Refactor/trading actions (#1169)

* refactor: 简化交易动作,移除 update_stop_loss/update_take_profit/partial_close
- 移除 Decision 结构体中的 NewStopLoss, NewTakeProfit, ClosePercentage 字段
- 删除 executeUpdateStopLossWithRecord, executeUpdateTakeProfitWithRecord, executePartialCloseWithRecord 函数
- 简化 logger 中的 partial_close 聚合逻辑
- 更新 AI prompt 和验证逻辑,只保留 6 个核心动作
- 清理相关测试代码
保留的交易动作: open_long, open_short, close_long, close_short, hold, wait
* refactor: 移除 AI学习与反思 模块
- 删除前端 AILearning.tsx 组件和相关引用
- 删除后端 /performance API 接口
- 删除 logger 中 AnalyzePerformance、calculateSharpeRatio 等函数
- 删除 PerformanceAnalysis、TradeOutcome、SymbolPerformance 等结构体
- 删除 Context 中的 Performance 字段
- 移除 AI prompt 中夏普比率自我进化相关内容
- 清理 i18n 翻译文件中的相关条目
该模块基于磁盘存储计算,经常出错,做减法移除
* refactor: 将数据库操作统一迁移到 store 包
- 新增 store/ 包,统一管理所有数据库操作
  - store.go: 主 Store 结构,懒加载各子模块
  - user.go, ai_model.go, exchange.go, trader.go 等子模块
  - 支持加密/解密函数注入 (SetCryptoFuncs)
- 更新 main.go 使用 store.New() 替代 config.NewDatabase()
- 更新 api/server.go 使用 *store.Store 替代 *config.Database
- 更新 manager/trader_manager.go:
  - 新增 LoadTradersFromStore, LoadUserTradersFromStore 方法
  - 删除旧版 LoadUserTraders, LoadTraderByID, loadSingleTrader 等方法
  - 移除 nofx/config 依赖
- 删除 config/database.go 和 config/database_test.go
- 更新 api/server_test.go 使用 store.Trader 类型
- 清理 logger/ 包中未使用的 telegram 相关代码
* refactor: unify encryption key management via .env
- Remove redundant EncryptionManager and SecureStorage
- Simplify CryptoService to load keys from environment variables only
  - RSA_PRIVATE_KEY: RSA private key for client-server encryption
  - DATA_ENCRYPTION_KEY: AES-256 key for database encryption
  - JWT_SECRET: JWT signing key for authentication
- Update start.sh to auto-generate missing keys on first run
- Remove secrets/ directory and file-based key storage
- Delete obsolete encryption setup scripts
- Update .env.example with all required keys
* refactor: unify logger usage across mcp package
- Add MCPLogger adapter in logger package to implement mcp.Logger interface
- Update mcp/config.go to use global logger by default
- Remove redundant defaultLogger from mcp/logger.go
- Keep noopLogger for testing purposes
* chore: remove leftover test RSA key file
* chore: remove unused bootstrap package
* refactor: unify logging to use logger package instead of fmt/log
- Replace all fmt.Print/log.Print calls with logger package
- Add auto-initialization in logger package init() for test compatibility
- Update main.go to initialize logger at startup
- Migrate all packages: api, backtest, config, decision, manager, market, store, trader
* refactor: rename database file from config.db to data.db
- Update main.go, start.sh, docker-compose.yml
- Update migration script and documentation
- Update .gitignore and translations
* fix: add RSA_PRIVATE_KEY to docker-compose environment
* fix: add registration_enabled to /api/config response
* fix: Fix navigation between login and register pages
Use window.location.href instead of react-router's navigate() to fix
the issue where URL changes but the page doesn't reload due to App.tsx
using custom route state management.
* fix: Switch SQLite from WAL to DELETE mode for Docker compatibility
WAL mode causes data sync issues with Docker bind mounts on macOS due
to incompatible file locking mechanisms between the container and host.
DELETE mode (traditional journaling) ensures data is written directly
to the main database file.
* refactor: Remove default user from database initialization
The default user was a legacy placeholder that is no longer needed now
that proper user registration is in place.
