Merge branch 'v2-dev' of https://github.com/certd/certd into v2-dev

2026-04-24 12:27:25 +08:00 · 2026-03-25 12:48:56 +08:00
parent b1eb706925 5a01634ca3
commit c5d285f755
53 changed files with 783 additions and 152 deletions
@@ -3,6 +3,18 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.

+## [1.39.6](https://github.com/certd/certd/compare/v1.39.5...v1.39.6) (2026-03-22)
+
+### Bug Fixes
+
+* 修复模版id不正确导致修改到错误的模版流水线bug ([b1ff163](https://github.com/certd/certd/commit/b1ff163a2828b205297408d5aed21cf1eff335e8))
+* 修复批量执行按钮无效的bug ([49703f0](https://github.com/certd/certd/commit/49703f08e55b303851086d9f36aca562d7999be6))
+
+### Performance Improvements
+
+* 火山引擎部署alb证书插件支持部署扩展证书以及删除已过期扩展证书 ([ffd2e81](https://github.com/certd/certd/commit/ffd2e8149e3a06bf3eec456ff85dbed793af9e90))
+* 新增阿里云证书清理插件 ([4b7eeaa](https://github.com/certd/certd/commit/4b7eeaa6e0a14d2e461c7c473a920a0966b1fe8e))
+
 ## [1.39.5](https://github.com/certd/certd/compare/v1.39.4...v1.39.5) (2026-03-18)

