feat(acl): add group-based ACL rules and related structures (#1265)

* feat(acl): add group-based ACL rules and related structures * refactor(acl): optimize group handling with Arc and improve cache management * refactor(acl): clippy * feat(tests): add performance tests for generate_with_proof and verify methods * feat: update group_trust_map to use HashMap for more secure group proofs * refactor: refactor the logic of the trusted group getting and setting * feat(acl): support kcp/quic use group acl * feat(proxy): optimize group retrieval by IP in Kcp and Quic proxy handlers * feat(tests): add group-based ACL tree node test * always allow quic proxy traffic --------- Co-authored-by: Sijie.Sun <sunsijie@buaa.edu.cn> Co-authored-by: sijie.sun <sijie.sun@smartx.com>
2026-05-06 17:59:11 +00:00 · 2025-08-22 22:25:00 +08:00
parent 34560af141
commit 08a92a53c3
18 changed files with 1042 additions and 29 deletions
@@ -8,8 +8,10 @@ use crate::common::config::ProxyNetworkConfig;
 use crate::common::stats_manager::StatsManager;
 use crate::common::token_bucket::TokenBucketManager;
 use crate::peers::acl_filter::AclFilter;
+use crate::proto::acl::GroupIdentity;
 use crate::proto::cli::PeerConnInfo;
 use crate::proto::common::{PeerFeatureFlag, PortForwardConfigPb};
+use crate::proto::peer_rpc::PeerGroupInfo;
 use crossbeam::atomic::AtomicCell;

 use super::{
@@ -351,6 +353,7 @@ impl GlobalCtx {
    }

    pub fn set_quic_proxy_port(&self, port: Option<u16>) {
+        self.acl_filter.set_quic_udp_port(port.unwrap_or(0));
        self.quic_proxy_port.store(port);
    }

@@ -365,6 +368,37 @@ impl GlobalCtx {
    pub fn get_acl_filter(&self) -> &Arc<AclFilter> {
        &self.acl_filter
    }
+
+    pub fn get_acl_groups(&self, peer_id: PeerId) -> Vec<PeerGroupInfo> {
+        use std::collections::HashSet;
+        self.config
+            .get_acl()
+            .and_then(|acl| acl.acl_v1)
+            .and_then(|acl_v1| acl_v1.group)
+            .map_or_else(Vec::new, |group| {
+                let memberships: HashSet<_> = group.members.iter().collect();
+                group
+                    .declares
+                    .iter()
+                    .filter(|g| memberships.contains(&g.group_name))
+                    .map(|g| {
+                        PeerGroupInfo::generate_with_proof(
+                            g.group_name.clone(),
+                            g.group_secret.clone(),
+                            peer_id,
+                        )
+                    })
+                    .collect()
+            })
+    }
+
+    pub fn get_acl_group_declarations(&self) -> Vec<GroupIdentity> {
+        self.config
+            .get_acl()
+            .and_then(|acl| acl.acl_v1)
+            .and_then(|acl_v1| acl_v1.group)
+            .map_or_else(Vec::new, |group| group.declares.to_vec())
+    }
 }

 #[cfg(test)]