* feat: Add order tracking system with centralized status sync
- Add trader_orders table for tracking all order lifecycle
- Implement GetOrderStatus interface for all exchanges (Binance, Bybit, Hyperliquid, Aster, Lighter)
- Create OrderSyncManager for centralized order status polling
- Add trading statistics (Sharpe ratio, win rate, profit factor) to AI context
- Include recent completed orders in AI decision input
- Remove per-order goroutine polling in favor of global sync manager
* feat: Add TradingView K-line chart to dashboard
- Create TradingViewChart component with exchange/symbol selectors
- Support Binance, Bybit, OKX, Coinbase, Kraken, KuCoin exchanges
- Add popular symbols quick selection
- Support multiple timeframes (1m to 1W)
- Add fullscreen mode
- Integrate with Dashboard page below equity chart
- Add i18n translations for zh/en
* refactor: Replace separate charts with tabbed ChartTabs component
- Create ChartTabs component with tab switching between equity curve and K-line
- Add embedded mode support for EquityChart and TradingViewChart
- User can now switch between account equity and market chart in same area
* fix: Use ChartTabs in App.tsx and fix embedded mode in EquityChart
- Replace EquityChart with ChartTabs in App.tsx (the actual dashboard renderer)
- Fix EquityChart embedded mode for error and empty data states
- Rename interval state to timeInterval to avoid shadowing window.setInterval
- Add debug logging to ChartTabs component
* feat: Add position tracking system for accurate trade history
- Add trader_positions table to track complete open/close trades
- Add PositionSyncManager to detect manual closes via polling
- Record position on open, update on close with PnL calculation
- Use positions table for trading stats and recent trades (replacing orders table)
- Fix TradingView chart symbol format (add .P suffix for futures)
- Fix DecisionCard wait/hold action color (gray instead of red)
- Auto-append USDT suffix for custom symbol input
* update
---------
This commit is contained in:
tinkle-community
2025-12-06 01:04:26 +08:00
parent 010676c591
commit f4ece051e7
87 changed files with 6870 additions and 10584 deletions

View File

@@ -203,7 +203,7 @@ spec:
./scripts/generate_data_key.sh
# 2. 备份旧数据库
cp config.db config.db.backup
cp data.db data.db.backup
# 3. 重启服务 (会自动处理密钥迁移)
source .env && ./mars

View File

@@ -1,143 +0,0 @@
#!/bin/bash
# 数据加密密钥生成脚本 - 用于Mars AI交易系统数据库加密
# 生成用于AES-256-GCM数据库加密的随机密钥
set -e # 遇到错误立即退出
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
NC='\033[0m' # No Color
echo -e "${BLUE}╔══════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║ Mars AI交易系统 安全密钥生成器 ║${NC}"
echo -e "${BLUE}║ AES-256-GCM数据密钥 + JWT认证密钥 ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════════════════════════════╝${NC}"
echo
# 检查是否安装了 OpenSSL
if ! command -v openssl &> /dev/null; then
echo -e "${RED}❌ 错误: 系统中未安装 OpenSSL${NC}"
echo -e "请安装 OpenSSL:"
echo -e " macOS: ${YELLOW}brew install openssl${NC}"
echo -e " Ubuntu/Debian: ${YELLOW}sudo apt-get install openssl${NC}"
echo -e " CentOS/RHEL: ${YELLOW}sudo yum install openssl${NC}"
exit 1
fi
echo -e "${GREEN}✓ OpenSSL 已安装: $(openssl version)${NC}"
# 生成安全密钥
echo -e "${BLUE}🔐 生成安全密钥...${NC}"
echo
# 生成 AES-256 数据加密密钥
echo -e "${YELLOW}1/2: 生成 AES-256 数据加密密钥...${NC}"
DATA_KEY=$(openssl rand -base64 32)
if [ $? -eq 0 ]; then
echo -e "${GREEN} ✓ 数据加密密钥生成成功${NC}"
else
echo -e "${RED} ❌ 数据加密密钥生成失败${NC}"
exit 1
fi
# 生成 JWT 认证密钥
echo -e "${YELLOW}2/2: 生成 JWT 认证密钥...${NC}"
JWT_KEY=$(openssl rand -base64 64)
if [ $? -eq 0 ]; then
echo -e "${GREEN} ✓ JWT认证密钥生成成功${NC}"
else
echo -e "${RED} ❌ JWT认证密钥生成失败${NC}"
exit 1
fi
# 显示密钥
echo
echo -e "${GREEN}🎉 安全密钥生成完成!${NC}"
echo
echo -e "${BLUE}📋 生成的密钥:${NC}"
echo -e "${PURPLE}1. 数据加密密钥 (AES-256):${NC}"
echo -e "${YELLOW}$DATA_KEY${NC}"
echo
echo -e "${PURPLE}2. JWT认证密钥 (512-bit):${NC}"
echo -e "${YELLOW}$JWT_KEY${NC}"
echo
# 显示使用方法
echo -e "${YELLOW}📋 使用方法:${NC}"
echo
echo -e "${BLUE}1. 环境变量设置:${NC}"
echo -e " export DATA_ENCRYPTION_KEY=\"$DATA_KEY\""
echo -e " export JWT_SECRET=\"$JWT_KEY\""
echo
echo -e "${BLUE}2. .env 文件设置:${NC}"
echo -e " DATA_ENCRYPTION_KEY=$DATA_KEY"
echo -e " JWT_SECRET=$JWT_KEY"
echo
echo -e "${BLUE}3. Docker环境设置:${NC}"
echo -e " docker run -e DATA_ENCRYPTION_KEY=\"$DATA_KEY\" -e JWT_SECRET=\"$JWT_KEY\" ..."
