Merge branch 'dev' of github.com:DefGuard/defguard into dev

Author: moubctez

.sqlx/query-226259d2006f1a0bc904f5a25f9bbc71c19a867b626493b9f973a5cc09f5e3c0.json

@@ -73,7 +73,7 @@ sqlx = { version = "0.7", features = [
     "uuid",
 ] }
 ssh-key = "0.6"
-struct-patch = "0.7"
+struct-patch = "0.8"
 tera = "1.20"
 thiserror = "1.0"
 # match axum-extra -> cookies

.sqlx/query-30b117d8b863a0785fcb164bc428ea5591fe28ea9e07170906eb78c3ae4531d8.json

@@ -0,0 +1 @@
+DROP TABLE enterprisesettings;

.sqlx/query-a1836fa232271fdd5d61f0d34048741a269f654ef6eb1fa2f6b95e68ed7e04e1.json

@@ -0,0 +1,6 @@
+CREATE TABLE enterprisesettings (
+    id bigserial PRIMARY KEY,
+    admin_device_management BOOLEAN NOT NULL DEFAULT false
+);
+
+INSERT INTO enterprisesettings (admin_device_management) values (false);

.sqlx/query-bcba1892b88c1aecf5fb4112c03b4ec9ffc2f61e38c74630dac5e32f3736c113.json

@@ -163,34 +163,6 @@ pub struct DefGuardConfig {
     #[serde(skip_serializing)]
     pub gateway_disconnection_notification_timeout: Duration,
 
-    #[arg(
-        long,
-        env = "DEFGUARD_LICENSE_SERVER_URL",
-        default_value = "https://update-service-dev.teonite.net/api/license/refresh"
-    )]
-    #[serde(skip_serializing)]
-    pub license_server_url: String,
-
-    #[arg(long, env = "DEFGUARD_LICENSE_CHECK_PERIOD", default_value = "10s")]
-    #[serde(skip_serializing)]
-    pub license_check_period: Duration,
-
-    #[arg(
-        long,
-        env = "DEFGUARD_LICENSE_CHECK_PERIOD_RENEWAL_WINDOW",
-        default_value = "5s"
-    )]
-    #[serde(skip_serializing)]
-    pub license_check_period_renewal_window: Duration,
-
-    #[arg(
-        long,
-        env = "DEFGUARD_LICENSE_CHECK_PERIOD_NO_LICENSE",
-        default_value = "15s"
-    )]
-    #[serde(skip_serializing)]
-    pub license_check_period_no_license: Duration,
-
     #[command(subcommand)]
     #[serde(skip_serializing)]
     pub cmd: Option<Command>,

.sqlx/query-c0883840b92550c4a2ba682d15ee4841bf9cdce2d87fa952457b157afbe2d756.json

@@ -0,0 +1,47 @@
+use model_derive::Model;
+use sqlx::PgExecutor;
+use struct_patch::Patch;
+
+use crate::enterprise::license::{get_cached_license, validate_license};
+
+#[derive(Model, Deserialize, Serialize, Patch)]
+#[patch(attribute(derive(Serialize, Deserialize)))]
+pub struct EnterpriseSettings {
+    #[serde(skip)]
+    pub id: Option<i64>,
+    // If true, only admins can manage devices
+    pub admin_device_management: bool,
+}
+
+// We want to be conscious of what the defaults are here
+#[allow(clippy::derivable_impls)]
+impl Default for EnterpriseSettings {
+    fn default() -> Self {
+        Self {
+            id: None,
+            admin_device_management: false,
+        }
+    }
+}
+
+impl EnterpriseSettings {
+    /// If license is valid returns current [`EnterpriseSettings`] object.
+    /// Otherwise returns [`EnterpriseSettings::default()`].
+    pub async fn get<'e, E>(executor: E) -> Result<Self, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        // avoid holding the rwlock across await, makes the future !Send
+        // and therefore unusable in axum handlers
+        let is_valid = {
+            let license = get_cached_license();
+            validate_license(license.as_ref()).is_ok()
+        };
+        if is_valid {
+            let settings = Self::find_by_id(executor, 1).await?;
+            Ok(settings.expect("EnterpriseSettings not found"))
+        } else {
+            Ok(EnterpriseSettings::default())
+        }
+    }
+}