 ### Performance Improvements
@@ -0,0 +1,63 @@
+showRunStrategy: false
+default:
+  strategy:
+    runStrategy: 0
+name: AliyunDeleteExpiringCert
+title: 阿里云-删除即将过期证书
+icon: ant-design:aliyun-outlined
+group: aliyun
+desc: 仅删除未使用的证书
+needPlus: true
+input:
+  accessId:
+    title: Access提供者
+    helper: access 授权
+    component:
+      name: access-selector
+      type: aliyun
+    required: true
+    order: 0
+  endpoint:
+    title: 地域
+    helper: 阿里云CAS证书服务地域
+    component:
+      name: a-select
+      options:
+        - value: cas.aliyuncs.com
+          label: 中国大陆
+        - value: cas.ap-southeast-1.aliyuncs.com
+          label: 新加坡
+    required: true
+    value: cas.aliyuncs.com
+    order: 0
+  maxCount:
+    title: 最大删除数量
+    helper: 单次运行最大删除数量
+    value: 100
+    component:
+      name: a-input-number
+      vModel: value
+    required: true
+    order: 0
+  expiringDays:
+    title: 即将过期天数
+    helper: 仅删除有效期小于此天数的证书,0表示完全过期时才删除
+    value: 0
+    component:
+      name: a-input-number
+      vModel: value
+    required: true
+    order: 0
+  checkTimeout:
+    title: 检查超时时间
+    helper: 检查删除任务结果超时时间,单位分钟
+    value: 10
+    component:
+      name: a-input-number
+      vModel: value
+    required: true
+    order: 0
+output: {}
+pluginType: deploy
+type: builtIn
+scriptFilePath: /plugins/plugin-aliyun/plugin/delete-expiring-cert/index.js
@@ -96,6 +96,19 @@ input:
      选择要部署证书的监听器
      需要在监听器中选择证书中心，进行跨服务访问授权
    order: 0
+  certType:
+    title: 证书部署类型
+    helper: 选择部署默认证书还是扩展证书
+    component:
+      name: a-select
+      options:
+        - label: 默认证书
+          value: default
+        - label: 扩展证书
+          value: extension
+    value: default
+    required: true
+    order: 0
 output: {}
 pluginType: deploy
 type: builtIn
@@ -1,6 +1,6 @@
 {
  "name": "@certd/ui-server",
-  "version": "1.39.5",
+  "version": "1.39.6",
  "description": "fast-server base midway",
  "private": true,
  "type": "module",
@@ -50,20 +50,20 @@
    "@aws-sdk/client-route-53": "^3.964.0",
    "@aws-sdk/client-s3": "^3.964.0",
    "@aws-sdk/client-sts": "^3.990.0",
-    "@certd/acme-client": "^1.39.5",
-    "@certd/basic": "^1.39.5",
-    "@certd/commercial-core": "^1.39.5",
+    "@certd/acme-client": "^1.39.6",
+    "@certd/basic": "^1.39.6",
+    "@certd/commercial-core": "^1.39.6",
    "@certd/cv4pve-api-javascript": "^8.4.2",
-    "@certd/jdcloud": "^1.39.5",
-    "@certd/lib-huawei": "^1.39.5",
-    "@certd/lib-k8s": "^1.39.5",
-    "@certd/lib-server": "^1.39.5",
-    "@certd/midway-flyway-js": "^1.39.5",
-    "@certd/pipeline": "^1.39.5",
-    "@certd/plugin-cert": "^1.39.5",
-    "@certd/plugin-lib": "^1.39.5",
-    "@certd/plugin-plus": "^1.39.5",
-    "@certd/plus-core": "^1.39.5",
+    "@certd/jdcloud": "^1.39.6",
+    "@certd/lib-huawei": "^1.39.6",
+    "@certd/lib-k8s": "^1.39.6",
+    "@certd/lib-server": "^1.39.6",
+    "@certd/midway-flyway-js": "^1.39.6",
+    "@certd/pipeline": "^1.39.6",
+    "@certd/plugin-cert": "^1.39.6",
+    "@certd/plugin-lib": "^1.39.6",
+    "@certd/plugin-plus": "^1.39.6",
+    "@certd/plus-core": "^1.39.6",
    "@google-cloud/publicca": "^1.3.0",
    "@huaweicloud/huaweicloud-sdk-cdn": "^3.1.185",
    "@huaweicloud/huaweicloud-sdk-core": "^3.1.185",
@@ -0,0 +1,159 @@
+import { IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from '@certd/pipeline';
+import { AbstractPlusTaskPlugin } from "@certd/plugin-plus";
+import dayjs from 'dayjs';
+import { AliyunAccess } from '../../../plugin-lib/aliyun/access/index.js';
+import { AliyunSslClient } from '../../../plugin-lib/aliyun/lib/index.js';
+
+@IsTaskPlugin({
+  name: 'AliyunDeleteExpiringCert',
+  title: '阿里云-删除即将过期证书',
+  icon: 'ant-design:aliyun-outlined',
+  group: pluginGroups.aliyun.key,
+  desc: '仅删除未使用的证书',
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+  needPlus: true,
+})
+export class AliyunDeleteExpiringCert extends AbstractPlusTaskPlugin {
+  @TaskInput({
+    title: 'Access提供者',
+    helper: 'access 授权',
+    component: {
+      name: 'access-selector',
+      type: 'aliyun',
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  @TaskInput({
+    title: '地域',
+    helper: '阿里云CAS证书服务地域',
+    component: {
+      name: 'a-select',
+      options: [
+        { value: 'cas.aliyuncs.com', label: '中国大陆' },
+        { value: 'cas.ap-southeast-1.aliyuncs.com', label: '新加坡' },
+      ],
+    },
+    required: true,
+    value: 'cas.aliyuncs.com',
+  })
+  endpoint!: string;
+
+  // @TaskInput({
+  //   title: '关键字筛选',
+  //   helper: '仅匹配证书名称、域名包含关键字的证书，可以不填',
+  //   required: false,
+  //   component: {
+  //     name: 'a-input',
+  //   },
+  // })
+  // searchKey!: string;
+
+  @TaskInput({
+    title: '最大删除数量',
+    helper: '单次运行最大删除数量',
+    value: 100,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  maxCount!: number;
+
+  @TaskInput({
+    title: '即将过期天数',
+    helper: '仅删除有效期小于此天数的证书,0表示完全过期时才删除',
+    value: 0,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  expiringDays!: number;
+
+  @TaskInput({
+    title: '检查超时时间',
+    helper: '检查删除任务结果超时时间,单位分钟',
+    value: 10,
+    component: {
+      name: 'a-input-number',
+      vModel: 'value',
+    },
+    required: true,
+  })
+  checkTimeout!: number;
+
+  async onInstance() {}
+
+  async execute(): Promise<void> {
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+    const sslClient = new AliyunSslClient({
+      access,
+      logger: this.logger,
+      endpoint: this.endpoint,
+    });
+
+    const params = {
+      ShowSize: 100,
+      CurrentPage: 1,
+      // Keyword: this.searchKey,
+    };
+    const certificates: any[] = [];
+    while(true){
+      const res = await sslClient.doRequest('ListCertificates', params, {
+          method: 'POST',
+        });
+      let list = res?.CertificateList;
+      if (!list || list.length === 0) {
+        break;
+      }
+      this.logger.info(`查询第${params.CurrentPage}页，每页${params.ShowSize}个证书，当前页共${list.length}个证书`);
+
+      const lastDay = dayjs().add(this.expiringDays, 'day');
+      list = list.filter((item: any) => {
+        const notAfter = item.NotAfter;
+        const usingProducts = item.UsingProductList;
+        return dayjs(notAfter).isBefore(lastDay) && (!usingProducts || usingProducts.length === 0);
+      });
+      for (const item of list) {
+        this.logger.info(`证书ID:${item.CertificateId}, 过期时间:${item.NotAfter}，名称:${item.CertificateName}，证书域名:${item.Domain}`);
+        certificates.push(item);
+      }
+      params.CurrentPage++;
+    }
+
+    this.logger.info(`即将过期的证书数量:${certificates.length}`);
+    if (certificates.length === 0) {
+      this.logger.info('没有即将过期的证书, 无需删除');
+      return;
+    }
+    this.logger.info(`开始删除证书，共${certificates.length}个证书`);
+    let successCount = 0;
+    let failedCount = 0;
+
+    for (const certificate of certificates) {
+      try {
+        const deleteRes = await sslClient.doRequest('DeleteUserCertificate', {
+          CertId: certificate.CertificateId,
+        }, { method: 'POST' });
+        this.logger.info(`删除证书成功，证书ID:${certificate.CertificateId}, 名称:${certificate.CertificateName}, requestId:${deleteRes?.RequestId}`);
+        successCount++;
+
+      } catch (error: any) {
+        this.logger.error(`删除证书失败，证书ID:${certificate.CertificateId}, 名称:${certificate.CertificateName}, 错误:${error.message}`);
+        failedCount++;
+      }
+    }
+
+    this.logger.info(`证书删除完成，成功:${successCount}, 失败:${failedCount}`);
+  }
+}
+
+new AliyunDeleteExpiringCert();
@@ -13,4 +13,5 @@ export * from './deploy-to-vod/index.js';
 export * from './deploy-to-apigateway/index.js';
 export * from './deploy-to-apig/index.js';
 export * from './deploy-to-ack/index.js';
-export * from './deploy-to-all/index.js';
+export * from './deploy-to-all/index.js';
+export * from './delete-expiring-cert/index.js';
@@ -3,6 +3,7 @@ import { createCertDomainGetterInputDefine, createRemoteSelectInputDefine } from
 import { CertApplyPluginNames, CertInfo } from "@certd/plugin-cert";
 import { VolcengineAccess } from "../access.js";
 import { VolcengineClient } from "../ve-client.js";
+import dayjs from "dayjs";

