ACME证书增加ZeroSSL支持

2026-01-07 07:55:48 +08:00 · 2021-10-03 13:09:29 +08:00
parent 7b9e6fe5fb
commit eeec60c543
19 changed files with 1121 additions and 163 deletions
--- a/internal/db/models/acme/acme_provider_account_dao.go
+++ b/internal/db/models/acme/acme_provider_account_dao.go
@@ -0,0 +1,127 @@
+package acme
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+)
+
+const (
+	ACMEProviderAccountStateEnabled  = 1 // 已启用
+	ACMEProviderAccountStateDisabled = 0 // 已禁用
+)
+
+type ACMEProviderAccountDAO dbs.DAO
+
+func NewACMEProviderAccountDAO() *ACMEProviderAccountDAO {
+	return dbs.NewDAO(&ACMEProviderAccountDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeACMEProviderAccounts",
+			Model:  new(ACMEProviderAccount),
+			PkName: "id",
+		},
+	}).(*ACMEProviderAccountDAO)
+}
+
+var SharedACMEProviderAccountDAO *ACMEProviderAccountDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedACMEProviderAccountDAO = NewACMEProviderAccountDAO()
+	})
+}
+
+// EnableACMEProviderAccount 启用条目
+func (this *ACMEProviderAccountDAO) EnableACMEProviderAccount(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMEProviderAccountStateEnabled).
+		Update()
+	return err
+}
+
+// DisableACMEProviderAccount 禁用条目
+func (this *ACMEProviderAccountDAO) DisableACMEProviderAccount(tx *dbs.Tx, id int64) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", ACMEProviderAccountStateDisabled).
+		Update()
+	return err
+}
+
+// FindEnabledACMEProviderAccount 查找启用中的条目
+func (this *ACMEProviderAccountDAO) FindEnabledACMEProviderAccount(tx *dbs.Tx, id int64) (*ACMEProviderAccount, error) {
+	result, err := this.Query(tx).
+		Pk(id).
+		Attr("state", ACMEProviderAccountStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*ACMEProviderAccount), err
+}
+
+// FindACMEProviderAccountName 根据主键查找名称
+func (this *ACMEProviderAccountDAO) FindACMEProviderAccountName(tx *dbs.Tx, id int64) (string, error) {
+	return this.Query(tx).
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
+
+// CreateAccount 创建账号
+func (this *ACMEProviderAccountDAO) CreateAccount(tx *dbs.Tx, name string, providerCode string, eabKid string, eabKey string) (int64, error) {
+	var op = NewACMEProviderAccountOperator()
+	op.Name = name
+	op.ProviderCode = providerCode
+	op.EabKid = eabKid
+	op.EabKey = eabKey
+
+	op.IsOn = true
+	op.State = ACMEProviderAccountStateEnabled
+	return this.SaveInt64(tx, op)
+}
+
+// UpdateAccount 修改账号
+func (this *ACMEProviderAccountDAO) UpdateAccount(tx *dbs.Tx, accountId int64, name string, eabKid string, eabKey string) error {
+	if accountId <= 0 {
+		return errors.New("invalid accountId")
+	}
+	var op = NewACMEProviderAccountOperator()
+	op.Id = accountId
+	op.Name = name
+	op.EabKid = eabKid
+	op.EabKey = eabKey
+	return this.Save(tx, op)
+}
+
+// CountAllEnabledAccounts 计算账号数量
+func (this *ACMEProviderAccountDAO) CountAllEnabledAccounts(tx *dbs.Tx) (int64, error) {
+	return this.Query(tx).
+		Count()
+}
+
+// ListEnabledAccounts 查找单页账号
+func (this *ACMEProviderAccountDAO) ListEnabledAccounts(tx *dbs.Tx, offset int64, size int64) (result []*ACMEProviderAccount, err error) {
+	_, err = this.Query(tx).
+		State(ACMEProviderAccountStateEnabled).
+		Offset(offset).
+		Limit(size).
+		DescPk().
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// FindAllEnabledAccountsWithProviderCode 根据服务商代号查找账号
+func (this *ACMEProviderAccountDAO) FindAllEnabledAccountsWithProviderCode(tx *dbs.Tx, providerCode string) (result []*ACMEProviderAccount, err error) {
+	_, err = this.Query(tx).
+		State(ACMEProviderAccountStateEnabled).
+		Attr("providerCode", providerCode).
+		DescPk().
+		Slice(&result).
+		FindAll()
+	return
+}
--- a/internal/db/models/acme/acme_provider_account_dao_test.go
+++ b/internal/db/models/acme/acme_provider_account_dao_test.go
@@ -0,0 +1,6 @@
+package acme
+
+import (
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+)
--- a/internal/db/models/acme/acme_provider_account_model.go
+++ b/internal/db/models/acme/acme_provider_account_model.go
@@ -0,0 +1,28 @@
+package acme
+
+// ACMEProviderAccount ACME提供商
+type ACMEProviderAccount struct {
+	Id           uint64 `field:"id"`           // ID
+	IsOn         uint8  `field:"isOn"`         // 是否启用
+	Name         string `field:"name"`         // 名称
+	ProviderCode string `field:"providerCode"` // 代号
+	Error        string `field:"error"`        // 最后一条错误信息
+	EabKid       string `field:"eabKid"`       // KID
+	EabKey       string `field:"eabKey"`       // Key
+	State        uint8  `field:"state"`        // 状态
+}
+
+type ACMEProviderAccountOperator struct {
+	Id           interface{} // ID
+	IsOn         interface{} // 是否启用
+	Name         interface{} // 名称
+	ProviderCode interface{} // 代号
+	Error        interface{} // 最后一条错误信息
+	EabKid       interface{} // KID
+	EabKey       interface{} // Key
+	State        interface{} // 状态
+}
+
+func NewACMEProviderAccountOperator() *ACMEProviderAccountOperator {
+	return &ACMEProviderAccountOperator{}
+}
--- a/internal/db/models/acme/acme_provider_account_model_ext.go
+++ b/internal/db/models/acme/acme_provider_account_model_ext.go
@@ -0,0 +1 @@
+package acme
--- a/internal/db/models/acme/acme_task_dao.go
+++ b/internal/db/models/acme/acme_task_dao.go
@@ -3,7 +3,7 @@ package acme
 import (
 	"bytes"
 	"encoding/json"
-	"github.com/TeaOSLab/EdgeAPI/internal/acme"
+	acmeutils "github.com/TeaOSLab/EdgeAPI/internal/acme"
 	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
 	"github.com/TeaOSLab/EdgeAPI/internal/db/models/dns"
 	dbutils "github.com/TeaOSLab/EdgeAPI/internal/db/utils"
@@ -167,7 +167,7 @@ func (this *ACMETaskDAO) ListEnabledACMETasks(tx *dbs.Tx, adminId int64, userId
 }

