test(agent-tunnel): add e2e + registry + routing test suite

- testsuite/tests/agent_tunnel/integration.rs: full QUIC e2e (CA →
  enroll → mTLS → control stream → ConnectRequest → echo) and a
  domain-routing variant.
- testsuite/tests/agent_tunnel/registry.rs: AgentRegistry unit tests
  covering online/offline timeouts, route epoch handling (replace vs
  refresh vs ignore stale), domain advertisement persistence, and the
  agent-info snapshot.
- testsuite/tests/agent_tunnel/routing.rs: RoutePlan::resolve / try_route
  decision matrix — explicit jet_agent_id, subnet match, domain match,
  fallback to direct, offline filtering, and the no-handle paths.

Also includes the read_cert_chain rewrite from #1771 (needed for the
e2e tests to parse the rcgen-produced PEM); once #1771 lands this
collapses to just the test files.

Author: irvingoujAtDevolution

crates/agent-tunnel/src/cert.rs

@@ -8,7 +8,7 @@ use std::time::Duration;
 
 use anyhow::{Context as _, bail};
 use camino::{Utf8Path, Utf8PathBuf};
-use picky::pem::parse_pem;
+use picky::pem::{PemError, parse_pem, read_pem};
 use picky::x509::Cert;
 use picky_asn1_x509::{ExtensionView, GeneralName};
 use rcgen::{CertificateParams, DnType, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType};
@@ -32,29 +32,28 @@ fn cert_pem_to_der(pem_str: &str) -> anyhow::Result<Vec<u8>> {
 /// Parse one or more PEM-encoded certificates into `rustls` certificate types.
 ///
 /// A PEM file can carry multiple concatenated CERTIFICATE blocks (chain). We
-/// iterate block-by-block with [`parse_pem`], check each label, and wrap the
-/// DER bytes in [`rustls_pki_types::CertificateDer`] — the only type the
-/// rustls/quinn TLS builders accept.
+/// use [`read_pem`] in a loop — each call consumes one block; `HeaderNotFound`
+/// signals "no more blocks left", which is the termination condition. Each
+/// block's label is verified, then the DER bytes are wrapped in
+/// [`rustls_pki_types::CertificateDer`] — the type the rustls/quinn TLS
+/// builders accept.
 fn read_cert_chain(pem_str: &str) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
+    use std::io::BufReader;
+
+    let mut reader = BufReader::new(pem_str.as_bytes());
     let mut chain = Vec::new();
-    let mut remaining = pem_str;
-    while let Some(start) = remaining.find("-----BEGIN ") {
-        let block_end = remaining[start..]
-            .find("-----END ")
-            .and_then(|e| {
-                remaining[start + e..]
-                    .find("-----\n")
-                    .map(|n| start + e + n + "-----\n".len())
-            })
-            .context("malformed PEM block (no END tag)")?;
-
-        let block = &remaining[start..block_end];
-        let pem = parse_pem(block).context("parse PEM block")?;
-        if pem.label() != PEM_LABEL_CERTIFICATE {
-            bail!("expected {PEM_LABEL_CERTIFICATE} PEM, got {}", pem.label());
+
+    loop {
+        match read_pem(&mut reader) {
+            Ok(pem) => {
+                if pem.label() != PEM_LABEL_CERTIFICATE {
+                    bail!("expected {PEM_LABEL_CERTIFICATE} PEM, got {}", pem.label());
+                }
+                chain.push(rustls::pki_types::CertificateDer::from(pem.data().to_vec()));
+            }
+            Err(PemError::HeaderNotFound) => break,
+            Err(e) => return Err(anyhow::Error::new(e).context("parse PEM block")),
         }
-        chain.push(rustls::pki_types::CertificateDer::from(pem.data().to_vec()));
-        remaining = &remaining[block_end..];
     }
 
     if chain.is_empty() {

testsuite/Cargo.toml

@@ -31,16 +31,27 @@ typed-builder = "0.21"
 tokio-tungstenite = { version = "0.26", features = ["rustls-tls-native-roots"] }
 
 [dev-dependencies]
+agent-tunnel = { path = "../crates/agent-tunnel" }
+agent-tunnel-proto = { path = "../crates/agent-tunnel-proto", features = ["serde"] }
+devolutions-gateway-task = { path = "../crates/devolutions-gateway-task" }
 base64 = "0.22"
-proxy-socks = { path = "../crates/proxy-socks" }
+camino = "1"
+ipnetwork = "0.20"
 libsql = { version = "0.9", default-features = false, features = ["core"] }
 mcp-proxy.path = "../crates/mcp-proxy"
+proxy-socks = { path = "../crates/proxy-socks" }
+quinn = "0.11"
+rcgen = { version = "0.13", features = ["pem", "x509-parser"] }
 rstest = "0.25"
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rustls-pemfile = "2"
+rustls-pki-types = "1"
 serde_json = "1"
 sysevent.path = "../crates/sysevent"
 tempfile = "3"
 test-utils.path = "../crates/test-utils"
 tokio-rustls = { version = "0.26", features = ["ring"] }
+uuid = { version = "1", features = ["v4"] }
 
 [target.'cfg(unix)'.dev-dependencies]
 sysevent-syslog.path = "../crates/sysevent-syslog"