对服务增加基础的数据统计/部分代码分Package

2025-12-27 15:46:35 +08:00 · 2021-01-25 16:40:03 +08:00
parent f1c325713d
commit 2f9fe99088
106 changed files with 2095 additions and 148 deletions
--- a/internal/db/models/acme/acme_authentication_dao.go
+++ b/internal/db/models/acme/acme_authentication_dao.go
@@ -0,0 +1,54 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+type ACMEAuthenticationDAO dbs.DAO
+
+func NewACMEAuthenticationDAO() *ACMEAuthenticationDAO {
+	return dbs.NewDAO(&ACMEAuthenticationDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeACMEAuthentications",
+			Model:  new(ACMEAuthentication),
+			PkName: "id",
+		},
+	}).(*ACMEAuthenticationDAO)
+}
+
+var SharedACMEAuthenticationDAO *ACMEAuthenticationDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedACMEAuthenticationDAO = NewACMEAuthenticationDAO()
+	})
+}
+
+// 创建认证信息
+func (this *ACMEAuthenticationDAO) CreateAuth(tx *dbs.Tx, taskId int64, domain string, token string, key string) error {
+	op := NewACMEAuthenticationOperator()
+	op.TaskId = taskId
+	op.Domain = domain
+	op.Token = token
+	op.Key = key
+	err := this.Save(tx, op)
+	return err
+}
+
+// 根据令牌查找认证信息
+func (this *ACMEAuthenticationDAO) FindAuthWithToken(tx *dbs.Tx, token string) (*ACMEAuthentication, error) {
+	one, err := this.Query(tx).
+		Attr("token", token).
+		DescPk().
+		Find()
+	if err != nil {
+		return nil, err
+	}
+	if one == nil {
+		return nil, nil
+	}
+	return one.(*ACMEAuthentication), nil
+}
--- a/internal/db/models/acme/acme_authentication_dao_test.go
+++ b/internal/db/models/acme/acme_authentication_dao_test.go
@@ -0,0 +1,5 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/acme/acme_authentication_model.go
+++ b/internal/db/models/acme/acme_authentication_model.go
@@ -0,0 +1,24 @@
+package acme
+
+// ACME认证
+type ACMEAuthentication struct {
+	Id        uint64 `field:"id"`        // ID
+	TaskId    uint64 `field:"taskId"`    // 任务ID
+	Domain    string `field:"domain"`    // 域名
+	Token     string `field:"token"`     // 令牌
+	Key       string `field:"key"`       // 密钥
+	CreatedAt uint64 `field:"createdAt"` // 创建时间
+}
+
+type ACMEAuthenticationOperator struct {
+	Id        interface{} // ID
+	TaskId    interface{} // 任务ID
+	Domain    interface{} // 域名
+	Token     interface{} // 令牌
+	Key       interface{} // 密钥
+	CreatedAt interface{} // 创建时间
+}
+
+func NewACMEAuthenticationOperator() *ACMEAuthenticationOperator {
+	return &ACMEAuthenticationOperator{}
+}
--- a/internal/db/models/acme/acme_authentication_model_ext.go
+++ b/internal/db/models/acme/acme_authentication_model_ext.go
@@ -0,0 +1 @@
+package acme
--- a/internal/db/models/acme/acme_task_dao.go
+++ b/internal/db/models/acme/acme_task_dao.go
@@ -0,0 +1,377 @@
+package acme
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/acme"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models/dns"
+	dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
+	"github.com/go-acme/lego/v4/registration"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/logs"
+	"github.com/iwind/TeaGo/types"
+)
+
+const (
+	ACMETaskStateEnabled  = 1 // 已启用
+	ACMETaskStateDisabled = 0 // 已禁用
+)
+
+type ACMETaskDAO dbs.DAO
+
+func NewACMETaskDAO() *ACMETaskDAO {
+	return dbs.NewDAO(&ACMETaskDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeACMETasks",
+			Model:  new(ACMETask),
+			PkName: "id",
+		},
+	}).(*ACMETaskDAO)
+}
+
+var SharedACMETaskDAO *ACMETaskDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedACMETaskDAO = NewACMETaskDAO()
+	})
+}
+
+// 启用条目
+func (this *ACMETaskDAO) EnableACMETask(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMETaskStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *ACMETaskDAO) DisableACMETask(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMETaskStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *ACMETaskDAO) FindEnabledACMETask(tx *dbs.Tx, id int64) (*ACMETask, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		Attr("state", ACMETaskStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ACMETask), err
+}
+
+// 计算某个ACME用户相关的任务数量
+func (this *ACMETaskDAO) CountACMETasksWithACMEUserId(tx *dbs.Tx, acmeUserId int64) (int64, error) {
+	return this.Query(tx).
