fix(agent-tunnel): address Copilot review on PR #1773

irvingoujAtDevolution · irvingoujAtDevolution · commit ae56597ba14c · 2026-05-19T15:05:02.000-04:00
- EnrollmentClaims: override GetDefaultLifetime() to 3600s (was 300s).
  The operator copy/paste flow easily exceeds 5 minutes; the old
  EnrollmentTokenStore had a 1h default for the same reason.

- api/tunnel.rs: return 403 instead of 404 when JWT validation fails
  and no static enrollment_secret is configured. The user's token is
  unauthenticated, not a server-config issue. 404 stays for the case
  where the agent tunnel feature is fully disabled.

- extract.rs: sync top-level rustdoc on AgentManagementReadAccess to
  list AgentRead alongside the existing back-compat scopes.
diff --git a/devolutions-gateway/src/api/tunnel.rs b/devolutions-gateway/src/api/tunnel.rs
@@ -145,11 +145,16 @@ async fn enroll_agent(
     let jwt_valid = validate_enrollment_jwt(provided_token, &conf.provisioner_public_key);
 
     if !jwt_valid {
+        // The JWT failed to validate against the provisioner key. The static
+        // `enrollment_secret` is only a fallback for environments without DVLS;
+        // when it is not configured, the request is simply unauthenticated, not
+        // a server-config issue — so 403, not 404 (404 is reserved for the agent
+        // tunnel feature itself being disabled).
         let enrollment_secret = conf
             .agent_tunnel
             .enrollment_secret
             .as_deref()
-            .ok_or_else(|| HttpError::not_found().msg("agent enrollment is not configured"))?;
+            .ok_or_else(|| HttpError::forbidden().msg("invalid enrollment token"))?;
 
         if !timing_safe_eq(provided_token.as_bytes(), enrollment_secret.as_bytes()) {
             return Err(HttpError::forbidden().msg("invalid enrollment token"));
diff --git a/devolutions-gateway/src/extract.rs b/devolutions-gateway/src/extract.rs
@@ -408,7 +408,9 @@ where
 
 /// Grants read access to agent management endpoints.
 ///
-/// Accepts a scope token with `DiagnosticsRead`, `ConfigWrite`, or `Wildcard` scope.
+/// Accepts a scope token with `AgentRead`, `DiagnosticsRead`, `ConfigWrite`, or
+/// `Wildcard` scope. `DiagnosticsRead` / `ConfigWrite` are kept for
+/// back-compat with callers that predate the dedicated `AgentRead` scope.
 #[derive(Clone, Copy)]
 pub struct AgentManagementReadAccess;
 
diff --git a/utils/dotnet/Devolutions.Gateway.Utils/src/EnrollmentClaims.cs b/utils/dotnet/Devolutions.Gateway.Utils/src/EnrollmentClaims.cs
@@ -55,4 +55,15 @@ public string GetContentType()
     {
         return "ENROLLMENT";
     }
+
+    /// <summary>
+    /// One hour. The operator typically generates the enrollment string in
+    /// the admin UI, copies it, walks to the target machine, installs the
+    /// agent, and pastes it — the 5-minute interface default is too short
+    /// for that flow. Callers can still override via <c>TokenUtils.Sign</c>.
+    /// </summary>
+    public long? GetDefaultLifetime()
+    {
+        return 3600;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -55,4 +55,15 @@ public string GetContentType()`
`55`	`55`	`{`
`56`	`56`	`return "ENROLLMENT";`
`57`	`57`	`}`
	`58`	`+`
	`59`	`+ /// <summary>`
	`60`	`+ /// One hour. The operator typically generates the enrollment string in`
	`61`	`+ /// the admin UI, copies it, walks to the target machine, installs the`
	`62`	`+ /// agent, and pastes it — the 5-minute interface default is too short`
	`63`	`+ /// for that flow. Callers can still override via <c>TokenUtils.Sign</c>.`
	`64`	`+ /// </summary>`
	`65`	`+ public long? GetDefaultLifetime()`
	`66`	`+ {`
	`67`	`+ return 3600;`
	`68`	`+ }`
`58`	`69`	`}`