refactor(pr2): split cert.rs refactor and agent-tunnel tests into own PRs

Tests (testsuite/tests/agent_tunnel/{integration,registry,routing}.rs) and
the read_cert_chain rewrite are not part of the routing/upstream feature
itself — they ship as their own PRs so this one stays focused on the
feature code:

- Cert PEM parsing fix → #1771
- Agent-tunnel test suite → follow-up PR (stacked on this one)

After this trim, PR2's diff is purely:
- Routing: agent-tunnel/{routing,registry,listener}.rs
- Upstream refactor: devolutions-gateway/upstream.rs and the proxy paths
  (fwd, kdc_proxy, rdp, rdp_proxy, rd_clean_path, generic_client)
- Agent client: devolutions-agent/tunnel_helpers.rs (TargetAddr widening
  to handle IPv6 alongside IPv4)

Author: irvingoujAtDevolution

Cargo.lock

@@ -10,6 +10,8 @@ use serde::Serialize;
 use tokio::sync::RwLock as TokioRwLock;
 use uuid::Uuid;
 
+use crate::routing::RouteTarget;
+
 /// Duration after which an agent is considered offline if no heartbeat has been received.
 pub const AGENT_OFFLINE_TIMEOUT: Duration = Duration::from_secs(90);
 
@@ -33,31 +35,29 @@ pub struct RouteAdvertisementState {
 }
 
 impl RouteAdvertisementState {
-    /// Match this route set against a target host (IP or domain name).
+    /// Match this route set against a parsed target host.
     ///
     /// Returns a specificity score if matched, or `None` if no match.
     /// IP subnet matches return `usize::MAX` (always highest priority).
     /// Domain matches return the matched domain length (longer = more specific).
-    pub fn matches_target(&self, target_host: &str) -> Option<usize> {
+    pub fn matches_target(&self, target: &RouteTarget) -> Option<usize> {
         use std::net::IpAddr;
 
-        if let Ok(ip) = target_host.parse::<IpAddr>() {
+        match target {
             // Only IPv4 subnets are currently tracked; only match IPv4 target IPs.
-            if let IpAddr::V4(ipv4) = ip {
-                return self
-                    .subnets
-                    .iter()
-                    .any(|subnet| subnet.contains(ipv4))
-                    .then_some(usize::MAX);
-            }
-            return None;
+            RouteTarget::Ip(IpAddr::V4(ipv4)) => self
+                .subnets
+                .iter()
+                .any(|subnet| subnet.contains(*ipv4))
+                .then_some(usize::MAX),
+            RouteTarget::Ip(IpAddr::V6(_)) => None,
+            RouteTarget::Hostname(hostname) => self
+                .domains
+                .iter()
+                .filter(|adv| adv.domain.matches_hostname(hostname.as_str()))
+                .map(|adv| adv.domain.as_str().len())
+                .max(),
         }
-
-        self.domains
-            .iter()
-            .filter(|adv| adv.domain.matches_hostname(target_host))
-            .map(|adv| adv.domain.as_str().len())
-            .max()
     }
 }
 
@@ -281,13 +281,13 @@ impl AgentRegistry {
         self.agents.read().await.values().map(AgentInfo::from).collect()
     }
 
-    /// Find all online agents that can route to the given target host (IP or domain).
+    /// Find all online agents that can route to the given parsed target host.
     ///
     /// For IP targets: matches against advertised subnets.
     /// For domain targets: uses longest suffix match (more specific domain wins).
     ///
     /// Results with equal specificity are sorted by `received_at` descending (most recent first).
-    pub async fn find_agents_for(&self, target_host: &str) -> Vec<Arc<AgentPeer>> {
+    pub async fn find_agents_for(&self, target: &RouteTarget) -> Vec<Arc<AgentPeer>> {
         let mut best_specificity: usize = 0;
         let mut candidates: Vec<(SystemTime, Arc<AgentPeer>)> = Vec::new();
 
@@ -299,7 +299,7 @@ impl AgentRegistry {
 
             let route_state = agent.route_state();
 
-            if let Some(specificity) = route_state.matches_target(target_host) {
+            if let Some(specificity) = route_state.matches_target(target) {
                 if specificity > best_specificity {
                     best_specificity = specificity;
                     candidates.clear();

crates/agent-tunnel/src/registry.rs

@@ -3,15 +3,46 @@
 //! Used by both connection forwarding (`fwd.rs`) and KDC proxy (`kdc_proxy.rs`)
 //! to ensure consistent routing behavior and error messages.
 
+use std::net::IpAddr;
 use std::sync::Arc;
 
+use agent_tunnel_proto::DomainName;
 use anyhow::{Result, anyhow};
 use uuid::Uuid;
 
 use super::listener::AgentTunnelHandle;
 use super::registry::{AgentPeer, AgentRegistry};
 use super::stream::TunnelStream;
 
