[Feature] register agent with access token (#701)

<!-- Please provide brief information about the PR, what it contains &
its purpose, new behaviors after the change. And let us know here if you
need any help: https://github.com/microsoft/HydraLab/issues/new -->

## Description

<!-- A few words to explain your changes -->

![image](https://github.com/user-attachments/assets/301c85f3-81e3-4fa4-9078-3fe649c2b4ab)

### Linked GitHub issue ID: #  

## Pull Request Checklist
<!-- Put an x in the boxes that apply. This is simply a reminder of what
we are going to look for before merging your code. -->

- [ ] Tests for the changes have been added (for bug fixes / features)
- [x] Code compiles correctly with all tests are passed.
- [x] I've read the [contributing
guide](https://github.com/microsoft/HydraLab/blob/main/CONTRIBUTING.md#making-changes-to-the-code)
and followed the recommended practices.
- [ ] [Wikis](https://github.com/microsoft/HydraLab/wiki) or
[README](https://github.com/microsoft/HydraLab/blob/main/README.md) have
been reviewed and added / updated if needed (for bug fixes / features)

### Does this introduce a breaking change?
*If this introduces a breaking change for Hydra Lab users, please
describe the impact and migration path.*

- [x] Yes
- [ ] No

## How you tested it
*Please make sure the change is tested, you can test it by adding UTs,
do local test and share the screenshots, etc.*


Please check the type of change your PR introduces:
- [ ] Bugfix
- [x] Feature
- [ ] Technical design
- [ ] Build related changes
- [ ] Refactoring (no functional changes, no api changes)
- [ ] Code style update (formatting, renaming) or Documentation content
changes
- [ ] Other (please describe): 

### Feature UI screenshots or Technical design diagrams
*If this is a relatively large or complex change, kick it off by drawing
the tech design with PlantUML and explaining why you chose the solution
you did and what alternatives you considered, etc...*

---------

Co-authored-by: Le Zhou <[email protected]>

Author: zhou9584

agent/src/main/java/com/microsoft/hydralab/agent/service/AgentManageService.java

@@ -3,6 +3,9 @@
 
 package com.microsoft.hydralab.agent.service;
 
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.identity.AzureCliCredentialBuilder;
 import com.microsoft.hydralab.agent.config.AppOptions;
 import com.microsoft.hydralab.common.entity.common.AgentUpdateTask;
 import com.microsoft.hydralab.common.entity.common.Message;
@@ -93,4 +96,16 @@ public void restartAgent(String packageFileName, String path) {
                     path);
         }
     }
+
+    public String getAgentAccessToken(String appId) {
+        try {
+            TokenCredential defaultAzureCredential = new AzureCliCredentialBuilder().build();
+            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes("api://" + appId);
+            logger.info("Requesting access token for appId: {}", appId);
+            return defaultAzureCredential.getToken(tokenRequestContext).block().getToken();
+        } catch (Exception e) {
+            logger.error("Failed to get agent access token for appId: {}", appId, e);
+            return null;
+        }
+    }
 }

agent/src/main/java/com/microsoft/hydralab/agent/service/AgentWebSocketClientService.java

@@ -92,6 +92,9 @@ public void onMessage(Message message) {
         Message response = null;
         switch (path) {
             case Const.Path.AUTH:
+                if (!(message.getBody() instanceof JSONObject)) {
+                    break;
+                }
                 provideAuthInfo(message);
                 return;
             case Const.Path.AGENT_INIT:
@@ -240,6 +243,8 @@ private void prometheusPushgatewayInit(AgentMetadata agentMetadata) {
     }
 
     private void provideAuthInfo(Message message) {
+        JSONObject authData = (JSONObject) message.getBody();
+        String authMode = authData.getString(Const.AgentConfig.AGENT_AUTH_MODE_PARAM);
         Message responseAuth = new Message();
         responseAuth.setSessionId(message.getSessionId());
 
@@ -248,7 +253,22 @@ private void provideAuthInfo(Message message) {
         }
         agentUser.setId(agentId);
         agentUser.setName(agentName);
-        agentUser.setSecret(agentSecret);
+        switch (authMode) {
+            case Const.AgentAuthMode.TOKEN:
+                String appId = authData.getString(Const.AgentConfig.AUTH_APP_ID_PARAM);
+                agentUser.setSecret(agentManageService.getAgentAccessToken(appId));
+                break;
+            case Const.AgentAuthMode.SECRET:
+                agentUser.setSecret(agentSecret);
+                break;
+            default:
+                log.error("Unknown auth mode: {}", authMode);
+                responseAuth.setCode(400);
+                responseAuth.setMessage("Unknown auth mode: " + authMode);
+                send(responseAuth);
+                return;
+        }
+
         try {
             InetAddress localHost = InetAddress.getLocalHost();
             agentUser.setHostname(localHost.getHostName());

center/src/main/java/com/microsoft/hydralab/center/controller/AgentManageController.java

