feat(credential): implement credential peer auth and trust propagation (#1968)

- add credential manager and RPC/CLI for generate/list/revoke
- support credential-based Noise authentication and revocation handling
- propagate trusted credential metadata through OSPF route sync
- classify direct peers by auth level in session maintenance
- normalize sender credential flag for legacy non-secure compatibility
- add unit/integration tests for credential join, relay and revocation

easytier/src/rpc_service/api.rs

@@ -10,9 +10,9 @@ use crate::{
         api::{
             config::ConfigRpcServer,
             instance::{
-                AclManageRpcServer, ConnectorManageRpcServer, MappedListenerManageRpcServer,
-                PeerManageRpcServer, PortForwardManageRpcServer, StatsRpcServer, TcpProxyRpcServer,
-                VpnPortalRpcServer,
+                AclManageRpcServer, ConnectorManageRpcServer, CredentialManageRpcServer,
+                MappedListenerManageRpcServer, PeerManageRpcServer, PortForwardManageRpcServer,
+                StatsRpcServer, TcpProxyRpcServer, VpnPortalRpcServer,
             },
             logger::LoggerRpcServer,
             manage::WebClientServiceServer,
@@ -23,8 +23,9 @@ use crate::{
     },
     rpc_service::{
         acl_manage::AclManageRpcService, config::ConfigRpcService,
-        connector_manage::ConnectorManageRpcService, instance_manage::InstanceManageRpcService,
-        logger::LoggerRpcService, mapped_listener_manage::MappedListenerManageRpcService,
+        connector_manage::ConnectorManageRpcService, credential_manage::CredentialManageRpcService,
+        instance_manage::InstanceManageRpcService, logger::LoggerRpcService,
+        mapped_listener_manage::MappedListenerManageRpcService,
         peer_center::PeerCenterManageRpcService, peer_manage::PeerManageRpcService,
         port_forward_manage::PortForwardManageRpcService, proxy::TcpProxyRpcService,
         stats::StatsRpcService, vpn_portal::VpnPortalRpcService,
@@ -156,6 +157,11 @@ fn register_api_rpc_service(
         PeerCenterRpcServer::new(PeerCenterManageRpcService::new(instance_manager.clone())),
         "",
     );
+
+    registry.register(
+        CredentialManageRpcServer::new(CredentialManageRpcService::new(instance_manager.clone())),
+        "",
+    );
 }
 
 fn parse_rpc_portal(rpc_portal: Option<String>) -> anyhow::Result<SocketAddr> {

easytier/src/rpc_service/credential_manage.rs

@@ -0,0 +1,62 @@
+use std::sync::Arc;
+
+use crate::{
+    instance_manager::NetworkInstanceManager,
+    proto::{
+        api::instance::{
+            CredentialManageRpc, GenerateCredentialRequest, GenerateCredentialResponse,
+            ListCredentialsRequest, ListCredentialsResponse, RevokeCredentialRequest,
+            RevokeCredentialResponse,
+        },
+        rpc_types::controller::BaseController,
+    },
+};
+
+#[derive(Clone)]
+pub struct CredentialManageRpcService {
+    instance_manager: Arc<NetworkInstanceManager>,
+}
+
+impl CredentialManageRpcService {
+    pub fn new(instance_manager: Arc<NetworkInstanceManager>) -> Self {
+        Self { instance_manager }
+    }
+}
+
+#[async_trait::async_trait]
+impl CredentialManageRpc for CredentialManageRpcService {
+    type Controller = BaseController;
+
+    async fn generate_credential(
+        &self,
+        ctrl: Self::Controller,
+        req: GenerateCredentialRequest,
+    ) -> crate::proto::rpc_types::error::Result<GenerateCredentialResponse> {
+        super::get_instance_service(&self.instance_manager, &None)?
+            .get_credential_manage_service()
+            .generate_credential(ctrl, req)
+            .await
+    }
+
+    async fn revoke_credential(
+        &self,
+        ctrl: Self::Controller,
+        req: RevokeCredentialRequest,
+    ) -> crate::proto::rpc_types::error::Result<RevokeCredentialResponse> {
+        super::get_instance_service(&self.instance_manager, &None)?
+            .get_credential_manage_service()
+            .revoke_credential(ctrl, req)
+            .await
+    }
+
+    async fn list_credentials(
+        &self,
+        ctrl: Self::Controller,
+        req: ListCredentialsRequest,
+    ) -> crate::proto::rpc_types::error::Result<ListCredentialsResponse> {
+        super::get_instance_service(&self.instance_manager, &None)?
+            .get_credential_manage_service()
+            .list_credentials(ctrl, req)
+            .await
+    }
+}

easytier/src/rpc_service/mod.rs

@@ -2,6 +2,7 @@ mod acl_manage;
 mod api;
 mod config;
 mod connector_manage;
+mod credential_manage;
 mod mapped_listener_manage;
 mod peer_center;
 mod peer_manage;
@@ -76,6 +77,11 @@ pub trait InstanceRpcService: Sync + Send {
             > + Send
             + Sync,
     >;
+    fn get_credential_manage_service(
+        &self,
+    ) -> &dyn crate::proto::api::instance::CredentialManageRpc<
+        Controller = crate::proto::rpc_types::controller::BaseController,
+    >;
 }
 
 fn get_instance_service(