+		State(ACMETaskStateEnabled).
+		Attr("acmeUserId", acmeUserId).
+		Count()
+}
+
+// 计算某个DNS服务商相关的任务数量
+func (this *ACMETaskDAO) CountACMETasksWithDNSProviderId(tx *dbs.Tx, dnsProviderId int64) (int64, error) {
+	return this.Query(tx).
+		State(ACMETaskStateEnabled).
+		Attr("dnsProviderId", dnsProviderId).
+		Count()
+}
+
+// 停止某个证书相关任务
+func (this *ACMETaskDAO) DisableAllTasksWithCertId(tx *dbs.Tx, certId int64) error {
+	_, err := this.Query(tx).
+		Attr("certId", certId).
+		Set("state", ACMETaskStateDisabled).
+		Update()
+	return err
+}
+
+// 计算所有任务数量
+func (this *ACMETaskDAO) CountAllEnabledACMETasks(tx *dbs.Tx, adminId int64, userId int64) (int64, error) {
+	return dbutils.NewQuery(tx, this, adminId, userId).
+		State(ACMETaskStateEnabled).
+		Count()
+}
+
+// 列出单页任务
+func (this *ACMETaskDAO) ListEnabledACMETasks(tx *dbs.Tx, adminId int64, userId int64, offset int64, size int64) (result []*ACMETask, err error) {
+	_, err = dbutils.NewQuery(tx, this, adminId, userId).
+		State(ACMETaskStateEnabled).
+		DescPk().
+		Offset(offset).
+		Limit(size).
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// 创建任务
+func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64, authType acme.AuthType, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool) (int64, error) {
+	op := NewACMETaskOperator()
+	op.AdminId = adminId
+	op.UserId = userId
+	op.AuthType = authType
+	op.AcmeUserId = acmeUserId
+	op.DnsProviderId = dnsProviderId
+	op.DnsDomain = dnsDomain
+
+	if len(domains) > 0 {
+		domainsJSON, err := json.Marshal(domains)
+		if err != nil {
+			return 0, err
+		}
+		op.Domains = domainsJSON
+	} else {
+		op.Domains = "[]"
+	}
+
+	op.AutoRenew = autoRenew
+	op.IsOn = true
+	op.State = ACMETaskStateEnabled
+	err := this.Save(tx, op)
+	if err != nil {
+		return 0, err
+	}
+	return types.Int64(op.Id), nil
+}
+
+// 修改任务
+func (this *ACMETaskDAO) UpdateACMETask(tx *dbs.Tx, acmeTaskId int64, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool) error {
+	if acmeTaskId <= 0 {
+		return errors.New("invalid acmeTaskId")
+	}
+
+	op := NewACMETaskOperator()
+	op.Id = acmeTaskId
+	op.AcmeUserId = acmeUserId
+	op.DnsProviderId = dnsProviderId
+	op.DnsDomain = dnsDomain
+
+	if len(domains) > 0 {
+		domainsJSON, err := json.Marshal(domains)
+		if err != nil {
+			return err
+		}
+		op.Domains = domainsJSON
+	} else {
+		op.Domains = "[]"
+	}
+
+	op.AutoRenew = autoRenew
+	err := this.Save(tx, op)
+	return err
+}
+
+// 检查权限
+func (this *ACMETaskDAO) CheckACMETask(tx *dbs.Tx, adminId int64, userId int64, acmeTaskId int64) (bool, error) {
+	return dbutils.NewQuery(tx, this, adminId, userId).
