Add support for license tiers (#1746)

* add tier field to license metadata

* add tier to internal license representation & handle conversion from proto

* change naming convention

* rename feature gate helper

* change naming again

* add license tier validation

* add tests

* add license tier tests

* remove unused import

* fix comment

* pass license tier info to UI

* update inputs

* disable service location mode in network form

* rename helper function

* update location wizard

* update license tests

* Update crates/defguard_core/src/enterprise/license.rs

Co-authored-by: Adam <adam@defguard.net>

* fix comparison

---------

Co-authored-by: Adam <adam@defguard.net>

Author: wojcik91

crates/defguard_core/build.rs

@@ -9,6 +9,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             &["src/enterprise/proto/license.proto"],
             &["src/enterprise/proto"],
         )?;
-    println!("cargo:rerun-if-changed=src/enterprise");
+    println!("cargo:rerun-if-changed=src/enterprise/proto");
     Ok(())
 }

crates/defguard_core/src/auth/mod.rs

@@ -18,7 +18,7 @@ use crate::{
         Group, OAuth2Token, Session, SessionState, User,
         models::{group::Permission, oauth2client::OAuth2Client},
     },
-    enterprise::{db::models::api_tokens::ApiToken, is_enterprise_enabled},
+    enterprise::{db::models::api_tokens::ApiToken, is_business_license_active},
     error::WebError,
     handlers::SESSION_COOKIE_NAME,
 };
@@ -38,7 +38,7 @@ where
         let appstate = AppState::from_ref(state);
 
         // first try to authenticate by API token if one is found in header
-        if is_enterprise_enabled() {
+        if is_business_license_active() {
             let maybe_auth_header: Option<TypedHeader<Authorization<Bearer>>> =
                 <TypedHeader<_> as OptionalFromRequestParts<S>>::from_request_parts(parts, state)
                     .await

crates/defguard_core/src/db/models/wireguard.rs

@@ -40,7 +40,7 @@ use super::{
     wireguard_peer_stats::WireguardPeerStats,
 };
 use crate::{
-    enterprise::{firewall::FirewallError, is_enterprise_enabled},
+    enterprise::{firewall::FirewallError, is_enterprise_license_active},
     grpc::gateway::{send_multiple_wireguard_events, state::GatewayState},
     wg_config::ImportedDevice,
 };
@@ -1335,7 +1335,8 @@ impl WireguardNetwork<Id> {
     /// - Enterprise is enabled
     #[must_use]
     pub fn should_prevent_service_location_usage(&self) -> bool {
-        self.service_location_mode != ServiceLocationMode::Disabled && !is_enterprise_enabled()
+        self.service_location_mode != ServiceLocationMode::Disabled
+            && !is_enterprise_license_active()
     }
 }
 

crates/defguard_core/src/enterprise/activity_log_stream/activity_log_stream_manager.rs

@@ -10,7 +10,7 @@ use super::ActivityLogStreamReconfigurationNotification;
 use crate::enterprise::{
     activity_log_stream::http_stream::{HttpActivityLogStreamConfig, run_http_stream_task},
     db::models::activity_log_stream::{ActivityLogStream, ActivityLogStreamConfig},
-    is_enterprise_enabled,
+    is_business_license_active,
 };
 
 // check if enterprise features are enabled every minute
@@ -27,7 +27,7 @@ pub async fn run_activity_log_stream_manager(
     let mut enterprise_check_timer = interval(Duration::from_secs(ENTERPRISE_CHECK_PERIOD_SECS));
 
     // initialize enterprise features status
-    let mut enterprise_features_enabled = is_enterprise_enabled();
+    let mut enterprise_features_enabled = is_business_license_active();
 
     loop {
         let mut handles = JoinSet::<()>::new();
@@ -94,7 +94,7 @@ pub async fn run_activity_log_stream_manager(
                }
                _ = enterprise_check_timer.tick() => {
                     // check if enterprise features status has changed
-                    let current_enterprise_features_enabled = is_enterprise_enabled();
+                    let current_enterprise_features_enabled = is_business_license_active();
                     if current_enterprise_features_enabled != enterprise_features_enabled {
                         warn!("Activity log stream manager will reload, detected license enterprise features status has changed");
                         enterprise_features_enabled = current_enterprise_features_enabled;

crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs

@@ -1,7 +1,7 @@
 use sqlx::{PgExecutor, Type, query, query_as};
 use struct_patch::Patch;
 
-use crate::enterprise::is_enterprise_enabled;
+use crate::enterprise::is_business_license_active;
 
