[ci skip] more codex 5.3 improvements

2026-02-06 15:17:38 +11:00
parent dc96431f06
commit dfbaacb6f3
16 changed files with 297 additions and 75 deletions
--- a/server/handler/encryptData.go
+++ b/server/handler/encryptData.go
@@ -2,11 +2,18 @@ package handler

 import (
 	"encoding/json"
-	"fmt"
-	"io"
 	"net/http"
+	"strings"
 )

+const encryptedValuePrefixV1 = "enc:v1:"
+
+type encryptRequest struct {
+	Plaintext string `json:"plaintext"`
+	Value     string `json:"value"`
+	Message   string `json:"message"`
+}
+
 // EncryptData encrypts a plaintext value and returns the ciphertext.
 // @Summary Encrypt data
 // @Description Encrypts a plaintext value and returns the ciphertext.
@@ -15,57 +22,47 @@ import (
 // @Produce json
 // @Param payload body map[string]string true "Plaintext payload"
 // @Success 200 {object} models.StatusMessageResponse "Ciphertext response"
+// @Failure 400 {object} models.ErrorResponse "Invalid request"
 // @Failure 500 {object} models.ErrorResponse "Server error"
 // @Router /api/encrypt [post]
 func (h *Handler) EncryptData(w http.ResponseWriter, r *http.Request) {
-	//ctx := context.Background()
-	var cipherText string
+	if r.Method != http.MethodPost {
+		writeJSONError(w, http.StatusMethodNotAllowed, "method not allowed")
+		return
+	}

-	reqBody, err := io.ReadAll(r.Body)
+	var req encryptRequest
+	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req); err != nil {
+		h.Logger.Error("unable to decode encrypt request", "error", err)
+		writeJSONError(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	plaintext := strings.TrimSpace(req.Plaintext)
+	if plaintext == "" {
+		plaintext = strings.TrimSpace(req.Value)
+	}
+	if plaintext == "" {
+		plaintext = strings.TrimSpace(req.Message)
+	}
+	if plaintext == "" {
+		writeJSONError(w, http.StatusBadRequest, "plaintext is required (accepted keys: plaintext, value, message)")
+		return
+	}
+
+	cipherText, err := h.Secret.Encrypt([]byte(plaintext))
 	if err != nil {
-		h.Logger.Error("Invalid data received", "error", err)
-		fmt.Fprintf(w, "Invalid data received")
-		w.WriteHeader(http.StatusInternalServerError)
+		h.Logger.Error("unable to encrypt payload", "error", err)
+		writeJSONError(w, http.StatusInternalServerError, "encryption failed")
 		return
-	} else {
-		h.Logger.Debug("received input data", "length", len(reqBody))
 	}

