perf: 添加阿里云 ESA证书部署插件

- 新增 AliyunDeployCertToESA 插件类，实现证书上传和部署到阿里云 ESA 功能 - 优化证书名称生成逻辑，支持通配符域名 - 重构部分代码，提高可复用性和可维护性 - 更新相关依赖版本，确保兼容性
2026-04-24 04:17:25 +08:00 · 2025-05-22 23:21:32 +08:00
parent 7984b625ba
commit 1db1ffde99
13 changed files with 420 additions and 71 deletions
@@ -227,6 +227,14 @@ export abstract class AbstractTaskPlugin implements ITaskPlugin {
    return name + "_" + dayjs().format("YYYYMMDDHHmmssSSS");
  }

+  buildCertName(domain: string) {
+    if (domain.includes("*")) {
+      domain = domain.replaceAll("*", "_");
+    }
+    return `${domain}_${dayjs().format("YYYYMMDDHHmmssSSS")}`;
+  }
+
+
  async onRequest(req: PluginRequestHandleReq<any>) {
    if (!req.action) {
      throw new Error("action is required");
@@ -93,6 +93,16 @@ export class CertReader {
    return domains;
  }

+  static getMainDomain(crt: string) {
+    const { detail } = CertReader.readCertDetail(crt);
+    return detail.domains.commonName;
+  }
+
+  getMainDomain() {
+    const { detail } = this.getCrtDetail();
+    return detail.domains.commonName;
+  }
+
  saveToFile(type: "crt" | "key" | "pfx" | "der" | "oc" | "one" | "ic" | "jks", filepath?: string) {
    if (!this.cert[type]) {
      return;
@@ -16,7 +16,9 @@
    "pub": "npm publish"
  },
  "dependencies": {
+    "@alicloud/openapi-client": "^0.4.14",
    "@alicloud/pop-core": "^1.7.10",
+    "@alicloud/tea-util": "^1.4.10",
    "@aws-sdk/client-s3": "^3.787.0",
    "@certd/basic": "^1.34.5",
    "@certd/pipeline": "^1.34.5",
@@ -1,4 +1,88 @@
 import { IsAccess, AccessInput, BaseAccess } from "@certd/pipeline";
+import { ILogger } from "@certd/basic";
+
+export type AliyunClientV2Req = {
+  action: string;
+  version: string;
+  protocol?: "HTTPS";
+  // 接口 HTTP 方法
+  method?: "GET" | "POST";
+  authType?: "AK";
+  style?: "RPC";
+  // 接口 PATH
+  pathname?: `/`;
+
+  data?: any;
+  query?: any;
+};
+export class AliyunClientV2 {
+  access: AliyunAccess;
+  logger: ILogger;
+  endpoint: string;
+
+  client: any;
+  constructor(opts: { access: AliyunAccess; logger: ILogger; endpoint: string }) {
+    this.access = opts.access;
+    this.logger = opts.logger;
+    this.endpoint = opts.endpoint;
+  }
+
+  async getClient() {
+    if (this.client) {
+      return this.client;
+    }
+    const $OpenApi = await import("@alicloud/openapi-client");
+    const config = new $OpenApi.Config({
+      accessKeyId: this.access.accessKeyId,
+      accessKeySecret: this.access.accessKeySecret,
+    });
+    // Endpoint 请参考 https://api.aliyun.com/product/FC
+    // config.endpoint = `esa.${this.regionId}.aliyuncs.com`;
+    config.endpoint = this.endpoint;
+    //@ts-ignore
+    this.client = new $OpenApi.default.default(config);
+    return this.client;
+  }
+
+  async doRequest(req: AliyunClientV2Req) {
+    const client = await this.getClient();
+
+    const $OpenApi = await import("@alicloud/openapi-client");
+    const $Util = await import("@alicloud/tea-util");
+
+    const params = new $OpenApi.Params({
+      // 接口名称
+      action: req.action,
+      // 接口版本
+      version: req.version,
+      // 接口协议
+      protocol: "HTTPS",
+      // 接口 HTTP 方法
+      method: req.method ?? "POST",
+      authType: "AK",
+      style: "RPC",
+      // 接口 PATH
+      pathname: `/`,
+      // 接口请求体内容格式
+      reqBodyType: "json",
+      // 接口响应体内容格式
+      bodyType: "json",
+    });
+
+    const runtime = new $Util.RuntimeOptions({});
+    const request = new $OpenApi.OpenApiRequest({
+      body: req.data,
+      query: req.query,
+    });
+    // 复制代码运行请自行打印 API 的返回值
+    // 返回值实际为 Map 类型，可从 Map 中获得三类数据：响应体 body、响应头 headers、HTTP 返回的状态码 statusCode。
+    const res = await client.callApi(params, request, runtime);
+    /**
+     * res?.body?.
+     */
+    return res?.body;
+  }
+}

