[fix] Ensure VpnClient post_delete signals fire on removal openwisp#1221

mn-ram · mn-ram · commit efeefce1e58b · 2026-03-15T23:01:39.000+05:30
Replace bulk QuerySet.delete() calls with per-instance deletions to ensure post_delete signals fire properly. Each deletion is wrapped in its own transaction.atomic() with try/except logging so the loop continues on failure. Iteration uses .order_by("pk") for deterministic processing order. Applied isolation to all three code paths: device deactivation, template removal, and API serializer. Added regression tests for template removal, device deactivation, and partial-failure scenarios. Fixes openwisp#1221
diff --git a/openwisp_controller/config/api/serializers.py b/openwisp_controller/config/api/serializers.py
@@ -1,3 +1,5 @@
+import logging
+
 from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.db.models import Q
@@ -11,6 +13,8 @@
 from .. import settings as app_settings
 from ..whois.mixins import WHOISMixin
 
+logger = logging.getLogger(__name__)
+
 Template = load_model("config", "Template")
 Vpn = load_model("config", "Vpn")
 Device = load_model("config", "Device")
@@ -199,10 +203,29 @@ def _update_config(self, device, config_data):
             config = self._prepare_config(device, config_data)
             old_templates = list(config.templates.values_list("id", flat=True))
             if config_templates != old_templates:
+                vpn_list = config.templates.filter(type="vpn").values_list("vpn")
+                if vpn_list:
+                    # Use per-instance deletion to ensure post_delete
+                    # signals fire (peer cache, cert revocation, etc.)
+                    # Each deletion is wrapped in its own transaction so that
+                    # a failure in one does not roll back side effects
+                    # (cert revocation, IP release) of previously committed ones.
+                    for vpnclient in (
+                        config.vpnclient_set.select_related("vpn", "cert", "ip")
+                        .exclude(vpn__in=vpn_list)
+                        .order_by("pk")
+                        .iterator()
+                    ):
+                        try:
+                            with transaction.atomic():
+                                vpnclient.delete()
+                        except Exception:
+                            logger.exception(
+                                "Failed to delete VpnClient (id: %s) " "for Config %s",
+                                vpnclient.pk,
+                                config,
+                            )
                 with transaction.atomic():
-                    vpn_list = config.templates.filter(type="vpn").values_list("vpn")
-                    if vpn_list:
-                        config.vpnclient_set.exclude(vpn__in=vpn_list).delete()
                     config.templates.set(config_templates, clear=True)
             config.save()
         except ValidationError as error:
diff --git a/openwisp_controller/config/base/config.py b/openwisp_controller/config/base/config.py
@@ -338,7 +338,26 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             if instance.is_deactivating_or_deactivated():
                 # If the device is deactivated or in the process of deactivating, then
                 # delete all vpn clients and return.
-                instance.vpnclient_set.all().delete()
+                # Use per-instance deletion to ensure post_delete signals fire,
+                # which handles peer cache invalidation, cert revocation,
+                # ZeroTier member removal, and IP address release.
+                # Each deletion is wrapped in its own transaction so that
+                # a failure in one does not roll back side effects
+                # (cert revocation, IP release) of previously committed ones.
+                for vpnclient in (
+                    instance.vpnclient_set.select_related("vpn", "cert", "ip")
+                    .order_by("pk")
+                    .iterator()
+                ):
+                    try:
+                        with transaction.atomic():
+                            vpnclient.delete()
+                    except Exception:
+                        logger.exception(
+                            "Failed to delete VpnClient (id: %s) " "for Config %s",
+                            vpnclient.pk,
+                            instance,
+                        )
             return
 
