From bf5d0865059bfdefde10198003eae0647b4e37f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Tue, 10 Jun 2025 20:32:10 +0200
Subject: [PATCH 1/5] pass device management flag in enrollment settings

---
 crates/defguard_core/src/grpc/enrollment.rs | 3 ++-
 proto | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 2fe63f82d5..a8d71cca3e 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -227,9 +227,10 @@ impl EnrollmentServer {
 error!("Failed to get enterprise settings: {err}");
 Status::internal("unexpected error")
 })?;
- let enrollment_settings = super::proto::proxy::Settings {
+ let enrollment_settings = super::proto::proxy::EnrollmentSettings {
 vpn_setup_optional,
 only_client_activation: enterprise_settings.only_client_activation,
+ admin_device_management: enterprise_settings.admin_device_management,
 };
 let response = super::proto::proxy::EnrollmentStartResponse {
 admin: admin_info,
diff --git a/proto b/proto
index d72ced8984..96ad724101 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit d72ced898411c4b8144bb13a9ad48f65e2f6a1ec
+Subproject commit 96ad7241017222d97c2e14412e22fce4f677d643

From a5261103b55795701a58a5c7d1fd63290210050c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Tue, 10 Jun 2025 20:32:26 +0200
Subject: [PATCH 2/5] return error if device management is disabled

---
 crates/defguard_core/src/grpc/enrollment.rs | 45 +++++++++++++--------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index a8d71cca3e..131937e0a5 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -380,6 +380,34 @@ impl EnrollmentServer { // fetch related users let user = enrollment_token.fetch_user(&self.pool).await?; + // check if adding device by non-admin users is allowed + debug!( + "Fetching enterprise settings for device creation process for user {}({:?})", + user.username, user.id, + ); + let enterprise_settings = EnterpriseSettings::get(&self.pool).await.map_err(|err| { + error!( + "Failed to fetch enterprise settings for device creation process for user {}({:?}): \ + {err}", + user.username, user.id, + ); + Status::internal("unexpected error") + })?; + debug!("Enterprise settings: {enterprise_settings:?}"); + + if !user.is_admin(&self.pool).await.map_err(|err| { + error!( + "Failed to fetch admin status for user {}({:?}): {err}", + user.username, user.id, + ); + Status::internal("unexpected error") + })? && enterprise_settings.admin_device_management + { + return Err(Status::invalid_argument( + "only admin users can manage devices", + )); + } + // add device debug!( "Verifying if user {}({:?}) is active", @@ -609,23 +637,6 @@ impl EnrollmentServer { let settings = Settings::get_current_settings(); debug!("Settings: {settings:?}"); - debug!( - "Fetching enterprise settings for device {} creation process for user {}({:?})", - device.wireguard_pubkey, user.username, user.id, - ); - let enterprise_settings = - EnterpriseSettings::get(&mut *transaction) - .await - .map_err(|err| { - error!( - "Failed to fetch enterprise settings for device {} creation process for user {}({:?}): \ - {err}", - device.wireguard_pubkey, user.username, user.id, - ); - Status::internal("unexpected error") - })?; - debug!("Enterprise settings: {enterprise_settings:?}"); - // create polling token for further client communication debug!( "Creating polling token for further client communication for device {}, user {}({:?})", From 33ec98bc8247f90cddf546479bf2e2e75e18f215 Mon Sep 17 00:00:00 2001 
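Review bot: The denial at the end of the added block uses `Status::invalid_argument`, but the rejected request is well-formed and fails an authorization rule, so `Status::permission_denied("only admin users can manage devices")` is the gRPC code callers and proxies expect for this case. The denial is also returned without any log line, so a non-admin attempting to add a device while `admin_device_management` is on leaves no trace for operators; a `warn!` naming `user.username` and `user.id` before the `return Err(...)` would give them something to alert on. Binding the admin lookup on its own line and testing the flag first (`if enterprise_settings.admin_device_management && !is_admin { ... }`) also skips the `is_admin` query when the flag is off and reads more naturally than the negated `map_err` chain inside the condition. The second hunk moves the settings fetch from `&mut *transaction` to `&self.pool`, so the value used later in the function is now read before the transaction starts; presumably acceptable for a settings read, but worth confirming. The enclosing method starts before and ends after this hunk.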
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Wed, 11 Jun 2025 10:07:34 +0200
Subject: [PATCH 3/5] add admin flag to enrollment response

---
 crates/defguard_core/src/grpc/enrollment.rs | 2 ++
 proto | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 131937e0a5..ef43511c71 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -742,6 +742,7 @@ impl InitialUserInfo {
 let enrolled = user.is_enrolled();
 let devices = user.user_devices(pool).await?;
 let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
+ let is_admin = user.is_admin(pool).await?;
 Ok(Self {
 first_name: user.first_name,
 last_name: user.last_name,
@@ -751,6 +752,7 @@ impl InitialUserInfo {
 is_active: user.is_active,
 device_names,
 enrolled,
+ is_admin,
 })
 }
 }
diff --git a/proto b/proto
index 96ad724101..6500e8503d 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 96ad7241017222d97c2e14412e22fce4f677d643
+Subproject commit 6500e8503d58014717ebcabb7642b623f6879b46

From aad1594d88c9150f5b884fb3d0726e52bdd3a57a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 12 Jun 2025 12:42:08 +0200
Subject: [PATCH 4/5] update protos

---
 proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto b/proto
index 6500e8503d..ee9a80fed0 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 6500e8503d58014717ebcabb7642b623f6879b46
+Subproject commit ee9a80fed04271ca117a6387e0f6ce50e3263228

From ec66d52c005ba99ad04d262257703380ebfe5016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 12 Jun 2025 12:55:12 +0200
Subject: [PATCH 5/5] update protos

---
 proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto b/proto
index ee9a80fed0..20fe30dfa1 160000
--- a/proto
+++ b/proto
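Review bot: The new `is_admin` field is sent to the enrolling client with no documentation of what it is for, and since a client can ignore it, it must stay informational only — the admin check added on the device-creation path in the previous patch is the enforcement point, and nothing on the client side should be relied on in its place. A doc comment on the field where `InitialUserInfo` is declared (outside this hunk) would make that explicit, e.g. `/// Whether the user has admin privileges; informational for the client, device-management authorization is enforced server-side.` The added `user.is_admin(pool).await?` is one more round-trip after `user_devices`, fine for a one-shot enrollment call but worth keeping in mind if this constructor is reused on a hotter path. The enclosing function starts before this hunk.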
@@ -1 +1 @@
-Subproject commit ee9a80fed04271ca117a6387e0f6ce50e3263228
+Subproject commit 20fe30dfa1c2985bb7a6afe1c74dd9a709e034c6