[tests] Add multi-VPN client regression test for openwisp#1221

Verify that when a device has multiple VPN templates and is deactivated,
every VpnClient is deleted, peer cache is invalidated for each VPN server,
and all auto-created certificates are revoked.

Related to openwisp#1221
Co-Authored-By: mn-ram <mn-ram@users.noreply.github.com>

Author: mn-ram

openwisp_controller/config/tests/test_vpn.py

@@ -325,6 +325,35 @@ def test_vpn_client_post_delete_on_device_deactivation(self):
         # Certificate should be revoked (auto_cert=True)
         self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
 
+    def test_vpn_client_post_delete_multiple_clients(self):
+        """Regression test for #1221: when a device has multiple VPN templates,
+        removing all of them must delete every VpnClient, invalidate peer cache
+        for each VPN, and revoke all auto-created certificates."""
+        org = self._get_org()
+        vpn1 = self._create_vpn(name="vpn1")
+        vpn2 = self._create_vpn(name="vpn2", ca=vpn1.ca)
+        t1 = self._create_template(
+            name="vpn-t1", type="vpn", vpn=vpn1, auto_cert=True
+        )
+        t2 = self._create_template(
+            name="vpn-t2", type="vpn", vpn=vpn2, auto_cert=True
+        )
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t1, t2)
+        self.assertEqual(c.vpnclient_set.count(), 2)
+        vpnclient1 = c.vpnclient_set.get(vpn=vpn1)
+        vpnclient2 = c.vpnclient_set.get(vpn=vpn2)
+        cert_pk1 = vpnclient1.cert.pk
+        cert_pk2 = vpnclient2.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            d.deactivate()
+            self.assertEqual(mock_invalidate.call_count, 2)
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient1.pk).exists())
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient2.pk).exists())
+        self.assertTrue(Cert.objects.get(pk=cert_pk1).revoked)
+        self.assertTrue(Cert.objects.get(pk=cert_pk2).revoked)
+
     def test_vpn_client_get_common_name(self):
         vpn = self._create_vpn()
         d = self._create_device()