         vpn_client_model = cls.vpn.through
@@ -370,9 +389,29 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             # signal is triggered again—after all templates, including the required
             # ones, have been fully added. At that point, we can identify and
             # delete VpnClient objects not linked to the final template set.
-            instance.vpnclient_set.exclude(
-                template_id__in=instance.templates.values_list("id", flat=True)
-            ).delete()
+            # Use per-instance deletion to ensure post_delete signals fire,
+            # which handles peer cache invalidation, cert revocation,
+            # ZeroTier member removal, and IP address release.
+            # Each deletion is wrapped in its own transaction so that
+            # a failure in one does not roll back side effects
+            # (cert revocation, IP release) of previously committed ones.
+            for vpnclient in (
+                instance.vpnclient_set.select_related("vpn", "cert", "ip")
+                .exclude(
+                    template_id__in=instance.templates.values_list("id", flat=True)
+                )
+                .order_by("pk")
+                .iterator()
+            ):
+                try:
+                    with transaction.atomic():
+                        vpnclient.delete()
+                except Exception:
+                    logger.exception(
+                        "Failed to delete VpnClient (id: %s) " "for Config %s",
+                        vpnclient.pk,
+                        instance,
+                    )
 
         if action == "post_add":
             for template in templates.filter(type="vpn"):
diff --git a/openwisp_controller/config/tests/test_vpn.py b/openwisp_controller/config/tests/test_vpn.py
@@ -286,6 +286,173 @@ def _assert_vpn_client_cert(cert, vpn_client, cert_ct, vpn_client_ct):
             vpnclient.save()
             _assert_vpn_client_cert(cert, vpnclient, 1, 0)
 
