Merge branch 'v2-dev' of https://github.com/certd/certd into v2-dev

2026-04-23 19:57:27 +08:00 · 2025-12-25 22:20:59 +08:00
parent d0f653da9a cbb8319cfa
commit 373415261e
29 changed files with 1430 additions and 216 deletions
@@ -31,6 +31,20 @@ process.on('uncaughtException', error => {
  }
 });

+// function startHeapLog() {
+//   function format(bytes: any) {
+//     return (bytes / 1024 / 1024).toFixed(2) + ' MB';
+//   }
+//   function log()  {
+//     const mu = process.memoryUsage();
+//     logger.info(`rss:${format(mu.rss)},heapUsed: ${format(mu.heapUsed)},heapTotal: ${format(mu.heapTotal)},external: ${format(mu.external)}`);
+//   }
+//   setInterval(log, 200);
+//   log()
+// }
+
+// startHeapLog();
+
@Configuration({
  detectorOptions: {
    ignore: [
@@ -64,6 +78,9 @@ export class MainConfiguration {
  app: koa.Application;

  async onReady() {
+
+
+
    // add middleware
    // this.app.useMiddleware([ReportMiddleware]);
    // add filter
@@ -242,7 +242,9 @@ export class LoginService {
    }
    const info = await this.userService.findOne({id: oauthBound.userId});
    if (info == null) {
-      throw new CommonException('用户不存在');
+      // 用户已被删除，删除此oauth绑定
+      await this.oauthBoundService.delete([oauthBound.id]);
+      return null
    }
    return this.generateToken(info);
  }
@@ -1012,7 +1012,7 @@ export class PipelineService extends BaseService<PipelineEntity> {
                  title: "申请证书",
                  runnableType: "step",
                  input: {
-                    renewDays: 35,
+                    renewDays: 18,
                    domains: req.domains,
                    email: req.email,
                    "challengeType": "auto",
@@ -13,6 +13,7 @@ import { RandomUtil } from '../../../../utils/random.js';
 import dayjs from 'dayjs';
 import { DbAdapter } from '../../../db/index.js';
 import { simpleNanoId, utils } from '@certd/basic';
+import { OauthBoundService } from '../../../login/service/oauth-bound-service.js';

 export type RegisterType = 'username' | 'mobile' | 'email';
 export type ForgotPasswordType = 'mobile' | 'email';
@@ -42,6 +43,10 @@ export class UserService extends BaseService<UserEntity> {
  @Inject()
  dbAdapter: DbAdapter;

+   @Inject()
+  oauthBoundService: OauthBoundService;
+
+
  //@ts-ignore
  getRepository() {
    return this.repository;
@@ -311,6 +316,9 @@ export class UserService extends BaseService<UserEntity> {
      throw new CommonException('不能删除管理员');
    }
    await super.delete(ids);
+    await this.oauthBoundService.deleteWhere({
+      userId: In(ids),
+    });
  }

  async isAdmin(userId: any) {
@@ -1,6 +1,9 @@
 import { AccessInput, BaseAccess, IsAccess } from '@certd/pipeline';

 export const AwsRegions = [
+  { label: 'cn-north-1', value: 'cn-north-1' },
+  { label: 'cn-northwest-1', value: 'cn-northwest-1' },
+  { label: '---------------', value: '--',disabled: true },
  { label: 'us-east-1', value: 'us-east-1' },
  { label: 'us-east-2', value: 'us-east-2' },
  { label: 'us-west-1', value: 'us-west-1' },
@@ -61,6 +64,18 @@ export class AwsAccess extends BaseAccess {
    helper: '请妥善保管您的安全访问密钥。您可以在AWS管理控制台的IAM中创建新的访问密钥。',
  })
  secretAccessKey = '';
+
+  @AccessInput({
+    title: 'region',
+    component: {
+      name:"a-select",
+      options: AwsRegions,
+    },
+    required: true,
+    helper: '请选择您的默认AWS区域，默认us-east-1',
+    options: AwsRegions,
+  })
+  region = '';
 }

