实现证书管理

2026-01-07 07:55:48 +08:00 · 2020-09-30 17:46:43 +08:00
parent c93a3e049a
commit 3c18a7c45c
16 changed files with 850 additions and 2 deletions
--- a/internal/db/models/server_dao.go
+++ b/internal/db/models/server_dao.go
@@ -10,6 +10,8 @@ import (
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
 	"github.com/iwind/TeaGo/types"
+	"strconv"
+	"strings"
 )

 const (
@@ -512,6 +514,18 @@ func (this *ServerDAO) ComposeServerConfig(serverId int64) (*serverconfigs.Serve
 		if err != nil {
 			return nil, err
 		}
+
+		// SSL
+		if httpsConfig.SSLPolicyRef != nil {
+			sslPolicyConfig, err := SharedSSLPolicyDAO.ComposePolicyConfig(httpsConfig.SSLPolicyRef.SSLPolicyId)
+			if err != nil {
+				return nil, err
+			}
+			if sslPolicyConfig != nil {
+				httpsConfig.SSLPolicy = sslPolicyConfig
+			}
+		}
+
 		config.HTTPS = httpsConfig
 	}

@@ -532,6 +546,18 @@ func (this *ServerDAO) ComposeServerConfig(serverId int64) (*serverconfigs.Serve
 		if err != nil {
 			return nil, err
 		}
+
+		// SSL
+		if tlsConfig.SSLPolicyRef != nil {
+			sslPolicyConfig, err := SharedSSLPolicyDAO.ComposePolicyConfig(tlsConfig.SSLPolicyRef.SSLPolicyId)
+			if err != nil {
+				return nil, err
+			}
+			if sslPolicyConfig != nil {
+				tlsConfig.SSLPolicy = sslPolicyConfig
+			}
+		}
+
 		config.TLS = tlsConfig
 	}

@@ -617,6 +643,7 @@ func (this *ServerDAO) FindReverseProxyRef(serverId int64) (*serverconfigs.Rever
 	return config, err
 }

+// 查找Server对应的WebId
 func (this *ServerDAO) FindServerWebId(serverId int64) (int64, error) {
 	webId, err := this.Query().
 		Pk(serverId).
@@ -628,6 +655,42 @@ func (this *ServerDAO) FindServerWebId(serverId int64) (int64, error) {
 	return int64(webId), nil
 }

+// 计算使用SSL策略的所有服务数量
+func (this *ServerDAO) CountServersWithSSLPolicyIds(sslPolicyIds []int64) (count int64, err error) {
+	if len(sslPolicyIds) == 0 {
+		return
+	}
+	policyStringIds := []string{}
+	for _, policyId := range sslPolicyIds {
+		policyStringIds = append(policyStringIds, strconv.FormatInt(policyId, 10))
+	}
+	return this.Query().
+		State(ServerStateEnabled).
+		Where("(FIND_IN_SET(JSON_EXTRACT(https, '$.sslPolicyRef.sslPolicyId'), :policyIds) OR FIND_IN_SET(JSON_EXTRACT(tls, '$.sslPolicyRef.sslPolicyId'), :policyIds))").
+		Param("policyIds", strings.Join(policyStringIds, ",")).
+		Count()
+}
+
+// 查找使用SSL策略的所有服务
+func (this *ServerDAO) FindAllServersWithSSLPolicyIds(sslPolicyIds []int64) (result []*Server, err error) {
+	if len(sslPolicyIds) == 0 {
+		return
+	}
+	policyStringIds := []string{}
+	for _, policyId := range sslPolicyIds {
+		policyStringIds = append(policyStringIds, strconv.FormatInt(policyId, 10))
+	}
+	_, err = this.Query().
+		State(ServerStateEnabled).
+		Result("id", "name", "https", "tls", "isOn", "type").
+		Where("(FIND_IN_SET(JSON_EXTRACT(https, '$.sslPolicyRef.sslPolicyId'), :policyIds) OR FIND_IN_SET(JSON_EXTRACT(tls, '$.sslPolicyRef.sslPolicyId'), :policyIds))").
