Allowed groups

[moubctez]

No description provided.

[Copilot]

Pull request overview

Introduces an explicit allow_all_groups flag for WireGuard network access control, separating “everyone can access” from “only specific groups can access”, and propagates this through the DB schema, Rust backend logic, and the web UI.

Changes:

• Add allow_all_groups column + migrate existing data with a default.
• Update backend models/handlers and access checks to use allow_all_groups (and adjust group/network queries accordingly).
• Update web UI types and location add/edit/list flows to support the new access mode; update tests and SQLx offline metadata.

Reviewed changes

Copilot reviewed 67 out of 68 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
web/src/shared/api/types.ts	Adds allow_all_groups to location API types.
web/src/pages/LocationsPage/components/LocationsTable.tsx	Renders “All allowed” based on allow_all_groups.
web/src/pages/EditLocationPage/EditLocationPage.tsx	Adds form support for allow_all_groups and clears groups when enabled.
web/src/pages/AddLocationPage/useAddLocationStore.tsx	Adds allow_all_groups to add-location wizard state defaults.
web/src/pages/AddLocationPage/steps/AddLocationAccessStep.tsx	Adds UI toggle for “All groups have access” during location creation.
migrations/20260312110000_[2.0.0]_wireguard_network_allow_all_groups.up.sql	Adds allow_all_groups column with default.
migrations/20260312110000_[2.0.0]_wireguard_network_allow_all_groups.down.sql	Drops allow_all_groups column.
crates/defguard_setup/src/auto_adoption.rs	Updates WireguardNetwork constructor call with new parameter.
crates/defguard_session_manager/tests/common/mod.rs	Updates test helper constructor call with new parameter.
crates/defguard_gateway_manager/src/tests.rs	Updates gateway-manager tests for new constructor signature.
crates/defguard_core/tests/integration/grpc/gateway.rs	Updates gRPC integration tests for new constructor signature.
crates/defguard_core/tests/integration/api/wireguard_network_import.rs	Updates import API test payloads for allow_all_groups.
crates/defguard_core/tests/integration/api/wireguard_network_devices.rs	Updates device API tests to include new access fields.
crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs	Adjusts allowed-groups tests to new semantics.
crates/defguard_core/tests/integration/api/wireguard.rs	Updates wireguard API tests for new access behavior.
crates/defguard_core/tests/integration/api/enterprise_settings.rs	Inlines network creation in tests to set allow_all_groups.
crates/defguard_core/tests/integration/api/common/mod.rs	Updates shared network creation helper payload.
crates/defguard_core/tests/integration/api/acl/rules.rs	Updates ACL API tests for new constructor signature.
crates/defguard_core/src/wg_config.rs	Updates config parsing to pass allow_all_groups into network creation.
crates/defguard_core/src/location_management/tests.rs	Updates location-management tests for new field in model.
crates/defguard_core/src/location_management/mod.rs	Updates mapped-device handling to use allow_all_groups gating.
crates/defguard_core/src/location_management/allowed_peers.rs	Minor SQL boolean predicate simplification.
crates/defguard_core/src/lib.rs	Updates dev/init helpers to pass new constructor parameter.
crates/defguard_core/src/handlers/wireguard.rs	Adds request field + wiring for allow_all_groups across create/modify/import.
crates/defguard_core/src/handlers/group.rs	Adjusts groups-info query to include allow_all_groups networks.
crates/defguard_core/src/grpc/proxy/client_mfa.rs	Uses allow_all_groups in MFA access validation.
crates/defguard_core/src/enterprise/firewall/tests/mod.rs	Minor test struct init tweaks (defaults/types) and array literal adjustment.
crates/defguard_core/src/enterprise/firewall/mod.rs	Minor SQL boolean predicate simplification.
crates/defguard_core/src/enterprise/directory_sync/tests.rs	Updates tests for new set_allowed_groups signature and tweaks messages.
crates/defguard_core/src/enterprise/db/models/api_tokens.rs	Minor SQL boolean predicate simplification.
crates/defguard_core/src/enterprise/db/models/acl/tests.rs	Updates ACL model tests for new constructor signature.
crates/defguard_core/src/enterprise/db/models/acl.rs	Extends network selects with allow_all_groups + boolean predicate simplification.
crates/defguard_common/src/db/models/wizard.rs	Minor SQL boolean predicate simplification.
crates/defguard_common/src/db/models/wireguard.rs	Adds allow_all_groups, refactors allowed-groups API, and updates queries.
crates/defguard_common/src/db/models/user.rs	Minor SQL boolean predicate simplification.
crates/defguard_common/src/db/models/setup_auto_adoption.rs	Minor SQL boolean predicate simplification.
crates/defguard_common/src/db/models/migration_wizard.rs	Minor SQL boolean predicate simplification.
