refactor(pr2): trim cert renewal and JWT enrollment refactor

PR #1741 was reviewed as too large. Reduce its scope to A+B (refactor +
transparent routing) by backing out the cert-renewal additions (C) and
the JWT-based enrollment pivot (D). Both will be opened as their own
PRs against master.

Cert renewal (C) removed:

- Agent-side: drop the pre-loop expiry check, periodic cert_expiry_tick
  in the main select! loop, ConnectionOutcome enum, and the
  `is_cert_expiring` / `read_agent_name_from_cert` /
  `generate_csr_from_existing_key` helpers from enrollment.rs.
- Gateway-side: drop the agent's ability to drive renewal; the
  CertRenewal proto messages stay (they exist on master from #1738) and
  the listener keeps the stub debug-and-drop arm. AGENT_CERT_VALIDITY_DAYS
  reverts to 365.

JWT enrollment refactor (D) removed:

- Gateway: revert token.rs (TunnelEnroll only, no AgentEnroll/AgentRead),
  extract.rs (no AgentManagement scope unions), and api/tunnel.rs to
  master (EnrollmentTokenStore-backed enroll handler with
  quic_endpoint in the response).
- Agent-tunnel crate: restore enrollment_store module + handle getter +
  registration in bind().
- Agent CLI: revert main.rs and cli_tests.rs to before --advertise-domains
  (config-side advertise_domains support stays, only the CLI flag goes).
  Test JWTs go back to gateway.tunnel.enroll scope.
- NuGet: delete EnrollmentClaims.cs, drop GatewayAgentEnroll/Read from
  AccessScope.cs, revert csproj version, drop the new
  JsonSerializationTests cases.

Author: irvingoujAtDevolution

crates/agent-tunnel-proto/src/control.rs

@@ -60,7 +60,7 @@ pub enum ControlMessage {
         protocol_version: u16,
         /// Monotonically increasing epoch within this agent process lifetime.
         epoch: u64,
-        /// Reachable IPv4 subnets.
+        /// Reachable subnets (IPv4 and IPv6).
         subnets: Vec<Ipv4Network>,
         /// DNS domains this agent can resolve, with source tracking.
         domains: Vec<DomainAdvertisement>,

crates/agent-tunnel/src/cert.rs

@@ -94,7 +94,7 @@ const SERVER_CERT_FILENAME: &str = "agent-tunnel-server-cert.pem";
 const SERVER_KEY_FILENAME: &str = "agent-tunnel-server-key.pem";
 const CA_VALIDITY_DAYS: u32 = 3650; // ~10 years
 const SERVER_CERT_VALIDITY_DAYS: u32 = 365; // 1 year
-const AGENT_CERT_VALIDITY_DAYS: u32 = 30; // 30 days (short-lived, auto-renewed)
+const AGENT_CERT_VALIDITY_DAYS: u32 = 365; // 1 year
 
 const SECS_PER_DAY: u64 = 86_400;
 const CA_COMMON_NAME: &str = "Devolutions Gateway Agent Tunnel CA";