 new AwsAccess();
@@ -0,0 +1,62 @@
+import { AbstractDnsProvider, CreateRecordOptions, IsDnsProvider, RemoveRecordOptions } from '@certd/plugin-cert';
+import { AwsClient } from './libs/aws-client.js';
+import { AwsAccess } from './access.js';
+
+
+@IsDnsProvider({
+  name: 'aws-route53',
+  title: 'AWS Route53',
+  desc: 'AWS Route53 DNS解析提供商',
+  accessType: 'aws',
+  icon: 'svg:icon-aws',
+  order:0,
+})
+export class AwsRoute53Provider extends AbstractDnsProvider {
+  
+  client: AwsClient;
+  async onInstance() {
+    const access: AwsAccess = this.ctx.access as AwsAccess
+    this.client = new AwsClient({ access: access, logger: this.logger, region:access.region || 'us-east-1' });
+  }
+
+  async createRecord(options: CreateRecordOptions): Promise<any> {
+    const { fullRecord, value, type, domain } = options;
+    this.logger.info('添加域名解析：', fullRecord, value, domain);
+    // const domain = await this.matchDomain(fullRecord);
+
+    const {ZoneId,ZoneName} = await this.client.route53GetHostedZoneId(domain);
+    this.logger.info(`获取到hostedZoneId:${ZoneId},name:${ZoneName},domain:${domain}`);
+    
+    await this.client.route53ChangeRecord({
+      hostedZoneId: ZoneId,
+      fullRecord: fullRecord,
+      type: type,
+      value: value,
+      action: 'CREATE',
+    });
+    return {
+      hostedZoneId: ZoneId,
+    }
+  }
+
+ 
+  async removeRecord(options: RemoveRecordOptions<any>): Promise<any> {
+    const { fullRecord, value,type } = options.recordReq;
+    const record = options.recordRes;
+    const hostedZoneId = record.hostedZoneId;
+
+    try{
+      await this.client.route53ChangeRecord({
+        hostedZoneId: hostedZoneId,
+        fullRecord: fullRecord,
+        type: type,
+        value: value,
+        action: 'DELETE',
+      });
+    }catch(e){
+      this.logger.warn(`删除域名解析失败：${e.message} : ${hostedZoneId} ${fullRecord} ${value} ${type} `, );
+    }
+  }
+}
+
+new AwsRoute53Provider();
@@ -1,2 +1,3 @@
 export * from './plugins/index.js';
 export * from './access.js';
+export * from './aws-route53-provider.js';
@@ -1,40 +0,0 @@
-// 导入所需的 SDK 模块
-import { AwsAccess } from '../access.js';
-import { CertInfo } from '@certd/plugin-cert';
-
-type AwsAcmClientOptions = { access: AwsAccess; region: string };
-
-export class AwsAcmClient {
-  options: AwsAcmClientOptions;
-  access: AwsAccess;
-  region: string;
-  constructor(options: AwsAcmClientOptions) {
-    this.options = options;
-    this.access = options.access;
-    this.region = options.region;
-  }
-  async importCertificate(certInfo: CertInfo) {
-    // 创建 ACM 客户端
-    const { ACMClient, ImportCertificateCommand } = await import('@aws-sdk/client-acm');
-    const acmClient = new ACMClient({
-      region: this.region, // 替换为您的 AWS 区域
-      credentials: {
-        accessKeyId: this.access.accessKeyId, // 从环境变量中读取
-        secretAccessKey: this.access.secretAccessKey,
-      },
-    });
-
-    const cert = certInfo.crt.split('-----END CERTIFICATE-----')[0] + '-----END CERTIFICATE-----';
-    // 构建上传参数
-    const data = await acmClient.send(
-      new ImportCertificateCommand({
-        Certificate: Buffer.from(cert),
-        PrivateKey: Buffer.from(certInfo.key),
-        // CertificateChain: certificateChain, // 可选
-      })
-    );
-    console.log('Upload successful:', data);
-    // 返回证书 ARN（Amazon Resource Name）
-    return data.CertificateArn;
-  }
-}
@@ -0,0 +1,136 @@
+// 导入所需的 SDK 模块
+import { AwsAccess } from '../access.js';
+import { CertInfo } from '@certd/plugin-cert';
+import {ILogger, utils} from '@certd/basic';
+type AwsClientOptions = { access: AwsAccess; region: string, logger:ILogger };
+
+export class AwsClient {
+  options: AwsClientOptions;
+  access: AwsAccess;
+  region: string;
+  logger: ILogger;
+  constructor(options: AwsClientOptions) {
+    this.options = options;
+    this.access = options.access;
+    this.region = options.region;
+    this.logger = options.logger;
+  }
+  async importCertificate(certInfo: CertInfo) {
+    // 创建 ACM 客户端
+    const { ACMClient, ImportCertificateCommand } = await import('@aws-sdk/client-acm');
+    const acmClient = new ACMClient({
+      region: this.region, // 替换为您的 AWS 区域
+      credentials: {
+        accessKeyId: this.access.accessKeyId, // 从环境变量中读取
+        secretAccessKey: this.access.secretAccessKey,
+      },
+    });
+
+    const cert = certInfo.crt.split('-----END CERTIFICATE-----')[0] + '-----END CERTIFICATE-----';
