Devolutions
diff --git a/‎Cargo.lock‎
Lines changed: 306 additions & 87 deletions b/‎Cargo.lock‎
Lines changed: 306 additions & 87 deletions
diff --git a/‎PROTOCOL.md‎
Lines changed: 294 additions & 0 deletions b/‎PROTOCOL.md‎
Lines changed: 294 additions & 0 deletions
@@ -0,0 +1,294 @@
+# QUIC Agent Tunnel Protocol
+
+## Overview
+
+The agent tunnel enables Devolutions Gateway to proxy RDP/SSH/Kerberos connections through agents deployed in private networks.
+Agents connect **outbound** to the gateway — no inbound firewall rules needed.
+The tunnel uses QUIC (via Cloudflare's quiche library) with mutual TLS for transport.
+
+## Trust Model
+
+### Private PKI
+
+The gateway runs its own Certificate Authority (CA).
+No system trust store or public CA is involved.
+
+```
+Gateway CA (ECDSA P-256, self-signed, 10-year validity)
+  ├── Server Cert (signed by CA, 1-year validity, SAN = gateway hostname)
+  ├── Agent Cert A (signed by CA, 1-year validity, SAN = urn:uuid:{agent_id})
+  └── Agent Cert B (signed by CA, 1-year validity, SAN = urn:uuid:{agent_id})
+```
+
+The CA is generated automatically on first gateway startup.
+Agent certificates are issued during enrollment.
+
+### CSR-Based Enrollment (Private Key Never Leaves Agent)
+
+```
+Agent                                      Gateway
+  │                                           │
+  │  Generate ECDSA P-256 key pair locally    │
+  │  Generate CSR (contains public key only)  │
+  │  Write private key to disk immediately    │
+  │                                           │
+  │── POST /jet/agent-tunnel/enroll ─────────>│
+  │   Bearer: <enrollment-token>              │
+  │   Body: { agent_name, csr_pem }           │
+  │                                           │  Verify CSR signature
+  │                                           │  Extract public key from CSR
+  │                                           │  Generate agent UUID
+  │                                           │  Sign cert with CA (embed UUID in SAN)
+  │                                           │
+  │<──────────────────────────────────────────│
+  │   { agent_id, client_cert_pem,            │
+  │     gateway_ca_cert_pem, quic_endpoint }  │
+  │                                           │
+  │  Write cert + CA cert to disk             │
+  │                                           │
+  │  Private key NEVER transmitted            │
+```
+
+The enrollment token is either:
+- A **one-time token** (UUID, 122-bit entropy) generated by the gateway webapp/DVLS — consumed on use, cannot be replayed.
+- A **static secret** configured in gateway.json — compared in constant time.
+
+The enrollment endpoint (`/jet/agent-tunnel/enroll`) bypasses the normal JWT auth middleware and uses its own Bearer token validation.
+
+## Transport: QUIC over UDP
+
+### Why QUIC
+
+- **Outbound-only** — agent initiates the connection, traverses NAT/firewalls.
+- **Built-in TLS 1.3** — mutual authentication is part of the QUIC handshake, not a separate layer.
+- **Stream multiplexing** — one connection carries many independent bidirectional streams without head-of-line blocking.
+- **Connection migration** — IP changes don't break the connection (disabled in our config for simplicity).
+
+### QUIC Configuration
+
+Both sides configure matching transport parameters:
+
+| Parameter | Value | Why |
+|---|---|---|
+| `max_idle_timeout` | 120,000 ms | Close connection after 2 min of silence. |
+| `max_recv/send_udp_payload_size` | 1,350 bytes | Conservative MTU to avoid fragmentation. |
+| `initial_max_data` | 10 MB | Total connection-level flow control window. |
+| `initial_max_stream_data_bidi_local` | 1 MB | Per-stream flow control (locally-opened streams). |
+| `initial_max_stream_data_bidi_remote` | 1 MB | Per-stream flow control (remotely-opened streams). |
+| `initial_max_streams_bidi` | 100 | Max concurrent bidirectional streams. |
+| `disable_active_migration` | true | Don't migrate on IP change. |
+
+ALPN protocol identifier: `devolutions-agent-tunnel`
+
+### mTLS Handshake
+
+```
+Agent                                      Gateway
+  │                                           │
+  │── QUIC Initial (ClientHello) ────────────>│
+  │   Client cert: agent-{uuid}-cert.pem      │
+  │                                           │
+  │<──── QUIC Handshake (ServerHello) ────────│
+  │      Server cert: agent-tunnel-server.pem  │
+  │                                           │
+  │  Verify: server cert signed by CA?         │  Verify: client cert signed by CA?