 // CreateACMETask 创建任务
-func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64, authType acme.AuthType, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool, authURL string) (int64, error) {
+func (this *ACMETaskDAO) CreateACMETask(tx *dbs.Tx, adminId int64, userId int64, authType acmeutils.AuthType, acmeUserId int64, dnsProviderId int64, dnsDomain string, domains []string, autoRenew bool, authURL string) (int64, error) {
 	op := NewACMETaskOperator()
 	op.AdminId = adminId
 	op.UserId = userId
@@ -286,13 +286,39 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 		return
 	}

-	privateKey, err := acme.ParsePrivateKeyFromBase64(user.PrivateKey)
+	// 服务商
+	if len(user.ProviderCode) == 0 {
+		user.ProviderCode = acmeutils.DefaultProviderCode
+	}
+	var acmeProvider = acmeutils.FindProviderWithCode(user.ProviderCode)
+	if acmeProvider == nil {
+		errMsg = "服务商已不可用"
+		return
+	}
+
+	// 账号
+	var acmeAccount *acmeutils.Account
+	if user.AccountId > 0 {
+		account, err := SharedACMEProviderAccountDAO.FindEnabledACMEProviderAccount(tx, int64(user.AccountId))
+		if err != nil {
+			errMsg = "查询ACME账号时出错：" + err.Error()
+			return
+		}
+		if account != nil {
+			acmeAccount = &acmeutils.Account{
+				EABKid: account.EabKid,
+				EABKey: account.EabKey,
+			}
+		}
+	}
+
+	privateKey, err := acmeutils.ParsePrivateKeyFromBase64(user.PrivateKey)
 	if err != nil {
 		errMsg = "解析私钥时出错：" + err.Error()
 		return
 	}

