DefGuard · wojcik91 · Jul 2, 2025 · Jun 16, 2025 · Jun 16, 2025 · Jun 16, 2025
diff --git a/.sqlx/query-0c18e9d0f192e36ed65569c0ef124d6ab73bee88929ad223c46bb9b2892150f3.json b/.sqlx/query-0c18e9d0f192e36ed65569c0ef124d6ab73bee88929ad223c46bb9b2892150f3.json
diff --git a/.sqlx/query-0effde2f87ca6a7d9ce34daedb6462deb43863778ea17a47696912f412714741.json b/.sqlx/query-0effde2f87ca6a7d9ce34daedb6462deb43863778ea17a47696912f412714741.json
diff --git a/.sqlx/query-6175d2d008ccf7860ebe9f1b2e12d7dd30dac5aa72e015c19931c84010ebfcf5.json b/.sqlx/query-6175d2d008ccf7860ebe9f1b2e12d7dd30dac5aa72e015c19931c84010ebfcf5.json
diff --git a/.sqlx/query-876e1659850a050155f3938231e801b381b112d54971c86beaad5fd679fbd5ac.json b/.sqlx/query-876e1659850a050155f3938231e801b381b112d54971c86beaad5fd679fbd5ac.json
diff --git a/.sqlx/query-87868c21e47dd3b55ba1aefb690ce4ea9b463d7e71533e9c6312939a3d77b49e.json b/.sqlx/query-87868c21e47dd3b55ba1aefb690ce4ea9b463d7e71533e9c6312939a3d77b49e.json
diff --git a/.sqlx/query-8d8416a6cc1f0bae02e126ca398e87000f305499668455d7e4d949f7d0a7be9a.json b/.sqlx/query-8d8416a6cc1f0bae02e126ca398e87000f305499668455d7e4d949f7d0a7be9a.json
diff --git a/.sqlx/query-cda76abbdfed425c3b06c5b64115529ffe33c7290a63adfbaaa416efeffefac3.json b/.sqlx/query-cda76abbdfed425c3b06c5b64115529ffe33c7290a63adfbaaa416efeffefac3.json
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/defguard_core/migrations/20250616071627_add_user_snat.down.sql b/crates/defguard_core/migrations/20250616071627_add_user_snat.down.sql
@@ -0,0 +1 @@
+DROP TABLE user_snat_binding;
diff --git a/crates/defguard_core/migrations/20250616071627_add_user_snat.up.sql b/crates/defguard_core/migrations/20250616071627_add_user_snat.up.sql
@@ -0,0 +1,9 @@
+CREATE TABLE user_snat_binding (
+    id bigserial PRIMARY KEY,
+    user_id bigint NOT NULL,
+    location_id bigint NOT NULL,
+    public_ip inet NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES "user"(id) ON DELETE CASCADE,
+    FOREIGN KEY(location_id) REFERENCES "wireguard_network"(id) ON DELETE CASCADE,
+    CONSTRAINT user_location UNIQUE (user_id, location_id)
+);
diff --git a/crates/defguard_core/src/enterprise/db/models/mod.rs b/crates/defguard_core/src/enterprise/db/models/mod.rs
@@ -3,3 +3,4 @@ pub mod activity_log_stream;
 pub mod api_tokens;
 pub mod enterprise_settings;
 pub mod openid_provider;
+pub mod snat;
diff --git a/crates/defguard_core/src/enterprise/db/models/snat.rs b/crates/defguard_core/src/enterprise/db/models/snat.rs
@@ -0,0 +1,69 @@
+use std::net::IpAddr;
+
+use crate::{
+    db::{Id, NoId},
+    enterprise::snat::error::UserSnatBindingError,
+};
+use model_derive::Model;
+use serde::Serialize;
+use sqlx::{query_as, PgExecutor};
+use utoipa::ToSchema;
+
+#[derive(Debug, Model, Serialize, ToSchema)]
+#[table(user_snat_binding)]
+pub struct UserSnatBinding<I = NoId> {
+    pub id: I,
+    pub user_id: Id,
+    pub location_id: Id,
+    #[model(ip)]
+    #[schema(value_type = String)]
+    pub public_ip: IpAddr,
+}
+
+impl UserSnatBinding {
+    pub fn new(user_id: Id, location_id: Id, public_ip: IpAddr) -> Self {
+        Self {
+            id: NoId,
+            user_id,
+            location_id,
+            public_ip,
+        }
+    }
+}
+
+impl UserSnatBinding<Id> {
+    pub async fn find_binding<'e, E>(
+        executor: E,
+        location_id: Id,
+        user_id: Id,
+    ) -> Result<Self, UserSnatBindingError>
+    where
+        E: PgExecutor<'e>,
+    {
+        let binding = query_as!(Self,
+	        "SELECT id, user_id, location_id, \"public_ip\" \"public_ip: IpAddr\" FROM user_snat_binding WHERE location_id = $1 AND user_id = $2",
+	        location_id, user_id
+    	).fetch_one(executor).await?;
+
+        Ok(binding)
+    }
+
+    pub async fn all_for_location<'e, E>(
+        executor: E,
+        location_id: Id,
+    ) -> Result<Vec<Self>, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        let bindings = query_as!(Self,
+	        "SELECT id, user_id, location_id, \"public_ip\" \"public_ip: IpAddr\" FROM user_snat_binding WHERE location_id = $1",
+	        location_id
+    	).fetch_all(executor).await?;
+
+        Ok(bindings)
+    }
+
+    pub fn update_ip(&mut self, new_public_ip: IpAddr) {
+        self.public_ip = new_public_ip;
+    }
+}