@@ -295,4 +295,27 @@ public Result deleteAgent(@CurrentSecurityContext SysUser requestor,
         agentManageService.deleteAgent(agentManageService.getAgent(agentId));
         return Result.ok("Delete Success");
     }
+
+    /**
+     * Authenticated USER:
+     * 1) users with ROLE SUPER_ADMIN/ADMIN,
+     * 2) agent creator,
+     * 3) admin of the TEAM that agent is in
+     */
+    @PostMapping("/api/agent/updateDeviceId")
+    public Result updateAgentDeviceId(@CurrentSecurityContext SysUser requestor,
+                                      @RequestParam(value = "agentId", required = true) String agentId,
+                                      @RequestParam(value = "deviceId", required = true) String deviceId) {
+        if (!agentManageService.checkAgentAuthorization(requestor, agentId)) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Authentication failed");
+        }
+
+        try {
+            agentManageService.updateAgentDeviceId(agentId, deviceId);
+        } catch (Exception e) {
+            log.error("Failed to update device info for agent {}: {}", agentId, e.getMessage());
+            return Result.error(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Failed to update device info: " + e.getMessage());
+        }
+        return Result.ok("Update Device Info Success!");
+    }
 }

center/src/main/java/com/microsoft/hydralab/center/interceptor/BaseInterceptor.java

@@ -74,9 +74,6 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
 
         // For Azure AD authentication
         String accessToken = request.getHeader("X-MS-TOKEN-AAD-ID-TOKEN");
-
-        LOGGER.info("IdToken: " + request.getHeader("X-MS-TOKEN-AAD-ID-TOKEN"));
-        LOGGER.info("AccessToken: " + request.getHeader("X-MS-TOKEN-AAD-ACCESS-TOKEN"));
         LOGGER.info("UserId: " + request.getHeader("X-MS-CLIENT-PRINCIPAL-ID"));
         LOGGER.info("UserName: " + request.getHeader("X-MS-CLIENT-PRINCIPAL-NAME"));
 

center/src/main/java/com/microsoft/hydralab/center/repository/AgentUserRepository.java

@@ -24,4 +24,6 @@ public interface AgentUserRepository extends JpaRepository<AgentUser, String>, J
     List<AgentUser> findAllByMailAddress(String mailAddress);
 
     List<AgentUser> findAllByTeamId(String teamId);
+
+    Optional<AgentUser> findByDeviceId(String deviceId);
 }

center/src/main/java/com/microsoft/hydralab/center/service/AgentManageService.java

@@ -9,8 +9,11 @@
 import com.microsoft.hydralab.common.entity.center.SysUser;
 import com.microsoft.hydralab.common.entity.common.AgentUser;
 import com.microsoft.hydralab.common.entity.common.CriteriaType;
+import com.microsoft.hydralab.common.util.Const;
 import com.microsoft.hydralab.common.util.CriteriaTypeUtil;
+import com.microsoft.hydralab.common.util.HydraLabRuntimeException;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.jpa.domain.Specification;
 import org.springframework.stereotype.Component;
 
@@ -30,6 +33,8 @@ public class AgentManageService {
     private UserTeamManagementService userTeamManagementService;
     @Resource
     private SysUserService sysUserService;
+    @Value("${app.agent-auth-mode: 'SECRET'}")
+    private String agentAuthMode;
 
     public AgentUser createAgent(String teamId, String teamName, String mailAddress, String os, String name) {
         AgentUser agentUserInfo = new AgentUser();
@@ -51,7 +56,16 @@ public AgentUser createAgent(String teamId, String teamName, String mailAddress,
 
     public AgentUser getAgent(String agentId) {
         Optional<AgentUser> agent = agentUserRepository.findById(agentId);
-        return agent.orElse(null);
+        if (!agent.isPresent()) {
+            return null;
+        }
+        AgentUser agentUser = agent.get();
+        // If agentAuthMode is TOKEN
+        if (Const.AgentAuthMode.TOKEN.equals(agentAuthMode)) {
+            // Set secret to "Not_Required" for TOKEN auth mode
+            agentUser.setSecret("Not_Required");
+        }
+        return agentUser;
     }
 
     public void deleteAgent(AgentUser agentUser) {
@@ -132,6 +146,16 @@ public void updateAgentTeam(String teamId, String teamName) {
         agentUserRepository.saveAll(agents);
     }
 
+    public void updateAgentDeviceId(String agentId, String deviceId) {
+        Optional<AgentUser> findUser = agentUserRepository.findById(agentId);
+        if (!findUser.isPresent()) {
+            throw new HydraLabRuntimeException("Agent with ID " + agentId + " not found.");
+        }
+        AgentUser user = findUser.get();
+        user.setDeviceId(deviceId);
+        agentUserRepository.saveAndFlush(user);
+    }
+
     public File generateAgentConfigFile(String agentId, String host) {
         AgentUser agentUser = getAgent(agentId);
         if (agentUser != null) {
@@ -148,6 +172,9 @@ public File generateAgentConfigFile(String agentId, String host) {
                         new File(CenterConstant.CENTER_TEMP_FILE_DIR));
 