echo
echo -e "${BLUE}4. Kubernetes Secret:${NC}"
echo -e " kubectl create secret generic mars-crypto-key \\"
echo -e " --from-literal=DATA_ENCRYPTION_KEY=\"$DATA_KEY\" \\"
echo -e " --from-literal=JWT_SECRET=\"$JWT_KEY\""
echo
# 显示密钥特性
echo -e "${BLUE}🔍 密钥特性:${NC}"
echo -e " • 数据加密: ${YELLOW}AES-256-GCM (256 bits)${NC}"
echo -e " • JWT认证: ${YELLOW}HS256 (512 bits)${NC}"
echo -e " • 格式: ${YELLOW}Base64 编码${NC}"
echo -e " • 用途: ${YELLOW}数据库加密 + 用户认证${NC}"
# 安全提醒
echo
echo -e "${RED}⚠️ 安全提醒:${NC}"
echo -e " • 请妥善保管此密钥,丢失后无法恢复加密的数据"
echo -e " • 不要将密钥提交到版本控制系统"
echo -e " • 建议在不同环境使用不同的密钥"
echo -e " • 定期更换密钥并重新加密数据"
echo -e " • 在生产环境中,建议使用密钥管理服务"
echo
echo -e "${GREEN}✅ 数据加密密钥生成完成!${NC}"
# 可选:保存到 .env 文件
echo
read -p "是否将密钥保存到 .env 文件? [y/N]: " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
if [ -f ".env" ]; then
# 检查是否已存在 DATA_ENCRYPTION_KEY
if grep -q "^DATA_ENCRYPTION_KEY=" .env; then
echo -e "${YELLOW}⚠️ .env 文件中已存在 DATA_ENCRYPTION_KEY${NC}"
read -p "是否覆盖现有密钥? [y/N]: " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
# 替换现有密钥
if [[ "$OSTYPE" == "darwin"* ]]; then
# macOS
sed -i '' "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$RAW_KEY/" .env
else
# Linux
sed -i "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$RAW_KEY/" .env
fi
echo -e "${GREEN}✓ .env 文件中的密钥已更新${NC}"
else
echo -e "${BLUE} 保持现有密钥不变${NC}"
fi
else
# 追加新密钥
echo "DATA_ENCRYPTION_KEY=$RAW_KEY" >> .env
echo -e "${GREEN}✓ 密钥已保存到 .env 文件${NC}"
fi
else
# 创建新的 .env 文件
echo "DATA_ENCRYPTION_KEY=$RAW_KEY" > .env
echo -e "${GREEN}✓ 密钥已保存到 .env 文件${NC}"
fi
fi

View File

@@ -1,149 +0,0 @@
#!/bin/bash
# RSA密钥对生成脚本 - 用于Mars AI交易系统加密服务
# 生成用于混合加密的RSA-2048密钥对
set -e # 遇到错误立即退出
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# 配置
RSA_KEY_SIZE=2048
SECRETS_DIR="secrets"
PRIVATE_KEY_FILE="$SECRETS_DIR/rsa_key"
PUBLIC_KEY_FILE="$SECRETS_DIR/rsa_key.pub"
echo -e "${BLUE}╔══════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║ Mars AI交易系统 RSA密钥生成器 ║${NC}"
echo -e "${BLUE}║ RSA-2048 混合加密密钥对 ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════════════════════════════╝${NC}"
echo
# 检查是否安装了 OpenSSL
if ! command -v openssl &> /dev/null; then
echo -e "${RED}❌ 错误: 系统中未安装 OpenSSL${NC}"
echo -e "请安装 OpenSSL:"
echo -e " macOS: ${YELLOW}brew install openssl${NC}"
echo -e " Ubuntu/Debian: ${YELLOW}sudo apt-get install openssl${NC}"
echo -e " CentOS/RHEL: ${YELLOW}sudo yum install openssl${NC}"
exit 1
fi
echo -e "${GREEN}✓ OpenSSL 已安装: $(openssl version)${NC}"
# 创建 secrets 目录
if [ ! -d "$SECRETS_DIR" ]; then
echo -e "${YELLOW}📁 创建 $SECRETS_DIR 目录...${NC}"
mkdir -p "$SECRETS_DIR"
chmod 700 "$SECRETS_DIR"
echo -e "${GREEN}✓ 目录创建成功${NC}"
else
echo -e "${GREEN}$SECRETS_DIR 目录已存在${NC}"
fi
# 检查现有密钥
if [ -f "$PRIVATE_KEY_FILE" ] || [ -f "$PUBLIC_KEY_FILE" ]; then
echo
echo -e "${YELLOW}⚠️ 检测到现有的RSA密钥文件:${NC}"
[ -f "$PRIVATE_KEY_FILE" ] && echo -e "$PRIVATE_KEY_FILE"
[ -f "$PUBLIC_KEY_FILE" ] && echo -e "$PUBLIC_KEY_FILE"
echo
read -p "是否覆盖现有密钥? [y/N]: " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${BLUE} 操作已取消${NC}"
exit 0
fi
echo -e "${YELLOW}🗑️ 删除现有密钥文件...${NC}"
rm -f "$PRIVATE_KEY_FILE" "$PUBLIC_KEY_FILE"
fi
echo
echo -e "${BLUE}🔐 开始生成 RSA-$RSA_KEY_SIZE 密钥对...${NC}"
# 生成私钥
echo -e "${YELLOW}📝 步骤 1/3: 生成 RSA 私钥 ($RSA_KEY_SIZE bits)...${NC}"
if openssl genrsa -out "$PRIVATE_KEY_FILE" $RSA_KEY_SIZE 2>/dev/null; then
echo -e "${GREEN}✓ 私钥生成成功${NC}"
else
echo -e "${RED}❌ 私钥生成失败${NC}"
exit 1
fi