@IsAccess({
  name: "aliyun",
@@ -27,6 +111,14 @@ export class AliyunAccess extends BaseAccess {
    helper: "注意：证书申请需要dns解析权限；其他阿里云插件，需要对应的权限，比如证书上传需要证书管理权限；嫌麻烦就用主账号的全量权限的accessKey",
  })
  accessKeySecret = "";
+
+  getClient(endpoint: string) {
+    return new AliyunClientV2({
+      access: this,
+      logger: this.ctx.logger,
+      endpoint: endpoint,
+    });
+  }
 }

 new AliyunAccess();
@@ -57,15 +57,12 @@ export class SafeService {
  async reloadHiddenStatus(immediate = false) {
    const hidden = await this.getHiddenSetting()
    if (hidden.enabled) {
-      logger.error("启动站点隐藏");
-      hiddenStatus.isHidden = false
-      if (immediate) {
-        hiddenStatus.isHidden = true;
-      }
+      logger.info("启动站点隐藏");
+      hiddenStatus.isHidden = immediate;
      const autoHiddenTimes = hidden.autoHiddenTimes || 5;
      hiddenStatus.startCheck(autoHiddenTimes);
    } else {
-      logger.error("关闭站点隐藏");
+      logger.info("当前站点隐藏已关闭");
      hiddenStatus.isHidden = false;
      hiddenStatus.stopCheck()
    }
@@ -1,5 +1,5 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
-import { CertInfo ,CertApplyPluginNames} from '@certd/plugin-cert';
+import { CertInfo ,CertApplyPluginNames, CertReader} from '@certd/plugin-cert';
 import { AliyunAccess, AliyunClient, AliyunSslClient, createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from '@certd/plugin-lib';

@IsTaskPlugin({
@@ -143,8 +143,9 @@ export class AliyunDeployCertToALB extends AbstractTaskPlugin {
        endpoint: this.casEndpoint,
      });

+      const certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt))
      certId = await sslClient.uploadCert({
-        name: this.appendTimeSuffix('certd'),
+        name: certName,
        cert: this.cert,
      });
    }
@@ -1,7 +1,7 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
 import { AliyunAccess, AliyunClient, AliyunSslClient, createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from '@certd/plugin-lib';
 import { optionsUtils } from '@certd/basic/dist/utils/util.options.js';
-import { CertApplyPluginNames} from '@certd/plugin-cert';
+import { CertApplyPluginNames, CertReader } from "@certd/plugin-cert";
@IsTaskPlugin({
  name: 'DeployCertToAliyunCDN',
  title: '阿里云-部署证书至CDN',
@@ -107,9 +107,11 @@ export class DeployCertToAliyunCDN extends AbstractTaskPlugin {

    let certId: any = this.cert;

-    const certName =  this.appendTimeSuffix(this.certName);
+    let certName =  this.appendTimeSuffix(this.certName);