+		Param("policyIds", strings.Join(policyStringIds, ",")).
+		Slice(&result).
+		AscPk().
+		FindAll()
+	return
+}
+
 // 创建事件
 func (this *ServerDAO) createEvent() error {
 	return SharedSysEventDAO.CreateEvent(NewServerChangeEvent())
--- a/internal/db/models/ssl_cert_dao.go
+++ b/internal/db/models/ssl_cert_dao.go
@@ -0,0 +1,242 @@
+package models
+
+import (
+	"encoding/json"
+	"errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/types"
+	"time"
+)
+
+const (
+	SSLCertStateEnabled  = 1 // 已启用
+	SSLCertStateDisabled = 0 // 已禁用
+)
+
+type SSLCertDAO dbs.DAO
+
+func NewSSLCertDAO() *SSLCertDAO {
+	return dbs.NewDAO(&SSLCertDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeSSLCerts",
+			Model:  new(SSLCert),
+			PkName: "id",
+		},
+	}).(*SSLCertDAO)
+}
+
+var SharedSSLCertDAO = NewSSLCertDAO()
+
+// 启用条目
+func (this *SSLCertDAO) EnableSSLCert(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLCertStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *SSLCertDAO) DisableSSLCert(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLCertStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *SSLCertDAO) FindEnabledSSLCert(id int64) (*SSLCert, error) {
+	result, err := this.Query().
+		Pk(id).
+		Attr("state", SSLCertStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*SSLCert), err
+}
+
+// 根据主键查找名称
+func (this *SSLCertDAO) FindSSLCertName(id int64) (string, error) {
+	return this.Query().
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
+
+// 创建证书
+func (this *SSLCertDAO) CreateCert(isOn bool, name string, description string, serverName string, isCA bool, certData []byte, keyData []byte, timeBeginAt int64, timeEndAt int64, dnsNames []string, commonNames []string) (int64, error) {
+	op := NewSSLCertOperator()
+	op.State = SSLCertStateEnabled
+	op.IsOn = isOn
+	op.Name = name
+	op.Description = description
+	op.ServerName = serverName
+	op.IsCA = isCA
+	op.CertData = certData
+	op.KeyData = keyData
+	op.TimeBeginAt = timeBeginAt
+	op.TimeEndAt = timeEndAt
+
+	dnsNamesJSON, err := json.Marshal(dnsNames)
+	if err != nil {
+		return 0, err
+	}
+	op.DnsNames = dnsNamesJSON
+
+	commonNamesJSON, err := json.Marshal(commonNames)
+	if err != nil {
+		return 0, err
+	}
+	op.CommonNames = commonNamesJSON
+
+	_, err = this.Save(op)
+	if err != nil {
+		return 0, err
+	}
+	return types.Int64(op.Id), nil
+}
+
+// 修改证书
+func (this *SSLCertDAO) UpdateCert(certId int64, isOn bool, name string, description string, serverName string, isCA bool, certData []byte, keyData []byte, timeBeginAt int64, timeEndAt int64, dnsNames []string, commonNames []string) error {
+	if certId <= 0 {
+		return errors.New("invalid certId")
+	}
+	op := NewSSLCertOperator()
+	op.Id = certId
+	op.IsOn = isOn
+	op.Name = name
+	op.Description = description
+	op.ServerName = serverName
+	op.IsCA = isCA
+	op.CertData = certData
+	op.KeyData = keyData
+	op.TimeBeginAt = timeBeginAt
+	op.TimeEndAt = timeEndAt
+
+	dnsNamesJSON, err := json.Marshal(dnsNames)
+	if err != nil {
