Feat/api to provision cert

cmd/silo-proxy-agent/main.go

@@ -51,7 +51,7 @@ func main() {
 		MaxAge:           12 * time.Hour,
 	}))
 	engine.Use(gin.Recovery())
-	internalhttp.SetupRoute(engine, services)
+	internalhttp.SetupRoute(engine, services, "")
 
 	server := &http.Server{
 		Addr:    fmt.Sprintf(":%d", config.Http.Port),

cmd/silo-proxy-server/application.yml

@@ -2,6 +2,7 @@ log:
   level: debug
 http:
   port: 8080
+  admin_api_key: ""  # Required for certificate management endpoints
   agent_port_range:
     start: 8100
     end: 8100
@@ -12,4 +13,8 @@ grpc:
     cert_file: ./certs/server/server-cert.pem
     key_file: ./certs/server/server-key.pem
     ca_file: ./certs/ca/ca-cert.pem
+    ca_key_file: ./certs/ca/ca-key.pem
     client_auth: require
+    domain_names: "localhost"
+    ip_addresses: "127.0.0.1"
+    agent_cert_dir: ./certs/agents

cmd/silo-proxy-server/config.go

@@ -22,11 +22,15 @@ type GrpcConfig struct {
 }
 
 type TLSConfig struct {
-	Enabled    bool   `mapstructure:"enabled"`
-	CertFile   string `mapstructure:"cert_file"`
-	KeyFile    string `mapstructure:"key_file"`
-	CAFile     string `mapstructure:"ca_file"`
-	ClientAuth string `mapstructure:"client_auth"`
+	Enabled      bool   `mapstructure:"enabled"`
+	CertFile     string `mapstructure:"cert_file"`
+	KeyFile      string `mapstructure:"key_file"`
+	CAFile       string `mapstructure:"ca_file"`
+	CAKeyFile    string `mapstructure:"ca_key_file"`
+	ClientAuth   string `mapstructure:"client_auth"`
+	DomainNames  string `mapstructure:"domain_names"`
+	IPAddresses  string `mapstructure:"ip_addresses"`
+	AgentCertDir string `mapstructure:"agent_cert_dir"`
 }
 
 var config Config

cmd/silo-proxy-server/main.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	internalhttp "github.com/EternisAI/silo-proxy/internal/api/http"
+	"github.com/EternisAI/silo-proxy/internal/cert"
 	grpcserver "github.com/EternisAI/silo-proxy/internal/grpc/server"
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
@@ -32,6 +33,25 @@ func main() {
 		ClientAuth: config.Grpc.TLS.ClientAuth,
 	}
 
+	var certService *cert.Service
+	if config.Grpc.TLS.Enabled {
+
+		var err error
+		certService, err = cert.New(
+			config.Grpc.TLS.CAFile,
+			config.Grpc.TLS.CAKeyFile,
+			config.Grpc.TLS.CertFile,
+			config.Grpc.TLS.KeyFile,
+			config.Grpc.TLS.AgentCertDir,
+			config.Grpc.TLS.DomainNames,
+			config.Grpc.TLS.IPAddresses,
+		)
+		if err != nil {
+			slog.Error("Failed to initialize certificates", "error", err)
+			os.Exit(1)
+		}
+	}
+
 	grpcSrv := grpcserver.NewServer(config.Grpc.Port, tlsConfig)
 
 	portManager, err := internalhttp.NewPortManager(
@@ -52,21 +72,22 @@ func main() {
 		"pool_size", config.Http.AgentPortRange.End-config.Http.AgentPortRange.Start+1)
 
 	services := &internalhttp.Services{
-		GrpcServer: grpcSrv,
+		GrpcServer:  grpcSrv,
+		CertService: certService,
 	}
 
 	gin.SetMode(gin.ReleaseMode)
 	engine := gin.New()
 	engine.Use(cors.New(cors.Config{
 		AllowOrigins:     []string{"*"},
 		AllowMethods:     []string{"PUT", "PATCH", "GET", "POST", "DELETE"},
-		AllowHeaders:     []string{"Origin", "Content-Length", "Content-Type", "Authorization"},
+		AllowHeaders:     []string{"Origin", "Content-Length", "Content-Type", "Authorization", "X-API-Key"},
 		ExposeHeaders:    []string{"Content-Length"},
 		AllowCredentials: true,
 		MaxAge:           12 * time.Hour,
 	}))
 	engine.Use(gin.Recovery())
-	internalhttp.SetupRoute(engine, services)
+	internalhttp.SetupRoute(engine, services, config.Http.AdminAPIKey)
 
