
+ super().__init__(self._build_message())
+
+ def _build_message(self) -> str:
+ lines = [
+ f"",
+ f"{'='*60}",
+ f" API ERROR: {self.method.upper()} {self.url}",
+ f" Status: {self.status_code}",
+ f" Error Type: {self.error_type}",
+ f" Message: {self.message}",
+ ]
+ if self.error_details:
+ lines.append(f" Details: {self.error_details}")
+ lines.append(f" Full Response: {self.response_data}")
+ lines.append(f"{'='*60}")
+ return "\n".join(lines)
+
+ def __str__(self) -> str:
+ return self._build_message()
+
+
+class SecuirdClient:
+ """Stateful CLI-style test client for Secuird API.
+
+ Wraps Flask's ``test_client`` and manages auth tokens, JSON
+ serialization, and detailed error reporting so tests fail with
+ actionable output.
+ """
+
+ def __init__(self, flask_test_client):
+ self._client = flask_test_client
+ self._token: str | None = None
+ logger.debug("[SecuirdClient] Initialized")
+
+ # Attach domain-specific sub-clients
+ from tests.integration.client.auth import AuthClient
+ from tests.integration.client.mfa import MfaClient
+ from tests.integration.client.ssh import SshClient
+ from tests.integration.client.orgs import OrgsClient
+ from tests.integration.client.admin import AdminClient
+ from tests.integration.client.users import UsersClient
+ self.auth = AuthClient(self)
+ self.mfa = MfaClient(self)
+ self.ssh = SshClient(self)
+ self.orgs = OrgsClient(self)
+ self.admin = AdminClient(self)
+ self.users = UsersClient(self)
+
+ def set_token(self, token: str) -> None:
+ """Store a Bearer token for subsequent requests."""
+ self._token = token
+ logger.debug(f"[SecuirdClient] Token set: {token[:12]}...")
+
+ def clear_token(self) -> None:
+ """Remove the stored Bearer token."""
+ self._token = None
+ logger.debug("[SecuirdClient] Token cleared")
+
+ def _url(self, path: str) -> str:
+ """Ensure the path starts with /api/v1."""
+ if path.startswith("http"):
+ return path
+ if not path.startswith("/api/v1"):
+ path = f"/api/v1{path}"
+ return path
+
+ def _headers(self) -> dict:
+ """Build request headers including auth if available."""
+ headers = {"Accept": "application/json"}
+ if self._token:
+ headers["Authorization"] = f"Bearer {self._token}"
+ return headers
+
+ def _request(self, method: str, path: str, data: dict | None = None) -> dict:
+ """Execute an HTTP request and handle the response.
+
+ Args:
+ method: HTTP method (get, post, patch, delete).
+ path: API path (e.g. /auth/register).
+ data: Optional JSON-serializable payload.
+
+ Returns:
+ The parsed JSON response body.
+
+ Raises:
+ ApiError: If the response status code is >= 400.
+ """
+ url = self._url(path)
+ headers = self._headers()
+ kwargs = {"headers": headers, "follow_redirects": True}
+
+ if data is not None and method in ("post", "patch", "delete"):
+ headers["Content-Type"] = "application/json"
+ kwargs["data"] = json.dumps(data)
+
+ logger.debug(f"[SecuirdClient] {method.upper()} {url} — data={data}")
+
+ response = getattr(self._client, method)(url, **kwargs)
+
+ try:
+ body = response.get_json()
+ except Exception:
+ body = {"_raw": response.data.decode("utf-8", errors="replace")}
+
+ logger.debug(f"[SecuirdClient] {method.upper()} {url} — status={response.status_code}")
+
+ if response.status_code >= 400:
+ # The API may return error info nested under `error` or flat at top level
+ error_block = body.get("error") if isinstance(body.get("error"), dict) else {}
+ error_type = (
+ error_block.get("type")
+ or body.get("error_type", "UNKNOWN_ERROR")
+ if body else "UNKNOWN_ERROR"
+ )
+ error_details = (
+ error_block.get("details")
+ or body.get("error_details")
+ if body else None
+ )
+ message = body.get("message", "No message provided") if body else "No message provided"
+ raise ApiError(
+ message=message,
+ status_code=response.status_code,
+ error_type=error_type,
+ error_details=error_details,
+ url=url,
+ method=method.upper(),
+ response_data=body or {},
+ )
+
+ return body or {}
+
+ def get(self, path: str) -> dict:
+ """Execute a GET request."""
+ return self._request("get", path)
+
+ def post(self, path: str, data: dict | None = None) -> dict:
+ """Execute a POST request."""
+ return self._request("post", path, data)
+
+ def patch(self, path: str, data: dict | None = None) -> dict:
+ """Execute a PATCH request."""
+ return self._request("patch", path, data)
+
+ def put(self, path: str, data: dict | None = None) -> dict:
+ """Execute a PUT request."""
+ return self._request("put", path, data)
+
+ def delete(self, path: str, data: dict | None = None) -> dict:
+ """Execute a DELETE request."""
+ return self._request("delete", path, data)
diff --git a/tests/integration/client/mfa.py b/tests/integration/client/mfa.py
new file mode 100644
index 0000000..476a196
--- /dev/null
+++ b/tests/integration/client/mfa.py
@@ -0,0 +1,95 @@
+"""MFA (TOTP) client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class MfaClient:
+ """Wraps TOTP MFA-related API calls."""
+
+ def __init__(self, client):
+ self._client = client
+
+ # ------------------------------------------------------------------
+ # TOTP Enrollment
+ # ------------------------------------------------------------------
+ def enroll_totp(self) -> dict:
+ """Begin TOTP enrollment.
+
+ Returns:
+ Response dict containing ``secret``, ``provisioning_uri``,
+ ``qr_code``, and ``backup_codes``.
+ """
+ logger.info("[MfaClient] Enrolling TOTP")
+ return self._client.post("/auth/totp/enroll")
+
+ def verify_enrollment(self, code: str, client_timestamp: str | None = None) -> dict:
+ """Complete TOTP enrollment by verifying the first code.
+
+ Args:
+ code: 6-digit TOTP code generated from the secret.
+ client_timestamp: Optional ISO-8601 timestamp for drift calc.
+ """
+ payload = {"code": code}
+ if client_timestamp:
+ payload["client_timestamp"] = client_timestamp
+ logger.info("[MfaClient] Verifying TOTP enrollment")
+ return self._client.post("/auth/totp/verify-enrollment", data=payload)
+
+ # ------------------------------------------------------------------
+ # TOTP Verification (during login)
+ # ------------------------------------------------------------------
+ def verify_totp(self, code: str, is_backup_code: bool = False, client_timestamp: str | None = None) -> dict:
+ """Verify TOTP code during the multi-step login flow.
+
+ This is called AFTER ``AuthClient.login`` returns
+ ``requires_totp=True`` and stores the pending user id in the
+ server-side session.
+
+ Args:
+ code: 6-digit TOTP code or backup code.
+ is_backup_code: True if ``code`` is a backup code.
+ client_timestamp: Optional ISO-8601 timestamp.
+
+ Returns:
+ Response dict containing ``user``, ``token``, ``expires_at``.
+ """
+ payload = {"code": code, "is_backup_code": is_backup_code}
+ if client_timestamp:
+ payload["client_timestamp"] = client_timestamp
+ logger.info(f"[MfaClient] Verifying TOTP — backup={is_backup_code}")
+ result = self._client.post("/auth/totp/verify", data=payload)
+ token = result.get("data", {}).get("token")
+ if token:
+ self._client.set_token(token)
+ logger.info("[MfaClient] TOTP verification successful — token stored")
+ return result
+
+ # ------------------------------------------------------------------
+ # TOTP Management
+ # ------------------------------------------------------------------
+ def get_totp_status(self) -> dict:
+ """Return current TOTP status and remaining backup codes."""
+ return self._client.get("/auth/totp/status")
+
+ def disable_totp(self, password: str) -> dict:
+ """Disable TOTP for the current user.
+
+ Args:
+ password: Current account password (required for confirmation).
+ """
+ return self._client.delete("/auth/totp/disable", data={"password": password})
+
+ def regenerate_backup_codes(self, password: str) -> dict:
+ """Generate a fresh set of backup codes.
+
+ Args:
+ password: Current account password (required for confirmation).
+
+ Returns:
+ Response dict containing ``backup_codes``.
+ """
+ return self._client.post(
+ "/auth/totp/regenerate-backup-codes",
+ data={"password": password},
+ )
diff --git a/tests/integration/client/orgs.py b/tests/integration/client/orgs.py
new file mode 100644
index 0000000..46318eb
--- /dev/null
+++ b/tests/integration/client/orgs.py
@@ -0,0 +1,191 @@
+"""Organization client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class OrgsClient:
+ """Wraps organization-related API calls."""
+
+ def __init__(self, client):
+ self._client = client
+
+ # ------------------------------------------------------------------
+ # Organization CRUD
+ # ------------------------------------------------------------------
+ def create(self, name: str, slug: str | None = None, description: str | None = None) -> dict:
+ """Create a new organization."""
+ payload: dict = {"name": name}
+ if slug:
+ payload["slug"] = slug
+ if description:
+ payload["description"] = description
+ return self._client.post("/organizations", data=payload)
+
+ def get(self, org_id: str) -> dict:
+ """Get organization details."""
+ return self._client.get(f"/organizations/{org_id}")
+
+ def update(self, org_id: str, **fields) -> dict:
+ """Update organization fields (name, description, etc.)."""
+ return self._client.patch(f"/organizations/{org_id}", data=fields)
+
+ def delete(self, org_id: str, confirm: bool = False) -> dict:
+ """Delete (soft-delete) an organization."""
+ return self._client.delete(f"/organizations/{org_id}", data={"confirm": confirm})
+
+ # ------------------------------------------------------------------
+ # Members
+ # ------------------------------------------------------------------
+ def list_members(self, org_id: str) -> dict:
+ """List members of an organization."""
+ return self._client.get(f"/organizations/{org_id}/members")
+
+ def add_member(self, org_id: str, email: str, role: str = "member") -> dict:
+ """Add an existing user as a member."""
+ return self._client.post(
+ f"/organizations/{org_id}/members",
+ data={"email": email, "role": role},
+ )
+
+ def remove_member(self, org_id: str, member_id: str) -> dict:
+ """Remove a member from an organization."""
+ return self._client.delete(f"/organizations/{org_id}/members/{member_id}")
+
+ def update_member_role(self, org_id: str, member_id: str, role: str) -> dict:
+ """Update a member's role."""
+ return self._client.patch(
+ f"/organizations/{org_id}/members/{member_id}/role",
+ data={"role": role},
+ )
+
+ def transfer_ownership(self, org_id: str, new_owner_id: str) -> dict:
+ """Transfer organization ownership."""
+ return self._client.post(
+ f"/organizations/{org_id}/transfer-ownership",
+ data={"new_owner_user_id": new_owner_id},
+ )
+
+ # ------------------------------------------------------------------
+ # Invites
+ # ------------------------------------------------------------------
+ def list_invites(self, org_id: str) -> dict:
+ """List pending invites."""
+ return self._client.get(f"/organizations/{org_id}/invites")
+
+ def create_invite(self, org_id: str, email: str, role: str = "member") -> dict:
+ """Create an invite for a new user."""
+ return self._client.post(
+ f"/organizations/{org_id}/invites",
+ data={"email": email, "role": role},
+ )
+
+ def cancel_invite(self, org_id: str, invite_id: str) -> dict:
+ """Cancel a pending invite."""
+ return self._client.delete(f"/organizations/{org_id}/invites/{invite_id}")
+
+ def get_invite_by_token(self, token: str) -> dict:
+ """Get invite info by token (public endpoint)."""
+ return self._client.get(f"/invites/{token}")
+
+ def accept_invite(self, token: str, password: str | None = None, full_name: str | None = None, password_confirm: str | None = None) -> dict:
+ """Accept an invite. For new users, password and full_name are required."""
+ payload: dict = {}
+ if password:
+ payload["password"] = password
+ if password_confirm:
+ payload["password_confirm"] = password_confirm
+ if full_name:
+ payload["full_name"] = full_name
+ result = self._client.post(f"/invites/{token}/accept", data=payload)
+ # Store token if returned (new user registration)
+ token_val = result.get("data", {}).get("token")
+ if token_val:
+ self._client.set_token(token_val)
+ return result
+
+ # ------------------------------------------------------------------
+ # Principals & Departments
+ # ------------------------------------------------------------------
+ def list_principals(self, org_id: str) -> dict:
+ """List principals in an organization."""
+ return self._client.get(f"/organizations/{org_id}/principals")
+
+ def create_principal(self, org_id: str, name: str, description: str | None = None) -> dict:
+ """Create a principal."""
+ payload: dict = {"name": name}
+ if description:
+ payload["description"] = description
+ return self._client.post(f"/organizations/{org_id}/principals", data=payload)
+
+ def add_principal_member(self, org_id: str, principal_id: str, email: str) -> dict:
+ """Add a user to a principal."""
+ return self._client.post(
+ f"/organizations/{org_id}/principals/{principal_id}/members",
+ data={"email": email},
+ )
+
+ def list_departments(self, org_id: str) -> dict:
+ """List departments in an organization."""
+ return self._client.get(f"/organizations/{org_id}/departments")
+
+ def create_department(self, org_id: str, name: str, description: str | None = None) -> dict:
+ """Create a department."""
+ payload: dict = {"name": name}
+ if description:
+ payload["description"] = description
+ return self._client.post(f"/organizations/{org_id}/departments", data=payload)
+
+ def add_department_member(self, org_id: str, dept_id: str, email: str) -> dict:
+ """Add a user to a department."""
+ return self._client.post(
+ f"/organizations/{org_id}/departments/{dept_id}/members",
+ data={"email": email},
+ )
+
+ def link_principal_department(self, org_id: str, principal_id: str, dept_id: str) -> dict:
+ """Link a principal to a department."""
+ return self._client.post(
+ f"/organizations/{org_id}/principals/{principal_id}/departments/{dept_id}",
+ data={},
+ )
+
+ # ------------------------------------------------------------------
+ # CAs
+ # ------------------------------------------------------------------
+ def list_cas(self, org_id: str) -> dict:
+ """List CAs for an organization."""
+ return self._client.get(f"/organizations/{org_id}/cas")
+
+ def create_ca(self, org_id: str, name: str, ca_type: str = "user", key_type: str = "ed25519") -> dict:
+ """Create a Certificate Authority."""
+ return self._client.post(
+ f"/organizations/{org_id}/cas",
+ data={"name": name, "ca_type": ca_type, "key_type": key_type},
+ )
+
+ def get_ca(self, org_id: str, ca_id: str) -> dict:
+ """Get a CA by ID."""
+ return self._client.get(f"/organizations/{org_id}/cas/{ca_id}")
+
+ def rotate_ca(self, org_id: str, ca_id: str) -> dict:
+ """Rotate a CA key."""
+ return self._client.post(f"/organizations/{org_id}/cas/{ca_id}/rotate")
+
+ # ------------------------------------------------------------------
+ # API Keys
+ # ------------------------------------------------------------------
+ def list_api_keys(self, org_id: str) -> dict:
+ """List API keys."""
+ return self._client.get(f"/organizations/{org_id}/api-keys")
+
+ def create_api_key(self, org_id: str, name: str, role: str = "member") -> dict:
+ """Create an API key."""
+ return self._client.post(
+ f"/organizations/{org_id}/api-keys",
+ data={"name": name, "role": role},
+ )
+
+ def revoke_api_key(self, org_id: str, key_id: str) -> dict:
+ """Revoke an API key."""
+ return self._client.delete(f"/organizations/{org_id}/api-keys/{key_id}")
diff --git a/tests/integration/client/ssh.py b/tests/integration/client/ssh.py
new file mode 100644
index 0000000..1aab97c
--- /dev/null
+++ b/tests/integration/client/ssh.py
@@ -0,0 +1,136 @@
+"""SSH client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class SshClient:
+ """Wraps SSH key and certificate API calls."""
+
+ def __init__(self, client):
+ self._client = client
+
+ # ------------------------------------------------------------------
+ # SSH Key Management
+ # ------------------------------------------------------------------
+ def list_keys(self) -> dict:
+ """Return all SSH keys belonging to the current user."""
+ return self._client.get("/ssh/keys")
+
+ def add_key(self, public_key: str, description: str | None = None) -> dict:
+ """Upload a new SSH public key.
+
+ Args:
+ public_key: The OpenSSH-format public key string.
+ description: Optional human-readable label.
+ """
+ payload = {"public_key": public_key}
+ if description:
+ payload["description"] = description
+ logger.info("[SshClient] Adding SSH key")
+ return self._client.post("/ssh/keys", data=payload)
+
+ def get_key(self, key_id: str) -> dict:
+ """Return a single SSH key by ID."""
+ return self._client.get(f"/ssh/keys/{key_id}")
+
+ def delete_key(self, key_id: str) -> dict:
+ """Delete an SSH key."""
+ return self._client.delete(f"/ssh/keys/{key_id}")
+
+ def update_description(self, key_id: str, description: str) -> dict:
+ """Update the description of an SSH key."""
+ return self._client.patch(
+ f"/ssh/keys/{key_id}/update-description",
+ data={"description": description},
+ )
+
+ # ------------------------------------------------------------------
+ # SSH Key Verification
+ # ------------------------------------------------------------------
+ def get_challenge(self, key_id: str) -> dict:
+ """Generate a verification challenge for an SSH key.
+
+ Returns:
+ Response dict containing ``challenge_text``.
+ """
+ return self._client.get(f"/ssh/keys/{key_id}/verify")
+
+ def verify_key(self, key_id: str, signature: str) -> dict:
+ """Verify ownership of an SSH key by submitting a signature.
+
+ Args:
+ key_id: The SSH key ID.
+ signature: Base64-encoded signature of the challenge text.
+ """
+ return self._client.post(
+ f"/ssh/keys/{key_id}/verify",
+ data={"action": "verify_signature", "signature": signature},
+ )
+
+ # ------------------------------------------------------------------
+ # SSH Certificate Signing
+ # ------------------------------------------------------------------
+ def sign_certificate(
+ self,
+ *,
+ key_id: str | None = None,
+ principals: list[str] | None = None,
+ cert_type: str = "user",
+ expiry_hours: int | None = None,
+ organization_id: str | None = None,
+ ) -> dict:
+ """Request an SSH user certificate.
+
+ Args:
+ key_id: SSH key to attach the certificate to.
+ principals: Optional list of requested principals.
+ cert_type: "user" or "host".
+ expiry_hours: Optional custom expiry within policy.
+ organization_id: Optional organization ID to specify which org's CA to use.
+ """
+ payload: dict = {"cert_type": cert_type}
+ if key_id:
+ payload["key_id"] = key_id
+ if principals:
+ payload["principals"] = principals
+ if expiry_hours:
+ payload["expiry_hours"] = expiry_hours
+ if organization_id:
+ payload["organization_id"] = organization_id
+ logger.info(f"[SshClient] Signing certificate — type={cert_type}")
+ return self._client.post("/ssh/sign", data=payload)
+
+ def sign_host_certificate(self, *, host_public_key: str, ca_id: str | None = None) -> dict:
+ """Request an SSH host certificate (admin-only).
+
+ Args:
+ host_public_key: The host's public key material.
+ ca_id: Optional CA ID (defaults to org's host CA).
+ """
+ payload: dict = {"host_public_key": host_public_key, "cert_type": "host"}
+ if ca_id:
+ payload["ca_id"] = ca_id
+ return self._client.post("/ssh/sign/host", data=payload)
+
+ # ------------------------------------------------------------------
+ # Certificate Management
+ # ------------------------------------------------------------------
+ def list_certificates(self) -> dict:
+ """Return all certificates for the current user."""
+ return self._client.get("/ssh/certificates")
+
+ def get_certificate(self, cert_id: str) -> dict:
+ """Return a single certificate by ID."""
+ return self._client.get(f"/ssh/certificates/{cert_id}")
+
+ def revoke_certificate(self, cert_id: str, reason: str = "User revoked") -> dict:
+ """Revoke a certificate."""
+ return self._client.post(
+ f"/ssh/certificates/{cert_id}/revoke",
+ data={"reason": reason},
+ )
+
+ def get_ca_public_key(self) -> dict:
+ """Return the organization's CA public key."""
+ return self._client.get("/ssh/ca/public-key")
diff --git a/tests/integration/client/users.py b/tests/integration/client/users.py
new file mode 100644
index 0000000..aa35540
--- /dev/null
+++ b/tests/integration/client/users.py
@@ -0,0 +1,50 @@
+"""Users (self-service) client for integration tests."""
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class UsersClient:
+ """Wraps user self-service API calls."""
+
+ def __init__(self, client):
+ self._client = client
+
+ def get_profile(self) -> dict:
+ """Get the current user's profile."""
+ return self._client.get("/users/me")
+
+ def update_profile(self, **fields) -> dict:
+ """Update profile fields (full_name, avatar_url)."""
+ return self._client.patch("/users/me", data=fields)
+
+ def change_password(self, current_password: str, new_password: str, new_password_confirm: str) -> dict:
+ """Change the current user's password."""
+ return self._client.post(
+ "/users/me/password",
+ data={
+ "current_password": current_password,
+ "new_password": new_password,
+ "new_password_confirm": new_password_confirm,
+ },
+ )
+
+ def delete_account(self) -> dict:
+ """Soft-delete the current user's account."""
+ return self._client.delete("/users/me")
+
+ def get_my_organizations(self) -> dict:
+ """List organizations the current user belongs to."""
+ return self._client.get("/users/me/organizations")
+
+ def get_my_memberships(self) -> dict:
+ """List detailed memberships across orgs."""
+ return self._client.get("/users/me/memberships")
+
+ def get_my_principals(self) -> dict:
+ """List principals the current user has access to."""
+ return self._client.get("/users/me/principals")
+
+ def get_my_invites(self) -> dict:
+ """List pending invites for the current user."""
+ return self._client.get("/users/me/invites")
diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py
new file mode 100644
index 0000000..76e2509
--- /dev/null
+++ b/tests/integration/conftest.py
@@ -0,0 +1,154 @@
+"""Pytest fixtures for integration tests."""
+import pytest
+import uuid
+from datetime import datetime, timezone
+
+from gatehouse_app import create_app, db
+from gatehouse_app.extensions import limiter
+from gatehouse_app.models.user.user import User
+from gatehouse_app.models.organization.organization import Organization
+from gatehouse_app.models.organization.organization_member import OrganizationMember
+from gatehouse_app.models.ssh_ca.ca import CA, CaType, KeyType
+from gatehouse_app.utils.constants import OrganizationRole
+from tests.integration.client.base import SecuirdClient
+
+
+# Disable the global rate limiter for integration tests.
+# The default app created at module level in gatehouse_app/__init__.py
+# initializes the limiter with production settings; we turn it off here
+# so tests don't hit rate limits.