+		return err
+	}
+	op.DnsNames = dnsNamesJSON
+
+	commonNamesJSON, err := json.Marshal(commonNames)
+	if err != nil {
+		return err
+	}
+	op.CommonNames = commonNamesJSON
+
+	_, err = this.Save(op)
+	return err
+}
+
+// 组合配置
+func (this *SSLCertDAO) ComposeCertConfig(certId int64) (*sslconfigs.SSLCertConfig, error) {
+	cert, err := this.FindEnabledSSLCert(certId)
+	if err != nil {
+		return nil, err
+	}
+	if cert == nil {
+		return nil, nil
+	}
+
+	config := &sslconfigs.SSLCertConfig{}
+	config.Id = int64(cert.Id)
+	config.IsOn = cert.IsOn == 1
+	config.IsCA = cert.IsCA == 1
+	config.Name = cert.Name
+	config.Description = cert.Description
+	config.CertData = []byte(cert.CertData)
+	config.KeyData = []byte(cert.KeyData)
+	config.ServerName = cert.ServerName
+	config.TimeBeginAt = int64(cert.TimeBeginAt)
+	config.TimeEndAt = int64(cert.TimeEndAt)
+
+	if IsNotNull(cert.DnsNames) {
+		dnsNames := []string{}
+		err := json.Unmarshal([]byte(cert.DnsNames), &dnsNames)
+		if err != nil {
+			return nil, err
+		}
+		config.DNSNames = dnsNames
+	}
+
+	if IsNotNull(cert.CommonNames) {
+		commonNames := []string{}
+		err := json.Unmarshal([]byte(cert.CommonNames), &commonNames)
+		if err != nil {
+			return nil, err
+		}
+		config.CommonNames = commonNames
+	}
+
+	return config, nil
+}
+
+// 计算符合条件的证书数量
+func (this *SSLCertDAO) CountCerts(isCA bool, isAvailable bool, isExpired bool, expiringDays int64, keyword string) (int64, error) {
+	query := this.Query().
+		State(SSLCertStateEnabled)
+	if isCA {
+		query.Attr("isCA", true)
+	}
+	if isAvailable {
+		query.Where("timeBeginAt<=UNIX_TIMESTAMP() AND timeEndAt>=UNIX_TIMESTAMP()")
+	}
+	if isExpired {
+		query.Where("timeEndAt<UNIX_TIMESTAMP()")
+	}
+	if expiringDays > 0 {
+		query.Where("timeEndAt>UNIX_TIMESTAMP() AND timeEndAt<:expiredAt").
+			Param("expiredAt", time.Now().Unix()+expiringDays*86400)
+	}
+	if len(keyword) > 0 {
+		query.Where("(name LIKE :keyword OR description LIKE :keyword OR dnsNames LIKE :keyword OR commonNames LIKE :keyword)").
+			Param("keyword", "%"+keyword+"%")
+	}
+	return query.Count()
+}
+
+// 列出符合条件的证书
+func (this *SSLCertDAO) ListCertIds(isCA bool, isAvailable bool, isExpired bool, expiringDays int64, keyword string, offset int64, size int64) (certIds []int64, err error) {
+	query := this.Query().
+		State(SSLCertStateEnabled)
+	if isCA {
+		query.Attr("isCA", true)
+	}
+	if isAvailable {
+		query.Where("timeBeginAt<=UNIX_TIMESTAMP() AND timeEndAt>=UNIX_TIMESTAMP()")
+	}
+	if isExpired {
+		query.Where("timeEndAt<UNIX_TIMESTAMP()")
+	}
+	if expiringDays > 0 {
+		query.Where("timeEndAt>UNIX_TIMESTAMP() AND timeEndAt<:expiredAt").
+			Param("expiredAt", time.Now().Unix()+expiringDays*86400)
+	}
+	if len(keyword) > 0 {
+		query.Where("(name LIKE :keyword OR description LIKE :keyword OR dnsNames LIKE :keyword OR commonNames LIKE :keyword)").
+			Param("keyword", "%"+keyword+"%")
+	}
+
+	ones, err := query.
+		ResultPk().
+		DescPk().
+		Offset(offset).
+		Limit(size).
