feat(auth,client-registry): add Noise IK client authentication with managed client registry and per-client ACL controls

2026-03-29 17:04:27 +00:00
parent 187a69028b
commit 01a0d8b9f4
20 changed files with 1930 additions and 897 deletions
--- a/rust/src/management.rs
+++ b/rust/src/management.rs
@@ -585,6 +585,103 @@ async fn handle_server_request(
                Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
            }
        }
+        // ── Client Registry (Hub) Commands ────────────────────────────────
+        "createClient" => {
+            let client_partial = request.params.get("client").cloned().unwrap_or_default();
+            match vpn_server.create_client(client_partial).await {
+                Ok(bundle) => ManagementResponse::ok(id, bundle),
+                Err(e) => ManagementResponse::err(id, format!("Create client failed: {}", e)),
+            }
+        }
+        "removeClient" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            match vpn_server.remove_registered_client(&client_id).await {
+                Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
+                Err(e) => ManagementResponse::err(id, format!("Remove client failed: {}", e)),
+            }
+        }
+        "getClient" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            match vpn_server.get_registered_client(&client_id).await {
+                Ok(entry) => ManagementResponse::ok(id, entry),
+                Err(e) => ManagementResponse::err(id, format!("Get client failed: {}", e)),
+            }
+        }
+        "listRegisteredClients" => {
+            let clients = vpn_server.list_registered_clients().await;
+            match serde_json::to_value(&clients) {
+                Ok(v) => ManagementResponse::ok(id, serde_json::json!({ "clients": v })),
+                Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
+            }
+        }
+        "updateClient" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            let update = request.params.get("update").cloned().unwrap_or_default();
+            match vpn_server.update_registered_client(&client_id, update).await {
+                Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
+                Err(e) => ManagementResponse::err(id, format!("Update client failed: {}", e)),
+            }
+        }
+        "enableClient" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            match vpn_server.enable_client(&client_id).await {
+                Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
+                Err(e) => ManagementResponse::err(id, format!("Enable client failed: {}", e)),
+            }
+        }
+        "disableClient" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            match vpn_server.disable_client(&client_id).await {
+                Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
+                Err(e) => ManagementResponse::err(id, format!("Disable client failed: {}", e)),
+            }
+        }
+        "rotateClientKey" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            match vpn_server.rotate_client_key(&client_id).await {
+                Ok(bundle) => ManagementResponse::ok(id, bundle),
+                Err(e) => ManagementResponse::err(id, format!("Key rotation failed: {}", e)),
+            }
+        }
+        "exportClientConfig" => {
+            let client_id = match request.params.get("clientId").and_then(|v| v.as_str()) {
+                Some(cid) => cid.to_string(),
+                None => return ManagementResponse::err(id, "Missing clientId".to_string()),
+            };
+            let format = request.params.get("format").and_then(|v| v.as_str()).unwrap_or("smartvpn");
+            match vpn_server.export_client_config(&client_id, format).await {
+                Ok(config) => ManagementResponse::ok(id, config),
+                Err(e) => ManagementResponse::err(id, format!("Export failed: {}", e)),
+            }
+        }
+        "generateClientKeypair" => match crypto::generate_keypair() {
+            Ok((public_key, private_key)) => ManagementResponse::ok(
+                id,
+                serde_json::json!({
+                    "publicKey": public_key,
+                    "privateKey": private_key,
+                }),
+            ),
+            Err(e) => ManagementResponse::err(id, format!("Keypair generation failed: {}", e)),
+        },
        _ => ManagementResponse::err(id, format!("Unknown server method: {}", request.method)),
    }
 }