+    // 构建上传参数
+    const data = await acmClient.send(
+      new ImportCertificateCommand({
+        Certificate: Buffer.from(cert),
+        PrivateKey: Buffer.from(certInfo.key),
+        // CertificateChain: certificateChain, // 可选
+      })
+    );
+    console.log('Upload successful:', data);
+    // 返回证书 ARN（Amazon Resource Name）
+    return data.CertificateArn;
+  }
+
+
+  async route53ClientGet() {
+    const { Route53Client } = await import('@aws-sdk/client-route-53');
+    return new Route53Client({
+      region: this.region,
+      credentials: {
+        accessKeyId: this.access.accessKeyId, // 从环境变量中读取
+        secretAccessKey: this.access.secretAccessKey,
+      },
+    });
+  }
+
+   async route53GetHostedZoneId(name:string) :Promise<{ZoneId:string,ZoneName:string}> {
+    const hostedZones = await this.route53ListHostedZones(name);
+    const zoneId = hostedZones[0].Id.replace('/hostedzone/','');
+    this.logger.info(`获取到hostedZoneId:${zoneId},name:${hostedZones[0].Name}`);
+    return {
+      ZoneId: zoneId,
+      ZoneName: hostedZones[0].Name,
+    };
+  }
+  async route53ListHostedZones(name:string) :Promise<{Id:string,Name:string}[]> {
+    const {  ListHostedZonesByNameCommand } =await import("@aws-sdk/client-route-53"); // ES Modules import
+
+    const client = await this.route53ClientGet();
+    const input = { // ListHostedZonesByNameRequest
+      DNSName: name,
+    };
+    const command = new ListHostedZonesByNameCommand(input);
+    const response = await this.doRequest(()=>client.send(command));
+    if (response.HostedZones.length === 0) {
+      throw new Error(`找不到 HostedZone ${name}`);
+    }
+    this.logger.info(`获取到hostedZoneId:${JSON.stringify(response.HostedZones)}`);
+    return response.HostedZones;
+  }
+
+  async route53ChangeRecord(req:{
+    hostedZoneId:string,fullRecord:string,type:string, value:string, action:"CREATE"|"DELETE"}){
+    const {  ChangeResourceRecordSetsCommand} =await import("@aws-sdk/client-route-53"); // ES Modules import
+    // const { Route53Client, ChangeResourceRecordSetsCommand } = require("@aws-sdk/client-route-53"); // CommonJS import
+    // import type { Route53ClientConfig } from "@aws-sdk/client-route-53";
+    const client = await this.route53ClientGet();
+
+    const appendBody:any = {}
+    if(req.action === 'CREATE'){
+      appendBody.TTL = 60;
+    }
+    const input = { // ChangeResourceRecordSetsRequest
+      HostedZoneId: req.hostedZoneId, // required
+      ChangeBatch: { // ChangeBatch
+        Changes: [ // Changes // required
+          { // Change
+            Action: req.action as any , // required
+            ResourceRecordSet: { // ResourceRecordSet
+              Name: req.fullRecord+".", // required
+              Type: req.type.toUpperCase() as any,
+              ResourceRecords: [ // ResourceRecords
+                { // ResourceRecord
+                  Value: `"${req.value}"`, // required
+                },
+              ],
+              ...appendBody
+            },
+          },
+        ],
+      },
+    };
+    this.logger.info(`添加域名解析参数：${JSON.stringify(input)}`);
+    const command = new ChangeResourceRecordSetsCommand(input);
+    const response = await this.doRequest(()=>client.send(command));
+    console.log('Add record successful:', JSON.stringify(response));
+    await utils.sleep(3000);
+    return response;
+    /*
+    // { // ChangeResourceRecordSetsResponse
+//   ChangeInfo: { // ChangeInfo
+//     Id: "STRING_VALUE", // required
+//     Status: "PENDING" || "INSYNC", // required
+//     SubmittedAt: new Date("TIMESTAMP"), // required
+//     Comment: "STRING_VALUE",
+//   },
+// };*/
+  }
+
+  async doRequest<T>(call:()=>Promise<T>):Promise<T>{
+    try{
+      return await call();
+    }catch(err){
+      this.logger.error(`调用接口失败:${err.Error?.Message || err.message},requestId:${err.requestId}`);
+      throw err;
+    }
+  }
+}
@@ -1,7 +1,7 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
 import { CertApplyPluginNames, CertInfo } from "@certd/plugin-cert";
 import { AwsAccess, AwsRegions } from "../access.js";
-import { AwsAcmClient } from "../libs/aws-acm-client.js";
+import { AwsClient } from "../libs/aws-client.js";
 import { createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from "@certd/plugin-lib";
 import { optionsUtils } from "@certd/basic";