 	httpServer := &http.Server{
 		Addr:    fmt.Sprintf(":%d", config.Http.Port),

docs/potential_issues.md

@@ -0,0 +1,5 @@
+Potential Issues
+
+1. Missing server certificate regeneration when domain/IP config changes
+2. No rate limiting on certificate generation endpoints
+3. Agent cert directory cleanup - DeleteAgentCert removes entire directory, which could be dangerous

internal/api/http/handler/cert.go

@@ -0,0 +1,234 @@
+package handler
+
+import (
+	"archive/zip"
+	"bytes"
+	"crypto/rsa"
+	"crypto/x509"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"github.com/EternisAI/silo-proxy/internal/cert"
+	"github.com/gin-gonic/gin"
+)
+
+func (h *CertHandler) validateAgentID(ctx *gin.Context) (string, bool) {
+	agentID := ctx.Param("id")
+	if err := cert.ValidateAgentID(agentID); err != nil {
+		slog.Warn("Invalid agent ID", "agent_id", agentID, "error", err)
+		ctx.JSON(http.StatusBadRequest, gin.H{
+			"error": err.Error(),
+		})
+		return "", false
+	}
+	return agentID, true
+}
+
+type CertHandler struct {
+	certService *cert.Service
+}
+
+func NewCertHandler(certService *cert.Service) *CertHandler {
+	return &CertHandler{
+		certService: certService,
+	}
+}
+
+func (h *CertHandler) CreateAgentCertificate(ctx *gin.Context) {
+	if h.certService == nil {
+		slog.Warn("Agent cert creation requested but TLS is disabled")
+		ctx.JSON(http.StatusBadRequest, gin.H{
+			"error": "TLS is not enabled on this server",
+		})
+		return
+	}
+
+	agentID, ok := h.validateAgentID(ctx)
+	if !ok {
+		return
+	}
+
+	if h.certService.AgentCertExists(agentID) {
+		slog.Warn("Certificate already exists", "agent_id", agentID)
+		ctx.JSON(http.StatusConflict, gin.H{
+			"error": "Certificate already exists for this agent",
+		})
+		return
+	}
+
+	slog.Info("Creating agent certificate", "agent_id", agentID)
+
+	agentCert, agentKey, err := h.certService.GenerateAgentCert(agentID)
+	if err != nil {
+		slog.Error("Failed to generate agent certificate", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to generate agent certificate",
+		})
+		return
+	}
+
+	caCertBytes, err := h.certService.GetCACert()
+	if err != nil {
+		slog.Error("Failed to read CA certificate", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to read CA certificate",
+		})
+		return
+	}
+
+	zipBuffer, err := h.createCertZip(agentID, agentCert, agentKey, caCertBytes)
+	if err != nil {
+		slog.Error("Failed to create zip file", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to create zip file",
+		})
+		return
+	}
+
+	ctx.Header("Content-Type", "application/zip")
+	ctx.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s-certs.zip\"", agentID))
+	ctx.Data(http.StatusCreated, "application/zip", zipBuffer.Bytes())
+
+	slog.Info("Agent certificate created successfully", "agent_id", agentID, "zip_size", zipBuffer.Len())
+}
+
+func (h *CertHandler) GetAgentCertificate(ctx *gin.Context) {
+	if h.certService == nil {
+		slog.Warn("Agent cert retrieval requested but TLS is disabled")
+		ctx.JSON(http.StatusBadRequest, gin.H{
+			"error": "TLS is not enabled on this server",
+		})
+		return
+	}
+
+	agentID, ok := h.validateAgentID(ctx)
+	if !ok {
+		return
+	}
+
+	if !h.certService.AgentCertExists(agentID) {
+		slog.Warn("Certificate not found", "agent_id", agentID)
+		ctx.JSON(http.StatusNotFound, gin.H{
+			"error": "Certificate not found for this agent",
+		})
+		return
+	}
+
+	slog.Info("Retrieving agent certificate", "agent_id", agentID)
+
+	agentCertBytes, agentKeyBytes, err := h.certService.GetAgentCert(agentID)
+	if err != nil {
+		slog.Error("Failed to read agent certificate", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to read agent certificate",