                 FileWriter fileWriter = new FileWriter(agentConfigFile.getAbsolutePath());
+                if(Const.AgentAuthMode.TOKEN.equals(agentAuthMode)){
+                    agentUser.setSecret("Not_Required");
+                }
                 fileWriter.write("app:\n" +
                         "  # register to Hydra Lab Center\n" +
                         "  registry:\n" +

center/src/main/java/com/microsoft/hydralab/center/service/DeviceAgentManagementService.java

@@ -8,6 +8,7 @@
 import com.android.ddmlib.IDevice;
 import com.microsoft.hydralab.center.openai.SuggestionService;
 import com.microsoft.hydralab.center.repository.AgentUserRepository;
+import com.microsoft.hydralab.center.util.AuthUtil;
 import com.microsoft.hydralab.center.util.MetricUtil;
 import com.microsoft.hydralab.common.entity.agent.AgentFunctionAvailability;
 import com.microsoft.hydralab.common.entity.agent.EnvCapabilityRequirement;
@@ -104,6 +105,8 @@ public class DeviceAgentManagementService {
     // save blocked devices <deviceSerial, blockedDeviceInfo>
     private final ConcurrentHashMap<String, BlockedDeviceInfo> blockedDevicesMap = new ConcurrentHashMap<>();
 
+    @Resource
+    AuthUtil authUtil;
     @Resource
     BlockedDeviceInfoRepository blockedDeviceInfoRepository;
     @Resource
@@ -133,7 +136,6 @@ public class DeviceAgentManagementService {
 
     @Value("${app.storage.type}")
     private String storageType;
-
     @Value("${app.access-token-limit}")
     int accessLimit;
     @Value("${app.batteryStrategy}")
@@ -147,6 +149,8 @@ public class DeviceAgentManagementService {
     private boolean appCenterEnabled;
     @Value("${app.error-reporter.app-center.agent.secret: ''}")
     private String appCenterSecret;
+    @Value("${app.agent-auth-mode: 'SECRET'}")
+    private String agentAuthMode;
 
     public void onOpen(Session session) {
         onlineCount.incrementAndGet();
@@ -193,7 +197,12 @@ private void sendAgentMetadata(Session session, AgentUser agentUser, String sign
     }
 
     private void requestAuth(Session session) {
-        sendMessageToSession(session, Message.auth());
+        Message message = Message.auth();
+        JSONObject authData = new JSONObject();
+        authData.put(Const.AgentConfig.AGENT_AUTH_MODE_PARAM, agentAuthMode);
+        authData.put(Const.AgentConfig.AUTH_APP_ID_PARAM, authUtil.getClientId());
+        message.setBody(authData);
+        sendMessageToSession(session, message);
     }
 
     public void onMessage(Message message, @NotNull Session session) throws IOException {
@@ -617,16 +626,23 @@ private AgentUser searchQualifiedAgent(Message message) {
             return null;
         }
         AgentUser agentUser = (AgentUser) body;
-        String id = agentUser.getId();
-
-        Optional<AgentUser> findUser = agentUserRepository.findById(id);
-        if (!findUser.isPresent()) {
-            return null;
+        AgentUser user;
+        switch (agentAuthMode) {
+            case Const.AgentAuthMode.TOKEN:
+                user = searchAgentByToken(agentUser);
+                break;
+            case Const.AgentAuthMode.SECRET:
+                user = searchAgentBySecret(agentUser);
+                break;
+            default:
+                log.error("Unknown agent auth mode: {}, please check your configuration.", agentAuthMode);
+                return null;
         }
-        AgentUser user = findUser.get();
-        if (!user.getSecret().equals(agentUser.getSecret()) || !user.getName().equals(agentUser.getName())) {
+        if (user == null) {
+            log.warn("Agent user {} is not found or invalid.", agentUser);
             return null;
         }
+
         user.setHostname(agentUser.getHostname());
         user.setIp(agentUser.getIp());
         user.setVersionName(agentUser.getVersionName());
@@ -636,6 +652,39 @@ private AgentUser searchQualifiedAgent(Message message) {
         return user;
     }
 
+    private AgentUser searchAgentByToken(AgentUser agentUser) {
+        String accessToken = agentUser.getSecret();
+        if (accessToken == null || accessToken.isEmpty()) {
+            return null;
+        }
+        if (!authUtil.isValidToken(accessToken)) {
+            return null;
+        }
+        String deviceId = authUtil.decodeAccessToken(accessToken).getString("deviceid");
+        if (deviceId == null || deviceId.isEmpty()) {
+            return null;
+        }
+        Optional<AgentUser> findUser = agentUserRepository.findByDeviceId(deviceId);
+        if (!findUser.isPresent()) {
+            return null;
+        }
+        return findUser.get();
+    }
+
+    private AgentUser searchAgentBySecret(AgentUser agentUser) {
+        String id = agentUser.getId();
+
+        Optional<AgentUser> findUser = agentUserRepository.findById(id);
+        if (!findUser.isPresent()) {
+            return null;
+        }
+        AgentUser user = findUser.get();
+        if (!user.getSecret().equals(agentUser.getSecret())) {
+            return null;
+        }
+        return user;
+    }
+
     public void onClose(Session session) {
         onlineCount.decrementAndGet();
         log.info("Session closed, id：{}，online count: {}", session.getId(), onlineCount.get());