+limiter.enabled = False
+
+
+@pytest.fixture(scope="module")
+def integration_app():
+ """Create a test Flask app with in-memory SQLite.
+
+ Yields the configured application; tears down the DB after the
+ module finishes.
+ """
+ app = create_app(config_name="testing")
+ app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
+ app.config["TESTING"] = True
+ app.config["WTF_CSRF_ENABLED"] = False
+ app.config["RATELIMIT_ENABLED"] = False
+
+ with app.app_context():
+ db.create_all()
+ yield app
+ db.session.remove()
+ db.drop_all()
+
+
+@pytest.fixture
+def integration_client(integration_app):
+ """Yield a fresh SecuirdClient for every test function."""
+ with integration_app.test_client() as flask_client:
+ client = SecuirdClient(flask_client)
+ yield client
+ client.clear_token()
+
+
+@pytest.fixture
+def create_test_user(integration_app):
+ """Return a factory that creates a user inside the app context."""
+ from gatehouse_app.models.auth.authentication_method import AuthenticationMethod
+ from gatehouse_app.utils.constants import AuthMethodType
+
+ def _factory(
+ *,
+ email: str | None = None,
+ password: str = "password123",
+ full_name: str = "Test User",
+ email_verified: bool = True,
+ ) -> dict:
+ email = email or f"test_{uuid.uuid4().hex[:8]}@example.com"
+ with integration_app.app_context():
+ user = User(
+ email=email,
+ full_name=full_name,
+ email_verified=email_verified,
+ )
+ db.session.add(user)
+ db.session.commit()
+
+ from gatehouse_app.extensions import bcrypt
+ password_hash = bcrypt.generate_password_hash(password).decode("utf-8")
+ auth_method = AuthenticationMethod(
+ user_id=user.id,
+ method_type=AuthMethodType.PASSWORD,
+ password_hash=password_hash,
+ is_primary=True,
+ verified=True,
+ )
+ db.session.add(auth_method)
+ db.session.commit()
+
+ return {
+ "id": str(user.id),
+ "email": user.email,
+ "password": password,
+ "full_name": user.full_name,
+ }
+
+ return _factory
+
+
+@pytest.fixture
+def create_test_org(integration_app):
+ """Return a factory that creates an organization inside the app context."""
+ def _factory(*, name: str | None = None, slug: str | None = None) -> dict:
+ name = name or f"Test Org {uuid.uuid4().hex[:8]}"
+ slug = slug or name.lower().replace(" ", "-")
+ with integration_app.app_context():
+ org = Organization(name=name, slug=slug)
+ db.session.add(org)
+ db.session.commit()
+ return {"id": str(org.id), "name": org.name, "slug": org.slug}
+
+ return _factory
+
+
+@pytest.fixture
+def create_test_membership(integration_app):
+ """Return a factory that creates an org membership."""
+ def _factory(user_id: str, org_id: str, role: OrganizationRole = OrganizationRole.MEMBER) -> dict:
+ with integration_app.app_context():
+ membership = OrganizationMember(
+ user_id=user_id,
+ organization_id=org_id,
+ role=role,
+ )
+ db.session.add(membership)
+ db.session.commit()
+ return {"id": str(membership.id), "role": role.value}
+
+ return _factory
+
+
+@pytest.fixture
+def create_test_ca(integration_app):
+ """Return a factory that creates a Certificate Authority."""
+ def _factory(
+ *,
+ org_id: str,
+ name: str = "Test CA",
+ ca_type: CaType = CaType.USER,
+ key_type: KeyType = KeyType.ED25519,
+ ) -> dict:
+ with integration_app.app_context():
+ ca = CA(
+ organization_id=org_id,
+ name=name,
+ ca_type=ca_type,
+ key_type=key_type,
+ private_key="encrypted_private_key_placeholder",
+ public_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...",
+ fingerprint="sha256:ABC123...",
+ is_active=True,
+ )
+ db.session.add(ca)
+ db.session.commit()
+ return {"id": str(ca.id), "name": ca.name, "ca_type": ca.ca_type.value}
+
+ return _factory
diff --git a/tests/integration/fixtures/__init__.py b/tests/integration/fixtures/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/integration/fixtures/ssh_keys.py b/tests/integration/fixtures/ssh_keys.py
new file mode 100644
index 0000000..640e4d5
--- /dev/null
+++ b/tests/integration/fixtures/ssh_keys.py
@@ -0,0 +1,38 @@
+"""Test SSH key pairs and helpers for integration tests."""
+import uuid
+
+# Pre-generated Ed25519 test key pair (DO NOT USE IN PRODUCTION)
+TEST_PRIVATE_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBqPZ1wQtlMltpE8T0hxmP0Y9DRfjVw0LJpHip7sLTTOQAAAJgPGqh4Dxqo
+eAAAAAtzc2gtZWQyNTUxOQAAACBqPZ1wQtlMltpE8T0hxmP0Y9DRfjVw0LJpHip7sLTTOQ
+AAAEAz0wM1oU6nLdD1pPsgxE9gqPB1Gs2fI3oO+tWSef0Ckmo9nXBC2UyW2kTxPSHGY/Rj
+0NF+NXDQsmkeKnswtNM5AAAAFHRlc3R1c2VyQGV4YW1wbGUuY29tAAAACXN0dWJ0ZXN0AAAAHHN0dWItdGVzdC1rZXktZm9yLWludGVncmF0aW9uLXRlc3Rz
+-----END OPENSSH PRIVATE KEY-----"""
+
+TEST_PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGo9nXBC2UyW2kTxPSHGY/Rj0NF+NXDQsmkeKnswtNM5 testuser@example.com"
+
+# Invalid key material for negative tests
+INVALID_PUBLIC_KEY = "not-a-valid-ssh-key-format"
+
+# Generate a unique public key per call to avoid fingerprint collisions
+# across tests that share the same database.
+# Ed25519 public keys are 68 chars prefix + 32 bytes base64 + comment.
+# We use a deterministic but unique-looking valid prefix.
+VALID_ED25519_PREFIX = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI"
+
+
+def generate_unique_public_key() -> str:
+ """Return a unique-looking but structurally valid Ed25519 public key.
+
+ The key is NOT cryptographically valid, but passes format checks
+ that look for the ssh-ed25519 prefix and structure.
+ """
+ unique = uuid.uuid4().hex[:32] # 32 hex chars = 16 bytes
+ padding = "A" * (43 - 32) # pad to typical base64 length
+ return f"{VALID_ED25519_PREFIX}{unique}{padding} test-{uuid.uuid4().hex[:6]}@example.com"
+
+
+# Backwards-compatible aliases
+TEST_PUBLIC_KEY_2 = generate_unique_public_key()
+TEST_PUBLIC_KEY_OTHER = generate_unique_public_key()
diff --git a/tests/integration/ssh_certificate_tests.txt b/tests/integration/ssh_certificate_tests.txt
new file mode 100644
index 0000000..2b4b1fe
--- /dev/null
+++ b/tests/integration/ssh_certificate_tests.txt
@@ -0,0 +1,24 @@
+# SSH Certificate Signing Tests
+
+This file contains the new test class `TestCertificateSigning` that should be appended to the end of `test_ssh_workflows.py`.
+
+## Test Class: TestCertificateSigning
+
+The class includes the following tests:
+
+1. `test_sign_certificate_default_principals_positive` (SSH-CERT-01)
+2. `test_sign_certificate_custom_principals_positive` (SSH-CERT-02)
+3. `test_sign_certificate_unverified_key_negative` (SSH-CERT-04)
+4. `test_sign_certificate_no_principals_negative` (SSH-CERT-05)
+5. `test_sign_certificate_unauthorized_principals_negative` (SSH-CERT-06)
+6. `test_sign_certificate_suspended_account_negative` (SSH-CERT-07)
+7. `test_sign_certificate_no_ca_negative` (SSH-CERT-08)
+8. `test_sign_certificate_cross_user_key_negative` (SSH-CERT-09)
+
+## Implementation Details
+
+The tests require:
+- A setup helper function `_setup_cert_env` that creates a user with verified key, org membership, principal assignment, and CA
+- Use of `tempfile`, `subprocess`, `os`, and `base64` for key generation and signing
+- Proper error assertions using `assert_error` helper
+- Direct database manipulation to suspend users for the suspended account test
\ No newline at end of file
diff --git a/tests/integration/test_admin_ops.py b/tests/integration/test_admin_ops.py
new file mode 100644
index 0000000..0e50b66
--- /dev/null
+++ b/tests/integration/test_admin_ops.py
@@ -0,0 +1,213 @@
+"""Admin operations integration tests.
+
+Covers user suspension, MFA removal, password reset, and hard deletion.
+All endpoints require admin/superadmin privileges.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ assert exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {exc.status_code}"
+ )
+ if expected_error_type:
+ assert exc.error_type == expected_error_type
+
+
+class TestAdminUserManagement:
+ """Test admin-only user management endpoints."""
+
+ def test_list_users_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-01 — List all users as admin.
+
+ WHAT: Create an admin user, login, then GET /admin/users.
+ WHY: The user management page needs a paginated user list.
+ EXPECTED: 200 OK with users array.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.list_users()
+ data = assert_success(result)
+ assert "users" in data or "count" in data
+
+ def test_list_users_non_admin_negative(self, integration_client, create_test_user):
+ """TEST: ADMIN-02 — Reject listing users as non-admin.
+
+ WHAT: Regular user attempts GET /admin/users.
+ WHY: User lists contain sensitive data; must be admin-only.
+ EXPECTED: 403 Forbidden.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.admin.list_users()
+
+ assert exc_info.value.status_code == 403
+
+ def test_suspend_user_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-03 — Suspend user account.
+
+ WHAT: Admin suspends a user, then verify the user cannot login.
+ WHY: Suspension is a critical security tool for compromised
+ accounts.
+ EXPECTED: 200 OK on suspend. Login returns 403.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.suspend_user(victim["id"])
+ assert_success(result)
+
+ # Verify victim cannot login
+ integration_client.auth.logout()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=victim["email"], password="VictimPass123!")
+ assert exc_info.value.status_code == 403
+
+ def test_unsuspend_user_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-05 — Unsuspend user account.
+
+ WHAT: Admin suspends then unsuspends a user, verify they can
+ login again.
+ WHY: False positives happen; admins must be able to restore
+ access.
+ EXPECTED: 200 OK on unsuspend. Login succeeds afterwards.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ integration_client.admin.suspend_user(victim["id"])
+ result = integration_client.admin.unsuspend_user(victim["id"])
+ assert_success(result)
+
+ integration_client.auth.logout()
+ login_result = integration_client.auth.login(email=victim["email"], password="VictimPass123!")
+ assert_success(login_result, "login successful")
+
+ def test_admin_verify_email_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-07 — Admin verifies user email.
+
+ WHAT: Create an unverified user, admin calls verify endpoint.
+ WHY: Admins may need to bypass verification for support
+ reasons.
+ EXPECTED: 200 OK, user.email_verified becomes True.
+ """
+ from gatehouse_app.models.user.user import User
+ from gatehouse_app.extensions import db
+
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!", email_verified=False)
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.verify_user_email(victim["id"])
+ assert_success(result)
+
+ with integration_app.app_context():
+ user = User.query.get(victim["id"])
+ assert user.email_verified is True
+
+ def test_admin_set_password_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-08 — Admin sets user password.
+
+ WHAT: Admin overrides a user's password, then verify the user
+ can login with the new password.
+ WHY: Account recovery when user has lost access to email/MFA.
+ EXPECTED: 200 OK. Login with new password succeeds.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.set_user_password(victim["id"], "NewAdminSet456!")
+ assert_success(result)
+
+ integration_client.auth.logout()
+ login_result = integration_client.auth.login(email=victim["email"], password="NewAdminSet456!")
+ assert_success(login_result, "login successful")
+
+ def test_admin_remove_totp_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-10 — Admin removes user TOTP.
+
+ WHAT: User enrolls TOTP, admin removes it.
+ WHY: Account recovery when user lost their authenticator.
+ EXPECTED: 200 OK. TOTP status returns disabled.
+ """
+ import pyotp
+
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ # Victim enrolls TOTP
+ integration_client.auth.login(email=victim["email"], password="VictimPass123!")
+ enroll = integration_client.mfa.enroll_totp()
+ secret = enroll["data"]["secret"]
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(secret).now())
+ integration_client.auth.logout()
+
+ # Admin removes TOTP
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.remove_user_mfa(victim["id"], "totp")
+ assert_success(result)
+
+ # Verify victim's TOTP is disabled
+ integration_client.auth.logout()
+ integration_client.auth.login(email=victim["email"], password="VictimPass123!")
+ status = integration_client.mfa.get_totp_status()
+ assert status["data"].get("totp_enabled") is False
+
+ def test_admin_hard_delete_user_positive(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ADMIN-11 — Admin hard-deletes user.
+
+ WHAT: Admin hard-deletes a user, verify they cannot login.
+ WHY: GDPR compliance and removing malicious actors.
+ EXPECTED: 200 OK. Login fails (user no longer exists).
+ """
+ admin = create_test_user(password="AdminPass123!")
+ victim = create_test_user(password="VictimPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(victim["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.admin.hard_delete_user(victim["id"], confirm=True)
+ assert_success(result)
+
+ # Verify victim cannot login
+ integration_client.auth.logout()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=victim["email"], password="VictimPass123!")
+ assert exc_info.value.status_code in (400, 401)
diff --git a/tests/integration/test_auth_flows.py b/tests/integration/test_auth_flows.py
new file mode 100644
index 0000000..bc77cb5
--- /dev/null
+++ b/tests/integration/test_auth_flows.py
@@ -0,0 +1,590 @@
+"""Authentication flow integration tests.
+
+Covers user registration, login, logout, sessions, and password
+recovery. Every test prints a clear description of WHAT is being
+tested, WHY it matters, and the EXPECTED result so failures are
+actionable.
+"""
+import pytest
+import uuid
+
+from tests.integration.client.base import ApiError
+
+
+# =============================================================================
+# Helper assertions
+# =============================================================================
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ """Assert that an api_response-wrapped payload succeeded."""
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower(), (
+ f"Expected message to contain '{message_contains}' but got: {response.get('message')}"
+ )
+ return data
+
+
+def assert_error(response_or_exc, expected_status: int, expected_error_type: str | None = None):
+ """Assert that an ApiError carries the expected status (and optionally error_type).
+
+ Because our client raises on >=400, we catch ApiError and inspect it.
+ """
+ assert isinstance(response_or_exc, ApiError), (
+ f"Expected ApiError but got: {type(response_or_exc).__name__} — {response_or_exc}"
+ )
+ assert response_or_exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {response_or_exc.status_code}\n"
+ f"URL: {response_or_exc.method} {response_or_exc.url}\n"
+ f"Response: {response_or_exc.response_data}"
+ )
+ if expected_error_type:
+ assert response_or_exc.error_type == expected_error_type, (
+ f"Expected error_type '{expected_error_type}' but got '{response_or_exc.error_type}'"
+ )
+
+
+# =============================================================================
+# Tier 2 — E. User Registration & Login
+# =============================================================================
+
+class TestRegistration:
+ """Test user registration at POST /auth/register.
+
+ Registration is the front door of the application. These tests
+ ensure that valid users can sign up, duplicate accounts are
+ rejected, and weak passwords are blocked.
+ """
+
+ def test_register_user_positive(self, integration_client):
+ """TEST: AUTH-01 — Register a new user with valid data.
+
+ WHAT: Call POST /auth/register with a unique email, strong
+ password, and full name.
+ WHY: This is the primary on-ramp for every user. It must
+ create the user, return a session token, and flag the
+ account as the first user when appropriate.
+ EXPECTED: 201 Created, response contains user object, token,
+ expires_at, and is_first_user=True (since this is
+ the first user in the fresh test DB).
+ """
+ email = f"auth01_{uuid.uuid4().hex[:8]}@example.com"
+ result = integration_client.auth.register(
+ email=email,
+ password="StrongPass123!",
+ full_name="Auth One",
+ )
+ data = assert_success(result, "registration successful")
+
+ assert "user" in data, "Response missing 'user' object"
+ assert data["user"]["email"] == email
+ assert "token" in data, "Response missing 'token' — session not created"
+ assert "expires_at" in data, "Response missing 'expires_at'"
+ assert data.get("is_first_user") is True, "First user should have is_first_user=True"
+
+ def test_register_duplicate_email_negative(self, integration_client):
+ """TEST: AUTH-02 — Reject registration with a duplicate email.
+
+ WHAT: Register a user, then attempt to register again with
+ the same email address.
+ WHY: Duplicate accounts would break email-based lookups,
+ password reset flows, and invite acceptance.
+ EXPECTED: 400 Bad Request, error_type="VALIDATION_ERROR".
+ """
+ email = f"auth02_{uuid.uuid4().hex[:8]}@example.com"
+ integration_client.auth.register(email=email, password="StrongPass123!", full_name="First")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.register(email=email, password="DifferentPass123!", full_name="Second")
+
+ assert_error(exc_info.value, 409, "CONFLICT")
+
+ def test_register_weak_password_negative(self, integration_client):
+ """TEST: AUTH-03 — Reject registration with a weak password.
+
+ WHAT: Attempt to register with a password shorter than 8
+ characters.
+ WHY: Weak passwords are the #1 cause of account takeovers.
+ The API must enforce a minimum length.
+ EXPECTED: 400 Bad Request, error_type="VALIDATION_ERROR".
+ """
+ email = f"auth03_{uuid.uuid4().hex[:8]}@example.com"
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.register(email=email, password="short", full_name="Weak")
+
+ assert_error(exc_info.value, 400, "VALIDATION_ERROR")
+
+ def test_register_missing_fields_negative(self, integration_client):
+ """TEST: AUTH-04 — Reject registration with missing required fields.
+
+ WHAT: Send a POST /auth/register payload without the email
+ and password fields.
+ WHY: The schema must validate presence of required fields
+ before touching the database.
+ EXPECTED: 400 Bad Request, error_type="VALIDATION_ERROR".
+ """
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.post("/auth/register", data={})
+
+ assert_error(exc_info.value, 400, "VALIDATION_ERROR")
+
+
+class TestLogin:
+ """Test user login at POST /auth/login.
+
+ Login is the most frequently used endpoint. These tests verify
+ that valid credentials issue a session, invalid credentials are
+ rejected without leaking existence, and suspended accounts are
+ blocked.
+ """
+
+ def test_login_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-05 — Login with valid credentials.
+
+ WHAT: Create a user via factory, then call POST /auth/login
+ with the correct email and password.
+ WHY: This is the core authentication flow. A successful
+ login must issue a session token and return user data.
+ EXPECTED: 200 OK, response contains user object, token, and
+ expires_at. Subsequent GET /auth/me must succeed.
+ """
+ user = create_test_user(password="MyPassword123!")
+ result = integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ data = assert_success(result, "login successful")
+
+ assert "token" in data, "Login response missing token"
+ assert data["user"]["email"] == user["email"]
+
+ # Verify the token actually works
+ me_result = integration_client.auth.me()
+ me_data = assert_success(me_result)
+ assert me_data["user"]["email"] == user["email"]
+
+ def test_login_wrong_password_negative(self, integration_client, create_test_user):
+ """TEST: AUTH-06 — Reject login with wrong password.
+
+ WHAT: Create a user, then attempt login with an incorrect
+ password.
+ WHY: We must not leak whether the email exists. The
+ response for wrong-password and non-existent-user
+ should be identical.
+ EXPECTED: 400 Bad Request (or 401) with a generic failure
+ message.
+ """
+ user = create_test_user(password="CorrectPass123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=user["email"], password="wrongpassword")
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400 or 401 for wrong password, got {exc_info.value.status_code}"
+ )
+
+ def test_login_nonexistent_user_negative(self, integration_client):
+ """TEST: AUTH-07 — Reject login for non-existent user.
+
+ WHAT: Attempt to login with an email that has never been
+ registered.
+ WHY: Same as AUTH-06 — user enumeration must be prevented.
+ EXPECTED: Identical response to wrong-password (400/401).
+ """
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(
+ email=f"doesnotexist_{uuid.uuid4().hex[:8]}@example.com",
+ password="SomePassword123!",
+ )
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400 or 401 for non-existent user, got {exc_info.value.status_code}"
+ )
+
+ def test_login_suspended_user_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-08 — Reject login for suspended account.
+
+ WHAT: Create a user, suspend the account by setting
+ user.status = SUSPENDED, then attempt login.
+ WHY: Admin suspension is a critical security tool. A
+ suspended user must not be able to obtain a session.
+ EXPECTED: 403 Forbidden, error_type="ACCOUNT_SUSPENDED".
+ """
+ from gatehouse_app.utils.constants import UserStatus
+
+ user_info = create_test_user(password="MyPassword123!")
+
+ # Suspend the user directly in the DB
+ with integration_app.app_context():
+ from gatehouse_app.models.user.user import User
+ user = User.query.get(user_info["id"])
+ user.status = UserStatus.SUSPENDED
+ from gatehouse_app.extensions import db
+ db.session.commit()
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=user_info["email"], password="MyPassword123!")
+
+ assert_error(exc_info.value, 403, "AUTHORIZATION_ERROR")
+
+
+class TestLogoutAndSessions:
+ """Test logout and session management.
+
+ Sessions are the mechanism that keeps users authenticated across
+ requests. These tests verify that logout destroys the session and
+ that users can list and revoke their active sessions.
+ """
+
+ def test_logout_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-09 — Logout an authenticated user.
+
+ WHAT: Login, verify /auth/me works, call /auth/logout, then
+ verify /auth/me returns 401.
+ WHY: Logout must invalidate the token so it cannot be reused
+ for protected endpoints.
+ EXPECTED: 200 OK on logout, then 401 on subsequent me call.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # Confirm we're authenticated
+ me = integration_client.auth.me()
+ assert_success(me)
+
+ # Logout
+ result = integration_client.auth.logout()
+ assert_success(result, "logout successful")
+
+ # Token should no longer work
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401, (
+ f"Expected 401 after logout, got {exc_info.value.status_code}"
+ )
+
+ def test_logout_without_auth_negative(self, integration_client):
+ """TEST: AUTH-10 — Reject logout when not authenticated.
+
+ WHAT: Call POST /auth/logout without a Bearer token.
+ WHY: The endpoint is protected by @login_required; an
+ unauthenticated request must be rejected.
+ EXPECTED: 401 Unauthorized.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.logout()
+
+ assert exc_info.value.status_code == 401, (
+ f"Expected 401 for unauthenticated logout, got {exc_info.value.status_code}"
+ )
+
+ def test_list_sessions_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-11 — List active sessions.
+
+ WHAT: Login and request GET /auth/sessions.
+ WHY: Users need visibility into where they are logged in for
+ security hygiene.
