refactor(api): restructured API for type safety, maintainability and docs generation

- These changes makes the API incombatible with previous versions - Added new types for error handling, success responses, and health checks. - Updated health check logic to utilize the new types for better clarity and structure. - Refactored existing handlers to improve response consistency and error handling. - Updated Makefile to include a new target for generating API types from Swagger. - Updated "new agent" API to respond an encrypted cert pair
2026-03-28 20:01:50 +01:00 · 2025-08-16 13:04:05 +08:00
parent fce9ce21c9
commit 35a3e3fef6
149 changed files with 13173 additions and 2173 deletions
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -1,6 +1,8 @@
 package agent

 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@@ -8,6 +10,7 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
+	"io"
 	"math/big"
 	"strings"
 	"time"
@@ -74,6 +77,62 @@ func (p *PEMPair) Load(data string) (err error) {
 	return nil
 }

+func (p *PEMPair) Encrypt(encKey []byte) (PEMPair, error) {
+	cert, err := encrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := encrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func (p *PEMPair) Decrypt(encKey []byte) (PEMPair, error) {
+	cert, err := decrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := decrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func encrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return gcm.Seal(nonce, nonce, data, nil), nil
+}
+
+func decrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := data[:gcm.NonceSize()]
+	ciphertext := data[gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
 func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
 	cert, err := tls.X509KeyPair(p.Cert, p.Key)
 	return &cert, err
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@@ -1,6 +1,7 @@
 package agent

 import (
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -89,3 +90,23 @@ func TestServerClient(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, resp.StatusCode, http.StatusOK)
 }
+
+func TestPEMPairEncryptDecrypt(t *testing.T) {
+	encKey := make([]byte, 32)
+	_, err := rand.Read(encKey)
+	require.NoError(t, err)
+
+	ca, _, _, err := NewAgent()
+	require.NoError(t, err)
+
+	encCA, err := ca.Encrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, encCA)
+
+	decCA, err := encCA.Decrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, decCA)
+
+	require.Equal(t, string(ca.Cert), string(decCA.Cert))
+	require.Equal(t, string(ca.Key), string(decCA.Key))
+}