-	remoteUser := acme.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
+	remoteUser := acmeutils.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
 		resourceJSON, err := json.Marshal(resource)
 		if err != nil {
 			return err
@@ -310,8 +336,8 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 		}
 	}

-	var acmeTask *acme.Task = nil
-	if task.AuthType == acme.AuthTypeDNS {
+	var acmeTask *acmeutils.Task = nil
+	if task.AuthType == acmeutils.AuthTypeDNS {
 		// DNS服务商
 		dnsProvider, err := dns.SharedDNSProviderDAO.FindEnabledDNSProvider(tx, int64(task.DnsProviderId))
 		if err != nil {
@@ -338,22 +364,24 @@ func (this *ACMETaskDAO) runTaskWithoutLog(tx *dbs.Tx, taskId int64) (isOk bool,
 			return
 		}

-		acmeTask = &acme.Task{
+		acmeTask = &acmeutils.Task{
 			User:        remoteUser,
-			AuthType:    acme.AuthTypeDNS,
+			AuthType:    acmeutils.AuthTypeDNS,
 			DNSProvider: providerInterface,
 			DNSDomain:   task.DnsDomain,
 			Domains:     task.DecodeDomains(),
 		}
-	} else if task.AuthType == acme.AuthTypeHTTP {
-		acmeTask = &acme.Task{
+	} else if task.AuthType == acmeutils.AuthTypeHTTP {
+		acmeTask = &acmeutils.Task{
 			User:     remoteUser,
-			AuthType: acme.AuthTypeHTTP,
+			AuthType: acmeutils.AuthTypeHTTP,
 			Domains:  task.DecodeDomains(),
 		}
 	}
+	acmeTask.Provider = acmeProvider
+	acmeTask.Account = acmeAccount

-	acmeRequest := acme.NewRequest(acmeTask)
+	acmeRequest := acmeutils.NewRequest(acmeTask)
 	acmeRequest.OnAuth(func(domain, token, keyAuth string) {
 		err := SharedACMEAuthenticationDAO.CreateAuth(tx, taskId, domain, token, keyAuth)
 		if err != nil {
--- a/internal/db/models/acme/acme_user_dao.go
+++ b/internal/db/models/acme/acme_user_dao.go
@@ -39,7 +39,7 @@ func init() {
 	})
 }

-// 启用条目
+// EnableACMEUser 启用条目
 func (this *ACMEUserDAO) EnableACMEUser(tx *dbs.Tx, id int64) error {
 	_, err := this.Query(tx).
 		Pk(id).
@@ -48,7 +48,7 @@ func (this *ACMEUserDAO) EnableACMEUser(tx *dbs.Tx, id int64) error {
 	return err
 }

-// 禁用条目
+// DisableACMEUser 禁用条目
 func (this *ACMEUserDAO) DisableACMEUser(tx *dbs.Tx, id int64) error {
 	_, err := this.Query(tx).
 		Pk(id).
@@ -69,8 +69,8 @@ func (this *ACMEUserDAO) FindEnabledACMEUser(tx *dbs.Tx, id int64) (*ACMEUser, e
 	return result.(*ACMEUser), err
 }

-// 创建用户
-func (this *ACMEUserDAO) CreateACMEUser(tx *dbs.Tx, adminId int64, userId int64, email string, description string) (int64, error) {
+// CreateACMEUser 创建用户
+func (this *ACMEUserDAO) CreateACMEUser(tx *dbs.Tx, adminId int64, userId int64, providerCode string, accountId int64, email string, description string) (int64, error) {
 	// 生成私钥
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
@@ -86,6 +86,8 @@ func (this *ACMEUserDAO) CreateACMEUser(tx *dbs.Tx, adminId int64, userId int64,
 	op := NewACMEUserOperator()
 	op.AdminId = adminId
 	op.UserId = userId
+	op.ProviderCode = providerCode
+	op.AccountId = accountId
 	op.Email = email
 	op.Description = description
 	op.PrivateKey = privateKeyText
@@ -97,7 +99,7 @@ func (this *ACMEUserDAO) CreateACMEUser(tx *dbs.Tx, adminId int64, userId int64,
 	return types.Int64(op.Id), nil
 }

-// 修改用户信息
+// UpdateACMEUser 修改用户信息
 func (this *ACMEUserDAO) UpdateACMEUser(tx *dbs.Tx, acmeUserId int64, description string) error {
 	if acmeUserId <= 0 {
 		return errors.New("invalid acmeUserId")
@@ -109,7 +111,7 @@ func (this *ACMEUserDAO) UpdateACMEUser(tx *dbs.Tx, acmeUserId int64, descriptio
 	return err
 }