@@ -115,9 +115,10 @@ export class AwsDeployToCloudFront extends AbstractTaskPlugin {
  }

  private async uploadToACM(access: AwsAccess, cert: CertInfo) {
-    const acmClient = new AwsAcmClient({
+    const acmClient = new AwsClient({
      access,
      region: this.region,
+      logger: this.logger,
    });
    const awsCertARN = await acmClient.importCertificate(cert);
    this.logger.info('证书上传成功,id=', awsCertARN);
@@ -1,7 +1,7 @@
 import { AbstractTaskPlugin, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput, TaskOutput } from '@certd/pipeline';
 import { CertInfo } from '@certd/plugin-cert';
 import { AwsAccess, AwsRegions } from '../access.js';
-import { AwsAcmClient } from '../libs/aws-acm-client.js';
+import { AwsClient } from '../libs/aws-client.js';
 import { CertApplyPluginNames} from '@certd/plugin-cert';
@IsTaskPlugin({
  name: 'AwsUploadToACM',
@@ -59,9 +59,10 @@ export class AwsUploadToACM extends AbstractTaskPlugin {
  async execute(): Promise<void> {
    const { cert, accessId, region } = this;
    const access = await this.getAccess<AwsAccess>(accessId);
-    const acmClient = new AwsAcmClient({
+    const acmClient = new AwsClient({
      access,
      region,
+      logger: this.logger,
    });
    this.awsCertARN = await acmClient.importCertificate(cert);
    this.logger.info('证书上传成功,id=', this.awsCertARN);
@@ -170,13 +170,15 @@ export class HauweiDeployCertToOBS extends AbstractTaskPlugin {
    const params:any = {
      Bucket: bucket,
      DomainName: domain,
-      Name: this.buildCertName( domain)
+      DomainBody:{
+        Name: this.buildCertName( domain),  
+      }
    };
    if (typeof cert === 'string'){
-      params.CertificateId= cert
+      params.DomainBody.CertificateId= cert
    }else{
-      params.Certificate= cert.crt
-      params.PrivateKey = cert.key
+      params.DomainBody.Certificate= cert.crt
+      params.DomainBody.PrivateKey = cert.key
    }
    const res = await obsClient.setBucketCustomDomain(params)
    this.checkRet(res)
@@ -54,8 +54,8 @@ export class TencentDeleteExpiringCert extends AbstractPlusTaskPlugin {
  @TaskInput({
    title: '即将过期天数',
    helper:
-      '仅删除有效期小于此天数的证书,\n<span class="color-red">注意：`1.26.14`版本之前Certd创建的证书流水线默认是到期前20天才更新证书，需要将之前创建的证书申请任务的更新天数改为35天，保证删除之前就已经替换掉即将过期证书</span>',
-    value: 30,
+      '仅删除有效期小于此天数的证书',
+    value: 18,
    component: {
      name: 'a-input-number',
      vModel: 'value',