Implement admin enrollment APIs

Data/Engine/tests/test_http_admin.py

@@ -0,0 +1,111 @@
+import base64
+import sqlite3
+from datetime import datetime, timezone
+
+from .test_http_auth import _login, prepared_app
+
+
+def test_enrollment_codes_require_authentication(prepared_app):
+    client = prepared_app.test_client()
+    resp = client.get("/api/admin/enrollment-codes")
+    assert resp.status_code == 401
+
+
+def test_enrollment_code_workflow(prepared_app):
+    client = prepared_app.test_client()
+    _login(client)
+
+    payload = {"ttl_hours": 3, "max_uses": 4}
+    resp = client.post("/api/admin/enrollment-codes", json=payload)
+    assert resp.status_code == 201
+    created = resp.get_json()
+    assert created["max_uses"] == 4
+    assert created["status"] == "active"
+
+    resp = client.get("/api/admin/enrollment-codes")
+    assert resp.status_code == 200
+    codes = resp.get_json().get("codes", [])
+    assert any(code["id"] == created["id"] for code in codes)
+
+    resp = client.delete(f"/api/admin/enrollment-codes/{created['id']}")
+    assert resp.status_code == 200
+
+
+def test_device_approvals_listing(prepared_app, engine_settings):
+    client = prepared_app.test_client()
+    _login(client)
+
+    conn = sqlite3.connect(engine_settings.database.path)
+    cur = conn.cursor()
+
+    now = datetime.now(tz=timezone.utc)
+    cur.execute(
+        "INSERT INTO sites (name, description, created_at) VALUES (?, ?, ?)",
+        ("HQ", "Primary", int(now.timestamp())),
+    )
+    site_id = cur.lastrowid
+
+    cur.execute(
+        """
+        INSERT INTO devices (guid, hostname, created_at, last_seen, ssl_key_fingerprint, status)
+        VALUES (?, ?, ?, ?, ?, 'active')
+        """,
+        (
+            "22222222-2222-2222-2222-222222222222",
+            "approval-host",
+            int(now.timestamp()),
+            int(now.timestamp()),
+            "deadbeef",
+        ),
+    )
+    cur.execute(
+        "INSERT INTO device_sites (device_hostname, site_id, assigned_at) VALUES (?, ?, ?)",
+        ("approval-host", site_id, int(now.timestamp())),
+    )
+
+    now_iso = now.isoformat()
+    cur.execute(
+        """
+        INSERT INTO device_approvals (
+            id,
+            approval_reference,
+            guid,
+            hostname_claimed,
+            ssl_key_fingerprint_claimed,
+            enrollment_code_id,
+            status,
+            client_nonce,
+            server_nonce,
+            created_at,
+            updated_at,
+            approved_by_user_id,
+            agent_pubkey_der
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        """,
+        (
+            "approval-http",
+            "REFHTTP",
+            None,
+            "approval-host",
+            "deadbeef",
+            "code-http",
+            "pending",
+            base64.b64encode(b"client").decode(),
+            base64.b64encode(b"server").decode(),
+            now_iso,
+            now_iso,
+            None,
+            b"pub",
+        ),
+    )
+    conn.commit()
+    conn.close()
+
+    resp = client.get("/api/admin/device-approvals")
+    assert resp.status_code == 200
+    body = resp.get_json()
+    approvals = body.get("approvals", [])
+    assert any(a["id"] == "approval-http" for a in approvals)
+    record = next(a for a in approvals if a["id"] == "approval-http")
+    assert record.get("hostname_conflict", {}).get("fingerprint_match") is True
+