perf: EAB授权支持绑定邮箱，支持公共EAB设置

2026-04-15 13:32:37 +08:00 · 2024-10-14 03:17:10 +08:00
parent e8b617b80c
commit 07043aff0c
32 changed files with 374 additions and 57 deletions
--- a/packages/plugins/plugin-cert/src/access/eab-access.ts
+++ b/packages/plugins/plugin-cert/src/access/eab-access.ts
@@ -26,6 +26,16 @@ export class EabAccess extends BaseAccess {
    encrypt: true,
  })
  hmacKey = "";
+
+  @AccessInput({
+    title: "email",
+    component: {
+      placeholder: "绑定一个邮箱",
+    },
+    helper: "Google EAB 申请证书绑定邮箱后，不能更换，否则会导致EAB失效",
+    required: false,
+  })
+  email = "";
 }

 new EabAccess();
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
@@ -6,6 +6,7 @@ import { createDnsProvider, DnsProviderContext, IDnsProvider } from "../../dns-p
 import { CertReader } from "./cert-reader.js";
 import { CertApplyBasePlugin } from "./base.js";
 import { GoogleClient } from "../../libs/google.js";
+import { EabAccess } from "../../access";

 export type { CertInfo };
 export * from "./cert-reader.js";
@@ -138,6 +139,13 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
  })
  sslProvider!: SSLProvider;

+  @TaskInput({
+    title: "Google公共EAB授权",
+    isSys: true,
+    show: false,
+  })
+  googleCommonEabAccessId!: number;
+
  @TaskInput({
    title: "EAB授权",
    component: {
@@ -151,7 +159,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
    mergeScript: `
    return {
        show: ctx.compute(({form})=>{
-            return form.sslProvider === 'zerossl' || form.sslProvider === 'google'
+            return form.sslProvider === 'zerossl' || (form.sslProvider === 'google' && !form.googleCommonEabAccessId)
        })
    }
    `,
@@ -171,7 +179,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
    mergeScript: `
    return {
        show: ctx.compute(({form})=>{
-            return form.sslProvider === 'google'
+            return form.sslProvider === 'google' && !form.googleCommonEabAccessId
        })
    }
    `,
@@ -233,10 +241,12 @@ export class CertApplyPlugin extends CertApplyBasePlugin {

  acme!: AcmeService;

+  eab!: EabAccess;
  async onInit() {
-    let eab: any = null;
+    let eab: EabAccess = null;

    if (this.sslProvider === "google") {
+      const eabAccessId = this.eabAccessId || this.googleCommonEabAccessId;
      if (this.googleAccessId) {
        this.logger.info("您正在使用google服务账号授权");
        const googleAccess = await this.ctx.accessService.getById(this.googleAccessId);
@@ -245,9 +255,9 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
          logger: this.logger,
        });
        eab = await googleClient.getEab();
-      } else if (this.eabAccessId) {
+      } else if (eabAccessId) {
        this.logger.info("您正在使用google EAB授权");
-        eab = await this.ctx.accessService.getById(this.eabAccessId);
+        eab = await this.ctx.accessService.getById(eabAccessId);
      } else {
        this.logger.error("google需要配置EAB授权或服务账号授权");
        return;
@@ -260,7 +270,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
        return;
      }
    }
-
+    this.eab = eab;
    this.acme = new AcmeService({
      userContext: this.userContext,
      logger: this.logger,
@@ -276,7 +286,10 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
  }

  async doCertApply() {
-    const email = this["email"];
+    let email = this.email;
+    if (this.eab && this.eab.email) {
+      email = this.eab.email;
+    }
    const domains = this["domains"];

    const csrInfo = _.merge(