Cargo.lock

@@ -1 +1,2 @@
+pub mod enterprise_settings;
 pub mod openid_provider;

Cargo.toml

@@ -0,0 +1,49 @@
+use axum::{extract::State, http::StatusCode, Json};
+use serde_json::json;
+use struct_patch::Patch;
+
+use super::LicenseInfo;
+use crate::{
+    appstate::AppState,
+    auth::{AdminRole, SessionInfo},
+    enterprise::db::models::enterprise_settings::{EnterpriseSettings, EnterpriseSettingsPatch},
+    handlers::{ApiResponse, ApiResult},
+};
+
+pub async fn get_enterprise_settings(
+    session: SessionInfo,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    debug!(
+        "User {} retrieving enterprise settings",
+        session.user.username
+    );
+    let settings = EnterpriseSettings::get(&appstate.pool).await?;
+    info!(
+        "User {} retrieved enterprise settings",
+        session.user.username
+    );
+    Ok(ApiResponse {
+        json: json!(settings),
+        status: StatusCode::OK,
+    })
+}
+
+pub async fn patch_enterprise_settings(
+    _license: LicenseInfo,
+    _admin: AdminRole,
+    State(appstate): State<AppState>,
+    session: SessionInfo,
+    Json(data): Json<EnterpriseSettingsPatch>,
+) -> ApiResult {
+    debug!(
+        "Admin {} patching enterprise settings.",
+        session.user.username,
+    );
+    let mut settings = EnterpriseSettings::get(&appstate.pool).await?;
+
+    settings.apply(data);
+    settings.save(&appstate.pool).await?;
+    info!("Admin {} patched settings.", session.user.username);
+    Ok(ApiResponse::default())
+}

migrations/20240819134151_enterprise_settings.down.sql

@@ -1,8 +1,10 @@
 use crate::{
+    auth::SessionInfo,
     enterprise::license::validate_license,
     handlers::{ApiResponse, ApiResult},
 };
 
+pub mod enterprise_settings;
 pub mod openid_login;
 pub mod openid_providers;
 
@@ -12,13 +14,16 @@ use axum::{
     http::{request::Parts, StatusCode},
 };
 
-use super::license::get_cached_license;
+use super::{db::models::enterprise_settings::EnterpriseSettings, license::get_cached_license};
 use crate::{appstate::AppState, error::WebError};
 
 pub struct LicenseInfo {
     pub valid: bool,
 }
 
+/// Used to check if user is allowed to manage his devices.
+pub struct CanManageDevices;
+
 #[async_trait]
 impl<S> FromRequestParts<S> for LicenseInfo
 where
@@ -30,7 +35,7 @@ where
     async fn from_request_parts(_parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
         let license = get_cached_license();
 
-        match validate_license((*license).as_ref()) {
+        match validate_license(license.as_ref()) {
             // Useless struct, but may come in handy later
             Ok(_) => Ok(LicenseInfo { valid: true }),
             Err(e) => Err(WebError::Forbidden(e.to_string())),
@@ -41,10 +46,34 @@ where
 pub async fn check_enterprise_status() -> ApiResult {
     let license = get_cached_license();
 
-    let valid = validate_license((*license).as_ref()).is_ok();
+    let valid = validate_license((license).as_ref()).is_ok();
 
     Ok(ApiResponse {
         json: serde_json::json!({ "enabled": valid }),
         status: StatusCode::OK,
     })
 }
+
+#[async_trait]
+impl<S> FromRequestParts<S> for CanManageDevices
+where
+    S: Send + Sync,
+    AppState: FromRef<S>,
+{
+    type Rejection = WebError;
+
+    /// Returns an error if current session user is not allowed to manage devices.
+    /// The permission is defined by [`EnterpriseSettings::admin_device_management`] setting.
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let appstate = AppState::from_ref(state);
+        let session = SessionInfo::from_request_parts(parts, state).await?;
+        let settings = EnterpriseSettings::get(&appstate.pool).await?;
+        if settings.admin_device_management && !session.is_admin {
+            Err(WebError::Forbidden(
+                "Only admin users can manage devices".into(),
+            ))
+        } else {
+            Ok(Self)
+        }
+    }
+}