test(agent): e2e + registry + routing test suite#1772
Open
irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 4 commits into
Open
test(agent): e2e + registry + routing test suite#1772irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 4 commits into
irvingouj@Devolutions (irvingoujAtDevolution) wants to merge 4 commits into
Conversation
irvingouj@Devolutions (irvingoujAtDevolution)
marked this pull request as draft
irvingouj@Devolutions (irvingoujAtDevolution)
changed the title
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/quic-tunnel-2-routing
branch
2 times, most recently
from
b4ec360 to
a2b2ff5
Compare
irvingouj@Devolutions (irvingoujAtDevolution)
added a commit
that referenced
this pull request
May 12, 2026
Address CBenoit's review on #1741: in addition to the `#[doc(hidden)]` marker and the `_for_test` naming, gate `AgentPeer::set_last_seen_for_test` and `set_received_at_for_test` behind `#[cfg(any(test, feature = "test-utils"))]` so production builds of `devolutions-gateway` and `devolutions-agent` don't compile these methods at all. Cross-crate test consumers (the workspace `testsuite` crate carrying the agent-tunnel integration tests, in #1772) opt in via `features = ["test-utils"]` on their `agent-tunnel` dev-dep.
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/agent-tunnel-tests
branch
3 times, most recently
from
8887df1 to
c2da5a9
Compare
- testsuite/tests/agent_tunnel/integration.rs: full QUIC e2e (CA → enroll → mTLS → control stream → ConnectRequest → echo) and a domain-routing variant. - testsuite/tests/agent_tunnel/registry.rs: AgentRegistry unit tests covering online/offline timeouts, route epoch handling (replace vs refresh vs ignore stale), domain advertisement persistence, and the agent-info snapshot. - testsuite/tests/agent_tunnel/routing.rs: RoutePlan::resolve / try_route decision matrix — explicit jet_agent_id, subnet match, domain match, fallback to direct, offline filtering, and the no-handle paths. Also includes the read_cert_chain rewrite from #1771 (needed for the e2e tests to parse the rcgen-produced PEM); once #1771 lands this collapses to just the test files.
irvingouj@Devolutions (irvingoujAtDevolution)
force-pushed
the
feat/agent-tunnel-tests
branch
from
c2da5a9 to
f711d50
Compare
…iants Backfills coverage that the original test suite (#1741-era) predates: - New `common.rs` consolidates the QUIC + mTLS test scaffolding so all E2E tests share one `bind_test_listener` helper instead of duplicating ~80 lines per test. - New `cert.rs` pins three invariants of `agent-tunnel/src/cert.rs`: - `sign_agent_csr` must encode the caller-passed agent_id in the URN SAN, *ignoring* the CSR's Common Name (#1775 review feedback — prevents a compromised agent from impersonating via CSR subject). - `extract_agent_id_from_pem` round-trips a freshly signed cert. - `extract_agent_id_from_pem` rejects a cert with no urn:uuid SAN (e.g. the CA root cert). - Extra `routing.rs` cases against a live `AgentTunnelHandle`: - `route_and_connect` errors on empty candidate slice. - `try_route` with handle present and no match returns `Ok(None)`. - `try_route` with handle present and missing explicit agent_id errors rather than silently falling back to direct. - New `cert_renewal_preserves_mtls_identity_e2e` runs the full QUIC `CertRenewalRequest` → `CertRenewalResponse::Success` round-trip with a renewal CSR filed under `CN=evil-impersonator`. Asserts the renewed cert still encodes the mTLS-authenticated `agent_id` — guards the #1775 handler's "never trust the CSR subject" comment with a test. 32 tests now pass; 3 parallel runs verified stable (~0.3s each).
…dvertise `ctrl.send(&RouteAdvertise)` only guarantees the message is on the wire, not that the gateway has processed it and updated `peer.route_state()`. A fixed 200ms `tokio::time::sleep` was racy on slow/loaded CI runners. Replace the three call sites with `wait_for_route_advertised`, a 10ms poll loop that exits as soon as the agent appears in the registry with `route_state().epoch >= min_epoch`, or panics with a clear message after 5s. Default `RouteAdvertisementState` has epoch 0, so any successful RouteAdvertise bumps it to >= 1. Side effect: the e2e tests finish in ~0.16s instead of ~0.32s because they no longer eat the worst-case fixed delay.
irvingouj@Devolutions (irvingoujAtDevolution)
marked this pull request as ready for review
irvingouj@Devolutions (irvingoujAtDevolution)
requested review from
Benoît Cortier (CBenoit) and
Copilot
and removed request for
Copilot
Copilot started reviewing on behalf of
irvingouj@Devolutions (irvingoujAtDevolution)
May 25, 2026 21:19
View session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the agent-tunnel test suite under
testsuite/tests/agent_tunnel/:integration.rs— full QUIC end-to-end (CA → enroll → mTLS → control stream → ConnectRequest → echo) plus the domain-routing variantregistry.rs—AgentRegistryunit tests (online/offline timeouts, route epoch handling, domain advertisement persistence, agent-info snapshot)routing.rs—RoutePlan::resolve/try_routedecision matrix (explicitjet_agent_id, subnet/domain match, fallback, offline filtering, no-handle paths)Why split out
The routing/upstream feature (#1741, since merged) kept its diff focused on production code. Tests live here so the test scaffolding diff doesn't muddle the feature review.
Test plan
cargo test -p testsuite --test integration_tests agent_tunnel::— 25/25 pass locally