# 设置私钥权限
chmod 600 "$PRIVATE_KEY_FILE"
echo -e "${GREEN}✓ 私钥权限设置为 600${NC}"
# 生成公钥
echo -e "${YELLOW}📝 步骤 2/3: 从私钥提取公钥...${NC}"
if openssl rsa -in "$PRIVATE_KEY_FILE" -pubout -out "$PUBLIC_KEY_FILE" 2>/dev/null; then
echo -e "${GREEN}✓ 公钥生成成功${NC}"
else
echo -e "${RED}❌ 公钥生成失败${NC}"
exit 1
fi
# 设置公钥权限
chmod 644 "$PUBLIC_KEY_FILE"
echo -e "${GREEN}✓ 公钥权限设置为 644${NC}"
# 验证密钥
echo -e "${YELLOW}📝 步骤 3/3: 验证密钥对...${NC}"
if openssl rsa -in "$PRIVATE_KEY_FILE" -check -noout 2>/dev/null; then
echo -e "${GREEN}✓ 私钥验证通过${NC}"
else
echo -e "${RED}❌ 私钥验证失败${NC}"
exit 1
fi
if openssl rsa -in "$PUBLIC_KEY_FILE" -pubin -text -noout &>/dev/null; then
echo -e "${GREEN}✓ 公钥验证通过${NC}"
else
echo -e "${RED}❌ 公钥验证失败${NC}"
exit 1
fi
# 显示密钥信息
echo
echo -e "${GREEN}🎉 RSA密钥对生成成功!${NC}"
echo
echo -e "${BLUE}📋 密钥信息:${NC}"
echo -e " 私钥文件: ${YELLOW}$PRIVATE_KEY_FILE${NC}"
echo -e " 公钥文件: ${YELLOW}$PUBLIC_KEY_FILE${NC}"
echo -e " 密钥大小: ${YELLOW}$RSA_KEY_SIZE bits${NC}"
echo
# 显示文件大小
PRIVATE_SIZE=$(stat -f%z "$PRIVATE_KEY_FILE" 2>/dev/null || stat -c%s "$PRIVATE_KEY_FILE" 2>/dev/null || echo "未知")
PUBLIC_SIZE=$(stat -f%z "$PUBLIC_KEY_FILE" 2>/dev/null || stat -c%s "$PUBLIC_KEY_FILE" 2>/dev/null || echo "未知")
echo -e "${BLUE}📏 文件大小:${NC}"
echo -e " 私钥: ${YELLOW}$PRIVATE_SIZE bytes${NC}"
echo -e " 公钥: ${YELLOW}$PUBLIC_SIZE bytes${NC}"
# 显示公钥内容预览
echo
echo -e "${BLUE}🔍 公钥内容预览:${NC}"
head -n 5 "$PUBLIC_KEY_FILE" | sed 's/^/ /'
echo -e " ${YELLOW}...${NC}"
tail -n 2 "$PUBLIC_KEY_FILE" | sed 's/^/ /'
echo
echo -e "${GREEN}✅ RSA密钥对生成完成!${NC}"
echo
echo -e "${YELLOW}📋 使用说明:${NC}"
echo -e " 1. 私钥文件 ($PRIVATE_KEY_FILE) 用于服务器端解密"
echo -e " 2. 公钥文件 ($PUBLIC_KEY_FILE) 可以分发给客户端用于加密"
echo -e " 3. 确保私钥文件的安全性,不要泄露给第三方"
echo -e " 4. 在生产环境中,建议将私钥存储在安全的密钥管理服务中"
echo
echo -e "${RED}⚠️ 安全提醒:${NC}"
echo -e " • 私钥文件权限已设置为 600 (仅所有者可读写)"
echo -e " • 请定期备份密钥文件"
echo -e " • 建议在不同环境使用不同的密钥对"
echo

View File

@@ -12,71 +12,71 @@ import (
)
func main() {
log.Println("🔄 開始遷移數據庫到加密格式...")
log.Println("🔄 开始迁移数据库到加密格式...")
// 1. 檢查數據庫檔案
dbPath := "config.db"
// 1. 检查数据库文件
dbPath := "data.db"
if len(os.Args) > 1 {
dbPath = os.Args[1]
}
if _, err := os.Stat(dbPath); os.IsNotExist(err) {
log.Fatalf("❌ 數據庫檔案不存在: %s", dbPath)
log.Fatalf("❌ 数据库文件不存在: %s", dbPath)
}
// 2. 備份數據庫
// 2. 备份数据库
backupPath := fmt.Sprintf("%s.pre_encryption_backup", dbPath)
log.Printf("📦 備份數據庫到: %s", backupPath)
log.Printf("📦 备份数据库到: %s", backupPath)
input, err := os.ReadFile(dbPath)
if err != nil {
log.Fatalf("❌ 讀取數據庫失敗: %v", err)
log.Fatalf("❌ 读取数据库失败: %v", err)
}
if err := os.WriteFile(backupPath, input, 0600); err != nil {
log.Fatalf("❌ 份失: %v", err)
log.Fatalf("❌ 份失: %v", err)
}
// 3. 打開數據庫
// 3. 打开数据库
db, err := sql.Open("sqlite", dbPath)
if err != nil {
log.Fatalf("❌ 打開數據庫失敗: %v", err)
log.Fatalf("❌ 打开数据库失败: %v", err)
}
defer db.Close()
// 4. 初始化加密管理器
em, err := crypto.GetEncryptionManager()
// 4. 初始化 CryptoService从环境变量加载密钥
cs, err := crypto.NewCryptoService()
if err != nil {
log.Fatalf("❌ 初始化加密管理器失敗: %v", err)
log.Fatalf("❌ 初始化加密服务失败: %v", err)
}
// 5. 移交易所配置
if err := migrateExchanges(db, em); err != nil {
log.Fatalf("❌ 移交易所配置失: %v", err)
// 5. 移交易所配置
if err := migrateExchanges(db, cs); err != nil {
log.Fatalf("❌ 移交易所配置失: %v", err)
}
// 6. 移 AI 模型配置
if err := migrateAIModels(db, em); err != nil {
log.Fatalf("❌ 移 AI 模型配置失: %v", err)
// 6. 移 AI 模型配置
if err := migrateAIModels(db, cs); err != nil {
log.Fatalf("❌ 移 AI 模型配置失: %v", err)
}
log.Println("✅ 數據遷移完成!")