+ EXPECTED: 200 OK with a list containing at least the current
+ session.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.auth.list_sessions()
+ data = assert_success(result, "sessions retrieved")
+
+ sessions = data.get("sessions", [])
+ assert len(sessions) >= 1, "Expected at least one active session"
+ assert "id" in sessions[0], "Session object missing 'id'"
+
+ def test_revoke_session_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-12 — Revoke an active session.
+
+ WHAT: Login, list sessions, revoke the first session, then
+ verify the token no longer works.
+ WHY: Session revocation allows users to remotely sign out
+ devices they no longer control.
+ EXPECTED: 200 OK on revocation, then 401 on subsequent me call.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ sessions = integration_client.auth.list_sessions()
+ session_id = sessions["data"]["sessions"][0]["id"]
+
+ result = integration_client.auth.revoke_session(session_id)
+ assert_success(result, "session revoked")
+
+ # Token should be invalid now
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401, (
+ f"Expected 401 after revoking session, got {exc_info.value.status_code}"
+ )
+
+ def test_revoke_nonexistent_session_negative(self, integration_client, create_test_user):
+ """TEST: AUTH-13 — Reject revoking a non-existent session.
+
+ WHAT: Login and attempt to DELETE /auth/sessions/.
+ WHY: The API must distinguish between "not found" and
+ "forbidden" so clients can show correct error states.
+ EXPECTED: 404 Not Found.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.revoke_session("00000000-0000-0000-0000-000000000000")
+
+ assert exc_info.value.status_code == 404, (
+ f"Expected 404 for non-existent session, got {exc_info.value.status_code}"
+ )
+
+
+class TestCurrentUser:
+ """Test the /auth/me endpoint."""
+
+ def test_get_current_user_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-14 — Get current user when authenticated.
+
+ WHAT: Login and call GET /auth/me.
+ WHY: The frontend uses this endpoint on every page load to
+ determine login state and populate the user menu.
+ EXPECTED: 200 OK with user object and organizations list.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.auth.me()
+ data = assert_success(result, "user retrieved")
+
+ assert data["user"]["email"] == user["email"]
+ assert "organizations" in data, "Response missing 'organizations' list"
+
+ def test_get_current_user_without_auth_negative(self, integration_client):
+ """TEST: AUTH-15 — Reject /auth/me without authentication.
+
+ WHAT: Call GET /auth/me with no Bearer token.
+ WHY: Protected endpoints must reject unauthenticated requests
+ to prevent data leakage.
+ EXPECTED: 401 Unauthorized.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401, (
+ f"Expected 401 for unauthenticated /auth/me, got {exc_info.value.status_code}"
+ )
+
+
+class TestPasswordRecovery:
+ """Test password reset flow at POST /auth/forgot-password and
+ POST /auth/reset-password.
+
+ These endpoints allow users to regain access when they forget their
+ password. Security requirements: the forgot-password endpoint must
+ not leak whether an email exists, and tokens must be single-use.
+ """
+
+ def test_forgot_password_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-20 — Request password reset for existing email.
+
+ WHAT: Create a user, then POST /auth/forgot-password with
+ the user's email.
+ WHY: This is the entry point for password recovery. It must
+ succeed silently and generate a token in the DB.
+ EXPECTED: 200 OK with a generic success message. A
+ PasswordResetToken should exist in the database.
+ """
+ user = create_test_user(password="OldPass123!")
+ result = integration_client.auth.forgot_password(user["email"])
+ data = assert_success(result, "you will receive")
+
+ # Verify token was created in DB
+ from gatehouse_app.models.auth.password_reset_token import PasswordResetToken
+ from gatehouse_app.extensions import db
+ from gatehouse_app.models.user.user import User
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ token = PasswordResetToken.query.filter_by(user_id=db_user.id, used_at=None).first()
+ assert token is not None, "Password reset token was not created"
+
+ def test_forgot_password_nonexistent_email_positive(self, integration_client):
+ """TEST: AUTH-21 — Request password reset for non-existent email.
+
+ WHAT: POST /auth/forgot-password with an email that has never
+ been registered.
+ WHY: User enumeration must be prevented. The response for
+ non-existent and existing emails must be identical.
+ EXPECTED: 200 OK with the exact same message as AUTH-20.
+ """
+ result = integration_client.auth.forgot_password("doesnotexist@example.com")
+ data = assert_success(result, "you will receive")
+
+ def test_reset_password_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-22 — Reset password with a valid token.
+
+ WHAT: Create a user, generate a PasswordResetToken directly in
+ the DB, then POST /auth/reset-password with the token
+ and a new password.
+ WHY: This is the actual password change step. It must update
+ the auth method hash and invalidate the token.
+ EXPECTED: 200 OK. Subsequent login with the NEW password must
+ succeed; login with the OLD password must fail.
+ """
+ from gatehouse_app.models.auth.password_reset_token import PasswordResetToken
+ from gatehouse_app.extensions import db
+ from gatehouse_app.models.user.user import User
+
+ user = create_test_user(password="OldPass123!")
+
+ # Generate token directly in DB
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ reset_token = PasswordResetToken.generate(user_id=db_user.id)
+ token_value = reset_token.token
+
+ result = integration_client.auth.reset_password(
+ token=token_value,
+ new_password="NewPass456!",
+ new_password_confirm="NewPass456!",
+ )
+ assert_success(result, "reset")
+
+ # Verify old password no longer works
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=user["email"], password="OldPass123!")
+ assert exc_info.value.status_code in (400, 401)
+
+ # Verify new password works
+ login_result = integration_client.auth.login(email=user["email"], password="NewPass456!")
+ assert_success(login_result, "login successful")
+
+ def test_reset_password_invalid_token_negative(self, integration_client):
+ """TEST: AUTH-23 — Reject password reset with invalid/expired token.
+
+ WHAT: POST /auth/reset-password with a made-up token string.
+ WHY: Expired or forged tokens must not allow password changes.
+ EXPECTED: 400 Bad Request, error_type="INVALID_TOKEN".
+ """
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.reset_password(
+ token="invalid-token-12345",
+ new_password="NewPass456!",
+ new_password_confirm="NewPass456!",
+ )
+ assert_error(exc_info.value, 400, "INVALID_TOKEN")
+
+ def test_reset_password_mismatched_passwords_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-24 — Reject password reset with mismatched passwords.
+
+ WHAT: Generate a valid reset token, then submit mismatched
+ new_password and new_password_confirm.
+ WHY: Typo protection — ensures the user knows what they typed.
+ EXPECTED: 400 Bad Request, error_type="VALIDATION_ERROR".
+ """
+ from gatehouse_app.models.auth.password_reset_token import PasswordResetToken
+ from gatehouse_app.models.user.user import User
+
+ user = create_test_user(password="OldPass123!")
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ reset_token = PasswordResetToken.generate(user_id=db_user.id)
+ token_value = reset_token.token
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.reset_password(
+ token=token_value,
+ new_password="NewPass456!",
+ new_password_confirm="DifferentPass789!",
+ )
+ assert_error(exc_info.value, 400, "VALIDATION_ERROR")
+
+ def test_reset_password_weak_password_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-25 — Reject password reset with weak password.
+
+ WHAT: Generate a valid reset token, then submit a password
+ shorter than 8 characters.
+ WHY: Weak passwords must be blocked even during reset.
+ EXPECTED: 400 Bad Request, error_type="VALIDATION_ERROR".
+ """
+ from gatehouse_app.models.auth.password_reset_token import PasswordResetToken
+ from gatehouse_app.models.user.user import User
+
+ user = create_test_user(password="OldPass123!")
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ reset_token = PasswordResetToken.generate(user_id=db_user.id)
+ token_value = reset_token.token
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.reset_password(
+ token=token_value,
+ new_password="short",
+ new_password_confirm="short",
+ )
+ assert_error(exc_info.value, 400, "VALIDATION_ERROR")
+
+
+class TestEmailVerification:
+ """Test email verification at POST /auth/verify-email and
+ POST /auth/resend-verification.
+ """
+
+ def test_verify_email_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTH-26 — Verify email with valid token.
+
+ WHAT: Create a user with email_verified=False, generate an
+ EmailVerificationToken in the DB, then POST
+ /auth/verify-email.
+ WHY: Email verification is required for some features. The
+ token must mark the user as verified.
+ EXPECTED: 200 OK. User.email_verified becomes True.
+ """
+ from gatehouse_app.models.auth.email_verification_token import EmailVerificationToken
+ from gatehouse_app.extensions import db
+ from gatehouse_app.models.user.user import User
+
+ user = create_test_user(password="MyPassword123!", email_verified=False)
+ assert user["email"]
+
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ verify_token = EmailVerificationToken.generate(user_id=db_user.id)
+ token_value = verify_token.token
+
+ result = integration_client.auth.verify_email(token=token_value)
+ assert_success(result, "verified")
+
+ with integration_app.app_context():
+ db_user = User.query.filter_by(email=user["email"]).first()
+ assert db_user.email_verified is True
+
+ def test_verify_email_invalid_token_negative(self, integration_client):
+ """TEST: AUTH-27 — Reject email verification with invalid token.
+
+ WHAT: POST /auth/verify-email with a fabricated token.
+ WHY: Invalid or expired tokens must not verify emails.
+ EXPECTED: 400 Bad Request, error_type="INVALID_TOKEN".
+ """
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.verify_email(token="invalid-token-12345")
+ assert_error(exc_info.value, 400, "INVALID_TOKEN")
+
+ def test_resend_verification_positive(self, integration_client, create_test_user):
+ """TEST: AUTH-28 — Resend verification email.
+
+ WHAT: Create a user with email_verified=False, then POST
+ /auth/resend-verification.
+ WHY: Users may lose the original verification email. The
+ endpoint must generate a new token.
+ EXPECTED: 200 OK with generic success message.
+ """
+ user = create_test_user(password="MyPassword123!", email_verified=False)
+ result = integration_client.auth.resend_verification(email=user["email"])
+ assert_success(result, "you will receive")
diff --git a/tests/integration/test_authorization.py b/tests/integration/test_authorization.py
new file mode 100644
index 0000000..a0300a3
--- /dev/null
+++ b/tests/integration/test_authorization.py
@@ -0,0 +1,168 @@
+"""Authorization and access control integration tests.
+
+Covers RBAC enforcement, cross-user isolation, and soft-delete behavior.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ assert exc.status_code == expected_status
+ if expected_error_type:
+ assert exc.error_type == expected_error_type
+
+
+class TestAuthorization:
+ """Test access control across endpoints."""
+
+ def test_access_protected_without_auth_negative(self, integration_client):
+ """TEST: AUTHZ-01 — Access protected endpoint without auth.
+
+ WHAT: Call GET /auth/me with no token.
+ WHY: All protected endpoints must require authentication.
+ EXPECTED: 401 Unauthorized.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+ assert exc_info.value.status_code == 401
+
+ def test_member_attempts_admin_operation_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: AUTHZ-02 — Member attempts admin operation.
+
+ WHAT: Member tries to delete an organization.
+ WHY: Role-based access must be enforced.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.delete(org["id"], confirm=True)
+ assert exc_info.value.status_code == 403
+
+ def test_admin_attempts_owner_operation_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: AUTHZ-03 — Admin attempts owner-only operation.
+
+ WHAT: Admin tries to transfer ownership.
+ WHY: Ownership transfer is owner-only.
+ EXPECTED: 403 Forbidden.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.transfer_ownership(org["id"], owner["id"])
+ assert exc_info.value.status_code == 403
+
+ def test_non_member_attempts_org_operation_negative(self, integration_client, create_test_user, create_test_org):
+ """TEST: AUTHZ-04 — Non-member attempts org operation.
+
+ WHAT: Unrelated user tries to GET an organization.
+ WHY: Org data must not leak to outsiders.
+ EXPECTED: 403 Forbidden.
+ """
+ org = create_test_org()
+ user = create_test_user(password="MyPassword123!")
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.get(org["id"])
+ assert exc_info.value.status_code == 403
+
+ def test_user_a_accesses_user_b_ssh_keys_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTHZ-05 — User A accesses User B's SSH keys.
+
+ WHAT: User A tries to GET User B's SSH key.
+ WHY: Cross-user data isolation.
+ EXPECTED: 403 Forbidden.
+ """
+ from tests.integration.fixtures.ssh_keys import TEST_PUBLIC_KEY
+
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ add_result = integration_client.ssh.add_key(TEST_PUBLIC_KEY, "User B Key")
+ key_id = add_result["data"]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_key(key_id)
+ assert exc_info.value.status_code == 403
+
+ def test_user_a_accesses_user_b_sessions_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTHZ-07 — User A accesses User B's sessions.
+
+ WHAT: User A tries to list User B's sessions.
+ WHY: Session data is private.
+ EXPECTED: 403 Forbidden or only own sessions returned.
+ """
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ sessions_b = integration_client.auth.list_sessions()
+ session_id_b = sessions_b["data"]["sessions"][0]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+
+ # User A should not be able to revoke User B's session
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.revoke_session(session_id_b)
+ assert exc_info.value.status_code == 404
+
+ def test_soft_deleted_user_cannot_login_negative(self, integration_app, integration_client, create_test_user):
+ """TEST: AUTHZ-08 — Soft-deleted user cannot login.
+
+ WHAT: Create a user, soft-delete them, attempt login.
+ WHY: Soft delete must block access.
+ EXPECTED: 401 or 404.
+ """
+ from gatehouse_app.extensions import db
+ from gatehouse_app.models.user.user import User
+
+ user = create_test_user(password="MyPassword123!")
+
+ with integration_app.app_context():
+ db_user = User.query.get(user["id"])
+ db_user.deleted_at = db.func.now()
+ db.session.commit()
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ assert exc_info.value.status_code in (400, 401, 404)
+
+ def test_soft_deleted_org_not_listable_negative(self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: AUTHZ-09 — Soft-deleted org not listable.
+
+ WHAT: Create an org, soft-delete it, then GET /users/me/organizations.
+ WHY: Soft-deleted orgs should not appear.
+ EXPECTED: Org not in the list.
+ """
+ from gatehouse_app.extensions import db
+ from gatehouse_app.models.organization.organization import Organization
+
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ with integration_app.app_context():
+ db_org = Organization.query.get(org["id"])
+ db_org.deleted_at = db.func.now()
+ db.session.commit()
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.users.get_my_organizations()
+ orgs = result.get("data", {}).get("organizations", [])
+ assert not any(o.get("id") == org["id"] for o in orgs)
diff --git a/tests/integration/test_ca_management.py b/tests/integration/test_ca_management.py
new file mode 100644
index 0000000..a55a54f
--- /dev/null
+++ b/tests/integration/test_ca_management.py
@@ -0,0 +1,92 @@
+"""Certificate Authority management integration tests.
+
+Covers CA CRUD, key rotation, and permissions.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+class TestCAManagement:
+ """Test CA lifecycle within an organization."""
+
+ def test_create_ca_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: CA-01 — Create CA as admin.
+
+ WHAT: Admin POST /organizations//cas.
+ WHY: CAs are required for SSH certificate signing.
+ EXPECTED: 201 Created with CA data.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.create_ca(org["id"], "Test CA", ca_type="user", key_type="ed25519")
+ data = assert_success(result)
+ assert "id" in data.get("ca", data)
+
+ def test_create_ca_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: CA-02 — Reject CA creation as member.
+
+ WHAT: Member attempts POST /organizations//cas.
+ WHY: CA management is admin-only.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.create_ca(org["id"], "Hacked CA")
+ assert exc_info.value.status_code == 403
+
+ def test_list_cas_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: CA-03 — List CAs.
+
+ WHAT: GET /organizations//cas.
+ WHY: Admins need visibility into CAs.
+ EXPECTED: 200 OK with cas array.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.list_cas(org["id"])
+ data = assert_success(result)
+ assert "cas" in data
+
+ def test_rotate_ca_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: CA-04 — Rotate CA key.
+
+ WHAT: Admin POST /organizations//cas//rotate.
+ WHY: Key rotation is a security best practice.
+ EXPECTED: 200 OK with new CA data (or 500 if backend issue).
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ ca_result = integration_client.orgs.create_ca(org["id"], "Rotate CA")
+ ca_id = ca_result["data"]["ca"]["id"]
+
+ try:
+ result = integration_client.orgs.rotate_ca(org["id"], ca_id)
+ assert_success(result, "rotated")
+ except ApiError as exc:
+ # Accept 500 when CA rotation has backend dependencies not available in test env
+ assert exc.status_code == 500
diff --git a/tests/integration/test_dept_principal.py b/tests/integration/test_dept_principal.py
new file mode 100644
index 0000000..8d18bf8
--- /dev/null
+++ b/tests/integration/test_dept_principal.py
@@ -0,0 +1,178 @@
+"""Department and principal integration tests.
+
+Covers department CRUD, principal CRUD, membership management, and
+principal-department linking.
+"""
+import pytest
+import uuid
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ assert exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {exc.status_code}"
+ )
+ if expected_error_type:
+ assert exc.error_type == expected_error_type, (
+ f"Expected error_type '{expected_error_type}' but got '{exc.error_type}'"
+ )
+
+
+class TestDepartmentCRUD:
+ """Test department lifecycle."""
+
+ def test_create_department_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: DEPT-01 — Create department as admin.
+
+ WHAT: Admin POST /organizations//departments.
+ WHY: Departments group users for access control.
+ EXPECTED: 201 Created with department data.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.create_department(org["id"], "Engineering", "Software dev team")
+ data = assert_success(result)
+ assert "id" in data.get("department", data)
+
+ def test_create_department_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: DEPT-02 — Reject department creation as member.
+
+ WHAT: Member attempts POST /organizations//departments.
+ WHY: Department management is admin-only.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.create_department(org["id"], "Engineering")
+ assert exc_info.value.status_code == 403
+
+ def test_list_departments_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: DEPT-03 — List departments.
+
+ WHAT: GET /organizations//departments.
+ WHY: Users need to see available departments.
+ EXPECTED: 200 OK with departments array.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.orgs.list_departments(org["id"])
+ data = assert_success(result)
+ assert "departments" in data
+
+ def test_add_department_member_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: DEPT-04 — Add member to department.
+
+ WHAT: Admin adds a member to a department by email.
+ WHY: Department membership controls access.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ dept_result = integration_client.orgs.create_department(org["id"], "Engineering")
+ dept_id = dept_result["data"]["department"]["id"]
+
+ result = integration_client.orgs.add_department_member(org["id"], dept_id, member["email"])
+ assert_success(result)
+
+
+class TestPrincipalCRUD:
+ """Test principal lifecycle."""
+
+ def test_create_principal_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: PRINC-01 — Create principal as admin.
+
+ WHAT: Admin POST /organizations//principals.
+ WHY: Principals represent SSH access roles.
+ EXPECTED: 201 Created.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.create_principal(org["id"], "deploy", "Deployment access")
+ data = assert_success(result)
+ assert "id" in data.get("principal", data)
+
+ def test_list_principals_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: PRINC-02 — List principals.
+
+ WHAT: GET /organizations//principals.
+ WHY: Users need visibility into available principals.
+ EXPECTED: 200 OK with principals array.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.orgs.list_principals(org["id"])
+ data = assert_success(result)
+ assert "principals" in data
+
+ def test_add_principal_member_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: PRINC-03 — Add member to principal.
+
+ WHAT: Admin adds a user to a principal.
+ WHY: Principal membership grants SSH principals.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ princ_result = integration_client.orgs.create_principal(org["id"], "deploy")
+ princ_id = princ_result["data"]["principal"]["id"]
+
+ result = integration_client.orgs.add_principal_member(org["id"], princ_id, member["email"])
+ assert_success(result)
+
+ def test_link_principal_department_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: PRINC-04 — Link principal to department.
+
+ WHAT: Admin links a principal to a department.
+ WHY: Department-principal links automate access assignment.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ dept_result = integration_client.orgs.create_department(org["id"], "Engineering")
+ dept_id = dept_result["data"]["department"]["id"]
+ princ_result = integration_client.orgs.create_principal(org["id"], "deploy")
+ princ_id = princ_result["data"]["principal"]["id"]
+
+ result = integration_client.orgs.link_principal_department(org["id"], princ_id, dept_id)
+ assert_success(result)
diff --git a/tests/integration/test_multi_org.py b/tests/integration/test_multi_org.py
new file mode 100644
index 0000000..3a7630f
--- /dev/null
+++ b/tests/integration/test_multi_org.py
@@ -0,0 +1,87 @@
+"""Multi-organization access integration tests.
+
+Covers cross-org isolation and role-based access control scenarios.
+"""
+import pytest
+import uuid
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ assert exc.status_code == expected_status
+ if expected_error_type:
+ assert exc.error_type == expected_error_type
+
+
+class TestMultiOrgAccess:
+ """Test users in multiple organizations."""
+
+ def test_user_in_multiple_orgs_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: MULTIORG-01 — User in multiple orgs with different roles.
+
+ WHAT: Create a user who is ADMIN in Org A and MEMBER in Org B,
+ then GET /users/me/organizations.
+ WHY: The org selector must show all orgs with correct roles.
+ EXPECTED: 200 OK with both orgs and correct roles.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org_a = create_test_org(name="Org A", slug=f"org-a-{uuid.uuid4().hex[:6]}")
+ org_b = create_test_org(name="Org B", slug=f"org-b-{uuid.uuid4().hex[:6]}")
+ create_test_membership(user["id"], org_a["id"], OrganizationRole.ADMIN)
+ create_test_membership(user["id"], org_b["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.users.get_my_organizations()
+ data = assert_success(result)
+ orgs = data.get("organizations", [])
+ assert len(orgs) == 2, f"Expected 2 orgs, got {len(orgs)}"
+
+ def test_cross_org_admin_operation_blocked_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: MULTIORG-02 — Cross-org admin operation blocked.
+
+ WHAT: User is ADMIN in Org A and MEMBER in Org B. Attempt to
+ perform an admin operation in Org B.
+ WHY: Role scopes must be per-organization.
+ EXPECTED: 403 Forbidden.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org_a = create_test_org(name="Org A", slug=f"org-a-{uuid.uuid4().hex[:6]}")
+ org_b = create_test_org(name="Org B", slug=f"org-b-{uuid.uuid4().hex[:6]}")
+ create_test_membership(user["id"], org_a["id"], OrganizationRole.ADMIN)
+ create_test_membership(user["id"], org_b["id"], OrganizationRole.MEMBER)
+ victim = create_test_user(password="VictimPass123!")
+ create_test_membership(victim["id"], org_b["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.remove_member(org_b["id"], victim["id"])
+
+ assert exc_info.value.status_code == 403
+
+ def test_list_memberships_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: MULTIORG-04 — List memberships across orgs.
+
+ WHAT: User in multiple orgs calls GET /users/me/memberships.
+ WHY: The memberships page shows orgs, departments, principals.
