[fix] Ensure VpnClient post_delete signals fire on removal openwisp#1221

Signed-off-by: prakash-kalwaniya <kalwaniyaprakash1@gmail.com>

Author: mn-ram

openwisp_controller/config/api/serializers.py

@@ -202,7 +202,14 @@ def _update_config(self, device, config_data):
                 with transaction.atomic():
                     vpn_list = config.templates.filter(type="vpn").values_list("vpn")
                     if vpn_list:
-                        config.vpnclient_set.exclude(vpn__in=vpn_list).delete()
+                        # Use per-instance deletion to ensure post_delete
+                        # signals fire (peer cache, cert revocation, etc.)
+                        for vpnclient in (
+                            config.vpnclient_set.select_related("vpn", "cert", "ip")
+                            .exclude(vpn__in=vpn_list)
+                            .iterator()
+                        ):
+                            vpnclient.delete()
                     config.templates.set(config_templates, clear=True)
             config.save()
         except ValidationError as error:

openwisp_controller/config/base/config.py

@@ -338,7 +338,14 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             if instance.is_deactivating_or_deactivated():
                 # If the device is deactivated or in the process of deactivating, then
                 # delete all vpn clients and return.
-                instance.vpnclient_set.all().delete()
+                # Use per-instance deletion to ensure post_delete signals fire,
+                # which handles peer cache invalidation, cert revocation,
+                # ZeroTier member removal, and IP address release.
+                with transaction.atomic():
+                    for vpnclient in instance.vpnclient_set.select_related(
+                        "vpn", "cert", "ip"
+                    ).iterator():
+                        vpnclient.delete()
             return
 
         vpn_client_model = cls.vpn.through
@@ -370,9 +377,18 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             # signal is triggered again—after all templates, including the required
             # ones, have been fully added. At that point, we can identify and
             # delete VpnClient objects not linked to the final template set.
-            instance.vpnclient_set.exclude(
-                template_id__in=instance.templates.values_list("id", flat=True)
-            ).delete()
+            # Use per-instance deletion to ensure post_delete signals fire,
+            # which handles peer cache invalidation, cert revocation,
+            # ZeroTier member removal, and IP address release.
+            with transaction.atomic():
+                for vpnclient in (
+                    instance.vpnclient_set.select_related("vpn", "cert", "ip")
+                    .exclude(
+                        template_id__in=instance.templates.values_list("id", flat=True)
+                    )
+                    .iterator()
+                ):
+                    vpnclient.delete()
 
         if action == "post_add":
             for template in templates.filter(type="vpn"):

openwisp_controller/config/tests/test_vpn.py

@@ -286,6 +286,45 @@ def _assert_vpn_client_cert(cert, vpn_client, cert_ct, vpn_client_ct):
             vpnclient.save()
             _assert_vpn_client_cert(cert, vpnclient, 1, 0)
 
+    def test_vpn_client_post_delete_on_template_removal(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a VPN template is removed so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        c = self._create_config(organization=org)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            c.templates.remove(t)
+            mock_invalidate.assert_called()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+    def test_vpn_client_post_delete_on_device_deactivation(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a device is deactivated so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            d.deactivate()
+            mock_invalidate.assert_called()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
     def test_vpn_client_get_common_name(self):
         vpn = self._create_vpn()
         d = self._create_device()