+		})
+		return
+	}
+
+	caCertBytes, err := h.certService.GetCACert()
+	if err != nil {
+		slog.Error("Failed to read CA certificate", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to read CA certificate",
+		})
+		return
+	}
+
+	zipBuffer, err := h.createCertZipFromBytes(agentID, agentCertBytes, agentKeyBytes, caCertBytes)
+	if err != nil {
+		slog.Error("Failed to create zip file", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to create zip file",
+		})
+		return
+	}
+
+	ctx.Header("Content-Type", "application/zip")
+	ctx.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s-certs.zip\"", agentID))
+	ctx.Data(http.StatusOK, "application/zip", zipBuffer.Bytes())
+
+	slog.Info("Agent certificate retrieved successfully", "agent_id", agentID, "zip_size", zipBuffer.Len())
+}
+
+func (h *CertHandler) DeleteAgentCertificate(ctx *gin.Context) {
+	if h.certService == nil {
+		slog.Warn("Agent cert deletion requested but TLS is disabled")
+		ctx.JSON(http.StatusBadRequest, gin.H{
+			"error": "TLS is not enabled on this server",
+		})
+		return
+	}
+
+	agentID, ok := h.validateAgentID(ctx)
+	if !ok {
+		return
+	}
+
+	if !h.certService.AgentCertExists(agentID) {
+		slog.Warn("Certificate not found for deletion", "agent_id", agentID)
+		ctx.JSON(http.StatusNotFound, gin.H{
+			"error": "Certificate not found for this agent",
+		})
+		return
+	}
+
+	slog.Info("Deleting agent certificate", "agent_id", agentID)
+
+	certDir := h.certService.GetAgentCertDir(agentID)
+	if err := h.certService.DeleteAgentCert(agentID); err != nil {
+		slog.Error("Failed to delete agent certificate", "error", err, "agent_id", agentID)
+		ctx.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to delete agent certificate",
+		})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{
+		"message":       "Successfully deleted agent certificate",
+		"deleted_paths": []string{certDir},
+	})
+	slog.Info("Agent certificate deleted successfully", "agent_id", agentID)
+}
+
+func (h *CertHandler) createCertZip(agentID string, agentCert *x509.Certificate, agentKey *rsa.PrivateKey, caCertBytes []byte) (*bytes.Buffer, error) {
+	agentCertPEM, err := cert.CertToPEM(agentCert)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode agent certificate: %w", err)
+	}
+
+	agentKeyPEM, err := cert.KeyToPEM(agentKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode agent key: %w", err)
+	}
+
+	return h.createCertZipFromBytes(agentID, agentCertPEM, agentKeyPEM, caCertBytes)
+}
+
+func (h *CertHandler) createCertZipFromBytes(agentID string, certPEM, keyPEM, caCertBytes []byte) (*bytes.Buffer, error) {
+	zipBuffer := new(bytes.Buffer)
+	zipWriter := zip.NewWriter(zipBuffer)
+	defer zipWriter.Close()
+
+	files := map[string][]byte{
+		fmt.Sprintf("%s-cert.pem", agentID): certPEM,
+		fmt.Sprintf("%s-key.pem", agentID):  keyPEM,
+		"ca-cert.pem":                       caCertBytes,
+	}
+
+	for filename, content := range files {
+		f, err := zipWriter.Create(filename)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create zip entry for %s: %w", filename, err)
+		}
+		if _, err := f.Write(content); err != nil {
+			return nil, fmt.Errorf("failed to write zip entry for %s: %w", filename, err)
+		}
+	}
+
+	if err := zipWriter.Close(); err != nil {
+		return nil, fmt.Errorf("failed to finalize zip archive: %w", err)
+	}
+
+	return zipBuffer, nil
+}

internal/api/http/http.go

@@ -3,6 +3,7 @@ package http
 type Config struct {
 	Port           uint      `mapstructure:"port"`
 	AgentPortRange PortRange `mapstructure:"agent_port_range"`
+	AdminAPIKey    string    `mapstructure:"admin_api_key"`
 }
 
 type PortRange struct {