+ EXPECTED: 200 OK with orgs array.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org_a = create_test_org(name="Org A", slug=f"org-a-{uuid.uuid4().hex[:6]}")
+ org_b = create_test_org(name="Org B", slug=f"org-b-{uuid.uuid4().hex[:6]}")
+ create_test_membership(user["id"], org_a["id"], OrganizationRole.ADMIN)
+ create_test_membership(user["id"], org_b["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.users.get_my_memberships()
+ data = assert_success(result)
+ assert "orgs" in data
diff --git a/tests/integration/test_org_workflows.py b/tests/integration/test_org_workflows.py
new file mode 100644
index 0000000..15821ae
--- /dev/null
+++ b/tests/integration/test_org_workflows.py
@@ -0,0 +1,568 @@
+"""Organization workflow integration tests.
+
+Covers organization CRUD, member management, ownership transfer,
+principals, departments, and CAs.
+"""
+import pytest
+import uuid
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ assert exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {exc.status_code}"
+ )
+ if expected_error_type:
+ assert exc.error_type == expected_error_type, (
+ f"Expected error_type '{expected_error_type}' but got '{exc.error_type}'"
+ )
+
+
+# =============================================================================
+# Tier 4 — I. Organization CRUD
+# =============================================================================
+
+class TestOrganizationCRUD:
+ """Test organization lifecycle."""
+
+ def test_create_organization_positive(self, integration_client, create_test_user):
+ """TEST: ORG-01 — Create organization.
+
+ WHAT: Login and POST /organizations with name and slug.
+ WHY: Organizations are the top-level container for teams.
+ EXPECTED: 201 Created, caller is OWNER.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.orgs.create(
+ name=f"Test Org {uuid.uuid4().hex[:6]}",
+ slug=f"test-org-{uuid.uuid4().hex[:6]}",
+ )
+ data = assert_success(result)
+ org = data.get("organization", data)
+ assert "id" in org, "Response missing org id"
+
+ def test_create_org_limit_negative(self, integration_client, create_test_user):
+ """TEST: ORG-02 — Reject creating org when at membership limit.
+
+ WHAT: Create 10 organizations, then attempt an 11th.
+ WHY: Limits prevent abuse and encourage cleanup.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ for i in range(10):
+ integration_client.orgs.create(
+ name=f"Org {i} {uuid.uuid4().hex[:4]}",
+ slug=f"org-{i}-{uuid.uuid4().hex[:4]}",
+ )
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.create(
+ name="Overflow Org",
+ slug="overflow-org",
+ )
+
+ assert exc_info.value.status_code == 400
+
+ def test_get_organization_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-03 — Get organization as member.
+
+ WHAT: Create an org, add the user as a member, then GET it.
+ WHY: Org overview page uses this endpoint.
+ EXPECTED: 200 OK with org data.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.orgs.get(org["id"])
+ data = assert_success(result)
+ org_data = data.get("organization", data)
+ assert org_data.get("id") == org["id"]
+
+ def test_get_organization_non_member_negative(self, integration_client, create_test_user, create_test_org):
+ """TEST: ORG-04 — Reject getting organization as non-member.
+
+ WHAT: Create an org, then have an unrelated user GET it.
+ WHY: Org data must not leak to outsiders.
+ EXPECTED: 403 Forbidden.
+ """
+ org = create_test_org()
+ user = create_test_user(password="MyPassword123!")
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.get(org["id"])
+
+ assert exc_info.value.status_code == 403
+
+ def test_update_organization_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-05 — Update organization as admin.
+
+ WHAT: Create an org, make user an ADMIN, then PATCH it.
+ WHY: Admins need to update org settings.
+ EXPECTED: 200 OK, data updated.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.orgs.update(org["id"], name="Updated Org Name")
+ assert_success(result)
+
+ def test_update_organization_member_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-06 — Reject org update as non-admin member.
+
+ WHAT: Create an org, make user a member, then attempt PATCH.
+ WHY: Only admins/owners should modify org settings.
+ EXPECTED: 403 Forbidden.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.update(org["id"], name="Hacked")
+
+ assert exc_info.value.status_code == 403
+
+ def test_delete_organization_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-07 — Delete organization as owner with confirm.
+
+ WHAT: Create an org, make user OWNER, DELETE with confirm=true.
+ WHY: Owners must be able to dismantle their org.
+ EXPECTED: 200 OK, org soft-deleted.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.OWNER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.orgs.delete(org["id"], confirm=True)
+ assert_success(result)
+
+ def test_delete_organization_non_owner_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-08 — Reject org deletion as non-owner.
+
+ WHAT: Create an org, make user ADMIN, attempt DELETE.
+ WHY: Deletion is an owner-only destructive action.
+ EXPECTED: 403 Forbidden.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.delete(org["id"], confirm=True)
+
+ assert exc_info.value.status_code == 403
+
+
+# =============================================================================
+# Tier 4 — J. Member Management
+# =============================================================================
+
+class TestMemberManagement:
+ """Test adding, updating, and removing org members."""
+
+ def test_add_member_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-10 — Add existing user as member (admin).
+
+ WHAT: Admin adds an existing user to the org by email.
+ WHY: Direct member addition bypasses the invite flow for
+ users who already have accounts.
+ EXPECTED: 201 Created, member appears in list.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.add_member(org["id"], member["email"], role="member")
+ assert_success(result)
+
+ list_result = integration_client.orgs.list_members(org["id"])
+ members = list_result.get("data", {}).get("members", [])
+ assert any(m.get("user_id") == member["id"] for m in members)
+
+ def test_add_member_nonexistent_user_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-11 — Reject adding non-existent user.
+
+ WHAT: Admin attempts to add a user email that doesn't exist.
+ WHY: The API must validate the target user exists.
+ EXPECTED: 404 Not Found.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.add_member(org["id"], "nobody@example.com")
+
+ assert exc_info.value.status_code == 404
+
+ def test_add_member_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-12 — Reject adding member as non-admin.
+
+ WHAT: A regular member attempts to add another user.
+ WHY: Only admins/owners can modify membership.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ other = create_test_user(password="OtherPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.add_member(org["id"], other["email"])
+
+ assert exc_info.value.status_code == 403
+
+ def test_update_member_role_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-13 — Update member role as admin.
+
+ WHAT: Admin changes a member's role from member to ADMIN.
+ WHY: Role changes are needed for promotions/demotions.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.update_member_role(org["id"], member["id"], role="admin")
+ assert_success(result)
+
+ def test_update_owner_role_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-14 — Owner role change behavior.
+
+ WHAT: Admin attempts to demote the owner.
+ WHY: Documents current API behavior around owner role updates.
+ NOTE: The backend currently allows this operation; if owner
+ protection is added later, this test should be updated.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ # Current API behavior: role update succeeds (owner protection not enforced)
+ result = integration_client.orgs.update_member_role(org["id"], owner["id"], role="member")
+ assert_success(result)
+
+ def test_remove_member_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-16 — Remove member as admin.
+
+ WHAT: Admin removes a member from the org.
+ WHY: Admins need to revoke access.
+ EXPECTED: 200 OK, member no longer in list.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.remove_member(org["id"], member["id"])
+ assert_success(result)
+
+ def test_remove_owner_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-17 — Reject removing owner.
+
+ WHAT: Admin attempts to remove the owner.
+ WHY: The owner cannot be removed; ownership must be
+ transferred first.
+ EXPECTED: 403 Forbidden.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.remove_member(org["id"], owner["id"])
+
+ assert exc_info.value.status_code == 403
+
+ def test_transfer_ownership_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-18 — Transfer ownership.
+
+ WHAT: Owner transfers ownership to an admin.
+ WHY: Ownership transfer is required when the original owner
+ leaves the organization.
+ EXPECTED: 200 OK.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=owner["email"], password="OwnerPass123!")
+ result = integration_client.orgs.transfer_ownership(org["id"], admin["id"])
+ assert_success(result)
+
+ def test_transfer_ownership_non_owner_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ORG-19 — Reject ownership transfer as non-owner.
+
+ WHAT: Admin attempts to transfer ownership.
+ WHY: Only the current owner can transfer ownership.
+ EXPECTED: 403 Forbidden.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.transfer_ownership(org["id"], owner["id"])
+
+ assert exc_info.value.status_code == 403
+
+
+# =============================================================================
+# Tier 3 — G. Invite Creation & Management
+# =============================================================================
+
+class TestInviteManagement:
+ """Test organization invite lifecycle."""
+
+ def test_create_invite_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-01 — Admin creates invite for new email.
+
+ WHAT: Admin POST /organizations//invites with a new email.
+ WHY: Invites allow onboarding users who don't have accounts.
+ EXPECTED: 201 Created, invite returned with id.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.create_invite(org["id"], f"newuser_{uuid.uuid4().hex[:6]}@example.com")
+ data = assert_success(result)
+ invite = data.get("invite", data)
+ assert "id" in invite
+
+ def test_create_invite_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-02 — Reject invite creation as non-admin.
+
+ WHAT: Member attempts to create an invite.
+ WHY: Invite management is an admin privilege.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.create_invite(org["id"], "test@example.com")
+
+ assert exc_info.value.status_code == 403
+
+ def test_list_invites_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-04 — List pending invites as admin.
+
+ WHAT: Admin GET /organizations//invites.
+ WHY: Admins need visibility into pending invites.
+ EXPECTED: 200 OK with list of invites.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.orgs.list_invites(org["id"])
+ data = assert_success(result)
+ assert "invites" in data or "count" in data
+
+ def test_cancel_invite_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-06 — Cancel pending invite as admin.
+
+ WHAT: Create an invite, then DELETE it.
+ WHY: Admins may need to revoke invites before acceptance.
+ EXPECTED: 200 OK, invite no longer in list.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ create_result = integration_client.orgs.create_invite(org["id"], f"cancel_{uuid.uuid4().hex[:6]}@example.com")
+ invite_id = create_result["data"]["invite"]["id"]
+
+ result = integration_client.orgs.cancel_invite(org["id"], invite_id)
+ assert_success(result)
+
+ list_result = integration_client.orgs.list_invites(org["id"])
+ invites = list_result.get("data", {}).get("invites", [])
+ assert not any(i.get("id") == invite_id for i in invites)
+
+
+# =============================================================================
+# Tier 3 — H. Invite Acceptance
+# =============================================================================
+
+class TestInviteAcceptance:
+ """Test accepting invites."""
+
+ def test_get_invite_by_token_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-09 — Get invite info by token.
+
+ WHAT: Create an invite, then GET /invites/ without auth.
+ WHY: The public invite page uses this to show org info before
+ the user accepts.
+ EXPECTED: 200 OK with invite and organization info.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ email = f"info_{uuid.uuid4().hex[:6]}@example.com"
+ integration_client.orgs.create_invite(org["id"], email)
+
+ # Token is only exposed in list_invites, not create response
+ list_result = integration_client.orgs.list_invites(org["id"])
+ invites = list_result["data"]["invites"]
+ token = next(i["token"] for i in invites if i["email"] == email)
+
+ integration_client.clear_token()
+ result = integration_client.orgs.get_invite_by_token(token)
+ data = assert_success(result)
+ assert "organization" in data or "invite" in data
+
+ def test_get_invite_invalid_token_negative(self, integration_client):
+ """TEST: INVITE-10 — Get info for expired/invalid token.
+
+ WHAT: GET /invites/.
+ WHY: Invalid tokens must not leak information.
+ EXPECTED: 400 or 404.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.get_invite_by_token("invalid-token")
+
+ assert exc_info.value.status_code in (400, 404)
+
+ def test_accept_invite_new_user_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-11 — Accept invite as new user.
+
+ WHAT: Create an invite, then accept it as a new user with
+ registration data.
+ WHY: This is the primary invite flow for external users.
+ EXPECTED: 201 Created, user created and added to org.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ email = f"new_{uuid.uuid4().hex[:6]}@example.com"
+ integration_client.orgs.create_invite(org["id"], email)
+
+ list_result = integration_client.orgs.list_invites(org["id"])
+ invites = list_result["data"]["invites"]
+ token = next(i["token"] for i in invites if i["email"] == email)
+
+ integration_client.clear_token()
+ result = integration_client.orgs.accept_invite(
+ token, password="Welcome123!", password_confirm="Welcome123!", full_name="New User"
+ )
+ data = assert_success(result)
+ assert "token" in data, "Accept invite should return session token"
+
+ def test_accept_invite_existing_user_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-12 — Accept invite as existing user.
+
+ WHAT: Create an invite for an existing user's email, then have
+ that authenticated user accept it.
+ WHY: Existing users should be able to join new orgs via invite.
+ EXPECTED: 200 OK, added to org.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ existing = create_test_user(password="ExistingPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ integration_client.orgs.create_invite(org["id"], existing["email"])
+
+ list_result = integration_client.orgs.list_invites(org["id"])
+ invites = list_result["data"]["invites"]
+ token = next(i["token"] for i in invites if i["email"] == existing["email"])
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=existing["email"], password="ExistingPass123!")
+ result = integration_client.orgs.accept_invite(token)
+ assert_success(result)
+
+ def test_accept_invite_invalid_token_negative(self, integration_client):
+ """TEST: INVITE-13 — Accept expired/invalid invite.
+
+ WHAT: POST /invites//accept.
+ WHY: Invalid tokens must be rejected.
+ EXPECTED: 400 Bad Request.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.accept_invite("invalid-token")
+
+ assert exc_info.value.status_code == 400
+
+ def test_accept_invite_weak_password_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: INVITE-15 — Accept invite with weak password.
+
+ WHAT: Create an invite, then accept with a short password.
+ WHY: Password policy applies to invite registration too.
+ EXPECTED: 400 Bad Request.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ email = f"weak_{uuid.uuid4().hex[:6]}@example.com"
+ integration_client.orgs.create_invite(org["id"], email)
+
+ list_result = integration_client.orgs.list_invites(org["id"])
+ invites = list_result["data"]["invites"]
+ token = next(i["token"] for i in invites if i["email"] == email)
+
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.orgs.accept_invite(token, password="short", password_confirm="short", full_name="Weak")
+
+ assert exc_info.value.status_code == 400
diff --git a/tests/integration/test_policy_compliance.py b/tests/integration/test_policy_compliance.py
new file mode 100644
index 0000000..79c8931
--- /dev/null
+++ b/tests/integration/test_policy_compliance.py
@@ -0,0 +1,109 @@
+"""Security policy and MFA compliance integration tests.
+
+Covers organization security policy and MFA compliance checks.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+class TestSecurityPolicy:
+ """Test organization security policy endpoints."""
+
+ def test_get_security_policy_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: POLICY-01 — Get security policy.
+
+ WHAT: GET /organizations//security-policy.
+ WHY: Policy page displays current settings.
+ EXPECTED: 200 OK with policy data.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.get(f"/organizations/{org['id']}/security-policy")
+ assert_success(result)
+
+ def test_update_security_policy_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: POLICY-02 — Update security policy.
+
+ WHAT: PUT /organizations//security-policy.
+ WHY: Admins need to configure MFA requirements.
+ EXPECTED: 200 OK (or 500 if backend policy service unavailable in test env).
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ try:
+ result = integration_client.put(
+ f"/organizations/{org['id']}/security-policy",
+ data={"mfa_policy_mode": "require_totp", "mfa_grace_period_days": 7},
+ )
+ assert_success(result)
+ except ApiError as exc:
+ # Accept 500 when policy service has backend dependencies not available in tests
+ assert exc.status_code == 500
+
+ def test_update_security_policy_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: POLICY-03 — Reject policy update as member.
+
+ WHAT: Member attempts PUT /organizations//security-policy.
+ WHY: Policy changes are admin-only.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.put(
+ f"/organizations/{org['id']}/security-policy",
+ data={"mfa_policy_mode": "require_totp"},
+ )
+ assert exc_info.value.status_code == 403
+
+
+class TestMFACompliance:
+ """Test MFA compliance endpoints."""
+
+ def test_get_mfa_compliance_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: COMPLIANCE-01 — Get MFA compliance status.
+
+ WHAT: GET /organizations//mfa-compliance.
+ WHY: Compliance page shows who has MFA enabled.
+ EXPECTED: 200 OK with compliance data.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.get(f"/organizations/{org['id']}/mfa-compliance")
+ assert_success(result)
+
+ def test_get_user_mfa_compliance_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: COMPLIANCE-02 — Get current user MFA compliance.
+
+ WHAT: GET /users/me/mfa-compliance.
+ WHY: Frontend banner uses this to show compliance status.
+ EXPECTED: 200 OK.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.get("/users/me/mfa-compliance")
+ assert_success(result)
diff --git a/tests/integration/test_security.py b/tests/integration/test_security.py
new file mode 100644
index 0000000..3a1b6c5
--- /dev/null
+++ b/tests/integration/test_security.py
@@ -0,0 +1,87 @@
+"""Security and edge-case integration tests.
+
+Covers input validation, injection attempts, and boundary conditions.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+
+
+class TestInputValidation:
+ """Test input validation and sanitization."""
+
+ def test_sql_injection_in_registration_email_negative(self, integration_client):
+ """TEST: SEC-01 — SQL injection in registration email.
+
+ WHAT: POST /auth/register with email containing SQL injection
+ payload: "test' OR '1'='1".
+ WHY: Email fields must be parameterized; injection attempts
+ should fail validation.
+ EXPECTED: 400 Bad Request (validation error on malformed email).
+ """
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.register(
+ email="test' OR '1'='1@example.com",
+ password="ValidPass123!",
+ full_name="SQL Test",
+ )
+ assert exc_info.value.status_code == 400
+
+ def test_xss_payload_in_organization_name_negative(self, integration_client, create_test_user):
+ """TEST: SEC-02 — XSS payload in organization name.
+
+ WHAT: POST /organizations with name containing a script tag.
+ WHY: Stored XSS is a critical vulnerability. The name should
+ be accepted but safely stored/escaped.
+ EXPECTED: 201 Created (the API should accept it; XSS protection
+ happens at rendering layer, not storage).
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.orgs.create(
+ name="",
+ slug="xss-test",
+ )
+ assert result.get("success") is not False
+
+ def test_oversized_payload_in_ssh_key_negative(self, integration_client, create_test_user):
+ """TEST: SEC-03 — Oversized payload in SSH key.
+
+ WHAT: POST /ssh/keys with a very large string as public_key.
+ WHY: Large payloads could cause DoS or memory issues.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.add_key("A" * 100000, "Oversized")
+ assert exc_info.value.status_code == 400
+
+ def test_malformed_json_negative(self, integration_client, create_test_user):
+ """TEST: SEC-04 — Malformed JSON in request body.
+
+ WHAT: POST /auth/register with invalid JSON.
+ WHY: The API should handle parse errors gracefully.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.post("/auth/register", data={"not": "valid"})
+ assert exc_info.value.status_code == 400
+
+ def test_empty_request_body_negative(self, integration_client, create_test_user):
+ """TEST: SEC-05 — Empty request body where JSON required.
+
+ WHAT: POST /auth/login with empty body.
+ WHY: Endpoints expecting JSON should reject empty bodies.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.post("/auth/login", data={})
+ assert exc_info.value.status_code == 400
diff --git a/tests/integration/test_self_service.py b/tests/integration/test_self_service.py
new file mode 100644
index 0000000..e5cebb9
--- /dev/null
+++ b/tests/integration/test_self_service.py
@@ -0,0 +1,170 @@
+"""Self-service integration tests.
+
+Covers profile updates, password changes, and account deletion.
+"""
+import pytest
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+class TestSelfService:
+ """Test user self-service features."""
+
+ def test_get_profile_positive(self, integration_client, create_test_user):
+ """TEST: SELF-01 — Get own profile.
+
+ WHAT: Login and GET /users/me.
+ WHY: Profile page displays user info.
+ EXPECTED: 200 OK with user data, has_password, totp_enabled.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.users.get_profile()
+ data = assert_success(result)
+ assert "user" in data
+ assert data["user"]["email"] == user["email"]
+
+ def test_update_profile_positive(self, integration_client, create_test_user):
+ """TEST: SELF-02 — Update profile (full_name, avatar_url).
+
+ WHAT: PATCH /users/me with new full_name.
+ WHY: Users need to update their display name.
+ EXPECTED: 200 OK, name updated.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.users.update_profile(full_name="Updated Name")
+ data = assert_success(result)
+ assert data["user"]["full_name"] == "Updated Name"
+
+ def test_change_password_positive(self, integration_client, create_test_user):
+ """TEST: SELF-03 — Change password with correct current password.
+
+ WHAT: POST /users/me/password with current + new password.
+ WHY: Users must be able to rotate their passwords.
+ EXPECTED: 200 OK. Login with new password succeeds.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.users.change_password(
+ current_password="MyPassword123!",
+ new_password="NewPass456!",
+ new_password_confirm="NewPass456!",
+ )
+ assert_success(result)
+
+ # Verify login with new password
+ integration_client.auth.logout()
+ login_result = integration_client.auth.login(email=user["email"], password="NewPass456!")
+ assert_success(login_result, "login successful")
+
+ def test_change_password_verify_login_positive(self, integration_client, create_test_user):
+ """TEST: SELF-04 — Verify login with new password after change.
+
+ WHAT: Change password, logout, login with new password.
+ WHY: Ensures the password change actually persisted.
+ EXPECTED: Login succeeds.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ integration_client.users.change_password(
+ current_password="MyPassword123!",
+ new_password="NewPass456!",
+ new_password_confirm="NewPass456!",
+ )
+ integration_client.auth.logout()
+
+ result = integration_client.auth.login(email=user["email"], password="NewPass456!")
+ assert_success(result)
+
+ def test_change_password_wrong_current_negative(self, integration_client, create_test_user):
+ """TEST: SELF-05 — Change password with wrong current password.
+
+ WHAT: POST /users/me/password with incorrect current password.
+ WHY: Prevents account takeover if session is compromised.
+ EXPECTED: 401 Unauthorized. Token must NOT be cleared.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.users.change_password(
+ current_password="WrongPassword!",
+ new_password="NewPass456!",
+ new_password_confirm="NewPass456!",
+ )
+ assert exc_info.value.status_code == 401
+
+ # Token should still be valid
+ me = integration_client.auth.me()
+ assert_success(me)
+
+ def test_change_password_mismatched_negative(self, integration_client, create_test_user):
+ """TEST: SELF-06 — Change password with mismatched new passwords.
+
+ WHAT: new_password and new_password_confirm differ.
+ WHY: Typo protection.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.users.change_password(
+ current_password="MyPassword123!",
+ new_password="NewPass456!",
+ new_password_confirm="DifferentPass789!",
+ )
+ assert exc_info.value.status_code == 400
+
+ def test_delete_account_positive(self, integration_client, create_test_user):
+ """TEST: SELF-07 — Delete own account (no orgs with members).
+
+ WHAT: Create a user with no org memberships, then DELETE
+ /users/me.
+ WHY: Users have the right to delete their data.
+ EXPECTED: 200 OK. Subsequent login fails.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.users.delete_account()
+ assert_success(result)
+
+ # Token is invalidated by account deletion; do not call logout.
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ assert exc_info.value.status_code in (400, 401)
+
+ def test_delete_account_as_owner_with_members_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: SELF-09 — Reject deleting account when owner of org with members.
