add mTLS for gateway & proxy communication#2726

Merged
wojcik91 merged 48 commits into release/2.0 from mtls on Apr 21, 2026
Conversation


@wojcik91 wojcik91 commented Apr 16, 2026

Generate and store core client certificates during component setup.
Those certs are then sent to the gateway/proxy along with the CA cert so they can validate client identity.

Related #2695

Needs DefGuard/proto#74

@wojcik91 wojcik91 self-assigned this Apr 16, 2026

Copilot AI left a comment

Pull request overview

Implements mutual TLS for Core↔Gateway/Proxy gRPC by provisioning a per-component Core client certificate during setup/adoption, persisting it in Core’s DB, and updating Core’s managers/clients to present that certificate for mTLS authentication.

Changes:

  • Add DB schema support for per-component Core gRPC client cert/key material and rename component cert pin field to certificate_serial.
  • Update setup/auto-adoption flows and Core→Proxy/Gateway connection code to use new CertBundle + mTLS channels (incl. CSR hostname verification).
  • Refactor/expand integration and manager tests (timeouts/constants reuse, new wizard init coverage), and add server-side interceptor utilities in defguard_grpc_tls.

Reviewed changes

Copilot reviewed 71 out of 83 changed files in this pull request and generated 5 comments.

File Description
migrations/20260414120000_[2.0.0]_core_grpc_cert.up.sql Renames certificate → certificate_serial and adds Core client cert/key/expiry columns.
migrations/20260414120000_[2.0.0]_core_grpc_cert.down.sql Reverts column rename and drops Core client cert/key/expiry columns.
crates/defguard_setup/tests/integration/wizard_state.rs Test import/module adjustments and model access cleanup.
crates/defguard_setup/tests/integration/wizard_init.rs New integration tests covering wizard initialization scenarios.
crates/defguard_setup/tests/integration/session_info.rs Consolidates common test helpers import path.
crates/defguard_setup/tests/integration/migration_wizard.rs Uses shared shutdown timeout and tokio::time::timeout import.
crates/defguard_setup/tests/integration/main.rs New test module entrypoint wiring integration test modules.
crates/defguard_setup/tests/integration/initial_setup.rs Uses shared constants and standardized timeout handling.
crates/defguard_setup/tests/integration/common.rs Introduces shared SHUTDOWN_TIMEOUT and SESSION_COOKIE_NAME for tests.
crates/defguard_setup/tests/integration/auto_wizard_url_settings.rs Updates cert generation API and shared test constants.
crates/defguard_setup/tests/integration/auto_adoption_wizard.rs Uses new adoption component enum import + shared timeouts/constants.
crates/defguard_setup/src/auto_adoption.rs Issues/stores Core client certs during adoption and sends CertBundle to components.
crates/defguard_proxy_manager/src/tests/proxy_manager/manager.rs Comment/style updates (dash normalization) in tests.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/support.rs Reuses shared receive timeout constant; minor cleanup.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/polling.rs Comment/style updates in tests.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/password_reset.rs Standardizes timeout import usage in tests.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/oidc.rs Comment/style updates in tests.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/mfa.rs Reuses shared receive timeout constant; minor test cleanup.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/enrollment.rs Comment/style updates in tests.
crates/defguard_proxy_manager/src/tests/proxy_manager/handler/acme.rs Uses shared receive timeout constant; comment/style updates.
crates/defguard_proxy_manager/src/tests/common/mod.rs Adds shared RECEIVE_TIMEOUT and standardizes sleep usage.
crates/defguard_proxy_manager/src/handler.rs Switches Core→Proxy connection to mTLS and improves shutdown responsiveness during backoff.
crates/defguard_proxy_manager/src/certs.rs Updates cert refresh to use certificate_serial.
crates/defguard_mail/src/tests.rs Reuses shared send delay constant and sleep import.
crates/defguard_grpc_tls/src/server.rs New server-side interceptor for enforcing client cert serial on incoming RPCs.
crates/defguard_grpc_tls/src/lib.rs Exposes new server module.
crates/defguard_grpc_tls/src/certs.rs Adds server TLS config helper; updates client config for mTLS; adds proxy_mtls_channel.
crates/defguard_grpc_tls/Cargo.toml Adds dependencies required for new TLS/channel utilities (e.g., tonic, hyper-rustls).
crates/defguard_gateway_manager/src/tests/common/mod.rs Standardizes sleep usage in gateway manager tests.
crates/defguard_gateway_manager/src/lib.rs Standardizes sleep import usage.
crates/defguard_gateway_manager/src/handler.rs Updates Core→Gateway TLS client config to require/present Core client cert + key.
crates/defguard_gateway_manager/src/certs.rs Updates cert refresh logic and tests to use certificate_serial.
crates/defguard_core/tests/integration/api/user.rs Comment/style update in tests.
crates/defguard_core/tests/integration/api/proxy_certs.rs Standardizes sleep usage and imports in tests.
crates/defguard_core/tests/integration/api/enrollment.rs Comment/style update in tests.
crates/defguard_core/tests/integration/api/common/mod.rs Updates cert generation helper to new signing API.
crates/defguard_core/tests/integration/api/auth.rs Comment/style update in tests.
crates/defguard_core/tests/integration/api/acl/rules.rs Standardizes sleep usage/imports and comment style.
crates/defguard_core/tests/integration/api/acl/destinations.rs Standardizes sleep usage/imports in tests.
crates/defguard_core/tests/integration/api/acl/aliases.rs Standardizes sleep usage/imports in tests.
crates/defguard_core/src/support.rs Redacts ldap_bind_password in support config dump output.
crates/defguard_core/src/handlers/mail.rs Updates support-data payload to use certificate_serial.
crates/defguard_core/src/handlers/gateway.rs Updates gateway listing queries/struct to expose certificate_serial.
crates/defguard_core/src/handlers/component_setup.rs Sends CertBundle, validates CSR hostname, provisions Core client certs, and uses mTLS for ACME trigger.
crates/defguard_core/src/enterprise/ldap/utils.rs Comment/style update.
crates/defguard_core/src/enterprise/ldap/tests.rs Comment/style updates in tests.
crates/defguard_core/src/enrollment_management.rs Comment/style update.
crates/defguard_core/src/cert_settings.rs Updates cert signing calls to sign_server_cert.
crates/defguard_core/src/auth/mod.rs Avoids logging raw API token values in debug logs.
crates/defguard_core/Cargo.toml Adds defguard_grpc_tls (and hyper-rustls) dependency.
crates/defguard_common/src/types/proxy.rs Renames certificate field to certificate_serial in proxy API type.
crates/defguard_common/src/db/models/user.rs Comment/style update in tests.
crates/defguard_common/src/db/models/setup_auto_adoption.rs Switches to query! macro for state clearing update.
crates/defguard_common/src/db/models/proxy.rs Renames cert field, adds Core client cert/key fields (serde-skipped), and adjusts list query projections.
crates/defguard_common/src/db/models/migration_wizard.rs Switches to query! macro and adjusts parameter passing.
crates/defguard_common/src/db/models/initial_setup_wizard.rs Switches to query! macro for state clearing update.
crates/defguard_common/src/db/models/gateway.rs Renames cert field and adds Core client cert/key fields (serde-skipped) + custom Debug redaction.
crates/defguard_certs/src/lib.rs Splits signing into server vs client cert EKUs, adds CSR hostname verification, and adds Core client cert issuance helper.
Cargo.lock Locks new dependency additions.
.sqlx/query-fff6c48d97533e3b6b82954925f0ac762ebb9bfcedbc24a104c7237802e3a70b.json New sqlx metadata for wizard migration state update query.
.sqlx/query-fa84c8e5a9db1d10c78a73e7eef6c942054e73522b9814323391009adfbd5e69.json New/updated sqlx metadata for gateway mark-disconnected query.
.sqlx/query-f2eab45b5d87910672e8970e662b99e657fce3a80d9eb42760728db17d8d844e.json New sqlx metadata for auto-adoption wizard state clear query.
.sqlx/query-f0bd5b48faffc4152e2683d4aecfcfb5a2496f961ead8474e8ed5e290cabec85.json Updates proxy update query metadata for renamed cert + new client cert fields.
.sqlx/query-eb50eae3a1786cf685b8ec084e905afc8c9c0ae34ffe29bf6adb2a89f1ae6edb.json Updates proxy-by-id select metadata for renamed cert + new client cert fields.
.sqlx/query-d9dc6788c19efa7b1ec9060651398e85a165c0e03167abd4940b248e8d29ccf1.json Updates proxy paginated select metadata for renamed cert + new client cert fields.
.sqlx/query-d4c6847ef8197f425c3cb19964509f11c97ab5d68c7ccd1c173aa8212a659770.json Updates gateway-by-id select metadata for renamed cert + new client cert fields.
.sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json Updates gateway list/select metadata for renamed cert + new client cert fields.
.sqlx/query-a05a752af1643a1d9f9b9544df2055218f9c51b0ae143a9a1c5ff9e13dab9c75.json Updates gateway insert metadata for renamed cert + new client cert fields.
.sqlx/query-9ec638cdabc0500b54cedc5ba18c7745a48080f1e8faa7f7bf7ffae65f2b6ebf.json Updates gateway info query metadata to match explicit projection with certificate_serial.
.sqlx/query-93a4240e469c663e4038cee30aa9c81e888b03cb8d158ed3770a4bc19bae6b22.json Updates gateway select-all metadata for renamed cert + new client cert fields.
.sqlx/query-8d142b160cee06ddc6b3578b3808d731e8c60d5284b8a7ed29b1e32601b667f6.json Updates proxy select-all metadata for renamed cert + new client cert fields.
.sqlx/query-8a9afd0b7e2f96be85230b35190fab658d841589e7670a4b3fcbc9d53cd1c250.json Updates proxy info list projection metadata (explicit columns, certificate_serial).
.sqlx/query-702eeefc7607721e6bf4e84fad0c21c8ee0fe9d2cf0b574332bddc24a0ab4a37.json Updates gateway update metadata for renamed cert + new client cert fields.
.sqlx/query-6c0570ec090a92e22b111cdbb131c07340f6c0993ac4aef58cea272ff3c27ef8.json Updates gateway paginated select metadata for renamed cert + new client cert fields.
.sqlx/query-4d9c4562a138038ba054b5b83b646341ee18e24f0d32399e6ce2ebaedef64cea.json Updates gateway select metadata for renamed cert + new client cert fields.
.sqlx/query-4b6305c0cc7e4bff7f918f9113dcbe02cd4b54d4ec042f238c854637a6b101d0.json Updates gateway info list query metadata to match explicit projection with certificate_serial.
.sqlx/query-3f61241d9934c717b7c5f89047333d1c3f2b3a4f20a93089bad74a8d560b1843.json New sqlx metadata for proxy mark-disconnected query.
.sqlx/query-3c6a119f2f10046bd9e42314df953a0a0b3b44d0a87d43f69425729c15e1a400.json Updates gateway select metadata for renamed cert + new client cert fields.
.sqlx/query-304b0e9ef4c04cc998581114f043b3b3fccb2d956776dbb409d157cb53b2b8ac.json New sqlx metadata for initial setup wizard state clear query.
.sqlx/query-2ff663d549b92de999cf87960dd3afda3fb17e9b28034593b960dcb3856460c0.json Updates proxy insert metadata for renamed cert + new client cert fields.
.sqlx/query-2ce93887379d80ff03753caaf94ec1ab4c6f0ead212fc74bb881e1d5c0d96080.json Updates proxy select metadata for renamed cert + new client cert fields.
.sqlx/query-27e7e18a7014af541fe5f8f051f78d61eebe6a79945324e98ca452b50d6abc90.json Updates proxy select metadata for renamed cert + new client cert fields.
Files not reviewed (10)
  • .sqlx/query-27e7e18a7014af541fe5f8f051f78d61eebe6a79945324e98ca452b50d6abc90.json: Language not supported
  • .sqlx/query-2ce93887379d80ff03753caaf94ec1ab4c6f0ead212fc74bb881e1d5c0d96080.json: Language not supported
  • .sqlx/query-304b0e9ef4c04cc998581114f043b3b3fccb2d956776dbb409d157cb53b2b8ac.json: Language not supported
  • .sqlx/query-3c6a119f2f10046bd9e42314df953a0a0b3b44d0a87d43f69425729c15e1a400.json: Language not supported
  • .sqlx/query-3f61241d9934c717b7c5f89047333d1c3f2b3a4f20a93089bad74a8d560b1843.json: Language not supported
  • .sqlx/query-4d9c4562a138038ba054b5b83b646341ee18e24f0d32399e6ce2ebaedef64cea.json: Language not supported
  • .sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json: Language not supported
  • .sqlx/query-f2eab45b5d87910672e8970e662b99e657fce3a80d9eb42760728db17d8d844e.json: Language not supported
  • .sqlx/query-fa84c8e5a9db1d10c78a73e7eef6c942054e73522b9814323391009adfbd5e69.json: Language not supported
  • .sqlx/query-fff6c48d97533e3b6b82954925f0ac762ebb9bfcedbc24a104c7237802e3a70b.json: Language not supported
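The trust layout that the description and the review summary above refer to (a CA-issued client cert for Core, separate server and client EKUs, and a pinned certificate_serial checked on the receiving side), as an added example that is not DefGuard's code: it uses the openssl CLI in place of the Rust helpers in defguard_certs, and every hostname, name and serial in it is constructed.

```shell
#!/bin/sh
# Added example, not DefGuard code. One CA issues the gateway a server cert
# (serverAuth EKU) and Core a client cert (clientAuth EKU). The gateway side
# then accepts a presented client cert only if it chains to that CA, its EKU
# permits TLS client use, and its serial equals the one pinned at setup (the
# PR's certificate_serial). Names, hostnames and serials are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# CA: self-signed, with explicit CA extensions (does not depend on openssl.cnf)
make_ca() {
  openssl req -new $KEYOPTS -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=demo-ca" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf issued by the CA: $1=name $2=EKU (serverAuth|clientAuth) $3=serial $4=SAN
issue_leaf() {
  openssl req -new $KEYOPTS -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$2" "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "$3" -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Gateway side: the cert must chain to the trusted CA and be usable as a TLS client
chains_as_client() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/$1.pem" >/dev/null 2>&1
}
cert_serial() { openssl x509 -in "$WORK/$1.pem" -noout -serial | cut -d= -f2; }
# Full decision: chain/EKU check and the pinned serial must both hold
accept_client() { chains_as_client "$1" && [ "$(cert_serial "$1")" = "$2" ]; }

make_ca
issue_leaf gateway serverAuth 0x1001 gateway.example      # gateway's server cert
issue_leaf core-client clientAuth 0x2001 core.example     # Core's client cert
issue_leaf other-client clientAuth 0x2002 core.example    # same CA, different serial
PINNED=$(cert_serial core-client)   # what Core stores at setup as certificate_serial

accept_client core-client "$PINNED" && echo "core-client: accepted"
accept_client other-client "$PINNED" || echo "other-client: rejected (serial not pinned)"
accept_client gateway "$PINNED" || echo "gateway cert as client: rejected (EKU)"
```

The third rejection is the EKU split from defguard_certs in miniature: a cert issued for the server role does not pass a client-purpose check even though it chains to the same CA.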

@wojcik91 wojcik91 dismissed j-chmielewski’s stale review April 21, 2026 10:04

Already fixed, not sure why GH still shows this as requested changes

@wojcik91 wojcik91 merged commit 8ac70d3 into release/2.0 Apr 21, 2026
13 checks passed
@wojcik91 wojcik91 deleted the mtls branch April 21, 2026 10:05