crates/agent-tunnel/src/enrollment_store.rs

@@ -0,0 +1,138 @@
+//! In-memory store for one-time enrollment tokens.
+//!
+//! Tokens are generated by the webapp enrollment-string endpoint and redeemed
+//! by the agent enrollment endpoint. Each token is single-use and has an expiry.
+
+use std::collections::HashMap;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use tokio::sync::RwLock;
+
+/// Default token lifetime if not specified: 1 hour.
+const DEFAULT_TOKEN_LIFETIME_SECS: u64 = 3600;
+
+/// A single enrollment token entry.
+#[derive(Debug, Clone)]
+pub struct EnrollmentTokenEntry {
+    /// When this token expires (UNIX timestamp in seconds).
+    pub expires_at: u64,
+    /// Optional agent name hint associated with this token.
+    pub agent_name: Option<String>,
+}
+
+/// Thread-safe in-memory store for one-time enrollment tokens.
+///
+/// Tokens are stored in a locked `HashMap` keyed by the token string.
+/// They are removed on consumption (one-time use) or on explicit cleanup.
+#[derive(Debug)]
+pub struct EnrollmentTokenStore {
+    tokens: RwLock<HashMap<String, EnrollmentTokenEntry>>,
+}
+
+impl EnrollmentTokenStore {
+    /// Creates a new, empty token store.
+    pub fn new() -> Self {
+        Self {
+            tokens: RwLock::new(HashMap::new()),
+        }
+    }
+
+    /// Inserts a new enrollment token.
+    ///
+    /// Also cleans up any expired tokens to prevent unbounded growth.
+    pub async fn insert(&self, token: String, agent_name: Option<String>, lifetime_secs: Option<u64>) {
+        self.cleanup_expired().await;
+
+        let lifetime = lifetime_secs.unwrap_or(DEFAULT_TOKEN_LIFETIME_SECS);
+        let now = current_time_secs();
+        let expires_at = now + lifetime;
+
+        self.tokens
+            .write()
+            .await
+            .insert(token, EnrollmentTokenEntry { expires_at, agent_name });
+    }
+
+    /// Consumes a token if it exists and is not expired.
+    ///
+    /// Returns `true` if the token was valid and has been redeemed (removed).
+    /// Returns `false` if the token doesn't exist or is expired.
+    ///
+    /// Note: an expired token is still removed from the store as a side-effect,
+    /// so a caller cannot distinguish "didn't exist" from "existed-but-expired"
+    /// (and shouldn't — both are authentication failures).
+    #[must_use = "check whether the token was valid"]
+    pub async fn redeem(&self, token: &str) -> bool {
+        let now = current_time_secs();
+
+        if let Some(entry) = self.tokens.write().await.remove(token)
+            && entry.expires_at > now
+        {
+            return true;
+        }
+
+        false
+    }
+
+    /// Removes all expired tokens from the store.
+    pub async fn cleanup_expired(&self) {
+        let now = current_time_secs();
+        self.tokens.write().await.retain(|_, entry| entry.expires_at > now);
+    }
+}
+
+impl Default for EnrollmentTokenStore {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+fn current_time_secs() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn insert_and_redeem() {
+        let store = EnrollmentTokenStore::new();
+        store
+            .insert("tok-123".to_owned(), Some("my-agent".to_owned()), Some(3600))
+            .await;
+
+        assert!(store.redeem("tok-123").await);
+        // Second redeem should fail (one-time use).
+        assert!(!store.redeem("tok-123").await);
+    }
+
+    #[tokio::test]
+    async fn redeem_nonexistent_returns_false() {
+        let store = EnrollmentTokenStore::new();
+        assert!(!store.redeem("does-not-exist").await);
+    }
+
+    #[tokio::test]
+    async fn expired_token_not_consumable() {
+        let store = EnrollmentTokenStore::new();
+        // Insert with 0 lifetime → already expired.
+        store.insert("expired-tok".to_owned(), None, Some(0)).await;
+        assert!(!store.redeem("expired-tok").await);
+    }
+
+    #[tokio::test]
+    async fn cleanup_removes_expired() {
+        let store = EnrollmentTokenStore::new();
+        store.insert("expired".to_owned(), None, Some(0)).await;
+        store.insert("valid".to_owned(), None, Some(3600)).await;
+
+        store.cleanup_expired().await;
+
+        assert!(!store.redeem("expired").await);
+        assert!(store.redeem("valid").await);
+    }
+}

crates/agent-tunnel/src/lib.rs

@@ -7,11 +7,13 @@
 extern crate tracing;
 
 pub mod cert;
+pub mod enrollment_store;
 pub mod listener;
 pub mod registry;
 pub mod routing;
 pub mod stream;
 
+pub use enrollment_store::EnrollmentTokenStore;
 pub use listener::{AgentTunnelHandle, AgentTunnelListener};
 pub use registry::AgentRegistry;
 pub use stream::TunnelStream;

crates/agent-tunnel/src/listener.rs

@@ -16,6 +16,7 @@ use tokio::sync::RwLock;
 use uuid::Uuid;
 
 use super::cert::CaManager;
+use super::enrollment_store::EnrollmentTokenStore;
 use super::registry::{AgentPeer, AgentRegistry};
 use super::stream::TunnelStream;
 
@@ -32,6 +33,7 @@ pub struct AgentTunnelHandle {
     /// Map of agent_id → live Quinn connection, used for opening new streams.
     agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>>,
     ca_manager: Arc<CaManager>,
+    enrollment_token_store: Arc<EnrollmentTokenStore>,
 }
 
 impl AgentTunnelHandle {
@@ -43,6 +45,10 @@ impl AgentTunnelHandle {
         &self.ca_manager
     }
 
