From 4dc182463c1014ee6698dc27857520c098532111 Mon Sep 17 00:00:00 2001 From: Junyi Ou Date: Mon, 22 Jun 2026 12:47:10 -0400 Subject: [PATCH] chore(agent-installer): track agent-tunnel installer follow-ups Mark two known gaps in the Agent Tunnel installer flow with TODOs: 1. Enrollment success != tunnel connectivity. enroll_agent() / the EnrollAgentTunnel custom action report success once the HTTPS cert exchange (POST /jet/tunnel/enroll, port 7171) completes and config is written. The QUIC tunnel (UDP, quic_endpoint) is never probed, so a blocked QUIC port (e.g. firewall on UDP 4433) produces a green install while the agent never comes online and silently auto-reconnects. 2. Custom installer dialog labels render as raw localization keys. The .wxl strings are loaded into a local dict used only for pre-flight MessageBoxes; the custom dialogs resolve [Key] via MsiRuntime.Localize, which is not populated from these custom strings (light.exe only emits !(loc.X)-referenced strings). --- devolutions-agent/src/enrollment.rs | 8 ++++++++ package/AgentWindowsManaged/Program.cs | 11 +++++++++++ 2 files changed, 19 insertions(+) diff --git a/devolutions-agent/src/enrollment.rs b/devolutions-agent/src/enrollment.rs index c3c915cc9..5a6ba5080 100644 --- a/devolutions-agent/src/enrollment.rs +++ b/devolutions-agent/src/enrollment.rs 
@@ -109,6 +109,14 @@ pub async fn enroll_agent( let (key_pem, csr_pem) = generate_key_and_csr(&agent_name)?; let enroll_response = request_enrollment(gateway_url, enrollment_token, &csr_pem).await?; + + // TODO(agent-tunnel): enrollment success here only means the HTTPS cert exchange on + // POST /jet/tunnel/enroll succeeded and the config was persisted — it does NOT verify the + // QUIC tunnel (UDP, quic_endpoint) can actually be established. The installer's + // EnrollAgentTunnel custom action reports "success" on this return, so a blocked QUIC port + // (e.g. firewall on UDP 4433) yields a green install while the agent never comes online and + // silently auto-reconnects forever. Add a short post-enroll QUIC connectivity probe to + // enroll_response.quic_endpoint and surface a clear warning/failure when it can't connect. persist_enrollment_response(agent_name, advertise_subnets, enroll_response, &key_pem) } diff --git a/package/AgentWindowsManaged/Program.cs b/package/AgentWindowsManaged/Program.cs index febd3f055..ba68e4dac 100644 --- a/package/AgentWindowsManaged/Program.cs +++ b/package/AgentWindowsManaged/Program.cs 
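Review bot: The probe this TODO asks for has to be a real QUIC handshake with a bounded timeout, not a bare UDP reachability check — UDP is connectionless and a firewall that silently DROPs the port returns nothing, so an unbounded probe would hang the installer instead of reporting the blocked port, and only a completed handshake (ideally with the just-issued cert against the gateway's CA) proves the tunnel can actually come up. The comment also says the config "was persisted" at this point, but `persist_enrollment_response` runs on the next line; if the probe is inserted ahead of it, the comment should say what happens to the issued certificate and `key_pem` on failure, since failing without persisting presumably forces a second enrollment on retry (token and cert-issuance semantics are not visible here). Suggested wording for the last two comment lines: `// Add a short post-enroll QUIC handshake (bounded timeout) against enroll_response.quic_endpoint,` / `// preferably after persisting so a retry does not need a fresh enrollment; fail or warn clearly.` enroll_agent's body starts outside the hunk.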
@@ -439,6 +439,17 @@ private static void Project_UIInitialized(SetupEventArgs e) strings.Add(s.Attributes["Id"].Value, s.InnerText); } + // TODO(agent-tunnel): these strings are loaded into a LOCAL dict that only feeds the + // pre-flight MessageBoxes below (x86 / .NET 4.8 / newer-installed). The custom dialogs + // (AgentTunnelDialog, AgentDialog title, etc.) resolve their "[Key]" labels via + // MsiRuntime.Localize, which is NOT populated from these custom strings — light.exe only + // emits strings referenced via !(loc.X) into the MSI, and the custom "[Key]" labels are + // never !(loc.X)-referenced, so they fall back to the raw key name in the UI + // (e.g. "AgentTunnelDlgTitle" shows literally). Wire this `strings` dict into the + // ManagedUI runtime localization (or have the custom dialogs use a shared I18n backed by + // it) so the labels render. Standard dialogs (Welcome/InstallDir) work only because + // WixSharp's built-in UI references those standard IDs via !(loc.X). + string I18n(string key) { if (!strings.TryGetValue(key, out string result))
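Review bot: The fix this TODO proposes (feeding `strings` into the ManagedUI runtime) should preserve the lookup-miss behaviour of `I18n`, because `strings` is populated only from the .wxl at UI-init time and a key missing from that file still has to render a visible placeholder rather than throw; the body of `I18n` continues outside the hunk, so which fallback it uses cannot be confirmed here. The statement that light.exe emits only `!(loc.X)`-referenced strings is a tool-behaviour claim that is hard to verify from this repository, so I would hedge it and point the TODO at a tracking issue instead of carrying ten lines of analysis inside the method body, e.g. `// TODO(agent-tunnel): custom-dialog "[Key]" labels are not resolved from these .wxl strings (MsiRuntime.Localize is not populated from them); wire this dict into the ManagedUI localization — see the tracking issue.` Project_UIInitialized starts outside the hunk.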