Skip to content

feat(agent): support PSU gRPC app token secrets#1848

Open
Adam Driscoll (adamdriscoll) wants to merge 1 commit into
masterfrom
adamdriscoll-gateway-jwt-agent-tokens
Open

feat(agent): support PSU gRPC app token secrets#1848
Adam Driscoll (adamdriscoll) wants to merge 1 commit into
masterfrom
adamdriscoll-gateway-jwt-agent-tokens

Conversation

@adamdriscoll

Copy link
Copy Markdown

PSU gRPC agents need to authenticate using configured application tokens while keeping secret-backed tokens out of static configuration. This change resolves the configured gRPC AppToken before opening the agent stream so literal tokens continue to pass through and $secret:<name> references reuse the existing PSU PowerShell secret resolver.

The implementation keeps token handling in the agent transport layer and avoids server-side or per-method parsing in this repository because the ASP.NET Core gRPC server and PSUPermissions integration are not present here. The gRPC request still carries the resolved token through standard authorization metadata for the PSU server authentication middleware to consume.

Validation:

  • cargo +nightly fmt --all
  • cargo test -p devolutions-agent psu_grpc_agent && cargo test -p devolutions-agent psu_event_hub::powershell_worker && cargo test -p devolutions-agent config
  • cargo clippy --workspace --tests -- -D warnings
  • git --no-pager diff --check
  • cargo test -p devolutions-agent

cargo test --workspace was attempted. The parallel run hit Windows paging-file/mmap errors; the single-job retry with ProgramData=C:\ProgramData progressed until devolutions-agent-updater required elevation (os error 740).

Resolve configured PSU gRPC AppToken values before opening the agent stream so literal tokens are passed through and secret references reuse the existing PowerShell secret resolver.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 17:49
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Let maintainers know that an action is required on their side

  • Add the label release-required Please cut a new release (Devolutions Gateway, Devolutions Agent, Jetsocat, PowerShell module) when you request a maintainer to cut a new release (Devolutions Gateway, Devolutions Agent, Jetsocat, PowerShell module)

  • Add the label release-blocker Follow-up is required before cutting a new release if a follow-up is required before cutting a new release

  • Add the label publish-required Please publish libraries (`Devolutions.Gateway.Utils`, OpenAPI clients, etc) when you request a maintainer to publish libraries (Devolutions.Gateway.Utils, OpenAPI clients, etc.)

  • Add the label publish-blocker Follow-up is required before publishing libraries if a follow-up is required before publishing libraries

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables the PSU gRPC agent to authenticate with secret-backed application tokens. Previously, the gRPC agent forwarded the configured AppToken verbatim as bearer metadata, so a $secret:<name> reference would be sent literally instead of the resolved secret. The change resolves the token before opening the agent stream, reusing the existing PSU PowerShell secret resolver (already used by the PSU Event Hub compatibility feature) so literal tokens pass through unchanged and $secret:<name> references are resolved on demand. This fits into the devolutions-agent PSU integration, keeping token handling in the agent transport layer.

Changes:

  • Add PsuGrpcAgent::resolve_app_token and call it in run_single_connection so the resolved token (not the raw config value) is carried in authorization metadata.
  • Widen visibility of PowerShellWorker, its constructor/resolve_app_token, and the (renamed) app_token_secret_reference_name helper to pub(crate) so the gRPC agent module can reuse them.
  • Add unit tests covering literal-token pass-through and empty-token filtering.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
devolutions-agent/src/psu_grpc_agent/mod.rs Adds resolve_app_token (literal vs $secret: handling), resolves the token before connecting, and adds two unit tests.
devolutions-agent/src/psu_event_hub/powershell_worker.rs Widens PowerShellWorker/new/resolve_app_token to pub(crate) and renames secret_reference_nameapp_token_secret_reference_name (crate-public); updates tests.
devolutions-agent/src/psu_event_hub/mod.rs Exposes the powershell_worker module as pub(crate) so the sibling gRPC agent module can reference it.

I verified all references to the renamed helper were updated, that widening visibility does not break existing consumers, that the new error messages follow the repo's lowercase/no-punctuation convention, and that the test struct literals match the dto definitions. No objective issues found.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants