feat(credential): implement credential peer auth and trust propagation (#1968)

- add credential manager and RPC/CLI for generate/list/revoke - support credential-based Noise authentication and revocation handling - propagate trusted credential metadata through OSPF route sync - classify direct peers by auth level in session maintenance - normalize sender credential flag for legacy non-secure compatibility - add unit/integration tests for credential join, relay and revocation
2026-05-15 10:25:40 +00:00 · 2026-03-07 22:58:15 +08:00
parent 59d4475743
commit c4eacf4591
31 changed files with 4289 additions and 163 deletions
@@ -44,6 +44,7 @@ message PeerConnInfo {
  bytes noise_local_static_pubkey = 11;
  bytes noise_remote_static_pubkey = 12;
  peer_rpc.SecureAuthLevel secure_auth_level = 13;
+  peer_rpc.PeerIdentityType peer_identity_type = 14;
 }

 message PeerInfo {
@@ -291,3 +292,45 @@ service StatsRpc {
  rpc GetPrometheusStats(GetPrometheusStatsRequest)
      returns (GetPrometheusStatsResponse);
 }
+
+// Credential management messages
+
+message GenerateCredentialRequest {
+  repeated string groups = 1;   // optional: ACL groups for this credential
+  bool allow_relay = 2;         // optional: allow relay through credential node
+  repeated string allowed_proxy_cidrs = 3; // optional: restrict proxy_cidrs
+  int64 ttl_seconds = 4;        // must be > 0: credential TTL in seconds (0 / omitted is invalid)
+}
+
+message GenerateCredentialResponse {
+  string credential_id = 1;       // public key base64
+  string credential_secret = 2;   // private key base64
+}
+
+message RevokeCredentialRequest {
+  string credential_id = 1;
+}
+
+message RevokeCredentialResponse {
+  bool success = 1;
+}
+
+message ListCredentialsRequest {}
+
+message CredentialInfo {
+  string credential_id = 1;       // public key base64
+  repeated string groups = 2;
+  bool allow_relay = 3;
+  int64 expiry_unix = 4;
+  repeated string allowed_proxy_cidrs = 5;
+}
+
+message ListCredentialsResponse {
+  repeated CredentialInfo credentials = 1;
+}
+
+service CredentialManageRpc {
+  rpc GenerateCredential(GenerateCredentialRequest) returns (GenerateCredentialResponse);
+  rpc RevokeCredential(RevokeCredentialRequest) returns (RevokeCredentialResponse);
+  rpc ListCredentials(ListCredentialsRequest) returns (ListCredentialsResponse);
+}