refactor: clarify agent delete access scope (#1807)

irvingoujAtDevolution · web-flow · commit 0bd32c2c62f7 · 2026-06-02T14:21:42.000+09:00
diff --git a/devolutions-gateway/src/api/tunnel.rs b/devolutions-gateway/src/api/tunnel.rs
@@ -4,7 +4,7 @@ use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use crate::DgwState;
-use crate::extract::{AgentManagementReadAccess, AgentManagementWriteAccess};
+use crate::extract::{AgentManagementDeleteAccess, AgentManagementReadAccess};
 use crate::http::HttpError;
 
 #[derive(Deserialize)]
@@ -148,7 +148,7 @@ async fn get_agent(
 
 /// Delete (unregister) an agent by ID.
 async fn delete_agent(
-    _access: AgentManagementWriteAccess,
+    _access: AgentManagementDeleteAccess,
     State(DgwState {
         agent_tunnel_handle, ..
     }): State<DgwState>,
diff --git a/devolutions-gateway/src/extract.rs b/devolutions-gateway/src/extract.rs
@@ -478,13 +478,13 @@ where
     }
 }
 
-/// Grants write access to agent management endpoints.
+/// Grants delete access to agent management endpoints.
 ///
 /// Accepts scope tokens with `AgentDelete` or `Wildcard` scope.
 #[derive(Clone, Copy)]
-pub struct AgentManagementWriteAccess;
+pub struct AgentManagementDeleteAccess;
 
-impl<S> FromRequestParts<S> for AgentManagementWriteAccess
+impl<S> FromRequestParts<S> for AgentManagementDeleteAccess
 where
     S: Send + Sync,
 {
@@ -500,9 +500,9 @@ where
             AccessTokenClaims::Scope(scope) => match scope.scope {
                 AccessScope::Wildcard | AccessScope::AgentDelete => Ok(Self),
                 _ => Err(HttpError::forbidden()
-                    .msg("invalid scope for agent management write (require one of: gateway.agent.delete, *)")),
+                    .msg("invalid scope for agent management delete (require one of: gateway.agent.delete, *)")),
             },
-            _ => Err(HttpError::forbidden().msg("scope token required for agent management write")),
+            _ => Err(HttpError::forbidden().msg("scope token required for agent management delete")),
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -478,13 +478,13 @@ where`
`478`	`478`	`}`
`479`	`479`	`}`
`480`	`480`
`481`		`-/// Grants write access to agent management endpoints.`
	`481`	`+/// Grants delete access to agent management endpoints.`
`482`	`482`	`///`
`483`	`483`	/// Accepts scope tokens with `AgentDelete` or `Wildcard` scope.
`484`	`484`	`#[derive(Clone, Copy)]`
`485`		`-pub struct AgentManagementWriteAccess;`
	`485`	`+pub struct AgentManagementDeleteAccess;`
`486`	`486`
`487`		`-impl<S> FromRequestParts<S> for AgentManagementWriteAccess`
	`487`	`+impl<S> FromRequestParts<S> for AgentManagementDeleteAccess`
`488`	`488`	`where`
`489`	`489`	`S: Send + Sync,`
`490`	`490`	`{`
`@@ -500,9 +500,9 @@ where`
`500`	`500`	`AccessTokenClaims::Scope(scope) => match scope.scope {`
`501`	`501`	`AccessScope::Wildcard \| AccessScope::AgentDelete => Ok(Self),`
`502`	`502`	`_ => Err(HttpError::forbidden()`
`503`		`- .msg("invalid scope for agent management write (require one of: gateway.agent.delete, *)")),`
	`503`	`+ .msg("invalid scope for agent management delete (require one of: gateway.agent.delete, *)")),`
`504`	`504`	`},`
`505`		`- _ => Err(HttpError::forbidden().msg("scope token required for agent management write")),`
	`505`	`+ _ => Err(HttpError::forbidden().msg("scope token required for agent management delete")),`
`506`	`506`	`}`
`507`	`507`	`}`
`508`	`508`	`}`