Block changing network address if devices are present, fix wizard

crates/defguard_common/src/db/models/device.rs

@@ -333,7 +333,7 @@ impl WireguardNetworkDevice {
             &self.ips_as_network(),
             self.is_authorized,
             self.authorized_at,
-            self.preshared_key
+            self.preshared_key,
         )
         .execute(executor)
         .await?;
@@ -511,6 +511,25 @@ impl WireguardNetworkDevice {
         .fetch_one(executor)
         .await
     }
+
+    /// Check if any device is assigned to a given network.
+    pub async fn has_devices_in_network<'e, E>(
+        executor: E,
+        network_id: Id,
+    ) -> Result<bool, SqlxError>
+    where
+        E: PgExecutor<'e>,
+    {
+        let result = query_scalar!(
+            "SELECT EXISTS(SELECT 1 FROM wireguard_network_device \
+            WHERE wireguard_network_id = $1)",
+            network_id
+        )
+        .fetch_one(executor)
+        .await?;
+
+        Ok(result.unwrap_or(false))
+    }
 }
 
 #[derive(Debug, Error)]

crates/defguard_core/src/enterprise/handlers/openid_login.rs

@@ -672,6 +672,7 @@ pub(crate) async fn auth_callback(
 
 #[cfg(test)]
 mod test {
+    use super::*;
     use crate::{
         enterprise::{
             license::{License, LicenseTier, set_cached_license},
@@ -680,8 +681,6 @@ mod test {
         grpc::proto::enterprise::license::LicenseLimits,
     };
 
-    use super::*;
-
     #[test]
     fn test_prune_username() {
         // Test RemoveForbidden handling

crates/defguard_core/src/enterprise/ldap/tests.rs

@@ -5,19 +5,21 @@ use ldap3::SearchEntry;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use super::*;
-use crate::enterprise::license::{License, LicenseTier, set_cached_license};
-use crate::enterprise::{
-    ldap::{
-        model::{extract_rdn_value, get_users_without_ldap_path, user_from_searchentry},
-        sync::{
-            Authority, compute_group_sync_changes, compute_user_sync_changes,
-            extract_intersecting_users,
+use crate::{
+    enterprise::{
+        ldap::{
+            model::{extract_rdn_value, get_users_without_ldap_path, user_from_searchentry},
+            sync::{
+                Authority, compute_group_sync_changes, compute_user_sync_changes,
+                extract_intersecting_users,
+            },
+            test_client::{LdapEvent, group_to_test_attrs, user_to_test_attrs},
         },
-        test_client::{LdapEvent, group_to_test_attrs, user_to_test_attrs},
+        license::{License, LicenseTier, set_cached_license},
+        limits::get_counts,
     },
-    limits::get_counts,
+    grpc::proto::enterprise::license::LicenseLimits,
 };
-use crate::grpc::proto::enterprise::license::LicenseLimits;
 
 const PASSWORD: &str = "test_password";
 

crates/defguard_core/src/handlers/gateway.rs

@@ -1,7 +1,6 @@
 use axum::{
     Json,
-    extract::rejection::JsonRejection,
-    extract::{Path, State},
+    extract::{Path, State, rejection::JsonRejection},
 };
 use chrono::NaiveDateTime;
 use defguard_common::db::{Id, models::gateway::Gateway};

crates/defguard_core/src/handlers/wireguard.rs

@@ -50,6 +50,7 @@ pub(crate) struct WireguardNetworkInfo {
     network: WireguardNetwork<Id>,
     gateways: Vec<GatewayInfo>,
     allowed_groups: Vec<String>,
+    has_devices: bool,
 }
 
 #[derive(Deserialize, Serialize, ToSchema)]
@@ -325,8 +326,20 @@ pub(crate) async fn modify_network(
     let mut network = find_network(network_id, &appstate.pool).await?;
     // store network before mods
     let before = network.clone();
-    network.address = data.parse_addresses()?;
+    let new_addresses = data.parse_addresses()?;
 
+    // Block network address changes if any device is assigned to the network
+    if before.address != new_addresses
+        && WireguardNetworkDevice::has_devices_in_network(&appstate.pool, network_id).await?
+    {
+        return Err(WebError::BadRequest(
+            "Cannot change network address while devices are assigned to this network. \
+             Remove all devices first."
+                .into(),
+        ));
+    }
+
+    network.address = new_addresses;
     network.allowed_ips = data.parse_allowed_ips();
     network.name = data.name;
 
@@ -473,10 +486,13 @@ pub(crate) async fn list_networks(_role: AdminRole, State(appstate): State<AppSt
     for network in networks {
         let allowed_groups = network.fetch_allowed_groups(&appstate.pool).await?;
         let gateways = GatewayInfo::find_by_location_id(&appstate.pool, network.id).await?;
+        let has_devices =
+            WireguardNetworkDevice::has_devices_in_network(&appstate.pool, network.id).await?;
         network_info.push(WireguardNetworkInfo {
             network,
             gateways,
             allowed_groups,
+            has_devices,
         });
     }
     debug!("Listed WireGuard networks");
@@ -519,10 +535,13 @@ pub(crate) async fn network_details(
         Some(network) => {
             let allowed_groups = network.fetch_allowed_groups(&appstate.pool).await?;
             let gateways = GatewayInfo::find_by_location_id(&appstate.pool, network_id).await?;
+            let has_devices =
+                WireguardNetworkDevice::has_devices_in_network(&appstate.pool, network_id).await?;
             let network_info = WireguardNetworkInfo {
                 network,
                 gateways,
                 allowed_groups,
+                has_devices,
             };
             ApiResponse::json(network_info, StatusCode::OK)
         }