    if (typeof this.cert === 'object') {
+      // @ts-ignore
+      const certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt))
      certId = await sslClient.uploadCert({
        name:certName,
        cert: this.cert,
@@ -0,0 +1,226 @@
+import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
+import { CertApplyPluginNames, CertInfo, CertReader } from "@certd/plugin-cert";
+import {
+  AliyunAccess, AliyunClientV2,
+  AliyunSslClient,
+  createCertDomainGetterInputDefine,
+  createRemoteSelectInputDefine
+} from "@certd/plugin-lib";
+
+@IsTaskPlugin({
+  name: "AliyunDeployCertToESA",
+  title: "阿里云-部署至ESA",
+  icon: "svg:icon-aliyun",
+  group: pluginGroups.aliyun.key,
+  desc: "部署证书到阿里云ESA(边缘安全加速)",
+  needPlus: false,
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.SkipWhenSucceed
+    }
+  }
+})
+export class AliyunDeployCertToESA extends AbstractTaskPlugin {
+  @TaskInput({
+    title: "域名证书",
+    helper: "请选择证书申请任务输出的域名证书",
+    component: {
+      name: "output-selector",
+      from: [...CertApplyPluginNames]
+    },
+    required: true
+  })
+  cert!: CertInfo;
+
+  @TaskInput(createCertDomainGetterInputDefine({ props: { required: false } }))
+  certDomains!: string[];
+
+  @TaskInput({
+    title: "大区",
+    value: "cn-hangzhou",
+    component: {
+      name: "a-auto-complete",
+      vModel: "value",
+      options: [
+        { value: "cn-hangzhou", label: "华东1（杭州）" },
+        { value: "ap-southeast-1", label: "新加坡" }
+      ]
+    },
+    required: true
+  })
+  regionId!: string;
+
+  @TaskInput({
+    title: "证书接入点",
+    helper: "不会选就保持默认即可",
+    value: "cas.aliyuncs.com",
+    component: {
+      name: "a-select",
+      options: [
+        { value: "cas.aliyuncs.com", label: "中国大陆" },
+        { value: "cas.ap-southeast-1.aliyuncs.com", label: "新加坡" },
+        { value: "cas.eu-central-1.aliyuncs.com", label: "德国（法兰克福）" }
+      ]
+    },
+    required: true
+  })
+  casEndpoint!: string;
+
+
+  @TaskInput({
+    title: "Access授权",
+    helper: "阿里云授权AccessKeyId、AccessKeySecret",
+    component: {
+      name: "access-selector",
+      type: "aliyun"
+    },
+    required: true
+  })
+  accessId!: string;
+
+  @TaskInput(
+    createRemoteSelectInputDefine({
+      title: "站点",
+      helper: "请选择要部署证书的站点",
+      action: AliyunDeployCertToESA.prototype.onGetSiteList.name,
+      watches: ["accessId", "regionId"]
+    })
+  )
+  siteIds!: string[];
+
+
+  async onInstance() {
+  }
+
+  async getAliyunCertId(access: AliyunAccess) {
+    let certId: any = this.cert;
+    let certName: any = this.appendTimeSuffix("certd");
+    if (typeof this.cert === "object") {
+      const sslClient = new AliyunSslClient({
+        access,
+        logger: this.logger,
+        endpoint: this.casEndpoint
+      });
+
+      certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt));
+
+      certId = await sslClient.uploadCert({
+        name: certName,
+        cert: this.cert
+      });
+      this.logger.info("上传证书成功", certId, certName);
+    }
+    return {
+      certId,
+      certName
+    };
+  }
+
+  async execute(): Promise<void> {
+    this.logger.info("开始部署证书到阿里云");
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+
+    const client = await this.getClient(access);
+
+    const { certId, certName } = await this.getAliyunCertId(access);
+
+    for (const siteId of this.siteIds) {
+      try {
+        const res = await client.doRequest({
+          // 接口名称
+          action: "SetCertificate",
+          // 接口版本
+          version: "2024-09-10",
+          data: {
+            SiteId: siteId,
+            CasId: certId,
+            Type: "cas",
+            Name: certName
+          }
+        });
+        this.logger.info(`部署站点[${siteId}]证书成功：${JSON.stringify(res)}`);
+
+      } catch (e) {
+        if (e.message.includes("Certificate.Duplicated")) {
+          this.logger.info(`站点[${siteId}]证书已存在,无需重复部署`);
+        }else{
+          throw e;
+        }
+      }
+
+      try{
+        await this.clearSiteCert(client,siteId);
+      }catch (e) {
+        this.logger.error("清理站点[${siteId}]证书失败",e)
+      }
+
+    }
+  }
+
+  async getClient(access: AliyunAccess) {
+    const endpoint = `esa.${this.regionId}.aliyuncs.com`;
+    return access.getClient(endpoint);
+  }
+
+  async onGetSiteList(data: any) {
+    if (!this.accessId) {
+      throw new Error("请选择Access授权");
+    }
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+
+    const client = await this.getClient(access);
+    const res = await client.doRequest({
+      action: "ListSites",
+      version: "2024-09-10",
+      method: "GET",
+      data: {}
+    });
+
+    const list = res?.Sites;
+    if (!list || list.length === 0) {
+      throw new Error("没有找到站点，请先创建站点");
+    }
+
+    const options = list.map((item: any) => {
+      return {
+        label: item.SiteName,
+        value: item.SiteId,
+        domain: item.SiteName
+      };
+    });
+    return this.ctx.utils.options.buildGroupOptions(options, this.certDomains);
+  }
+
+  async clearSiteCert(client: AliyunClientV2, siteId: string) {
+    this.logger.info(`开始清理站点[${siteId}]过期证书`);
+    const certListRes = await client.doRequest({
+      action: "ListCertificates",
+      version: "2024-09-10",
+      method: "GET",
+      query: {
+        SiteId: siteId
+      }
+    });
+
+    const list = certListRes.Result;
+    for (const item of list) {
+      this.logger.info(`证书${item.Name}状态：${item.Status}`);
+      if (item.Status === "Expired") {
+        this.logger.info(`证书${item.Name}已过期，执行删除`);
+        await client.doRequest({
+          action: "DeleteCertificate",
+          version: "2024-09-10",
+          // 接口 HTTP 方法
+          method: "GET",
+          query: {
+            SiteId: siteId,
+            Id: item.id
+          }
+        });
+        this.logger.info(`证书${item.Name}已删除`);
+      }
+    }
+  }
+}
+
+new AliyunDeployCertToESA();
@@ -1,5 +1,5 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
-import { CertApplyPluginNames, CertInfo } from "@certd/plugin-cert";
+import { CertApplyPluginNames, CertInfo, CertReader } from "@certd/plugin-cert";
 import { AliyunAccess, createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from "@certd/plugin-lib";