+		State(ACMETaskStateEnabled).
+		Pk(acmeTaskId).
+		Exist()
+}
+
+// 设置任务关联的证书
+func (this *ACMETaskDAO) UpdateACMETaskCert(tx *dbs.Tx, taskId int64, certId int64) error {
+	if taskId <= 0 {
+		return errors.New("invalid taskId")
+	}
+
+	op := NewACMETaskOperator()
+	op.Id = taskId
+	op.CertId = certId
+	err := this.Save(tx, op)
+	return err
+}
+
+// 执行任务并记录日志
+func (this *ACMETaskDAO) RunTask(tx *dbs.Tx, taskId int64) (isOk bool, errMsg string, resultCertId int64) {
+	isOk, errMsg, resultCertId = this.runTaskWithoutLog(tx, taskId)
+
+	// 记录日志
+	err := SharedACMETaskLogDAO.CreateACMETaskLog(tx, taskId, isOk, errMsg)
+	if err != nil {
+		logs.Error(err)
+	}
+
+	return
+}
+
+// 执行任务但并不记录日志
+func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool, errMsg string, resultCertId int64) {
+	task, err := this.FindEnabledACMETask(tx, taskId)
+	if err != nil {
+		errMsg = "查询任务信息时出错：" + err.Error()
+		return
+	}
+	if task == nil {
+		errMsg = "找不到要执行的任务"
+		return
+	}
+	if task.IsOn != 1 {
+		errMsg = "任务没有启用"
+		return
+	}
+
+	// ACME用户
+	user, err := SharedACMEUserDAO.FindEnabledACMEUser(tx, int64(task.AcmeUserId))
+	if err != nil {
+		errMsg = "查询ACME用户时出错：" + err.Error()
+		return
+	}
+	if user == nil {
+		errMsg = "找不到ACME用户"
+		return
+	}
+
+	privateKey, err := acme.ParsePrivateKeyFromBase64(user.PrivateKey)
+	if err != nil {
+		errMsg = "解析私钥时出错：" + err.Error()
+		return
+	}
+
+	remoteUser := acme.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
+		resourceJSON, err := json.Marshal(resource)
+		if err != nil {
+			return err
+		}
+
+		err = SharedACMEUserDAO.UpdateACMEUserRegistration(tx, int64(user.Id), resourceJSON)
+		return err
+	})
+
+	if len(user.Registration) > 0 {
+		err = remoteUser.SetRegistration([]byte(user.Registration))
+		if err != nil {
+			errMsg = "设置注册信息时出错：" + err.Error()
+			return
+		}
+	}
+
+	var acmeTask *acme.Task = nil
+	if task.AuthType == acme.AuthTypeDNS {
+		// DNS服务商
+		dnsProvider, err := dns.SharedDNSProviderDAO.FindEnabledDNSProvider(tx, int64(task.DnsProviderId))
+		if err != nil {
+			errMsg = "查找DNS服务商账号信息时出错：" + err.Error()
+			return
+		}
+		if dnsProvider == nil {
+			errMsg = "找不到DNS服务商账号"
+			return
+		}
+		providerInterface := dnsclients.FindProvider(dnsProvider.Type)
+		if providerInterface == nil {
+			errMsg = "暂不支持此类型的DNS服务商 '" + dnsProvider.Type + "'"
+			return
+		}
+		apiParams, err := dnsProvider.DecodeAPIParams()
+		if err != nil {
+			errMsg = "解析DNS服务商API参数时出错：" + err.Error()
+			return
+		}
+		err = providerInterface.Auth(apiParams)
+		if err != nil {
+			errMsg = "校验DNS服务商API参数时出错：" + err.Error()
+			return
+		}
+
+		acmeTask = &acme.Task{
+			User:        remoteUser,
+			AuthType:    acme.AuthTypeDNS,
+			DNSProvider: providerInterface,
+			DNSDomain:   task.DnsDomain,
+			Domains:     task.DecodeDomains(),
+		}
+	} else if task.AuthType == acme.AuthTypeHTTP {
+		acmeTask = &acme.Task{
+			User:     remoteUser,
+			AuthType: acme.AuthTypeHTTP,
+			Domains:  task.DecodeDomains(),
+		}
+	}
+
+	acmeRequest := acme.NewRequest(acmeTask)
+	acmeRequest.OnAuth(func(domain, token, keyAuth string) {
