wip check remote component version in server middleware

j-chmielewski · j-chmielewski · commit fb349909d032 · 2025-08-25T10:46:45.000+02:00
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
@@ -51,6 +51,8 @@ use self::{
     interceptor::JwtInterceptor, proto::worker::worker_service_server::WorkerServiceServer,
     worker::WorkerServer,
 };
+#[cfg(feature = "wireguard")]
+use crate::version::MIN_GATEWAY_VERSION;
 use crate::{
     VERSION,
     auth::failed_login::FailedLoginMap,
@@ -983,7 +985,11 @@ pub async fn run_grpc_server(
     #[cfg(feature = "wireguard")]
     let router = router.add_service(
         ServiceBuilder::new()
-            .layer(DefguardVersionLayer::new(Version::parse(VERSION)?))
+            .layer(DefguardVersionLayer::new(
+                Version::parse(VERSION)?,
+                DefguardComponent::Gateway,
+                MIN_GATEWAY_VERSION,
+            ))
             .service(gateway_service),
     );
     #[cfg(feature = "worker")]
diff --git a/crates/defguard_core/src/version.rs b/crates/defguard_core/src/version.rs
@@ -1,7 +1,7 @@
 use defguard_version::Version;
 
-const MIN_PROXY_VERSION: Version = Version::new(1, 5, 0);
-const MIN_GATEWAY_VERSION: Version = Version::new(1, 6, 0);
+const MIN_PROXY_VERSION: Version = Version::new(1, 6, 0);
+pub const MIN_GATEWAY_VERSION: Version = Version::new(1, 6, 0);
 
 /// Checks if the proxy version meets minimum version requirements.
 pub(crate) fn is_proxy_version_supported(version: Option<&Version>) -> bool {
diff --git a/crates/defguard_version/src/server.rs b/crates/defguard_version/src/server.rs
@@ -25,7 +25,7 @@
 //!     .service(my_grpc_service);
 //! ```
 
-use http::HeaderValue;
+use http::{HeaderMap, HeaderValue};
 use std::{
     future::Future,
     pin::Pin,
@@ -37,8 +37,11 @@ use tonic::{
     server::NamedService,
 };
 use tower::{Layer, Service};
+use tracing::{error, info, warn};
 
-use crate::{ComponentInfo, SYSTEM_INFO_HEADER, VERSION_HEADER};
+use crate::{
+    ComponentInfo, DefguardComponent, SYSTEM_INFO_HEADER, SystemInfo, VERSION_HEADER, Version,
+};
 
 /// A tower `Layer` that adds Defguard version and system information headers to gRPC responses.
 ///
@@ -53,6 +56,8 @@ use crate::{ComponentInfo, SYSTEM_INFO_HEADER, VERSION_HEADER};
 #[derive(Clone)]
 pub struct DefguardVersionLayer {
     component_info: ComponentInfo,
+    remote_component: DefguardComponent,
+    remote_component_min_version: Version,
 }
 
 impl DefguardVersionLayer {
@@ -66,9 +71,15 @@ impl DefguardVersionLayer {
     ///
     /// * `Ok(DefguardVersionLayer)` - A new layer instance
     /// * `Err(DefguardVersionError)` - If the version string cannot be parsed
-    pub fn new(version: crate::Version) -> Self {
+    pub fn new(
+        version: Version,
+        remote_component: DefguardComponent,
+        remote_component_min_version: Version,
+    ) -> Self {
         Self {
             component_info: ComponentInfo::new(version),
+            remote_component,
+            remote_component_min_version,
         }
     }
 }
@@ -80,6 +91,8 @@ impl<S> Layer<S> for DefguardVersionLayer {
         DefguardVersionService {
             inner,
             component_info: self.component_info.clone(),
+            remote_component: self.remote_component.clone(),
+            remote_component_min_version: self.remote_component_min_version.clone(),
         }
     }
 }
@@ -102,6 +115,55 @@ impl<S> Layer<S> for DefguardVersionLayer {
 pub struct DefguardVersionService<S> {
     inner: S,
     component_info: ComponentInfo,
+    remote_component: DefguardComponent,
+    remote_component_min_version: Version,
+}
+
+impl<S> DefguardVersionService<S> {
+    /// Checks if remote component version meets minimum version requirements.
+    fn is_version_supported(&self, version: Option<&Version>) -> bool {
+        let Some(version) = version else {
+            error!(
+                "Missing core component version information. This most likely means that core component uses unsupported version."
+            );
+            return false;
+        };
+        if version < &self.remote_component_min_version {
+            error!(
+                "{} version {version} is not supported. Minimal supported {} version is {}.",
+                self.remote_component, self.remote_component, self.remote_component_min_version
+            );
+            return false;
+        }
+
+        info!("{} version {version} is supported", self.remote_component);
+        true
+    }
+
+    pub fn parse_headers(metadata: &HeaderMap) -> Option<ComponentInfo> {
+        let Some(version) = metadata.get(VERSION_HEADER) else {
+            warn!("Missing version header");
+            return None;
+        };
+        let Some(system) = metadata.get(SYSTEM_INFO_HEADER) else {
+            warn!("Missing system info header");
+            return None;
+        };
+        let (Ok(version), Ok(system)) = (version.to_str(), system.to_str()) else {
+            warn!("Failed to stringify version or system info header value");
+            return None;
+        };
+        let Ok(version) = Version::parse(version) else {
+            warn!("Failed to parse version: {version}");
+            return None;
+        };
+        let Ok(system) = SystemInfo::try_from_header_value(system) else {
+            warn!("Failed to parse system info: {system}");
+            return None;
+        };
+
+        Some(ComponentInfo { version, system })
+    }
 }
 
 impl<S, B> Service<Request<Body>> for DefguardVersionService<S>
@@ -136,7 +198,15 @@ where
                 .ok(),
         );
 
+        // Check remote component version
+        let maybe_info = Self::parse_headers(request.headers());
+        let version = maybe_info.as_ref().map(|info| &info.version);
+        let is_remote_version_supported = self.is_version_supported(version);
         Box::pin(async move {
+			if !is_remote_version_supported {
+				// TODO: return error response
+				error!("REMOTE VERSION NOT SUPPORTED");
+			}
             // Process the request with the inner service first
             let mut response = inner.call(request).await?;
 