log.Printf("📝 原始數據備份位: %s", backupPath)
log.Println("⚠️ 請驗證系統功能正常,手動刪除備份檔案")
log.Println("✅ 数据迁移完成!")
log.Printf("📝 原始数据备份位: %s", backupPath)
log.Println("⚠️ 请验证系统功能正常,手动删除备份文件")
}
// migrateExchanges 移交易所配置
func migrateExchanges(db *sql.DB, em *crypto.EncryptionManager) error {
log.Println("🔄 移交易所配置...")
// migrateExchanges 移交易所配置
func migrateExchanges(db *sql.DB, cs *crypto.CryptoService) error {
log.Println("🔄 移交易所配置...")
// 查所有未加密的記錄(假設加密數據都包含 '==' Base64 特徵
// 查所有未加密的记录(加密数据以 ENC:v1: 开头
rows, err := db.Query(`
SELECT user_id, id, api_key, secret_key,
COALESCE(hyperliquid_private_key, ''),
COALESCE(aster_private_key, '')
FROM exchanges
WHERE (api_key != '' AND api_key NOT LIKE '%==%')
OR (secret_key != '' AND secret_key NOT LIKE '%==%')
WHERE (api_key != '' AND api_key NOT LIKE 'ENC:v1:%')
OR (secret_key != '' AND secret_key NOT LIKE 'ENC:v1:%')
`)
if err != nil {
return err
@@ -96,34 +96,34 @@ func migrateExchanges(db *sql.DB, em *crypto.EncryptionManager) error {
return err
}
// 加密每字段
encAPIKey, err := em.EncryptForDatabase(apiKey)
// 加密每字段
encAPIKey, err := cs.EncryptForStorage(apiKey)
if err != nil {
return fmt.Errorf("加密 API Key 失: %w", err)
return fmt.Errorf("加密 API Key 失: %w", err)
}
encSecretKey, err := em.EncryptForDatabase(secretKey)
encSecretKey, err := cs.EncryptForStorage(secretKey)
if err != nil {
return fmt.Errorf("加密 Secret Key 失: %w", err)
return fmt.Errorf("加密 Secret Key 失: %w", err)
}
encHLPrivateKey := ""
if hlPrivateKey != "" {
encHLPrivateKey, err = em.EncryptForDatabase(hlPrivateKey)
encHLPrivateKey, err = cs.EncryptForStorage(hlPrivateKey)
if err != nil {
return fmt.Errorf("加密 Hyperliquid Private Key 失: %w", err)
return fmt.Errorf("加密 Hyperliquid Private Key 失: %w", err)
}
}
encAsterPrivateKey := ""
if asterPrivateKey != "" {
encAsterPrivateKey, err = em.EncryptForDatabase(asterPrivateKey)
encAsterPrivateKey, err = cs.EncryptForStorage(asterPrivateKey)
if err != nil {
return fmt.Errorf("加密 Aster Private Key 失: %w", err)
return fmt.Errorf("加密 Aster Private Key 失: %w", err)
}
}
// 更新數據庫
// 更新数据库
_, err = tx.Exec(`
UPDATE exchanges
SET api_key = ?, secret_key = ?,
@@ -132,7 +132,7 @@ func migrateExchanges(db *sql.DB, em *crypto.EncryptionManager) error {
`, encAPIKey, encSecretKey, encHLPrivateKey, encAsterPrivateKey, userID, exchangeID)
if err != nil {
return fmt.Errorf("更新數據庫失敗: %w", err)
return fmt.Errorf("更新数据库失败: %w", err)
}
log.Printf(" ✓ 已加密: [%s] %s", userID, exchangeID)
@@ -143,18 +143,18 @@ func migrateExchanges(db *sql.DB, em *crypto.EncryptionManager) error {
return err
}
log.Printf("✅ 已移 %d 交易所配置", count)
log.Printf("✅ 已移 %d 交易所配置", count)
return nil
}
// migrateAIModels 移 AI 模型配置
func migrateAIModels(db *sql.DB, em *crypto.EncryptionManager) error {
log.Println("🔄 移 AI 模型配置...")
