fix(agent): improve enrollment token validation (#1806)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: irvingoujAtDevolution

crates/devolutions-gateway-generators/src/lib.rs

@@ -25,6 +25,7 @@ pub fn token_content_type() -> impl Strategy<Value = token::ContentType> {
         Just(token::ContentType::Jmux),
         Just(token::ContentType::Kdc),
         Just(token::ContentType::Jrl),
+        Just(token::ContentType::Enrollment),
     ]
     .no_shrink()
 }
@@ -319,6 +320,31 @@ pub fn any_kdc_claims(now: i64, validity_duration: i64) -> impl Strategy<Value =
         })
 }
 
+#[derive(Debug, Clone, Serialize)]
+pub struct EnrollmentClaims {
+    pub jet_gw_url: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub jet_agent_name: Option<String>,
+    pub nbf: i64,
+    pub exp: i64,
+    pub jti: Uuid,
+}
+
+pub fn any_enrollment_claims(now: i64, validity_duration: i64) -> impl Strategy<Value = EnrollmentClaims> {
+    (
+        "https://[a-z]{1,10}\\.[a-z]{1,5}(:[0-9]{3,4})?",
+        option::of("[a-zA-Z0-9_-]{1,25}"),
+        uuid_typed(),
+    )
+        .prop_map(move |(jet_gw_url, jet_agent_name, jti)| EnrollmentClaims {
+            jet_gw_url,
+            jet_agent_name,
+            jti,
+            nbf: now,
+            exp: now + validity_duration,
+        })
+}
+
 #[derive(Debug, Serialize, Clone)]
 #[serde(untagged)]
 pub enum TokenClaims {
@@ -327,6 +353,7 @@ pub enum TokenClaims {
     Bridge(BridgeClaims),
     Jmux(JmuxClaims),
     Kdc(KdcClaims),
+    Enrollment(EnrollmentClaims),
 }
 
 impl TokenClaims {
@@ -337,6 +364,7 @@ impl TokenClaims {
             TokenClaims::Bridge(_) => "BRIDGE",
             TokenClaims::Jmux(_) => "JMUX",
             TokenClaims::Kdc(_) => "KDC",
+            TokenClaims::Enrollment(_) => "ENROLLMENT",
         }
     }
 
@@ -355,6 +383,7 @@ pub fn any_claims_with_validity_duration(now: i64, validity_duration: i64) -> im
         any_kdc_claims(now, validity_duration).prop_map(TokenClaims::Kdc),
         any_jmux_claims(now, validity_duration).prop_map(TokenClaims::Jmux),
         any_association_claims(now, validity_duration).prop_map(TokenClaims::Association),
+        any_enrollment_claims(now, validity_duration).prop_map(TokenClaims::Enrollment),
     ]
 }
 

devolutions-agent/src/enrollment.rs

@@ -17,7 +17,7 @@ use crate::config;
 /// the JWT (the operator). The Gateway verifies the signature when the JWT is
 /// presented as the Bearer token on `/jet/tunnel/enroll`.
 ///
-/// Additional standard claims (`exp`, `jti`, `scope`, ...) are ignored here.
+/// Additional standard claims (`exp`, `jti`, ...) are ignored here.
 #[derive(Debug, serde::Deserialize)]
 pub struct EnrollmentJwtClaims {
     /// Gateway URL to connect to for enrollment.
@@ -371,7 +371,7 @@ mod tests {
     /// Build a JWT with arbitrary header/signature placeholders. The parser never
     /// verifies the signature, so the content of those two segments is irrelevant.
     fn make_jwt(payload: serde_json::Value) -> String {
-        let header = serde_json::json!({ "alg": "RS256", "typ": "JWT" });
+        let header = serde_json::json!({ "alg": "RS256", "typ": "JWT", "cty": "ENROLLMENT" });
         let b64 = base64::engine::general_purpose::URL_SAFE_NO_PAD;
         format!(
             "{}.{}.{}",
@@ -391,7 +391,6 @@ mod tests {
     #[test]
     fn parse_enrollment_jwt_requires_gw_url() {
         let jwt = make_jwt(serde_json::json!({
-            "scope": "gateway.tunnel.enroll",
             "jet_agent_name": "agent-a",
         }));
         assert!(parse_enrollment_jwt(&jwt).is_err());

devolutions-agent/src/main.rs

@@ -366,7 +366,7 @@ mod tests {
     /// Build a JWT with the given payload. The header and signature are placeholders —
     /// the agent does not verify them; only the Gateway does.
     fn make_jwt(payload: serde_json::Value) -> String {
-        let header = serde_json::json!({ "alg": "RS256", "typ": "JWT" });
+        let header = serde_json::json!({ "alg": "RS256", "typ": "JWT", "cty": "ENROLLMENT" });
         let b64 = base64::engine::general_purpose::URL_SAFE_NO_PAD;
         format!(
             "{}.{}.{}",
@@ -379,7 +379,6 @@ mod tests {
     #[test]
     fn parse_up_command_args_accepts_enrollment_string() {
         let jwt = make_jwt(serde_json::json!({
-            "scope": "gateway.tunnel.enroll",
             "exp": 1_999_999_999i64,
             "jti": "00000000-0000-0000-0000-000000000000",
             "jet_gw_url": "https://gateway.example.com:7171",

devolutions-gateway/openapi/gateway-api.yaml

@@ -1153,7 +1153,7 @@ components:
       - gateway.traffic.ack
       - gateway.net.monitor.config
       - gateway.net.monitor.drain
-      - gateway.agent.enroll
+      - gateway.agent.delete
       - gateway.agent.read
     AckRequest:
       type: object