Devolutions
diff --git a/‎crates/devolutions-gateway-generators/src/lib.rs‎
Lines changed: 2 additions & 3 deletions b/‎crates/devolutions-gateway-generators/src/lib.rs‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎devolutions-agent/src/enrollment.rs‎
Lines changed: 24 additions & 20 deletions b/‎devolutions-agent/src/enrollment.rs‎
Lines changed: 24 additions & 20 deletions
diff --git a/‎devolutions-agent/src/main.rs‎
Lines changed: 60 additions & 58 deletions b/‎devolutions-agent/src/main.rs‎
Lines changed: 60 additions & 58 deletions
diff --git a/‎devolutions-gateway/src/api/tunnel.rs‎
Lines changed: 4 additions & 5 deletions b/‎devolutions-gateway/src/api/tunnel.rs‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎devolutions-gateway/src/token.rs‎
Lines changed: 6 additions & 9 deletions b/‎devolutions-gateway/src/token.rs‎
Lines changed: 6 additions & 9 deletions
@@ -323,8 +323,7 @@ pub fn any_kdc_claims(now: i64, validity_duration: i64) -> impl Strategy<Value =
 #[derive(Debug, Clone, Serialize)]
 pub struct EnrollmentClaims {
     pub jet_gw_url: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub jet_agent_name: Option<String>,
+    pub jet_agent_name: String,
     pub nbf: i64,
     pub exp: i64,
     pub jti: Uuid,
@@ -333,7 +332,7 @@ pub struct EnrollmentClaims {
 pub fn any_enrollment_claims(now: i64, validity_duration: i64) -> impl Strategy<Value = EnrollmentClaims> {
     (
         "https://[a-z]{1,10}\\.[a-z]{1,5}(:[0-9]{3,4})?",
-        option::of("[a-zA-Z0-9_-]{1,25}"),
+        "[a-zA-Z0-9_-]{1,25}",
         uuid_typed(),
     )
         .prop_map(move |(jet_gw_url, jet_agent_name, jti)| EnrollmentClaims {
 
@@ -22,9 +22,8 @@ use crate::config;
 pub struct EnrollmentJwtClaims {
     /// Gateway URL to connect to for enrollment.
     pub jet_gw_url: String,
-    /// Suggested agent display name (optional hint).
-    #[serde(default)]
-    pub jet_agent_name: Option<String>,
+    /// Agent friendly name.
+    pub jet_agent_name: String,
 }
 
 /// Decode an enrollment JWT to extract agent-side configuration claims.
@@ -61,8 +60,6 @@ pub fn parse_enrollment_jwt(jwt: &str) -> Result<EnrollmentJwtClaims> {
 struct EnrollRequest {
     /// Agent-generated UUID (the agent owns its identity)
     agent_id: Uuid,
-    /// Friendly name for the agent
-    agent_name: String,
     /// PEM-encoded Certificate Signing Request
     csr_pem: String,
     /// Optional hostname of the agent machine (added as DNS SAN in the issued certificate)
@@ -94,19 +91,24 @@ pub struct PersistedEnrollment {
 ///
 /// # Arguments
 /// * `gateway_url` - Base Gateway URL (e.g., "https://gateway.example.com:7171")
-/// * `enrollment_token` - JWT token for enrollment
-/// * `agent_name` - Friendly name for this agent
+/// * `enrollment_token` - JWT token for enrollment. The signed `jet_gw_url`
+///   claim is also used by `up --enrollment-string` when no explicit gateway
+///   URL is provided. The signed `jet_agent_name` claim is the enrollment name.
 /// * `advertise_subnets` - List of subnets to advertise (e.g., ["10.0.0.0/8"])
 pub async fn enroll_agent(
     gateway_url: &str,
     enrollment_token: &str,
-    agent_name: &str,
     advertise_subnets: Vec<String>,
 ) -> Result<PersistedEnrollment> {
+    let EnrollmentJwtClaims {
+        jet_agent_name: agent_name,
+        ..
+    } = parse_enrollment_jwt(enrollment_token)?;
+
     // Generate key pair and CSR locally — the private key never leaves this machine.
-    let (key_pem, csr_pem) = generate_key_and_csr(agent_name)?;
+    let (key_pem, csr_pem) = generate_key_and_csr(&agent_name)?;
 
-    let enroll_response = request_enrollment(gateway_url, enrollment_token, agent_name, &csr_pem).await?;
+    let enroll_response = request_enrollment(gateway_url, enrollment_token, &csr_pem).await?;
     persist_enrollment_response(agent_name, advertise_subnets, enroll_response, &key_pem)
 }
 
@@ -127,12 +129,7 @@ fn generate_key_and_csr(agent_name: &str) -> Result<(String, String)> {
     Ok((key_pem, csr_pem))
 }
 