 #[derive(Debug, Deserialize, Patch, Serialize)]
 #[patch(attribute(derive(Deserialize, Serialize)))]
@@ -35,7 +35,7 @@ impl EnterpriseSettings {
     {
         // avoid holding the rwlock across await, makes the future !Send
         // and therefore unusable in axum handlers
-        if is_enterprise_enabled() {
+        if is_business_license_active() {
             let settings = query_as!(
                 Self,
                 "SELECT admin_device_management, \

crates/defguard_core/src/enterprise/directory_sync/mod.rs

@@ -11,12 +11,12 @@ use sqlx::{PgConnection, PgPool, error::Error as SqlxError};
 use thiserror::Error;
 use tokio::sync::broadcast::Sender;
 
-#[cfg(not(test))]
-use super::is_enterprise_enabled;
 use super::{
     db::models::openid_provider::{DirectorySyncTarget, OpenIdProvider},
     ldap::utils::ldap_update_users_state,
 };
+#[cfg(not(test))]
+use crate::enterprise::is_business_license_active;
 use crate::{
     db::{GatewayEvent, Group, User},
     enterprise::{
@@ -383,7 +383,7 @@ pub(crate) async fn test_directory_sync_connection(
     pool: &PgPool,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping testing directory sync connection");
         return Ok(());
     }
@@ -408,7 +408,7 @@ pub(crate) async fn sync_user_groups_if_configured(
     wg_tx: &Sender<GatewayEvent>,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping syncing user groups");
         return Ok(());
     }
@@ -966,7 +966,7 @@ pub(crate) async fn do_directory_sync(
     wireguard_tx: &Sender<GatewayEvent>,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping performing directory sync");
         return Ok(());
     }

crates/defguard_core/src/enterprise/firewall/mod.rs

@@ -23,7 +23,7 @@ use crate::{
     db::{Device, User, WireguardNetwork},
     enterprise::{
         db::models::{acl::AliasKind, snat::UserSnatBinding},
-        is_enterprise_enabled,
+        is_business_license_active,
     },
 };
 
@@ -903,7 +903,7 @@ impl WireguardNetwork<Id> {
         conn: &mut PgConnection,
     ) -> Result<Option<FirewallConfig>, FirewallError> {
         // do a license check
-        if !is_enterprise_enabled() {
+        if !is_business_license_active() {
             debug!(
                 "Enterprise features are disabled, skipping generating firewall config for \
                 location {self}"

crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs

@@ -6,7 +6,7 @@ use tonic::Status;
 use crate::{
     enterprise::{
         handlers::openid_login::{extract_state_data, user_from_claims},
-        is_enterprise_enabled,
+        is_business_license_active,
     },
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
     grpc::{
@@ -23,7 +23,7 @@ impl ClientMfaServer {
         info: Option<DeviceInfo>,
     ) -> Result<(), Status> {
         debug!("Received OIDC MFA authentication request: {request:?}");
-        if !is_enterprise_enabled() {
+        if !is_business_license_active() {
             error!("OIDC MFA method requires enterprise feature to be enabled");
             return Err(Status::invalid_argument("OIDC MFA method is not supported"));
         }

crates/defguard_core/src/enterprise/grpc/polling.rs

@@ -5,7 +5,7 @@ use tonic::Status;
 
 use crate::{
     db::{Device, User, models::polling_token::PollingToken},
-    enterprise::is_enterprise_enabled,
+    enterprise::is_business_license_active,
     grpc::utils::build_device_config_response,
 };
 
@@ -24,7 +24,7 @@ impl PollingServer {
         debug!("Validating polling token. Token: {token}");
 
         // Polling service is enterprise-only, check the lincense
-        if !is_enterprise_enabled() {
+        if !is_business_license_active() {
             debug!("Instance has enterprise features disabled, denying instance polling info");
             return Err(Status::failed_precondition("no valid license"));
         }

crates/defguard_core/src/enterprise/handlers/mod.rs

@@ -17,7 +17,7 @@ use axum::{
 };
 
 use super::{
-    db::models::enterprise_settings::EnterpriseSettings, is_enterprise_enabled,
+    db::models::enterprise_settings::EnterpriseSettings, is_business_license_active,
     license::get_cached_license,
 };
 use crate::{appstate::AppState, error::WebError};
@@ -37,7 +37,7 @@ where
     type Rejection = WebError;
 
     async fn from_request_parts(_parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
-        if is_enterprise_enabled() {
+        if is_business_license_active() {
             Ok(LicenseInfo { valid: true })
         } else {
             Err(WebError::Forbidden(