+    pub fn enrollment_token_store(&self) -> &EnrollmentTokenStore {
+        &self.enrollment_token_store
+    }
+
     /// Open a proxy stream through a connected agent.
     // TODO: Emit TrafficEvent for connections routed through the agent tunnel.
     pub async fn connect_via_agent(
@@ -105,7 +111,6 @@ pub struct AgentTunnelListener {
     endpoint: quinn::Endpoint,
     registry: Arc<AgentRegistry>,
     agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>>,
-    ca_manager: Arc<CaManager>,
 }
 
 impl AgentTunnelListener {
@@ -148,18 +153,19 @@ impl AgentTunnelListener {
 
         let registry = Arc::new(AgentRegistry::new());
         let agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>> = Arc::new(RwLock::new(HashMap::new()));
+        let enrollment_token_store = Arc::new(EnrollmentTokenStore::new());
 
         let handle = AgentTunnelHandle {
             registry: Arc::clone(&registry),
             agent_connections: Arc::clone(&agent_connections),
             ca_manager: Arc::clone(&ca_manager),
+            enrollment_token_store,
         };
 
         let listener = Self {
             endpoint,
             registry,
             agent_connections,
-            ca_manager,
         };
 
         Ok((listener, handle))
@@ -200,11 +206,8 @@ impl devolutions_gateway_task::Task for AgentTunnelListener {
 
                     let registry = Arc::clone(&self.registry);
                     let agent_connections = Arc::clone(&self.agent_connections);
-                    let ca_manager = Arc::clone(&self.ca_manager);
 
-                    conn_handles.spawn(
-                        run_agent_connection(registry, agent_connections, ca_manager, incoming),
-                    );
+                    conn_handles.spawn(run_agent_connection(registry, agent_connections, incoming));
                 }
 
                 // Reap completed connection tasks to prevent unbounded growth.
@@ -225,7 +228,6 @@ impl devolutions_gateway_task::Task for AgentTunnelListener {
 async fn run_agent_connection(
     registry: Arc<AgentRegistry>,
     agent_connections: Arc<RwLock<HashMap<Uuid, quinn::Connection>>>,
-    ca_manager: Arc<CaManager>,
     incoming: quinn::Incoming,
 ) {
     let peer_addr = incoming.remote_address();
@@ -259,7 +261,7 @@ async fn run_agent_connection(
         agent_connections.write().await.insert(agent_id, conn.clone());
 
         // Accept the first bidirectional stream as the control stream.
-        let control_result = run_control_loop(&conn, agent_id, &agent_name, &registry, &ca_manager).await;
+        let control_result = run_control_loop(&conn, agent_id, &registry).await;
 
         // Agent disconnected — clean up.
         info!(%agent_id, "Agent QUIC connection closed");
@@ -275,13 +277,7 @@ async fn run_agent_connection(
     }
 }
 
-async fn run_control_loop(
-    conn: &quinn::Connection,
-    agent_id: Uuid,
-    agent_name: &str,
-    registry: &AgentRegistry,
-    ca_manager: &CaManager,
-) -> anyhow::Result<()> {
+async fn run_control_loop(conn: &quinn::Connection, agent_id: Uuid, registry: &AgentRegistry) -> anyhow::Result<()> {
     let mut ctrl: ControlStream<_, _> = conn.accept_bi().await.context("accept control stream")?.into();
 
     info!(%agent_id, "Control stream accepted");
@@ -302,7 +298,7 @@ async fn run_control_loop(
                     }
                 };
 
-                handle_control_message(registry, ca_manager, agent_id, agent_name, &mut ctrl, msg).await;
+                handle_control_message(registry, agent_id, &mut ctrl, msg).await;
             }
 