-async fn request_enrollment(
-    gateway_url: &str,
-    enrollment_token: &str,
-    agent_name: &str,
-    csr_pem: &str,
-) -> Result<EnrollResponse> {
+async fn request_enrollment(gateway_url: &str, enrollment_token: &str, csr_pem: &str) -> Result<EnrollResponse> {
     let client = reqwest::Client::new();
     let enroll_url = format!("{}/jet/tunnel/enroll", gateway_url.trim_end_matches('/'));
 
@@ -141,7 +138,6 @@ async fn request_enrollment(
         .bearer_auth(enrollment_token)
         .json(&EnrollRequest {
             agent_id: Uuid::new_v4(),
-            agent_name: agent_name.to_owned(),
             csr_pem: csr_pem.to_owned(),
             agent_hostname: hostname::get()
                 .ok()
@@ -162,7 +158,7 @@ async fn request_enrollment(
 }
 
 fn persist_enrollment_response(
-    agent_name: &str,
+    agent_name: String,
     advertise_subnets: Vec<String>,
     EnrollResponse {
         agent_id,
@@ -284,7 +280,7 @@ fn persist_enrollment_response(
 
     Ok(PersistedEnrollment {
         agent_id,
-        agent_name: agent_name.to_owned(),
+        agent_name,
         client_cert_path,
         client_key_path,
         gateway_ca_path,
@@ -325,7 +321,7 @@ pub fn is_cert_expiring(cert_path: &Utf8Path, threshold_days: u32) -> Result<boo
 
 /// Extract the `CommonName` from an existing PEM certificate. The renewal CSR
 /// must reuse the agent's name across renewals — the gateway looks the agent
-/// up in its registry by that name, and the most authoritative source for it
+/// up in its registry by that name, and the source for it
 /// is the cert the gateway itself signed last time.
 pub fn read_agent_name_from_cert(cert_path: &Utf8Path) -> Result<String> {
     use std::io::BufReader;
@@ -395,4 +391,12 @@ mod tests {
         }));
         assert!(parse_enrollment_jwt(&jwt).is_err());
     }
+
+    #[test]
+    fn parse_enrollment_jwt_requires_agent_name() {
+        let jwt = make_jwt(serde_json::json!({
+            "jet_gw_url": "https://gw.example.com",
+        }));
+        assert!(parse_enrollment_jwt(&jwt).is_err());
+    }
 }
@@ -55,7 +55,6 @@ const START_FAILED_ERR_CODE: u32 = 2;
 struct UpCommand {
     gateway_url: String,
     enrollment_token: String,
-    agent_name: String,
     advertise_subnets: Vec<String>,
 }
 
@@ -149,8 +148,6 @@ fn parse_up_command_args(args: &[String]) -> Result<UpCommand> {
 
 fn parse_up_command_args_with_reader<R: BufRead>(args: &[String], mut stdin_reader: R) -> Result<UpCommand> {
     let mut gateway_url = None;
-    let mut enrollment_token = None;
-    let mut agent_name = None;
     let mut enrollment_string = None;
     let mut advertise_subnets = Vec::new();
 
@@ -160,8 +157,6 @@ fn parse_up_command_args_with_reader<R: BufRead>(args: &[String], mut stdin_read
 
         match arg {
             "--gateway" => gateway_url = Some(parse_required_value(args, &mut index, "--gateway")?),
-            "--token" | "--enrollment-token" => enrollment_token = Some(parse_required_value(args, &mut index, arg)?),
-            "--name" | "--agent-name" => agent_name = Some(parse_required_value(args, &mut index, arg)?),
             "--enrollment-string" => enrollment_string = Some(parse_required_value(args, &mut index, arg)?),
             "--advertise-routes" | "--advertise-subnets" => {
                 advertise_subnets.extend(parse_advertise_subnets(&parse_required_value(args, &mut index, arg)?))
@@ -172,37 +167,29 @@ fn parse_up_command_args_with_reader<R: BufRead>(args: &[String], mut stdin_read
         index += 1;
     }
 