// migrateAIModels 移 AI 模型配置
func migrateAIModels(db *sql.DB, cs *crypto.CryptoService) error {
log.Println("🔄 移 AI 模型配置...")
rows, err := db.Query(`
SELECT user_id, id, api_key
FROM ai_models
WHERE api_key != '' AND api_key NOT LIKE '%==%'
WHERE api_key != '' AND api_key NOT LIKE 'ENC:v1:%'
`)
if err != nil {
return err
@@ -174,9 +174,9 @@ func migrateAIModels(db *sql.DB, em *crypto.EncryptionManager) error {
return err
}
encAPIKey, err := em.EncryptForDatabase(apiKey)
encAPIKey, err := cs.EncryptForStorage(apiKey)
if err != nil {
return fmt.Errorf("加密 API Key 失: %w", err)
return fmt.Errorf("加密 API Key 失: %w", err)
}
_, err = tx.Exec(`
@@ -184,7 +184,7 @@ func migrateAIModels(db *sql.DB, em *crypto.EncryptionManager) error {
`, encAPIKey, userID, modelID)
if err != nil {
return fmt.Errorf("更新數據庫失敗: %w", err)
return fmt.Errorf("更新数据库失败: %w", err)
}
log.Printf(" ✓ 已加密: [%s] %s", userID, modelID)
@@ -195,6 +195,6 @@ func migrateAIModels(db *sql.DB, em *crypto.EncryptionManager) error {
return err
}
log.Printf("✅ 已移 %d AI 模型配置", count)
log.Printf("✅ 已移 %d AI 模型配置", count)
return nil
}

View File

@@ -1,319 +0,0 @@
#!/bin/bash
# Mars AI交易系统加密环境设置脚本
# 一键生成RSA密钥对和数据加密密钥完整设置加密环境
set -e # 遇到错误立即退出
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# 获取脚本所在目录
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
echo -e "${PURPLE}╔════════════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${PURPLE}║ Mars AI交易系统 ║${NC}"
echo -e "${PURPLE}║ 🔐 加密环境一键设置工具 ║${NC}"
echo -e "${PURPLE}║ ║${NC}"
echo -e "${PURPLE}║ 功能: 生成RSA密钥对 + 数据加密密钥 + 配置环境变量 ║${NC}"
echo -e "${PURPLE}╚════════════════════════════════════════════════════════════════════════╝${NC}"
echo
# 检查依赖
echo -e "${CYAN}🔍 检查系统依赖...${NC}"
# 检查 OpenSSL
if ! command -v openssl &> /dev/null; then
echo -e "${RED}❌ 错误: 系统中未安装 OpenSSL${NC}"
echo -e "请安装 OpenSSL:"
echo -e " macOS: ${YELLOW}brew install openssl${NC}"
echo -e " Ubuntu/Debian: ${YELLOW}sudo apt-get install openssl${NC}"
echo -e " CentOS/RHEL: ${YELLOW}sudo yum install openssl${NC}"
exit 1
fi
echo -e "${GREEN}✓ OpenSSL: $(openssl version)${NC}"
# 进入项目根目录
cd "$PROJECT_ROOT"
echo -e "${GREEN}✓ 工作目录: $(pwd)${NC}"
# 配置参数
RSA_KEY_SIZE=2048
SECRETS_DIR="secrets"
PRIVATE_KEY_FILE="$SECRETS_DIR/rsa_key"
PUBLIC_KEY_FILE="$SECRETS_DIR/rsa_key.pub"
echo
echo -e "${BLUE}📋 配置参数:${NC}"
echo -e " • RSA密钥大小: ${YELLOW}$RSA_KEY_SIZE bits${NC}"
echo -e " • 私钥文件: ${YELLOW}$PRIVATE_KEY_FILE${NC}"
echo -e " • 公钥文件: ${YELLOW}$PUBLIC_KEY_FILE${NC}"
echo -e " • AES密钥: ${YELLOW}256 bits (自动生成)${NC}"
# 询问用户确认
echo
read -p "是否继续设置加密环境? [Y/n]: " -n 1 -r
echo
if [[ $REPLY =~ ^[Nn]$ ]]; then
echo -e "${BLUE} 操作已取消${NC}"
exit 0
fi
echo
echo -e "${CYAN}🚀 开始设置加密环境...${NC}"
# ============= 步骤1: 创建目录 =============
echo
echo -e "${YELLOW}📁 步骤 1/4: 创建必要目录...${NC}"
if [ ! -d "$SECRETS_DIR" ]; then
mkdir -p "$SECRETS_DIR"
chmod 700 "$SECRETS_DIR"
echo -e "${GREEN}✓ 创建 $SECRETS_DIR 目录${NC}"
else
echo -e "${GREEN}$SECRETS_DIR 目录已存在${NC}"
fi
if [ ! -d "scripts" ]; then
mkdir -p "scripts"
echo -e "${GREEN}✓ 创建 scripts 目录${NC}"
else
echo -e "${GREEN}✓ scripts 目录已存在${NC}"
fi
# ============= 步骤2: 生成RSA密钥对 =============
echo
echo -e "${YELLOW}🔐 步骤 2/4: 生成 RSA-$RSA_KEY_SIZE 密钥对...${NC}"
# 检查现有RSA密钥
if [ -f "$PRIVATE_KEY_FILE" ] || [ -f "$PUBLIC_KEY_FILE" ]; then