@IsTaskPlugin({
  name: "VolcengineDeployToALB",
@@ -32,6 +33,7 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
  certDomains!: string[];


+
  @TaskInput({
    title: "Access授权",
    helper: "火山引擎AccessKeyId、AccessKeySecret",
@@ -126,6 +128,22 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
  listenerList!: string | string[];


+  @TaskInput({
+    title: "证书部署类型",
+    helper: "选择部署默认证书还是扩展证书",
+    component: {
+      name: "a-select",
+      options: [
+        { label: "默认证书", value: "default" },
+        { label: "扩展证书", value: "extension" }
+      ]
+    },
+    value: "default",
+    required: true
+  })
+  certType!: string;
+
+
  async onInstance() {
  }

@@ -149,20 +167,101 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
    const service = await this.getAlbService();
    for (const listener of this.listenerList) {
      this.logger.info(`开始部署监听器${listener}证书`);
-      await service.request({
-        action: "ModifyListenerAttributes",
-        query: {
-          ListenerId: listener,
-          CertificateSource: "cert_center",
-          CertCenterCertificateId: certId
-        }
-      });
-      this.logger.info(`部署监听器${listener}证书成功`);
+      if (this.certType === "default") {
+        // 部署默认证书
+        const res = await service.request({
+          action: "ModifyListenerAttributes",
+          query: {
+            ListenerId: listener,
+            CertificateSource: "cert_center",
+            CertCenterCertificateId: certId
+          }
+        });
+        this.logger.info(`部署监听器${listener}默认证书成功，res:${JSON.stringify(res)}`);
+      } else {
+        // 部署扩展证书
+        await this.deployExtensionCertificate(service, listener, certId as string);
+      }
+      await this.ctx.utils.sleep(5000);
    }