-    if let Some(enrollment_string) = enrollment_string {
-        // A single hyphen means "read the enrollment string from stdin".
-        let enrollment_string = if enrollment_string == "-" {
-            let mut line = String::new();
-            stdin_reader
-                .read_line(&mut line)
-                .context("failed to read enrollment string from stdin")?;
-            let trimmed = line.trim().to_owned();
-            if trimmed.is_empty() {
-                bail!("enrollment string read from stdin is empty");
-            }
-            trimmed
-        } else {
-            enrollment_string
-        };
-
-        let claims = parse_enrollment_jwt(&enrollment_string)?;
-
-        // The JWT itself is the Bearer token; the Gateway verifies the signature.
-        gateway_url.get_or_insert(claims.jet_gw_url);
-        enrollment_token.get_or_insert(enrollment_string);
-
-        if agent_name.is_none() {
-            agent_name = claims.jet_agent_name;
+    let enrollment_string = enrollment_string.context("missing required --enrollment-string")?;
+
+    // A single hyphen means "read the enrollment string from stdin".
+    let enrollment_token = if enrollment_string == "-" {
+        let mut line = String::new();
+        stdin_reader
+            .read_line(&mut line)
+            .context("failed to read enrollment string from stdin")?;
+        let trimmed = line.trim().to_owned();
+        if trimmed.is_empty() {
+            bail!("enrollment string read from stdin is empty");
         }
-    }
+        trimmed
+    } else {
+        enrollment_string
+    };
+
+    let claims = parse_enrollment_jwt(&enrollment_token)?;
+    gateway_url.get_or_insert(claims.jet_gw_url);
 
     Ok(UpCommand {
         gateway_url: gateway_url.context("missing required --gateway")?,
-        enrollment_token: enrollment_token.context("missing required --token")?,
-        agent_name: agent_name.context("missing required --name")?,
+        enrollment_token,
         advertise_subnets,
     })
 }
@@ -253,9 +240,8 @@ fn main() {
                 let gateway_url = env::args()
                     .nth(2)
                     .expect("missing gateway URL (e.g., https://gateway.example.com:7171)");
-                let enrollment_token = env::args().nth(3).expect("missing enrollment token");
-                let agent_name = env::args().nth(4).expect("missing agent name");
-                let subnets_arg = env::args().nth(5).unwrap_or_default();
+                let enrollment_token = env::args().nth(3).expect("missing enrollment string");
+                let subnets_arg = env::args().nth(4).unwrap_or_default();
 
                 let advertise_subnets: Vec<String> = if subnets_arg.is_empty() {
                     Vec::new()
@@ -265,13 +251,9 @@ fn main() {
 
                 let rt = tokio::runtime::Runtime::new().expect("failed to create tokio runtime");
                 rt.block_on(async {
-                    if let Err(e) = devolutions_agent::enrollment::enroll_agent(
-                        &gateway_url,
-                        &enrollment_token,
-                        &agent_name,
-                        advertise_subnets,
-                    )
-                    .await
+                    if let Err(e) =
+                        devolutions_agent::enrollment::enroll_agent(&gateway_url, &enrollment_token, advertise_subnets)
+                            .await
                     {
                         eprintln!("[ERROR] Enrollment failed: {e:#}");
                         std::process::exit(1);
@@ -293,7 +275,6 @@ fn main() {
                     devolutions_agent::enrollment::enroll_agent(
                         &command.gateway_url,
                         &command.enrollment_token,
-                        &command.agent_name,
                         command.advertise_subnets,
                     )
                     .await
@@ -320,14 +301,16 @@ mod tests {
     use super::*;
 
     #[test]
-    fn parse_up_command_args_uses_default_config_path() {
+    fn parse_up_command_args_accepts_advertise_routes() {
+        let jwt = make_jwt(serde_json::json!({
+            "exp": 1_999_999_999i64,
+            "jti": "00000000-0000-0000-0000-000000000000",
+            "jet_gw_url": "https://gateway.example.com:7171",
+            "jet_agent_name": "site-a-agent",
+        }));
         let args = vec![
-            "--gateway".to_owned(),
-            "https://gateway.example.com:7171".to_owned(),
-            "--token".to_owned(),
-            "bootstrap-token".to_owned(),
-            "--name".to_owned(),
-            "site-a-agent".to_owned(),
+            "--enrollment-string".to_owned(),
+            jwt.clone(),
             "--advertise-routes".to_owned(),
             "10.0.0.0/8,192.168.1.0/24".to_owned(),
         ];
@@ -338,22 +321,25 @@ mod tests {
             parsed,
             UpCommand {
                 gateway_url: "https://gateway.example.com:7171".to_owned(),
-                enrollment_token: "bootstrap-token".to_owned(),
-                agent_name: "site-a-agent".to_owned(),
+                enrollment_token: jwt,
                 advertise_subnets: vec!["10.0.0.0/8".to_owned(), "192.168.1.0/24".to_owned()],
             }
         );
     }
 
