diff --git a/crates/defguard_core/src/handlers/wireguard.rs b/crates/defguard_core/src/handlers/wireguard.rs
index 2fe85234ef..1508bc7cdc 100644
--- a/crates/defguard_core/src/handlers/wireguard.rs
+++ b/crates/defguard_core/src/handlers/wireguard.rs
@@ -1299,6 +1299,18 @@ pub(crate) async fn download_config(
 Path((network_id, device_id)): Path<(i64, i64)>,
 ) -> Result {
 debug!("Creating config for device {device_id} in network {network_id}");
+
+ let settings = EnterpriseSettings::get(&appstate.pool).await?;
+ if settings.only_client_activation && !session.is_admin {
+ warn!(
+ "User {} tried to download device config, but manual device management is disaled",
+ session.user.username
+ );
+ return Err(WebError::Forbidden(
+ "Manual device management is disabled".into(),
+ ));
+ }
+
 let network = find_network(network_id, &appstate.pool).await?;
 let device = device_for_admin_or_self(&appstate.pool, &session, device_id).await?;
 let wireguard_network_device =
diff --git a/crates/defguard_core/tests/integration/api/enterprise_settings.rs b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
index 8f29234797..675fc60a38 100644
--- a/crates/defguard_core/tests/integration/api/enterprise_settings.rs
+++ b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
@@ -237,7 +237,7 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
 .await;
 assert_eq!(response.status(), StatusCode::CREATED);
- // setup admin devices management
+ // disable manual device management
 let settings = EnterpriseSettings {
 admin_device_management: false,
 disable_all_traffic: false,
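Review bot: The log text in the new `warn!` block misspells "disabled" as "disaled"; operators grep and alert on these lines, so fix it to `"User {} tried to download device config, but manual device management is disabled",`. Placing the gate before `find_network` and `device_for_admin_or_self` is a good choice, since a non-admin gets the same 403 whether or not the device exists or belongs to them. The same `only_client_activation && !session.is_admin` check presumably already guards the device-management handlers that the dg25_12 test exercises; if so, moving it into one shared helper that takes the pool and session and returns `Result<(), WebError>` would keep the policy in one place and make it harder to miss on the next endpoint. download_config's signature begins before the hunk and its body continues after it.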
@@ -297,3 +297,61 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
 assert_eq!(response.status(), StatusCode::FORBIDDEN);
 }
+
+#[sqlx::test]
+async fn dg25_13_test_disable_device_config(_: PgPoolOptions, options: PgConnectOptions) {
+ let pool = setup_pool(options).await;
+
+ // admin login
+ let (client, _) = make_test_client(pool).await;
+ let auth = Auth::new("admin", "pass123");
+ let response = client.post("/api/v1/auth").json(&auth).send().await;
+ assert_eq!(response.status(), StatusCode::OK);
+
+ exceed_enterprise_limits(&client).await;
+
+ // create network
+ let response = client
+ .post("/api/v1/network")
+ .json(&make_network())
+ .send()
+ .await;
+ assert_eq!(response.status(), StatusCode::CREATED);
+
+ // disable manual device management
+ let settings = EnterpriseSettings {
+ admin_device_management: false,
+ disable_all_traffic: false,
+ only_client_activation: true,
+ };
+ let response = client
+ .patch("/api/v1/settings_enterprise")
+ .json(&settings)
+ .send()
+ .await;
+ assert_eq!(response.status(), StatusCode::OK);
+
+ // add device for normal user
+ let device = json!({
+ "name": "device",
+ "wireguard_pubkey": "LQKsT6/3HWKuJmMulH63R8iK+5sI8FyYEL6WDIi6lQU=",
+ });
+ let response = client
+ .post("/api/v1/device/hpotter")
+ .json(&device)
+ .send()
+ .await;
+ assert_eq!(response.status(), StatusCode::CREATED);
+
+ // admin can view device config
+ let response = client.get("/api/v1/network/1/device/1/config").send().await;
+ assert_eq!(response.status(), StatusCode::OK);
+
+ // ensure normal users can't access device config
+ let auth = Auth::new("hpotter", "pass123");
+ let response = client.post("/api/v1/auth").json(&auth).send().await;
+ assert_eq!(response.status(), StatusCode::OK);
+
+ let response = client.get("/api/v1/network/1/device/1/config").send().await;
+ assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
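Review bot: The new test only shows that hpotter is refused after `only_client_activation` is set; it never confirms that hpotter could fetch the config beforehand, so a regression that denies every non-admin, or a broken route, would pass unnoticed. Add a control step: create the device while the setting is still off, log in as hpotter and assert `StatusCode::OK` on the same GET (assuming the owner lookup permits self-access, as `device_for_admin_or_self` suggests), then log back in as admin, apply the settings patch and keep the existing FORBIDDEN check. The `/api/v1/network/1/device/1/config` path also hard-codes both ids; reading them from the network and device creation responses would make the test robust to fixture changes. The settings-patch boilerplate is now duplicated between dg25_12 and this test and could move into a small helper in the test module.
```rust
    // add device for normal user (manual management still allowed)
    // … unchanged: device creation and CREATED assertion …

    // control: without the restriction the owner can fetch their own config
    let auth = Auth::new("hpotter", "pass123");
    let response = client.post("/api/v1/auth").json(&auth).send().await;
    assert_eq!(response.status(), StatusCode::OK);
    let response = client.get("/api/v1/network/1/device/1/config").send().await;
    assert_eq!(response.status(), StatusCode::OK);

    // re-authenticate as admin before disabling manual device management
    let auth = Auth::new("admin", "pass123");
    let response = client.post("/api/v1/auth").json(&auth).send().await;
    assert_eq!(response.status(), StatusCode::OK);
    // … unchanged: settings patch, admin config check, hpotter FORBIDDEN check …
```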