    this.logger.info("部署完成");
  }

+  private async deployExtensionCertificate(service: any, listenerId: string, certId: string) {
+    // 获取监听器当前的扩展证书列表
+    const domainExtensions = await this.getListenerDomainExtensions(service, listenerId);
+    
+    // 删除过期的扩展证书
+    try {
+      await this.deleteExpiredExtensions(service, listenerId, domainExtensions);
+    } catch (error) {
+      this.logger.error(`删除过期扩展证书失败:${error.message ||error}`);
+    }
+
+    // 新增扩展证书
+    const query: any = {
+      ListenerId: listenerId,
+      "DomainExtensions.1.Action": "create",
+      "DomainExtensions.1.CertificateSource": "cert_center",
+      "DomainExtensions.1.CertCenterCertificateId": certId
+    };
+
+    // 如果有证书域名信息，添加到扩展证书中
+    if (this.certDomains && this.certDomains.length > 0) {
+      query["DomainExtensions.1.Domain"] = this.certDomains[0];
+    }
+
+    await service.request({
+      action: "ModifyListenerAttributes",
+      query: query
+    });
+    this.logger.info(`部署监听器${listenerId}扩展证书成功`);
+  }
+
+  private async getListenerDomainExtensions(service: any, listenerId: string): Promise<any[]> {
+    const res = await service.request({
+      action: "DescribeListenerAttributes",
+      method: "GET",
+      query: {
+        ListenerId: listenerId
+      }
+    });
+    
+    return res.Result.DomainExtensions || [];
+  }
+
+  private async deleteExpiredExtensions(service: any, listenerId: string, domainExtensions: any[]) {
+    const expiredExtensions = [];
+    for (const ext of domainExtensions) {
+      if (!await this.isCertificateExpired(ext)) {
+        expiredExtensions.push(ext);
+      }
+    }
+    if (expiredExtensions.length === 0) {
+      this.logger.info(`没有过期的扩展证书，跳过删除`);
+      return;
+    }
+
+    const query: any = {
+      ListenerId: listenerId
+    };
+    expiredExtensions.forEach((ext, index) => {
+      const idx = index + 1;
+      query[`DomainExtensions.${idx}.Action`] = "delete";
+      query[`DomainExtensions.${idx}.DomainExtensionId`] = ext.DomainExtensionId;
+    });
+    
+    this.logger.info(`准备删除过期扩展证书，数量：${expiredExtensions.length}个，query:${JSON.stringify(query)}`);
+
+    await service.request({
+      action: "ModifyListenerAttributes",
+      query: query
+    });
+    this.logger.info(`删除${expiredExtensions.length}个过期扩展证书成功`);
+     await this.ctx.utils.sleep(5000);
+  }
+

  private async getCertService(access: VolcengineAccess) {
    const client = new VolcengineClient({
@@ -189,6 +288,54 @@ export class VolcengineDeployToALB extends AbstractTaskPlugin {
    return service;
  }

+  private async isCertificateExpired(extension: any): Promise<boolean> {
+    try {
+      let certificateId: string;
+      
+      // 根据证书来源获取证书ID
+      if (extension.CertificateSource === "cert_center") {
+        certificateId = extension.CertCenterCertificateId;
+      } else if (extension.CertificateSource === "alb") {
+        this.logger.warn(`ALB证书不支持过期检查，跳过`);
+        return false;
+      } else if (extension.CertificateSource === "pca_leaf") {
+        this.logger.warn(`PCA Leaf证书不支持过期检查，跳过`);
+        return false;
+      } else {
+        this.logger.warn(`未知的证书来源: ${extension.CertificateSource}，跳过`);
+        return false;
+      }
+      
+      if (!certificateId) {
+        this.logger.warn(`证书ID为空，跳过`);
+        return false;
+      }
+      
+      // 获取证书服务
+      const access = await this.getAccess<VolcengineAccess>(this.accessId);
+      const certService = await this.getCertService(access);
+      
+      // 获取证书详情
+      const certDetail = await certService.GetCertificateDetail(certificateId);
+      
+      // 判断证书是否过期
+      if (certDetail.NotAfter) {
+        const expireTime = dayjs(certDetail.NotAfter);
+        const now = dayjs();
+        const isExpired = expireTime.isBefore(now);
+        if (isExpired) {
+          this.logger.info(`证书 ${certificateId} 已过期，过期时间: ${expireTime.toISOString()}`);
+        }
+        return isExpired;
+      }
+      
+      return false;
+    } catch (error) {
+      this.logger.error(`检查证书是否过期失败: ${error.message || error}`);
+      return false;
+    }
+  }
+
  async onGetListenerList(data: any) {
    if (!this.accessId) {
      throw new Error("请选择Access授权");
@@ -42,6 +42,17 @@ export class VolcengineClient {
      });
      return res.Result.InstanceId || res.Result.RepeatId;
    };
+
+    service.GetCertificateDetail = async (certificateId: string) => {
+      const res = await service.request({
+        action: "CertificateGetInstance",
+        method: "POST",
+        body: {
+          InstanceId: certificateId
+        }
+      });
+      return res.Result;
+    };
    return service;
  }