feat: add option to prevent routing all traffic through the vpn

migrations/20240902103930_add_option_to_disable_all_traffic.down.sql

@@ -0,0 +1 @@
+ALTER TABLE enterprisesettings DROP COLUMN disable_all_traffic;

migrations/20240902103930_add_option_to_disable_all_traffic.up.sql

@@ -0,0 +1 @@
+ALTER TABLE enterprisesettings ADD COLUMN disable_all_traffic BOOLEAN NOT NULL DEFAULT FALSE;

src/db/models/polling_token.rs

@@ -2,9 +2,8 @@ use chrono::{NaiveDateTime, Utc};
 use model_derive::Model;
 use sqlx::{query_as, Error as SqlxError};
 
-use crate::random::gen_alphanumeric;
-
 use super::DbPool;
+use crate::random::gen_alphanumeric;
 
 // Token used for polling requests.
 #[derive(Clone, Debug, Model)]

src/enterprise/db/models/enterprise_settings.rs

@@ -11,6 +11,8 @@ pub struct EnterpriseSettings {
     pub id: Option<i64>,
     // If true, only admins can manage devices
     pub admin_device_management: bool,
+    // If true, the option to route all traffic through the vpn is disabled in the client
+    pub disable_all_traffic: bool,
     // If true, manual WireGuard setup is disabled
     pub only_client_activation: bool,
 }
@@ -22,6 +24,7 @@ impl Default for EnterpriseSettings {
         Self {
             id: None,
             admin_device_management: false,
+            disable_all_traffic: false,
             only_client_activation: false,
         }
     }

src/enterprise/grpc/polling.rs

@@ -1,11 +1,13 @@
+use tonic::Status;
+
 use crate::{
     db::{models::polling_token::PollingToken, DbPool, Device, User},
     enterprise::license::{get_cached_license, validate_license},
-    grpc::utils::build_device_config_response,
+    grpc::{
+        proto::{InstanceInfoRequest, InstanceInfoResponse},
+        utils::{build_device_config_response, build_instance_config_response},
+    },
 };
-use tonic::Status;
-
-use crate::grpc::proto::{InstanceInfoRequest, InstanceInfoResponse};
 
 pub struct PollingServer {
     pool: DbPool,
@@ -81,8 +83,10 @@ impl PollingServer {
         // Build & return polling info
         let device_config =
             build_device_config_response(&self.pool, &device.wireguard_pubkey).await?;
+        let instance_config = build_instance_config_response(&self.pool).await?;
         Ok(InstanceInfoResponse {
             device_config: Some(device_config),
+            instance_config: Some(instance_config),
         })
     }
 }

src/enterprise/handlers/openid_login.rs

@@ -1,32 +1,38 @@
-use axum::extract::State;
-use axum::http::StatusCode;
-use axum::Json;
+use axum::{extract::State, http::StatusCode, Json};
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
-use axum_extra::extract::cookie::{Cookie, SameSite};
-use axum_extra::extract::{CookieJar, PrivateCookieJar};
-use axum_extra::headers::UserAgent;
-use axum_extra::TypedHeader;
-use openidconnect::core::{
-    CoreClient, CoreGenderClaim, CoreJsonWebKeyType, CoreJweContentEncryptionAlgorithm,
-    CoreJwsSigningAlgorithm, CoreResponseType,
+use axum_extra::{
+    extract::{
+        cookie::{Cookie, SameSite},
+        CookieJar, PrivateCookieJar,
+    },
+    headers::UserAgent,
+    TypedHeader,
 };
 use openidconnect::{
-    core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
-    ProviderMetadata, RedirectUrl,
+    core::{
+        CoreClient, CoreGenderClaim, CoreJsonWebKeyType, CoreJweContentEncryptionAlgorithm,
+        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreResponseType,
+    },
+    reqwest::async_http_client,
+    AuthenticationFlow, ClientId, ClientSecret, CsrfToken, EmptyAdditionalClaims, IdToken,
+    IssuerUrl, Nonce, ProviderMetadata, RedirectUrl, Scope,
 };
-use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken, Nonce, Scope};
 use serde_json::json;
 use time::Duration;
 
 use super::LicenseInfo;
-use crate::appstate::AppState;
-use crate::db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
-use crate::enterprise::db::models::openid_provider::OpenIdProvider;
-use crate::error::WebError;
-use crate::handlers::user::{check_username, prune_username};
-use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
-use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
-use crate::server_config;
+use crate::{
+    appstate::AppState,
+    db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo},
+    enterprise::db::models::openid_provider::OpenIdProvider,
+    error::WebError,
+    handlers::{
+        user::{check_username, prune_username},
+        ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME,
+    },
+    headers::{check_new_device_login, get_user_agent_device, parse_user_agent},
+    server_config,
+};
 
 type ProvMeta = ProviderMetadata<
     openidconnect::EmptyAdditionalProviderMetadata,

src/grpc/enrollment.rs

@@ -1,16 +1,18 @@
 use std::sync::Arc;
 
-use super::InstanceInfo;
 use ipnetwork::IpNetwork;
 use sqlx::Transaction;
 use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
 use tonic::Status;
 use uaparser::UserAgentParser;
 