-// 修改用户ACME注册信息
+// UpdateACMEUserRegistration 修改用户ACME注册信息
 func (this *ACMEUserDAO) UpdateACMEUserRegistration(tx *dbs.Tx, acmeUserId int64, registrationJSON []byte) error {
 	if acmeUserId <= 0 {
 		return errors.New("invalid acmeUserId")
@@ -121,7 +123,7 @@ func (this *ACMEUserDAO) UpdateACMEUserRegistration(tx *dbs.Tx, acmeUserId int64
 	return err
 }

-// 计算用户数量
+// CountACMEUsersWithAdminId 计算用户数量
 func (this *ACMEUserDAO) CountACMEUsersWithAdminId(tx *dbs.Tx, adminId int64, userId int64) (int64, error) {
 	query := this.Query(tx)
 	if adminId > 0 {
@@ -136,7 +138,7 @@ func (this *ACMEUserDAO) CountACMEUsersWithAdminId(tx *dbs.Tx, adminId int64, us
 		Count()
 }

-// 列出当前管理员的用户
+// ListACMEUsers 列出当前管理员的用户
 func (this *ACMEUserDAO) ListACMEUsers(tx *dbs.Tx, adminId int64, userId int64, offset int64, size int64) (result []*ACMEUser, err error) {
 	query := this.Query(tx)
 	if adminId > 0 {
@@ -156,8 +158,8 @@ func (this *ACMEUserDAO) ListACMEUsers(tx *dbs.Tx, adminId int64, userId int64,
 	return
 }

-// 查找所有用户
-func (this *ACMEUserDAO) FindAllACMEUsers(tx *dbs.Tx, adminId int64, userId int64) (result []*ACMEUser, err error) {
+// FindAllACMEUsers 查找所有用户
+func (this *ACMEUserDAO) FindAllACMEUsers(tx *dbs.Tx, adminId int64, userId int64, providerCode string) (result []*ACMEUser, err error) {
 	// 防止没有传入条件导致返回的数据过多
 	if adminId <= 0 && userId <= 0 {
 		return nil, errors.New("'adminId' or 'userId' should not be empty")
@@ -170,6 +172,9 @@ func (this *ACMEUserDAO) FindAllACMEUsers(tx *dbs.Tx, adminId int64, userId int6
 	if userId > 0 {
 		query.Attr("userId", userId)
 	}
+	if len(providerCode) > 0 {
+		query.Attr("providerCode", providerCode)
+	}
 	_, err = query.
 		State(ACMEUserStateEnabled).
 		Slice(&result).
@@ -178,7 +183,7 @@ func (this *ACMEUserDAO) FindAllACMEUsers(tx *dbs.Tx, adminId int64, userId int6
 	return
 }

-// 检查用户权限
+// CheckACMEUser 检查用户权限
 func (this *ACMEUserDAO) CheckACMEUser(tx *dbs.Tx, acmeUserId int64, adminId int64, userId int64) (bool, error) {
 	if acmeUserId <= 0 {
 		return false, nil
--- a/internal/db/models/acme/acme_user_model.go
+++ b/internal/db/models/acme/acme_user_model.go
@@ -1,6 +1,6 @@
 package acme

-//
+// ACMEUser ACME用户
 type ACMEUser struct {
 	Id           uint64 `field:"id"`           // ID
 	AdminId      uint32 `field:"adminId"`      // 管理员ID
@@ -11,6 +11,8 @@ type ACMEUser struct {
 	State        uint8  `field:"state"`        // 状态
 	Description  string `field:"description"`  // 备注介绍
 	Registration string `field:"registration"` // 注册信息
+	ProviderCode string `field:"providerCode"` // 服务商代号
+	AccountId    uint64 `field:"accountId"`    // 提供商ID
 }

 type ACMEUserOperator struct {
@@ -23,6 +25,8 @@ type ACMEUserOperator struct {
 	State        interface{} // 状态
 	Description  interface{} // 备注介绍
 	Registration interface{} // 注册信息
+	ProviderCode interface{} // 服务商代号
+	AccountId    interface{} // 提供商ID
 }

 func NewACMEUserOperator() *ACMEUserOperator {