diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 5fbbc15202..c195d24859 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -72,7 +72,7 @@ jobs: cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }} - name: Scan image with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}" format: "table" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dd9c8de596..0dbe36fcfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,7 +56,7 @@ jobs: submodules: recursive - name: Scan code with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: scan-type: 'fs' scan-ref: '.' diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 05951846ca..306f8677e3 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -35,7 +35,7 @@ jobs: submodules: recursive - name: Create SBOM with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: scan-type: 'fs' format: 'spdx-json' @@ -46,7 +46,7 @@ jobs: skip-dirs: "e2e" - name: Create docker image SBOM with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}" scan-type: 'image' @@ -56,7 +56,7 @@ jobs: scanners: "vuln" - name: Create security advisory file with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: scan-type: 'fs' format: 'json' 
@@ -67,7 +67,7 @@ jobs: skip-dirs: "e2e" - name: Create docker image security advisory file with Trivy - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.2 with: image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}" scan-type: 'image' diff --git a/Cargo.lock b/Cargo.lock index 5adc019416..5f858ba6b5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -154,9 +154,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.101" +version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea" +checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" [[package]] name = "ar_archive_writer" @@ -534,9 +534,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.19.1" +version = "3.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" +checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" [[package]] name = "byteorder" @@ -607,9 +607,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" -version = "0.4.43" +version = "0.4.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118" +checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0" dependencies = [ "iana-time-zone", "js-sys", @@ -669,9 +669,9 @@ checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18" [[package]] name = "clap" -version = "4.5.59" +version = "4.5.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c5caf74d17c3aec5495110c34cc3f78644bfa89af6c8993ed4de2790e49b6499" +checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a" dependencies = [ "clap_builder", "clap_derive", 
@@ -679,9 +679,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.59" +version = "4.5.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "370daa45065b80218950227371916a1633217ae42b2715b2287b606dcd618e24" +checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876" dependencies = [ "anstream", "anstyle", @@ -1116,7 +1116,7 @@ dependencies = [ [[package]] name = "defguard_common" -version = "1.6.4" +version = "1.6.5" dependencies = [ "anyhow", "base64 0.22.1", @@ -1332,9 +1332,9 @@ dependencies = [ [[package]] name = "deranged" -version = "0.5.6" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc3dc5ad92c2e2d1c193bbbbdf2ea477cb81331de4f3103f267ca18368b988c4" +checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" dependencies = [ "powerfmt", "serde_core", @@ -1447,9 +1447,9 @@ dependencies = [ [[package]] name = "dispatch2" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec" +checksum = "1e0e367e4e7da84520dedcac1901e4da967309406d1e51017ae1abfb97adbd38" dependencies = [ "bitflags 2.11.0", "objc2", @@ -1936,20 +1936,20 @@ dependencies = [ "cfg-if", "js-sys", "libc", - "r-efi", + "r-efi 5.3.0", "wasip2", "wasm-bindgen", ] [[package]] name = "getrandom" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec" +checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555" dependencies = [ "cfg-if", "libc", - "r-efi", + "r-efi 6.0.0", "wasip2", "wasip3", ] 
@@ -2526,9 +2526,9 @@ dependencies = [ [[package]] name = "ipnet" -version = "2.11.0" +version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" +checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" [[package]] name = "ipnetwork" @@ -2591,9 +2591,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.85" +version = "0.3.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" +checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c" dependencies = [ "once_cell", "wasm-bindgen", @@ -2740,9 +2740,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.182" +version = "0.2.183" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" +checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d" [[package]] name = "libgit2-sys" @@ -2764,13 +2764,14 @@ checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" [[package]] name = "libredox" -version = "0.1.12" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616" +checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a" dependencies = [ "bitflags 2.11.0", "libc", - "redox_syscall 0.7.1", + "plain", + "redox_syscall 0.7.3", ] [[package]] @@ -2785,9 +2786,9 @@ dependencies = [ [[package]] name = "libz-sys" -version = "1.1.23" +version = "1.1.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15d118bbf3771060e7311cc7bb0545b01d08a8b4a7de949198dec1fa0ca1c0f7" +checksum = "d52f4c29e2a68ac30c9087e1b772dc9f44a2b66ed44edf2266cf2be9b03dafc1" dependencies = [ "cc", "libc", 
@@ -2797,9 +2798,9 @@ dependencies = [ [[package]] name = "linux-raw-sys" -version = "0.11.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" [[package]] name = "litemap" @@ -2973,9 +2974,9 @@ checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084" [[package]] name = "native-tls" -version = "0.2.16" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d5d26952a508f321b4d3d2e80e78fc2603eaefcdf0c30783867f19586518bdc" +checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2" dependencies = [ "libc", "log", @@ -3167,9 +3168,9 @@ dependencies = [ [[package]] name = "objc2" -version = "0.6.3" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7c2599ce0ec54857b29ce62166b0ed9b4f6f1a70ccc9a71165b6154caca8c05" +checksum = "3a12a8ed07aefc768292f076dc3ac8c48f3781c8f2d5851dd3d98950e8c5a89f" dependencies = [ "objc2-encode", ] @@ -3793,18 +3794,18 @@ dependencies = [ [[package]] name = "pin-project" -version = "1.1.10" +version = "1.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a" +checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.10" +version = "1.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861" +checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6" dependencies = [ "proc-macro2", "quote", 
@@ -3813,9 +3814,9 @@ dependencies = [ [[package]] name = "pin-project-lite" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b" +checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" [[package]] name = "pin-utils" @@ -3850,6 +3851,12 @@ version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" +[[package]] +name = "plain" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6" + [[package]] name = "polyval" version = "0.6.2" @@ -3913,9 +3920,9 @@ dependencies = [ [[package]] name = "proc-macro-crate" -version = "3.4.0" +version = "3.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983" +checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f" dependencies = [ "toml_edit", ] @@ -4010,9 +4017,9 @@ dependencies = [ [[package]] name = "pulldown-cmark" -version = "0.13.0" +version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e8bbe1a966bd2f362681a44f6edce3c2310ac21e4d5067a6e7ec396297a6ea0" +checksum = "83c41efbf8f90ac44de7f3a868f0867851d261b56291732d0cbf7cceaaeb55a6" dependencies = [ "bitflags 2.11.0", "getopts", @@ -4058,9 +4065,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.13" +version = "0.11.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31" +checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" dependencies = [ "bytes", "getrandom 0.3.4", 
@@ -4093,9 +4100,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.44" +version = "1.0.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" dependencies = [ "proc-macro2", ] @@ -4112,6 +4119,12 @@ version = "5.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" +[[package]] +name = "r-efi" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" + [[package]] name = "radium" version = "0.7.0" @@ -4188,9 +4201,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.7.1" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35985aa610addc02e24fc232012c86fd11f14111180f902b67e2d5331f8ebf2b" +checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16" dependencies = [ "bitflags 2.11.0", ] @@ -4240,9 +4253,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.9" +version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" +checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" [[package]] name = "replace_with" @@ -4391,13 +4404,12 @@ dependencies = [ [[package]] name = "rust-ini" -version = "0.21.1" +version = "0.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e310ef0e1b6eeb79169a1171daf9abcb87a2e17c03bee2c4bb100b55c75409f" +checksum = "796e8d2b6696392a43bea58116b667fb4c29727dc5abd27d6acf338bb4f688c7" dependencies = [ "cfg-if", "ordered-multimap", - "trim-in-place", ] [[package]] 
@@ -4426,9 +4438,9 @@ dependencies = [ [[package]] name = "rustix" -version = "1.1.3" +version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" dependencies = [ "bitflags 2.11.0", "errno", @@ -4439,9 +4451,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.36" +version = "0.23.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" +checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" dependencies = [ "log", "once_cell", @@ -4508,9 +4520,9 @@ dependencies = [ [[package]] name = "schannel" -version = "0.1.28" +version = "0.1.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1" +checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939" dependencies = [ "windows-sys 0.61.2", ] @@ -4572,9 +4584,9 @@ dependencies = [ [[package]] name = "security-framework" -version = "3.6.0" +version = "3.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" +checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" dependencies = [ "bitflags 2.11.0", "core-foundation 0.10.1", @@ -4585,9 +4597,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.16.0" +version = "2.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" +checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3" dependencies = [ "core-foundation-sys", "libc", 
@@ -4735,9 +4747,9 @@ dependencies = [ [[package]] name = "serde_with" -version = "3.16.1" +version = "3.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fa237f2807440d238e0364a218270b98f767a00d3dada77b1c53ae88940e2e7" +checksum = "381b283ce7bc6b476d903296fb59d0d36633652b633b27f64db4fb46dcbfc3b9" dependencies = [ "base64 0.22.1", "chrono", @@ -4754,9 +4766,9 @@ dependencies = [ [[package]] name = "serde_with_macros" -version = "3.16.1" +version = "3.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52a8e3ca0ca629121f70ab50f95249e5a6f925cc0f6ffe8256c45b728875706c" +checksum = "a6d4e30573c8cb306ed6ab1dca8423eec9a463ea0e155f45399455e0368b27e0" dependencies = [ "darling 0.21.3", "proc-macro2", @@ -4961,12 +4973,12 @@ dependencies = [ [[package]] name = "socket2" -version = "0.6.2" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0" +checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" dependencies = [ "libc", - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -5338,9 +5350,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.116" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", 
@@ -5396,12 +5408,12 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tempfile" -version = "3.25.0" +version = "3.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1" +checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0" dependencies = [ "fastrand", - "getrandom 0.4.1", + "getrandom 0.4.2", "once_cell", "rustix", "windows-sys 0.61.2", @@ -5558,9 +5570,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.49.0" +version = "1.50.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" +checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d" dependencies = [ "bytes", "libc", @@ -5574,9 +5586,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.6.0" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" +checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c" dependencies = [ "proc-macro2", "quote", 
@@ -5630,18 +5642,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.7.5+spec-1.1.0" +version = "1.0.0+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347" +checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e" dependencies = [ "serde_core", ] [[package]] name = "toml_edit" -version = "0.23.10+spec-1.0.0" +version = "0.25.4+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269" +checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2" dependencies = [ "indexmap 2.13.0", "toml_datetime", @@ -5660,9 +5672,9 @@ dependencies = [ [[package]] name = "tonic" -version = "0.14.4" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f32a6f80051a4111560201420c7885d0082ba9efe2ab61875c587bb6b18b9a0" +checksum = "fec7c61a0695dc1887c1b53952990f3ad2e3a31453e1f49f10e75424943a93ec" dependencies = [ "async-trait", "axum", @@ -5692,9 +5704,9 @@ dependencies = [ [[package]] name = "tonic-build" -version = "0.14.4" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce6d8958ed3be404120ca43ffa0fb1e1fc7be214e96c8d33bd43a131b6eebc9e" +checksum = "1882ac3bf5ef12877d7ed57aad87e75154c11931c2ba7e6cde5e22d63522c734" dependencies = [ "prettyplease", "proc-macro2", @@ -5704,9 +5716,9 @@ dependencies = [ [[package]] name = "tonic-health" -version = "0.14.4" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "163e5ad9be2924d9cef75f02fcd44c1803a5af250f4ef7e085992270ac51fb9b" +checksum = "f4ff0636fef47afb3ec02818f5bceb4377b8abb9d6a386aeade18bd6212f8eb7" dependencies = [ "prost", "tokio", 
@@ -5717,9 +5729,9 @@ dependencies = [ [[package]] name = "tonic-prost" -version = "0.14.4" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f86539c0089bfd09b1f8c0ab0239d80392af74c21bc9e0f15e1b4aca4c1647f" +checksum = "a55376a0bbaa4975a3f10d009ad763d8f4108f067c7c2e74f3001fb49778d309" dependencies = [ "bytes", "prost", @@ -5728,9 +5740,9 @@ dependencies = [ [[package]] name = "tonic-prost-build" -version = "0.14.4" +version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65873ace111e90344b8973e94a1fc817c924473affff24629281f90daed1cd2e" +checksum = "f3144df636917574672e93d0f56d7edec49f90305749c668df5101751bb8f95a" dependencies = [ "prettyplease", "proc-macro2", @@ -5886,12 +5898,6 @@ dependencies = [ "syn", ] -[[package]] -name = "trim-in-place" -version = "0.1.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "343e926fc669bc8cde4fa3129ab681c63671bae288b1f1081ceee6d9d37904fc" - [[package]] name = "try-lock" version = "0.2.5" @@ -6089,11 +6095,11 @@ checksum = "e2eebbbfe4093922c2b6734d7c679ebfebd704a0d7e56dfcb0d05818ce28977d" [[package]] name = "uuid" -version = "1.21.0" +version = "1.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" +checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37" dependencies = [ - "getrandom 0.4.1", + "getrandom 0.4.2", "js-sys", "serde_core", "wasm-bindgen", @@ -6207,9 +6213,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b" [[package]] name = "wasm-bindgen" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" +checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e" dependencies = [ "cfg-if", "once_cell", 
@@ -6220,9 +6226,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.58" +version = "0.4.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f" +checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8" dependencies = [ "cfg-if", "futures-util", @@ -6234,9 +6240,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" +checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6244,9 +6250,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" +checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3" dependencies = [ "bumpalo", "proc-macro2", @@ -6257,9 +6263,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" +checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16" dependencies = [ "unicode-ident", ] @@ -6313,9 +6319,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.85" +version = "0.3.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598" +checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -6775,9 +6781,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650" [[package]] name = "winnow" -version = "0.7.14" +version = "0.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829" +checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945" dependencies = [ "memchr", ] @@ -6948,18 +6954,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.39" +version = "0.8.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a" +checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.39" +version = "0.8.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" +checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f" dependencies = [ "proc-macro2", "quote", @@ -7056,9 +7062,9 @@ dependencies = [ [[package]] name = "zlib-rs" -version = "0.6.0" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7948af682ccbc3342b6e9420e8c51c1fe5d7bf7756002b4a3c6cabfe96a7e3c" +checksum = "3be3d40e40a133f9c916ee3f9f4fa2d9d63435b5fbe1bfc6d9dae0aa0ada1513" [[package]] name = "zmij" diff --git a/Cargo.toml b/Cargo.toml index 02513af505..e23fa11b2b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -11,7 +11,7 @@ resolver = "2"
 [workspace.dependencies]
 # internal crates
-defguard_common = { path = "./crates/defguard_common", version = "1.6.4" }
+defguard_common = { path = "./crates/defguard_common", version = "1.6.5" }
 defguard_core = { path = "./crates/defguard_core", version = "0.0.0" }
 defguard_event_logger = { path = "./crates/defguard_event_logger", version = "0.0.0" }
 defguard_event_router = { path = "./crates/defguard_event_router", version = "0.0.0" }
diff --git a/crates/defguard_common/Cargo.toml b/crates/defguard_common/Cargo.toml
index d4b6b6f8ce..ceb794d141 100644
--- a/crates/defguard_common/Cargo.toml
+++ b/crates/defguard_common/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard_common"
-version = "1.6.4"
+version = "1.6.5"
 edition.workspace = true
 license-file.workspace = true
 homepage.workspace = true
diff --git a/crates/defguard_core/src/enterprise/firewall/mod.rs b/crates/defguard_core/src/enterprise/firewall/mod.rs
index c6d594e1bf..b0a3fdd69d 100644
--- a/crates/defguard_core/src/enterprise/firewall/mod.rs
+++ b/crates/defguard_core/src/enterprise/firewall/mod.rs
@@ -13,10 +13,7 @@ use ipnetwork::IpNetwork;
 use sqlx::{Error as SqlxError, PgConnection, query_as, query_scalar};
 use super::{
- db::models::acl::{
- AclAliasDestinationRange, AclRule, AclRuleDestinationRange, AclRuleInfo, PortRange,
- Protocol,
- },
+ db::models::acl::{AclRule, AclRuleInfo, PortRange, Protocol},
 utils::merge_ranges,
 };
 use crate::{
@@ -120,7 +117,7 @@ pub async fn generate_firewall_rules_from_acls(
 .into_iter()
 .partition(|alias| alias.kind == AliasKind::Destination);
- // store alias ranges separately since they use a different struct
+ // store alias ranges separately until they are folded into the common range iterator
 let mut alias_destination_ranges = Vec::new();
 // process component aliases by appending destination parameters from each of them to
@@ -136,8 +133,12 @@ pub async fn generate_firewall_rules_from_acls(
 }
 // prepare destination addresses
+ let destination_ranges = destination_ranges
+ .iter()
+ .map(RangeInclusive::from)
+ .chain(alias_destination_ranges.iter().map(RangeInclusive::from));
 let (dest_addrs_v4, dest_addrs_v6) =
- process_destination_addrs(&destination, &destination_ranges);
+ process_destination_addrs(&destination, destination_ranges);
 // prepare destination ports
 let destination_ports = merge_port_ranges(ports);
@@ -212,8 +213,10 @@ pub async fn generate_firewall_rules_from_acls(
 let alias_destination_ranges = alias.get_destination_ranges(&mut *conn).await?;
 // combine destination addrs
+ let alias_destination_ranges =
+ alias_destination_ranges.iter().map(RangeInclusive::from);
 let (dest_addrs_v4, dest_addrs_v6) =
- process_alias_destination_addrs(&alias.destination, &alias_destination_ranges);
+ process_destination_addrs(&alias.destination, alias_destination_ranges);
 // process alias ports
 let alias_ports = alias.ports.into_iter().map(Into::into).collect::>();
@@ -427,19 +430,21 @@ fn get_source_addrs(
 merge_addrs(source_addrs)
 }
-/// Convert destination networks and ranges configured in an ACL rule
-/// into the correct format for a firewall rule. This includes:
-/// - combining all addr lists
-/// - converting to gRPC IpAddress struct
-/// - merging into the smallest possible list of non-overlapping ranges,
-/// subnets and addresses
+/// Converts destination networks and IP ranges into firewall-rule destination addresses.
+///
+/// The function keeps IPv4 and IPv6 data separate, ignores mixed-version ranges, converts
+/// compatible networks to inclusive IP ranges, and merges the result into the smallest possible
+/// list of non-overlapping subnets, ranges, and single addresses.
 ///
-/// Return a 2-tuple of `Vec` with all IPv4 addresses in the
-/// first field and IPv6 addresses in the second.
-fn process_destination_addrs(
+/// Returns a 2-tuple of `Vec` with IPv4 destinations first and IPv6 destinations
+/// second.
+fn process_destination_addrs(
 dest_ipnets: &[IpNetwork],
- dest_ranges: &[AclRuleDestinationRange],
-) -> (Vec, Vec) {
+ dest_ranges: I,
+) -> (Vec, Vec)
+where
+ I: IntoIterator>,
+{
 // Separate IP v4 and v6 addresses and convert networks to intermediate range representation for merging
 let ipv4_dest_net_addrs = dest_ipnets
 .iter()
@@ -456,59 +461,19 @@ fn process_destination_addrs(
 });
 // Separate IP v4 and v6 ranges.
- let ipv4_dest_ranges = dest_ranges
- .iter()
- .filter(|dst| dst.start.is_ipv4() && dst.end.is_ipv4())
- .map(RangeInclusive::from);
- let ipv6_dest_ranges = dest_ranges
- .iter()
- .filter(|dst| dst.start.is_ipv6() && dst.end.is_ipv6())
- .map(RangeInclusive::from);
-
- // combine iterators
- let ipv4_dest_addrs = ipv4_dest_net_addrs.chain(ipv4_dest_ranges).collect();
- let ipv6_dest_addrs = ipv6_dest_net_addrs.chain(ipv6_dest_ranges).collect();
+ let mut ipv4_dest_ranges = Vec::new();
+ let mut ipv6_dest_ranges = Vec::new();
- (merge_addrs(ipv4_dest_addrs), merge_addrs(ipv6_dest_addrs))
-}
-
-/// Convert destination networks and ranges configured in an ACL alias
-/// into the correct format for a firewall rule. This includes:
-/// - combining all addr lists
-/// - converting to gRPC IpAddress struct
-/// - merging into the smallest possible list of non-overlapping ranges,
-/// subnets and addresses
-///
-/// Return a 2-tuple of `Vec` with all IPv4 addresses in the
-/// first field and IPv6 addresses in the second.
-fn process_alias_destination_addrs(
- dest_ipnets: &[IpNetwork],
- dest_ranges: &[AclAliasDestinationRange],
-) -> (Vec, Vec) {
- // Separate IP v4 and v6 addresses and convert networks to intermediate range representation for merging
- let ipv4_dest_net_addrs = dest_ipnets
- .iter()
- .filter(|dst| dst.is_ipv4())
- .map(|dst| dst.network()..=dst.broadcast());
- let ipv6_dest_net_addrs = dest_ipnets.iter().filter_map(|dst| {
- if let IpNetwork::V6(subnet) = dst {
- let range_start = subnet.network().into();
- let range_end = get_last_ip_in_v6_subnet(subnet);
- Some(range_start..=range_end)
- } else {
- None
+ for dest_range in dest_ranges {
+ if dest_range.start().is_ipv4() && dest_range.end().is_ipv4() {
+ ipv4_dest_ranges.push(dest_range);
+ continue;
 }
- });
- // Separate IP v4 and v6 ranges.
- let ipv4_dest_ranges = dest_ranges
- .iter()
- .filter(|dst| dst.start.is_ipv4() && dst.end.is_ipv4())
- .map(RangeInclusive::from);
- let ipv6_dest_ranges = dest_ranges
- .iter()
- .filter(|dst| dst.start.is_ipv6() && dst.end.is_ipv6())
- .map(RangeInclusive::from);
+ if dest_range.start().is_ipv6() && dest_range.end().is_ipv6() {
+ ipv6_dest_ranges.push(dest_range);
+ }
+ }
 // combine iterators
 let ipv4_dest_addrs = ipv4_dest_net_addrs.chain(ipv4_dest_ranges).collect();
diff --git a/crates/defguard_core/src/enterprise/firewall/tests.rs b/crates/defguard_core/src/enterprise/firewall/tests.rs
index fb1722d0e1..c4975e7074 100644
--- a/crates/defguard_core/src/enterprise/firewall/tests.rs
+++ b/crates/defguard_core/src/enterprise/firewall/tests.rs
@@ -33,17 +33,6 @@ use crate::{
 },
 };
-impl Default for AclRuleDestinationRange {
- fn default() -> Self {
- Self {
- id: Id::default(),
- rule_id: Id::default(),
- start: IpAddr::V4(Ipv4Addr::UNSPECIFIED),
- end: IpAddr::V4(Ipv4Addr::UNSPECIFIED),
- }
- }
-}
-
 fn random_user_with_id(rng: &mut R, id: Id) -> User {
 let mut user: User = rng.r#gen();
 user.id = id;
@@ -248,6 +237,18 @@ async fn add_alias_destination_range(pool: &PgPool, alias_id: Id, start: IpAddr,
 .unwrap();
 }
+async fn add_rule_destination_range(pool: &PgPool, rule_id: Id, start: IpAddr, end: IpAddr) {
+ AclRuleDestinationRange {
+ id: NoId,
+ rule_id,
+ start,
+ end,
+ }
+ .save(pool)
+ .await
+ .unwrap();
+}
+
 async fn fetch_firewall_rules(
 pool: &PgPool,
 location: &WireguardNetwork,
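Review bot: The new loop in process_destination_addrs silently discards any range whose start and end are of different IP versions, so a misconfigured ACL destination range produces a firewall rule covering fewer destinations than the administrator configured, with no diagnostic anywhere in this path. Unless validation upstream (not visible here) already rejects such ranges, the drop deserves at least a warning-level log naming the offending range, plus a comment on the loop making the intent explicit, e.g. `// Ranges whose endpoints differ in IP version cannot be expressed in a single rule and are dropped here.`. As a point of style, the two branches collapse into one filter+partition, `let (ipv4_dest_ranges, ipv6_dest_ranges): (Vec<_>, Vec<_>) = dest_ranges.into_iter().filter(|r| r.start().is_ipv4() == r.end().is_ipv4()).partition(|r| r.start().is_ipv4());`, which states the "both endpoints share a version" invariant directly instead of via two `if`s and a `continue`. The function's body continues past the end of the hunk.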
@@ -483,19 +484,12 @@ fn test_process_destination_addrs_v4() { ]; let destination_ranges = [ - AclRuleDestinationRange { - start: IpAddr::V4(Ipv4Addr::new(10, 0, 3, 255)), - end: IpAddr::V4(Ipv4Addr::new(10, 0, 4, 0)), - ..Default::default() - }, - AclRuleDestinationRange { - start: IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 1)), // Should be filtered out - end: IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 100)), - ..Default::default() - }, + IpAddr::V4(Ipv4Addr::new(10, 0, 3, 255))..=IpAddr::V4(Ipv4Addr::new(10, 0, 4, 0)), + IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 1)) + ..=IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 100)), // Should be filtered out ]; - let destination_addrs = process_destination_addrs(&destination_ips, &destination_ranges); + let destination_addrs = process_destination_addrs(&destination_ips, destination_ranges); assert_eq!( destination_addrs.0, @@ -519,11 +513,12 @@ fn test_process_destination_addrs_v4() { ); // Test with empty input - let empty_addrs = process_destination_addrs(&[], &[]); + let empty_addrs = process_destination_addrs(&[], std::iter::empty()); assert!(empty_addrs.0.is_empty()); // Test with only IPv6 addresses - should return empty result for IPv4 - let ipv6_only = process_destination_addrs(&["2001:db8::/64".parse().unwrap()], &[]); + let ipv6_only = + process_destination_addrs(&["2001:db8::/64".parse().unwrap()], std::iter::empty()); assert!(ipv6_only.0.is_empty()); } 
@@ -538,19 +533,12 @@ fn test_process_destination_addrs_v6() { ]; let destination_ranges = vec![ - AclRuleDestinationRange { - start: IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 4, 0, 0, 0, 0, 1)), - end: IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 4, 0, 0, 0, 0, 3)), - ..Default::default() - }, - AclRuleDestinationRange { - start: IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)), // Should be filtered out - end: IpAddr::V4(Ipv4Addr::new(192, 168, 1, 100)), - ..Default::default() - }, + IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 4, 0, 0, 0, 0, 1)) + ..=IpAddr::V6(Ipv6Addr::new(0x2001, 0xdb8, 4, 0, 0, 0, 0, 3)), + IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1))..=IpAddr::V4(Ipv4Addr::new(192, 168, 1, 100)), // Should be filtered out ]; - let destination_addrs = process_destination_addrs(&destination_ips, &destination_ranges); + let destination_addrs = process_destination_addrs(&destination_ips, destination_ranges); assert_eq!( destination_addrs.1, @@ -574,11 +562,12 @@ fn test_process_destination_addrs_v6() { ); // Test with empty input - let empty_addrs = process_destination_addrs(&[], &[]); + let empty_addrs = process_destination_addrs(&[], std::iter::empty()); assert!(empty_addrs.1.is_empty()); // Test with only IPv4 addresses - should return empty result for IPv6 - let ipv4_only = process_destination_addrs(&["192.168.1.0/24".parse().unwrap()], &[]); + let ipv4_only = + process_destination_addrs(&["192.168.1.0/24".parse().unwrap()], std::iter::empty()); assert!(ipv4_only.1.is_empty()); } 
@@ -4726,6 +4715,162 @@ async fn test_component_alias_combines_with_manual_destinations( ); } +#[sqlx::test] +async fn test_component_alias_ipv6_destination_range_with_ipv4_acl_destination( + _: PgPoolOptions, + options: PgConnectOptions, +) { + let pool = setup_pool(options).await; + + let location = create_location_dual_stack(&pool, Some(false)).await; + create_user_device_assigned(&pool, &location).await; + + let acl_rule = create_acl_rule_basic( + &pool, + "Manual with Component Range", + vec!["192.168.50.0/24".parse().unwrap()], + Vec::new(), + Vec::new(), + true, + false, + false, + ) + .await; + + let component_alias = create_component_alias( + &pool, + "component alias range", + Vec::new(), + Vec::new(), + Vec::new(), + ) + .await; + add_alias_destination_range( + &pool, + component_alias.id, + IpAddr::V6(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0)), + IpAddr::V6(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 1)), + ) + .await; + + attach_alias_to_rule(&pool, acl_rule.id, component_alias.id).await; + attach_rule_to_location(&pool, acl_rule.id, location.id).await; + + let generated_firewall_rules = fetch_firewall_rules(&pool, &location).await; + assert_eq!(generated_firewall_rules.len(), 4); + + let allow_rule_ipv4 = &generated_firewall_rules[0]; + assert_eq!(allow_rule_ipv4.verdict, i32::from(FirewallPolicy::Allow)); + assert_eq!(allow_rule_ipv4.ip_version, i32::from(IpVersion::Ipv4)); + assert_eq!( + allow_rule_ipv4.destination_addrs, + vec![IpAddress { + address: Some(Address::IpSubnet("192.168.50.0/24".to_string())) + }] + ); + + let allow_rule_ipv6 = &generated_firewall_rules[1]; + assert_eq!(allow_rule_ipv6.verdict, i32::from(FirewallPolicy::Allow)); + assert_eq!(allow_rule_ipv6.ip_version, i32::from(IpVersion::Ipv6)); + assert_eq!( + allow_rule_ipv6.destination_addrs, + vec![IpAddress { + address: Some(Address::IpSubnet("fc00::/127".to_string())) + }] + ); + + let deny_rule_ipv4 = &generated_firewall_rules[2]; + assert_eq!(deny_rule_ipv4.verdict, 
i32::from(FirewallPolicy::Deny)); + assert_eq!(deny_rule_ipv4.ip_version, i32::from(IpVersion::Ipv4)); + assert_eq!( + deny_rule_ipv4.destination_addrs, + vec![IpAddress { + address: Some(Address::IpSubnet("192.168.50.0/24".to_string())) + }] + ); + + let deny_rule_ipv6 = &generated_firewall_rules[3]; + assert_eq!(deny_rule_ipv6.verdict, i32::from(FirewallPolicy::Deny)); + assert_eq!(deny_rule_ipv6.ip_version, i32::from(IpVersion::Ipv6)); + assert_eq!( + deny_rule_ipv6.destination_addrs, + vec![IpAddress { + address: Some(Address::IpSubnet("fc00::/127".to_string())) + }] + ); +} + +#[sqlx::test] +async fn test_component_alias_destination_ranges_merge_with_acl_destination_ranges( + _: PgPoolOptions, + options: PgConnectOptions, +) { + let pool = setup_pool(options).await; + + let location = create_location_dual_stack(&pool, Some(false)).await; + create_user_device_assigned(&pool, &location).await; + + let acl_rule = create_acl_rule_basic( + &pool, + "ACL and Component Ranges", + Vec::new(), + Vec::new(), + Vec::new(), + true, + false, + false, + ) + .await; + add_rule_destination_range( + &pool, + acl_rule.id, + IpAddr::V4(Ipv4Addr::new(10, 10, 10, 0)), + IpAddr::V4(Ipv4Addr::new(10, 10, 10, 3)), + ) + .await; + + let component_alias = create_component_alias( + &pool, + "component alias range", + Vec::new(), + Vec::new(), + Vec::new(), + ) + .await; + add_alias_destination_range( + &pool, + component_alias.id, + IpAddr::V4(Ipv4Addr::new(10, 10, 20, 0)), + IpAddr::V4(Ipv4Addr::new(10, 10, 20, 1)), + ) + .await; + + attach_alias_to_rule(&pool, acl_rule.id, component_alias.id).await; + attach_rule_to_location(&pool, acl_rule.id, location.id).await; + + let generated_firewall_rules = fetch_firewall_rules(&pool, &location).await; + assert_eq!(generated_firewall_rules.len(), 2); + + let expected_destination_addrs = vec![ + IpAddress { + address: Some(Address::IpSubnet("10.10.10.0/30".to_string())), + }, + IpAddress { + address: 
Some(Address::IpSubnet("10.10.20.0/31".to_string())), + }, + ]; + + let allow_rule = &generated_firewall_rules[0]; + assert_eq!(allow_rule.verdict, i32::from(FirewallPolicy::Allow)); + assert_eq!(allow_rule.ip_version, i32::from(IpVersion::Ipv4)); + assert_eq!(allow_rule.destination_addrs, expected_destination_addrs); + + let deny_rule = &generated_firewall_rules[1]; + assert_eq!(deny_rule.verdict, i32::from(FirewallPolicy::Deny)); + assert_eq!(deny_rule.ip_version, i32::from(IpVersion::Ipv4)); + assert_eq!(deny_rule.destination_addrs, expected_destination_addrs); +} + #[sqlx::test] async fn test_acl_with_no_allow_sources_creates_only_deny_rules( _: PgPoolOptions, diff --git a/flake.lock b/flake.lock index fc64b1c654..4aa1b2cc67 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1770115704, - "narHash": "sha256-KHFT9UWOF2yRPlAnSXQJh6uVcgNcWlFqqiAZ7OVlHNc=", + "lastModified": 1772963539, + "narHash": "sha256-9jVDGZnvCckTGdYT53d/EfznygLskyLQXYwJLKMPsZs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e6eae2ee2110f3d31110d5c222cd395303343b08", + "rev": "9dcb002ca1690658be4a04645215baea8b95f31d", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1770174315, - "narHash": "sha256-GUaMxDmJB1UULsIYpHtfblskVC6zymAaQ/Zqfo+13jc=", + "lastModified": 1773115373, + "narHash": "sha256-bfK9FJFcQth6f3ydYggS5m0z2NRGF/PY6Y2XgZDJ6pg=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "095c394bb91342882f27f6c73f64064fb9de9f2a", + "rev": "1924b4672a2b8e4aee6e6652ec2e59a8d3c5648e", "type": "github" }, "original": {
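Review bot: Both new tests choose ranges that sit exactly on CIDR boundaries and never overlap the rule's own destinations (fc00::–fc00::1 becomes /127, 10.10.10.0–.3 becomes /30, 10.10.20.0–.1 becomes /31), so they only exercise the range-to-subnet conversion and not the merging of an alias range with a rule range that the combined code path is meant to perform. A third case with an alias range overlapping or adjacent to the rule's range, e.g. rule `10.10.10.0..=10.10.10.3` plus alias `10.10.10.2..=10.10.10.9`, would pin the merged output; the exact expected address form depends on merge_addrs, which is not in this hunk. The assertions also depend on rule ordering by index (`generated_firewall_rules[0]` being the IPv4 allow rule), which matches the surrounding tests but deserves a one-line comment such as `// Rules are emitted as allow v4, allow v6, deny v4, deny v6` so a reordering failure is understood quickly.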