echo -e "${YELLOW}⚠️ 检测到现有的RSA密钥文件${NC}"
read -p "是否重新生成RSA密钥? [y/N]: " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
rm -f "$PRIVATE_KEY_FILE" "$PUBLIC_KEY_FILE"
echo -e "${YELLOW}🗑️ 删除旧密钥${NC}"
else
echo -e "${BLUE} 保持现有RSA密钥${NC}"
RSA_SKIPPED=true
fi
fi
if [ "$RSA_SKIPPED" != "true" ]; then
# 生成私钥
echo -e " ${CYAN}生成RSA私钥...${NC}"
openssl genrsa -out "$PRIVATE_KEY_FILE" $RSA_KEY_SIZE 2>/dev/null
chmod 600 "$PRIVATE_KEY_FILE"
echo -e "${GREEN} ✓ 私钥生成完成${NC}"
# 生成公钥
echo -e " ${CYAN}提取RSA公钥...${NC}"
openssl rsa -in "$PRIVATE_KEY_FILE" -pubout -out "$PUBLIC_KEY_FILE" 2>/dev/null
chmod 644 "$PUBLIC_KEY_FILE"
echo -e "${GREEN} ✓ 公钥生成完成${NC}"
# 验证密钥
echo -e " ${CYAN}验证密钥对...${NC}"
openssl rsa -in "$PRIVATE_KEY_FILE" -check -noout 2>/dev/null
echo -e "${GREEN} ✓ 密钥验证通过${NC}"
fi
# ============= 步骤3: 生成数据加密密钥和JWT密钥 =============
echo
echo -e "${YELLOW}🔑 步骤 3/4: 生成 AES-256 数据加密密钥和JWT认证密钥...${NC}"
# 检查现有密钥
DATA_KEY_EXISTS=false
JWT_KEY_EXISTS=false
if [ -f ".env" ]; then
if grep -q "^DATA_ENCRYPTION_KEY=" .env; then
DATA_KEY_EXISTS=true
fi
if grep -q "^JWT_SECRET=" .env; then
JWT_KEY_EXISTS=true
fi
fi
if [ "$DATA_KEY_EXISTS" = "true" ] || [ "$JWT_KEY_EXISTS" = "true" ]; then
echo -e "${YELLOW}⚠️ 检测到现有的密钥配置${NC}"
if [ "$DATA_KEY_EXISTS" = "true" ]; then
echo -e " • 数据加密密钥已存在"
fi
if [ "$JWT_KEY_EXISTS" = "true" ]; then
echo -e " • JWT认证密钥已存在"
fi
read -p "是否重新生成所有密钥? [y/N]: " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${BLUE} 保持现有密钥${NC}"
KEY_SKIPPED=true
# 读取现有密钥
if [ "$DATA_KEY_EXISTS" = "true" ]; then
DATA_KEY=$(grep "^DATA_ENCRYPTION_KEY=" .env | cut -d'=' -f2)
fi
if [ "$JWT_KEY_EXISTS" = "true" ]; then
JWT_KEY=$(grep "^JWT_SECRET=" .env | cut -d'=' -f2)
fi
fi
fi
if [ "$KEY_SKIPPED" != "true" ]; then
# 生成新的密钥
echo -e " ${CYAN}生成AES-256数据加密密钥...${NC}"
DATA_KEY=$(openssl rand -base64 32)
echo -e "${GREEN} ✓ 数据加密密钥生成完成${NC}"
echo -e " ${CYAN}生成JWT认证密钥...${NC}"
JWT_KEY=$(openssl rand -base64 64)
echo -e "${GREEN} ✓ JWT认证密钥生成完成${NC}"
# 保存到.env文件
if [ -f ".env" ]; then
# 更新现有文件
if grep -q "^DATA_ENCRYPTION_KEY=" .env; then
if [[ "$OSTYPE" == "darwin"* ]]; then
sed -i '' "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$DATA_KEY/" .env
else
sed -i "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$DATA_KEY/" .env
fi
else
echo "DATA_ENCRYPTION_KEY=$DATA_KEY" >> .env
fi
if grep -q "^JWT_SECRET=" .env; then
# 使用替代分隔符避免 / 字符冲突,并用引号保护值
if [[ "$OSTYPE" == "darwin"* ]]; then
sed -i '' "s|^JWT_SECRET=.*|JWT_SECRET=\"$JWT_KEY\"|" .env
else
sed -i "s|^JWT_SECRET=.*|JWT_SECRET=\"$JWT_KEY\"|" .env
fi
else
# 使用引号确保值在同一行
printf "JWT_SECRET=\"%s\"\n" "$JWT_KEY" >> .env
fi
else
# 创建新文件
echo "DATA_ENCRYPTION_KEY=$DATA_KEY" > .env
printf "JWT_SECRET=\"%s\"\n" "$JWT_KEY" >> .env
fi
chmod 600 .env
echo -e "${GREEN} ✓ 密钥已保存到 .env 文件${NC}"
elif [ "$DATA_KEY_EXISTS" != "true" ] || [ "$JWT_KEY_EXISTS" != "true" ]; then
# 生成缺失的密钥
if [ "$DATA_KEY_EXISTS" != "true" ]; then
echo -e " ${CYAN}生成缺失的AES-256数据加密密钥...${NC}"
DATA_KEY=$(openssl rand -base64 32)
echo "DATA_ENCRYPTION_KEY=$DATA_KEY" >> .env
echo -e "${GREEN} ✓ 数据加密密钥生成完成${NC}"
fi
if [ "$JWT_KEY_EXISTS" != "true" ]; then
echo -e " ${CYAN}生成缺失的JWT认证密钥...${NC}"
JWT_KEY=$(openssl rand -base64 64)