-	// get the json input
-	var input map[string]string
-	if err := json.Unmarshal(reqBody, &input); err != nil {
-		h.Logger.Error("unable to unmarshal json", "error", err)
-		prettyPrint(reqBody)
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(map[string]string{
-			"status":  "ERROR",
-			"message": fmt.Sprintf("Unable to unmarshal JSON in request body: '%s'", err),
-		})
-		return
-	} else {
-		h.Logger.Debug("successfully decoded JSON")
-		//prettyPrint(input)
-	}
-
-	//cipher, err := h.Secret.Encrypt()
-	for k := range input {
-		//h.Logger.Debug("foo", "key", k, "value", input[k])
-		cipherText, err = h.Secret.Encrypt([]byte(input[k]))
-		if err != nil {
-			h.Logger.Error("Unable to encrypt", "error", err)
-		} else {
-			h.Logger.Debug("Encrypted plaintext", "length", len(input[k]), "ciphertext", cipherText)
-			w.WriteHeader(http.StatusOK)
-			json.NewEncoder(w).Encode(map[string]string{
-				"status":  "OK",
-				"message": cipherText,
-			})
-			return
-		}
-
-	}
-
-	// return the result
-
+	h.Logger.Debug("encrypted plaintext payload", "input_length", len(plaintext))
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"status":     "OK",
+		"message":    cipherText,
+		"prefixed":   encryptedValuePrefixV1 + cipherText,
+		"ciphertext": cipherText,
+	})
 }
--- a/server/handler/legacy_gate.go
+++ b/server/handler/legacy_gate.go
@@ -0,0 +1,23 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+)
+
+const legacyAPIEnvVar = "VCTP_ENABLE_LEGACY_API"
+
+func legacyAPIEnabled() bool {
+	return strings.TrimSpace(os.Getenv(legacyAPIEnvVar)) == "1"
+}
+
+func (h *Handler) denyLegacyAPI(w http.ResponseWriter, endpoint string) bool {
+	if legacyAPIEnabled() {
+		return false
+	}
+	h.Logger.Warn("legacy endpoint request blocked", "endpoint", endpoint, "env_var", legacyAPIEnvVar)
+	writeJSONError(w, http.StatusGone, fmt.Sprintf("%s is deprecated and disabled; set %s=1 to temporarily re-enable", endpoint, legacyAPIEnvVar))
+	return true
+}
--- a/server/handler/updateCleanup.go
+++ b/server/handler/updateCleanup.go
@@ -16,6 +16,10 @@ import (
 // @Failure 500 {string} string "Server error"
 // @Router /api/cleanup/updates [delete]
 func (h *Handler) UpdateCleanup(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/cleanup/updates") {
+		return
+	}
+
 	/*
 		// Get the current time
 		now := time.Now()
--- a/server/handler/vcCleanup.go
+++ b/server/handler/vcCleanup.go
@@ -20,6 +20,10 @@ import (
 // @Failure 400 {object} models.ErrorResponse "Invalid request"
 // @Router /api/cleanup/vcenter [delete]
 func (h *Handler) VcCleanup(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/cleanup/vcenter") {
+		return
+	}
+
 	ctx := context.Background()

 	// Get the parameters
--- a/server/handler/vmCreateEvent.go
+++ b/server/handler/vmCreateEvent.go
@@ -27,6 +27,10 @@ import (
 // @Failure 500 {string} string "Server error"
 // @Router /api/event/vm/create [post]
 func (h *Handler) VmCreateEvent(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/event/vm/create") {
+		return
+	}
+
 	var (
 		unixTimestamp int64
 		//numVcpus      int32
--- a/server/handler/vmDeleteEvent.go
+++ b/server/handler/vmDeleteEvent.go
@@ -25,6 +25,10 @@ import (
 // @Failure 500 {string} string "Server error"
 // @Router /api/event/vm/delete [post]
 func (h *Handler) VmDeleteEvent(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/event/vm/delete") {
+		return
+	}
+
 	var (
 		deletedTimestamp int64
 	)
--- a/server/handler/vmModifyEvent.go
+++ b/server/handler/vmModifyEvent.go
@@ -32,6 +32,10 @@ import (
 // @Failure 500 {object} models.ErrorResponse "Server error"
 // @Router /api/event/vm/modify [post]
 func (h *Handler) VmModifyEvent(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/event/vm/modify") {
+		return
+	}
+
 	var configChanges []map[string]string
 	params := queries.CreateUpdateParams{}
 	var unixTimestamp int64
--- a/server/handler/vmMoveEvent.go
+++ b/server/handler/vmMoveEvent.go
@@ -27,6 +27,10 @@ import (
 // @Failure 500 {object} models.ErrorResponse "Server error"
 // @Router /api/event/vm/move [post]
 func (h *Handler) VmMoveEvent(w http.ResponseWriter, r *http.Request) {
+	if h.denyLegacyAPI(w, "/api/event/vm/move") {
+		return
+	}
+
 	params := queries.CreateUpdateParams{}
 	var unixTimestamp int64

--- a/server/router/router.go
+++ b/server/router/router.go
@@ -55,7 +55,7 @@ func New(logger *slog.Logger, database db.Database, buildTime string, sha1ver st
 	// add missing data to VMs
 	//mux.HandleFunc("/api/inventory/vm/update", h.VmUpdateDetails)

-	// temporary endpoint
+	// Legacy/maintenance endpoints are gated by VCTP_ENABLE_LEGACY_API.
 	mux.HandleFunc("/api/cleanup/updates", h.UpdateCleanup)
 	//mux.HandleFunc("/api/cleanup/vcenter", h.VcCleanup)