support protobuf versioning (#292)

* update protos

* use versioned protos

* update dependencies

* update proto submodule

* update protos directory structure

* update proto submodule

* handle updated protobuf

* adjust protobuf naming

* update proto submodule

Author: wojcik91

Cargo.lock

@@ -12,11 +12,11 @@ defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "0195
 defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "01957186101fc105803d56f1190efbdb5102df2f" }
 defguard_wireguard_rs = "0.9"
 env_logger = "0.11"
-gethostname = "1.0"
 ipnetwork = "0.21"
 libc = { version = "0.2", default-features = false }
 log = "0.4"
 prost = "0.14"
+prost-types = "0.14"
 serde = { version = "1.0", features = ["derive"] }
 syslog = "7.0"
 thiserror = "2.0"

Cargo.toml

@@ -11,10 +11,10 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         // compiling protos using path on build time
         .compile_protos(
             &[
-                "proto/wireguard/gateway.proto",
-                "proto/enterprise/firewall/firewall.proto",
+                "proto/v2/gateway.proto",
+                "proto/enterprise/v2/firewall/firewall.proto",
             ],
-            &["proto/wireguard", "proto/enterprise/firewall"],
+            &["proto"],
         )?;
     println!("cargo:rerun-if-changed=proto");
     Ok(())

build.rs

@@ -14,6 +14,7 @@ use std::{
 use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network};
 use iprange::{IpAddrRange, IpAddrRangeError};
 use thiserror::Error;
+use tracing::error;
 
 use crate::proto;
 
@@ -161,7 +162,7 @@ impl Protocol {
             proto::enterprise::firewall::Protocol::Udp => Ok(Self::Udp),
             proto::enterprise::firewall::Protocol::Icmp => Ok(Self::Icmp),
             // TODO: IcmpV6
-            proto::enterprise::firewall::Protocol::Invalid => {
+            proto::enterprise::firewall::Protocol::Unspecified => {
                 Err(FirewallError::UnsupportedProtocol(proto as u8))
             }
         }
@@ -196,10 +197,14 @@ impl From<bool> for Policy {
 
 impl Policy {
     #[must_use]
-    pub const fn from_proto(verdict: proto::enterprise::firewall::FirewallPolicy) -> Self {
+    pub fn from_proto(verdict: proto::enterprise::firewall::FirewallPolicy) -> Self {
         match verdict {
             proto::enterprise::firewall::FirewallPolicy::Allow => Self::Allow,
             proto::enterprise::firewall::FirewallPolicy::Deny => Self::Deny,
+            proto::enterprise::firewall::FirewallPolicy::Unspecified => {
+                error!("Received invalid gRPC FirewallPolicy. Falling back to Deny.");
+                Self::Deny
+            }
         }
     }
 }

flake.lock

@@ -13,7 +13,6 @@ use defguard_version::{
     ComponentInfo, DefguardComponent, Version, get_tracing_variables, server::DefguardVersionLayer,
 };
 use defguard_wireguard_rs::{WireguardInterfaceApi, net::IpAddrMask};
-use gethostname::gethostname;
 use tokio::{
     sync::{mpsc, oneshot},
     time::interval,
@@ -35,9 +34,12 @@ use crate::{
     },
     error::GatewayError,
     execute_command, mask,
-    proto::gateway::{
-        Configuration, ConfigurationRequest, CoreRequest, CoreResponse, LogEntry, Peer, Update,
-        core_request, core_response, gateway_server, update,
+    proto::{
+        common::LogEntry,
+        gateway::{
+            Configuration, CoreRequest, CoreResponse, Peer, Update, core_request, core_response,
+            gateway_server, update,
+        },
     },
     setup::run_setup,
     version::is_core_version_supported,
@@ -110,7 +112,7 @@ pub async fn run_gateway_loop(
 #[derive(Clone, PartialEq)]
 struct InterfaceConfiguration {
     name: String,
-    prvkey: String,
+    private_key: String,
     addresses: Vec<IpAddrMask>,
     port: u16,
     mtu: u32,
@@ -127,7 +129,7 @@ impl From<Configuration> for InterfaceConfiguration {
             .collect();
         Self {
             name: config.name,
-            prvkey: config.prvkey,
+            private_key: config.private_key,
             addresses,
             port: config.port as u16,
             mtu: config.mtu,
@@ -384,7 +386,7 @@ impl Gateway {
         );
         trace!(
             "Received configuration: {:?}",
-            mask!(new_configuration, prvkey)
+            mask!(new_configuration, private_key)
         );
 
         // check if new configuration is different than current one
@@ -405,7 +407,7 @@ impl Gateway {
             );
             trace!(
                 "Reconfigured WireGuard interface. Configuration: {:?}",
-                mask!(new_configuration, prvkey)
+                mask!(new_configuration, private_key)
             );
             // store new configuration and peers
             self.interface_configuration = Some(new_interface_configuration);
@@ -685,20 +687,11 @@ impl gateway_server::Gateway for GatewayServer {
         }
 
         let (tx, rx) = mpsc::unbounded_channel();
-        let Ok(hostname) = gethostname().into_string() else {
-            error!("Unable to get hostname");
-            return Err(Status::internal("failed to get hostname"));
-        };
 