+/// A parsed target host used for route matching.
+///
+/// Routing cares only about the host identity, not the port or scheme used by
+/// the eventual connection attempt.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum RouteTarget {
+    Ip(IpAddr),
+    Hostname(DomainName),
+}
+
+impl RouteTarget {
+    pub fn ip(ip: IpAddr) -> Self {
+        Self::Ip(ip)
+    }
+
+    pub fn hostname(hostname: impl Into<String>) -> Self {
+        Self::Hostname(DomainName::new(hostname))
+    }
+}
+
+impl std::fmt::Display for RouteTarget {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Ip(ip) => ip.fmt(f),
+            Self::Hostname(hostname) => hostname.fmt(f),
+        }
+    }
+}
+
 /// Result of the routing pipeline.
 ///
 /// Each variant carries enough context for the caller to produce an actionable error message.
@@ -34,7 +65,7 @@ pub enum RoutingDecision {
 pub async fn resolve_route(
     registry: &AgentRegistry,
     explicit_agent_id: Option<Uuid>,
-    target_host: &str,
+    target: &RouteTarget,
 ) -> RoutingDecision {
     // Step 1: Explicit agent ID (from JWT)
     if let Some(id) = explicit_agent_id {
@@ -45,7 +76,7 @@ pub async fn resolve_route(
     }
 
     // Step 2: Match target against all agents (IP subnet or domain suffix)
-    let agents = registry.find_agents_for(target_host).await;
+    let agents = registry.find_agents_for(target).await;
 
     if agents.is_empty() {
         RoutingDecision::Direct
@@ -62,7 +93,7 @@ pub async fn resolve_route(
 pub async fn try_route(
     handle: Option<&AgentTunnelHandle>,
     explicit_agent_id: Option<Uuid>,
-    target_host: &str,
+    target: &RouteTarget,
     session_id: Uuid,
     target_addr: &str,
 ) -> Result<Option<(TunnelStream, Arc<AgentPeer>)>> {
@@ -78,7 +109,7 @@ pub async fn try_route(
         };
     };
 
-    match resolve_route(handle.registry(), explicit_agent_id, target_host).await {
+    match resolve_route(handle.registry(), explicit_agent_id, target).await {
         RoutingDecision::ExplicitAgentNotFound(id) => {
             Err(anyhow!("agent {id} specified in token not found in registry"))
         }

crates/agent-tunnel/src/routing.rs

@@ -201,10 +201,15 @@ pub async fn send_krb_message(
         None
     };
 
+    let route_target = match kdc_addr.host_ip() {
+        Some(ip) => agent_tunnel::routing::RouteTarget::ip(ip),
+        None => agent_tunnel::routing::RouteTarget::hostname(kdc_addr.host()),
+    };
+
     if let Some((mut stream, _agent)) = agent_tunnel::routing::try_route(
         agent_tunnel_handle,
         None,
-        kdc_addr.host(),
+        &route_target,
         uuid::Uuid::new_v4(),
         kdc_target,
     )

devolutions-gateway/src/api/kdc_proxy.rs

@@ -20,7 +20,7 @@ use std::task::{Context, Poll};
 
 use agent_tunnel::AgentTunnelHandle;
 use agent_tunnel::registry::AgentPeer;
-use agent_tunnel::routing::{RoutingDecision, resolve_route};
+use agent_tunnel::routing::{RouteTarget, RoutingDecision, resolve_route};
 use agent_tunnel::stream::TunnelStream;
 use anyhow::{Context as _, Result, anyhow};
 use nonempty::NonEmpty;
@@ -197,10 +197,10 @@ impl<'a> RoutePlan<'a> {
             return Ok(Self::Direct(target));
         };
 
-        let target_host = target.host();
-        let decision = resolve_route(handle.registry(), None, target_host).await;
+        let route_target = route_target_from_target_addr(target);
+        let decision = resolve_route(handle.registry(), None, &route_target).await;
         debug!(
-            target_host,
+            target = %route_target,
             decision = ?match &decision {
                 RoutingDecision::ViaAgent(c) => format!("ViaAgent({} candidates)", c.len()),
                 RoutingDecision::Direct => "Direct".to_owned(),
@@ -298,6 +298,13 @@ impl<'a> RoutePlan<'a> {
     }
 }
 
+fn route_target_from_target_addr(target: &TargetAddr) -> RouteTarget {
+    match target.host_ip() {
+        Some(ip) => RouteTarget::ip(ip),
+        None => RouteTarget::hostname(target.host()),
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Public entry points
 // ---------------------------------------------------------------------------

devolutions-gateway/src/upstream.rs

@@ -31,27 +31,16 @@ typed-builder = "0.21"
 tokio-tungstenite = { version = "0.26", features = ["rustls-tls-native-roots"] }
 
 [dev-dependencies]
-agent-tunnel = { path = "../crates/agent-tunnel" }
-agent-tunnel-proto = { path = "../crates/agent-tunnel-proto", features = ["serde"] }
-devolutions-gateway-task = { path = "../crates/devolutions-gateway-task" }
 base64 = "0.22"
-camino = "1"
-ipnetwork = "0.20"
+proxy-socks = { path = "../crates/proxy-socks" }
 libsql = { version = "0.9", default-features = false, features = ["core"] }
 mcp-proxy.path = "../crates/mcp-proxy"
-proxy-socks = { path = "../crates/proxy-socks" }
-quinn = "0.11"
-rcgen = { version = "0.13", features = ["pem", "x509-parser"] }
 rstest = "0.25"
-rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
-rustls-pemfile = "2"
-rustls-pki-types = "1"
 serde_json = "1"
 sysevent.path = "../crates/sysevent"
 tempfile = "3"
 test-utils.path = "../crates/test-utils"
 tokio-rustls = { version = "0.26", features = ["ring"] }
-uuid = { version = "1", features = ["v4"] }
 
 [target.'cfg(unix)'.dev-dependencies]
 sysevent-syslog.path = "../crates/sysevent-syslog"