ACL 2.0 migration

crates/defguard/src/main.rs

@@ -26,6 +26,7 @@ use defguard_core::{
         limits::update_counts,
     },
     events::{ApiEvent, BidiStreamEvent},
+    gateway_config,
     grpc::{GatewayEvent, WorkerState, run_grpc_server},
     init_dev_env, init_vpn_location, run_web_server,
     setup_logs::CoreSetupLogLayer,
@@ -83,6 +84,29 @@ async fn main() -> Result<(), anyhow::Error> {
     )
     .await;
 
+    if config.openid_signing_key.is_some() {
+        info!("Using RSA OpenID signing key");
+    } else {
+        info!("Using HMAC OpenID signing key");
+    }
+
+    // initialize global settings struct
+    initialize_current_settings(&pool).await?;
+
+    debug!("Checking enterprise license status");
+    match License::load_or_renew(&pool).await {
+        Ok(license) => {
+            set_cached_license(license);
+        }
+        Err(err) => {
+            warn!(
+                "There was an error while loading the license, error: {err}. The enterprise \
+                features will be disabled."
+            );
+            set_cached_license(None);
+        }
+    }
+
     // handle optional subcommands
     if let Some(command) = &config.cmd {
         match command {
@@ -93,21 +117,16 @@ async fn main() -> Result<(), anyhow::Error> {
                 let token = init_vpn_location(&pool, args).await?;
                 println!("{token}");
             }
+            Command::GatewayConfig(args) => {
+                let config = gateway_config(&pool, args).await?;
+                println!("{config:#?}");
+            }
         }
 
         // return early
         return Ok(());
     }
 
-    if config.openid_signing_key.is_some() {
-        info!("Using RSA OpenID signing key");
-    } else {
-        info!("Using HMAC OpenID signing key");
-    }
-
-    // initialize global settings struct
-    initialize_current_settings(&pool).await?;
-
     let has_auto_adopt_flags = config.adopt_edge.is_some() || config.adopt_gateway.is_some();
     let wizard = Wizard::init(&pool, has_auto_adopt_flags).await?;
     let mut ini_server_config = true;
@@ -207,20 +226,6 @@ async fn main() -> Result<(), anyhow::Error> {
 
     update_counts(&pool).await?;
 
-    debug!("Checking enterprise license status");
-    match License::load_or_renew(&pool).await {
-        Ok(license) => {
-            set_cached_license(license);
-        }
-        Err(err) => {
-            warn!(
-                "There was an error while loading the license, error: {err}. The enterprise \
-                features will be disabled."
-            );
-            set_cached_license(None);
-        }
-    }
-
     let (proxy_control_tx, proxy_control_rx) = channel::<ProxyControlMessage>(100);
     let proxy_secret_key = settings.secret_key_required()?;
     let proxy_manager = ProxyManager::new(

crates/defguard_common/src/config.rs

@@ -196,6 +196,8 @@ pub enum Command {
         about = "Add a new VPN location and return a gateway token. Used for automated setup."
     )]
     InitVpnLocation(InitVpnLocationArgs),
+    #[command(about = "Output the gateway gRPC configuration payload for a VPN location by ID.")]
+    GatewayConfig(GatewayConfigArgs),
 }
 
 #[derive(Args, Debug, Clone)]
@@ -220,6 +222,12 @@ pub struct InitVpnLocationArgs {
     pub id: Option<i64>,
 }
 
+#[derive(Args, Debug, Clone)]
+pub struct GatewayConfigArgs {
+    #[arg(long)]
+    pub location_id: i64,
+}
+
 impl DefGuardConfig {
     #[must_use]
     pub fn new() -> Self {

crates/defguard_core/src/lib.rs

@@ -16,7 +16,7 @@ use defguard_certs::CertificateAuthority;
 use defguard_common::{
     VERSION,
     auth::claims::{Claims, ClaimsType},
-    config::{DefGuardConfig, InitVpnLocationArgs, server_config},
+    config::{DefGuardConfig, GatewayConfigArgs, InitVpnLocationArgs, server_config},
     db::{
         init_db,
         models::{
@@ -31,6 +31,7 @@ use defguard_common::{
     },
     types::proxy::ProxyControlMessage,
 };
+use defguard_proto::gateway::Configuration;
 use defguard_version::server::DefguardVersionLayer;
 use defguard_web_ui::{index, svg, web_asset};
 use events::ApiEvent;
@@ -79,6 +80,7 @@ use crate::{
     auth::failed_login::FailedLoginMap,
     db::AppEvent,
     enterprise::{
+        firewall::try_get_location_firewall_config,
         handlers::{
             acl::{
                 alias::{
@@ -169,7 +171,9 @@ use crate::{
         },
         worker::{create_job, create_worker_token, job_status, list_workers, remove_worker},
     },
-    location_management::sync_location_allowed_devices,
+    location_management::{
+        allowed_peers::get_location_allowed_peers, sync_location_allowed_devices,
+    },
     version::IncompatibleComponents,
 };
 