         // First, send configuration request.
-        #[allow(deprecated)]
-        let payload = ConfigurationRequest {
-            name: None, // TODO: remove?
-            hostname,
-        };
         let req = CoreRequest {
             id: self.message_id.fetch_add(1, Ordering::Relaxed),
-            payload: Some(core_request::Payload::ConfigRequest(payload)),
+            payload: Some(core_request::Payload::ConfigRequest(())),
         };
 
         match tx.send(Ok(req)) {
@@ -906,7 +899,7 @@ mod tests {
     async fn test_configuration_comparison() {
         let old_config = InterfaceConfiguration {
             name: "gateway".to_string(),
-            prvkey: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(),
+            private_key: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(),
             addresses: vec!["10.6.1.1/24".parse().unwrap()],
             port: 50051,
             mtu: 1420,
@@ -954,7 +947,7 @@ mod tests {
         // only interface config is different
         let new_config = InterfaceConfiguration {
             name: "gateway".to_string(),
-            prvkey: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(),
+            private_key: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(),
             addresses: vec!["10.6.1.2/24".parse().unwrap()],
             port: 50051,
             mtu: 1420,

proto

@@ -4,13 +4,40 @@ pub mod gateway;
 pub mod server;
 mod version;
 
+pub mod generated {
+    pub mod defguard {
+        pub mod common {
+            pub mod v2 {
+                tonic::include_proto!("defguard.common.v2");
+            }
+        }
+        pub mod gateway {
+            pub mod v2 {
+
+                tonic::include_proto!("defguard.gateway.v2");
+            }
+        }
+        pub mod enterprise {
+            pub mod firewall {
+                pub mod v2 {
+
+                    tonic::include_proto!("defguard.enterprise.firewall.v2");
+                }
+            }
+        }
+    }
+}
+
 pub mod proto {
+    pub mod common {
+        pub use crate::generated::defguard::common::v2::*;
+    }
     pub mod gateway {
-        tonic::include_proto!("gateway");
+        pub use crate::generated::defguard::gateway::v2::*;
     }
     pub mod enterprise {
         pub mod firewall {
-            tonic::include_proto!("enterprise.firewall");
+            pub use crate::generated::defguard::enterprise::firewall::v2::*;
         }
     }
 }
@@ -23,6 +50,7 @@ use std::{process::Command, str::FromStr, time::SystemTime};
 use config::Config;
 use defguard_wireguard_rs::{InterfaceConfiguration, net::IpAddrMask, peer::Peer};
 use error::GatewayError;
+use prost_types::Timestamp;
 use syslog::{BasicLogger, Facility, Formatter3164};
 
 pub mod enterprise;
@@ -102,7 +130,7 @@ impl From<proto::gateway::Configuration> for InterfaceConfiguration {
             .collect();
         InterfaceConfiguration {
             name: config.name,
-            prvkey: config.prvkey,
+            prvkey: config.private_key,
             addresses,
             port: config.port as u16,
             peers,
@@ -150,9 +178,13 @@ impl From<&Peer> for proto::gateway::PeerStats {
                 .endpoint
                 .map_or(String::new(), |endpoint| endpoint.to_string()),
             allowed_ips: peer.allowed_ips.iter().map(ToString::to_string).collect(),
-            latest_handshake: peer.last_handshake.map_or(0, |ts| {
+            latest_handshake: peer.last_handshake.and_then(|ts| {
                 ts.duration_since(SystemTime::UNIX_EPOCH)
-                    .map_or(0, |duration| duration.as_secs())
+                    .ok()
+                    .map(|d| Timestamp {
+                        seconds: d.as_secs() as i64,
+                        nanos: d.subsec_nanos() as i32,
+                    })
             }),
             download: peer.rx_bytes,
             upload: peer.tx_bytes,

src/enterprise/firewall/mod.rs

@@ -3,7 +3,7 @@ use tokio::sync::mpsc::Sender;
 use tracing::{Event, Subscriber};
 use tracing_subscriber::{Layer, layer::SubscriberExt, util::SubscriberInitExt};
 
-use crate::proto::gateway::LogEntry;
+use crate::proto::common::LogEntry;
 
 pub fn init_tracing(own_version: &Version, level: &str, logs_tx: Option<Sender<LogEntry>>) {
     let subscriber = tracing_subscriber::registry();

src/gateway.rs

@@ -16,7 +16,10 @@ use crate::{
     config::Config,
     error::GatewayError,
     gateway::TlsConfig,
-    proto::gateway::{CertificateInfo, DerPayload, LogEntry, gateway_setup_server},
+    proto::{
+        common::{CertificateInfo, DerPayload, LogEntry},
+        gateway::gateway_setup_server,
+    },
 };
 
 const AUTH_HEADER: &str = "authorization";