feat(credential): implement credential peer auth and trust propagation (#1968)

- add credential manager and RPC/CLI for generate/list/revoke - support credential-based Noise authentication and revocation handling - propagate trusted credential metadata through OSPF route sync - classify direct peers by auth level in session maintenance - normalize sender credential flag for legacy non-secure compatibility - add unit/integration tests for credential join, relay and revocation
2026-05-15 10:25:40 +00:00 · 2026-03-07 22:58:15 +08:00
parent 59d4475743
commit c4eacf4591
31 changed files with 4289 additions and 163 deletions
@@ -44,6 +44,7 @@ message PeerConnInfo {
  bytes noise_local_static_pubkey = 11;
  bytes noise_remote_static_pubkey = 12;
  peer_rpc.SecureAuthLevel secure_auth_level = 13;
+  peer_rpc.PeerIdentityType peer_identity_type = 14;
 }

 message PeerInfo {
@@ -291,3 +292,45 @@ service StatsRpc {
  rpc GetPrometheusStats(GetPrometheusStatsRequest)
      returns (GetPrometheusStatsResponse);
 }
+
+// Credential management messages
+
+message GenerateCredentialRequest {
+  repeated string groups = 1;   // optional: ACL groups for this credential
+  bool allow_relay = 2;         // optional: allow relay through credential node
+  repeated string allowed_proxy_cidrs = 3; // optional: restrict proxy_cidrs
+  int64 ttl_seconds = 4;        // must be > 0: credential TTL in seconds (0 / omitted is invalid)
+}
+
+message GenerateCredentialResponse {
+  string credential_id = 1;       // public key base64
+  string credential_secret = 2;   // private key base64
+}
+
+message RevokeCredentialRequest {
+  string credential_id = 1;
+}
+
+message RevokeCredentialResponse {
+  bool success = 1;
+}
+
+message ListCredentialsRequest {}
+
+message CredentialInfo {
+  string credential_id = 1;       // public key base64
+  repeated string groups = 2;
+  bool allow_relay = 3;
+  int64 expiry_unix = 4;
+  repeated string allowed_proxy_cidrs = 5;
+}
+
+message ListCredentialsResponse {
+  repeated CredentialInfo credentials = 1;
+}
+
+service CredentialManageRpc {
+  rpc GenerateCredential(GenerateCredentialRequest) returns (GenerateCredentialResponse);
+  rpc RevokeCredential(RevokeCredentialRequest) returns (RevokeCredentialResponse);
+  rpc ListCredentials(ListCredentialsRequest) returns (ListCredentialsResponse);
+}
@@ -216,6 +216,7 @@ message PeerFeatureFlag {
  bool support_conn_list_sync = 5;
  bool quic_input = 6;
  bool no_relay_quic = 7;
+  bool is_credential_peer = 8;
 }

 enum SocketType {
@@ -5,6 +5,14 @@ import "common.proto";

 package peer_rpc;

+message TrustedCredentialPubkey {
+  bytes pubkey = 1;              // X25519 public key (32 bytes)
+  repeated string groups = 2;   // ACL groups this credential belongs to
+  bool allow_relay = 3;         // whether this credential node can relay data
+  int64 expiry_unix = 4;        // expiry time (Unix timestamp)
+  repeated string allowed_proxy_cidrs = 5; // allowed proxy_cidrs ranges
+}
+
 message RoutePeerInfo {
  // means next hop in route table.
  uint32 peer_id = 1;
@@ -30,6 +38,9 @@ message RoutePeerInfo {

  common.NatType tcp_nat_type = 17;
  bytes noise_static_pubkey = 18;
+
+  // Trusted credential public keys published by admin nodes (holding network_secret)
+  repeated TrustedCredentialPubkey trusted_credential_pubkeys = 19;
 }

 message PeerIdVersion {
@@ -263,10 +274,16 @@ message KcpConnData {
 enum SecureAuthLevel {
  None = 0;
  EncryptedUnauthenticated = 1;
-  SharedNodePubkeyVerified = 2;
+  PeerVerified = 2;
  NetworkSecretConfirmed = 3;
 }

+enum PeerIdentityType {
+  Admin = 0;
+  Credential = 1;
+  SharedNode = 2;
+}
+
 enum PeerConnSessionActionPb {
  Join = 0;
  Sync = 1;