+		err := SharedACMEAuthenticationDAO.CreateAuth(tx, taskId, domain, token, keyAuth)
+		if err != nil {
+			logs.Println("[ACME]write authentication to database error: " + err.Error())
+		}
+	})
+	certData, keyData, err := acmeRequest.Run()
+	if err != nil {
+		errMsg = "证书生成失败：" + err.Error()
+		return
+	}
+
+	// 分析证书
+	sslConfig := &sslconfigs.SSLCertConfig{
+		CertData: certData,
+		KeyData:  keyData,
+	}
+	err = sslConfig.Init()
+	if err != nil {
+		errMsg = "证书生成成功，但是分析证书信息时发生错误：" + err.Error()
+		return
+	}
+
+	// 保存证书
+	resultCertId = int64(task.CertId)
+	if resultCertId > 0 {
+		cert, err := models.SharedSSLCertDAO.FindEnabledSSLCert(tx, resultCertId)
+		if err != nil {
+			errMsg = "证书生成成功，但查询已绑定的证书时出错：" + err.Error()
+			return
+		}
+		if cert == nil {
+			errMsg = "证书已被管理员或用户删除"
+
+			// 禁用
+			err = SharedACMETaskDAO.DisableACMETask(tx, taskId)
+			if err != nil {
+				errMsg = "禁用失效的ACME任务出错：" + err.Error()
+			}
+
+			return
+		}
+
+		err = models.SharedSSLCertDAO.UpdateCert(tx, resultCertId, cert.IsOn == 1, cert.Name, cert.Description, cert.ServerName, cert.IsCA == 1, certData, keyData, sslConfig.TimeBeginAt, sslConfig.TimeEndAt, sslConfig.DNSNames, sslConfig.CommonNames)
+		if err != nil {
+			errMsg = "证书生成成功，但是修改数据库中的证书信息时出错：" + err.Error()
+			return
+		}
+	} else {
+		resultCertId, err = models.SharedSSLCertDAO.CreateCert(tx, int64(task.AdminId), int64(task.UserId), true, task.DnsDomain+"免费证书", "免费申请的证书", "", false, certData, keyData, sslConfig.TimeBeginAt, sslConfig.TimeEndAt, sslConfig.DNSNames, sslConfig.CommonNames)
+		if err != nil {
+			errMsg = "证书生成成功，但是保存到数据库失败：" + err.Error()
+			return
+		}
+
+		err = models.SharedSSLCertDAO.UpdateCertACME(tx, resultCertId, int64(task.Id))
+		if err != nil {
+			errMsg = "证书生成成功，修改证书ACME信息时出错：" + err.Error()
+			return
+		}
+
+		// 设置成功
+		err = SharedACMETaskDAO.UpdateACMETaskCert(tx, taskId, resultCertId)
+		if err != nil {
+			errMsg = "证书生成成功，设置任务关联的证书时出错：" + err.Error()
+			return
+		}
+	}
+
+	isOk = true
+	return
+}
--- a/internal/db/models/acme/acme_task_dao_test.go
+++ b/internal/db/models/acme/acme_task_dao_test.go
@@ -0,0 +1,5 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/acme/acme_task_log_dao.go
+++ b/internal/db/models/acme/acme_task_log_dao.go
@@ -0,0 +1,50 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+type ACMETaskLogDAO dbs.DAO
+
+func NewACMETaskLogDAO() *ACMETaskLogDAO {
+	return dbs.NewDAO(&ACMETaskLogDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeACMETaskLogs",
+			Model:  new(ACMETaskLog),
+			PkName: "id",
+		},
+	}).(*ACMETaskLogDAO)
+}
+
+var SharedACMETaskLogDAO *ACMETaskLogDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedACMETaskLogDAO = NewACMETaskLogDAO()
+	})
+}
+
+// 生成日志
+func (this *ACMETaskLogDAO) CreateACMETaskLog(tx *dbs.Tx, taskId int64, isOk bool, errMsg string) error {
+	op := NewACMETaskLogOperator()
+	op.TaskId = taskId
+	op.Error = errMsg
+	op.IsOk = isOk
+	err := this.Save(tx, op)
+	return err
+}
+
+// 取得任务的最后一条执行日志
+func (this *ACMETaskLogDAO) FindLatestACMETasKLog(tx *dbs.Tx, taskId int64) (*ACMETaskLog, error) {
+	one, err := this.Query(tx).
