diff --git a/Cargo.lock b/Cargo.lock index a5bb989fbe..9eef7ef279 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1488,6 +1488,7 @@ dependencies = [ "defguard_version", "hyper-rustls", "hyper-util", + "prost-types", "reqwest", "semver", "serde_json", @@ -1559,6 +1560,7 @@ version = "0.0.0" dependencies = [ "defguard_common", "prost", + "prost-types", "serde", "tonic", "tonic-prost", diff --git a/Cargo.toml b/Cargo.toml index d73543e7d7..73416b02ba 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -76,6 +76,7 @@ parse_link_header = "0.4" paste = "1.0" pgp = { version = "0.19", default-features = false } prost = "0.14" +prost-types = "0.14" pulldown-cmark = "0.13" # match version used by sqlx rand = "0.8" diff --git a/crates/defguard_core/src/enterprise/firewall/mod.rs b/crates/defguard_core/src/enterprise/firewall/mod.rs index 8b960ba5f4..bf4b793c83 100644 --- a/crates/defguard_core/src/enterprise/firewall/mod.rs +++ b/crates/defguard_core/src/enterprise/firewall/mod.rs @@ -559,6 +559,7 @@ fn get_source_addrs( None } } + IpVersion::Unspecified => None, }) .collect(); diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs index 6b595cde4f..0d794e5f9a 100644 --- a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs +++ b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs @@ -1,5 +1,8 @@ use defguard_common::{db::models::Settings, types::AuthFlowType}; -use defguard_proto::proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo, MfaMethod}; +use defguard_proto::{ + client_types::MfaMethod, + proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo}, +}; use openidconnect::{AuthorizationCode, Nonce}; use tonic::Status; diff --git a/crates/defguard_core/src/enterprise/grpc/polling.rs b/crates/defguard_core/src/enterprise/grpc/polling.rs index fef268fcbb..43bd272c20 100644 --- a/crates/defguard_core/src/enterprise/grpc/polling.rs 
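Review bot: The new `IpVersion::Unspecified => None` arm in `get_source_addrs` silently discards any address whose version is unset, and whether that narrows or widens the resulting firewall rule depends on how an empty source list is interpreted downstream, which is not visible here. If an empty list is treated as "any source", a malformed or unset version would turn a scoped rule into a broad one without leaving a trace. Consider logging the skipped entry with the logging macro the module already uses, e.g. `IpVersion::Unspecified => { warn!("firewall rule address has unspecified IP version; skipping"); None }`, or surfacing it as an error if the callers can handle one. `get_source_addrs` begins and ends outside the hunk.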
+++ b/crates/defguard_core/src/enterprise/grpc/polling.rs @@ -2,7 +2,10 @@ use defguard_common::db::{ Id, models::{Device, polling_token::PollingToken, user::User}, }; -use defguard_proto::proxy::{DeviceInfo, InstanceInfoRequest, InstanceInfoResponse}; +use defguard_proto::{ + client_types::{InstanceInfoRequest, InstanceInfoResponse}, + proxy::DeviceInfo, +}; use sqlx::PgPool; use tonic::Status; diff --git a/crates/defguard_core/src/events.rs b/crates/defguard_core/src/events.rs index 93b0697fe9..0366f9a31e 100644 --- a/crates/defguard_core/src/events.rs +++ b/crates/defguard_core/src/events.rs @@ -8,7 +8,7 @@ use defguard_common::db::{ gateway::Gateway, group::Group, oauth2client::OAuth2Client, proxy::Proxy, }, }; -use defguard_proto::proxy::MfaMethod; +use defguard_proto::client_types::MfaMethod; use crate::{ db::WebHook, diff --git a/crates/defguard_core/src/grpc/client_version.rs b/crates/defguard_core/src/grpc/client_version.rs index af2c03cf0b..cc4a038fe1 100644 --- a/crates/defguard_core/src/grpc/client_version.rs +++ b/crates/defguard_core/src/grpc/client_version.rs @@ -1,5 +1,5 @@ use base64::{Engine, prelude::BASE64_STANDARD}; -use defguard_proto::proxy::{ClientPlatformInfo, DeviceInfo}; +use defguard_proto::{client_types::ClientPlatformInfo, proxy::DeviceInfo}; use prost::Message; use semver::Version; diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs index eb68fcb26a..e56186a850 100644 --- a/crates/defguard_core/src/grpc/mod.rs +++ b/crates/defguard_core/src/grpc/mod.rs @@ -194,7 +194,7 @@ impl InstanceInfo { } } -impl From for defguard_proto::proxy::InstanceInfo { +impl From for defguard_proto::client_types::InstanceInfo { fn from(instance: InstanceInfo) -> Self { Self { name: instance.name, diff --git a/crates/defguard_core/src/grpc/proxy/client_mfa.rs b/crates/defguard_core/src/grpc/proxy/client_mfa.rs index 42e1b9677c..5f5c6dc8e2 100644 --- a/crates/defguard_core/src/grpc/proxy/client_mfa.rs 
+++ b/crates/defguard_core/src/grpc/proxy/client_mfa.rs @@ -19,11 +19,16 @@ use defguard_common::{ types::user_info::UserInfo, }; use defguard_mail::templates::mfa_code_mail; -use defguard_proto::proxy::{ - self, AwaitRemoteMfaFinishRequest, AwaitRemoteMfaFinishResponse, ClientMfaFinishRequest, - ClientMfaFinishResponse, ClientMfaStartRequest, ClientMfaStartResponse, - ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse, CoreResponse, MfaMethod, - core_response::Payload, +use defguard_proto::{ + client_types::{ + ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest, + ClientMfaStartResponse, MfaMethod, + }, + proxy::{ + self, AwaitRemoteMfaFinishRequest, AwaitRemoteMfaFinishResponse, + ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse, CoreResponse, + core_response::Payload, + }, }; use sqlx::{PgConnection, PgPool}; use thiserror::Error; diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs index a9ac22b5fc..801ed626bc 100644 --- a/crates/defguard_core/src/grpc/utils.rs +++ b/crates/defguard_core/src/grpc/utils.rs @@ -11,9 +11,12 @@ use defguard_common::{ }, }, }; -use defguard_proto::proxy::{ - DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, DeviceInfo, - LocationMfaMode as ProtoLocationMfaMode, +use defguard_proto::{ + client_types::{ + DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, + LocationMfaMode as ProtoLocationMfaMode, + }, + proxy::DeviceInfo, }; use sqlx::PgPool; use tonic::Status; 
@@ -94,33 +97,31 @@ pub async fn build_device_config_response( // DEPRECATED(1.5): superseeded by location_mfa_mode let mfa_enabled = network.location_mfa_mode == LocationMfaMode::Internal; - let config = - ProtoDeviceConfig { - config: Device::create_config(&network, &wireguard_network_device), - network_id: network.id, - network_name: network.name, - assigned_ip: wireguard_network_device.wireguard_ips.as_csv(), - endpoint: format!("{}:{}", network.endpoint, network.port), - pubkey: network.pubkey, - allowed_ips: network.allowed_ips.as_csv(), - dns: network.dns, - keepalive_interval: network.keepalive_interval, - #[allow(deprecated)] - mfa_enabled, - location_mfa_mode: Some( - >::into( - network.location_mfa_mode, - ) - .into(), - ), - service_location_mode: - Some( - >::into(network.service_location_mode) - .into(), - ), - }; + let config = ProtoDeviceConfig { + config: Device::create_config(&network, &wireguard_network_device), + network_id: network.id, + network_name: network.name, + assigned_ip: wireguard_network_device.wireguard_ips.as_csv(), + endpoint: format!("{}:{}", network.endpoint, network.port), + pubkey: network.pubkey, + allowed_ips: network.allowed_ips.as_csv(), + dns: network.dns, + keepalive_interval: network.keepalive_interval, + #[allow(deprecated)] + mfa_enabled, + location_mfa_mode: Some( + >::into( + network.location_mfa_mode, + ) + .into(), + ), + service_location_mode: Some( + >::into(network.service_location_mode) + .into(), + ), + }; configs.push(config); } } else { @@ -173,13 +174,12 @@ pub async fn build_device_config_response( ) .into(), ), - service_location_mode: - Some( - >::into(network.service_location_mode) - .into(), - ), + service_location_mode: Some( + >::into(network.service_location_mode) + .into(), + ), }; configs.push(config); } diff --git a/crates/defguard_core/src/handlers/component_setup.rs b/crates/defguard_core/src/handlers/component_setup.rs index 94fc628f8b..2b79aff10b 100644 
--- a/crates/defguard_core/src/handlers/component_setup.rs +++ b/crates/defguard_core/src/handlers/component_setup.rs @@ -29,10 +29,11 @@ use defguard_common::{ types::proxy::ProxyControlMessage, }; use defguard_proto::{ + common::{CertificateInfo, DerPayload}, gateway::gateway_setup_client::GatewaySetupClient, proxy::{ - AcmeChallenge, AcmeLogs, AcmeStep, CertificateInfo, DerPayload, acme_issue_event, - proxy_client::ProxyClient, proxy_setup_client::ProxySetupClient, + AcmeChallenge, AcmeLogs, AcmeStep, acme_issue_event, proxy_client::ProxyClient, + proxy_setup_client::ProxySetupClient, }, }; use defguard_version::{Version, client::ClientVersionInterceptor}; @@ -946,7 +947,7 @@ pub async fn setup_gateway_tls_stream( }; let csr_response = match client - .get_csr(defguard_proto::gateway::CertificateInfo { + .get_csr(CertificateInfo { cert_hostname: hostname.to_string(), }) .await @@ -1007,7 +1008,7 @@ pub async fn setup_gateway_tls_stream( // Step 6: Configure TLS yield Ok(flow.step(SetupStep::ConfiguringTls)); - let response = defguard_proto::gateway::DerPayload { + let response = DerPayload { der_data: cert.der().to_vec(), }; diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs index 7042efa8bb..e108ab6167 100644 --- a/crates/defguard_core/src/lib.rs +++ b/crates/defguard_core/src/lib.rs @@ -1046,7 +1046,7 @@ pub async fn gateway_config( let mut config = Configuration::new(&location, peers, maybe_firewall_config); // overwrite private key just in case - config.prvkey = "REDACTED".into(); + config.private_key = "REDACTED".into(); Ok(config) } diff --git a/crates/defguard_core/tests/integration/grpc/health.rs b/crates/defguard_core/tests/integration/grpc/health.rs index c2e1e5a348..ac6c15f89e 100644 --- a/crates/defguard_core/tests/integration/grpc/health.rs +++ b/crates/defguard_core/tests/integration/grpc/health.rs 
@@ -13,7 +13,7 @@ async fn worker_service_health_is_serving(_: PgPoolOptions, options: PgConnectOp let response = client .check(HealthCheckRequest { - service: "worker.WorkerService".into(), + service: "defguard.worker.v1.WorkerService".into(), }) .await .expect("health check should succeed") diff --git a/crates/defguard_gateway_manager/Cargo.toml b/crates/defguard_gateway_manager/Cargo.toml index 9afb53828e..f7fbdb262d 100644 --- a/crates/defguard_gateway_manager/Cargo.toml +++ b/crates/defguard_gateway_manager/Cargo.toml @@ -18,6 +18,7 @@ defguard_version.workspace = true anyhow.workspace = true chrono.workspace = true hyper-rustls.workspace = true +prost-types.workspace = true reqwest.workspace = true semver.workspace = true serde_json.workspace = true diff --git a/crates/defguard_gateway_manager/src/handler.rs b/crates/defguard_gateway_manager/src/handler.rs index 6609c3222b..1bbb95bc73 100644 --- a/crates/defguard_gateway_manager/src/handler.rs +++ b/crates/defguard_gateway_manager/src/handler.rs @@ -32,8 +32,8 @@ use defguard_grpc_tls::{certs as tls_certs, connector::HttpsSchemeConnector}; use defguard_proto::{ enterprise::firewall::FirewallConfig, gateway::{ - Configuration, CoreResponse, Peer, PeerStats, Update, core_request, core_response, - gateway_client, update, + Configuration, CoreResponse, Peer, PeerStats, Update, UpdateType, core_request, + core_response, gateway_client, update, }, }; use defguard_version::client::ClientVersionInterceptor; @@ -429,7 +429,7 @@ impl GatewayHandler { debug!("Message from Gateway {uri}"); match received.payload { - Some(core_request::Payload::ConfigRequest(_config_request)) => { + Some(core_request::Payload::ConfigRequest(())) => { if config_sent { warn!( "Ignoring repeated configuration request from {}", 
@@ -686,7 +686,12 @@ impl GatewayUpdatesHandler { let result = match update { GatewayEvent::NetworkCreated(network_id, network) => { if network_id == self.network_id { - self.send_network_update(&network, Vec::new(), None, 0) + self.send_network_update( + &network, + Vec::new(), + None, + UpdateType::Create as i32, + ) } else { Ok(()) } @@ -698,8 +703,12 @@ impl GatewayUpdatesHandler { maybe_firewall_config, ) => { if network_id == self.network_id { - let result = - self.send_network_update(&network, peers, maybe_firewall_config, 1); + let result = self.send_network_update( + &network, + peers, + maybe_firewall_config, + UpdateType::Modify as i32, + ); // update stored network data self.network = network; result @@ -725,7 +734,7 @@ impl GatewayUpdatesHandler { &device.device.name, device.device.wireguard_pubkey, network_info, - 0, + UpdateType::Create as i32, ), None => Ok(()), } @@ -741,7 +750,7 @@ impl GatewayUpdatesHandler { &device.device.name, device.device.wireguard_pubkey, network_info, - 1, + UpdateType::Modify as i32, ), None => Ok(()), } @@ -791,7 +800,7 @@ impl GatewayUpdatesHandler { &device.name, device.wireguard_pubkey, &network_info, - 0, + UpdateType::Create as i32, ) } else { Ok(()) @@ -823,7 +832,7 @@ impl GatewayUpdatesHandler { update_type, update: Some(update::Update::Network(Configuration { name: network.name.clone(), - prvkey: network.prvkey.clone(), + private_key: network.prvkey.clone(), addresses: network.address().iter().map(ToString::to_string).collect(), port: network.port.cast_unsigned(), peers, @@ -836,7 +845,11 @@ impl GatewayUpdatesHandler { let msg = format!( "Failed to send network update, network {network}, update type: {update_type} \ ({}), error: {err}", - if update_type == 0 { "CREATE" } else { "MODIFY" }, + if update_type == UpdateType::Create as i32 { + "CREATE" + } else { + "MODIFY" + }, ); error!(msg); return Err(Status::new(Code::Internal, msg)); 
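Review bot: Replacing the `0`/`1`/`2` literals with `UpdateType::… as i32` is the right direction, but `send_network_update` and the peer-update path still take the discriminant as a bare `i32`, and the log label at the end of this hunk (repeated in the `@@ -892,7 +905,11 @@` hunk on the next line) prints "MODIFY" for anything that is not `Create`, so a `Delete` or an out-of-range value would be mislabelled in the error. prost generates `TryFrom<i32>` and `as_str_name()` for the enum, so the label can be derived rather than guessed: `UpdateType::try_from(update_type).map_or("UNKNOWN", |t| t.as_str_name())`. Changing the parameter type to `UpdateType` and converting with `as i32` only where the `Update { update_type, .. }` message is built would remove the raw integer entirely and let the compiler reject stray values. The bodies of both senders continue outside the hunks.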
@@ -854,10 +867,10 @@ impl GatewayUpdatesHandler { if let Err(err) = self.tx.send(CoreResponse { id: 0, payload: Some(core_response::Payload::Update(Update { - update_type: 2, + update_type: UpdateType::Delete as i32, update: Some(update::Update::Network(Configuration { name: network_name.to_string(), - prvkey: String::new(), + private_key: String::new(), addresses: Vec::new(), port: 0, peers: Vec::new(), @@ -892,7 +905,11 @@ impl GatewayUpdatesHandler { "Failed to send peer update for network {}, update type: {update_type} ({}), \ error: {err}", self.network, - if update_type == 0 { "CREATE" } else { "MODIFY" }, + if update_type == UpdateType::Create as i32 { + "CREATE" + } else { + "MODIFY" + }, ); error!(msg); return Err(Status::new(Code::Internal, msg)); @@ -907,7 +924,7 @@ impl GatewayUpdatesHandler { if let Err(err) = self.tx.send(CoreResponse { id: 0, payload: Some(core_response::Payload::Update(Update { - update_type: 2, + update_type: UpdateType::Delete as i32, update: Some(update::Update::Peer(Peer { pubkey: peer_pubkey.into(), allowed_ips: Vec::new(), @@ -937,7 +954,7 @@ impl GatewayUpdatesHandler { if let Err(err) = self.tx.send(CoreResponse { id: 0, payload: Some(core_response::Payload::Update(Update { - update_type: 1, + update_type: UpdateType::Modify as i32, update: Some(update::Update::FirewallConfig(firewall_config)), })), }) { @@ -961,7 +978,7 @@ impl GatewayUpdatesHandler { if let Err(err) = self.tx.send(CoreResponse { id: 0, payload: Some(core_response::Payload::Update(Update { - update_type: 2, + update_type: UpdateType::Delete as i32, update: Some(update::Update::DisableFirewall(())), })), }) { 
@@ -987,8 +1004,9 @@ fn try_protos_into_stats_message( // try to parse endpoint let endpoint = proto_stats.endpoint.parse().ok()?; - let latest_handshake = DateTime::from_timestamp(proto_stats.latest_handshake as i64, 0) - .unwrap_or_default() + let latest_handshake = proto_stats + .latest_handshake + .and_then(|ts| DateTime::from_timestamp(ts.seconds, ts.nanos as u32))? .naive_utc(); Some(PeerStatsUpdate::new( @@ -1020,6 +1038,7 @@ mod tests { }; use defguard_core::grpc::GatewayEvent; use defguard_proto::gateway::{Configuration, Peer, PeerStats, core_response}; + use prost_types::Timestamp; use sqlx::postgres::{PgConnectOptions, PgPoolOptions}; use tokio::sync::{broadcast, mpsc::unbounded_channel, watch}; @@ -1050,7 +1069,10 @@ mod tests { upload: 123, download: 456, keepalive_interval: 25, - latest_handshake: 1_700_000_000, + latest_handshake: Some(prost_types::Timestamp { + seconds: 1_700_000_000, + nanos: 0, + }), allowed_ips: "10.10.0.2/32".to_string(), } } @@ -1110,21 +1132,34 @@ mod tests { } #[test] - fn try_protos_into_stats_message_falls_back_to_default_timestamp() { + fn try_protos_into_stats_message_returns_none_for_missing_handshake() { let stats = try_protos_into_stats_message( PeerStats { - latest_handshake: i64::MAX as u64, + latest_handshake: None, ..build_peer_stats("203.0.113.10:51820") }, 11, 22, - ) - .expect("valid endpoint should still produce stats"); + ); - assert_eq!( - stats.latest_handshake, - DateTime::::default().naive_utc() + assert!(stats.is_none()); + } + + #[test] + fn try_protos_into_stats_message_returns_none_for_invalid_timestamp() { + let stats = try_protos_into_stats_message( + PeerStats { + latest_handshake: Some(Timestamp { + seconds: i64::MAX, + nanos: 0, + }), + ..build_peer_stats("203.0.113.10:51820") + }, + 11, + 22, ); + + assert!(stats.is_none()); } #[test] 
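Review bot: With `.and_then(...)?`, a peer-stats message whose `latest_handshake` is `None` or carries an out-of-range timestamp now drops the whole update, including the `upload`/`download` counters, and nothing is logged; if the gateway reports no handshake for a peer that has not connected yet (plausible, though not verifiable from this hunk), that peer's stats are never recorded and the gap is invisible to operators. A `debug!`-level line before returning `None`, identifying the peer and the rejected value, would make the discarded updates observable; alternatively keep the counters and carry the handshake as an `Option` if the downstream `PeerStatsUpdate` allows it. The `ts.nanos as u32` cast also deserves a one-line comment, e.g. `// negative nanos wrap past the bound from_timestamp accepts and so map to None`, since correctness there relies on chrono's range check. `try_protos_into_stats_message` starts outside the hunk.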
@@ -1146,7 +1181,7 @@ mod tests { assert_eq!(config.name, "test-network"); assert_eq!(config.port, 51820); - assert_eq!(config.prvkey, "network-private-key"); + assert_eq!(config.private_key, "network-private-key"); assert_eq!(config.addresses, vec!["10.10.0.1/24", "fd00::1/64"]); assert_eq!(config.mtu, 1420); assert_eq!(config.fwmark, 4321); diff --git a/crates/defguard_gateway_manager/src/tests/common/mod.rs b/crates/defguard_gateway_manager/src/tests/common/mod.rs index 9be0a715de..10962eef6e 100644 --- a/crates/defguard_gateway_manager/src/tests/common/mod.rs +++ b/crates/defguard_gateway_manager/src/tests/common/mod.rs @@ -22,9 +22,8 @@ use defguard_common::{ messages::peer_stats_update::PeerStatsUpdate, }; use defguard_core::grpc::GatewayEvent; -use defguard_proto::gateway::{ - ConfigurationRequest, CoreRequest, CoreResponse, PeerStats, core_request, gateway_server, -}; +use defguard_proto::gateway::{CoreRequest, CoreResponse, PeerStats, core_request, gateway_server}; +use prost_types::Timestamp; use sqlx::{PgPool, postgres::PgConnectOptions}; use tokio::{ net::UnixListener, @@ -259,13 +258,9 @@ impl MockGatewayHarness { } pub(crate) fn send_config_request(&self) { - let request = ConfigurationRequest { - hostname: "mock-gateway".to_string(), - ..Default::default() - }; self.send_request(CoreRequest { id: self.next_message_id.fetch_add(1, Ordering::Relaxed), - payload: Some(core_request::Payload::ConfigRequest(request)), + payload: Some(core_request::Payload::ConfigRequest(())), }); } @@ -668,7 +663,10 @@ pub(crate) fn build_peer_stats(endpoint: &str) -> PeerStats { upload: 123, download: 456, keepalive_interval: 25, - latest_handshake: 1_700_000_000, + latest_handshake: Some(Timestamp { + seconds: 1_700_000_000, + nanos: 0, + }), allowed_ips: "10.10.0.2/32".to_string(), } } diff --git a/crates/defguard_proto/Cargo.toml b/crates/defguard_proto/Cargo.toml index 3400b5ed92..dbdd111dee 100644 --- a/crates/defguard_proto/Cargo.toml 
+++ b/crates/defguard_proto/Cargo.toml @@ -10,6 +10,7 @@ rust-version.workspace = true [dependencies] defguard_common.workspace = true prost.workspace = true +prost-types.workspace = true serde.workspace = true tonic.workspace = true tonic-prost.workspace = true diff --git a/crates/defguard_proto/build.rs b/crates/defguard_proto/build.rs index 367ccb94c7..ad682baf13 100644 --- a/crates/defguard_proto/build.rs +++ b/crates/defguard_proto/build.rs @@ -1,4 +1,6 @@ -fn main() -> Result<(), Box> { +use std::error::Error; + +fn main() -> Result<(), Box> { tonic_prost_build::configure() // These types contain sensitive data. .skip_debug([ @@ -17,18 +19,16 @@ fn main() -> Result<(), Box> { .protoc_arg("--experimental_allow_proto3_optional") .compile_protos( &[ - "../../proto/core/proxy.proto", - "../../proto/worker/worker.proto", - "../../proto/wireguard/gateway.proto", - "../../proto/enterprise/firewall/firewall.proto", - ], - &[ - "../../proto/core", - "../../proto/worker", - "../../proto/wireguard", - "../../proto/enterprise/firewall", + "../../proto/v1/worker/worker.proto", + "../../proto/v2/common.proto", + "../../proto/v2/proxy.proto", + "../../proto/v2/gateway.proto", + "../../proto/enterprise/v2/firewall/firewall.proto", + "../../proto/common/client_types.proto", ], + &["../../proto"], )?; + println!("cargo:rerun-if-changed=../../proto"); Ok(()) } diff --git a/crates/defguard_proto/src/lib.rs b/crates/defguard_proto/src/lib.rs index ae1a525952..26fc0d5756 100644 --- a/crates/defguard_proto/src/lib.rs +++ b/crates/defguard_proto/src/lib.rs 
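Review bot: The `.skip_debug([` list right below the first hunk is left untouched while every proto package is renamed (`gateway` → `defguard.gateway.v2`, `defguard.proxy` → `defguard.proxy.v2`, and so on), and prost matches those entries against fully qualified proto names; if they still name the old packages they stop matching silently, and `Configuration`, which now carries `private_key`, would regain a derived `Debug` and be printable by any `{:?}` log. The list itself is outside both hunks, so this has to be checked against the full `main` rather than this diff. A comment on that line, `// Paths must use the new package names (defguard.gateway.v2 etc.); a stale path matches nothing and the type silently regains Debug`, would keep the next rename from repeating the mistake, and a compile-time check that `Configuration` does not implement `Debug` would make it fail loudly. `main` spans both hunks and the lines between them are not shown.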
@@ -1,20 +1,72 @@ use std::fmt; +mod generated { + pub mod defguard { + pub mod proxy { + pub mod v2 { + tonic::include_proto!("defguard.proxy.v2"); + } + } + + pub mod gateway { + pub mod v2 { + tonic::include_proto!("defguard.gateway.v2"); + } + } + + pub mod worker { + pub mod v1 { + tonic::include_proto!("defguard.worker.v1"); + } + } + + pub mod enterprise { + pub mod firewall { + pub mod v2 { + tonic::include_proto!("defguard.enterprise.firewall.v2"); + } + } + } + + pub mod client_types { + tonic::include_proto!("defguard.client_types"); + } + + pub mod common { + pub mod v2 { + tonic::include_proto!("defguard.common.v2"); + } + } + } +} + pub mod proxy { - tonic::include_proto!("defguard.proxy"); + pub use crate::generated::defguard::proxy::v2::*; } + pub mod gateway { - tonic::include_proto!("gateway"); + pub use crate::generated::defguard::gateway::v2::*; } + pub mod worker { - tonic::include_proto!("worker"); + pub use crate::generated::defguard::worker::v1::*; } + pub mod enterprise { pub mod firewall { - tonic::include_proto!("enterprise.firewall"); + pub use crate::generated::defguard::enterprise::firewall::v2::*; } } +pub mod client_types { + pub use crate::generated::defguard::client_types::*; +} + +pub mod common { + pub use crate::generated::defguard::common::v2::*; +} + +use client_types::MfaMethod; use defguard_common::{ csv::AsCsv, db::{ @@ -26,7 +78,7 @@ use defguard_common::{ }, }, }; -use proxy::{CoreError, MfaMethod}; +use proxy::CoreError; use serde::Serialize; use tonic::Status; @@ -86,7 +138,7 @@ impl From for CoreError { } } -impl From for proxy::DeviceConfig { +impl From for client_types::DeviceConfig { fn from(config: DeviceConfig) -> Self { // DEPRECATED(1.5): superseeded by location_mfa_mode let mfa_enabled = config.location_mfa_mode == LocationMfaMode::Internal; 
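Review bot: The new public facade modules (`proxy`, `gateway`, `worker`, `enterprise::firewall`, `client_types`, `common`) are undocumented, and the versioning is uneven: most alias a `v2` or `v1` package while `client_types` has no version segment, so a reader cannot tell from the module tree which wire-level package version a type belongs to. A doc line per module, such as `/// Re-exports the `defguard.proxy.v2` package; types shared with clients live in [`client_types`].`, plus a sentence on `generated` explaining that it mirrors the proto package layout and that the facades exist so call sites do not encode the version, would make the aliasing intent explicit. The `client_types` module in particular would benefit from stating whether it is meant to stay version-less across future `v3` packages, since that is an API commitment rather than an implementation detail.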
@@ -103,11 +155,13 @@ impl From for proxy::DeviceConfig { #[allow(deprecated)] mfa_enabled, location_mfa_mode: Some( - >::into(config.location_mfa_mode) - .into(), + >::into( + config.location_mfa_mode, + ) + .into(), ), service_location_mode: Some( - >::into( + >::into( config.service_location_mode, ) .into(), @@ -116,7 +170,7 @@ impl From for proxy::DeviceConfig { } } -impl From> for proxy::Device { +impl From> for client_types::Device { fn from(device: Device) -> Self { Self { id: device.id, @@ -128,7 +182,7 @@ impl From> for proxy::Device { } } -impl From> for proxy::AdminInfo { +impl From> for client_types::AdminInfo { fn from(admin: User) -> Self { Self { name: format!("{} {}", admin.first_name, admin.last_name), @@ -138,22 +192,22 @@ impl From> for proxy::AdminInfo { } } -impl From for proxy::LocationMfaMode { +impl From for client_types::LocationMfaMode { fn from(value: LocationMfaMode) -> Self { match value { - LocationMfaMode::Disabled => proxy::LocationMfaMode::Disabled, - LocationMfaMode::Internal => proxy::LocationMfaMode::Internal, - LocationMfaMode::External => proxy::LocationMfaMode::External, + LocationMfaMode::Disabled => client_types::LocationMfaMode::Disabled, + LocationMfaMode::Internal => client_types::LocationMfaMode::Internal, + LocationMfaMode::External => client_types::LocationMfaMode::External, } } } -impl From for proxy::ServiceLocationMode { +impl From for client_types::ServiceLocationMode { fn from(value: ServiceLocationMode) -> Self { match value { - ServiceLocationMode::Disabled => proxy::ServiceLocationMode::Disabled, - ServiceLocationMode::PreLogon => proxy::ServiceLocationMode::Prelogon, - ServiceLocationMode::AlwaysOn => proxy::ServiceLocationMode::Alwayson, + ServiceLocationMode::Disabled => client_types::ServiceLocationMode::Disabled, + ServiceLocationMode::PreLogon => client_types::ServiceLocationMode::Prelogon, + ServiceLocationMode::AlwaysOn => client_types::ServiceLocationMode::Alwayson, } } } 
@@ -167,7 +221,7 @@ impl Configuration { Self { name: location.name.clone(), port: location.port.cast_unsigned(), - prvkey: location.prvkey.clone(), + private_key: location.prvkey.clone(), addresses: location.address().iter().map(ToString::to_string).collect(), peers, firewall_config: maybe_firewall_config, diff --git a/crates/defguard_proxy_manager/src/handler.rs b/crates/defguard_proxy_manager/src/handler.rs index 7e3387690f..09c81397fc 100644 --- a/crates/defguard_proxy_manager/src/handler.rs +++ b/crates/defguard_proxy_manager/src/handler.rs @@ -37,10 +37,12 @@ use defguard_core::{ version::{IncompatibleComponents, IncompatibleProxyData, is_proxy_version_supported}, }; use defguard_grpc_tls::{certs as tls_certs, connector::HttpsSchemeConnector}; -use defguard_proto::proxy::{ - AuthCallbackResponse, AuthFlowType as ProtoAuthFlowType, AuthInfoResponse, CoreError, - CoreRequest, CoreResponse, HttpsCerts, InitialInfo, core_request, core_response, - proxy_client::ProxyClient, +use defguard_proto::{ + client_types::AuthFlowType as ProtoAuthFlowType, + proxy::{ + AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, HttpsCerts, + InitialInfo, core_request, core_response, proxy_client::ProxyClient, + }, }; use defguard_version::{ ComponentInfo, DefguardComponent, client::ClientVersionInterceptor, get_tracing_variables, diff --git a/crates/defguard_proxy_manager/src/servers/enrollment.rs b/crates/defguard_proxy_manager/src/servers/enrollment.rs index bbbc27f5f0..d950e0dc91 100644 --- a/crates/defguard_proxy_manager/src/servers/enrollment.rs +++ b/crates/defguard_proxy_manager/src/servers/enrollment.rs 
@@ -33,7 +33,7 @@ use defguard_mail::templates::{ TemplateLocation, enrollment_admin_notification, mfa_activation_mail, mfa_configured_mail, new_device_added_mail, }; -use defguard_proto::proxy::{ +use defguard_proto::client_types::{ ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse, CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice, InitialUserInfo, MfaMethod, @@ -258,14 +258,14 @@ impl EnrollmentServer { .fetch_one(&self.pool) .await .map_err(|_| Status::internal("Failed to read data".to_string()))?; - let enrollment_settings = defguard_proto::proxy::EnrollmentSettings { + let enrollment_settings = defguard_proto::client_types::EnrollmentSettings { vpn_setup_optional, smtp_configured, only_client_activation: enterprise_settings.only_client_activation, admin_device_management: enterprise_settings.admin_device_management, mfa_required: instance_has_internal_mfa, }; - let response = defguard_proto::proxy::EnrollmentStartResponse { + let response = defguard_proto::client_types::EnrollmentStartResponse { admin: admin_info, user: Some(user_info), deadline_timestamp: session_deadline.and_utc().timestamp(), diff --git a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/enrollment.rs b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/enrollment.rs index c42f98cfe2..39867b0c20 100644 --- a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/enrollment.rs +++ b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/enrollment.rs 
@@ -6,9 +6,9 @@ use defguard_core::{ events::{BidiStreamEventType, EnrollmentEvent}, grpc::GatewayEvent, }; -use defguard_proto::proxy::{ - CoreRequest, ExistingDevice, MfaMethod, NewDevice, RegisterMobileAuthRequest, core_request, - core_response, +use defguard_proto::{ + client_types::{ExistingDevice, MfaMethod, NewDevice, RegisterMobileAuthRequest}, + proxy::{CoreRequest, core_request, core_response}, }; use sqlx::postgres::{PgConnectOptions, PgPoolOptions}; use tokio::time::timeout; diff --git a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/mfa.rs b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/mfa.rs index 76b76182d9..57b946312a 100644 --- a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/mfa.rs +++ b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/mfa.rs @@ -2,9 +2,9 @@ use std::time::Duration; use defguard_common::db::Id; use defguard_core::grpc::GatewayEvent; -use defguard_proto::proxy::{ - AwaitRemoteMfaFinishRequest, ClientMfaFinishRequest, ClientMfaStartRequest, CoreRequest, - MfaMethod, core_request, core_response, +use defguard_proto::{ + client_types::{ClientMfaFinishRequest, ClientMfaStartRequest, MfaMethod}, + proxy::{AwaitRemoteMfaFinishRequest, CoreRequest, core_request, core_response}, }; use sqlx::postgres::{PgConnectOptions, PgPoolOptions}; use tokio::{task, time::timeout}; diff --git a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/oidc.rs b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/oidc.rs index ee31cf7d3c..cb152ba301 100644 --- a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/oidc.rs +++ b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/oidc.rs 
@@ -1,8 +1,11 @@ #![allow(deprecated)] use defguard_core::db::models::enrollment::Token; -use defguard_proto::proxy::{ - AuthCallbackRequest, AuthFlowType, AuthInfoRequest, ClientMfaOidcAuthenticateRequest, - CoreRequest, MfaMethod, core_request, core_response, +use defguard_proto::{ + client_types::{AuthFlowType, AuthInfoRequest, MfaMethod}, + proxy::{ + AuthCallbackRequest, ClientMfaOidcAuthenticateRequest, CoreRequest, core_request, + core_response, + }, }; use sqlx::postgres::{PgConnectOptions, PgPoolOptions}; @@ -42,7 +45,6 @@ async fn test_auth_callback_creates_new_user_on_first_login( payload: Some(core_request::Payload::AuthCallback(AuthCallbackRequest { code: code.clone(), nonce: raw_nonce.to_string(), - callback_url: String::new(), // ignored in v2 path (handler uses settings) })), }); @@ -104,9 +106,9 @@ async fn test_auth_info_enrollment_returns_authorize_url( id: 40, device_info: None, payload: Some(core_request::Payload::AuthInfo(AuthInfoRequest { - redirect_url: String::new(), // deprecated; ignored when auth_flow_type is set state: None, auth_flow_type: AuthFlowType::Enrollment as i32, + ..Default::default() })), }); @@ -166,9 +168,9 @@ async fn test_auth_info_mfa_returns_authorize_url(_: PgPoolOptions, options: PgC id: 50, device_info: None, payload: Some(core_request::Payload::AuthInfo(AuthInfoRequest { - redirect_url: String::new(), state: None, auth_flow_type: AuthFlowType::Mfa as i32, + ..Default::default() })), }); @@ -216,9 +218,9 @@ async fn test_auth_info_requires_license(_: PgPoolOptions, options: PgConnectOpt id: 60, device_info: None, payload: Some(core_request::Payload::AuthInfo(AuthInfoRequest { - redirect_url: String::new(), state: None, auth_flow_type: AuthFlowType::Enrollment as i32, + ..Default::default() })), }); 
@@ -247,9 +249,9 @@ async fn test_auth_info_requires_oidc_provider(_: PgPoolOptions, options: PgConn id: 70, device_info: None, payload: Some(core_request::Payload::AuthInfo(AuthInfoRequest { - redirect_url: String::new(), state: None, auth_flow_type: AuthFlowType::Enrollment as i32, + ..Default::default() })), }); @@ -308,7 +310,6 @@ async fn test_mfa_oidc_full_flow(_: PgPoolOptions, options: PgConnectOptions) { ClientMfaOidcAuthenticateRequest { code: code.clone(), state: state.clone(), - callback_url: String::new(), // unused in handler (uses settings) nonce: raw_nonce.to_string(), }, )), @@ -369,7 +370,6 @@ async fn test_auth_callback_exchanges_code_for_enrollment_token( payload: Some(core_request::Payload::AuthCallback(AuthCallbackRequest { code: code.clone(), nonce: raw_nonce.to_string(), - callback_url: String::new(), })), }); diff --git a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/polling.rs b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/polling.rs index 8f33a14da2..726f87b360 100644 --- a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/polling.rs +++ b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/polling.rs @@ -1,6 +1,10 @@ -use defguard_proto::proxy::{CoreRequest, InstanceInfoRequest, core_request, core_response}; use sqlx::postgres::{PgConnectOptions, PgPoolOptions}; +use defguard_proto::{ + client_types::InstanceInfoRequest, + proxy::{CoreRequest, core_request, core_response}, +}; + use super::support::{ assert_error_response, clear_test_license, complete_proxy_handshake, create_device_for_user, create_network, create_polling_token, create_user, create_user_with_device, diff --git a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/support.rs b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/support.rs index 0eb7bf7dc7..9536271c8c 100644 --- a/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/support.rs 
+++ b/crates/defguard_proxy_manager/src/tests/proxy_manager/handler/support.rs @@ -28,12 +28,17 @@ use defguard_core::{ }, events::{BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent}, }; -use defguard_proto::proxy::{ - ActivateUserRequest, ClientMfaFinishRequest, ClientMfaStartRequest, - ClientMfaTokenValidationRequest, CodeMfaSetupFinishRequest, CodeMfaSetupStartRequest, - CoreRequest, CoreResponse, DeviceConfigResponse, DeviceInfo, EnrollmentStartRequest, MfaMethod, - PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest, core_request, - core_response, +use defguard_proto::{ + client_types::{ + ActivateUserRequest, ClientMfaFinishRequest, ClientMfaStartRequest, + CodeMfaSetupFinishRequest, CodeMfaSetupStartRequest, DeviceConfigResponse, + EnrollmentStartRequest, MfaMethod, + }, + proxy::{ + ClientMfaTokenValidationRequest, CoreRequest, CoreResponse, DeviceInfo, + PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest, + core_request, core_response, + }, }; use ipnetwork::IpNetwork; use sqlx::PgPool; diff --git a/crates/defguard_setup/src/auto_adoption.rs b/crates/defguard_setup/src/auto_adoption.rs index c933c11c2d..999bc535fd 100644 --- a/crates/defguard_setup/src/auto_adoption.rs +++ b/crates/defguard_setup/src/auto_adoption.rs @@ -25,14 +25,9 @@ use defguard_core::{ version::{MIN_GATEWAY_VERSION, MIN_PROXY_VERSION}, }; use defguard_proto::{ - gateway::{ - CertificateInfo as GatewayCertificateInfo, DerPayload as GatewayDerPayload, - gateway_setup_client::GatewaySetupClient, - }, - proxy::{ - CertificateInfo as ProxyCertificateInfo, DerPayload as ProxyDerPayload, - proxy_setup_client::ProxySetupClient, - }, + common::{CertificateInfo as ProtoCertificateInfo, DerPayload as ProtoDerPayload}, + gateway::gateway_setup_client::GatewaySetupClient, + proxy::proxy_setup_client::ProxySetupClient, }; use defguard_version::{Version, client::ClientVersionInterceptor}; use ipnetwork::IpNetwork; 
@@ -420,7 +415,7 @@ async fn run_edge_adoption_attempt_scoped( debug!("Requesting CSR from proxy hostname={hostname}"); let csr_response = match client - .get_csr(ProxyCertificateInfo { + .get_csr(ProtoCertificateInfo { cert_hostname: hostname.to_string(), }) .await @@ -471,7 +466,7 @@ async fn run_edge_adoption_attempt_scoped( debug!("CSR signed for proxy hostname={hostname}; sending certificate"); if let Err(err) = client - .send_cert(ProxyDerPayload { + .send_cert(ProtoDerPayload { der_data: cert.der().to_vec(), }) .await @@ -729,7 +724,7 @@ async fn run_gateway_adoption_attempt_scoped( debug!("Requesting CSR from gateway hostname={hostname}"); let csr_response = match client - .get_csr(GatewayCertificateInfo { + .get_csr(ProtoCertificateInfo { cert_hostname: hostname.to_string(), }) .await @@ -780,7 +775,7 @@ async fn run_gateway_adoption_attempt_scoped( debug!("CSR signed for gateway hostname={hostname}; sending certificate"); if let Err(err) = client - .send_cert(GatewayDerPayload { + .send_cert(ProtoDerPayload { der_data: cert.der().to_vec(), }) .await diff --git a/proto b/proto index f600c25c27..7adfe3bfd1 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit f600c25c2715d798225cc2441c4f79fdbba48af8 +Subproject commit 7adfe3bfd1b7b701e58d25ddadd0c0c7a4a3e046