From a43de184ee477a184e81b1ec86e8fb4a185a5dfa Mon Sep 17 00:00:00 2001 From: Aleksander <170264518+t-aleksander@users.noreply.github.com> Date: Tue, 16 Jun 2026 11:53:56 +0200 Subject: [PATCH 1/2] filter out --- .../defguard_core/src/grpc/client_version.rs | 56 +++++++++++++++++++ crates/defguard_core/src/grpc/utils.rs | 10 ++++ .../src/servers/enrollment.rs | 6 +- 3 files changed, 71 insertions(+), 1 deletion(-) diff --git a/crates/defguard_core/src/grpc/client_version.rs b/crates/defguard_core/src/grpc/client_version.rs index b1c6c0b8e1..50142c204f 100644 --- a/crates/defguard_core/src/grpc/client_version.rs +++ b/crates/defguard_core/src/grpc/client_version.rs @@ -48,18 +48,21 @@ pub(crate) fn parse_client_version_platform( #[derive(Debug)] pub enum ClientFeature { ServiceLocations, + PostureChecks, } impl ClientFeature { const fn min_version(&self) -> Option { match self { Self::ServiceLocations => Some(Version::new(1, 6, 0)), + Self::PostureChecks => Some(Version::new(2, 1, 0)), } } fn required_os_family(&self) -> Option> { match self { Self::ServiceLocations => Some(vec!["windows"]), + Self::PostureChecks => None, } } @@ -383,4 +386,57 @@ mod tests { "ServiceLocations should not be supported with pre-release version below minimum" ); } + + #[test] + fn test_posture_checks_feature_support() { + // PostureChecks has no OS family requirement, so it should work on any platform + // as long as the client version is at least 2.1.0. + for os_family in ["windows", "macos", "linux"] { + let info = create_device_info( + Some("2.1.0".to_owned()), + Some(ClientPlatformInfo { + os_family: os_family.to_owned(), + ..Default::default() + }), + ); + assert!( + ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), + "PostureChecks should be supported on {os_family} at minimum version" + ); + } + + // Higher version is supported even without platform info. + let info = create_device_info(Some("2.5.0".to_owned()), None); + assert!( + ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), + "PostureChecks should be supported with higher version" + ); + + // Version below minimum is not supported. + let info = create_device_info(Some("2.0.9".to_owned()), None); + assert!( + !ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), + "PostureChecks should not be supported below minimum version" + ); + + // Pre-release below minimum is not supported. + let info = create_device_info(Some("2.1.0-alpha1".to_owned()), None); + assert!( + !ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), + "PostureChecks should not be supported with pre-release version below minimum" + ); + + // Missing version info means the feature is not supported. + let info = create_device_info(None, None); + assert!( + !ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), + "PostureChecks should not be supported without version info" + ); + + // No device info at all means the feature is not supported. + assert!( + !ClientFeature::PostureChecks.is_supported_by_device(None), + "PostureChecks should not be supported without device info" + ); + } } diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs index 462de23579..7f1fd478e0 100644 --- a/crates/defguard_core/src/grpc/utils.rs +++ b/crates/defguard_core/src/grpc/utils.rs @@ -185,6 +185,16 @@ pub async fn build_device_config_response( Status::internal(format!("unexpected error: {err}")) })?; + if device_config.posture_check_required + && !ClientFeature::PostureChecks.is_supported_by_device(device_info.as_ref()) + { + info!( + "Device {} does not support posture checks feature, skipping sending network {} configuration to device {}.", + device.name, network.name, device.name + ); + continue; + } + let config = ProtoDeviceConfig { config: device_config.config, network_id: device_config.network_id, diff --git a/crates/defguard_proxy_manager/src/servers/enrollment.rs b/crates/defguard_proxy_manager/src/servers/enrollment.rs index 2d76b260f0..c5b61ef975 100644 --- a/crates/defguard_proxy_manager/src/servers/enrollment.rs +++ b/crates/defguard_proxy_manager/src/servers/enrollment.rs @@ -857,7 +857,7 @@ impl EnrollmentServer { device.wireguard_pubkey, user.username, user.id, ); - // Don't send them service locations if they don't support it + // Don't send them service locations or posture-checked locations if they don't support it let configs = configs .into_iter() .filter(|config| { @@ -865,6 +865,10 @@ impl EnrollmentServer { || ClientFeature::ServiceLocations .is_supported_by_device(req_device_info.as_ref()) }) + .filter(|config| { + !config.posture_check_required + || ClientFeature::PostureChecks.is_supported_by_device(req_device_info.as_ref()) + }) .collect::>(); let template_locations = configs From e76f91674512f4d578891799df73078645d849e5 Mon Sep 17 00:00:00 2001 From: Aleksander <170264518+t-aleksander@users.noreply.github.com> Date: Tue, 16 Jun 2026 11:56:02 +0200 Subject: [PATCH 2/2] remove one test case --- crates/defguard_core/src/grpc/client_version.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/crates/defguard_core/src/grpc/client_version.rs b/crates/defguard_core/src/grpc/client_version.rs index 50142c204f..987330b486 100644 --- a/crates/defguard_core/src/grpc/client_version.rs +++ b/crates/defguard_core/src/grpc/client_version.rs @@ -419,13 +419,6 @@ mod tests { "PostureChecks should not be supported below minimum version" ); - // Pre-release below minimum is not supported. - let info = create_device_info(Some("2.1.0-alpha1".to_owned()), None); - assert!( - !ClientFeature::PostureChecks.is_supported_by_device(Some(&info)), - "PostureChecks should not be supported with pre-release version below minimum" - ); - // Missing version info means the feature is not supported. let info = create_device_info(None, None); assert!(