+		Attr("taskId", taskId).
+		DescPk().
+		Find()
+	if err != nil || one == nil {
+		return nil, err
+	}
+	return one.(*ACMETaskLog), nil
+}
--- a/internal/db/models/acme/acme_task_log_dao_test.go
+++ b/internal/db/models/acme/acme_task_log_dao_test.go
@@ -0,0 +1,5 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/acme/acme_task_log_model.go
+++ b/internal/db/models/acme/acme_task_log_model.go
@@ -0,0 +1,22 @@
+package acme
+
+// ACME任务运行日志
+type ACMETaskLog struct {
+	Id        uint64 `field:"id"`        // ID
+	TaskId    uint64 `field:"taskId"`    // 任务ID
+	IsOk      uint8  `field:"isOk"`      // 是否成功
+	Error     string `field:"error"`     // 错误信息
+	CreatedAt uint64 `field:"createdAt"` // 运行时间
+}
+
+type ACMETaskLogOperator struct {
+	Id        interface{} // ID
+	TaskId    interface{} // 任务ID
+	IsOk      interface{} // 是否成功
+	Error     interface{} // 错误信息
+	CreatedAt interface{} // 运行时间
+}
+
+func NewACMETaskLogOperator() *ACMETaskLogOperator {
+	return &ACMETaskLogOperator{}
+}
--- a/internal/db/models/acme/acme_task_log_model_ext.go
+++ b/internal/db/models/acme/acme_task_log_model_ext.go
@@ -0,0 +1 @@
+package acme
--- a/internal/db/models/acme/acme_task_model.go
+++ b/internal/db/models/acme/acme_task_model.go
@@ -0,0 +1,38 @@
+package acme
+
+// ACME任务
+type ACMETask struct {
+	Id            uint64 `field:"id"`            // ID
+	AdminId       uint32 `field:"adminId"`       // 管理员ID
+	UserId        uint32 `field:"userId"`        // 用户ID
+	IsOn          uint8  `field:"isOn"`          // 是否启用
+	AcmeUserId    uint32 `field:"acmeUserId"`    // ACME用户ID
+	DnsDomain     string `field:"dnsDomain"`     // DNS主域名
+	DnsProviderId uint64 `field:"dnsProviderId"` // DNS服务商
+	Domains       string `field:"domains"`       // 证书域名
+	CreatedAt     uint64 `field:"createdAt"`     // 创建时间
+	State         uint8  `field:"state"`         // 状态
+	CertId        uint64 `field:"certId"`        // 生成的证书ID
+	AutoRenew     uint8  `field:"autoRenew"`     // 是否自动更新
+	AuthType      string `field:"authType"`      // 认证类型
+}
+
+type ACMETaskOperator struct {
+	Id            interface{} // ID
+	AdminId       interface{} // 管理员ID
+	UserId        interface{} // 用户ID
+	IsOn          interface{} // 是否启用
+	AcmeUserId    interface{} // ACME用户ID
+	DnsDomain     interface{} // DNS主域名
+	DnsProviderId interface{} // DNS服务商
+	Domains       interface{} // 证书域名
+	CreatedAt     interface{} // 创建时间
+	State         interface{} // 状态
+	CertId        interface{} // 生成的证书ID
+	AutoRenew     interface{} // 是否自动更新
+	AuthType      interface{} // 认证类型
+}
+
+func NewACMETaskOperator() *ACMETaskOperator {
+	return &ACMETaskOperator{}
+}
--- a/internal/db/models/acme/acme_task_model_ext.go
+++ b/internal/db/models/acme/acme_task_model_ext.go
@@ -0,0 +1,20 @@
+package acme
+
+import (
+	"encoding/json"
+	"github.com/iwind/TeaGo/logs"
+)
+
+// 将域名解析成字符串数组
+func (this *ACMETask) DecodeDomains() []string {
+	if len(this.Domains) == 0 || this.Domains == "null" {
