feat(agent): support PSU gRPC app token secrets#1848
feat(agent): support PSU gRPC app token secrets#1848Adam Driscoll (adamdriscoll) wants to merge 1 commit into
Conversation
Resolve configured PSU gRPC AppToken values before opening the agent stream so literal tokens are passed through and secret references reuse the existing PowerShell secret resolver. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Let maintainers know that an action is required on their side
|
There was a problem hiding this comment.
Pull request overview
This PR enables the PSU gRPC agent to authenticate with secret-backed application tokens. Previously, the gRPC agent forwarded the configured AppToken verbatim as bearer metadata, so a $secret:<name> reference would be sent literally instead of the resolved secret. The change resolves the token before opening the agent stream, reusing the existing PSU PowerShell secret resolver (already used by the PSU Event Hub compatibility feature) so literal tokens pass through unchanged and $secret:<name> references are resolved on demand. This fits into the devolutions-agent PSU integration, keeping token handling in the agent transport layer.
Changes:
- Add
PsuGrpcAgent::resolve_app_tokenand call it inrun_single_connectionso the resolved token (not the raw config value) is carried inauthorizationmetadata. - Widen visibility of
PowerShellWorker, its constructor/resolve_app_token, and the (renamed)app_token_secret_reference_namehelper topub(crate)so the gRPC agent module can reuse them. - Add unit tests covering literal-token pass-through and empty-token filtering.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| devolutions-agent/src/psu_grpc_agent/mod.rs | Adds resolve_app_token (literal vs $secret: handling), resolves the token before connecting, and adds two unit tests. |
| devolutions-agent/src/psu_event_hub/powershell_worker.rs | Widens PowerShellWorker/new/resolve_app_token to pub(crate) and renames secret_reference_name → app_token_secret_reference_name (crate-public); updates tests. |
| devolutions-agent/src/psu_event_hub/mod.rs | Exposes the powershell_worker module as pub(crate) so the sibling gRPC agent module can reference it. |
I verified all references to the renamed helper were updated, that widening visibility does not break existing consumers, that the new error messages follow the repo's lowercase/no-punctuation convention, and that the test struct literals match the dto definitions. No objective issues found.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
PSU gRPC agents need to authenticate using configured application tokens while keeping secret-backed tokens out of static configuration. This change resolves the configured gRPC
AppTokenbefore opening the agent stream so literal tokens continue to pass through and$secret:<name>references reuse the existing PSU PowerShell secret resolver.The implementation keeps token handling in the agent transport layer and avoids server-side or per-method parsing in this repository because the ASP.NET Core gRPC server and
PSUPermissionsintegration are not present here. The gRPC request still carries the resolved token through standardauthorizationmetadata for the PSU server authentication middleware to consume.Validation:
cargo +nightly fmt --allcargo test -p devolutions-agent psu_grpc_agent && cargo test -p devolutions-agent psu_event_hub::powershell_worker && cargo test -p devolutions-agent configcargo clippy --workspace --tests -- -D warningsgit --no-pager diff --checkcargo test -p devolutions-agentcargo test --workspacewas attempted. The parallel run hit Windows paging-file/mmap errors; the single-job retry withProgramData=C:\ProgramDataprogressed untildevolutions-agent-updaterrequired elevation (os error 740).