printf "JWT_SECRET=\"%s\"\n" "$JWT_KEY" >> .env
echo -e "${GREEN} ✓ JWT认证密钥生成完成${NC}"
fi
chmod 600 .env
echo -e "${GREEN} ✓ 密钥已保存到 .env 文件${NC}"
fi
# ============= 步骤4: 验证和总结 =============
echo
echo -e "${YELLOW}✅ 步骤 4/4: 环境验证和总结...${NC}"
# 验证文件存在性和权限
echo -e " ${CYAN}验证文件和权限...${NC}"
if [ -f "$PRIVATE_KEY_FILE" ]; then
PRIVATE_PERM=$(stat -f "%A" "$PRIVATE_KEY_FILE" 2>/dev/null || stat -c "%a" "$PRIVATE_KEY_FILE" 2>/dev/null)
echo -e "${GREEN} ✓ 私钥文件: $PRIVATE_KEY_FILE (权限: $PRIVATE_PERM)${NC}"
else
echo -e "${RED} ❌ 私钥文件不存在${NC}"
exit 1
fi
if [ -f "$PUBLIC_KEY_FILE" ]; then
PUBLIC_PERM=$(stat -f "%A" "$PUBLIC_KEY_FILE" 2>/dev/null || stat -c "%a" "$PUBLIC_KEY_FILE" 2>/dev/null)
echo -e "${GREEN} ✓ 公钥文件: $PUBLIC_KEY_FILE (权限: $PUBLIC_PERM)${NC}"
else
echo -e "${RED} ❌ 公钥文件不存在${NC}"
exit 1
fi
if [ -f ".env" ] && grep -q "^DATA_ENCRYPTION_KEY=" .env && grep -q "^JWT_SECRET=" .env; then
ENV_PERM=$(stat -f "%A" ".env" 2>/dev/null || stat -c "%a" ".env" 2>/dev/null)
echo -e "${GREEN} ✓ 环境文件: .env (权限: $ENV_PERM)${NC}"
echo -e "${GREEN} 包含: DATA_ENCRYPTION_KEY, JWT_SECRET${NC}"
else
echo -e "${RED} ❌ 环境文件不存在或缺少必要密钥${NC}"
exit 1
fi
# 测试密钥功能
echo -e " ${CYAN}测试密钥功能...${NC}"
TEST_DATA="Hello Mars AI Trading System"
ENCRYPTED=$(echo "$TEST_DATA" | openssl rsautl -encrypt -pubin -inkey "$PUBLIC_KEY_FILE" | base64)
DECRYPTED=$(echo "$ENCRYPTED" | base64 -d | openssl rsautl -decrypt -inkey "$PRIVATE_KEY_FILE")
if [ "$DECRYPTED" = "$TEST_DATA" ]; then
echo -e "${GREEN} ✓ RSA加密/解密测试通过${NC}"
else
echo -e "${RED} ❌ RSA加密/解密测试失败${NC}"
exit 1
fi
# 显示最终结果
echo
echo -e "${GREEN}🎉 加密环境设置完成!${NC}"
echo
echo -e "${PURPLE}╔════════════════════════════════════════════════════════════════════════╗${NC}"
echo -e "${PURPLE}║ 设置完成摘要 ║${NC}"
echo -e "${PURPLE}╠════════════════════════════════════════════════════════════════════════╣${NC}"
echo -e "${PURPLE}${NC} ${BLUE}RSA密钥对:${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} 私钥: ${YELLOW}$PRIVATE_KEY_FILE${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} 公钥: ${YELLOW}$PUBLIC_KEY_FILE${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} 大小: ${YELLOW}$RSA_KEY_SIZE bits${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} ${BLUE}安全密钥配置:${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} 文件: ${YELLOW}.env${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} 数据加密: ${YELLOW}DATA_ENCRYPTION_KEY (AES-256-GCM)${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}${NC} JWT认证: ${YELLOW}JWT_SECRET (HS256)${NC} ${PURPLE}${NC}"
echo -e "${PURPLE}╚════════════════════════════════════════════════════════════════════════╝${NC}"
# 使用指南
echo
echo -e "${BLUE}📋 使用指南:${NC}"
echo
echo -e "${YELLOW}1. 启动Mars AI交易系统:${NC}"
echo -e " source .env && ./mars"
echo
echo -e "${YELLOW}2. Docker部署:${NC}"
echo -e " docker run --env-file .env mars-ai-trading"
echo
echo -e "${YELLOW}3. 查看公钥内容:${NC}"
echo -e " cat $PUBLIC_KEY_FILE"
echo
echo -e "${YELLOW}4. 测试加密API:${NC}"
echo -e " curl http://localhost:8080/api/crypto/public-key"
# 安全提醒
echo
echo -e "${RED}🔒 安全提醒:${NC}"
echo -e " • 私钥文件 ($PRIVATE_KEY_FILE) 权限已设置为 600"
echo -e " • 环境文件 (.env) 权限已设置为 600"
echo -e " • 请勿将私钥和数据密钥提交到版本控制系统"
echo -e " • 建议在生产环境中使用密钥管理服务"
echo -e " • 定期备份密钥文件"
echo
echo -e "${GREEN}✅ Mars AI交易系统加密环境设置完成${NC}"