+		return nil
+	}
+	result := []string{}
+	err := json.Unmarshal([]byte(this.Domains), &result)
+	if err != nil {
+		logs.Error(err)
+		return nil
+	}
+	return result
+}
--- a/internal/db/models/acme/acme_user_dao.go
+++ b/internal/db/models/acme/acme_user_dao.go
@@ -0,0 +1,199 @@
+package acme
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/types"
+)
+
+const (
+	ACMEUserStateEnabled  = 1 // 已启用
+	ACMEUserStateDisabled = 0 // 已禁用
+)
+
+type ACMEUserDAO dbs.DAO
+
+func NewACMEUserDAO() *ACMEUserDAO {
+	return dbs.NewDAO(&ACMEUserDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeACMEUsers",
+			Model:  new(ACMEUser),
+			PkName: "id",
+		},
+	}).(*ACMEUserDAO)
+}
+
+var SharedACMEUserDAO *ACMEUserDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedACMEUserDAO = NewACMEUserDAO()
+	})
+}
+
+// 启用条目
+func (this *ACMEUserDAO) EnableACMEUser(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMEUserStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *ACMEUserDAO) DisableACMEUser(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMEUserStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *ACMEUserDAO) FindEnabledACMEUser(tx *dbs.Tx, id int64) (*ACMEUser, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		Attr("state", ACMEUserStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ACMEUser), err
+}
+
+// 创建用户
+func (this *ACMEUserDAO) CreateACMEUser(tx *dbs.Tx, adminId int64, userId int64, email string, description string) (int64, error) {
+	// 生成私钥
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return 0, err
+	}
+
+	privateKeyData, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return 0, err
+	}
+	privateKeyText := base64.StdEncoding.EncodeToString(privateKeyData)
+
+	op := NewACMEUserOperator()
+	op.AdminId = adminId
+	op.UserId = userId
+	op.Email = email
+	op.Description = description
+	op.PrivateKey = privateKeyText
+	op.State = ACMEUserStateEnabled
+	err = this.Save(tx, op)
+	if err != nil {
+		return 0, err
+	}
+	return types.Int64(op.Id), nil
+}
+
+// 修改用户信息
+func (this *ACMEUserDAO) UpdateACMEUser(tx *dbs.Tx, acmeUserId int64, description string) error {
+	if acmeUserId <= 0 {
+		return errors.New("invalid acmeUserId")
+	}
+	op := NewACMEUserOperator()
+	op.Id = acmeUserId
+	op.Description = description
+	err := this.Save(tx, op)
+	return err
+}
+
+// 修改用户ACME注册信息
+func (this *ACMEUserDAO) UpdateACMEUserRegistration(tx *dbs.Tx, acmeUserId int64, registrationJSON []byte) error {
+	if acmeUserId <= 0 {
+		return errors.New("invalid acmeUserId")
+	}
+	op := NewACMEUserOperator()
+	op.Id = acmeUserId
+	op.Registration = registrationJSON
+	err := this.Save(tx, op)
+	return err
+}
+
+// 计算用户数量
+func (this *ACMEUserDAO) CountACMEUsersWithAdminId(tx *dbs.Tx, adminId int64, userId int64) (int64, error) {
+	query := this.Query(tx)
+	if adminId > 0 {
+		query.Attr("adminId", adminId)
+	}
+	if userId > 0 {
+		query.Attr("userId", userId)
+	}
+
+	return query.