+		FindAll()
+	if err != nil {
+		return nil, err
+	}
+
+	result := []int64{}
+	for _, one := range ones {
+		result = append(result, int64(one.(*SSLCert).Id))
+	}
+	return result, nil
+}
--- a/internal/db/models/ssl_cert_dao_test.go
+++ b/internal/db/models/ssl_cert_dao_test.go
@@ -0,0 +1,5 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/ssl_cert_group_dao.go
+++ b/internal/db/models/ssl_cert_group_dao.go
@@ -0,0 +1,65 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	SSLCertGroupStateEnabled  = 1 // 已启用
+	SSLCertGroupStateDisabled = 0 // 已禁用
+)
+
+type SSLCertGroupDAO dbs.DAO
+
+func NewSSLCertGroupDAO() *SSLCertGroupDAO {
+	return dbs.NewDAO(&SSLCertGroupDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeSSLCertGroups",
+			Model:  new(SSLCertGroup),
+			PkName: "id",
+		},
+	}).(*SSLCertGroupDAO)
+}
+
+var SharedSSLCertGroupDAO = NewSSLCertGroupDAO()
+
+// 启用条目
+func (this *SSLCertGroupDAO) EnableSSLCertGroup(id uint32) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLCertGroupStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *SSLCertGroupDAO) DisableSSLCertGroup(id uint32) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLCertGroupStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *SSLCertGroupDAO) FindEnabledSSLCertGroup(id uint32) (*SSLCertGroup, error) {
+	result, err := this.Query().
+		Pk(id).
+		Attr("state", SSLCertGroupStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*SSLCertGroup), err
+}
+
+// 根据主键查找名称
+func (this *SSLCertGroupDAO) FindSSLCertGroupName(id uint32) (string, error) {
+	return this.Query().
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
--- a/internal/db/models/ssl_cert_group_dao_test.go
+++ b/internal/db/models/ssl_cert_group_dao_test.go
@@ -0,0 +1,5 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/ssl_cert_group_model.go
+++ b/internal/db/models/ssl_cert_group_model.go
@@ -0,0 +1,26 @@
+package models
+
+//
+type SSLCertGroup struct {
+	Id        uint32 `field:"id"`        // ID
+	AdminId   uint32 `field:"adminId"`   // 管理员ID
+	UserId    uint32 `field:"userId"`    // 用户ID
+	Name      string `field:"name"`      // 分组名
+	Order     uint32 `field:"order"`     // 分组排序
+	State     uint8  `field:"state"`     // 状态
+	CreatedAt uint64 `field:"createdAt"` // 创建时间
+}
+
+type SSLCertGroupOperator struct {
+	Id        interface{} // ID
+	AdminId   interface{} // 管理员ID
+	UserId    interface{} // 用户ID
+	Name      interface{} // 分组名
+	Order     interface{} // 分组排序
+	State     interface{} // 状态
+	CreatedAt interface{} // 创建时间
+}
+
+func NewSSLCertGroupOperator() *SSLCertGroupOperator {
+	return &SSLCertGroupOperator{}
+}
--- a/internal/db/models/ssl_cert_group_model_ext.go
+++ b/internal/db/models/ssl_cert_group_model_ext.go
@@ -0,0 +1 @@
+package models
--- a/internal/db/models/ssl_cert_model.go
+++ b/internal/db/models/ssl_cert_model.go
@@ -0,0 +1,48 @@