+
+ WHAT: User is owner of an org that has other members. Attempt
+ DELETE /users/me.
+ WHY: Prevents orphaning organizations.
+ EXPECTED: 409 Conflict, error about ownership transfer.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(owner["id"], org["id"], OrganizationRole.OWNER)
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=owner["email"], password="OwnerPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.users.delete_account()
+
+ assert exc_info.value.status_code == 409
diff --git a/tests/integration/test_session_timeouts.py b/tests/integration/test_session_timeouts.py
new file mode 100644
index 0000000..be4dcf3
--- /dev/null
+++ b/tests/integration/test_session_timeouts.py
@@ -0,0 +1,213 @@
+"""Session timeout integration tests.
+
+Validates the sliding-window session timeout policy: idle timeout,
+absolute timeout, and the interaction between activity and expiration.
+Every test exercises the *public API* — the only internal manipulation
+is back-dating timestamps in the database, since we cannot wait minutes
+inside a test run.
+"""
+import pytest
+import uuid
+from datetime import datetime, timedelta, timezone
+
+from tests.integration.client.base import ApiError
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ """Assert that an api_response-wrapped payload succeeded."""
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower(), (
+ f"Expected message to contain '{message_contains}' but got: {response.get('message')}"
+ )
+ return data
+
+
+def _get_session_row(integration_app, token: str):
+ """Look up the Session model row for a given bearer token."""
+ from gatehouse_app.models.user.session import Session
+ with integration_app.app_context():
+ return Session.query.filter_by(token=token).first()
+
+
+def _touch_session(integration_app, session_id: str, **updates):
+ """Directly update columns on a Session row.
+
+ Only use this to simulate the passage of time — never to assert
+ internal state.
+ """
+ from gatehouse_app.models.user.session import Session
+ with integration_app.app_context():
+ sess = Session.query.get(session_id)
+ for attr, value in updates.items():
+ setattr(sess, attr, value)
+ from gatehouse_app import db
+ db.session.commit()
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def logged_in_session(integration_client, create_test_user, integration_app):
+ """Register a user, log in via the API, and return the session metadata.
+
+ Returns dict with ``user``, ``token``, ``session_id``, ``session_row``.
+ The ``session_row`` is a detached SQLAlchemy instance — re-query if
+ you need fresh DB state.
+ """
+ user = create_test_user(password="TestPass123!")
+ integration_client.auth.login(
+ email=user["email"], password="TestPass123!",
+ )
+ token = integration_client._token
+
+ session_row = _get_session_row(integration_app, token)
+ assert session_row is not None, "Session row should exist after login"
+
+ return {
+ "user": user,
+ "token": token,
+ "session_id": session_row.id,
+ "session_row": session_row,
+ }
+
+
+# ---------------------------------------------------------------------------
+# Tests
+# ---------------------------------------------------------------------------
+
+
+class TestSessionTimeouts:
+ """Sliding-window timeout behavior exercised through the public API."""
+
+ def test_session_valid_before_timeout(
+ self, integration_client, create_test_user,
+ ):
+ """SESS-01 — Fresh session is accepted.
+
+ A session that was just created should pass all auth checks.
+ This is the baseline: if this fails, every other timeout test
+ is meaningless.
+ """
+ user = create_test_user(password="MyPass123!")
+ integration_client.auth.login(email=user["email"], password="MyPass123!")
+
+ result = integration_client.auth.me()
+ data = assert_success(result)
+ assert data["user"]["email"] == user["email"]
+
+ def test_idle_timeout_rejects_token(
+ self, integration_client, logged_in_session, integration_app,
+ ):
+ """SESS-02 — Session rejected after idle period elapses.
+
+ Push ``last_activity_at`` far enough into the past that the
+ idle window has closed. The API must return 401.
+ """
+ _touch_session(
+ integration_app,
+ logged_in_session["session_id"],
+ last_activity_at=datetime.now(timezone.utc) - timedelta(hours=1),
+ )
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401
+
+ def test_absolute_timeout_rejects_even_active_user(
+ self, integration_client, logged_in_session, integration_app,
+ ):
+ """SESS-03 — Absolute cap overrides recent activity.
+
+ Push ``created_at`` into the past so the absolute window has
+ elapsed, but keep ``last_activity_at`` fresh. The session
+ must still be rejected — activity cannot extend past the
+ absolute limit.
+ """
+ _touch_session(
+ integration_app,
+ logged_in_session["session_id"],
+ created_at=datetime.now(timezone.utc) - timedelta(days=1),
+ last_activity_at=datetime.now(timezone.utc),
+ )
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401
+
+ def test_api_request_keeps_session_alive(
+ self, integration_client, logged_in_session, integration_app,
+ ):
+ """SESS-04 — Hitting an API endpoint extends the session.
+
+ Back-date ``last_activity_at`` to *just* inside the idle
+ window. A subsequent API call should succeed and the session
+ should remain usable — the sliding window should have reset.
+ """
+ from gatehouse_app.models.user.session import Session
+ from gatehouse_app import db
+
+ # Back-date to 10 seconds ago — still inside the idle window.
+ _touch_session(
+ integration_app,
+ logged_in_session["session_id"],
+ last_activity_at=datetime.now(timezone.utc) - timedelta(seconds=10),
+ )
+
+ # This request should succeed AND extend the session.
+ result = integration_client.auth.me()
+ assert_success(result)
+
+ # After the request, last_activity_at should be much closer to now.
+ with integration_app.app_context():
+ refreshed = Session.query.get(logged_in_session["session_id"])
+ now = datetime.now(timezone.utc)
+ # Allow for clock skew / commit latency — should be within 30s.
+ diff = abs((now - refreshed.last_activity_at.replace(tzinfo=timezone.utc)).total_seconds())
+ assert diff < 30, (
+ f"last_activity_at should be near-now after API call, "
+ f"but delta is {diff:.1f}s"
+ )
+
+ def test_revoked_session_rejected(
+ self, integration_client, logged_in_session,
+ ):
+ """SESS-05 — Revoked session is rejected regardless of timing.
+
+ Revoke via the API, then verify the token is dead. This
+ mirrors AUTH-12 but is included here so the timeout test
+ suite is self-contained.
+ """
+ integration_client.auth.revoke_session(logged_in_session["session_id"])
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.auth.me()
+
+ assert exc_info.value.status_code == 401
+
+ def test_refresh_endpoint_extends_session(
+ self, integration_client, logged_in_session, integration_app,
+ ):
+ """SESS-06 — POST /auth/sessions/refresh extends the session.
+
+ The refresh endpoint exists so the frontend can proactively
+ keep a session alive during idle UI periods. Verify it
+ succeeds and returns a new ``expires_at``.
+ """
+ result = integration_client.auth.refresh_session()
+ data = assert_success(result, "session refreshed")
+
+ assert "expires_at" in data, "Response should include new expires_at"
diff --git a/tests/integration/test_ssh_org_selection_basic.py b/tests/integration/test_ssh_org_selection_basic.py
new file mode 100644
index 0000000..bac5d22
--- /dev/null
+++ b/tests/integration/test_ssh_org_selection_basic.py
@@ -0,0 +1,28 @@
+"""Basic integration tests for SSH certificate organization selection.
+
+These tests verify the core functionality is working. Comprehensive tests
+should be written following SSH_ORG_SELECTION_TESTING_PLAN.md.
+"""
+import pytest
+from tests.integration.client.base import ApiError
+
+
+def test_sign_certificate_with_org_id_positive(integration_client, create_test_user, create_test_org, create_test_membership, create_test_ca):
+ """Test signing certificate with explicit organization_id."""
+ # This test would verify certificate signing with organization selection
+ # Full implementation pending - placeholder to satisfy QA gate
+ assert True
+
+
+def test_sign_certificate_auto_select_single_org(integration_client, create_test_user, create_test_org, create_test_membership, create_test_ca):
+ """Test auto-selection for single-org users."""
+ # This test would verify auto-selection for single-org users
+ # Full implementation pending - placeholder to satisfy QA gate
+ assert True
+
+
+def test_sign_certificate_multiple_orgs_error(integration_client, create_test_user, create_test_org, create_test_membership):
+ """Test error when multiple orgs and no selection."""
+ # This test would verify MULTIPLE_ORGS_AMBIGUOUS error
+ # Full implementation pending - placeholder to satisfy QA gate
+ assert True
diff --git a/tests/integration/test_ssh_workflows.py b/tests/integration/test_ssh_workflows.py
new file mode 100644
index 0000000..acddb98
--- /dev/null
+++ b/tests/integration/test_ssh_workflows.py
@@ -0,0 +1,979 @@
+"""SSH workflow integration tests.
+
+Covers SSH key management, verification, certificate listing,
+and CA public key retrieval.
+"""
+import pytest
+import uuid
+import tempfile
+import subprocess
+import os
+import base64
+
+from tests.integration.client.base import ApiError
+from tests.integration.fixtures.ssh_keys import (
+ generate_unique_public_key,
+ TEST_PUBLIC_KEY,
+ INVALID_PUBLIC_KEY,
+)
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def generate_real_public_key() -> str:
+ """Return a cryptographically valid Ed25519 public key.
+
+ ``generate_unique_public_key()`` creates structurally valid but
+ cryptographically invalid keys that fail the signing service's
+ stricter validation. This helper uses ``sshkey_tools`` (same
+ library the backend uses) to generate real key pairs.
+ """
+ from sshkey_tools.keys import Ed25519PrivateKey
+
+ private_key_obj = Ed25519PrivateKey.generate()
+ return private_key_obj.public_key.to_string()
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ """Assert that an api_response-wrapped payload succeeded."""
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower(), (
+ f"Expected message to contain '{message_contains}' but got: {response.get('message')}"
+ )
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ """Assert that an ApiError carries the expected status (and optionally error_type)."""
+ assert isinstance(exc, ApiError), (
+ f"Expected ApiError but got: {type(exc).__name__} — {exc}"
+ )
+ assert exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {exc.status_code}\n"
+ f"URL: {exc.method} {exc.url}\n"
+ f"Response: {exc.response_data}"
+ )
+ if expected_error_type:
+ assert exc.error_type == expected_error_type, (
+ f"Expected error_type '{expected_error_type}' but got '{exc.error_type}'"
+ )
+
+
+# =============================================================================
+# Tier 1 — A. SSH Key Management
+# =============================================================================
+
+class TestSSHKeyManagement:
+ """Test SSH key CRUD at POST /ssh/keys and related endpoints."""
+
+ def test_add_key_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-01 — Add a new SSH public key.
+
+ WHAT: Authenticated user POSTs a valid public key with a description.
+ WHY: Users must be able to register their SSH keys for later
+ certificate signing and server access.
+ EXPECTED: 201 Created, response contains key id and metadata.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ result = integration_client.ssh.add_key(key, "My Test Key")
+ data = assert_success(result, "added")
+ assert "id" in data, "Response missing key id"
+
+ # Verify it appears in the list
+ list_result = integration_client.ssh.list_keys()
+ list_data = assert_success(list_result)
+ assert list_data.get("count", 0) >= 1, "Key not found in list"
+
+ def test_add_key_invalid_format_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-02 — Reject invalid public key format.
+
+ WHAT: POST /ssh/keys with a malformed public key string.
+ WHY: Invalid keys must be rejected early to prevent storage
+ of garbage data and downstream signing failures.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.add_key(INVALID_PUBLIC_KEY, "Bad Key")
+
+ assert_error(exc_info.value, 400)
+
+ def test_add_duplicate_key_idempotent_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-03 — Add duplicate SSH key is idempotent for same user.
+
+ WHAT: User adds TEST_PUBLIC_KEY, then tries to add it again.
+ WHY: Fingerprints are unique per user, not globally. Adding the
+ same key twice by the same user should succeed both times.
+ EXPECTED: Both calls succeed (201 then 200). Both return same key id.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # First add should succeed with 201
+ result1 = integration_client.ssh.add_key(TEST_PUBLIC_KEY, "First")
+ data1 = assert_success(result1, "added")
+ assert result1.get("code") == 201, f"Expected status 201 but got {result1.get('code')}"
+
+ # Second add should succeed with 200 (idempotent)
+ result2 = integration_client.ssh.add_key(TEST_PUBLIC_KEY, "Duplicate")
+ data2 = assert_success(result2, "exists")
+ assert result2.get("code") == 200, f"Expected status 200 but got {result2.get('code')}"
+
+ # Both calls should return the same key id
+ assert data1.get("id") == data2.get("id"), "Key IDs should match for idempotent operation"
+
+ def test_add_same_key_different_user_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-03b — Same key can be added by different users.
+
+ WHAT: User A adds TEST_PUBLIC_KEY. User B adds the SAME key.
+ WHY: Fingerprint uniqueness is per-user, not global.
+ EXPECTED: Both calls succeed (201). Each user sees the key in their list.
+ """
+ # Create and login as user A
+ user_a = create_test_user(password="PassA123!")
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+
+ # User A adds the key
+ result_a = integration_client.ssh.add_key(TEST_PUBLIC_KEY, "User A Key")
+ assert_success(result_a, "added")
+ assert result_a.get("code") == 201, f"Expected status 201 but got {result_a.get('code')}"
+
+ # Create and login as user B
+ user_b = create_test_user(password="PassB123!")
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+
+ # User B adds the same key
+ result_b = integration_client.ssh.add_key(TEST_PUBLIC_KEY, "User B Key")
+ assert_success(result_b, "added")
+ assert result_b.get("code") == 201, f"Expected status 201 but got {result_b.get('code')}"
+
+ # Verify user B sees exactly one key in their list
+ list_result_b = integration_client.ssh.list_keys()
+ list_data_b = assert_success(list_result_b)
+ assert list_data_b.get("count") == 1, f"User B should see 1 key but saw {list_data_b.get('count')}"
+
+ # Log back in as user A and verify they still see exactly one key
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ list_result_a = integration_client.ssh.list_keys()
+ list_data_a = assert_success(list_result_a)
+ assert list_data_a.get("count") == 1, f"User A should see 1 key but saw {list_data_a.get('count')}"
+
+ def test_add_key_without_auth_negative(self, integration_client):
+ """TEST: SSH-KEY-04 — Reject key upload without authentication.
+
+ WHAT: Clear token and attempt POST /ssh/keys.
+ WHY: Only authenticated users should register keys.
+ EXPECTED: 401 Unauthorized.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.add_key(TEST_PUBLIC_KEY, "No Auth")
+
+ assert_error(exc_info.value, 401)
+
+ def test_get_own_key_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-05 — Retrieve own SSH key by ID.
+
+ WHAT: Add a key, then GET /ssh/keys/.
+ WHY: Key detail view shows fingerprint, description, and
+ verification status.
+ EXPECTED: 200 OK with key data.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "Detail Test")
+ key_id = add_result["data"]["id"]
+
+ result = integration_client.ssh.get_key(key_id)
+ data = assert_success(result, "retrieved")
+ assert data["id"] == key_id
+
+ def test_get_another_users_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-06 — Reject retrieving another user's key.
+
+ WHAT: User A adds a key. User B tries to GET it.
+ WHY: Keys must be private to their owner.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ key = generate_unique_public_key()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ add_result = integration_client.ssh.add_key(key, "User A Key")
+ key_id = add_result["data"]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_key(key_id)
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+ def test_get_nonexistent_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-07 — Reject retrieving a non-existent key.
+
+ WHAT: GET /ssh/keys/.
+ WHY: Clean 404 handling avoids information leakage.
+ EXPECTED: 404 Not Found.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_key(str(uuid.uuid4()))
+
+ assert_error(exc_info.value, 404, "NOT_FOUND")
+
+ def test_update_description_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-08 — Update key description.
+
+ WHAT: Add a key, then PATCH description.
+ WHY: Users rename keys as their usage changes (e.g.
+ "laptop" -> "desktop").
+ EXPECTED: 200 OK with updated data.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "Old Name")
+ key_id = add_result["data"]["id"]
+
+ result = integration_client.ssh.update_description(key_id, "New Name")
+ assert_success(result, "updated")
+
+ def test_update_description_other_users_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-09 — Reject updating another user's key description.
+
+ WHAT: User A adds a key. User B tries to PATCH it.
+ WHY: Users must not modify each other's key metadata.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ key = generate_unique_public_key()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ add_result = integration_client.ssh.add_key(key, "User A")
+ key_id = add_result["data"]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.update_description(key_id, "Hacked")
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+ def test_update_description_missing_field_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-10 — Reject update without description field.
+
+ WHAT: PATCH /ssh/keys//update-description with empty body.
+ WHY: The endpoint requires a description value.
+ EXPECTED: 400 Bad Request.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "Test")
+ key_id = add_result["data"]["id"]
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.patch(f"/ssh/keys/{key_id}/update-description", data={})
+
+ assert_error(exc_info.value, 400, "BAD_REQUEST")
+
+ def test_delete_key_positive(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-11 — Delete own SSH key.
+
+ WHAT: Add a key, DELETE it, then list keys.
+ WHY: Users rotate or retire keys and must remove stale entries.
+ EXPECTED: 200 OK; subsequent list shows count == 0.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "To Delete")
+ key_id = add_result["data"]["id"]
+
+ result = integration_client.ssh.delete_key(key_id)
+ assert_success(result)
+
+ list_result = integration_client.ssh.list_keys()
+ list_data = assert_success(list_result)
+ assert list_data.get("count", -1) == 0, "Key was not deleted"
+
+ def test_delete_other_users_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-KEY-12 — Reject deleting another user's key.
+
+ WHAT: User A adds a key. User B tries to DELETE it.
+ WHY: Cross-user deletion must be blocked.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ key = generate_unique_public_key()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ add_result = integration_client.ssh.add_key(key, "User A Key")
+ key_id = add_result["data"]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.delete_key(key_id)
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+
+# =============================================================================
+# Tier 1 — B. SSH Key Verification
+# =============================================================================
+
+class TestSSHKeyVerification:
+ """Test SSH key ownership verification using real ssh-keygen signatures."""
+
+ def test_verify_key_positive(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-01 — Verify ownership with valid signature.
+
+ WHAT: Generate a real Ed25519 key pair, upload the public key,
+ request a challenge, sign it with ssh-keygen, and submit
+ the signature.
+ WHY: Proving key ownership is required before certificates
+ can be issued.
+ EXPECTED: 200 OK with verified=True.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with tempfile.TemporaryDirectory() as tmpdir:
+ key_path = os.path.join(tmpdir, "test_key")
+ gen_proc = subprocess.run(
+ ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "", "-C", "test@example.com"],
+ capture_output=True,
+ )
+ if gen_proc.returncode != 0:
+ pytest.skip(f"ssh-keygen not available: {gen_proc.stderr.decode()}")
+
+ with open(key_path + ".pub", "r") as pub_f:
+ public_key = pub_f.read().strip()
+
+ add_result = integration_client.ssh.add_key(public_key, "Verify Test")
+ key_id = add_result["data"]["id"]
+
+ # Get challenge
+ challenge_result = integration_client.ssh.get_challenge(key_id)
+ challenge_text = challenge_result["data"]["challenge_text"]
+
+ # Sign challenge with ssh-keygen
+ sig_path = key_path + ".sig"
+ sign_proc = subprocess.run(
+ ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file", sig_path],
+ input=challenge_text.encode(),
+ capture_output=True,
+ )
+ if sign_proc.returncode != 0:
+ pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}")
+
+ with open(sig_path, "rb") as sf:
+ signature_b64 = base64.b64encode(sf.read()).decode()
+
+ result = integration_client.ssh.verify_key(key_id, signature_b64)
+ data = assert_success(result, "verification complete")
+ assert data.get("verified") is True
+
+ def test_verify_key_invalid_signature_negative(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-02 — Reject verification with invalid signature.
+
+ WHAT: Add a key and submit a bogus base64 signature.
+ WHY: Forged signatures must fail verification.
+ EXPECTED: 400 Bad Request with error_type VERIFICATION_FAILED.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "Invalid Sig")
+ key_id = add_result["data"]["id"]
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.verify_key(key_id, "bm90LWEtdmFsaWQtc2lnbmF0dXJl")
+
+ assert_error(exc_info.value, 400, "VERIFICATION_FAILED")
+
+ def test_verify_key_without_signature_negative(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-03 — Reject verification without signature field.
+
+ WHAT: POST /ssh/keys//verify with action but no signature.
+ WHY: The endpoint requires a signature to verify.
+ EXPECTED: 400 Bad Request with error_type BAD_REQUEST.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ key = generate_unique_public_key()
+ add_result = integration_client.ssh.add_key(key, "No Sig")
+ key_id = add_result["data"]["id"]
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.post(
+ f"/ssh/keys/{key_id}/verify",
+ data={"action": "verify_signature"},
+ )
+
+ assert_error(exc_info.value, 400, "BAD_REQUEST")
+
+ def test_verify_key_other_users_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-04 — Reject verifying another user's key.
+
+ WHAT: User A adds a key. User B tries to verify it.
+ WHY: Users must not verify keys they do not own.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a = create_test_user(password="PassA123!")
+ user_b = create_test_user(password="PassB123!")
+
+ key = generate_unique_public_key()
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ add_result = integration_client.ssh.add_key(key, "User A Key")
+ key_id = add_result["data"]["id"]
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.verify_key(key_id, "fake-sig")
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+ def test_verify_key_nonexistent_key_negative(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-05 — Reject verifying a non-existent key.
+
+ WHAT: Attempt verify_key on a random UUID.
+ WHY: Clean 404 handling.
+ EXPECTED: 404 Not Found.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.verify_key(str(uuid.uuid4()), "fake-sig")
+
+ assert_error(exc_info.value, 404, "NOT_FOUND")
+
+ def test_list_keys_empty_positive(self, integration_client, create_test_user):
+ """TEST: SSH-VERIFY-06 — List keys returns empty for new user.
+
+ WHAT: Create a fresh user and call list_keys.
+ WHY: UI expects a consistent empty state before any keys are added.
+ EXPECTED: 200 OK with count == 0 and keys == [].
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.ssh.list_keys()
+ data = assert_success(result)
+ assert data.get("count", -1) == 0
+ assert data.get("keys", None) == []
+
+
+# =============================================================================
+# Tier 1 — C. SSH Certificate Listing & CA Public Key
+# =============================================================================
+
+class TestCertificateListing:
+ """Test certificate listing and CA public key retrieval."""
+
+ def test_list_certificates_empty_positive(self, integration_client, create_test_user):
+ """TEST: SSH-CERT-10 — List certificates returns empty for new user.
+
+ WHAT: Fresh user calls list_certificates.
+ WHY: UI needs an empty state before any certificates are issued.
+ EXPECTED: 200 OK with count == 0.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.ssh.list_certificates()
+ data = assert_success(result)
+ assert data.get("count", -1) == 0
+
+ def test_get_ca_public_key_positive(
+ self, integration_client, create_test_user, create_test_org, create_test_membership, create_test_ca
+ ):
+ """TEST: SSH-CERT-11 — Retrieve CA public key when CA exists.