+		State(ACMEUserStateEnabled).
+		Count()
+}
+
+// 列出当前管理员的用户
+func (this *ACMEUserDAO) ListACMEUsers(tx *dbs.Tx, adminId int64, userId int64, offset int64, size int64) (result []*ACMEUser, err error) {
+	query := this.Query(tx)
+	if adminId > 0 {
+		query.Attr("adminId", adminId)
+	}
+	if userId > 0 {
+		query.Attr("userId", userId)
+	}
+
+	_, err = query.
+		State(ACMEUserStateEnabled).
+		Offset(offset).
+		Limit(size).
+		Slice(&result).
+		DescPk().
+		FindAll()
+	return
+}
+
+// 查找所有用户
+func (this *ACMEUserDAO) FindAllACMEUsers(tx *dbs.Tx, adminId int64, userId int64) (result []*ACMEUser, err error) {
+	// 防止没有传入条件导致返回的数据过多
+	if adminId <= 0 && userId <= 0 {
+		return nil, errors.New("'adminId' or 'userId' should not be empty")
+	}
+
+	query := this.Query(tx)
+	if adminId > 0 {
+		query.Attr("adminId", adminId)
+	}
+	if userId > 0 {
+		query.Attr("userId", userId)
+	}
+	_, err = query.
+		State(ACMEUserStateEnabled).
+		Slice(&result).
+		DescPk().
+		FindAll()
+	return
+}
+
+// 检查用户权限
+func (this *ACMEUserDAO) CheckACMEUser(tx *dbs.Tx, acmeUserId int64, adminId int64, userId int64) (bool, error) {
+	if acmeUserId <= 0 {
+		return false, nil
+	}
+
+	query := this.Query(tx)
+	if adminId > 0 {
+		query.Attr("adminId", adminId)
+	} else if userId > 0 {
+		query.Attr("userId", userId)
+	} else {
+		return false, nil
+	}
+
+	return query.
+		State(ACMEUserStateEnabled).
+		Exist()
+}
--- a/internal/db/models/acme/acme_user_dao_test.go
+++ b/internal/db/models/acme/acme_user_dao_test.go
@@ -0,0 +1,5 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/acme/acme_user_model.go
+++ b/internal/db/models/acme/acme_user_model.go
@@ -0,0 +1,30 @@
+package acme
+
+//
+type ACMEUser struct {
+	Id           uint64 `field:"id"`           // ID
+	AdminId      uint32 `field:"adminId"`      // 管理员ID
+	UserId       uint32 `field:"userId"`       // 用户ID
+	PrivateKey   string `field:"privateKey"`   // 私钥
+	Email        string `field:"email"`        // E-mail
+	CreatedAt    uint64 `field:"createdAt"`    // 创建时间
+	State        uint8  `field:"state"`        // 状态
+	Description  string `field:"description"`  // 备注介绍
+	Registration string `field:"registration"` // 注册信息
+}
+
+type ACMEUserOperator struct {
+	Id           interface{} // ID
+	AdminId      interface{} // 管理员ID
+	UserId       interface{} // 用户ID
+	PrivateKey   interface{} // 私钥
+	Email        interface{} // E-mail
+	CreatedAt    interface{} // 创建时间
+	State        interface{} // 状态
+	Description  interface{} // 备注介绍
+	Registration interface{} // 注册信息
+}
+
+func NewACMEUserOperator() *ACMEUserOperator {
+	return &ACMEUserOperator{}
+}
--- a/internal/db/models/acme/acme_user_model_ext.go
+++ b/internal/db/models/acme/acme_user_model_ext.go
@@ -0,0 +1 @@
+package acme