             // Detect connection close.
@@ -318,9 +314,7 @@ async fn run_control_loop(
 
 async fn handle_control_message<S: tokio::io::AsyncWrite + Unpin, R: tokio::io::AsyncRead + Unpin>(
     registry: &AgentRegistry,
-    ca_manager: &CaManager,
     agent_id: Uuid,
-    agent_name: &str,
     ctrl: &mut ControlStream<S, R>,
     msg: ControlMessage,
 ) {
@@ -372,30 +366,8 @@ async fn handle_control_message<S: tokio::io::AsyncWrite + Unpin, R: tokio::io::
         ControlMessage::HeartbeatAck { .. } => {
             debug!(%agent_id, "Unexpected HeartbeatAck from agent");
         }
-        ControlMessage::CertRenewalRequest { csr_pem, .. } => {
-            info!(%agent_id, "Agent requested certificate renewal");
-
-            let result = match ca_manager.sign_agent_csr(agent_id, agent_name, &csr_pem, None) {
-                Ok(signed) => {
-                    info!(%agent_id, "Certificate renewed successfully");
-                    agent_tunnel_proto::CertRenewalResult::Success {
-                        client_cert_pem: signed.client_cert_pem,
-                        gateway_ca_cert_pem: signed.ca_cert_pem,
-                    }
-                }
-                Err(e) => {
-                    warn!(%agent_id, error = %e, "Certificate renewal failed");
-                    agent_tunnel_proto::CertRenewalResult::Error { reason: e.to_string() }
-                }
-            };
-
-            let response = ControlMessage::cert_renewal_response(result);
-            if let Err(e) = ctrl.send(&response).await {
-                warn!(%agent_id, error = %e, "Failed to send renewal response");
-            }
-        }
-        ControlMessage::CertRenewalResponse { .. } => {
-            debug!(%agent_id, "Unexpected CertRenewalResponse from agent");
+        ControlMessage::CertRenewalRequest { .. } | ControlMessage::CertRenewalResponse { .. } => {
+            debug!(%agent_id, "Certificate renewal not supported in this build");
         }
     }
 }

devolutions-agent/src/cli_tests.rs

@@ -26,7 +26,6 @@ fn parse_up_command_args_happy_path() {
             enrollment_token: "bootstrap-token".to_owned(),
             agent_name: "site-a-agent".to_owned(),
             advertise_subnets: vec!["10.0.0.0/8".to_owned(), "192.168.1.0/24".to_owned()],
-            advertise_domains: vec![],
             quic_endpoint: "gateway.example.com:7172".to_owned(),
         }
     );
@@ -53,29 +52,6 @@ fn parse_up_command_args_accepts_aliases() {
     assert_eq!(parsed.quic_endpoint, "gateway.example.com:7172");
 }
 
-#[test]
-fn parse_up_command_args_accepts_advertise_domains() {
-    let args = vec![
-        "--gateway".to_owned(),
-        "https://gateway.example.com:7171".to_owned(),
-        "--token".to_owned(),
-        "bootstrap-token".to_owned(),
-        "--name".to_owned(),
-        "site-a-agent".to_owned(),
-        "--quic-endpoint".to_owned(),
-        "gateway.example.com:7172".to_owned(),
-        "--advertise-domains".to_owned(),
-        "corp.example.com, lab.example.com".to_owned(),
-    ];
-
-    let parsed = parse_up_command_args(&args).expect("parse up args");
-
-    assert_eq!(
-        parsed.advertise_domains,
-        vec!["corp.example.com".to_owned(), "lab.example.com".to_owned()]
-    );
-}
-
 #[test]
 fn parse_up_command_args_rejects_missing_quic_endpoint() {
     // No --quic-endpoint and no JWT claim → must fail. The gateway does not
@@ -112,7 +88,7 @@ fn make_jwt(payload: serde_json::Value) -> String {
 #[test]
 fn parse_up_command_args_accepts_enrollment_string() {
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.agent.enroll",
+        "scope": "gateway.tunnel.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",
@@ -134,7 +110,7 @@ fn parse_up_command_args_accepts_enrollment_string() {
 fn parse_up_command_args_rejects_enrollment_string_missing_quic_endpoint() {
     // JWT lacks `jet_quic_endpoint` AND no CLI `--quic-endpoint` → must fail.
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.agent.enroll",
+        "scope": "gateway.tunnel.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",
@@ -152,7 +128,7 @@ fn parse_up_command_args_rejects_enrollment_string_missing_quic_endpoint() {
 #[test]
 fn parse_up_command_args_cli_quic_endpoint_wins_over_jwt() {
     let jwt = make_jwt(serde_json::json!({
-        "scope": "gateway.agent.enroll",
+        "scope": "gateway.tunnel.enroll",
         "exp": 1_999_999_999i64,
         "jti": "00000000-0000-0000-0000-000000000000",
         "jet_gw_url": "https://gateway.example.com:7171",