+    def test_vpn_client_post_delete_on_template_removal(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a VPN template is removed so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        c = self._create_config(organization=org)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            c.templates.remove(t)
+            mock_invalidate.assert_called()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+    def test_vpn_client_post_delete_on_device_deactivation(self):
+        """Regression test for #1221: VpnClient.post_delete must fire
+        when a device is deactivated so that peer cache is invalidated
+        and certificates are properly revoked."""
+        org = self._get_org()
+        vpn = self._create_vpn()
+        t = self._create_template(name="vpn-test", type="vpn", vpn=vpn, auto_cert=True)
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t)
+        vpnclient = c.vpnclient_set.first()
+        self.assertIsNotNone(vpnclient)
+        cert_pk = vpnclient.cert.pk
+        with mock.patch.object(Vpn, "_invalidate_peer_cache") as mock_invalidate:
+            d.deactivate()
+            mock_invalidate.assert_called()
+        self.assertFalse(VpnClient.objects.filter(pk=vpnclient.pk).exists())
+        # Certificate should be revoked (auto_cert=True)
+        self.assertTrue(Cert.objects.get(pk=cert_pk).revoked)
+
+    def test_vpnclient_delete_partial_failure_on_deactivation(self):
+        """Regression test for #1221: if one VpnClient deletion fails
+        during device deactivation, remaining VpnClients should still
+        be deleted with their side effects (cert revocation) intact."""
+        org = self._get_org()
+        vpn1 = self._create_vpn(name="vpn1")
+        vpn2 = self._create_vpn(name="vpn2")
+        t1 = self._create_template(
+            name="vpn-test-1", type="vpn", vpn=vpn1, auto_cert=True
+        )
+        t2 = self._create_template(
+            name="vpn-test-2", type="vpn", vpn=vpn2, auto_cert=True
+        )
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t1, t2)
+        vc1, vc2 = list(c.vpnclient_set.order_by("pk"))
+        vc1_pk = vc1.pk
+        vc2_pk = vc2.pk
+        cert2_pk = vc2.cert.pk
+
+        original_delete = VpnClient.delete
+        call_count = 0
+
+        def failing_delete(self):
+            nonlocal call_count
+            call_count += 1
+            if call_count == 1:
+                raise Exception("simulated failure")
+            return original_delete(self)
+
+        with mock.patch.object(VpnClient, "delete", failing_delete):
+            with self.assertLogs(
+                "openwisp_controller.config.base.config", level="ERROR"
+            ) as log_cm:
+                d.deactivate()
+        # First VpnClient delete failed, so it should still exist
+        self.assertTrue(VpnClient.objects.filter(pk=vc1_pk).exists())
+        # Second VpnClient should be deleted
+        self.assertFalse(VpnClient.objects.filter(pk=vc2_pk).exists())
+        # Second cert should be revoked
+        self.assertTrue(Cert.objects.get(pk=cert2_pk).revoked)
+        # Error log should contain the VpnClient PK
+        self.assertTrue(
+            any(str(vc1_pk) in msg for msg in log_cm.output),
+            f"Expected VpnClient PK {vc1_pk} in log output",
+        )
+
+    def test_vpnclient_delete_partial_failure_on_template_removal(self):
+        """Regression test for #1221: if one VpnClient deletion fails
+        during template removal, remaining VpnClients should still
+        be deleted with their side effects (cert revocation) intact."""
+        org = self._get_org()
+        vpn1 = self._create_vpn(name="vpn1")
+        vpn2 = self._create_vpn(name="vpn2")
+        t1 = self._create_template(
+            name="vpn-test-1", type="vpn", vpn=vpn1, auto_cert=True
+        )
+        t2 = self._create_template(
+            name="vpn-test-2", type="vpn", vpn=vpn2, auto_cert=True
+        )
+        c = self._create_config(organization=org)
+        c.templates.add(t1, t2)
+        vc1, vc2 = list(c.vpnclient_set.order_by("pk"))
+        vc1_pk = vc1.pk
+        vc2_pk = vc2.pk
+        cert2_pk = vc2.cert.pk
+
+        original_delete = VpnClient.delete
+        call_count = 0
+
+        def failing_delete(self):
+            nonlocal call_count
+            call_count += 1
+            if call_count == 1:
+                raise Exception("simulated failure")
+            return original_delete(self)
+
+        with mock.patch.object(VpnClient, "delete", failing_delete):
+            with self.assertLogs(
+                "openwisp_controller.config.base.config", level="ERROR"
+            ) as log_cm:
+                c.templates.remove(t1, t2)
+        # First VpnClient delete failed, so it should still exist
+        self.assertTrue(VpnClient.objects.filter(pk=vc1_pk).exists())
+        # Second VpnClient should be deleted
+        self.assertFalse(VpnClient.objects.filter(pk=vc2_pk).exists())
+        # Second cert should be revoked
+        self.assertTrue(Cert.objects.get(pk=cert2_pk).revoked)
+        # Error log should contain the VpnClient PK
+        self.assertTrue(
+            any(str(vc1_pk) in msg for msg in log_cm.output),
+            f"Expected VpnClient PK {vc1_pk} in log output",
+        )
+
+    def test_vpnclient_delete_all_fail_no_crash(self):
+        """Regression test for #1221: if all VpnClient deletions fail,
+        the method should not raise and should log each failure."""
+        org = self._get_org()
+        vpn1 = self._create_vpn(name="vpn1")
+        vpn2 = self._create_vpn(name="vpn2")
+        t1 = self._create_template(
+            name="vpn-test-1", type="vpn", vpn=vpn1, auto_cert=True
+        )
+        t2 = self._create_template(
+            name="vpn-test-2", type="vpn", vpn=vpn2, auto_cert=True
+        )
+        d = self._create_device(organization=org)
+        c = self._create_config(device=d)
+        c.templates.add(t1, t2)
+        vc1_pk, vc2_pk = list(
+            c.vpnclient_set.order_by("pk").values_list("pk", flat=True)
+        )
+
+        with mock.patch.object(
+            VpnClient, "delete", side_effect=Exception("simulated failure")
+        ):
+            with self.assertLogs(
+                "openwisp_controller.config.base.config", level="ERROR"
+            ) as log_cm:
+                d.deactivate()
+        # Both VpnClients should still exist (all deletes failed)
+        self.assertTrue(VpnClient.objects.filter(pk=vc1_pk).exists())
+        self.assertTrue(VpnClient.objects.filter(pk=vc2_pk).exists())
+        # Should have logged 2 errors
+        error_msgs = [msg for msg in log_cm.output if "Failed to delete" in msg]
+        self.assertEqual(len(error_msgs), 2)
+
     def test_vpn_client_get_common_name(self):
         vpn = self._create_vpn()
         d = self._create_device()