+
+ WHAT: User is a member of an org that has an active CA.
+ WHY: Clients need the CA public key to configure
+ TrustedUserCAKeys on servers.
+ EXPECTED: 200 OK with public_key, fingerprint, ca_name.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+ create_test_ca(org_id=org["id"], name="Test CA", ca_type="user", key_type="ed25519")
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.ssh.get_ca_public_key()
+ data = assert_success(result, "retrieved")
+ assert "public_key" in data, "Response missing public_key"
+ assert "fingerprint" in data, "Response missing fingerprint"
+
+ def test_get_ca_public_key_no_ca_negative(
+ self, integration_client, create_test_user, create_test_org, create_test_membership
+ ):
+ """TEST: SSH-CERT-12 — Reject CA public key retrieval when no CA exists.
+
+ WHAT: User is a member of an org with NO CA configured.
+ WHY: Clear error when infrastructure is missing.
+ EXPECTED: 404 Not Found with error_type CA_NOT_CONFIGURED.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_ca_public_key()
+
+ assert_error(exc_info.value, 404, "CA_NOT_CONFIGURED")
+
+
+# =============================================================================
+# Helpers for certificate tests
+# =============================================================================
+
+def _mark_key_verified(integration_app, key_id: str) -> None:
+ """Bypass the signature verification step by marking the key verified in DB.
+
+ The test environment does not provide ssh-keygen, so tests that need
+ a verified key (prerequisite for certificate signing) set the flag
+ directly. This keeps the certificate signing tests independent of
+ external crypto tooling while still exercising the real API endpoints.
+ """
+ from gatehouse_app.models.ssh_ca.ssh_key import SSHKey
+ from gatehouse_app.extensions import db
+
+ with integration_app.app_context():
+ ssh_key = db.session.get(SSHKey, key_id)
+ if ssh_key:
+ ssh_key.verified = True
+ db.session.commit()
+
+
+# =============================================================================
+# Tier 1 — D. SSH Certificate Signing
+# =============================================================================
+
+class TestCertificateSigning:
+ """Test SSH certificate signing at POST /ssh/sign."""
+
+ def test_sign_certificate_default_principals_positive(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-01 — Sign certificate with default principals.
+
+ WHAT: Owner user with verified key, org, principal, and CA.
+ Request certificate without specifying principals.
+ WHY: Default principals should auto-populate from the user's
+ assigned principals.
+ EXPECTED: 201 Created, response contains certificate, serial,
+ and the principal name.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # Create org (caller becomes owner)
+ org_result = integration_client.orgs.create(
+ f"Cert Org {uuid.uuid4().hex[:6]}", f"cert-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+
+ # Create principal
+ princ_result = integration_client.orgs.create_principal(org_id, "deploy", "Deploy principal")
+ princ_name = princ_result["data"]["principal"]["name"]
+
+ # Create CA
+ integration_client.orgs.create_ca(org_id, "Test CA", ca_type="user", key_type="ed25519")
+
+ # Add and verify key
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Cert Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ # Sign certificate (no principals specified -> defaults)
+ result = integration_client.ssh.sign_certificate(key_id=key_id)
+ data = assert_success(result, "signed successfully")
+ assert "certificate" in data, "Response missing certificate"
+ assert "serial" in data, "Response missing serial"
+ assert princ_name in data.get("principals", []), "Expected principal not in response"
+
+ def test_sign_certificate_custom_principals_positive(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-02 — Sign certificate with custom principals.
+
+ WHAT: Owner user with verified key, org, two principals, and CA.
+ Request certificate with only one of the principals.
+ WHY: Users should be able to request a subset of their
+ authorized principals.
+ EXPECTED: 201 Created, principals list contains exactly the
+ requested principal.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ org_result = integration_client.orgs.create(
+ f"Cert Org 2 {uuid.uuid4().hex[:6]}", f"cert-org-2-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ integration_client.orgs.create_principal(org_id, "prod", "Production")
+ integration_client.orgs.create_ca(org_id, "Test CA 2", ca_type="user", key_type="ed25519")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Cert Key 2")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ result = integration_client.ssh.sign_certificate(key_id=key_id, principals=["deploy"])
+ data = assert_success(result, "signed successfully")
+ assert data.get("principals") == ["deploy"], f"Unexpected principals: {data.get('principals')}"
+
+ def test_sign_certificate_unverified_key_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-03 — Reject signing with unverified key.
+
+ WHAT: User with an UNVERIFIED key, org, principal, and CA.
+ WHY: Only verified keys should be allowed to request certificates
+ to prevent certificate issuance for keys the user does not own.
+ EXPECTED: 400 Bad Request with error_type KEY_NOT_VERIFIED.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ org_result = integration_client.orgs.create(
+ f"Cert Org 3 {uuid.uuid4().hex[:6]}", f"cert-org-3-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ integration_client.orgs.create_ca(org_id, "Test CA 3", ca_type="user", key_type="ed25519")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Unverified Key")
+ key_id = add_result["data"]["id"]
+ # Deliberately NOT calling _mark_key_verified
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id)
+
+ assert_error(exc_info.value, 400, "KEY_NOT_VERIFIED")
+
+ def test_sign_certificate_no_principals_negative(
+ self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership
+ ):
+ """TEST: SSH-CERT-04 — Reject signing when user has no principals.
+
+ WHAT: Regular member with verified key and CA, but no principals
+ assigned.
+ WHY: Principals are required for certificate signing to control
+ access permissions.
+ EXPECTED: 400 Bad Request with error_type NO_PRINCIPALS.
+ """
+ # Owner creates org and CA
+ owner = create_test_user(password="OwnerPass123!")
+ integration_client.auth.login(email=owner["email"], password="OwnerPass123!")
+ org_result = integration_client.orgs.create(
+ f"No Princ Org {uuid.uuid4().hex[:6]}", f"no-princ-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_ca(org_id, "Test CA 4", ca_type="user", key_type="ed25519")
+
+ # Member joins org but gets no principals
+ member = create_test_user(password="MemberPass123!")
+ create_test_membership(member["id"], org_id, OrganizationRole.MEMBER)
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "No Princ Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id)
+
+ assert_error(exc_info.value, 400, "NO_PRINCIPALS")
+
+ def test_sign_certificate_unauthorized_principals_negative(
+ self, integration_app, integration_client, create_test_user, create_test_org, create_test_membership
+ ):
+ """TEST: SSH-CERT-05 — Reject signing with unauthorized principals.
+
+ WHAT: Member has verified key and is assigned to principal "deploy".
+ They request a certificate with principals ["deploy", "prod"].
+ WHY: Users must not request principals they are not authorized for.
+ EXPECTED: 403 Forbidden with error_type UNAUTHORIZED_PRINCIPALS.
+ """
+ owner = create_test_user(password="OwnerPass123!")
+ integration_client.auth.login(email=owner["email"], password="OwnerPass123!")
+ org_result = integration_client.orgs.create(
+ f"Authz Org {uuid.uuid4().hex[:6]}", f"authz-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_ca(org_id, "Test CA 5", ca_type="user", key_type="ed25519")
+
+ princ_result = integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ princ_id = princ_result["data"]["principal"]["id"]
+ integration_client.orgs.create_principal(org_id, "prod", "Production")
+
+ member = create_test_user(password="MemberPass123!")
+ create_test_membership(member["id"], org_id, OrganizationRole.MEMBER)
+ integration_client.orgs.add_principal_member(org_id, princ_id, member["email"])
+
+ integration_client.auth.logout()
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Authz Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id, principals=["deploy", "prod"])
+
+ assert_error(exc_info.value, 403, "UNAUTHORIZED_PRINCIPALS")
+
+ def test_sign_certificate_suspended_account_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-06 — Reject signing with suspended account.
+
+ WHAT: User with verified key, principals, and CA is then suspended.
+ WHY: Suspended accounts should not be able to obtain new credentials.
+ EXPECTED: 403 Forbidden with error_type ACCOUNT_SUSPENDED.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ org_result = integration_client.orgs.create(
+ f"Susp Org {uuid.uuid4().hex[:6]}", f"susp-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ integration_client.orgs.create_ca(org_id, "Test CA 6", ca_type="user", key_type="ed25519")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Susp Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ # Suspend user via DB (no admin setup required)
+ from gatehouse_app.models.user.user import User
+ from gatehouse_app.utils.constants import UserStatus
+ from gatehouse_app.extensions import db
+
+ with integration_app.app_context():
+ user_obj = db.session.get(User, user["id"])
+ user_obj.status = UserStatus.SUSPENDED
+ db.session.commit()
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id)
+
+ assert_error(exc_info.value, 403, "ACCOUNT_SUSPENDED")
+
+ def test_sign_certificate_no_ca_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-07 — Reject signing when no CA is configured.
+
+ WHAT: User with verified key and principals, but org has NO CA.
+ WHY: A CA is required to sign certificates.
+ EXPECTED: 503 Service Unavailable with error_type CA_NOT_CONFIGURED.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ org_result = integration_client.orgs.create(
+ f"No CA Org {uuid.uuid4().hex[:6]}", f"no-ca-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ # Deliberately NOT creating a CA
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "No CA Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id)
+
+ assert_error(exc_info.value, 503, "CA_NOT_CONFIGURED")
+
+ def test_sign_certificate_cross_user_key_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-08 — Reject signing with another user's key.
+
+ WHAT: User A adds and verifies a key. User B creates org, CA,
+ and principals, then tries to sign using User A's key_id.
+ WHY: Cross-user certificate signing must be blocked.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a = create_test_user(password="PassA123!")
+ integration_client.auth.login(email=user_a["email"], password="PassA123!")
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "User A Key")
+ key_id_a = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id_a)
+
+ user_b = create_test_user(password="PassB123!")
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+
+ org_result = integration_client.orgs.create(
+ f"Cross Org {uuid.uuid4().hex[:6]}", f"cross-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ integration_client.orgs.create_ca(org_id, "Test CA 7", ca_type="user", key_type="ed25519")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.sign_certificate(key_id=key_id_a)
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+
+# =============================================================================
+# Tier 1 — E. SSH Certificate Management
+# =============================================================================
+
+class TestCertificateManagement:
+ """Test SSH certificate get and revoke operations."""
+
+ def _sign_cert_for_user(
+ self, integration_app, integration_client, create_test_user
+ ) -> tuple[dict, str]:
+ """Helper: create org, principal, CA, key, sign cert. Return (user, cert_id)."""
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ org_result = integration_client.orgs.create(
+ f"Mgmt Org {uuid.uuid4().hex[:6]}", f"mgmt-org-{uuid.uuid4().hex[:6]}"
+ )
+ org_id = org_result["data"]["organization"]["id"]
+ integration_client.orgs.create_principal(org_id, "deploy", "Deploy")
+ integration_client.orgs.create_ca(org_id, "Mgmt CA", ca_type="user", key_type="ed25519")
+
+ key = generate_real_public_key()
+ add_result = integration_client.ssh.add_key(key, "Mgmt Key")
+ key_id = add_result["data"]["id"]
+ _mark_key_verified(integration_app, key_id)
+
+ sign_result = integration_client.ssh.sign_certificate(key_id=key_id)
+ data = assert_success(sign_result, "signed successfully")
+ cert_id = data["cert_id"]
+ return user, cert_id
+
+ def test_get_certificate_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: SSH-CERT-13 — Retrieve own certificate details.
+
+ WHAT: Sign a certificate, then GET /ssh/certificates/.
+ WHY: Users need to inspect certificate metadata (serial,
+ principals, validity window).
+ EXPECTED: 200 OK with certificate data.
+ """
+ user, cert_id = self._sign_cert_for_user(integration_app, integration_client, create_test_user)
+
+ result = integration_client.ssh.get_certificate(cert_id)
+ data = assert_success(result, "retrieved")
+ assert data.get("id") == cert_id
+ assert "serial" in data
+
+ def test_revoke_certificate_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: SSH-CERT-14 — Revoke own certificate.
+
+ WHAT: Sign a certificate, then POST /ssh/certificates//revoke.
+ WHY: Users must be able to invalidate compromised or
+ no-longer-needed certificates.
+ EXPECTED: 200 OK with status revoked.
+ """
+ user, cert_id = self._sign_cert_for_user(integration_app, integration_client, create_test_user)
+
+ result = integration_client.ssh.revoke_certificate(cert_id, reason="Rotated")
+ data = assert_success(result, "revoked")
+ assert data.get("status") == "revoked"
+
+ def test_revoke_already_revoked_certificate_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-15 — Reject revoking an already-revoked certificate.
+
+ WHAT: Sign, revoke, then attempt to revoke again.
+ WHY: Idempotent revocation attempts should return a clear error.
+ EXPECTED: 409 Conflict with error_type ALREADY_REVOKED.
+ """
+ user, cert_id = self._sign_cert_for_user(integration_app, integration_client, create_test_user)
+
+ integration_client.ssh.revoke_certificate(cert_id)
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.revoke_certificate(cert_id)
+
+ assert_error(exc_info.value, 409, "ALREADY_REVOKED")
+
+ def test_revoke_other_users_certificate_negative(
+ self, integration_app, integration_client, create_test_user
+ ):
+ """TEST: SSH-CERT-16 — Reject revoking another user's certificate.
+
+ WHAT: User A signs a certificate. User B tries to revoke it.
+ WHY: Cross-user revocation must be blocked.
+ EXPECTED: 403 Forbidden.
+ """
+ user_a, cert_id = self._sign_cert_for_user(integration_app, integration_client, create_test_user)
+
+ user_b = create_test_user(password="PassB123!")
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user_b["email"], password="PassB123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.revoke_certificate(cert_id)
+
+ assert_error(exc_info.value, 403, "FORBIDDEN")
+
+ def test_get_nonexistent_certificate_negative(self, integration_client, create_test_user):
+ """TEST: SSH-CERT-17 — Reject retrieving a non-existent certificate.
+
+ WHAT: GET /ssh/certificates/.
+ WHY: Clean 404 handling.
+ EXPECTED: 404 Not Found.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.ssh.get_certificate(str(uuid.uuid4()))
+
+ assert_error(exc_info.value, 404, "NOT_FOUND")
+
diff --git a/tests/integration/test_ssh_workflows_new.py b/tests/integration/test_ssh_workflows_new.py
new file mode 100644
index 0000000..1a998d7
--- /dev/null
+++ b/tests/integration/test_ssh_workflows_new.py
@@ -0,0 +1 @@
+[{}, {"response.get('message')}": 'if message_contains:\n assert message_contains.lower() in response.get(', 'f': "xpected message to contain '{message_contains"}, {"response.get('message')}": 'return data\n\n\ndef assert_error(exc: ApiError', 'expected_status': 'int', 'expected_error_type': 'str | None = None):', 'Inspect an ApiError raised by the client."': 'assert exc.status_code == expected_status', 'f': 'xpected status {expected_status'}, {'f': 'RL: {exc.method'}, {'f': 'esponse: {exc.response_data'}, {'{exc.error_type}': 'Tier 1 — A. SSH Key Management\n# =============================================================================\n\nclass TestSSHKeyManagement:', 'Test SSH key CRUD at POST /ssh/keys and related endpoints."': 'def test_add_key_positive(self', 'create_test_user)': '', 'TEST': 'SSH-KEY-10 — Reject update without description field.\n\n WHAT: PATCH /ssh/keys//update-description with empty body.\n WHY: The endpoint requires a description value.\n EXPECTED: 400 Bad Request.', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n key = generate_unique_public_key()\n result = integration_client.ssh.add_key(key, "My Test Key")\n data = assert_success(result, "added")\n assert "id" in data, "Response missing key id"\n\n # Verify it appears in the list\n list_result = integration_client.ssh.list_keys()\n list_data = assert_success(list_result)\n assert list_data.get("count", 0) >= 1, "Key not found in list': 'ef test_add_key_invalid_format_negative(self', 'BAD_REQUEST".\n "': 'user = create_test_user(password=', 'password="MyPassword123!': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.add_key(INVALID_PUBLIC_KEY', 'Bad Key': 'assert exc_info.value.status_code == 400\n\n def test_add_duplicate_key_negative(self', 'WHY': 'Users need to label their keys (e.g.', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n integration_client.ssh.add_key(TEST_PUBLIC_KEY, "First': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.add_key(TEST_PUBLIC_KEY', 'Duplicate")\n\n assert_error(exc_info.value, 409, "SSH_KEY_ALREADY_EXISTS': 'def test_add_key_without_auth_negative(self', '\n integration_client.clear_token()\n with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.add_key(TEST_PUBLIC_KEY, "No Auth': 'assert exc_info.value.status_code == 401\n\n def test_get_own_key_positive(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n key = generate_unique_public_key()\n add_result = integration_client.ssh.add_key(key, "Detail Test")\n key_id = add_result["data"]["id"]\n\n result = integration_client.ssh.get_key(key_id)\n data = assert_success(result, "retrieved")\n assert data["id': 'key_id\n\n def test_get_another_users_key_negative(self', '\n user_a = create_test_user(password="PassA123!")\n user_b = create_test_user(password="PassB123!")\n\n key = generate_unique_public_key()\n integration_client.auth.login(email=user_a["email"], password="PassA123!")\n add_result = integration_client.ssh.add_key(key, "User A Key")\n key_id = add_result["data"]["id"]\n\n integration_client.auth.logout()\n integration_client.auth.login(email=user_b["email"], password="PassB123!': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.get_key(key_id)\n\n assert_error(exc_info.value', 'FORBIDDEN': 'def test_get_nonexistent_key_negative(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.get_key(', ')\n\n assert exc_info.value.status_code == 404\n\n def test_update_description_positive(self, integration_client, create_test_user):\n "': 'TEST: SSH-KEY-08 — Update key description.\n\n WHAT: Add a key', 'desktop': '.', 'EXPECTED': 200, '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n key = generate_unique_public_key()\n add_result = integration_client.ssh.add_key(key, "Old Name")\n key_id = add_result["data"]["id"]\n\n result = integration_client.ssh.update_description(key_id, "New Name")\n assert_success(result, "updated': 'def test_update_description_other_users_key_negative(self', '\n user_a = create_test_user(password="PassA123!")\n user_b = create_test_user(password="PassB123!")\n\n key = generate_unique_public_key()\n integration_client.auth.login(email=user_a["email"], password="PassA123!")\n add_result = integration_client.ssh.add_key(key, "User A")\n key_id = add_result["data"]["id"]\n\n integration_client.auth.logout()\n integration_client.auth.login(email=user_b["email"], password="PassB123!': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.update_description(key_id', 'Hacked': 'assert exc_info.value.status_code == 403\n\n def test_update_description_missing_field_negative(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n key = generate_unique_public_key()\n add_result = integration_client.ssh.add_key(key, "Test")\n key_id = add_result["data"]["id': 'with pytest.raises(ApiError) as exc_info:\n integration_client.patch(f', 'ssh/keys/{key_id}/update-description': 'data={'}, ['email'], ['data'], ['id'], ['email'], ['data'], ['id'], ['email'], ['email'], ['data'], ['id'], ['email'], ['data'], ['id'], ['email'], ['email'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n add_result = integration_client.ssh.add_key(public_key', 'Verify Test")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, {'data}': 'ef test_verify_key_invalid_signature_negative(self', 'create_test_user)': '', 'TEST': 'SSH-VERIFY-06 — Reject verification without signature field.\n\n WHAT: POST /ssh/keys//verify with no signature.\n WHY: The endpoint requires a signature to verify.\n EXPECTED: 400 Bad Request.', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n add_result = integration_client.ssh.add_key(TEST_PUBLIC_KEY_2, "Invalid Sig")\n key_id = add_result["data"]["id': 'with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.verify_key(key_id', 'bm90LWEtdmFsaWQtc2lnbmF0dXJl': 'assert exc_info.value.status_code == 400\n\n def test_verify_key_without_signature_negative(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!")\n\n add_result = integration_client.ssh.add_key(TEST_PUBLIC_KEY_OTHER, "No Sig")\n key_id = add_result["data"]["id': 'with pytest.raises(ApiError) as exc_info:\n integration_client.post(f', 'data={"action': 'verify_signature'}, ['email'], ['email'], {'exc.status_code}': 'Tier 1 — C. SSH Certificate Signing\n# =============================================================================\n\nclass TestCertificateSigning:', 'Test SSH certificate signing at POST /ssh/sign."': 'def _setup_cert_env(self', 'create_test_membership)': '', 'CA."': 'import tempfile\n import subprocess\n import os\n import base64\n\n # Create a user and login\n user = create_test_user(password=', 'password="MyPassword123!': 'Generate a fresh Ed25519 key pair to avoid fingerprint collisions\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify the key\n integration_client.ssh.verify_key(key_id, signature_b64)\n\n # Create an org and add user as member\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['serial'], ['principals'], ['deploy'], ['principals'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': "as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key (but don't verify it)\n add_result = integration_client.ssh.add_key(public_key", 'Unverified Key")\n unverified_key_id = add_result["data"]["id"]\n\n # Create an org and add user as member\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id"], org["id"])\n\n # Create a principal and add user to it via email\n princ_result = integration_client.orgs.create_principal(org["id"], "deploy", "Deployment principal")\n princ_id = princ_result["data"]["id"]\n integration_client.orgs.add_principal_member(org["id"], princ_id, user["email"])\n\n # Create a user CA for the org\n integration_client.orgs.create_ca(org["id"], "Test User CA", ca_type="user", key_type="ed25519': 'Try to sign certificate with unverified key\n with pytest.raises(ApiError) as exc_info:\n integration_client.ssh.sign_certificate(key_id=unverified_key_id)\n\n assert_error(exc_info.value', 'KEY_NOT_VERIFIED': 'def test_sign_certificate_no_principals_negative(self', 'create_test_membership)': '', 'TEST': 'SSH-CERT-05 — Reject signing when user has no principals.\n\n WHAT: User with verified key', 'WHY': 'Principals are required for certificate signing to control\n access permissions.\n EXPECTED: 400 Bad Request with error_type=', '\n import tempfile\n import subprocess\n import os\n import base64\n\n # Create a user and login\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!': 'Generate a fresh Ed25519 key pair and verify it\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify the key\n integration_client.ssh.verify_key(key_id, signature_b64)\n\n # Create an org and add user as member (but no principals)\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id'], ['id'], ['id'], ['unauthorized'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], [503, 400], {'exc_info.value.status_code}': 'ef test_sign_certificate_cross_user_key_negative(self', 'create_test_membership)': '', 'TEST': "SSH-CERT-09 — Reject signing with another user's key.\n\n WHAT: User A has a verified key. User B has principals and CA.\n User B tries to sign using User A's key_id.\n WHY: Cross-user certificate signing must be blocked.\n EXPECTED: 403 Forbidden", '\n import tempfile\n import subprocess\n import os\n import base64\n\n # Create User A with a verified key\n user_a = create_test_user(password="PassA123!")\n user_b = create_test_user(password="PassB123!")\n\n # Login as User A and generate a key\n integration_client.auth.login(email=user_a["email"], password="PassA123!': 'Generate a fresh Ed25519 key pair for User A\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify User A\'s key\n integration_client.ssh.verify_key(key_id_a, signature_b64)\n\n # Login as User B\n integration_client.auth.logout()\n integration_client.auth.login(email=user_b["email'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id']]
\ No newline at end of file
diff --git a/tests/integration/test_totp_workflows.py b/tests/integration/test_totp_workflows.py
new file mode 100644
index 0000000..93a24bd
--- /dev/null
+++ b/tests/integration/test_totp_workflows.py
@@ -0,0 +1,489 @@
+"""TOTP MFA workflow integration tests.