crates/defguard_common/src/db/models/initial_setup_wizard.rs	Minor SQL boolean predicate simplification.
crates/defguard_common/src/db/models/group.rs	Updates group->vpn-location query to include allow_all_groups networks.
crates/defguard_common/src/db/models/device.rs	Extends network selects with allow_all_groups and formats query.
Cargo.lock	Dependency lockfile updates.
.sqlx/query-f946b5af07deecd30171260b8b760c27581ac94753f81a529b7814c23748d3db.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-f475c5922df8b773a594e80e252a456bd6e531036a0046ba87f5ea9834d88a8f.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-eedf2266dbae38e45b9bc4e9a41352324d9d3d567b4c35957997c0b52092cfe1.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-eabe841f211c8fab042d3dbb0166610188ce73aa66e76726aeaedfbb4ecf3290.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-df601202e8bf0cb5978581ebea3b5799549a3a4bf9735f7fd160b359653e5fe5.json	Updates SQLx offline metadata (groups-info join change).
.sqlx/query-d77e4f1215408d6ac39fa8315dded8326e6d79958b6fdfe9252aefa00b81c375.json	Updates SQLx offline metadata (wizard predicate change).
.sqlx/query-d0f1dff40c9ebff747315a9230ca76689c92a45a6ead1f7b821ca680f8ac7055.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-c58c7b4dc7463a93895b17d591e3e4a83ac3623590674e47bb1a1dbf9c25d77f.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-bd0af2042bc33fdfc894514961af7a2b5bc013082b961d1f667b5fe55a7f996a.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-b51c57865a5585c28061462655fbcd5a6f22b46090aff2bfe2af5f04cee4fcb4.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-ab17ac33cd462975a6e8975d4a8cc6700f42030c507917ef9fb3acf3523a802b.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-a7e7af2754523b08fae3a2b79557db912ffd435531786493413df45b255adae9.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-9ef3bbc058409f578f68a6a186dc0d60a34a755bf3acbdbc5620ba88be00872d.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-9b1906f583d613959baa6dbe348cc57742b3e19a2548d2631a72108d737c7c29.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-97a72f3016ead166cb12b02a88df534fa5fb4148d65585ffa445e6b8faf5a30b.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-8c17a407e2ded35ca49180b1dc56e10ef743bc4ddbdd6bf7d801a782d2e03e1f.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-68612652f823a456563f91e69f99a0cb01b856ebf973cca2dd6ab9ec46a98e33.json	Updates SQLx offline metadata (update adds allow_all_groups).
.sqlx/query-685781e7a9a4971124f3fda74cda168898beb739aa3ff7abf9e625918034c436.json	Updates SQLx offline metadata (insert adds allow_all_groups).
.sqlx/query-660bd0146db2168c27775429cd3557040f57dae496d43dea49289f9a5d907129.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-60e52199fdb9ac82621147e70e463f9afa2f96d12730d0bff07945b8a67884e3.json	Updates SQLx offline metadata (select adds allow_all_groups).
.sqlx/query-54fada56be8b91633550c77f7259703bcc3163f4935898d0988a6045c29e7dd8.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-40a3146c95620a9c4632b9529bc3eaf179e9b8ad4657a50cdbf19e3c599b5496.json	Updates SQLx offline metadata (query formatting change).
.sqlx/query-26291ea69ff50ad4cc2a0ab014225da834839d7a4934331ea8d993e1043c359d.json	Updates SQLx offline metadata (group vpn locations query change).
.sqlx/query-21a3c5d3ea54a1b78bb6012e59c49216864fb05871f92a87110e99a05ace14ee.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-14f22dfa4eb01052c552ca6b05746c4b49b4766c0fd2d4144bcd5c252222d7e7.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-1151dfec098a686f3d15154de87b701cc13c06dacb8981cba46c9d5a1fcc69e7.json	Updates SQLx offline metadata (boolean predicate change).
.sqlx/query-0798f7c6357c0017eda60fc08cf778914258ea9837bd59df7a1f8384fa436307.json	Updates SQLx offline metadata (boolean predicate change).

Comments suppressed due to low confidence (2)

web/src/pages/AddLocationPage/useAddLocationStore.tsx:36

• Defaulting allow_all_groups to false means a new location will become admin-only if the user doesn’t select any groups (since empty allowed_groups no longer implies "all" on the backend). If the intended default is the previous behavior, set this default to true and/or ensure the UI makes the "no groups selected" semantics explicit.
  crates/defguard_core/src/handlers/wireguard.rs:74
• allow_all_groups is a required field on WireguardNetworkData. Any existing API clients that POST/PUT networks without this new field will fail JSON deserialization (breaking change). Consider adding a serde default (ideally defaulting to true to preserve the previous "empty allowed_groups means allow all" behavior) or making the field optional and applying a server-side default in create/modify handlers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@moubctez I've opened a new pull request, #2337, to work on those changes. Once the pull request is ready, I'll request review from you.