+  │  (using gateway-ca.pem from enrollment)    │  (using own CA cert)
+  │                                           │  Extract agent UUID from SAN
+  │                                           │  Register in AgentRegistry
+  │                                           │
+  │  QUIC connection established               │
+```
+
+Both sides call `verify_peer(true)`.
+A rogue agent cannot connect without a CA-signed certificate.
+A rogue server cannot impersonate the gateway without the CA-signed server certificate.
+
+## Stream Model
+
+QUIC provides multiplexed bidirectional streams on a single connection.
+Stream IDs follow the QUIC specification:
+
+| ID pattern | Initiator | Type | Usage |
+|---|---|---|---|
+| 0, 4, 8, … | Client (agent) | Bidirectional | Control stream (stream 0 only) |
+| 1, 5, 9, … | Server (gateway) | Bidirectional | Session proxy streams |
+
+### Stream 0: Control Stream
+
+Always open.
+Carries periodic control messages between agent and gateway.
+
+### Streams 1, 5, 9, …: Session Proxy Streams
+
+One stream per proxied connection (RDP session, SSH session, etc.).
+Gateway opens the stream and sends a `ConnectMessage`.
+After setup, the stream carries raw TCP bytes bidirectionally.
+
+## Message Encoding
+
+All messages use **length-prefixed bincode**:
+
+```
+┌─────────────────────────┬──────────────────────────────┐
+│ 4 bytes (big-endian u32)│ N bytes (bincode payload)    │
+│ message_length = N      │                              │
+└─────────────────────────┴──────────────────────────────┘
+```
+
+bincode is a compact binary serialization format native to Rust's serde ecosystem.
+No schema files needed — types are defined directly in Rust structs.
+
+### Size Limits
+
+| Message type | Max size | Enforced where |
+|---|---|---|
+| Control messages | 1 MiB (`MAX_CONTROL_MESSAGE_SIZE`) | Gateway + Agent |
+| Session messages | 64 KiB (`MAX_SESSION_MESSAGE_SIZE`) | Gateway + Agent |
+
+The length prefix is checked **before** deserialization.
+bincode deserialization is bounded with `bincode::options().with_limit()` to prevent crafted payloads with huge internal `Vec` lengths from causing OOM.
+
+## Control Messages (Stream 0)
+
+```rust
+enum ControlMessage {
+    RouteAdvertise {
+        protocol_version: u16,            // Currently 2
+        epoch: u64,                       // Route data version number
+        subnets: Vec<Ipv4Network>,        // e.g. [10.0.0.0/8, 192.168.1.0/24]
+        domains: Vec<DomainAdvertisement>, // e.g. [{domain: "contoso.local", auto_detected: true}]
+    },
+    Heartbeat {
+        timestamp_ms: u64,       // Agent's current time (ms since epoch)
+        active_stream_count: u32, // Number of active proxy sessions
+    },
+    HeartbeatAck {
+        timestamp_ms: u64,       // Echo back agent's timestamp (for RTT calculation)
+    },
+}
+```
+
+### RouteAdvertise
+
+Tells the gateway what networks and domains this agent can reach.
+
+- Sent immediately after handshake with `epoch=1`.
+- Re-sent every 30 seconds with the same epoch (gateway refreshes `last_seen`, does not update routes).
+- If route data changes, epoch is incremented (gateway replaces old routes).
+- Stale epochs (older than current) are ignored.
+
+**Domain auto-detection:**
+- Windows: reads `USERDNSDOMAIN` environment variable, falls back to `GetComputerNameExW(ComputerNameDnsDomain)`.
+- Linux: parses `/etc/resolv.conf` for `search` or `domain` directives.
+- Auto-detected domains are tagged `auto_detected: true`.
+
+### Heartbeat / HeartbeatAck
+
+- Agent sends `Heartbeat` every 60 seconds.
+- Gateway replies with `HeartbeatAck` echoing the timestamp.
+- Agent computes `RTT = now - echoed_timestamp`.
+- Gateway uses heartbeat to update `last_seen`.