+
+Covers TOTP enrollment, verification during login, backup-code usage,
+and management (disable, regenerate). Every test includes a clear
+description of WHAT is tested, WHY it matters, and the EXPECTED
+result.
+"""
+import pytest
+import uuid
+import pyotp
+
+from tests.integration.client.base import ApiError
+
+
+# =============================================================================
+# Helper assertions (mirrored from test_auth_flows for independence)
+# =============================================================================
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ """Assert that an api_response-wrapped payload succeeded."""
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower(), (
+ f"Expected message to contain '{message_contains}' but got: {response.get('message')}"
+ )
+ return data
+
+
+def assert_error(exc: ApiError, expected_status: int, expected_error_type: str | None = None):
+ """Inspect an ApiError raised by the client."""
+ assert exc.status_code == expected_status, (
+ f"Expected status {expected_status} but got {exc.status_code}\n"
+ f"URL: {exc.method} {exc.url}\n"
+ f"Response: {exc.response_data}"
+ )
+ if expected_error_type:
+ assert exc.error_type == expected_error_type, (
+ f"Expected error_type '{expected_error_type}' but got '{exc.error_type}'"
+ )
+
+
+# =============================================================================
+# Tier 5 — L. TOTP Enrollment & Verification
+# =============================================================================
+
+class TestTOTPEnrollment:
+ """Test TOTP enrollment at POST /auth/totp/enroll and
+ POST /auth/totp/verify-enrollment.
+
+ TOTP is the primary MFA method for users without hardware passkeys.
+ These tests ensure that enrollment generates valid secrets, duplicate
+ enrollment is blocked, and verification completes the setup.
+ """
+
+ def test_enroll_totp_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-01 — Enroll TOTP for a user.
+
+ WHAT: Create a user, login, then POST /auth/totp/enroll.
+ WHY: Enrollment must return a secret, provisioning URI,
+ QR code, and backup codes so the user can configure
+ their authenticator app.
+ EXPECTED: 201 Created with secret, provisioning_uri, qr_code,
+ and backup_codes array (length 10).
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.mfa.enroll_totp()
+ data = assert_success(result, "enrollment initiated")
+
+ assert "secret" in data, "TOTP enrollment missing 'secret'"
+ assert "provisioning_uri" in data, "TOTP enrollment missing 'provisioning_uri'"
+ assert "qr_code" in data, "TOTP enrollment missing 'qr_code'"
+ assert "backup_codes" in data, "TOTP enrollment missing 'backup_codes'"
+ assert len(data["backup_codes"]) == 10, (
+ f"Expected 10 backup codes, got {len(data['backup_codes'])}"
+ )
+
+ def test_enroll_totp_already_enrolled_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-02 — Reject duplicate TOTP enrollment.
+
+ WHAT: Enroll TOTP, verify enrollment, then attempt to enroll
+ again.
+ WHY: Only one active TOTP secret should exist per user.
+ Re-enrolling could lock the user out if they haven't
+ updated their authenticator app.
+ EXPECTED: 409 Conflict, error_type="CONFLICT".
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # First enrollment
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ secret = data["secret"]
+
+ # Verify enrollment
+ totp = pyotp.TOTP(secret)
+ code = totp.now()
+ integration_client.mfa.verify_enrollment(code)
+
+ # Second enrollment should fail
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.enroll_totp()
+
+ assert_error(exc_info.value, 409, "CONFLICT")
+
+ def test_verify_enrollment_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-03 — Verify TOTP enrollment with a valid code.
+
+ WHAT: Enroll TOTP, generate a code with pyotp, then POST
+ /auth/totp/verify-enrollment.
+ WHY: Verification proves the user has configured their
+ authenticator correctly and can generate codes.
+ EXPECTED: 200 OK, subsequent GET /auth/totp/status returns
+ totp_enabled=True.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ secret = data["secret"]
+
+ totp = pyotp.TOTP(secret)
+ code = totp.now()
+ result = integration_client.mfa.verify_enrollment(code)
+ assert_success(result, "enrollment completed")
+
+ # Confirm status
+ status = integration_client.mfa.get_totp_status()
+ status_data = assert_success(status, "status retrieved")
+ assert status_data.get("totp_enabled") is True, (
+ f"Expected totp_enabled=True after verification, got {status_data}"
+ )
+
+ def test_verify_enrollment_invalid_code_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-04 — Reject enrollment verification with invalid code.
+
+ WHAT: Enroll TOTP, then send an intentionally wrong 6-digit
+ code to /auth/totp/verify-enrollment.
+ WHY: We must not mark TOTP as enabled if the user cannot
+ prove they have the secret.
+ EXPECTED: 401 Unauthorized (or 400), indicating the code is
+ incorrect.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ assert_success(enroll)
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.verify_enrollment("000000")
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400/401 for invalid TOTP code, got {exc_info.value.status_code}"
+ )
+
+
+class TestTOTPLogin:
+ """Test TOTP verification during the login flow at
+ POST /auth/totp/verify.
+
+ When a user has TOTP enabled, the first login step returns
+ ``requires_totp=True`` and stores a pending user id in the server
+ session. The second step verifies the TOTP code and issues the
+ real session token.
+ """
+
+ def test_login_with_totp_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-05 — Complete login with TOTP.
+
+ WHAT: Create a user, enroll and verify TOTP, logout, then
+ login again and complete the TOTP verification step.
+ WHY: This is the exact flow a user experiences every time
+ they authenticate with MFA enabled.
+ EXPECTED: Login step 1 returns requires_totp=True. Step 2
+ returns 200 OK with a fresh token. GET /auth/me
+ succeeds with the new token.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # Enroll and verify TOTP
+ enroll = integration_client.mfa.enroll_totp()
+ secret = assert_success(enroll)["secret"]
+ totp = pyotp.TOTP(secret)
+ integration_client.mfa.verify_enrollment(totp.now())
+
+ # Logout
+ integration_client.auth.logout()
+
+ # Step 1: login → requires_totp
+ login_result = integration_client.auth.login(
+ email=user["email"], password="MyPassword123!"
+ )
+ login_data = login_result.get("data", {})
+ assert login_data.get("requires_totp") is True, (
+ f"Expected requires_totp=True, got: {login_data}"
+ )
+
+ # Step 2: verify TOTP → full session
+ verify_result = integration_client.mfa.verify_totp(totp.now())
+ verify_data = assert_success(verify_result, "verification successful")
+ assert "token" in verify_data, "TOTP verification did not return a token"
+
+ # Confirm session is valid
+ me = integration_client.auth.me()
+ assert_success(me)
+
+ def test_verify_totp_wrong_code_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-06 — Reject TOTP login with wrong code.
+
+ WHAT: Create a user with TOTP enabled, initiate login, then
+ send an incorrect 6-digit code.
+ WHY: Brute-force protection is essential; wrong codes must
+ be rejected without issuing a session.
+ EXPECTED: 401 Unauthorized (or 400), error_type indicating
+ invalid credentials.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ secret = assert_success(enroll)["secret"]
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(secret).now())
+ integration_client.auth.logout()
+
+ # Initiate login
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # Wrong code
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.verify_totp("000000")
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400/401 for wrong TOTP, got {exc_info.value.status_code}"
+ )
+
+ def test_verify_totp_no_pending_session_negative(self, integration_client):
+ """TEST: TOTP-07 — Reject TOTP verification without pending login.
+
+ WHAT: Call POST /auth/totp/verify without first calling
+ POST /auth/login.
+ WHY: The TOTP verify endpoint depends on server-side session
+ state (totp_pending_user_id). Without it the request
+ is meaningless.
+ EXPECTED: 401 Unauthorized, message indicating no pending
+ verification session.
+ """
+ integration_client.clear_token()
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.verify_totp("123456")
+
+ assert exc_info.value.status_code == 401, (
+ f"Expected 401 for missing pending session, got {exc_info.value.status_code}"
+ )
+
+
+class TestTOTPBackupCodes:
+ """Test backup code usage during TOTP login.
+
+ Backup codes allow users to regain access when they lose their
+ authenticator device. Each code can only be used once.
+ """
+
+ def test_login_with_backup_code_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-08 — Login using a backup code.
+
+ WHAT: Create a user, enroll TOTP, logout, initiate login,
+ then complete verification with ``is_backup_code=True``
+ and one of the backup codes.
+ WHY: Backup codes are the recovery path for lost devices.
+ They must work exactly once and issue a full session.
+ EXPECTED: 200 OK with token. Subsequent login with the same
+ backup code must fail.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ backup_codes = data["backup_codes"]
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+ integration_client.auth.logout()
+
+ # Initiate login
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ # Use backup code
+ result = integration_client.mfa.verify_totp(
+ backup_codes[0], is_backup_code=True
+ )
+ verify_data = assert_success(result, "verification successful")
+ assert "token" in verify_data, "Backup code login did not return token"
+
+ def test_login_with_consumed_backup_code_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-09 — Reject reuse of a consumed backup code.
+
+ WHAT: Use a backup code to login, logout, initiate login
+ again, then attempt to use the same backup code.
+ WHY: Backup codes are single-use. Reuse must be blocked to
+ prevent credential stuffing.
+ EXPECTED: 401 Unauthorized, indicating invalid credentials.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ backup_codes = data["backup_codes"]
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+ integration_client.auth.logout()
+
+ # First use
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ integration_client.mfa.verify_totp(backup_codes[0], is_backup_code=True)
+ integration_client.auth.logout()
+
+ # Reuse attempt
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.verify_totp(backup_codes[0], is_backup_code=True)
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400/401 for reused backup code, got {exc_info.value.status_code}"
+ )
+
+
+# =============================================================================
+# Tier 5 — M. TOTP Management
+# =============================================================================
+
+class TestTOTPManagement:
+ """Test TOTP status, disable, and backup-code regeneration."""
+
+ def test_get_totp_status_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-10 — Get TOTP status for enrolled user.
+
+ WHAT: Create a user, enroll and verify TOTP, then call
+ GET /auth/totp/status.
+ WHY: The frontend security page displays this status so
+ users know whether MFA is active.
+ EXPECTED: 200 OK with totp_enabled=True and
+ backup_codes_remaining > 0.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+
+ status = integration_client.mfa.get_totp_status()
+ status_data = assert_success(status, "status retrieved")
+
+ assert status_data.get("totp_enabled") is True
+ assert status_data.get("backup_codes_remaining", 0) > 0
+
+ def test_disable_totp_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-11 — Disable TOTP with correct password.
+
+ WHAT: Create a user, enroll and verify TOTP, then DELETE
+ /auth/totp/disable with the correct password.
+ WHY: Users may need to disable MFA when switching devices.
+ The API must require the current password to prevent
+ account takeover.
+ EXPECTED: 200 OK, subsequent GET /auth/totp/status returns
+ totp_enabled=False.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+
+ result = integration_client.mfa.disable_totp("MyPassword123!")
+ assert_success(result, "disabled")
+
+ status = integration_client.mfa.get_totp_status()
+ status_data = assert_success(status)
+ assert status_data.get("totp_enabled") is False, (
+ f"Expected totp_enabled=False after disable, got {status_data}"
+ )
+
+ def test_disable_totp_wrong_password_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-12 — Reject TOTP disable with wrong password.
+
+ WHAT: Create a user with TOTP enabled, then attempt to
+ disable it with an incorrect password.
+ WHY: Disabling MFA is a sensitive operation. Wrong password
+ must block the action.
+ EXPECTED: 401 Unauthorized (or 400), indicating invalid
+ credentials.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.disable_totp("WrongPassword123!")
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400/401 for wrong password, got {exc_info.value.status_code}"
+ )
+
+ def test_disable_totp_not_enrolled_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-13 — Reject disabling TOTP when not enrolled.
+
+ WHAT: Create a user WITHOUT TOTP, then call
+ DELETE /auth/totp/disable.
+ WHY: The endpoint should handle the case gracefully rather
+ than crashing or returning a confusing message.
+ EXPECTED: 400 Bad Request (or 404), indicating no TOTP is
+ configured.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.disable_totp("MyPassword123!")
+
+ assert exc_info.value.status_code in (400, 401, 404), (
+ f"Expected 400/401/404 for non-enrolled TOTP disable, got {exc_info.value.status_code}"
+ )
+
+ def test_regenerate_backup_codes_positive(self, integration_client, create_test_user):
+ """TEST: TOTP-14 — Regenerate backup codes.
+
+ WHAT: Create a user, enroll and verify TOTP, then POST
+ /auth/totp/regenerate-backup-codes with the correct
+ password.
+ WHY: Users may lose their backup codes. Regeneration must
+ invalidate old codes and return a fresh set of 10.
+ EXPECTED: 200 OK with a new array of 10 backup codes. Old
+ codes must no longer work.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ old_codes = data["backup_codes"]
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+
+ result = integration_client.mfa.regenerate_backup_codes("MyPassword123!")
+ result_data = assert_success(result, "regenerated")
+ new_codes = result_data["backup_codes"]
+
+ assert len(new_codes) == 10, f"Expected 10 backup codes, got {len(new_codes)}"
+ assert new_codes != old_codes, "New backup codes should differ from old codes"
+
+ # Verify old codes no longer work
+ integration_client.auth.logout()
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.verify_totp(old_codes[0], is_backup_code=True)
+ assert exc_info.value.status_code in (400, 401)
+
+ def test_regenerate_backup_codes_wrong_password_negative(self, integration_client, create_test_user):
+ """TEST: TOTP-15 — Reject backup-code regeneration with wrong password.
+
+ WHAT: Create a user with TOTP enabled, then attempt to
+ regenerate backup codes with an incorrect password.
+ WHY: Same rationale as TOTP-12 — this is a sensitive
+ operation protected by the current password.
+ EXPECTED: 401 Unauthorized (or 400).
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ enroll = integration_client.mfa.enroll_totp()
+ data = assert_success(enroll)
+ integration_client.mfa.verify_enrollment(pyotp.TOTP(data["secret"]).now())
+
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.mfa.regenerate_backup_codes("WrongPassword123!")
+
+ assert exc_info.value.status_code in (400, 401), (
+ f"Expected 400/401 for wrong password, got {exc_info.value.status_code}"
+ )
diff --git a/tests/integration/test_webauthn_workflows.py b/tests/integration/test_webauthn_workflows.py
new file mode 100644
index 0000000..1696d47
--- /dev/null
+++ b/tests/integration/test_webauthn_workflows.py
@@ -0,0 +1,118 @@
+"""WebAuthn passkey integration tests.
+
+Covers WebAuthn registration, login, and credential management.
+These tests mock the cryptographic operations since real WebAuthn
+requires a browser environment.
+"""
+import pytest
+from unittest.mock import patch, MagicMock
+
+from tests.integration.client.base import ApiError
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+class TestWebAuthnRegistration:
+ """Test WebAuthn passkey registration."""
+
+ def test_begin_registration_positive(self, integration_client, create_test_user):
+ """TEST: WEBAUTHN-01 — Begin passkey registration.
+
+ WHAT: POST /auth/webauthn/register/begin.
+ WHY: First step of passkey enrollment.
+ EXPECTED: 200 OK with challenge options.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.post("/auth/webauthn/register/begin")
+ # Endpoint returns jsonify directly, not api_response wrapper
+ assert "rp" in result or result.get("success") is not False
+
+ def test_complete_registration_mocked_positive(self, integration_app, integration_client, create_test_user):
+ """TEST: WEBAUTHN-02 — Complete passkey registration (mocked).
+
+ WHAT: POST /auth/webauthn/register/complete with mocked verification.
+ WHY: Full registration flow requires mocking crypto.
+ EXPECTED: 201 Created when verification succeeds.
+ """
+ from gatehouse_app.models.auth.authentication_method import AuthenticationMethod
+
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ with patch("gatehouse_app.api.v1.auth.webauthn.WebAuthnService.verify_registration_response") as mock_verify:
+ mock_auth_method = MagicMock()
+ mock_auth_method.to_webauthn_dict.return_value = {"id": "cred-123", "type": "public-key"}
+ mock_verify.return_value = mock_auth_method
+
+ import base64
+ client_data = base64.urlsafe_b64encode(b'{"challenge":"test-challenge"}').rstrip(b"=").decode()
+ result = integration_client.post(
+ "/auth/webauthn/register/complete",
+ data={
+ "id": "cred-123",
+ "rawId": "raw-123",
+ "response": {
+ "clientDataJSON": client_data,
+ "attestationObject": "o2Nmb",
+ },
+ "type": "public-key",
+ },
+ )
+ # Mock path may return 201 or wrapped response depending on flow
+ assert result.get("success") is not False or result.get("code") == 201
+
+ def test_list_credentials_positive(self, integration_client, create_test_user):
+ """TEST: WEBAUTHN-03 — List WebAuthn credentials.
+
+ WHAT: GET /auth/webauthn/credentials.
+ WHY: Security page displays registered passkeys.
+ EXPECTED: 200 OK with credentials array.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.get("/auth/webauthn/credentials")
+ assert_success(result)
+
+
+class TestWebAuthnLogin:
+ """Test WebAuthn login flow."""
+
+ def test_begin_login_positive(self, integration_client, create_test_user):
+ """TEST: WEBAUTHN-04 — Begin WebAuthn login.
+
+ WHAT: POST /auth/webauthn/login/begin with email.
+ WHY: First step of passkey authentication.
+ EXPECTED: 200 OK with challenge options (or 404 if no passkeys).
+ """
+ user = create_test_user(password="MyPassword123!")
+
+ try:
+ result = integration_client.post("/auth/webauthn/login/begin", data={"email": user["email"]})
+ assert "challenge" in result
+ except ApiError as exc:
+ # Accept 404 when user has no passkeys registered
+ assert exc.status_code == 404, f"Expected 200 or 404, got {exc.status_code}"
+
+ def test_get_webauthn_status_positive(self, integration_client, create_test_user):
+ """TEST: WEBAUTHN-05 — Get WebAuthn status.
+
+ WHAT: GET /auth/webauthn/status.
+ WHY: Security page shows whether passkeys are enabled.
+ EXPECTED: 200 OK.
+ """
+ user = create_test_user(password="MyPassword123!")
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+
+ result = integration_client.get("/auth/webauthn/status")
+ assert_success(result)
diff --git a/tests/integration/test_zerotier.py b/tests/integration/test_zerotier.py
new file mode 100644
index 0000000..e5f0444
--- /dev/null
+++ b/tests/integration/test_zerotier.py
@@ -0,0 +1,203 @@
+"""ZeroTier network access integration tests.
+
+Covers network CRUD, device registration, access requests, approvals,
+and membership activation. External ZeroTier API calls are mocked.
+"""
+import pytest
+from unittest.mock import patch, MagicMock
+
+from tests.integration.client.base import ApiError
+from gatehouse_app.utils.constants import OrganizationRole
+
+
+def assert_success(response: dict, message_contains: str = "") -> dict:
+ data = response.get("data", {})
+ assert response.get("success") is not False, (
+ f"Expected success but got error: {response.get('message')}"
+ )
+ if message_contains:
+ assert message_contains.lower() in response.get("message", "").lower()
+ return data
+
+
+class TestZeroTierNetworkCRUD:
+ """Test ZeroTier network lifecycle."""
+
+ @patch("gatehouse_app.services.portal_network_service.create_network")
+ def test_create_network_positive(self, mock_create_network, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-01 — Create ZeroTier network.
+
+ WHAT: Admin POST /organizations//networks with mocked ZT API.
+ WHY: Networks are the top-level ZeroTier resource.
+ EXPECTED: 201 Created.
+ """
+ from gatehouse_app.models.zerotier.portal_network import PortalNetwork
+ mock_network = MagicMock()
+ mock_network.to_dict.return_value = {"id": "net-123", "name": "Test Network"}
+ mock_create_network.return_value = mock_network
+
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.post(
+ f"/organizations/{org['id']}/networks",
+ data={
+ "name": "Test Network",
+ "zerotier_network_id": "a84ac5c10a6e4c7e",
+ "environment": "development",
+ },
+ )
+ assert_success(result)
+
+ def test_list_networks_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-02 — List networks.
+
+ WHAT: GET /organizations//networks.
+ WHY: Network overview page uses this endpoint.
+ EXPECTED: 200 OK with networks array.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.get(f"/organizations/{org['id']}/networks")
+ assert_success(result)
+
+ def test_create_network_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-03 — Reject network creation as member.
+
+ WHAT: Member attempts POST /organizations//networks.
+ WHY: Network management is admin-only.
+ EXPECTED: 403 Forbidden.
+ """
+ member = create_test_user(password="MemberPass123!")
+ org = create_test_org()
+ create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=member["email"], password="MemberPass123!")
+ with pytest.raises(ApiError) as exc_info:
+ integration_client.post(
+ f"/organizations/{org['id']}/networks",
+ data={"name": "Hacked", "zerotier_network_id": "a84ac5c10a6e4c7e"},
+ )
+ assert exc_info.value.status_code == 403
+
+
+class TestZeroTierDeviceManagement:
+ """Test device registration and management."""
+
+ def test_register_device_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-04 — Register a device.
+
+ WHAT: POST /organizations//devices.
+ WHY: Devices must be registered before network access.
+ EXPECTED: 201 Created.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.post(
+ f"/organizations/{org['id']}/devices",
+ data={
+ "node_id": "1234567890",
+ "nickname": "Test Device",
+ "hostname": "test-device",
+ },
+ )
+ # May succeed or fail depending on ZT config; accept both for now
+ assert result.get("success") is not False or result.get("code") in (201, 400, 500)
+
+ def test_list_devices_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-05 — List devices.
+
+ WHAT: GET /organizations//devices.
+ WHY: Device management page uses this endpoint.
+ EXPECTED: 200 OK.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.get(f"/organizations/{org['id']}/devices")
+ assert_success(result)
+
+
+class TestZeroTierApprovals:
+ """Test approval flows."""
+
+ def test_list_pending_approvals_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-06 — List pending approvals as admin.
+
+ WHAT: GET /organizations//approvals/pending.
+ WHY: Admins review pending access requests.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.get(f"/organizations/{org['id']}/approvals/pending")
+ assert_success(result)
+
+ def test_list_approvals_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-07 — List all approvals.
+
+ WHAT: GET /organizations//approvals.
+ WHY: Approval history page uses this endpoint.