-use super::proto::{
-    ActivateUserRequest, AdminInfo, Device as ProtoDevice, DeviceConfig as ProtoDeviceConfig,
-    DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice,
-    InitialUserInfo, NewDevice,
+use super::{
+    proto::{
+        ActivateUserRequest, AdminInfo, Device as ProtoDevice, DeviceConfig as ProtoDeviceConfig,
+        DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice,
+        InitialUserInfo, NewDevice,
+    },
+    InstanceInfo,
 };
 use crate::{
     db::{

src/grpc/mod.rs

@@ -9,7 +9,6 @@ use std::{
     sync::{Arc, Mutex},
 };
 
-use crate::enterprise::grpc::polling::PollingServer;
 use chrono::{Duration as ChronoDuration, NaiveDateTime, Utc};
 use reqwest::Url;
 use serde::Serialize;
@@ -46,6 +45,7 @@ use self::{
 use crate::{
     auth::failed_login::FailedLoginMap,
     db::{AppEvent, Settings},
+    enterprise::grpc::polling::PollingServer,
     handlers::mail::send_gateway_disconnected_email,
     mail::Mail,
     server_config,

src/grpc/utils.rs

@@ -1,11 +1,19 @@
-use super::InstanceInfo;
 use ipnetwork::IpNetwork;
 use tonic::Status;
 
-use super::proto::{DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse};
-use crate::db::{
-    models::{device::WireguardNetworkDevice, wireguard::WireguardNetwork},
-    DbPool, Device, Settings, User,
+use super::{
+    proto::{DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, InstanceConfigResponse},
+    InstanceInfo,
+};
+use crate::{
+    db::{
+        models::{device::WireguardNetworkDevice, wireguard::WireguardNetwork},
+        DbPool, Device, Settings, User,
+    },
+    enterprise::{
+        db::models::enterprise_settings::EnterpriseSettings,
+        license::{get_cached_license, validate_license},
+    },
 };
 
 pub(crate) async fn build_device_config_response(
@@ -93,3 +101,20 @@ pub(crate) async fn build_device_config_response(
         token: None,
     })
 }
+
+pub(crate) async fn build_instance_config_response(
+    pool: &DbPool,
+) -> Result<InstanceConfigResponse, Status> {
+    debug!("Building instance config response");
+    let enterprise = validate_license(get_cached_license().as_ref()).is_ok();
+    let enterprise_settings = EnterpriseSettings::get(pool).await.map_err(|err| {
+        error!("Failed to get enterprise settings while building instance config response: {err}");
+        Status::internal("unexpected error")
+    })?;
+    debug!("Instance config response built");
+
+    Ok(InstanceConfigResponse {
+        enterprise,
+        disable_all_traffic: enterprise_settings.disable_all_traffic,
+    })
+}

src/handlers/app_info.rs

@@ -2,11 +2,11 @@ use axum::{extract::State, http::StatusCode};
 use serde_json::json;
 
 use super::{ApiResponse, ApiResult, VERSION};
-use crate::db::Settings;
-use crate::enterprise::license::get_cached_license;
 use crate::{
-    appstate::AppState, auth::SessionInfo, db::WireguardNetwork,
-    enterprise::license::validate_license,
+    appstate::AppState,
+    auth::SessionInfo,
+    db::{Settings, WireguardNetwork},
+    enterprise::license::{get_cached_license, validate_license},
 };
 
 /// Additional information about core state.

src/secret.rs

@@ -1,6 +1,4 @@
-use std::convert::Infallible;
-use std::error::Error;
-use std::str::FromStr;
+use std::{convert::Infallible, error::Error, str::FromStr};
 
 use secrecy::{ExposeSecret, Secret};
 use serde::{Deserialize, Serialize};

tests/enterprise_settings.rs

@@ -1,14 +1,16 @@
 mod common;
 
-use defguard::enterprise::{
-    db::models::enterprise_settings::EnterpriseSettings,
-    license::{get_cached_license, set_cached_license},
+use defguard::{
+    enterprise::{
+        db::models::enterprise_settings::EnterpriseSettings,
+        license::{get_cached_license, set_cached_license},
+    },
+    handlers::Auth,
 };
 use reqwest::StatusCode;
+use serde_json::{json, Value};
 
 use self::common::make_test_client;
-use defguard::handlers::Auth;
-use serde_json::{json, Value};
 
 fn make_network() -> Value {
     json!({
@@ -41,6 +43,7 @@ async fn test_only_enterprise_can_modify() {
     let settings = EnterpriseSettings {
         id: None,
         admin_device_management: true,
+        disable_all_traffic: false,
         only_client_activation: false,
     };
 
@@ -85,6 +88,7 @@ async fn test_admin_devices_management_is_enforced() {
     let settings = EnterpriseSettings {
         id: None,
         admin_device_management: true,
+        disable_all_traffic: false,
         only_client_activation: false,
     };
     let response = client
@@ -162,6 +166,7 @@ async fn test_regular_user_device_management() {
     let settings = EnterpriseSettings {
         id: None,
         admin_device_management: false,
+        disable_all_traffic: false,
         only_client_activation: false,
     };
     let response = client