+package models
+
+// SSL证书
+type SSLCert struct {
+	Id          uint32 `field:"id"`          // ID
+	AdminId     uint32 `field:"adminId"`     // 管理员ID
+	UserId      uint32 `field:"userId"`      // 用户ID
+	State       uint8  `field:"state"`       // 状态
+	CreatedAt   uint64 `field:"createdAt"`   // 创建时间
+	UpdatedAt   uint64 `field:"updatedAt"`   // 修改时间
+	IsOn        uint8  `field:"isOn"`        // 是否启用
+	Name        string `field:"name"`        // 证书名
+	Description string `field:"description"` // 描述
+	CertData    string `field:"certData"`    // 证书内容
+	KeyData     string `field:"keyData"`     // 密钥内容
+	ServerName  string `field:"serverName"`  // 证书使用的主机名
+	IsCA        uint8  `field:"isCA"`        // 是否为CA证书
+	GroupIds    string `field:"groupIds"`    // 证书分组
+	TimeBeginAt uint64 `field:"timeBeginAt"` // 开始时间
+	TimeEndAt   uint64 `field:"timeEndAt"`   // 结束时间
+	DnsNames    string `field:"dnsNames"`    // DNS名称列表
+	CommonNames string `field:"commonNames"` // 发行单位列表
+}
+
+type SSLCertOperator struct {
+	Id          interface{} // ID
+	AdminId     interface{} // 管理员ID
+	UserId      interface{} // 用户ID
+	State       interface{} // 状态
+	CreatedAt   interface{} // 创建时间
+	UpdatedAt   interface{} // 修改时间
+	IsOn        interface{} // 是否启用
+	Name        interface{} // 证书名
+	Description interface{} // 描述
+	CertData    interface{} // 证书内容
+	KeyData     interface{} // 密钥内容
+	ServerName  interface{} // 证书使用的主机名
+	IsCA        interface{} // 是否为CA证书
+	GroupIds    interface{} // 证书分组
+	TimeBeginAt interface{} // 开始时间
+	TimeEndAt   interface{} // 结束时间
+	DnsNames    interface{} // DNS名称列表
+	CommonNames interface{} // 发行单位列表
+}
+
+func NewSSLCertOperator() *SSLCertOperator {
+	return &SSLCertOperator{}
+}
--- a/internal/db/models/ssl_cert_model_ext.go
+++ b/internal/db/models/ssl_cert_model_ext.go
@@ -0,0 +1 @@
+package models
--- a/internal/db/models/ssl_policy_dao.go
+++ b/internal/db/models/ssl_policy_dao.go
@@ -0,0 +1,142 @@
+package models
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"strconv"
+)
+
+const (
+	SSLPolicyStateEnabled  = 1 // 已启用
+	SSLPolicyStateDisabled = 0 // 已禁用
+)
+
+type SSLPolicyDAO dbs.DAO
+
+func NewSSLPolicyDAO() *SSLPolicyDAO {
+	return dbs.NewDAO(&SSLPolicyDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeSSLPolicies",
+			Model:  new(SSLPolicy),
+			PkName: "id",
+		},
+	}).(*SSLPolicyDAO)
+}
+
+var SharedSSLPolicyDAO = NewSSLPolicyDAO()
+
+// 启用条目
+func (this *SSLPolicyDAO) EnableSSLPolicy(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLPolicyStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *SSLPolicyDAO) DisableSSLPolicy(id int64) error {
+	_, err := this.Query().
+		Pk(id).
+		Set("state", SSLPolicyStateDisabled).
+		Update()
+	return err
+}
+
+// 查找启用中的条目
+func (this *SSLPolicyDAO) FindEnabledSSLPolicy(id int64) (*SSLPolicy, error) {
+	result, err := this.Query().
+		Pk(id).
