Trim Gateways and Edges on licence expiration

.github/workflows/build-docker.yml

@@ -72,7 +72,7 @@ jobs:
           cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
 
       - name: Scan image with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         env:
           TRIVY_SHOW_SUPPRESSED: 1
           TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -96,7 +96,7 @@ jobs:
 
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.2
+        uses: sigstore/cosign-installer@v3.10.1
 
       - name: Docker meta
         id: meta

.github/workflows/ci.yml

@@ -59,7 +59,7 @@ jobs:
           submodules: recursive
 
       - name: Scan code with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         env:
           TRIVY_SHOW_SUPPRESSED: 1
           TRIVY_IGNOREFILE: "./.trivyignore.yaml"

.github/workflows/sbom.yml

@@ -35,7 +35,7 @@ jobs:
           submodules: recursive
 
       - name: Create SBOM with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         with:
           scan-type: 'fs'
           format: 'spdx-json'
@@ -46,7 +46,7 @@ jobs:
           skip-dirs: "e2e"
 
       - name: Create docker image SBOM with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         with:
           image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
@@ -56,7 +56,7 @@ jobs:
           scanners: "vuln"
 
       - name: Create security advisory file with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         with:
           scan-type: 'fs'
           format: 'json'
@@ -67,7 +67,7 @@ jobs:
           skip-dirs: "e2e"
 
       - name: Create docker image security advisory file with Trivy
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.34.2
         with:
           image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'

crates/defguard/src/main.rs

@@ -212,15 +212,15 @@ async fn main() -> Result<(), anyhow::Error> {
             failed_logins,
             api_event_tx,
             incompatible_components,
-            proxy_control_tx
+            proxy_control_tx.clone()
         ) => error!("Web server returned early: {res:?}"),
         res = run_periodic_stats_purge(
             pool.clone(),
             config.stats_purge_frequency.into(),
             config.stats_purge_threshold.into()
         ), if !config.disable_stats_purge =>
             error!("Periodic stats purge task returned early: {res:?}"),
-        res = run_periodic_license_check(&pool) =>
+        res = run_periodic_license_check(&pool, proxy_control_tx) =>
             error!("Periodic license check task returned early: {res:?}"),
         res = run_utility_thread(&pool, gateway_tx.clone()) =>
             error!("Utility thread returned early: {res:?}"),

crates/defguard_certs/src/lib.rs

@@ -391,7 +391,7 @@ mod tests {
         let days = (not_after - not_before).whole_days();
 
         assert!(
-            (valid_days as i64 - 1..=valid_days as i64 + 1).contains(&days),
+            (i64::from(valid_days) - 1..=i64::from(valid_days) + 1).contains(&days),
             "expected validity of {valid_days} days (±1), got {days} days"
         );
         assert!(
@@ -448,8 +448,7 @@ mod tests {
 
         assert!(
             email_found,
-            "Email '{}' should be present in Subject Alternative Names",
-            expected_email
+            "Email '{expected_email}' should be present in Subject Alternative Names"
         );
     }
 

crates/defguard_common/src/db/models/gateway.rs

@@ -3,7 +3,7 @@ use std::fmt;
 use chrono::{NaiveDateTime, Timelike, Utc};
 use model_derive::Model;
 use serde::{Deserialize, Serialize};
-use sqlx::{PgExecutor, query, query_as};
+use sqlx::{PgExecutor, query, query_as, query_scalar};
 
 use crate::db::{Id, NoId};
 
@@ -89,7 +89,7 @@ impl Gateway<Id> {
     }
 
     /// Update `connected_at` to the current time and save it to the database.
-    pub async fn touch_connected<'e, E>(&mut self, executor: E) -> Result<(), sqlx::Error>
+    pub async fn touch_connected<'e, E>(&mut self, executor: E) -> sqlx::Result<()>
     where
         E: PgExecutor<'e>,
     {
@@ -106,7 +106,7 @@ impl Gateway<Id> {
     }
 
     /// Set `disconnected_at` to the current time and save it to the database.
-    pub async fn touch_disconnected<'e, E>(&mut self, executor: E) -> Result<(), sqlx::Error>
+    pub async fn touch_disconnected<'e, E>(&mut self, executor: E) -> sqlx::Result<()>
     where
         E: PgExecutor<'e>,
     {
@@ -122,11 +122,11 @@ impl Gateway<Id> {
         Ok(())
     }
 
-    pub async fn delete_by_id<'e, E>(executor: E, id: Id) -> Result<(), sqlx::Error>
+    pub async fn delete_by_id<'e, E>(executor: E, id: Id) -> sqlx::Result<()>
     where
         E: PgExecutor<'e>,
     {
-        sqlx::query!("DELETE FROM \"gateway\" WHERE id = $1", id,)
+        query!("DELETE FROM \"gateway\" WHERE id = $1", id,)
             .execute(executor)
             .await?;
 
@@ -138,7 +138,7 @@ impl Gateway<Id> {
         executor: E,
         address: &str,
         port: u16,
-    ) -> Result<Option<Self>, sqlx::Error>
+    ) -> sqlx::Result<Option<Self>>
     where
         E: PgExecutor<'e>,
     {
@@ -154,10 +154,29 @@ impl Gateway<Id> {
         Ok(record)
     }
 
+    /// Return address and port as URL with HTTP scheme.
     #[must_use]
     pub fn url(&self) -> String {
         format!("http://{}:{}", self.address, self.port)
     }
+
+    /// Disable all Gateways except one. Used for expired licence.
+    pub async fn leave_one_enabled<'e, E>(executor: E) -> sqlx::Result<()>
+    where
+        E: PgExecutor<'e>,
+    {
+        let result = query_scalar!(
+            "UPDATE gateway SET enabled = false WHERE enabled AND id NOT IN (\
+                SELECT id FROM gateway WHERE enabled LIMIT 1
+            )"
+        )
+        .execute(executor)
+        .await?;
+
+        tracing::debug!("Disabled {} Gateways", result.rows_affected());
+
+        Ok(())
+    }
 }
 
 impl fmt::Display for Gateway<Id> {

crates/defguard_common/src/db/models/proxy.rs

@@ -112,4 +112,19 @@ impl Proxy<Id> {
 
         Ok(())
     }
+
+    /// Fetch all enabled, but one. Used for expired licence.
+    pub async fn leave_one_enabled<'e, E>(executor: E) -> sqlx::Result<Vec<Self>>
+    where
+        E: sqlx::PgExecutor<'e>,
+    {
+        sqlx::query_as!(
+            Self,
+            "SELECT * FROM proxy WHERE enabled AND id NOT IN (\
+                SELECT id FROM proxy WHERE enabled LIMIT 1
+            )"
+        )
+        .fetch_all(executor)
+        .await
+    }
 }

crates/defguard_common/src/db/models/user.rs

@@ -1160,6 +1160,7 @@ impl User<Id> {
         .await
     }
 
+    #[must_use]
     pub fn fullname(&self) -> String {
         format!("{} {}", self.first_name, self.last_name)
     }