+- Agent offline threshold: 90 seconds without heartbeat.
+
+## Session Messages (Streams 1, 5, 9, …)
+
+### ConnectMessage (Gateway → Agent)
+
+```rust
+struct ConnectMessage {
+    session_id: Uuid,   // Unique session identifier
+    target: String,     // e.g. "10.0.0.5:3389" or "dc01.contoso.local:88"
+}
+```
+
+Gateway opens a new server-initiated bidirectional stream and sends this message.
+
+### ConnectResponse (Agent → Gateway)
+
+```rust
+enum ConnectResponse {
+    Success,
+    Error { code: u16, reason: String },
+}
+```
+
+### After ConnectResponse::Success
+
+The stream becomes a **raw byte pipe** — no more framing.
+Every byte written to one end comes out the other end, in order.
+This carries the actual protocol traffic (RDP, SSH, Kerberos, etc.).
+
+```
+Browser ↔ WebSocket ↔ Gateway ↔ QUIC stream ↔ Agent ↔ TCP ↔ Target
+```
+
+## Session Proxy Flow (Complete)
+
+```
+1. User opens SSH session to 10.0.0.5 in webapp
+2. Webapp gets session token (JWT with destination=10.0.0.5:22)
+3. Browser opens WebSocket to /jet/fwd/tcp/{session_id}
+4. Gateway routing: 10.0.0.5 matches agent's 10.0.0.0/8 subnet
+5. Gateway opens QUIC stream (stream_id=1) to agent
+6. Gateway sends ConnectMessage { session_id, target: "10.0.0.5:22" }
+7. Agent receives ConnectMessage on stream 1
+8. Agent validates: 10.0.0.5 is in its advertised 10.0.0.0/8? YES
+9. Agent connects TCP to 10.0.0.5:22
+10. Agent sends ConnectResponse::Success
+11. Bidirectional data flow:
+    Browser → WS → Gateway → QUIC stream 1 → Agent → TCP → SSH server
+    SSH server → TCP → Agent → QUIC stream 1 → Gateway → WS → Browser
+```
+
+## Agent Subnet Validation
+
+When the agent receives a `ConnectMessage`, it:
+
+1. DNS-resolves the target hostname to IP addresses.
+2. Filters: only keep IPs that fall within the agent's configured `advertise_subnets`.
+3. IPv6 addresses are dropped (only IPv4 subnet matching is supported).
+4. If no reachable IPs remain → `ConnectResponse::Error` ("target not in advertised subnets").
+5. Otherwise → TCP connect to the first reachable IP.
+
+This prevents a compromised gateway from using the agent as an open proxy to arbitrary hosts.
+
+## Auto-Reconnect
+
+The agent's tunnel task runs an outer reconnection loop:
+
+```
+loop {
+    let start = now();
+    match run_single_connection().await {
+        Ok(()) => return;     // Graceful shutdown
+        Err(e) => log(e);     // Connection lost
+    }
+    if elapsed > 30s { backoff = 1s; }  // Was working, reset
+    sleep(backoff);                      // Respect shutdown signal
+    backoff = (backoff * 2 * jitter).min(60s);
+}
+```
+
+- Initial backoff: 1 second.
+- Max backoff: 60 seconds.
+- Jitter: ±25% to prevent thundering herd.
+- Backoff resets after 30 seconds of stable connection.
+- Shutdown signal is checked during backoff sleep.
+- Each reconnection re-reads config (supports config changes) and re-resolves DNS.
+
+## Security Measures Summary
+
+| Measure | Where |
+|---|---|
+| mTLS (mutual certificate verification) | QUIC handshake |
+| Private PKI (no system trust store) | cert.rs |
+| CSR-based enrollment (key never leaves agent) | enrollment.rs, cert.rs |
+| One-time enrollment tokens (122-bit UUID) | enrollment_store.rs |
+| Constant-time secret comparison | agent_enrollment.rs |
+| Agent subnet validation (no open proxy) | tunnel.rs |
+| Bounded bincode deserialization | connection.rs, tunnel.rs |
+| Buffer size limits on control/proxy streams | connection.rs |
+| Bounded read channels (backpressure) | stream.rs |
+| Max connection limit (1000) | listener.rs |
+| File permissions 0o600 on private keys (Unix) | cert.rs, enrollment.rs |
+| Agent name validation (printable ASCII, max 255) | agent_enrollment.rs |