+		Attr("state", SSLPolicyStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*SSLPolicy), err
+}
+
+// 组合配置
+func (this *SSLPolicyDAO) ComposePolicyConfig(policyId int64) (*sslconfigs.SSLPolicy, error) {
+	policy, err := this.FindEnabledSSLPolicy(policyId)
+	if err != nil {
+		return nil, err
+	}
+	if policy == nil {
+		return nil, nil
+	}
+	config := &sslconfigs.SSLPolicy{}
+	config.Id = int64(policy.Id)
+	config.IsOn = policy.IsOn == 1
+	config.ClientAuthType = int(policy.ClientAuthType)
+	config.HTTP2Enabled = policy.Http2Enabled == 1
+	config.MinVersion = policy.MinVersion
+
+	// certs
+	if IsNotNull(policy.Certs) {
+		refs := []*sslconfigs.SSLCertRef{}
+		err = json.Unmarshal([]byte(policy.Certs), &refs)
+		if err != nil {
+			return nil, err
+		}
+		if len(refs) > 0 {
+			for _, ref := range refs {
+				certConfig, err := SharedSSLCertDAO.ComposeCertConfig(ref.CertId)
+				if err != nil {
+					return nil, err
+				}
+				if certConfig == nil {
+					continue
+				}
+				config.CertRefs = append(config.CertRefs, ref)
+				config.Certs = append(config.Certs, certConfig)
+			}
+		}
+	}
+
+	// cipher suites
+	if IsNotNull(policy.CipherSuites) {
+		cipherSuites := []string{}
+		err = json.Unmarshal([]byte(policy.CipherSuites), &cipherSuites)
+		if err != nil {
+			return nil, err
+		}
+		config.CipherSuites = cipherSuites
+	}
+
+	// hsts
+	if IsNotNull(policy.Hsts) {
+		hstsConfig := &sslconfigs.HSTSConfig{}
+		err = json.Unmarshal([]byte(policy.Hsts), hstsConfig)
+		if err != nil {
+			return nil, err
+		}
+		config.HSTS = hstsConfig
+	}
+
+	return config, nil
+}
+
+// 查询使用单个证书的所有策略ID
+func (this *SSLPolicyDAO) FindAllEnabledPolicyIdsWithCertId(certId int64) (policyIds []int64, err error) {
+	if certId <= 0 {
+		return
+	}
+
+	ones, err := this.Query().
+		State(SSLPolicyStateEnabled).
+		ResultPk().
+		Where(`JSON_CONTAINS(certs, '{"certId": ` + strconv.FormatInt(certId, 10) + ` }')`).
+		Reuse(false). // 由于我们在JSON_CONTAINS()直接使用了变量，所以不能重用
+		FindAll()
+	if err != nil {
+		return nil, err
+	}
+	for _, one := range ones {
+		policyIds = append(policyIds, int64(one.(*SSLPolicy).Id))
+	}
+	return policyIds, nil
+}
--- a/internal/db/models/ssl_policy_dao_test.go
+++ b/internal/db/models/ssl_policy_dao_test.go
@@ -0,0 +1,5 @@
+package models
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+)
--- a/internal/db/models/ssl_policy_model.go
+++ b/internal/db/models/ssl_policy_model.go
@@ -0,0 +1,36 @@
+package models
+
+//
+type SSLPolicy struct {
+	Id             uint32 `field:"id"`             // ID
+	AdminId        uint32 `field:"adminId"`        // 管理员ID
+	UserId         uint32 `field:"userId"`         // 用户ID
+	IsOn           uint8  `field:"isOn"`           // 是否启用
+	Certs          string `field:"certs"`          // 证书列表
+	ClientAuthType uint32 `field:"clientAuthType"` // 客户端认证类型
+	MinVersion     string `field:"minVersion"`     // 支持的SSL最小版本
+	CipherSuites   string `field:"cipherSuites"`   // 加密算法套件
+	Hsts           string `field:"hsts"`           // HSTS设置
+	Http2Enabled   uint8  `field:"http2Enabled"`   // 是否启用HTTP/2
+	State          uint8  `field:"state"`          // 状态
+	CreatedAt      uint64 `field:"createdAt"`      // 创建时间
+}
+
+type SSLPolicyOperator struct {
+	Id             interface{} // ID
+	AdminId        interface{} // 管理员ID
+	UserId         interface{} // 用户ID
+	IsOn           interface{} // 是否启用
+	Certs          interface{} // 证书列表
+	ClientAuthType interface{} // 客户端认证类型
+	MinVersion     interface{} // 支持的SSL最小版本
+	CipherSuites   interface{} // 加密算法套件
+	Hsts           interface{} // HSTS设置
+	Http2Enabled   interface{} // 是否启用HTTP/2
+	State          interface{} // 状态
+	CreatedAt      interface{} // 创建时间
+}
+
+func NewSSLPolicyOperator() *SSLPolicyOperator {
+	return &SSLPolicyOperator{}
+}
--- a/internal/db/models/ssl_policy_model_ext.go
+++ b/internal/db/models/ssl_policy_model_ext.go
@@ -0,0 +1 @@
+package models