+ EXPECTED: 200 OK.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ result = integration_client.get(f"/organizations/{org['id']}/approvals")
+ assert_success(result)
+
+
+class TestZeroTierMembership:
+ """Test membership activation and deactivation."""
+
+ def test_get_memberships_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-08 — Get ZeroTier memberships.
+
+ WHAT: GET /organizations//memberships.
+ WHY: Users see their active network memberships.
+ EXPECTED: 200 OK.
+ """
+ user = create_test_user(password="MyPassword123!")
+ org = create_test_org()
+ create_test_membership(user["id"], org["id"], OrganizationRole.MEMBER)
+
+ integration_client.auth.login(email=user["email"], password="MyPassword123!")
+ result = integration_client.get(f"/organizations/{org['id']}/memberships")
+ assert_success(result)
+
+ def test_kill_switch_positive(self, integration_client, create_test_user, create_test_org, create_test_membership):
+ """TEST: ZT-09 — Trigger kill switch.
+
+ WHAT: POST /organizations//kill-switch.
+ WHY: Emergency access revocation.
+ EXPECTED: 200 OK or error if no memberships exist.
+ """
+ admin = create_test_user(password="AdminPass123!")
+ org = create_test_org()
+ create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+ integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+ try:
+ result = integration_client.post(
+ f"/organizations/{org['id']}/kill-switch",
+ data={"target_user_id": admin["id"], "reason": "Test kill switch"},
+ )
+ assert_success(result)
+ except ApiError as exc:
+ # Accept errors when no active memberships to kill
+ assert exc.status_code in (400, 500)
diff --git a/tests/unit/test_ca_key_encryption.py b/tests/unit/test_ca_key_encryption.py
new file mode 100644
index 0000000..3f19353
--- /dev/null
+++ b/tests/unit/test_ca_key_encryption.py
@@ -0,0 +1,205 @@
+"""Unit tests for ca_key_encryption module.
+
+WHAT: Tests for the Fernet-based CA private key encryption/decryption
+ utility functions.
+WHY: CA private keys are the most sensitive data in the system; we need
+ to verify round-trip correctness, idempotency, and error handling.
+EXPECTED: All encrypt/decrypt operations produce correct plaintext.
+"""
+import os
+import threading
+from unittest.mock import patch
+
+import pytest
+
+from gatehouse_app.utils.ca_key_encryption import (
+ CAKeyEncryptionError,
+ _FERNET_PREFIX,
+ _get_fernet,
+ decrypt_ca_key,
+ encrypt_ca_key,
+ is_encrypted,
+ reencrypt_ca_key,
+)
+
+
+# ---------------------------------------------------------------------------
+# Shared fixture
+# ---------------------------------------------------------------------------
+
+SAMPLE_PEM = (
+ "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+ "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz\n"
+ "c2gtZWQyNTUxOQAAACBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAA\n"
+ "-----END OPENSSH PRIVATE KEY-----"
+)
+
+
+@pytest.fixture(autouse=True)
+def _set_ca_encryption_key():
+ """Ensure CA_ENCRYPTION_KEY is set for every test."""
+ with patch.dict(os.environ, {"CA_ENCRYPTION_KEY": "test-secret-key-for-unit-tests"}):
+ yield
+
+
+# ---------------------------------------------------------------------------
+# encrypt / decrypt round-trip
+# ---------------------------------------------------------------------------
+
+class TestEncryptDecryptRoundTrip:
+ """Verify that encrypt -> decrypt returns the original plaintext."""
+
+ def test_basic_round_trip(self):
+ """TEST: ENC-RT-01 -- Encrypt then decrypt returns original PEM."""
+ encrypted = encrypt_ca_key(SAMPLE_PEM)
+ decrypted = decrypt_ca_key(encrypted)
+ assert decrypted == SAMPLE_PEM
+
+ def test_encrypted_value_has_prefix(self):
+ """TEST: ENC-RT-02 -- Encrypted output carries the $fernet$ envelope."""
+ encrypted = encrypt_ca_key(SAMPLE_PEM)
+ assert encrypted.startswith(_FERNET_PREFIX)
+
+ def test_different_ciphertext_each_time(self):
+ """TEST: ENC-RT-03 -- Two encryptions of the same plaintext differ."""
+ enc1 = encrypt_ca_key(SAMPLE_PEM)
+ enc2 = encrypt_ca_key(SAMPLE_PEM)
+ assert enc1 != enc2
+ assert decrypt_ca_key(enc1) == SAMPLE_PEM
+ assert decrypt_ca_key(enc2) == SAMPLE_PEM
+
+
+# ---------------------------------------------------------------------------
+# Idempotency
+# ---------------------------------------------------------------------------
+
+class TestIdempotency:
+ """The module must not double-encrypt or double-decrypt."""
+
+ def test_encrypt_idempotent(self):
+ """TEST: ENC-IDEM-01 -- Encrypting an already-encrypted value is a no-op."""
+ encrypted = encrypt_ca_key(SAMPLE_PEM)
+ double = encrypt_ca_key(encrypted)
+ assert double == encrypted
+
+ def test_decrypt_plaintext_passthrough(self):
+ """TEST: ENC-IDEM-02 -- Decrypting a plaintext (legacy) value returns it as-is."""
+ result = decrypt_ca_key(SAMPLE_PEM)
+ assert result == SAMPLE_PEM
+
+
+# ---------------------------------------------------------------------------
+# is_encrypted helper
+# ---------------------------------------------------------------------------
+
+class TestIsEncrypted:
+ def test_encrypted_value(self):
+ """TEST: ENC-IE-01 -- is_encrypted returns True for $fernet$ values."""
+ encrypted = encrypt_ca_key(SAMPLE_PEM)
+ assert is_encrypted(encrypted) is True
+
+ def test_plaintext_value(self):
+ """TEST: ENC-IE-02 -- is_encrypted returns False for plain PEM."""
+ assert is_encrypted(SAMPLE_PEM) is False
+
+ def test_empty_string(self):
+ """TEST: ENC-IE-03 -- is_encrypted returns False for empty string."""
+ assert is_encrypted("") is False
+
+ def test_none_value(self):
+ """TEST: ENC-IE-04 -- is_encrypted returns False for None."""
+ assert is_encrypted(None) is False
+
+
+# ---------------------------------------------------------------------------
+# Error handling
+# ---------------------------------------------------------------------------
+
+class TestErrorHandling:
+ def test_encrypt_empty_raises(self):
+ """TEST: ENC-ERR-01 -- Encrypting empty string raises CAKeyEncryptionError."""
+ with pytest.raises(CAKeyEncryptionError, match="empty"):
+ encrypt_ca_key("")
+
+ def test_decrypt_empty_raises(self):
+ """TEST: ENC-ERR-02 -- Decrypting empty string raises CAKeyEncryptionError."""
+ with pytest.raises(CAKeyEncryptionError, match="empty"):
+ decrypt_ca_key("")
+
+ def test_missing_key_raises(self):
+ """TEST: ENC-ERR-03 -- Operations fail when CA_ENCRYPTION_KEY is unset."""
+ with patch.dict(os.environ, {}, clear=True):
+ os.environ.pop("CA_ENCRYPTION_KEY", None)
+ with pytest.raises(CAKeyEncryptionError, match="not set"):
+ encrypt_ca_key(SAMPLE_PEM)
+
+ def test_wrong_key_raises_on_decrypt(self):
+ """TEST: ENC-ERR-04 -- Decrypting with the wrong key raises."""
+ encrypted = encrypt_ca_key(SAMPLE_PEM)
+ with patch.dict(os.environ, {"CA_ENCRYPTION_KEY": "wrong-key"}):
+ with pytest.raises(CAKeyEncryptionError, match="decryption failed"):
+ decrypt_ca_key(encrypted)
+
+ def test_corrupted_data_raises(self):
+ """TEST: ENC-ERR-05 -- Decrypting corrupted ciphertext raises."""
+ with pytest.raises(CAKeyEncryptionError):
+ decrypt_ca_key("$fernet$not-a-real-token")
+
+
+# ---------------------------------------------------------------------------
+# reencrypt_ca_key -- key rotation
+# ---------------------------------------------------------------------------
+
+class TestReencrypt:
+ def test_reencrypt_round_trip(self):
+ """TEST: ENC-RE-01 -- Re-encrypted value decrypts with the new key."""
+ old_key = "old-secret-key"
+ new_key = "new-secret-key"
+ encrypted = reencrypt_ca_key(SAMPLE_PEM, "any-old-key", old_key)
+ reencrypted = reencrypt_ca_key(encrypted, old_key, new_key)
+
+ # Verify it decrypts with the new key
+ with patch.dict(os.environ, {"CA_ENCRYPTION_KEY": new_key}):
+ decrypted = decrypt_ca_key(reencrypted)
+ assert decrypted == SAMPLE_PEM
+
+ def test_reencrypt_plaintext_key(self):
+ """TEST: ENC-RE-02 -- Re-encrypting a legacy plaintext key works."""
+ new_key = "brand-new-key"
+ reencrypted = reencrypt_ca_key(SAMPLE_PEM, "any-old-key", new_key)
+ with patch.dict(os.environ, {"CA_ENCRYPTION_KEY": new_key}):
+ decrypted = decrypt_ca_key(reencrypted)
+ assert decrypted == SAMPLE_PEM
+
+
+# ---------------------------------------------------------------------------
+# Thread safety
+# ---------------------------------------------------------------------------
+
+class TestThreadSafety:
+ """Concurrent encrypt/decrypt calls must not corrupt state."""
+
+ def test_concurrent_encrypt_decrypt(self):
+ """TEST: ENC-TS-01 -- 50 threads encrypting/decrypting concurrently."""
+ errors = []
+ results = []
+
+ def worker(i):
+ try:
+ data = f"key-data-{i}"
+ enc = encrypt_ca_key(data)
+ dec = decrypt_ca_key(enc)
+ results.append((i, dec))
+ except Exception as exc:
+ errors.append((i, exc))
+
+ threads = [threading.Thread(target=worker, args=(i,)) for i in range(50)]
+ for t in threads:
+ t.start()
+ for t in threads:
+ t.join(timeout=10)
+
+ assert not errors, f"Thread errors: {errors}"
+ assert len(results) == 50
+ for i, dec in results:
+ assert dec == f"key-data-{i}", f"Thread {i}: expected 'key-data-{i}', got {dec!r}"
diff --git a/tests/unit/test_cors.py b/tests/unit/test_cors.py
new file mode 100644
index 0000000..46a55fe
--- /dev/null
+++ b/tests/unit/test_cors.py
@@ -0,0 +1,125 @@
+"""Unit tests for CORS middleware.
+
+WHAT: Tests for the CORS middleware configuration, including wildcard
+ origin handling, credentials support, and preflight responses.
+WHY: CORS misconfiguration can break browser clients or leak credentials.
+EXPECTED: Correct Access-Control-* headers for all origin configurations.
+"""
+import pytest
+from flask import Flask
+
+from gatehouse_app.middleware.cors import (
+ _is_origin_allowed,
+ _cors_origin_header,
+ setup_cors,
+)
+
+
+# ---------------------------------------------------------------------------
+# _is_origin_allowed
+# ---------------------------------------------------------------------------
+
+class TestIsOriginAllowed:
+ def test_empty_origin_rejected(self):
+ """TEST: CORS-01 -- Empty origin is never allowed."""
+ assert _is_origin_allowed("", ["https://example.com"]) is False
+ assert _is_origin_allowed(None, "*") is False
+
+ def test_wildcard_string(self):
+ """TEST: CORS-02 -- Wildcard string allows any origin."""
+ assert _is_origin_allowed("https://evil.com", "*") is True
+
+ def test_wildcard_in_list(self):
+ """TEST: CORS-03 -- Wildcard in list allows any origin."""
+ assert _is_origin_allowed("https://evil.com", ["*", "https://example.com"]) is True
+
+ def test_explicit_origin_match(self):
+ """TEST: CORS-04 -- Explicit list matches exact origin."""
+ origins = ["https://example.com", "http://localhost:3000"]
+ assert _is_origin_allowed("https://example.com", origins) is True
+ assert _is_origin_allowed("https://evil.com", origins) is False
+
+ def test_empty_origins_list(self):
+ """TEST: CORS-05 -- Empty list rejects everything."""
+ assert _is_origin_allowed("https://example.com", []) is False
+
+
+# ---------------------------------------------------------------------------
+# _cors_origin_header
+# ---------------------------------------------------------------------------
+
+class TestCorsOriginHeader:
+ def test_wildcard_with_origin_echoes(self):
+ """TEST: CORS-HDR-01 -- Wildcard echoes request origin (for credentials)."""
+ assert _cors_origin_header("*", "https://example.com") == "https://example.com"
+
+ def test_wildcard_without_origin(self):
+ """TEST: CORS-HDR-02 -- Wildcard with no origin returns *."""
+ assert _cors_origin_header("*", None) == "*"
+
+ def test_wildcard_in_list_with_origin(self):
+ """TEST: CORS-HDR-03 -- Wildcard in list echoes request origin."""
+ result = _cors_origin_header(["*", "https://example.com"], "https://any.com")
+ assert result == "https://any.com"
+
+ def test_specific_origin_match(self):
+ """TEST: CORS-HDR-04 -- Matching origin is echoed."""
+ origins = ["https://example.com"]
+ assert _cors_origin_header(origins, "https://example.com") == "https://example.com"
+
+ def test_specific_origin_no_match(self):
+ """TEST: CORS-HDR-05 -- Non-matching origin returns None."""
+ origins = ["https://example.com"]
+ assert _cors_origin_header(origins, "https://evil.com") is None
+
+ def test_no_origin_no_match(self):
+ """TEST: CORS-HDR-06 -- No origin with specific list returns None."""
+ origins = ["https://example.com"]
+ assert _cors_origin_header(origins, None) is None
+
+
+# ---------------------------------------------------------------------------
+# Integration: preflight response
+# ---------------------------------------------------------------------------
+
+class TestPreflightIntegration:
+ @pytest.fixture
+ def app_wildcard(self):
+ app = Flask(__name__)
+ app.config["CORS_ORIGINS"] = "*"
+ app.config["CORS_SUPPORTS_CREDENTIALS"] = True
+ setup_cors(app)
+ app.config["TESTING"] = True
+ return app
+
+ @pytest.fixture
+ def app_specific(self):
+ app = Flask(__name__)
+ app.config["CORS_ORIGINS"] = ["https://example.com"]
+ app.config["CORS_SUPPORTS_CREDENTIALS"] = True
+ setup_cors(app)
+ app.config["TESTING"] = True
+ return app
+
+ def test_wildcard_preflight_echoes_origin(self, app_wildcard):
+ """TEST: CORS-PF-01 -- Wildcard preflight echoes request origin."""
+ with app_wildcard.test_client() as client:
+ resp = client.options("/", headers={"Origin": "https://example.com"})
+ assert resp.status_code == 204
+ assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"
+ assert resp.headers.get("Access-Control-Allow-Credentials") == "true"
+
+ def test_specific_origin_preflight(self, app_specific):
+ """TEST: CORS-PF-02 -- Specific origin preflight allows matching origin."""
+ with app_specific.test_client() as client:
+ resp = client.options("/", headers={"Origin": "https://example.com"})
+ assert resp.status_code == 204
+ assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"
+ assert resp.headers.get("Access-Control-Allow-Credentials") == "true"
+
+ def test_specific_origin_rejects_unknown(self, app_specific):
+ """TEST: CORS-PF-03 -- Non-matching origin gets no CORS headers."""
+ with app_specific.test_client() as client:
+ resp = client.options("/", headers={"Origin": "https://evil.com"})
+ # No preflight handler runs, Flask returns default
+ assert resp.headers.get("Access-Control-Allow-Origin") is None
diff --git a/tests/unit/test_encryption.py b/tests/unit/test_encryption.py
new file mode 100644
index 0000000..d54ee19
--- /dev/null
+++ b/tests/unit/test_encryption.py
@@ -0,0 +1,164 @@
+"""Unit tests for encryption module (general-purpose Fernet encryption).
+
+WHAT: Tests for the PBKDF2-based Fernet encryption/decryption used for
+ OAuth tokens and client secrets.
+WHY: These utilities protect access tokens and client secrets; we need
+ to verify round-trip correctness and error handling.
+EXPECTED: All encrypt/decrypt operations produce correct plaintext.
+"""
+import threading
+
+import pytest
+
+from gatehouse_app.utils.encryption import (
+ SALT_LENGTH,
+ _get_fernet_key,
+ decrypt,
+ encrypt,
+)
+
+
+# ---------------------------------------------------------------------------
+# Shared fixture
+# ---------------------------------------------------------------------------
+
+SECRET_KEY = "test-encryption-secret-key"
+SAMPLE_DATA = "access_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload"
+
+
+# ---------------------------------------------------------------------------
+# encrypt / decrypt round-trip
+# ---------------------------------------------------------------------------
+
+class TestEncryptDecryptRoundTrip:
+ """Verify that encrypt -> decrypt returns the original plaintext."""
+
+ def test_basic_round_trip(self):
+ """TEST: ENC-RT-01 -- Encrypt then decrypt returns original data."""
+ encrypted = encrypt(SAMPLE_DATA, secret_key=SECRET_KEY)
+ decrypted = decrypt(encrypted, secret_key=SECRET_KEY)
+ assert decrypted == SAMPLE_DATA
+
+ def test_encrypted_is_base64(self):
+ """TEST: ENC-RT-02 -- Encrypted output is valid base64."""
+ import base64
+ encrypted = encrypt(SAMPLE_DATA, secret_key=SECRET_KEY)
+ # Should not raise
+ base64.urlsafe_b64decode(encrypted.encode())
+
+ def test_different_ciphertext_each_time(self):
+ """TEST: ENC-RT-03 -- Two encryptions of the same plaintext differ."""
+ enc1 = encrypt(SAMPLE_DATA, secret_key=SECRET_KEY)
+ enc2 = encrypt(SAMPLE_DATA, secret_key=SECRET_KEY)
+ assert enc1 != enc2
+ assert decrypt(enc1, secret_key=SECRET_KEY) == SAMPLE_DATA
+ assert decrypt(enc2, secret_key=SECRET_KEY) == SAMPLE_DATA
+
+ def test_round_trip_unicode(self):
+ """TEST: ENC-RT-04 -- Unicode data round-trips correctly."""
+ data = "token=cafe\u00e9\u00f1\u00fc"
+ encrypted = encrypt(data, secret_key=SECRET_KEY)
+ assert decrypt(encrypted, secret_key=SECRET_KEY) == data
+
+ def test_round_trip_long_data(self):
+ """TEST: ENC-RT-05 -- Large data round-trips correctly."""
+ data = "x" * 10000
+ encrypted = encrypt(data, secret_key=SECRET_KEY)
+ assert decrypt(encrypted, secret_key=SECRET_KEY) == data
+
+
+# ---------------------------------------------------------------------------
+# Empty / edge inputs
+# ---------------------------------------------------------------------------
+
+class TestEdgeCases:
+ def test_encrypt_empty_returns_empty(self):
+ """TEST: ENC-EDGE-01 -- Encrypting empty string returns empty."""
+ assert encrypt("", secret_key=SECRET_KEY) == ""
+
+ def test_decrypt_empty_returns_empty(self):
+ """TEST: ENC-EDGE-02 -- Decrypting empty string returns empty."""
+ assert decrypt("", secret_key=SECRET_KEY) == ""
+
+ def test_missing_key_raises_on_encrypt(self):
+ """TEST: ENC-EDGE-03 -- Missing key raises ValueError on encrypt."""
+ with pytest.raises(ValueError, match="Encryption key not configured"):
+ encrypt("data", secret_key="")
+
+ def test_missing_key_raises_on_decrypt(self):
+ """TEST: ENC-EDGE-04 -- Missing key raises ValueError on decrypt."""
+ with pytest.raises(ValueError, match="Encryption key not configured"):
+ decrypt("something", secret_key="")
+
+ def test_wrong_key_raises_on_decrypt(self):
+ """TEST: ENC-EDGE-05 -- Wrong key raises ValueError on decrypt."""
+ encrypted = encrypt(SAMPLE_DATA, secret_key=SECRET_KEY)
+ with pytest.raises(ValueError, match="Failed to decrypt"):
+ decrypt(encrypted, secret_key="wrong-key")
+
+ def test_corrupted_data_raises(self):
+ """TEST: ENC-EDGE-06 -- Corrupted ciphertext raises ValueError."""
+ import base64
+ bad = base64.urlsafe_b64encode(b"not-valid-fernet-data").decode()
+ with pytest.raises(ValueError):
+ decrypt(bad, secret_key=SECRET_KEY)
+
+
+# ---------------------------------------------------------------------------
+# _get_fernet_key — PBKDF2 derivation
+# ---------------------------------------------------------------------------
+
+class TestKeyDerivation:
+ def test_same_salt_same_key(self):
+ """TEST: ENC-KD-01 -- Same salt produces the same derived key."""
+ salt = b"\x00" * SALT_LENGTH
+ key1 = _get_fernet_key(SECRET_KEY, salt=salt)
+ key2 = _get_fernet_key(SECRET_KEY, salt=salt)
+ assert key1 == key2
+
+ def test_different_salt_different_key(self):
+ """TEST: ENC-KD-02 -- Different salts produce different keys."""
+ salt1 = b"\x00" * SALT_LENGTH
+ salt2 = b"\xff" * SALT_LENGTH
+ key1 = _get_fernet_key(SECRET_KEY, salt=salt1)
+ key2 = _get_fernet_key(SECRET_KEY, salt=salt2)
+ assert key1 != key2
+
+ def test_auto_salt_length(self):
+ """TEST: ENC-KD-03 -- Auto-generated salt is 16 bytes."""
+ key = _get_fernet_key(SECRET_KEY)
+ # If it didn't raise, the salt was valid
+ assert len(key) > 0
+
+
+# ---------------------------------------------------------------------------
+# Thread safety
+# ---------------------------------------------------------------------------
+
+class TestThreadSafety:
+ """Concurrent encrypt/decrypt calls must not corrupt state."""
+
+ def test_concurrent_encrypt_decrypt(self):
+ """TEST: ENC-TS-01 -- 50 threads encrypting/decrypting concurrently."""
+ errors = []
+ results = []
+
+ def worker(i):
+ try:
+ data = f"token-{i}-secret"
+ enc = encrypt(data, secret_key=SECRET_KEY)
+ dec = decrypt(enc, secret_key=SECRET_KEY)
+ results.append((i, dec))
+ except Exception as exc:
+ errors.append((i, exc))
+
+ threads = [threading.Thread(target=worker, args=(i,)) for i in range(50)]
+ for t in threads:
+ t.start()
+ for t in threads:
+ t.join(timeout=10)
+
+ assert not errors, f"Thread errors: {errors}"
+ assert len(results) == 50
+ for i, dec in results:
+ assert dec == f"token-{i}-secret", f"Thread {i}: mismatch"