feat(credential): improve credential peer routing and visibility (#1971)

- improve credential peer filtering and related route lookup behavior - expose credential peer information through CLI and API definitions - add and refine tests for credential routing and peer interactions
2026-05-16 02:45:41 +00:00 · 2026-03-08 14:06:33 +08:00
parent f3db348b01
commit ef44027f57
8 changed files with 197 additions and 22 deletions
@@ -2261,6 +2261,7 @@ impl PeerRouteServiceImpl {
            let (untrusted, global_trusted_keys) =
                self.synced_route_info.verify_and_update_credential_trusts();
            self.global_ctx.update_trusted_keys(global_trusted_keys);
+            self.disconnect_untrusted_peers(&untrusted).await;
            untrusted_changed = !untrusted.is_empty();
        }

@@ -2274,6 +2275,22 @@ impl PeerRouteServiceImpl {
        my_peer_info_updated || my_conn_info_updated || my_foreign_network_updated
    }

+    async fn disconnect_untrusted_peers(&self, untrusted_peers: &[PeerId]) {
+        if untrusted_peers.is_empty() {
+            return;
+        }
+
+        let interface = self.interface.lock().await;
+        let Some(interface) = interface.as_ref() else {
+            return;
+        };
+
+        for peer_id in untrusted_peers {
+            tracing::warn!(?peer_id, "disconnecting untrusted peer");
+            interface.close_peer(*peer_id).await;
+        }
+    }
+
    fn build_sync_request(
        &self,
        session: &SyncRouteSession,
@@ -2904,6 +2921,7 @@ impl RouteSessionManager {
        session.update_dst_session_id(from_session_id);

        let mut need_update_route_table = false;
+        let mut untrusted_peers = Vec::new();

        if let Some(peer_infos) = &peer_infos {
            // Step 9b: credential peers can only propagate their own route info
@@ -3001,9 +3019,10 @@ impl RouteSessionManager {

        if need_update_route_table {
            // Run credential verification and update route table
-            let (_untrusted, global_trusted_keys) = service_impl
+            let (untrusted, global_trusted_keys) = service_impl
                .synced_route_info
                .verify_and_update_credential_trusts();
+            untrusted_peers = untrusted;
            // Sync trusted keys to GlobalCtx for handshake verification
            service_impl
                .global_ctx
@@ -3035,6 +3054,11 @@ impl RouteSessionManager {
        let is_initiator = session.we_are_initiator.load(Ordering::Relaxed);
        let session_id = session.my_session_id.load(Ordering::Relaxed);

+        drop(_session_lock);
+        service_impl
+            .disconnect_untrusted_peers(&untrusted_peers)
+            .await;
+
        self.sync_now("sync_route_info");

        Ok(SyncRouteInfoResponse {