@IsTaskPlugin({
@@ -141,9 +141,11 @@ export class AliyunDeployCertToFC extends AbstractTaskPlugin {
        bodyType: 'json',
      });
      // body params
+      const certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt))
+
      const body: { [key: string]: any } = {
        certConfig: {
-          certName: this.appendTimeSuffix('certd_fc'),
+          certName: certName,
          certificate: this.cert.crt,
          privateKey: this.cert.key,
        },
@@ -1,5 +1,5 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
-import { CertInfo } from '@certd/plugin-cert';
+import { CertInfo, CertReader } from "@certd/plugin-cert";
 import { AliyunAccess, AliyunClient, AliyunSslClient, createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from '@certd/plugin-lib';
 import { CertApplyPluginNames} from '@certd/plugin-cert';
@IsTaskPlugin({
@@ -139,8 +139,10 @@ export class AliyunDeployCertToNLB extends AbstractTaskPlugin {
        endpoint: this.casEndpoint,
      });

+      const certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt))
+
      certId = await sslClient.uploadCert({
-        name: this.appendTimeSuffix('certd'),
+        name: certName,
        cert: this.cert,
      });
    }
@@ -1,5 +1,5 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
-import { CertApplyPluginNames, CertInfo } from "@certd/plugin-cert";
+import { CertApplyPluginNames, CertInfo, CertReader } from "@certd/plugin-cert";
 import {
  AliyunAccess,
  AliyunClient,
@@ -124,7 +124,7 @@ export class AliyunDeployCertToWaf extends AbstractTaskPlugin {
      });

      certId = await sslClient.uploadCert({
-        name: this.appendTimeSuffix('certd'),
+        name: this.buildCertName(CertReader.getMainDomain(this.cert.crt)),
        cert: this.cert,
      });
    }
@@ -1,7 +1,7 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput, TaskOutput } from '@certd/pipeline';
 import { AliyunAccess } from '@certd/plugin-lib';
 import { AliyunSslClient } from '@certd/plugin-lib';
-import { CertApplyPluginNames} from '@certd/plugin-cert';
+import { CertApplyPluginNames, CertReader } from "@certd/plugin-cert";
 /**
 * 华东1（杭州）	cn-hangzhou	cas.aliyuncs.com	cas-vpc.cn-hangzhou.aliyuncs.com
 * 马来西亚（吉隆坡）	ap-southeast-3	cas.ap-southeast-3.aliyuncs.com	cas-vpc.ap-southeast-3.aliyuncs.com
@@ -97,8 +97,9 @@ export class UploadCertToAliyun extends AbstractTaskPlugin {
      logger: this.logger,
      endpoint,
    });
+    const certName = this.buildCertName(CertReader.getMainDomain(this.cert.crt))
    this.aliyunCertId = await client.uploadCert({
-      name: this.appendTimeSuffix('certd'),
+      name: certName,
      cert: this.cert,
    });
  }