From e15130534f30f1b5b462fdf34bbff76d784cc50b Mon Sep 17 00:00:00 2001 From: Jin Hai Date: Tue, 23 Jun 2026 17:43:26 +0800 Subject: [PATCH] Go: default public key (#16265) ### What problem does this PR solve? Provider default public key for CLI ### Type of change - [x] Refactoring Signed-off-by: Jin Hai --- internal/cli/admin_command.go | 14 ++++++++++++-- internal/cli/cli.go | 33 +++++++++++++++++++++++++++++++++ internal/cli/common_command.go | 10 ++++++++-- internal/cli/crypt.go | 12 ++++++------ internal/cli/user_command.go | 7 ++++++- 5 files changed, 65 insertions(+), 11 deletions(-) diff --git a/internal/cli/admin_command.go b/internal/cli/admin_command.go index eb47001ccd..f42bec08d1 100644 --- a/internal/cli/admin_command.go +++ b/internal/cli/admin_command.go @@ -517,8 +517,13 @@ func (c *CLI) AdminCreateUserCommand(cmd *Command) (ResponseIf, error) { return nil, fmt.Errorf("password not provided") } + publicKey, err := c.GetPublicKeyPEM() + if err != nil { + return nil, fmt.Errorf("failed to get public key: %w", err) + } + // Encrypt password using RSA - encryptedPassword, err := EncryptPassword(password) + encryptedPassword, err := EncryptPassword(password, publicKey) if err != nil { return nil, fmt.Errorf("failed to encrypt password: %w", err) } @@ -658,8 +663,13 @@ func (c *CLI) AdminAlterUserPassword(cmd *Command) (ResponseIf, error) { return nil, fmt.Errorf("password not provided") } + publicKey, err := c.GetPublicKeyPEM() + if err != nil { + return nil, fmt.Errorf("failed to get public key: %w", err) + } + // Encrypt password using RSA - encryptedPassword, err := EncryptPassword(password) + encryptedPassword, err := EncryptPassword(password, publicKey) if err != nil { return nil, fmt.Errorf("failed to encrypt password: %w", err) } diff --git a/internal/cli/cli.go b/internal/cli/cli.go index f0852727b4..f8319eb62c 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go 
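Review bot: The added key lookup followed by `EncryptPassword(password, publicKey)` is repeated almost verbatim in AdminCreateUserCommand here and again in AdminAlterUserPassword, loginUser and RegisterUser. A single private method on CLI would give key selection one home, so a later policy change (for example a notice when the built-in key is used, or a fingerprint check) cannot be missed at one call site; each caller then reduces to `encryptedPassword, err := c.encryptPassword(password)`. It would also avoid the stacked message `failed to get public key: failed to read public key: ...` that the current double wrapping produces when the key file cannot be read. Both admin functions begin and end outside their hunks.

```go
// encryptPassword loads the configured public key (or the built-in default)
// and RSA-encrypts password with it.
func (c *CLI) encryptPassword(password string) (string, error) {
	publicKey, err := c.GetPublicKeyPEM()
	if err != nil {
		return "", fmt.Errorf("get public key: %w", err)
	}
	return EncryptPassword(password, publicKey)
}
```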
@@ -38,6 +38,7 @@ type APIServerConfig struct { UserName *string `yaml:"user_name"` UserPassword *string `yaml:"password"` ApiToken *string `yaml:"api_token"` + KeyFile *string `yaml:"key_file"` IP string Port int } @@ -86,6 +87,7 @@ type AdminModeConfig struct { AdminPort int AdminName *string AdminPassword *string + KeyFile *string //AdminCommand *string } @@ -217,6 +219,11 @@ func ParseArgs(args []string) (*CommandLineConfig, error) { } i++ } + case "-k", "--key": + if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") { + defaultApiServerConfig.KeyFile = &args[i+1] + i++ + } default: // Non-flag argument (command) if !strings.HasPrefix(arg, "-") { @@ -333,6 +340,11 @@ func ParseArgs(args []string) (*CommandLineConfig, error) { AdminConfig.AdminName = &args[i+1] i++ } + case "-k", "--key": + if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") { + AdminConfig.KeyFile = &args[i+1] + i++ + } case "-p", "--password": if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") { AdminConfig.AdminPassword = &args[i+1] 
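Review bot: In both new `-k`/`--key` cases (the @@ -217 hunk and the admin-mode switch in the @@ -333 hunk), a `-k` with no value, or one followed by another flag, is dropped without any message, and the client then falls back to the built-in default key. For an option that selects key material this silent downgrade is surprising; since ParseArgs already returns an error, an `else { return nil, fmt.Errorf("-k/--key requires a key file path") }` branch would make the mistake visible. The neighbouring flags visible in the hunks use the same skip-silently pattern, so this may be deliberate consistency, but the consequence is different for a key. Both switch statements start and end outside the hunks.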
@@ -853,6 +865,27 @@ func (c *CLI) VerifyAuth(username, password string) error { return err } +func (c *CLI) GetPublicKeyPEM() ([]byte, error) { + + var publicKeyFile *string = nil + switch c.Config.CLIMode { + case AdminMode: + publicKeyFile = c.Config.AdminClientConfig.KeyFile + case APIMode: + publicKeyFile = c.Config.APIClientConfig.APIServerMap[c.Config.APIClientConfig.CurrentAPIServer].KeyFile + } + if publicKeyFile == nil { + result := "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq9XTUSeYr2+N1h3Afl/\nz8Dse/2yD0ZGrKwx+EEEcdsBLca9Ynmx3nIB5obmLlSfmskLpBo0UACBmB5rEjBp\n2Q2f3AG3Hjd4B+gNCG6BDaawuDlgANIhGnaTLrIqWrrcm4EMzJOnAOI1fgzJRsOO\nUEfaS318Eq9OVO3apEyCCt0lOQK6PuksduOjVxtltDav+guVAA068NrPYmRNabVK\nRNLJpL8w4D44sfth5RvZ3q9t+6RTArpEtc5sh5ChzvqPOzKGMXW83C95TxmXqpbK\n6olN4RevSfVjEAgCydH6HN6OhtOQEcnrU97r9H0iZOWwbw3pVrZiUkuRD1R56Wzs\n2wIDAQAB\n-----END PUBLIC KEY-----" + return []byte(result), nil + } + + publicKeyPEM, err := os.ReadFile(*publicKeyFile) + if err != nil { + return []byte(""), fmt.Errorf("failed to read public key: %w", err) + } + return publicKeyPEM, nil +} + // printSearchHelp prints help for the search command func printSearchHelp() { help := `Search command usage: search [path] [-n number] diff --git a/internal/cli/common_command.go b/internal/cli/common_command.go index 9cffd6cb6c..879fbf9dc1 100644 --- a/internal/cli/common_command.go +++ b/internal/cli/common_command.go 
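Review bot: When no key file is configured, GetPublicKeyPEM silently returns a PEM literal compiled into the binary, so every default install encrypts passwords to the same key; if the matching private key is the one distributed with the project (not visible in this diff), the RSA step adds no confidentiality and TLS is the only protection for the password in transit. I would move the literal to a named package constant such as `const defaultPublicKeyPEM = ...`, add a doc comment like `// GetPublicKeyPEM returns the PEM from the configured key file, or the built-in default key when none is set.`, and make the fallback visible to the user so operators who rotated the server key can tell why authentication fails. In the APIMode branch the result of `APIServerMap[...CurrentAPIServer]` is used directly; whether a missing entry yields a zero value or a nil pointer depends on the map's element type, which is declared outside this hunk, so that is worth confirming. On the error path `return nil, fmt.Errorf(...)` would be more conventional than `[]byte("")`.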
@@ -160,8 +160,14 @@ func (c *CLI) PingServer(iterations int) (ResponseIf, error) { // loginUser performs the actual login request func (c *CLI) loginUser(email, password string) (string, error) { - // Encrypt password using scrypt (same as Python implementation) - encryptedPassword, err := EncryptPassword(password) + publicKey, err := c.GetPublicKeyPEM() + if err != nil { + return "", fmt.Errorf("failed to get public key: %w", err) + } + + // Encrypt password using RSA + encryptedPassword, err := EncryptPassword(password, publicKey) + if err != nil { return "", fmt.Errorf("failed to encrypt password: %w", err) } diff --git a/internal/cli/crypt.go b/internal/cli/crypt.go index 4da5f18484..c073b402f3 100644 --- a/internal/cli/crypt.go +++ b/internal/cli/crypt.go @@ -29,13 +29,13 @@ import ( // EncryptPassword encrypts a password using RSA public key // This matches the Python implementation in api/utils/crypt.py -func EncryptPassword(password string) (string, error) { +func EncryptPassword(password string, publicKeyPEM []byte) (string, error) { // Read public key from conf/public.pem - publicKeyPath := filepath.Join(getProjectBaseDirectory(), "conf", "public.pem") - publicKeyPEM, err := os.ReadFile(publicKeyPath) - if err != nil { - return "", fmt.Errorf("failed to read public key: %w", err) - } + //publicKeyPath := filepath.Join(getProjectBaseDirectory(), "conf", "public.pem") + //publicKeyPEM, err := os.ReadFile(publicKeyPath) + //if err != nil { + // return "", fmt.Errorf("failed to read public key: %w", err) + //} // Parse public key block, _ := pem.Decode(publicKeyPEM) diff --git a/internal/cli/user_command.go b/internal/cli/user_command.go index 9965d32ead..8f2aa25170 100644 --- a/internal/cli/user_command.go +++ b/internal/cli/user_command.go 
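Review bot: The crypt.go hunk leaves the old file-reading code behind as five commented-out lines and keeps the context comment `// Read public key from conf/public.pem`, which no longer describes what EncryptPassword does. I would delete the dead lines and update the doc comment to say the key comes from the caller, e.g. `// EncryptPassword RSA-encrypts password with the PEM-encoded public key in publicKeyPEM.` If `os` and `path/filepath` were imported in crypt.go only for the removed read, the unchanged import block (outside this hunk) would now trip the unused-import compile error, which is worth checking. The function body continues past the end of the hunk, so how a nil result from `pem.Decode` is handled for caller-supplied input cannot be judged from here.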
@@ -283,8 +283,13 @@ func (c *CLI) RegisterUser(cmd *Command) (ResponseIf, error) { return nil, fmt.Errorf("no password") } + publicKey, err := c.GetPublicKeyPEM() + if err != nil { + return nil, fmt.Errorf("failed to get public key: %w", err) + } + // Encrypt password using RSA - encryptedPassword, err := EncryptPassword(password) + encryptedPassword, err := EncryptPassword(password, publicKey) if err != nil { return nil, fmt.Errorf("failed to encrypt password: %w", err) }