@@ -936,6 +940,46 @@ pub async fn init_vpn_location(
     Ok(token)
 }
 
+pub async fn gateway_config(
+    pool: &PgPool,
+    args: &GatewayConfigArgs,
+) -> Result<Configuration, anyhow::Error> {
+    let location_id = args.location_id;
+
+    let mut conn = pool.acquire().await?;
+
+    // fetch specified location
+    let location = match WireguardNetwork::find_by_id(&mut *conn, location_id).await {
+        Ok(Some(network)) => network,
+        Ok(None) => return Err(anyhow!("Location {location_id} not found")),
+        Err(err) => {
+            return Err(anyhow!(
+                "Failed to rerieve location {location_id} with error: {err}"
+            ));
+        }
+    };
+
+    // get peers
+    let peers = get_location_allowed_peers(&location, &mut *conn)
+        .await
+        .map_err(|err| anyhow!("Failed to get peers for location {location} with error: {err}"))?;
+
+    // prepare firewall config
+    let maybe_firewall_config = try_get_location_firewall_config(&location, &mut conn)
+        .await
+        .map_err(|err| {
+            anyhow!("Failed to prepare firewall config for location {location} with error: {err}")
+        })?;
+
+    // generate config
+    let mut config = Configuration::new(&location, peers, maybe_firewall_config);
+
+    // overwrite private key just in case
+    config.prvkey = "REDACTED".into();
+
+    Ok(config)
+}
+
 pub fn is_valid_phone_number(number: &str) -> bool {
     PHONE_NUMBER_REGEX.is_match(number)
 }

crates/defguard_gateway_manager/src/handler.rs

@@ -143,7 +143,7 @@ impl GatewayHandler {
         let peers = get_location_allowed_peers(&network, &self.pool).await?;
 
         let maybe_firewall_config = try_get_location_firewall_config(&network, &mut conn).await?;
-        let payload = Some(core_response::Payload::Config(gen_config(
+        let payload = Some(core_response::Payload::Config(Configuration::new(
             &network,
             peers,
             maybe_firewall_config,
@@ -790,20 +790,3 @@ fn try_protos_into_stats_message(
         latest_handshake,
     ))
 }
-
-fn gen_config(
-    network: &WireguardNetwork<Id>,
-    peers: Vec<Peer>,
-    maybe_firewall_config: Option<FirewallConfig>,
-) -> Configuration {
-    Configuration {
-        name: network.name.clone(),
-        port: network.port.cast_unsigned(),
-        prvkey: network.prvkey.clone(),
-        addresses: network.address.iter().map(ToString::to_string).collect(),
-        peers,
-        firewall_config: maybe_firewall_config,
-        mtu: network.mtu.cast_unsigned(),
-        fwmark: network.fwmark as u32,
-    }
-}

crates/defguard_proto/src/lib.rs

@@ -23,7 +23,7 @@ use defguard_common::{
     db::{
         Id,
         models::{
-            Device, DeviceConfig, User,
+            Device, DeviceConfig, User, WireguardNetwork,
             vpn_client_session::VpnClientMfaMethod,
             wireguard::{LocationMfaMode, ServiceLocationMode},
         },
@@ -33,6 +33,11 @@ use proxy::{CoreError, MfaMethod};
 use serde::Serialize;
 use tonic::Status;
 
+use crate::{
+    enterprise::firewall::FirewallConfig,
+    gateway::{Configuration, Peer},
+};
+
 // Client MFA methods
 impl fmt::Display for MfaMethod {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
@@ -159,3 +164,22 @@ impl From<ServiceLocationMode> for proxy::ServiceLocationMode {
         }
     }
 }
+
+impl Configuration {
+    pub fn new(
+        location: &WireguardNetwork<Id>,
+        peers: Vec<Peer>,
+        maybe_firewall_config: Option<FirewallConfig>,
+    ) -> Self {
+        Self {
+            name: location.name.clone(),
+            port: location.port.cast_unsigned(),
+            prvkey: location.prvkey.clone(),
+            addresses: location.address.iter().map(ToString::to_string).collect(),
+            peers,
+            firewall_config: maybe_firewall_config,
+            mtu: location.mtu.cast_unsigned(),
+            fwmark: location.fwmark as u32,
+        }
+    }
+}

migrations/20251218140442_[2.0.0]_initial.down.sql

@@ -18,6 +18,11 @@ DROP FUNCTION row_change();
 DROP TABLE gateway;
 
 -- Restore ACL naming and flags from before 2.0.0.
+ALTER TABLE aclrule RENAME COLUMN addresses TO destination;
+ALTER TABLE aclrule RENAME COLUMN all_locations TO all_networks;
+
+ALTER TABLE aclalias RENAME COLUMN addresses TO destination;
+
 ALTER TABLE aclrule
     DROP COLUMN any_address,
     DROP COLUMN any_port,
@@ -26,16 +31,11 @@ ALTER TABLE aclrule
     DROP COLUMN allow_all_groups,
     DROP COLUMN deny_all_groups;
 
-ALTER TABLE aclrule RENAME COLUMN addresses TO destination;
-ALTER TABLE aclrule RENAME COLUMN all_locations TO all_networks;
-
 ALTER TABLE aclalias
     DROP COLUMN any_address,
     DROP COLUMN any_port,
     DROP COLUMN any_protocol;
 
-ALTER TABLE aclalias RENAME COLUMN addresses TO destination;
-
 -- Remove 2.0.0 OpenID provider extensions.
 ALTER TABLE openidprovider DROP COLUMN kind;
 DROP TYPE openid_provider_kind;