     #[test]
-    fn parse_up_command_args_accepts_aliases() {
+    fn parse_up_command_args_accepts_advertise_subnets_alias() {
+        let jwt = make_jwt(serde_json::json!({
+            "exp": 1_999_999_999i64,
+            "jti": "00000000-0000-0000-0000-000000000000",
+            "jet_gw_url": "https://gateway.example.com:7171",
+            "jet_agent_name": "site-a-agent",
+        }));
         let args = vec![
             "--gateway".to_owned(),
             "https://gateway.example.com:7171".to_owned(),
-            "--enrollment-token".to_owned(),
-            "bootstrap-token".to_owned(),
-            "--agent-name".to_owned(),
-            "site-a-agent".to_owned(),
+            "--enrollment-string".to_owned(),
+            jwt,
             "--advertise-subnets".to_owned(),
             "10.0.0.0/8".to_owned(),
         ];
@@ -391,6 +377,22 @@ mod tests {
         assert_eq!(parsed.gateway_url, "https://gateway.example.com:7171");
         // The JWT itself is used as the Bearer token for /jet/tunnel/enroll.
         assert_eq!(parsed.enrollment_token, jwt);
-        assert_eq!(parsed.agent_name, "site-a-agent");
+    }
+
+    #[test]
+    fn parse_up_command_args_rejects_split_inputs() {
+        for flag in ["--name", "--agent-name", "--token", "--enrollment-token"] {
+            let args = vec![flag.to_owned(), "site-a-agent".to_owned()];
+            let error = parse_up_command_args(&args).expect_err("argument should be rejected");
+
+            assert!(error.to_string().contains("unknown argument"));
+        }
+    }
+
+    #[test]
+    fn parse_up_command_args_requires_enrollment_string() {
+        let args = Vec::new();
+
+        assert!(parse_up_command_args(&args).is_err());
     }
 }
@@ -11,8 +11,6 @@ use crate::http::HttpError;
 pub struct EnrollRequest {
     /// Agent-generated UUID (the agent owns its identity).
     pub agent_id: Uuid,
-    /// Friendly name for the agent.
-    pub agent_name: String,
     /// PEM-encoded Certificate Signing Request from the agent.
     pub csr_pem: String,
     /// Optional hostname of the agent machine (added as DNS SAN in the issued certificate).
@@ -46,24 +44,25 @@ pub fn make_router<S>(state: DgwState) -> Router<S> {
 /// Enroll a new agent.
 ///
 /// Requires a Bearer token: an `ENROLLMENT` JWT signed by the configured provisioner key
-/// (e.g. DVLS, Hub, or any PEM service).
+/// (e.g. DVLS, Hub, PAM service, or any other compatible provisioner).
 ///
 /// The agent generates its own key pair and sends a CSR. The gateway signs it
 /// and returns the certificate. The private key never leaves the agent.
 async fn enroll_agent(
-    _: crate::extract::EnrollmentToken,
+    crate::extract::EnrollmentToken(token_claims): crate::extract::EnrollmentToken,
     State(DgwState {
         conf_handle,
         agent_tunnel_handle,
         ..
     }): State<DgwState>,
     Json(EnrollRequest {
         agent_id,
-        agent_name,
         csr_pem,
         agent_hostname,
     }): Json<EnrollRequest>,
 ) -> Result<Json<EnrollResponse>, HttpError> {
+    let agent_name = token_claims.jet_agent_name;
+
     // Validate agent name: 1-255 printable ASCII characters.
     if agent_name.is_empty() || 255 < agent_name.len() || agent_name.bytes().any(|b| !(0x20..=0x7E).contains(&b)) {
         return Err(HttpError::bad_request().msg("agent name must be 1-255 printable ASCII characters"));
 
@@ -499,12 +499,10 @@ pub struct ScopeTokenClaims {
 
 /// Claims carried by an agent-tunnel enrollment JWT.
 ///
-/// The JWT itself is copy-pasted by the operator into the agent's
-/// `--enrollment-string` argument. Agent reads `jet_gw_url` and
-/// `jet_agent_name` locally (without verifying the signature, since it is
-/// the intended recipient), then sends the JWT as the Bearer token to
-/// `/jet/tunnel/enroll`, where the Gateway verifies the signature, content
-/// type, and expiry against the configured provisioner key.
+/// The agent reads `jet_gw_url` and `jet_agent_name` locally, then sends
+/// the JWT as the Bearer token to `/jet/tunnel/enroll`, where the Gateway
+/// verifies the signature, content type, expiry, and agent name against
+/// the configured provisioner key.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct EnrollmentTokenClaims {
     /// JWT expiration time claim.
@@ -516,9 +514,8 @@ pub struct EnrollmentTokenClaims {
     /// Gateway URL the agent should connect to for enrollment.
     pub jet_gw_url: String,
 
-    /// Suggested agent display name (optional hint).
-    #[serde(default)]
-    pub jet_agent_name: Option<String>,
+    /// Agent friendly name.
+    pub jet_agent_name: String,
 }
 
 // ----- bridge claims ----- //